RMP Forensic Investigation/Process

Police Custody

A Forensic Investigation is different from a similar process conducted by an IT Professional because the information obtained may be used as Evidence. The information has to be legally obtained and the whole process must be documented in a manner which will stand up in Court.

The first step is to take custody of the computer, data storage or system which may contain the evidence. Usually this requires a Warrant, which gives the Police the legal right to search premises and take custody of the items named in the Warrant.

The Royal Malaysia Police (RMP), also known as Polis DiRaja Malaysia (PDRM), visited the home of Captain Shah on Saturday, 15 March 2014 and removed his personal Flight Simulator. It was disassembled, packed into two vans, and taken to an RMP Forensic Laboratory (Makmal Forensik).

Identification

According to an official media statement:-

This statement makes it seem as though Zaharie's flight simulator was re-assembled and one could imagine it being operated while someone searched for useful data. That would be completely incorrect.

At the forensic laboratory the investigators would label each component using a schema which was generated from the forensic software tools they use. It seems that the PDRM used a product called EnCase which is an industry-standard forensic application. The computer case, which would include the main board, graphics cards etc. was numbered MK 20.

Inside the computer case were five storage devices. Three of those were magnetic disk drives, commonly called Hard Disks, and these were labelled MK 22, MK 23 and MK 24. Two of the storage drives were modern SATA Solid State Drives which are diskless. These drives were labelled MK 25 and MK 26.

Objective

An Investigation should have a pre-defined purpose or objective.

In the case of MH370, the aircraft had deviated from its' course and had not been located. The Pilot-in-Command was known to have a sophisticated flight simulator at his home. A question needed to be asked - would there be any evidence that could explain what happened? Was Captain Shah involved in any way? Was the diversion planned? Could data on the flight simulator provide any useful information?

The Investigator would then focus on files and data related to or generated by the flight simulator software application and generally ignore other programs and data.

Preparation

It is extremely important to avoid compromising the original data. An important step is to create 'images' of each storage device. Special software tools are required which copy the data from the original drives to new storage media without any alteration such as date changes. The Image and the Original drives are compared with algorithms called hash values which will only be equal if the image is a bit-by-bit replica of the original. Often more than one Image will be made so different people can work on it, but the Original will be sealed and locked away, uncorrupted.

So when it is said that data was recovered from Zaharie's flight simulator in reality the data would have been recovered from Images of each of his original storage devices.

Discovery

The next stage is to discover whatever may be interesting and relevant to the objective of the Investigation. For this it would be important to know which flight simulator software had been installed, and what type of files are used or generated by that software.

Zaharie had used Microsoft Flight Simulator which has two basic versions: the original one released in 2004 and updated to version 9, commonly called FS9; and version 10, commonly called FSX. User data such as a flight or flight plan or the state of play (it is regarded as a game) when the user saves their game, etc. is stored in different types of files. One of the most common has the format *.FLT.

Searching for all *.FLT files, and similarly with other file formats, may yield some results but the forensic investigator will also be looking for deleted files, backup files and file fragments - the pieces of files remaining after some of the data has been over-written. The forensic software, like EnCase, performs this role.

For example, the Investigators targeted three types of files associated with Microsoft Flight Simulator. The table below shows the number of files identified on each disk.

Focus

By this stage in the Investigation it was known that flight MH370 ended in the southern Indian Ocean.

The Investigators discovered two files which had coordinates for locations in the south Indian Ocean. This data was on disk MK 25 and the files were recovered from the System Volume Information folder. To be relevant, any other data would also have to be from the same folder on the same disk. All other data points could be eliminated. The Safety Investigation Report summarises the result:-

Verification

The RMP Forensic Investigators had identified over 2700 coordinates, recovered nearly 700 files created or saved by the Microsoft Flight Simulator application, and focussed on just seven which could create a flight path from KLIA to the southern Indian Ocean. So the RMP requested assistance from CyberSecurity Malaysia (part of the Malaysian Communications and Multimedia Commission) to verify the findings and, in particular, to prove that the recovered data was from *.FLT files.

Investigators from CyberSecurity Malaysia purchased components and built a flight simulator (which was less elaborate than Captain Shah's) at their Digital Forensics Laboratory. They installed Microsoft Flight Simulator X to create *.FLT files which had the same information as that recovered from disk MK 25 from Zaharie's flight simulator. To achieve this they generated a *.FLT file and then manually entered the coordinate information and corresponding flight information and saved it. This step was repeated seven times, to create a *.FLT file which matched each of the files recovered from the MK 25 disk. The results were viewed on-screen, captured using a screen-capture tool, and added to a Table which summarised the verification result..

