Dileep case: Did memory card get swapped or copied, cyber security expert weighs in

A forensic report produced in a police petition found that the card, carrying the visuals of the woman actor’s assault in 2017, was last accessed in July 2021 when it was at the trial court of Judge Honey M Varghese.

Five days ago, when a new forensic report came out as part of a petition that the Kerala police filed in the actor assault case, there were shocking revelations. It said that the memory card, which contains visuals of the assault on the actor in February 2017, was accessed thrice though it was meant to be in the safe custody of courts. The last time it was accessed — in July 2021 — it was at the Ernakulam Additional Special Sessions Court of Judge Honey M Varghese, where the trial of the case is going on. Now, it seems there are more missing details to be concerned about, according to international cyber security expert Sangameswaran Manikkyam Iyer.

“The problem is that there is no serial number for the memory card mentioned anywhere in the report. This is a problem because, without it, we cannot be sure if this is the original memory card which was collected as evidence in 2017, or if it was swapped with another,” Sangameswaran tells TNM.

Every memory card manufacturer will have a serial number, using which law enforcement agencies across the world track details such as who bought the device from where, the year of manufacture, etc. The memory card in this case contains eight video files, identified as those related to the sexual assault of a prominent woman actor in a moving car in Kochi five years ago. The case received further attention when another popular actor, Dileep, was alleged to be the mastermind of the assault. In the years since the attack, the device containing the visuals of the attack has been moved to several courts and is currently at Judge Honey’s trial court.

“It could be significant, this lack of a serial number. Eight video files have been identified as related to the incident. Let’s say there were other files in the memory card, which may or may not be related to the crime. If those files are modified or deleted, the hash value of the memory card could change, even if the hash value of the individual files does not. Another possibility is that the original memory card was swapped with another one containing the same eight files, with some of the other files removed or modified,” Sangameswaran says.

The hash value he mentions is a string of alphanumeric characters, unique for a device and used to identify it. The forensic report has mentioned that the hash value of the memory card — called volume hash — has changed, while that of the eight individual files has not. This means that the eight files have not been modified or replaced, but some change has happened to the memory card. This has raised concern, especially with the forensic report mentioning that the last access of the card was made using a mobile phone, indicating the presence of messaging apps such as WhatsApp and Telegram, and the social media app Instagram. It raises serious questions as to whether any data on the card was copied and sent using these apps to another device.

How did the hash value change?

“In the forensic report, there is a clear mention of this memory card being inserted in a mobile phone, the make of which is in the report. It was running on an Android operating system and there is capture of different applications such as WhatsApp and Telegram installed in the mobile device. The Android operating system will mount the memory card (inserted) as part of the system, and try to write system information onto the memory card. That’s how the messaging applications’ data has been written as a system file onto the card, which in turn changed the volume hash value,” Sangameswaran explains.

This means that the hash value of the memory card changed because the mobile device it was inserted in added system data to the card. Any change on the card would alter its hash value.

Were the video files copied?

But at this stage, there is no way to know if exfiltration has occurred — meaning, if the content of the memory card was copied to another device. “Further in-depth analysis using advanced and specialised forensic tools may be required to find out what happened. The files could be copied over different channels – sent as a message or email attachment, copied to the Android phone (in which the card was inserted) and then to another memory card, played on the device and the screen captured by the same device or another. We cannot say unless we examine the phone in which the card was used and conduct a detailed analysis.”

The report has mentioned details of the phone – a Vivo, using the service provider Jijo. It is also not clear if any other apps (than WhatsApp, Telegram or Instagram) were used on the phone at the time the memory card was inserted in it. All the apps running on the phone need not write system information onto the memory card, as some of them need specific permissions.

Hash value of individual files

Sangameswaran also makes another important observation. In the several tables of the forensic report, the last access date of the eight individual files remains unchanged from the last time the card was found to be accessed — December 13, 2018. This was the last access date that an earlier forensic report had mentioned, revealing that the videos were accessed when the card was in the Principal and Sessions Court of Ernakulam, before it reached Judge Honey’s court. The original last access date was February 18, 2017, a day after the crime took place.

Even in the new forensic report, the last access of these individual files is mentioned as December 2018, and not July 2021. But it needn’t mean that in July 2021, only the memory card was accessed and the files were untouched, Sangameswaran says. “File attributes — which include the last access date — are not a reliable source and can be easily tampered with, without modifying the content of the file. So the hash value also will not change. This is one of the possibilities,” he says. He has based all his analyses only on the forensic report that came as part of the police petition, he clarifies.
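
The difference between the volume hash and the per-file hashes, and why the serial number matters, can be reproduced in a small model. The Python below is an added example, not part of the forensic report or the original article; the card is an in-memory record whose file names, contents, serial placeholders and the `Android/sys.dat` entry are constructed, and the serial is assumed to sit outside the hashed data.

```python
import hashlib

VIDEOS = [f"video{i}.mp4" for i in range(1, 9)]  # constructed names for the eight files

def make_card():
    """Constructed card model; the serial is outside the hashed data (assumption)."""
    files = {n: {"atime": "2018-12-13", "data": f"constructed clip {n}".encode()}
             for n in VIDEOS}
    files["other.txt"] = {"atime": "2017-02-18", "data": b"constructed unrelated file"}
    return {"serial": "PLACEHOLDER-SERIAL-A", "files": files}

def clone(card, serial=None):
    return {"serial": serial or card["serial"],
            "files": {n: dict(f) for n, f in card["files"].items()}}

def file_hashes(card):
    """Per-file hash: covers content only, not the name or access date."""
    return {n: hashlib.sha256(card["files"][n]["data"]).hexdigest() for n in VIDEOS}

def volume_hash(card):
    """Stand-in for a volume hash: covers every file's metadata and content."""
    h = hashlib.sha256()
    for name in sorted(card["files"]):
        f = card["files"][name]
        h.update(name.encode() + b"\0" + f["atime"].encode() + b"\0")
        h.update(len(f["data"]).to_bytes(8, "big") + f["data"])
    return h.hexdigest()

def compare(before, after):
    return {"video_hashes_match": file_hashes(before) == file_hashes(after),
            "volume_hash_match": volume_hash(before) == volume_hash(after),
            "serial_match": before["serial"] == after["serial"]}

def scenarios():
    base = make_card()
    mounted = clone(base)  # phone mounts the card and writes a system file
    mounted["files"]["Android/sys.dat"] = {"atime": "2021-07", "data": b"constructed app data"}
    retimed = clone(base)  # access date rewritten, content untouched
    retimed["files"]["video1.mp4"]["atime"] = "2021-07"
    swapped = clone(base, serial="PLACEHOLDER-SERIAL-B")  # different card, same eight files
    del swapped["files"]["other.txt"]
    return {"mounted": compare(base, mounted),
            "retimed": compare(base, retimed),
            "swapped": compare(base, swapped)}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

In this model the mounted and swapped cases give the same hash result (file hashes match, volume hash differs); only the serial comparison separates them.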
