CID informs PCoI of its inability to recover deleted data from the phone of ex-SIS Director
By Rathindra Kuruwita
The Digital Forensic Laboratory of the CID had been unable to recover deleted data from the mobile phone used by former Director of the State Intelligence Service (SIS) SDIG Nilantha Jayawardena during the Easter Sunday attacks, the PCoI probing the Easter Sunday attacks was told on Wednesday night.
OIC of the Digital Forensic Laboratory, Sampath Kumara Senaratne told the PCoI that Jayawardena’s wife was using the phone now and that Jayawardena told him that he conducted a factory reset before giving it to his wife. A factory reset restores an electronic device to its original system state by erasing all information stored on the device.
The PCoI in September ordered a mobile phone and a laptop used by the former State Intelligence Service (SIS) Director to be sent to the CID for extraction of data relevant to their investigation. SDIG Mahesh Welikanna, attached to the PCoI Police unit, was asked to take into custody the mobile phone that SDIG Jayawardena had used to record some of his conversations with senior security officials after the Easter Sunday attacks, and the laptop that he had been using to give evidence.
Chairman of PCoI also gave specific instructions to the SDIG of the CID about handling the devices. He said: “These devices must be opened before a representative of Jayawardena, two officers of PCoI police unit, a CERT official appointed to assist the PCoI and a representative of the current SIS Director. Any relevant data, in conversations recorded or in messaging applications, between January 01 and December 31, 2019, must be extracted in front of these individuals.”
The Chairman also ordered the SDIG of the CID to ‘hard delete’ (erase in a way that makes the data impossible to recover) personal data or information pertaining to national security. However, that did not apply to data pertaining to early warnings on the Easter Sunday attacks, any information on National Thowheed Jamaat (NTJ) or its leader Zahran Hashim, suicide bombers and those who were killed in Sainthamaruthu on April 26, 2019.
The Chairman said: “The CID must also see if there has been any deletion of data and see if they can be recovered. All the reports should be sent to PCoI secretary. After the investigations are over the phone and laptop should be returned to the PCoI secretary too.”
This task was entrusted to the OIC of the Digital Forensic Unit, who presented a report to the PCoI on Wednesday night. OIC Sampath Kumara Senaratne informed the Commission that since Jayawardena had done a factory reset there was no way of reproducing deleted content.
Chairman of the PCoI: “Did you ask SDIG Jayawardena why he had done a factory reset?”
OIC Senaratne: “He told me that he had given the mobile phone to his wife and that he had wanted to remove everything that could compromise national security from the phone.”
Chairman of the PCoI: “But you couldn’t verify when the data was deleted?”
OIC Senaratne: “No. Verifying the data would have required me to connect the phone to the Internet. However, I was working within certain limitations set by the PCoI. Moreover, in a digital forensic investigation, we usually don’t connect the phone to the Internet. So, I couldn’t verify when a factory reset was done.”
However, the CID had been able to recover some data that had been deleted from SDIG Jayawardena’s laptop, the PCoI was informed.
The OIC said that about 2.6 million deleted files had been recovered and that about 210 of them, relevant to the probe, had been handed over to the Presidential Commission Police Unit.