Five days ago, when a new forensic report came out as part of a petition that the Kerala police filed in the actor assault case, there were surprising revelations. It said that the memory card, containing visuals of the attack on the actor in February 2017, was accessed thrice while it was meant to be in the safe custody of courts. The last time it was accessed — in July 2021 — it was at the Ernakulam Additional Special Sessions Court of Judge Honey M Varghese, where the trial of the case is going on. Now, it seems there are more missing details to be concerned about, according to international cyber security specialist Sangameswaran Manikkyam Iyer.
“The problem is that there is no serial number for the memory card mentioned anywhere in the report. This is a concern because, without it, we can’t be sure if this is the original memory card which was collected as evidence in 2017, or if it was swapped with another,” Sangameswaran tells TNM.
Every memory card manufacturer will have a serial number, using which law enforcement agencies across the globe track details such as who purchased the device from where, the year of the manufacture etc. The memory card in this case contains eight video files, recognised as those related to the sexual assault of a prominent woman actor in a moving car in Kochi five years ago. The case gained further attention when another popular actor, Dileep, was alleged to be the mastermind of the attack. In the years since the attack, the device containing the visuals of the attack has been moved to multiple courts and is presently at Judge Honey’s trial court.
“It could be serious, this lack of a serial number. Eight video files have been found as related to the incident. Let’s say there were other files in the memory card, which may or may not be related to the crime. If those files are modified or deleted, the hash value of the memory card could change, even if the hash value of the individual files do not. Another possibility is that the original memory card was swapped with another one containing the same eight files, with some of the other files removed or changed,” Sangameswaran says.
The hash value he mentions is a string of alphanumeric characters, unique for a device and used to identify it. The forensic report has mentioned that the hash value of the memory card — called volume hash — has changed, while that of the eight individual files has not. This means that the eight files have not been modified or replaced, but some change has happened to the memory card. This has brought concern, especially with the forensic report mentioning that the last access of the card was made using a mobile phone, indicating the presence of messaging apps such as WhatsApp and Telegram, and the social media app Instagram. It poses serious concerns as to whether any content of the card was copied and sent using these apps to another device.
“In the forensic report, there is a clear mention of this memory card being inserted on a mobile phone, the make of which is in the report. It was running on an Android operating system and there is capture of specific applications such as WhatsApp and Telegram installed in the mobile device. The Android operating system will mount the memory card (inserted) as part of the system, and try to write system information onto the memory card. That’s how the messaging applications’ information has been written as a system file onto the card, which in turn changed the volume hash value,” Sangameswaran explains.
This means that the hash value of the memory card changed because the mobile device it was inserted on added system information on the card. Any change on the card would change its hash value.
But at this stage, there is no way to know if exfiltration has happened — meaning, if the content of the memory card was copied to another device. “Further in-depth analysis using advanced and specialised forensic tools may be required to find out what happened. The files could be copied over different channels – sent as a message or email attachment, copied to the android phone (in which the card was inserted) and then to another memory card, played on the device and the screen captured by the same device or another. We cannot say unless we examine the phone in which the card was used and conduct a detailed analysis.”
The report has mentioned details of the phone – a Vivo, using the service provider Jijo. It is also not clear if any other applications (than Whatsapp, Telegram or Instagram) were used on the phone at the time the memory card was inserted in it. All the apps running on the phone need not write system files onto the memory card, as some of them need specific permissions.
Sangameswaran also makes another important observation. In the various tables of the forensic report, the last access date of the eight individual files remain unchanged from the last time the card was found to be accessed — December 13, 2018. This was the last access date that an earlier forensic report had mentioned, revealing that the videos were accessed when it was in the Principal and Sessions Court of Ernakulam, before it reached Judge Honey’s court. The original last access date was February 18, 2017, a day after the crime happened.
Even in the new forensic report, the last access of these individual files is mentioned as December 2018, and not July 2021. But it needn’t mean that in July 2021, only the memory card was accessed and the files were untouched, Sangameswaran says. “File properties — which includes the last access date — are not a reliable source and can be easily tampered with, without modifying the content of the file. So the hash value also will not change. This is one of the possibilities,” he says. He has based all his analyses only on the forensic report that came as part of the police petition, he clarifies.