On January 13, when Crime Branch officials in Kerala raided the houses of actor Dileep and his brother Anoop, they seized several phones belonging to Dileep, Anoop, their brother-in-law Suraj and another relative Appu. The police soon realised that the seized phones were relatively new and that all four men had started using these new devices on the same day — January 9.
The police sent notices to Dileep and the other three to submit their phones, but there was no reply. The police then informed the Kerala High Court which was hearing Dileep's anticipatory bail petition in a new case that he conspired to kill or harm police officers investigating the 2017 sexual assault. When the HC asked Dileep, his reply was audacious.
Dileep's advocate Raman Pillai informed the court that the old phones were already sent to a lab of Dileep's choice in Mumbai for "forensic examination." In a written affidavit, Dileep told the court that he will forensically retrieve all the data, store it and submit it to the prosecution when the time is right. Dileep's contention was that if he submitted the phone to the police, they would tamper with it and implicate him. Even as questions rose on how an accused can send his phone for forensic tests, the judge gave time for Dileep to submit phones and said that the phone may be "tampered with" by forensic experts.
So now to the big question: why do the Kerala police want physical possession of phones that Dileep and his family used?
Let's get one thing straight. Every mobile service provider, no matter what your phone and what your connection, stores call detail records. Call detail records (CDR) essentially show which number called which number, what time the call was made, how long the call lasted and where the call was made from. They will not show what the content of the phone calls was — which means you cannot access the conversation. Telecom companies in India actively store CDR data for two years, as per a new Department of Telecom rule, and archive the rest. As per the law, access to these archives needs special permission, from law enforcement or investigating agencies.
The police are seeking physical custody of the phones because in many cases, it is possible to remotely delete data from a phone.
However, a lot of time has passed since Dileep is believed to have used this phone. So how do police retrieve data from older phones, or data that may possibly have been deleted or formatted?
When investigative agencies get access to a phone, everything that has been stored on the device, such as WhatsApp messages, calls, emails, videos, SMSes and location details, can be retrieved on most occasions, even if the data was deleted a while ago.
Cyber security expert Gagan Jain tells TNM that most of the time, the data you have deleted from your smartphone device does not immediately disappear into nothingness. It stays on your phone, but it goes to a space that is not accessible to the user. He explains that any form of data that is deleted from a mobile phone — for example, photos, music, calls, messages — leaves behind a ‘skeleton’ that can be accessed. This skeleton is basically a copy of the deleted data in the form of temporary files.
Every smartphone device has an ‘unallocated space’ that your data goes to when it is deleted. “It is not visible to you, but it will be there in the memory,” says Gagan. This space can only be accessed by special software programs or cyber security forensic experts.
This depends on your phone usage. The temporary files that are the ‘ghosts’ of your data will remain in your phone till your phone has the space to accommodate the other, tangible data. However, if your phone nears its storage capacity, these temporary files will get overwritten. Simply put, your phone will give priority to new photos and videos over your deleted photos and videos.
“When you delete data, it will still be there in the temporary memory. Until you overwrite it with something else, then it cannot be retrieved,” Gagan explains.
This means that if the phone does not have enough memory to keep storing the deleted data, it will get overwritten. But as long as you have the space, your phone will continue to store this ghost data.
Local data cannot be accessed by regular smartphone users. You need a special application specifically designed to extract such forensic data. Technical experts can run a programme or code to overwrite the unallocated data. This is usually done when second-hand computers or phones have to be refurbished and a former user’s data needs to be deleted and secured.
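The mechanism described above can be shown with a small simulation. This is an added example, not part of the original report and not a real forensic tool: `ToyStorage`, its file names and the sample message are constructed for illustration, and the model covers only deletion, reuse of freed space and overwriting.

```python
# Toy model of phone storage (constructed): fixed-size blocks plus a file table.
BLOCK = 16

class ToyStorage:
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK)] * n_blocks   # raw contents of every block
        self.files = {}                           # file name -> block indexes

    def free_blocks(self):
        used = {i for idxs in self.files.values() for i in idxs}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write(self, name, data):
        chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("storage full")
        self.files[name] = free[:len(chunks)]
        for idx, chunk in zip(self.files[name], chunks):
            self.blocks[idx] = chunk.ljust(BLOCK, b"\x00")

    def delete(self, name):
        # Ordinary delete: only the table entry goes, the block contents stay.
        del self.files[name]

    def carve_unallocated(self):
        # What an examiner's tool reads: raw bytes of blocks no file owns.
        return b"".join(self.blocks[i] for i in self.free_blocks())

    def wipe_unallocated(self):
        # Sanitisation before resale: overwrite every free block with zeros.
        for i in self.free_blocks():
            self.blocks[i] = bytes(BLOCK)

def demo():
    phone = ToyStorage(n_blocks=8)
    phone.write("chat.db", b"MSG:meet at 9pm tomorrow")   # occupies 2 blocks
    phone.write("notes.txt", b"grocery list")
    phone.delete("chat.db")
    after_delete = b"meet at 9pm" in phone.carve_unallocated()
    phone.write("video.mp4", b"V" * (BLOCK * 6))          # reuses the freed blocks
    after_reuse = b"meet at 9pm" in phone.carve_unallocated()
    return after_delete, after_reuse

if __name__ == "__main__":
    print(demo())
```

The deleted message is still readable from free space until a new file is written over the same blocks; `wipe_unallocated()` is the refurbisher's step that removes it without waiting for reuse.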
Now, Dileep has told the Kerala High Court which is hearing his anticipatory bail plea, that he sent his old phone to Mumbai, to be examined by cyber forensic experts in connection with another case he is booked in — the 2017 actor abduction and assault case. The prosecution has told the High Court that Dileep, by sending his phone for a forensic examination, is trying to conceal and possibly tamper with evidence that may implicate him in the case.
According to the law in India, digital evidence like WhatsApp chats, calls, etc. can be counted as evidence if it satisfies criteria under the Indian Evidence Act, 1872.
Section 65A of the Act says that the contents of electronic records may be proved in court if they satisfy certain criteria. The conditions are mentioned in Section 65B of the Act. They include: the electronic device should be used regularly, the information that is present in the device should be such that it is regularly fed into the device, the device should be working properly and should not affect the information fed into it, and the evidence produced should be a duplicate of the record on the original device.
The new case against Dileep was filed following some startling revelations by filmmaker Balachandra Kumar, who said he was a friend of the accused actor. He has also claimed that there is evidence including digital ones to prove that Dileep had influenced the witnesses in the 2017 case. He alleged that Dileep had access to visuals of the sexual assault, even before he and his lawyers watched it at the magistrate’s chamber in 2017. The female actor’s sexual assault was recorded on video, and this is a crucial piece of evidence in the case. Balachandra Kumar also released a series of audio clips, pertaining to the actor assault case, and the clips were aired by Reporter TV.
Balachandra Kumar had told the media that there was a “VIP” who allegedly showed the video to Dileep beforehand, and that the sound in the video was even enhanced by 20 times at a film studio. While the prosecution has always maintained that Dileep has a copy of the visual of the sexual assault, Dileep’s version has been that he did not contact Pulsar Suni and therefore he never had the visual. Balachandra Kumar has also said that he has in his possession certain audio clips in which a male voice can be heard speaking about the video, the trial, and about influencing a witness.
In one audio clip, a voice, allegedly belonging to Dileep's brother-in-law Suraj, can be heard talking about a conspiracy to murder the investigating official and Deputy Superintendent of Police Baiju Paulose. Paulose is probing the 2017 actor sexual assault case. The clips, released on the channel ReporterLive, show a man who is allegedly Dileep saying, “All five officials, you watch what you’re going to get.” The conversation, allegedly between Suraj and Dileep, took place in November 2017 at the latter's house in Aluva.
The new FIR was filed against six people — Dileep, Dileep's brother Anoop, Dileep’s brother-in-law Suraj, Anoop’s brother-in-law Appu, a man that Balachandra Kumar addressed as 'VIP,' and one other person. They were charged under IPC sections 116 (abetment of offence punishable with imprisonment), 118 (concealing design to commit offence punishable with death or imprisonment for life), 120B (party to criminal conspiracy), 506 (criminal intimidation), and 34 (criminal act done by several people).
Four days after the new FIR was filed, the Kerala police conducted raids on Dileep’s home. Phones and devices belonging to Dileep and his relatives were seized. However, after an examination of the call detail records (CDR) on the phones, the police reportedly found that the phones were allegedly changed and all the seized phones were new ones. Police sources said that the phones were bought on January 9, the day the new FIR was registered.
Following this, the police filed a fresh application in the Kerala High Court for the older phones used by Dileep and others, during which Dileep's counsel said that the phones were sent to forensic experts in Mumbai, in connection with the actor assault case. The court, however, has asked that the phones be handed over, and be given to the Aluva Magistrate for custody.
Dileep, meanwhile, moved the Kerala High Court with an anticipatory bail plea. The hearing is still underway in the High Court.