How proper file, malware, and memory forensics techniques were able to catch the ModifiedElephant threat actor planting incriminating evidence on defendants’ computers in India.
Disclaimer: The views, methods, and opinions expressed at Anchored Narratives are the author’s and do not necessarily reflect my employer’s official policy or position.
I agreed in late 2022 to independently review a new digital forensics report from Arsenal Consulting (hereafter: Arsenal), which was still under embargo. Niha Masih, an award-winning reporter with The Washington Post, reached out to me in early December and explained that she had written a series of articles (based on Arsenal reports) about Indian activists in the “Bhima Koregaon” case who were hacked and had evidence planted on their devices before their arrests. Niha asked if I would be able to validate Arsenal’s work.
The new report from Arsenal (Report V) involved the examination of a forensic image (copy) of the hard drive of one of the defendants, Mr. Stanislaus Lourduswamy (hereafter: Swamy). The 84-year Jesuit priest, unfortunately, died in 2021 while still in the custody of Indian authorities.
The digital forensics report involved a lot of technical details on how information was reconstructed during Arsenal’s investigation, which included memory artifacts that were recovered from the hibernation file (hiberfil.sys) of Mr. Swamy’s computer. As the report contained many technical details regarding memory forensic artifacts, which are not commonly investigated in this type of legal case involving digital forensics, my involvement made sense as I investigate memory images in my full-time job at Volexity.