RMP Forensic Investigation/Discovery
Data Discovery
This article describes part of the forensic investigation process - discovery. Information has been sourced from the several documents described in the article RMP Forensic Report.
Introduction
Captain Zaharie Shah was the Pilot-in-Command of Malaysia Airlines flight MH370 which went missing on Saturday, 8 March 2014. The Royal Malaysia Police (RMP) commenced their investigation on the same day, and visited the homes of both Captain Shah and the First Officer on Sunday, 9 March 2014.
On Saturday, 15 March 2014 Prime Minister Najib Razak made a Statement revealing that, based on satellite data (provided by Inmarsat), the aviation authorities of Malaysia and their international counterparts have determined that the plane’s last communication with the satellite was in one of two possible corridors: a northern corridor stretching approximately from the border of Kazakhstan and Turkmenistan to northern Thailand, or a southern corridor stretching approximately from Indonesia to the southern Indian ocean. On the same day, a team from the Royal Malaysia Police returned to Zaharie's house and seized his personal flight simulator.
The forensic investigation was then tasked with trying to find anything which could be related to, or explain, the disappearance of MH370.
Five Hard Disks
When Captain Shah's flight simulator was seized by the Royal Malaysia Police (RMP) it was photographed, labelled, documented, dismantled and taken to a secure facility where it may have been reassembled.
The forensic investigators used software called EnCase. Part of the process in an Investigation is to record components and details and Encase allocates a number to identify the item.
There were five hard disks installed inside the main computer case. These were allocated item numbers MK 22, MK 23, MK 24, MK 25 and MK 26. Using these numbers eliminates confusion about which drive or storage device is being referred to.
The disks found inside Zaharie's flight simulator computer are listed below:-
| Disk | ID |
|---|---|
| Seagate Barracuda 80 GB (4LR0NY8Y) | MK 22 |
| Western Digital 500 GB (WCAV95097190) | MK 23 |
| Western Digital 1TB (WMC1S2825793) | MK 25 |
| Sandisk Extream SSD 240 GB (125095402609) | MK 25 |
| Corsair Force SSD 240 GB (1233071380011540502) | MK 26 |
Investigators do not use the actual, original, disks when recovering data. Simply connecting a disk to a power source or a computer can compromise the data. The procedure is to create an Image of each disk. This is a bit by bit replica of the data stored on the disk. The quality of the image is checked against the original using an algorithm which calculates a hash value - if the original and image have the same hash value then the content must be identical. Two algorithms were used - MD5 (Message Digest 5) and SHA1 (Secure Hash Algorithm). When data is said to be recovered from MK 25 or MK 26 what is meant is that data was recovered from an image of the original disk MK 25 or MK 26 - and the forensic team could use the hash values prove that the image and original disk are identical.
Three Operating System Disks
Every computer needs at least one operating system disk. The Investigation found that Zaharie's flight simulator computer had three.
- MK 22 Seagate Barracuda 80 GB was formatted on 20 February 2014 as an operating system disk, with Microsoft Windows XP
- MK 25 Sandisk Extream SSD 240 GB was formatted on as an operating system disk, with Microsoft Windows 7 Ultimate
- MK 26 Corsair Force SSD 240 GB was formatted on as an operating system disk, with Microsoft Windows 7 Ultimate
Windows 7 Ultimate has all the media features of Windows 7 Home Premium and the business features of Windows 7 Professional, and can support Windows XP programs using XP Mode.
One Connected Disk MK 26
At the time that the flight simulator was seized by the RMP only one of the disk storage devices was connected.
This was MK26 - the Corsair Force 240 GB SATA-3 Solid State Drive.
If Zaharie wanted to change between operating system disks he could simply power the computer off, disconnect one disk and connect an alternate one. When powered up, the computer would start from the connected disk.
The reason for this may become apparent in a later Section.
Flight Simulator Software Versions
Zaharie used Microsoft Flight Simulator software. There are two main versions:-
- Microsoft Flight Simulator 2004, which is also called version 9 or FS9
- Microsoft Flight Simulator X, which is version 10 and also called FSX
Each of the 240 GB SSD disks had a different version of Microsoft Flight Simulator:-
- MK 25 - Sandisk Extream SSD 240 GB
- Microsoft Flight Simulator 9 was installed on 23 December 2013
However, this software application was uninstalled on 20 February 2014. - Mk 26 - Corsair Force SSD 240 GB
- Microsoft Flight Simulator X was installed on 20 December 2013
Zaharie had experienced some problems with FSX. The Investigation found that Windows Event Viewer on MK 26 held four application error (crash) reports caused by FSX. The Internet had also been used to search for solutions.
