IAS WhatsApp group row: Forensic report flags suspicious factory resets, no evidence for hacking
The forensic investigation into the complaint filed by IAS officer K Gopalakrishnan, who was suspended for allegedly creating WhatsApp groups with communal overtones, has revealed no evidence of hacking activity on his phone. The forensic report said that WhatsApp and Google confirmed that no unusual activity had been detected on the applications as of October 31. However, the probe noted that Gopalakrishnan repeatedly performed factory resets on his mobile devices, which wiped critical data clean.
According to the forensic report, Gopalakrishnan reset his phones on November 3, 5, and 6, after filing the complaint but before submitting the devices for examination. This act has raised suspicions, with Chief Secretary Sarada Muraleedharan issuing a charge memo alleging that the officer’s actions were questionable. The memo accuses Gopalakrishnan of creating WhatsApp groups with divisive names, such as 'Hindu Officer Group' and 'Muslim Officer Group', to incite disunity within the All India Service cadre in the state.
According to the forensic report, Gopalakrishnan, in his plaint, claimed unusual activity on his WhatsApp account on November 4, reporting that multiple accounts had been created and contacts were added without his consent. He stated that a fellow officer alerted him on October 31 about a WhatsApp group allegedly created using his account. Upon checking, he noticed unfamiliar groups with communal names -- 'Hindu Officer Group', 'Muslim Officer Group', etc. -- and immediately removed the members, deleted the groups, and uninstalled WhatsApp. He also performed a factory reset on his phone.
Investigators sought information from Meta Platforms Inc. under Section 94 of Bharatiya Nagarik Suraksha Sanhita (BNSS) to verify his claims. WhatsApp’s response indicated that the account was accessed only on a Samsung SM-S711B/DS device, but no IP details were provided. A follow-up request was sent to retrieve information on the groups created on October 31, but WhatsApp could only confirm the existence of current groups, with no data available on deleted ones.
Additionally, Google was requested to check for remote access applications installed or used on the phone, but it could not provide data specific to October 31. The IPDR analysis of Gopalakrishnan’s mobile numbers also revealed no suspicious remote access protocols.
Forensic examination of the devices—an Apple iPhone 12 Pro and a Samsung SM-S711B/DS—confirmed that the Samsung device, which hosted the WhatsApp account, had been factory reset multiple times, erasing all previous data. Attempts to recover the erased data were unsuccessful. The iPhone showed no evidence of hacking but had been forced to reset on November 5, further complicating the investigation.