Reports/RMP/Flight Simulator Analysis/1 RMP Forensic Report

MH370 DECODED
Jump to navigation Jump to search


Royal Malaysia Police Forensic Investigation of Captain Shah's Flight Simulator

1) RMP Forensic Report

Background

Malaysia Airlines flight MH370 went missing on Saturday, 8 March 2014. The aircraft departed Kuala Lumpur International Airport at 00:42 MYT and was expected to land in Beijing Beijing at 06.30 MYT the same day. Instead, the aircraft diverted west across the Malay Peninsula, travelled north-west toward the Andaman Sea, and then turned south. The flight is believed to have ended in the southern Indian Ocean.

The Pilot-in-Command was Captain Zaharie Shah, a respected and experienced pilot who had been flying with Malaysia Airlines throughout his career. Following the 'disappearance' of flight MH370 the Royal Malaysia Police commenced an Investigation during which they discovered that Captain Shah had a sophisticated flight simulator at his home. Those who knew Zaharie personally, or were friends through a community of flight simulator enthusiasts, knew about the simulator that he constructed, so it was no secret. However, it was of interest to the RMP so the simulator was taken into custody and then evaluated to determine whether there was any data of interest to their investigation into MH370. Of particular interest would be any data that may show evidence of planning for the flight diversion and/or data which could assist in the search efforts which had, by then, included the Indian Ocean.

The term forensic is appropriate when scientific methods are used to solve a crime. Although commonly used in relation to deceased persons, forensic investigations can be undertaken in other contexts, such as industrial accidents, and cyber crimes. Different tools are used in each context, but a forensic investigation always requires suitably qualified persons, standardised processes, and documentation, which would meet the evidence requirements of a Court.

The outcome of a forensic investigation is likely to be a Report, or a compilation of several reports each created by experts in their own field, together with descriptions of the actual evidence, an outline of the process, and a summary or conclusion based on the evaluation of the evidence.

However, the Royal Malaysia Police has not released any report to the public related to MH370, nor are they likely to. When the Australian Transport Safety Bureau wanted to know if any data had been discovered on Captain Shah's personal flight simulator, protocol required that the request be handled by the Australian Federal Police (AFP). The requested information was conveyed by the Royal Malaysia Police to the Australian Federal Police on 19 April 2014, thence to the Australian Transport Safety Bureau and the Australian Maritime Safety Authority. There is no mention of a formal report at that time.[1]

However, it was the ATSB which made public various facts about the data recovered from the Pilot in Command’s flight simulator[2] when their final report The Operational Search for MH370 was published in October 2017. Prior to then there had been rumours, speculation and possibly leaked information, but no official confirmation of the fact that data recovered from Captain Shah's personal flight simulator included two data points in the southern Indian Ocean.

More detail was included in The Safety Investigation Report MH370/01/2018 by The Malaysian ICAO Annex 13 Safety Investigation Team for MH370. This Report confirmed the existence of the Royal Malaysia Police’s Report on Flight Simulator of PIC[3], referred to as an RMP Forensic Report dated 19 May 2014 .

Summary

  • The Royal Malaysia Police seized a flight simulator from the home of Captain Zaharie Shah, who was the Pilot-in-Command of Malaysia Airlines flight MH370 when it went missing on Saturday, 8 March 2014.
  • The forensic investigation of the flight simulator is documented in an RMP Forensic Report dated 19 May 2014.
  • Data recovered during the forensic investigation of the flight simulator was provided to the Australian Transport Safety Bureau and the Australian Maritime Safety Authority. The ATSB described that data in the report The Operational Search for MH370.
  • The Malaysian ICAO Annex 13 Safety Investigation Team for MH370 subsequently referred to the RMP Forensic Report in the Safety Investigation Report MH370/01/2018.
  • The RMP Forensic Report has not been officially released to the public.




