Bhima Koregaon violence case | Jailed activist Rona Wilson’s computer was compromised, finds digital forensics analysis

Report says hacker controlled and planted documents in the computer of Mr. Wilson, arrested with 15 others in the Bhima Koregaon case.

February 10, 2021 07:50 pm | Updated December 04, 2021 10:41 pm IST - Mumbai

An accused in Bhima Koregaon case being produced in court in Pune. File photo

An accused in Bhima Koregaon case being produced in court in Pune. File photo

A report by Arsenal Consulting, a digital forensic analyst from Chelsea, U.S., has debunked the electronic evidence gathered by the investigating agency against 42-year-old Rona Wilson and 15 others arrested in the Bhima Koregaon violence case , including Surendra Gadling, Mahesh Raut, Shoma Sen, Sudhir Dhawale, Arun Ferriera, Vernon Gonslaves, Sudha Bharadwaj and P. Varavara Rao.

Arsenal Consulting, which was roped in by the American Bar Association to examine the clone copy of the hard disc of Mr. Wilson’s computer, has stated that a hacker controlled his computer for a period of 22 months to plant documents, which led to an investigation that supposedly unravelled a Communist Party of India (Maoist) conspiracy to eliminate Prime Minister Narendra Modi “in another Rajiv Gandhi type incident”. A copy of the report is with The Hindu .


The report is a part of the writ petition filed by Mr. Wilson before the Bombay High Court that explains how a hacker exploited the IP addresses provided by one ‘Host Sailor’ and used proxy servers to plant a “trojan horse NetWire”. This initially subjected Mr. Wilson to surveillance, and later on, remotely through the malware, delivered various files, including the incriminating correspondence with other accused.

The same were stored in a folder which was set to a “hidden mode”, and over a period of 22 months, from time-to-time, various letters and material came to be planted on Mr. Wilson’s system without his knowledge, mentions the plea seeking the quashing of the FIR and chargesheet against him.

The report further states that the folders and documents were never opened by Mr. Wilson or anyone else and their existence was unknown to him. The hacker also synchronised these documents in such a way that they would get planted in any external memory device connected to the laptop.

ADGP Parambir Singh shows during a press conference in Mumbai on August 31, 2018 a copy of a print out showing catalogue of arms and ammunition allegedly recovered from activist Rona Wilson’s computer.

ADGP Parambir Singh shows during a press conference in Mumbai on August 31, 2018 a copy of a print out showing catalogue of arms and ammunition allegedly recovered from activist Rona Wilson’s computer.


Arsenal Consulting’s report demonstrates that Mr. Wilson’s computer was compromised through a mail sent to his email account, which carried an attachment in the form of a document (“another victory.rar”). Since it appeared to be innocuous, Mr. Wilson tried opening it but did not succeed in opening it. But because he had clicked on the attachment, it helped the attacker install the malware in his laptop. It is stated in the report that the attachment was enveloped in a decoy file, namely “another victory.rar”, and clicking the same resulted in a chain of events that led to the installation of the malware on his device.

The report shows how the attacker had retained access to Mr. Wilson’s computer for over 22 months, starting June 13, 2016, and used a remote access facility for planting the incriminating letters, while conducting the surveillance on his activities without Mr. Wilson getting a hint of it.


The report also explains that the hacker created a folder namely “kbackup” on November 3, 2016 at 00:10:07, which then was renamed as “Rbackup” and was set to hidden mode. The folder was last modified on April 16, 2018 @16:50:41, that is, a day prior to the raid, search and seizure at Mr. Wilson’s residence on April 17, 2018, weeks before he was arrested on June 6, 2018. It was in this way that incriminating documents were planted and certain genuine documents also copied in the folder, the report says.

It is clear that the hacker used the “Windows volume” on Mr. Wilson’s computer as a “staging area to synchronise data with the computer and the external memory equipment/pen drives”, and stored the same in the “System Volume Information folder” of such memory. Although the pen drive/thumb drive are not kept connected to the computer, as and when they are so connected, material gets synchronised due to the malware, the report says.

It is also pertinent to observe that though it was necessary for the prosecution to provide a clone copy of the hard disc seized from him and his co-accused along with chargesheet itself, the same was purposefully avoided, Mr. Wilson’s writ petition alleges. Instead, the Investigating Officer submitted one disc in which he had stored selected incriminating data and termed it the “Annexure Hard Disc”, it says.

The report concludes that 10 crucial documents, along with various others used to incriminate all the accused in the case, were planted through malware on Mr. Wilson’s device by an unknown person.

Top News Today

Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in


Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.