Terminology

Each team of Investigators seems to have developed their own terminology to describe or refer to the recovered data. In essence, they all mean the same, but here are the different terms:-

Coordinates

The forensic investigators identified more than 2,700 coordinates. Most of those coordinates are simply the latitude and longitude of places, airports etc. within the Microsoft Flight Simulator application.
When the RMP Forensic Investigators referred to Coordinates 1 to 7 they were referring to a simulated aircraft (a Boeing 777-200LR) at a specific latitude and longitude (the coordinates), with other parameters such as fuel, altitude, pitch, bank and heading.

Route Point

The Investigators from CyberSecurity Malaysia must have realised that a coordinate only defines a location and that the relevant data was related to a Route eg. from KLIA to the southern Indian Ocean via the Andaman Sea, so they identified the data as relating to Route Point A, Route Point B etc.

Manually Programmed Waypoints

The Malaysian ICAO Annex 13 Safety Investigation Team for MH370 preferred to use an aviation term Waypoint instead of coordinate, but noted that the latitude and longitude for each of the seven Coordinates did not match any Waypoint in any published Airway Chart so defined them as 'manually programmed waypoints'. However, since a Waypoint is a location used for navigation, the use of the term 'manually programmed waypoints', in the context of the data recovered from Captain Shah's flight simulator, includes the parameters of the simulated aircraft, as above.

Data Points

The ATSB, in their report The Operational Search for MH370, used the term 'data point' to mean the data about the simulated aircraft at the point defined by it's coordinates.
A definition was not provided by the ATSB but a suitable definition has been developed here.

Context

It is good practice to include a context in a forensic investigation. This could explain what the data was used for, whether it was generated by the computer operator for their personal use, or for work-related or research purposes.

The CyberSecurity investigators discovered that Zaharie had experienced some computer software crashes caused by his installed version of FSX, and also a log entry where he had flown a DC3 simulated aircraft on 1 February 2014. Other simulations used the Boeing 777-200LR.

However, there is nothing in the information available to indicate whether the Investigators considered if Zaharie used his own flight simulator to generate scenarios he could use when conducting flight simulator training for Malaysia Airlines or related to any other emergency scenario used by MAS.

Analysis

The RMP also invited other specialists to assist with the Investigation and analysis, including several Boeing 777 operators, experts in flight simulators, and Information Technology (IT) professionals^[1]

Report

The Safety Investigation Report refers to a RMP Forensic Report dated 19 May 2014. This Report has not been made public.

As the RMP Investigation is conducted under Section 130C of the Penal Code, all reports, documents etc form evidence, and would be classified under the Official Secrets Act.

To access the data, hoping it might assist the search for the aircraft, the Australian Transport Safety Bureau requested the information via the Australian Federal Police. However, when referring to the recovered data points in the report The Operational Search for MH370 the ATSB was careful not to release the actual coordinates.

Leakage

Initially, the Media seemed to obtain information which was vague but included references to deleted data on Zaharie's flight simulator, a remote island in the Indian Ocean, and various other snippets of leaked data which inferred that the flight path of MH370 had been pre-planned by Captain Shah.

The first detailed leak was published by New York Magazine in July 2016. The article quoted an 'FBI Report' - which was unlikely but would shift the blame for the leak onto the FBI rather than the RMP. The headline read MH370 Pilot Flew a Suicide Route on His Home Simulator Closely Matching Final Flight. Several coordinates were subsequently published by journalist Jeff Wise and verified by a member of the Independent Group.

Since then there has been a major (unofficial) release of folders of documents from the RMP Investigation. So there are now several documents available on the Internet which may form part of, or early versions of, a RMP Forensic Report. Coordinate and flight information data from recovered data points can be determined from those documents.

Use and Interpretation

The RMP Forensic Report has been used by two official teams of investigators and extracts have been published or interpreted in two Reports:-

• The Operational Search for MH370 ATSB
• Safety Investigation Report by the Malaysian ICAO Annex 13 Safety Investigation Team for MH370

Summary

This article has described the data forensic investigation process as applied to the recovery of data from Captain Shah's personal flight simulator.

It has been shown that two teams - from the PDRM Forensic Laboratory and the CyberSecurity Malaysia Digital Forensics Laboratory - performed the data recovery and verification. And experts from other areas including Boeing 777 pilots and flight simulator experts were asked to assist.

A classified RMP Forensic Report exists and has been referred to by the Malaysian ICAO Annex 13 Safety Investigation Team for MH370 and the Australian Transport safety Bureau

However, some of the information contained within that Report was leaked and is now accessible on the Internet.