RMP Forensic Investigation

DECODING MH370


Royal Malaysia Police Forensic Investigation of Captain Shah's Flight Simulator


Captain Zaharie Shah was the Pilot-in-Command (PIC) of Malaysia Airlines flight MH370, which went missing on Saturday, 8 March 2014. Captain Shah had a sophisticated Flight Simulator at his home, which the Royal Malaysia Police (RMP) seized on Saturday, 15 March 2014. The RMP then started a forensic investigation to determine whether any information on the flight simulator could relate to flight MH370.

This forensic investigation forms part of the overall Criminal Investigation into MH370. Related articles are indexed below.

Background

It is recommended to read the overview of Captain Shah's Flight Simulator before reading the articles about the forensic investigation. That overview collates information about Captain Zaharie Shah's flight simulator from his Facebook page and other sources, describing how it was upgraded during 2013 and developed to include motion simulation.

The Forensic Investigation of Captain Shah's Flight Simulator
  1. RMP Forensic Report - This report has not been released to the public. However, there is sufficient information about it to develop a description of what it contains.
  2. Forensic Investigation Process - A non-technical overview of the process involved in a forensic investigation of computer data, relating the stages to the recovery of data from Captain Shah's personal Flight Simulator. More detail is provided in the following articles:
  3. Data Discovery - This article provides details about the discovery of relevant data from the flight simulator.
    • Data Point - Investigators used different terminology to describe the recovered data. The term 'data point' is defined in this article.
    • Volume Shadow Information (VSI) file - The term Volume Shadow Information (VSI) file, used in an RMP Forensic Report, is not consistent with Microsoft terminology. This article suggests that the forensic investigator may have meant the System Volume Information folder, which contains files created by the Volume Shadow Copy Service. These terms are explained so that the reader can better understand where the recovered data came from and how it got there.
  4. Interpretation - Extracts from two official Reports which have used or interpreted results from the RMP Forensic Report.