Document List

Relevant information contained within the RMP Folders circulated on the Internet is in several separate documents which have been combined with other scanned pages to create larger files. Although appearing genuine, these are not Official documents released to the public with version control and provenance (a chain of custody and guarantee of authenticity). The separate documents are described below:-

  1. A Preliminary Examination Report [4] dated 19 MEI 2014 and written in Malay seems to be the first Report. This Investigation was conducted by the computer crime section of the Royal Malaysia Police forensic laboratory and the Report was signed by a single Investigation Officer. It documents the process of discovery of seven data points[5] from disk MK 25, including the two data points located in the southern Indian Ocean but does not include the actual coordinates. A diagram does, however, illustrate a possible relationship between the seven data points, using altitude, fuel levels and distance between each location. This report concluded (paraphrased) that the computer was used mainly for playing the Flight Simulator game; inspection of all the disks found that there was no unusual activity; and found no information to show any plan to [get rid of (or) terminate] MH370.

  2. A Preliminary Case Report [6] dated 19 May 2014 is written in English, apparently by staff of CyberSecurity Malaysia which had been asked to assist the PDRM in their investigation. An Appendix A is attached to the report - see below for details. This report is signed by two analysts, neither of whom wrote the Preliminary Examination Report.
    The Investigators assembled a flight simulator from purchased components, less sophisticated than Zaharie's, but sufficient to use the Flight simulator software and verify that the recovered data is from *.FLT files. An additional objective of their investigation was to analyze the seven (7) coordinates found in the MK25 exhibit. A The coordinate data is in a Table, with latitude, Longitude, Altitude, Pitch, Bank and Head (Heading).

  3. Appendix A   7 Extracted Coordinates From MK25 [7] is a poor quality scan of a data printout from the MK 25 System Volume Information file included with the Preliminary Case Report. The printout contains 30 pages of data (with no blank pages) so holds more information than Appendix M-1 (below). However, there are many lines of unreadable characters which may have been omitted from Appendix M-1 because they seem meaningless. The coordinates are the same; parameter values seem the same; but this Appendix contains some parameters and values which are not in Appendix M-1.

  4. Analysis on Simulator Data From Captain MH370 Pilot's House. [8] This is a 2-page document with a Table containing six[5] coordinates labelled Route A to Route F and data including Latitude, Longitide, Altitude, Speed (No Data) and Fuel. A diagram shows Point A to Point F plotted on Google Earth. It is stated (incorrectly) that:-
    This particular flight path was found in windows restore point file, deleted files and unallocated cluster files of hard disk labelled as MK22 and MK25[9]. Detailed extract of this flight path can be found in Appendix M-1.

  5. Appendix M-1 [10] contains the Recovered Simulation Data From Zaharie's Flight Simulator That was taken from his House in 27 pages of data printed from the recovered files. Each data point is labelled Route A, Route B etc to Route F: a total of six sets of data. Data for each 'Route' comprises parameters for the simulated aircraft including latitude, longitude, altitude, pitch, bank, heading, fuel levels and more - approximately 4 1/2 pages per 'Route'. Some pages are blank and some data sets are not complete.




NEXT: 2 Forensic Investigation Process




References
  1. The Operational Search for MH370 (ATSB) Table 15: Second refinement to surface search area (3–28 April 2014)
    "MH370 PIC Microsoft flight simulator data analysis provided to AMSA/ ATSB by Australian Federal Police (19 April 2014)".
  2. The Operational Search for MH370 (ATSB) Pilot in Command’s flight simulator
  3. Safety Investigation Report MH370/01/2018 The Malaysian ICAO Annex 13 Safety Investigation Team for MH370, 1.5.3 2) Royal Malaysia Police’s Report on Flight Simulator of PIC
  4. Source: MH370-RMP-Folder-1-Pilot
  5. 5.0 5.1 Although seven data points were initially identified, it seems that as the investigation progressed one was discarded. The ATSB report refers to six data points; the Annex 13 Team referred to the original seven data points. The discarded point was one of two data points at KLIA and therefore not significant.
  6. Source: MH370-RMP-Folder-1-Pilot
  7. Source: MH370-RMP-Folder-1-Pilot
  8. Source: MH370-RMP-Folder-4-SKMM-Analysis-Communications-and-Multi-Media
  9. According to other documents the only source of data was the Volume System Information file recovered from disk MK 25
  10. Source: MH370-RMP-Folder-Appendix Appendix M-1