Simulated Aircraft
The Investigation found several different aircraft used for simulations. Log entries show the following:-
- Boeing 738
- Douglas DC3 (The airport selected for a Douglas DC3 simulation was CYZF. This is Yellowknife in Canada, where a DC3 crashed shortly after take-off on 19 August 2013.)
- Boeing 77L (this may be an abbreviation of 777-200LR)
Zaharie was a customer of PMDG Simulations which produces add-ons for flight simulator software. PMDG use the Long Range version of the Boeing 777 so if Zaharie was simulating a B777 then the aircraft would be a Boeing 777-200LR. By selecting Malaysia Airlines livery - the colour scheme used by MAS aircraft - Zaharie could make his simulated Boeing 777-200LR look like a Malaysian Airlines plane. The simulator would identify that as a Boeing 777-200LR Malaysia.
Focus of the Investigation
Following discovery of what was inside Zaharie's computer. the investigation focussed on discovery of any data that could be linked to the missing Malaysia Airlines Boeing 777-200 on flight MH370.
The focus included:-
- All five storage disks.
- Files generated by the flight simulator software, or saved by the flight simulator software, were analysed. File types or data formats are related to four events:-
- User access to the flight simulator application generates a Logbook.Bin file.
- If a user saves their session (or game) the application generates files *.FSSAVE, *.FLT, *.WX, and *.SPB
- If a user saves a flight planner the application generates a *.PLN file
- If a user saves their device configuration the application generates a *.CFG file. This file-type was not relevant to the investigation.
- Files deleted during normal operation of the flight simulator software. These files have file extensions *.FSSAVE, *.FLT, *.WX and *.SPB
- Data identified by the aircraft type PSS Boeing 777-200LR Malaysia No VC.
The table below shows the number of saved files on each disk.
| File Type | MK 22 | MK 23 | MK 24 | MK 25 | MK 26 |
|---|---|---|---|---|---|
| *.PLN | 0 | 1 | 1 | 62 | 27 |
| *.FLT | 0 | 106 | 105 | 348 | 112 |
| *.FSSAVE | 0 | 4 | 4 | 0 | 6 |
Forensic software tools enable an investigator to recover files which have been deleted, or fragments of files which have been over-written. These tools do not distinguish between a file or data which has been deleted as part of a normal process (such as when a software application is closed); or a file which has been deliberately deleted by the user, perhaps in attempt to hide something.
Seven Points of Interest
The discovery process identified seven data points of interest, described below:-
- All seven data points were recovered from a Volume System Information (VSI) File dated 3 February 2014.
- The VSI file was recovered from MK 25 - the Sandisk Extream SSD 240 GB drive
- Six of the seven data points included coordinates
- Two of the locations were in the southern Indian Ocean
- The document which has the diagram below does not provide the actual coordinates.
The relationship between these seven data points is shown in the diagram below.
Source: A Forensic Report dated 19 Mei 2014.
In this diagram the altitude is abbreviated ATT.
C, L and R are the Centre, Left and Right fuel tanks with current fuel shown as a percentage of capacity.
The Angle indicated has been calculated using the distance between adjacent locations and the change in altitude.
At Point 6 the altitude should have been written as 37651.09.
The final two points (in the southern Indian Ocean) are only 4km apart but the difference in altitude is 33651 feet!
The data provided in this diagram has been transcribed into the table below.
Fuel |
|||||
Point |
Location | Centre |
Left |
Right |
Altitude |
|---|---|---|---|---|---|
1 |
KLIA | 100% |
100% |
100% |
70' |
2 |
KLIA | 0% |
80% |
80% |
87.02' |
3 |
Selat Melaka (Off Sekinchan) | 10% |
99% |
99% |
23246.66' |
4 |
Pulau Perak (180km from Penang) | 9.9% |
99% |
99% |
32245.50' |
5 |
Andaman (250km to Nicobar Island) | 7.7% |
99% |
99% |
40003.3' |
6 |
Indian Ocean | 0% |
0% |
0% |
37651.09' |
7 |
Indian Ocean | 0% |
0% |
0% |
3999.99' |
Values transcribed from the Distance/Location diagram
Altitude is normally stated in feet. The unit of measurement, feet, is usually abbreviated ft, however an older method was to use ' to mean feet.
The fuel levels are expressed as a percentage of centre, left and right tank capacity.
Coordinates
The Preliminary Examination Report which covers the discovery process does not include the coordinate data for each of the 7 points. However, coordinates which match the data above is provided in other documents as described in the article RMP Forensic Report.
