Over a period of time, an influential pressure group comprising advocates, media professionals and academics with left leanings has held the entire system of governance to ransom. The peaceful existence of any ideology that works constructively for the betterment of society and the Nation is never underestimated. However, in an increasingly worrying trend, there are repeated attempts by the members of this unholy nexus, at strategic places in India, to create false narratives about every legitimate action of the State. Their activities range from instigating disgruntled elements in society, on the basis of caste, creed, religion or economic backwardness, to protest against the State. Once that is achieved, they go further and create lawlessness in society to prove that there is no governance and that the State is neither effective nor sympathetic to the cause of these instigated sections of society. Several such instances of lawlessness by these left-wing elements are a regular feature, hampering the growth of the Indian economy and jeopardising the security of the Nation. These acts of lawlessness and violence can be traced from Paramakudi in Ramanathapuram District and the Sterlite agitation in Tuticorin, both in Tamil Nadu, to the violence at Bheema Koregaon and the recent riots of Delhi. These places may be a thousand miles apart geographically, but all these incidents have one thing in common: planned instigation of riots, a consistent flow of misinformation, and the creation of a false narrative to discredit the police, considered the visible arm of the State, and to project the accused as victims.
The scope of this article is to analyse one such fake narrative created by these supporters of urban naxals. On 14 December 2019, a story titled “Did the Pune Police tamper with evidence against Bhima Koregaon accused?” was carried by ‘The Caravan’. The story went unnoticed, with only one comment by a single reader. But recently the story was floated in the market again, when the bail petitions of the accused in the Bhima Koregaon case were being vigorously pushed by these left-wing elements. This is one of the best examples of how these so-called liberals create a false narrative by discrediting the lawful actions of the State and projecting the accused as victims of State high-handedness. In the following lines, I explain how the story carried by ‘The Caravan’ is a false narrative meant to pre-empt the decisions on the bail petitions of the accused in the Bhima Koregaon case. The story gives six points to discredit the police investigation and project the accused as victims of high-handedness by the State.
Files were edited while the evidence was under police custody
It is claimed that the letter titled “Dear Surendar.docx”, which was released to the media in September 2018 by Pune Police, was in justified alignment, while the copy of the same letter submitted to the lawyer of the accused in November 2019 was left aligned. This may be because there were two documents of the same name in two different folders of the computer, one justified and the other left aligned. It is also claimed that this happened because the police did not take a bit-stream image while seizing the computer. Even where a bit-stream image is taken, the evidence document still has to be opened, through the forensic tool, with the application in which it was created. Here that application is “Word”, and the document would have been opened using it in order to see the contents of the Word document. In a rare situation, the document “Dear Surendar.docx”, recovered and opened using the digital forensic tool, might have been aligned and a printout might then have been taken. This does not mean that the police edited or altered the digital evidence in this situation.
The “Last Accessed” dates indicate illogical behaviour
It is possible for a person to keep all his incriminating documents on a pen drive or flash drive. In order to transfer the documents from one pen drive to another, or to have a backup copy of them, the accused might have saved the files on his desktop computer. That is the reason the time stamps range over a span of one minute and 48 seconds. It is not logical to expect that a person who wants to carry out undercover operations would keep all his incriminating files openly, in proper chronological order, on his desktop computer. There are many script-kiddie information security experts in the market who neither understand the concept of time stamping in a Word document nor have done any kind of research on how time stamping works in a Word document. They only rely on freely available tools to change the time stamps of a file and show that they have done the magic. According to Arman Gungor in his article “Word Forensic Analysis and Compound File Binary Format”, it is strongly recommended that the expert get familiar with the Microsoft specifications on the Word (.doc) Binary File Format [MS-DOC], Office Common Data Types and Objects Structures [MS-OSHARED], Compound File Binary File Format [MS-CFB] and Object Linking and Embedding (OLE) Property Set Data Structures [MS-OLEPS]. There are tonnes of information available, especially in the Compound File Binary File Format. Manual examination of these files might reveal the exact time stamps, or prove that the time stamps were altered. At this juncture, it is improper to say that the police created the file and pasted it into the accused's files.
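The two questions raised above (are two same-named copies one file or two, and what time stamps does the document itself carry) can be checked on working copies without opening them in Word. The following is an added example, not part of the original article or of any tool used in the case: it hashes two copies and reads paragraph alignment (`w:jc`) and the embedded created/modified values from the `.docx` package, which is a ZIP container rather than a Compound File Binary file. Both sample packages and all their values are constructed for illustration.

```python
import hashlib, io, zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DCT = "http://purl.org/dc/terms/"

def make_docx(jc, modified):
    """Build a minimal, constructed .docx-style package in memory (sample input)."""
    parts = {
        "word/document.xml":
            f'<w:document xmlns:w="{W}"><w:body><w:p><w:pPr><w:jc w:val="{jc}"/>'
            '</w:pPr><w:r><w:t>constructed sample text</w:t></w:r></w:p>'
            '</w:body></w:document>',
        "docProps/core.xml":
            f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dcterms="{DCT}">'
            '<dcterms:created>2018-01-02T10:00:00Z</dcterms:created>'
            f'<dcterms:modified>{modified}</dcterms:modified></cp:coreProperties>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            # Fixed ZIP entry time keeps the constructed bytes reproducible.
            z.writestr(zipfile.ZipInfo(name, (2018, 1, 2, 10, 0, 0)), xml)
    return buf.getvalue()

def examine(data):
    """Hash one copy and read its alignment and embedded timestamps read-only."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        doc = ET.fromstring(z.read("word/document.xml"))
        core = ET.fromstring(z.read("docProps/core.xml"))
    aligns = []
    for p in doc.iter(f"{{{W}}}p"):
        jc = p.find(f"{{{W}}}pPr/{{{W}}}jc")
        # No w:jc element means the paragraph is not explicitly aligned.
        aligns.append(jc.get(f"{{{W}}}val") if jc is not None else "unset")
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "alignment": aligns,  # "both" is Word's value for justified text
            "created": core.findtext(f"{{{DCT}}}created"),
            "modified": core.findtext(f"{{{DCT}}}modified")}

def compare(a, b):
    """Return only the fields that differ between two copies."""
    ra, rb = examine(a), examine(b)
    return {k: (ra[k], rb[k]) for k in ra if ra[k] != rb[k]}

released = make_docx("both", "2018-03-01T09:00:00Z")   # constructed copy 1
disclosed = make_docx("left", "2018-03-01T09:00:00Z")  # constructed copy 2
if __name__ == "__main__":
    for field, (x, y) in compare(released, disclosed).items():
        print(f"{field}: {x} != {y}")
```

Differing hashes show that the two copies are not byte-identical, and the remaining fields show where they differ; the embedded timestamps are separate from the file system's "Last Accessed" value.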
Gross procedural violations during raids on the activists
There is no procedure laid down in the IT Act for seizing evidence from the scene of crime. But law enforcement agencies across the world follow a Standard Operating Procedure, Cyber Crime Investigation Manual or set of best practices prepared by professionals in this field. One such widely followed manual, prepared by the Data Security Council of India, explains in its “Crime Scene Investigation: Search and Seizure” the Digital Forensic Evidence Collection Principles created by the Association of Chief Police Officers (ACPO), which was under the INTERPOL, as below.
Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
According to Principle 2 above, if the circumstances require, the police can take the help of an expert who is competent to handle digital evidence to access the original data and find the required files, and who can give evidence to the Court explaining the relevance and the implications of his actions.
Inconsistency in following security procedures
Taking the hash value of the disk or of a file depends upon the location of the evidence and the time available for handling the particular crime scene. The SOP on Digital Evidence prepared by the “National Criminal Justice Reference Service” (NCJRS) of the USA clearly states, in its “Processing Location Assessment” section:
“Assess the evidence to determine where the examination should occur. It is preferable to complete an examination in a controlled environment, such as a dedicated forensic work area or laboratory. Whenever circumstances require an onsite examination to be conducted, attempt to control the environment. Assessment considerations might include the following:
- The time needed onsite to accomplish evidence recovery.
- Logistic and personnel concerns associated with long-term deployment.
- The impact on the business due to a lengthy search.
- The suitability of equipment, resources, media, training, and experience for an onsite examination.”
The police can decide where and how to process the digital evidence in order to conduct the investigation properly. And if required, the hash value of an individual file can also be taken and preserved. There is no violation of any rule, or inconsistency in following the security procedure, by the police in handling the digital evidence.
Denial of access to the evidence for the accused
Analysing hard drives for digital evidence is not simple or easy work. It is time-consuming, tedious work in which it can take weeks or months to unlock a single file that might have been strongly encrypted by the accused. Different hiding techniques, such as Encryption, Steganography, Bit Shifting, Alternate Data Streams, etc., might have been adopted by the accused to hide valuable evidence. All of this analysis takes much time, so the police have taken every precautionary measure to leave no stone unturned in gathering the evidence, as it is a case of national security. At the investigation stage, if the police provide the information to the accused, there is a chance of manipulation of physical evidence. It is better to give a copy of the whole hard drive or a copy of the file which will not affect the case.
All the files are either in “.docx” or “.pdf” form
In order to save time in sending an email, a person can type a letter in a Word document and later copy the content to the online email platform to send it. Moreover, a person who does not want to disclose the contents of the mail can send a password-protected Word document or PDF file as an attachment to the email. It is also possible to hide these Word or PDF files in another file as a steg file, so that no one has any doubt about the email conversation even if someone intercepts it. So the incriminating documents that have been found here were sent to others using these techniques. This might be the reason that many docx or pdf files were found in the analysis.
The above analysis clearly demonstrates how non-technical experts collaborate with non-relevant technical experts to create false narratives to discredit the State and project the accused as victims of State atrocities. We must not forget that naxalism is the most important threat to national security and therefore needs to be shown no mercy by virtue of these false narratives.
Sandeep Mittal, IPS is a Postgraduate in Cyber Defence and Computer Forensics and holds a Doctorate in Cyber Security. He taught Cyberspace Investigation to functionaries of Criminal Justice Administration. The academic views expressed here are his own and may not reflect the views of the Organisations where he works.
© The content of this Article is intellectual property of The 4th Estate and cannot be used except with prior written consent of the Editor, The 4th Estate.