Dileep case: has the memory card been exchanged or copied, a cybersecurity expert intervenes

A forensic report released in a police request found the card, containing footage of the actress’ 2017 assault, was last viewed in July 2021 when she was in court in Trial Judge Honey M Varghese.

Five days ago, when a new forensic report came out as part of a petition filed by the Kerala Police in the actor assault case, there were startling revelations. He said the memory card, containing footage of the attack on the actor in February 2017, had been viewed three times while it was believed to be in court custody. He was last seen – in July 2021 – at Judge Honey M Varghese’s Ernakulam Court of Extra Special Sessions, where the case is being tried. Now, there seem to be more missing details to worry about, according to international cybersecurity specialist Sangameswaran Manikkyam Iyer.

“The issue is that there is no serial number for the memory card mentioned anywhere in the report. This is a concern because without it we cannot be sure if it is the original memory card that was collected as evidence in 2017, or if it was swapped with another,” Sangameswaran told TNM.

Every memory card manufacturer will have a serial number, using which law enforcement agencies around the world track details such as who purchased the device, where, year of manufacture, etc. The memory card in this case contains eight video files, identified as those linked to the sexual assault of a prominent actress in a moving car in Kochi five years ago. The case drew attention when another popular actor, Dileep, was accused of being the mastermind of the attack. In the years since the attack, the device containing the visuals of the attack has been moved to multiple courts and is currently in Judge Honey’s trial court.

“It could be serious, this lack of serial number. Eight video files were found in connection with the incident. Let’s say there were other files in the memory card, which may or may not be related to the crime. If these files are modified or deleted, the hash value of the memory card may change, even if the hash value of individual files does not change. Another possibility is that the original memory card was replaced with another containing the same eight files, with some of the other files having been deleted or modified,” explains Sangameswaran.

The hash value it mentions is a string of alphanumeric characters, unique for a device and used to identify it. The forensic report mentioned that the hash value of the memory card – called the volume hash – changed, while that of the eight individual files did not. This means that the eight files have not been modified or replaced, but changes have been made to the memory card. This has raised concerns, particularly with the forensic report mentioning that the card was last accessed using a mobile phone, indicating the presence of messaging apps such as WhatsApp and Telegram, and Instagram social media app. This raises serious concerns as to whether the contents of the card have been copied and sent using these apps to another device.


How has the hash value changed?

“In the forensic report, there is a clear mention of the insertion of this memory card into a mobile phone, the brand name of which appears in the report. It was running on an Android operating system and there is a capture of specific applications such as WhatsApp and Telegram installed on the mobile device.The Android operating system will mount the memory card (inserted) as part of the system and attempt to write system information to the memory card. that the information from the messaging apps was written as a system file to the card, which changed the hash value of the volume,” Sangameswaran explains.

This means that the hash value of the memory card has changed because the mobile device it was inserted into has added system information to the card. Any changes to the card would alter its hash value.


Have the video files been copied?

But at this point, there is no way to know if an exfiltration has occurred, that is, if the contents of the memory card have been copied to another device. “Further analysis using advanced and specialized forensic tools may be required to find out what happened. Files can be copied over different channels – sent as a message or as an attachment to a email, copied to the Android phone (in which the card was inserted), then to another memory card, played back on the device and the screen captured by the same or another device. less to examine the phone in which the card was used and carry out a detailed analysis.

The report mentioned details of the phone – a Vivo, using service provider Jijo. It is also not clear whether other applications (besides Whatsapp, Telegram or Instagram) were being used on the phone at the time the memory card was inserted. Not all apps running on the phone need to write system files to the memory card, as some of them require specific permissions.


Hash value of individual files

Sangameswaran also makes another important observation. In the various tables of the forensic report, the last access date of the eight individual files remains unchanged since the last time the card was consulted – December 13, 2018. This was the last access date mentioned in a previous forensic report. , revealing that the videos were viewed when they were in Ernakulam Main and Sessions Court, before they reached Judge Honey Court. The original last access date was February 18, 2017, one day after the crime.

Even in the new forensic report, the last access to these individual files is mentioned in December 2018, not July 2021. But this does not necessarily mean that in July 2021 only the memory card was accessed and the files were not affected, Sangameswaran said. . “The file properties – which include the date of last access – are not a reliable source and can be easily tampered with, without modifying the contents of the file. Thus, the hash value will not change either. This is one of the possibilities,” he said. He based all of his analyzes solely on the forensic report attached to the police request, he said.

Lily: Dileep case: Has the memory card been tampered with? A cybersecurity expert explains

About Donald J. Beadle

Check Also

Hangzhou hosts cybersecurity forum ahead of Asian Games

You viewed more than 50 articles in the last 12 months. Keep Olympic News Free …