RMP Forensic Investigation/Process
This article describes the process of a forensic investigation of computer data and relates the stages to the recovery of data from Captain Shah's personal Flight Simulator.
Captain Shah was the Pilot-in-Command of Malaysia Airlines Flight MH370 which went missing on Saturday, 8 March 2014.
Linked articles provide more detail.
A forensic investigation differs from a similar exercise carried out by an IT professional because the information obtained may be used as evidence. The information has to be legally obtained, and the whole process, from seizure through imaging to analysis, must be documented as a chain of custody in a manner which will stand up in court.
The first step is to take custody of the computer, data storage or system which may contain the evidence. Usually this requires a Warrant, which gives the Police the legal right to search premises and take custody of the items named in the Warrant.
The Royal Malaysia Police (RMP), also known as Polis DiRaja Malaysia (PDRM), visited the home of Captain Shah on Saturday, 15 March 2014 and removed his personal Flight Simulator. It was disassembled, packed into two vans, and taken to an RMP Forensic Laboratory (Makmal Forensik).
According to an official media statement:-
Police visited the homes of the pilot and co-pilot again on Saturday 15 March. The pilot’s flight simulator was taken from his house with the assistance of his family. The simulator was re-assembled at police headquarters.
This statement makes it seem as though Zaharie's flight simulator was re-assembled, and one could imagine it being switched on and operated while someone searched for useful data. That would be completely incorrect: powering up and using the system would write to its storage devices (logs, caches, file timestamps) and so alter the evidence before it had been preserved.
At the forensic laboratory the investigators would label each component using an exhibit-numbering schema, which is then carried through into the case records of the forensic software they use. It seems that the PDRM used a product called EnCase, an industry-standard forensic application. The computer case, which would include the main board, graphics cards etc., was numbered MK 20.
Inside the computer case were five storage devices. Three of those were magnetic disk drives, commonly called hard disks, and these were labelled MK 22, MK 23 and MK 24. Two of the storage devices were modern SATA solid state drives, which have no spinning platters. These drives were labelled MK 25 and MK 26.
An Investigation should have a pre-defined purpose or objective.
In the case of MH370, the aircraft had deviated from its course and had not been located. The Pilot-in-Command was known to have a sophisticated flight simulator at his home. Several questions needed to be asked: would there be any evidence that could explain what happened? Was Captain Shah involved in any way? Was the diversion planned? Could data on the flight simulator provide any useful information?
The Investigator would then focus on files and data related to or generated by the flight simulator software application and generally ignore other programs and data.
It is extremely important to avoid compromising the original data. An early step is to create 'images' of each storage device: bit-for-bit copies made with dedicated imaging tools, normally through a hardware write blocker, so that nothing on the original is altered, not even a file-access timestamp. The image and the original drive are then compared by computing a cryptographic hash value of each (typically MD5 and/or SHA-1, recorded at acquisition time); the two values will only be equal if the image is a bit-by-bit replica of the original. Often more than one image will be made so different people can work on them, but the original will be sealed and locked away, uncorrupted.
So when it is said that data was recovered from Zaharie's flight simulator in reality the data would have been recovered from Images of each of his original storage devices.
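To make the verification step concrete, here is an added example (my code, not the RMP's, EnCase's or anything taken from this page) that hashes a 'device' and its image in one sequential pass, reports which digests disagree, and locates the first differing byte. It assumes the original would be read through a hardware write blocker, and it uses deterministic constructed data in temporary files in place of real drives; the flipped bit stands in for the kind of change that booting or mounting the original read-write would make.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB per call so a multi-TB drive never sits in RAM
# MD5/SHA-1 are what older acquisition tools record; SHA-256 added for a modern check
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_device(path, algorithms=ALGORITHMS):
    """Hash a device node or image file in one sequential pass.

    Every algorithm is updated from the same chunk, so the medium is read once.
    In a real acquisition `path` is the original behind a write blocker, or the
    image file produced by the imaging tool.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def first_difference(original, image):
    """Byte offset of the first mismatch between two files, or None if identical."""
    offset = 0
    with open(original, "rb") as a, open(image, "rb") as b:
        while True:
            ca, cb = a.read(CHUNK_SIZE), b.read(CHUNK_SIZE)
            if ca != cb:
                for i, (x, y) in enumerate(zip(ca, cb)):
                    if x != y:
                        return offset + i
                return offset + min(len(ca), len(cb))  # one side is shorter
            if not ca:
                return None
            offset += len(ca)


def verify_image(original, image):
    """Compare the digests of the original with the digests of its image."""
    orig, img = digest_device(original), digest_device(image)
    mismatched = [name for name in orig if orig[name] != img[name]]
    return {
        "match": not mismatched and os.path.getsize(original) == os.path.getsize(image),
        "mismatched": mismatched,
        "original": orig,
        "image": img,
    }


def write_temp(data):
    """Write bytes to a temporary file and return its path (stands in for a device)."""
    fd, path = tempfile.mkstemp(prefix="forensic-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo():
    """Constructed 1 MiB 'drive' (assumption: deterministic filler, not real data).

    One image is bit-exact; the other has a single flipped bit, the kind of change
    that operating the original read-write could cause.
    """
    drive = bytes(range(256)) * 4096
    original = write_temp(drive)
    clean_image = write_temp(drive)
    tampered = bytearray(drive)
    tampered[777_777] ^= 0x01  # flip one bit
    tampered_image = write_temp(bytes(tampered))
    return {
        "clean": verify_image(original, clean_image),
        "tampered": verify_image(original, tampered_image),
        "tampered_offset": first_difference(original, tampered_image),
    }


if __name__ == "__main__":
    result = run_demo()
    print("clean image matches:", result["clean"]["match"])
    print("tampered image matches:", result["tampered"]["match"],
          "first difference at byte", result["tampered_offset"])
```

In practice the acquisition tool records the original's digest at imaging time, and every later working copy is checked against that recorded value rather than by re-reading the original; the one-pass design matters because reading a large drive twice doubles the time the sealed exhibit spends connected to anything.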
The next stage is to discover whatever may be interesting and relevant to the objective of the Investigation. For this it would be important to know which flight simulator software had been installed, and what type of files are used or generated by that software.
Zaharie had used Microsoft Flight Simulator, of which two versions were then in common use: Flight Simulator 2004 (version 9, commonly called FS9) and Flight Simulator X (version 10, commonly called FSX). User data such as a flight or flight plan, or the state of play (it is regarded as a game) when the user saves their game, is stored in different types of files. One of the most common is the saved-flight file, *.FLT, a plain-text file recording the position and state of the simulated aircraft at the moment it was saved.
Searching for all *.FLT files, and similarly with other file formats, may yield some results but the forensic investigator will also be looking for deleted files, backup files and file fragments - the pieces of files remaining after some of the data has been over-written. The forensic software, like EnCase, performs this role.
For example, the Investigators targeted three types of files associated with Microsoft Flight Simulator. The table below shows the number of files identified on each disk.
| File Type | MK 22 | MK 23 | MK 24 | MK 25 | MK 26 |
|---|---|---|---|---|---|
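As an added example (my code, not the RMP's or CyberSecurity Malaysia's), here is a carver for *.FLT position data that works on raw bytes, so it applies equally to an intact file, a fragment in unallocated space or data inside a shadow-copy blob, which is the situation described above. It assumes the INI-style layout of FSX saved flights, with Latitude and Longitude stored as hemisphere-prefixed degrees/minutes/seconds strings (a format detail assumed from general knowledge of FSX, not from this page), converts them to decimal degrees, and flags any complete position inside an assumed southern Indian Ocean bounding box. The embedded sample blob and every coordinate in it are constructed for the demonstration and are not the recovered data.

```python
import re

# DMS body shared by Latitude/Longitude values, e.g. 2° 44' 44.00"
# \xc2? tolerates a UTF-8 encoded degree sign after the latin-1 decode below
DMS_BODY = r'''(\d{1,3})\xc2?°\s*(\d{1,2})'\s*(\d{1,2}(?:\.\d+)?)"'''
DMS_RE = re.compile("([NSEW])" + DMS_BODY)
LAT_RE = re.compile(r"Latitude=([NS]" + DMS_BODY + ")")
LON_RE = re.compile(r"Longitude=([EW]" + DMS_BODY + ")")
# Other SimVars keys worth carrying along when they survive next to the position
STATE_RE = re.compile(r"^(Altitude|Pitch|Bank|Heading)=([^\r\n]*)", re.M)

# Assumed bounding box for "southern Indian Ocean"; not a value from the investigation
SIO_LAT = (-45.0, -10.0)
SIO_LON = (60.0, 120.0)


def dms_to_decimal(text):
    """'S35° 10' 00.00"' -> -35.1667 (south and west are negative)."""
    m = DMS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a DMS coordinate: %r" % text)
    hemi, deg, minutes, seconds = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemi in "SW" else value


def classify(lat, lon):
    if SIO_LAT[0] <= lat <= SIO_LAT[1] and SIO_LON[0] <= lon <= SIO_LON[1]:
        return "southern Indian Ocean"
    return "elsewhere"


def carve_positions(blob, window=160):
    """Find every Latitude= value in raw bytes and pair it with the Longitude= that
    follows within `window` bytes. Records without a longitude are kept but marked
    incomplete, so a truncated fragment is reported rather than silently dropped."""
    # latin-1 maps each byte to one code point, so string offsets equal byte offsets
    text = blob.decode("latin-1")
    records = []
    for lat_m in LAT_RE.finditer(text):
        rec = {"offset": lat_m.start(), "lat": dms_to_decimal(lat_m.group(1)),
               "lon": None, "complete": False}
        tail = text[lat_m.end():lat_m.end() + window]
        lon_m = LON_RE.search(tail)
        if lon_m:
            rec["lon"] = dms_to_decimal(lon_m.group(1))
            rec["complete"] = True
            rec["region"] = classify(rec["lat"], rec["lon"])
            for key, val in STATE_RE.findall(tail):
                rec[key.lower()] = val.strip()
        records.append(rec)
    return records


# Constructed sample: an intact [SimVars.0] block near KLIA, a bare position fragment
# with an arbitrary southern-ocean point, and a fragment cut off mid-key, separated by
# filler bytes as in unallocated space. None of these values are the recovered data.
INTACT = ("[Main]\r\nTitle=Constructed sample flight\r\nAppVersion=10.0.61472\r\n\r\n"
          "[SimVars.0]\r\nLatitude=N2° 44' 44.00\"\r\nLongitude=E101° 42' 36.00\"\r\n"
          "Altitude=+000070.00\r\nPitch=0\r\nBank=0\r\nHeading=0\r\n")
FRAGMENT = "Latitude=S35° 10' 00.00\"\r\nLongitude=E90° 30' 00.00\"\r\nAltitude=+035000.00\r\n"
TRUNCATED = "Latitude=S20° 00' 00.00\"\r\nLongi"
SAMPLE_BLOB = (b"\x00" * 64 + INTACT.encode("latin-1") + b"\xff" * 512
               + FRAGMENT.encode("latin-1") + b"\x00" * 300
               + TRUNCATED.encode("latin-1") + b"\x00" * 32)


def carve_sample():
    return carve_positions(SAMPLE_BLOB)


if __name__ == "__main__":
    for rec in carve_sample():
        print(rec)
```

The point of working on bytes rather than on files is that a fragment recovered from unallocated space or from a shadow copy has no filename and often no section headers; the carver reports the byte offset of each hit so that a hit can be tied back to the exhibit and sector it came from, and it keeps the incomplete record visible instead of quietly losing it.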
By this stage in the Investigation it was known that flight MH370 ended in the southern Indian Ocean.
The Investigators discovered two files which had coordinates for locations in the southern Indian Ocean. This data was on disk MK 25 and the files were recovered from the System Volume Information folder, the hidden folder in which Windows keeps Volume Shadow Copy snapshots and restore-point data rather than a user's own saved flights; fragments found there cannot readily be attributed to a particular original file. To be relevant, any other data would also have to be from the same folder on the same disk. All other data points could be eliminated. The Safety Investigation Report summarises the result:-
The RMP Forensic Report dated 19 May 2014 documented more than 2,700 coordinates retrieved from separate file fragments and most of them are default game coordinates.
It was also discovered that there were seven ‘manually programmed’ waypoint coordinates ... that when connected together, will create a flight path from KLIA to an area south of the Indian Ocean through the Andaman Sea. These coordinates were stored in the Volume Shadow Information (VSI) file dated 03 February 2014. The function of this file was to save information when a computer is left idle for more than 15 minutes. Hence, the RMP Forensic Report could not determine if the waypoints came from one or more files.
The RMP Forensic Investigators had identified over 2,700 coordinates, recovered nearly 700 files created or saved by the Microsoft Flight Simulator application, and focussed on just seven which could create a flight path from KLIA to the southern Indian Ocean. So the RMP requested assistance from CyberSecurity Malaysia, the national cyber security specialist agency, to verify the findings and, in particular, to prove that the recovered data was from *.FLT files.
Investigators from CyberSecurity Malaysia purchased components and built a flight simulator (less elaborate than Captain Shah's) at their Digital Forensics Laboratory. They installed Microsoft Flight Simulator X to create *.FLT files which had the same information as that recovered from disk MK 25 from Zaharie's flight simulator. To achieve this they generated a *.FLT file, then manually entered the coordinate information and corresponding flight information, and saved it. This step was repeated seven times, to create a *.FLT file matching each of the files recovered from the MK 25 disk. The results were viewed on-screen, captured using a screen-capture tool, and added to a table which summarised the verification result. Note that reproducing a *.FLT file containing the same values shows that the recovered fragments are consistent with the *.FLT format; on its own it does not establish which file on the original disk they came from.
Each team of investigators seems to have developed its own terminology to describe or refer to the recovered data. In essence they all mean the same thing, but here are the different terms:-
- Coordinates
- The forensic investigators identified more than 2,700 coordinates. Most of those coordinates are simply the latitude and longitude of places, airports etc. within the Microsoft Flight Simulator application. When the RMP Forensic Investigators referred to Coordinates 1 to 7 they were referring to a simulated aircraft (a Boeing 777-200LR) at a specific latitude and longitude (the coordinates), together with other parameters such as fuel, altitude, pitch, bank and heading.
- Route Point
- The Investigators from CyberSecurity Malaysia must have realised that a coordinate only defines a location and that the relevant data related to a route, e.g. from KLIA to the southern Indian Ocean via the Andaman Sea, so they identified the data as relating to Route Point A, Route Point B etc.
- Manually Programmed Waypoints
- The Malaysian ICAO Annex 13 Safety Investigation Team for MH370 preferred the aviation term 'waypoint' to 'coordinate', but noted that the latitude and longitude of each of the seven coordinates did not match any waypoint on any published airway chart, so defined them as 'manually programmed waypoints'. However, since a waypoint is a location used for navigation, the term 'manually programmed waypoints', in the context of the data recovered from Captain Shah's flight simulator, also encompasses the parameters of the simulated aircraft, as above.
- Data Points
- The ATSB, in their report The Operational Search for MH370, used the term 'data point' to mean the data about the simulated aircraft at the point defined by its coordinates.
A definition was not provided by the ATSB but a suitable definition has been developed here.
It is good practice to establish context in a forensic investigation. This could explain what the data was used for, and whether it was generated by the computer operator for their personal use, for work-related purposes or for research.
The CyberSecurity Malaysia investigators discovered that Zaharie had experienced some software crashes caused by his installed version of FSX, and also a log entry showing that he had flown a simulated DC-3 on 1 February 2014. Other simulations used the Boeing 777-200LR.
However, nothing in the information available indicates whether the Investigators considered the possibility that Zaharie used his own flight simulator to generate scenarios for the flight simulator training he conducted for Malaysia Airlines, or for any other emergency scenario used by MAS.
The RMP also invited other specialists to assist with the Investigation and analysis, including several Boeing 777 operators, experts in flight simulators, and Information Technology (IT) professionals.
The Safety Investigation Report refers to a RMP Forensic Report dated 19 May 2014. This Report has not been made public.
As the RMP Investigation is conducted under Section 130C of the Penal Code, all reports, documents etc. form evidence and would be classified under the Official Secrets Act.
To access the data, hoping it might assist the search for the aircraft, the Australian Transport Safety Bureau requested the information via the Australian Federal Police. However, when referring to the recovered data points in the report The Operational Search for MH370 the ATSB was careful not to release the actual coordinates.
Initially, the media seemed to obtain information which was vague but included references to deleted data on Zaharie's flight simulator, a remote island in the Indian Ocean, and various other snippets of leaked data which implied that the flight path of MH370 had been pre-planned by Captain Shah.
The first detailed leak was published by New York Magazine in July 2016. The article quoted an 'FBI Report', which seems unlikely but would shift the blame for the leak onto the FBI rather than the RMP. The headline read MH370 Pilot Flew a Suicide Route on His Home Simulator Closely Matching Final Flight. Several coordinates were subsequently published by journalist Jeff Wise and verified by a member of the Independent Group.
Since then there has been a major (unofficial) release of folders of documents from the RMP Investigation. So there are now several documents available on the Internet which may form part of, or early versions of, a RMP Forensic Report. Coordinate and flight information data from recovered data points can be determined from those documents.
Use and Interpretation
The RMP Forensic Report has been used by two official teams of investigators and extracts have been published or interpreted in two Reports:-
- The Operational Search for MH370 ATSB
- Safety Investigation Report by the Malaysian ICAO Annex 13 Safety Investigation Team for MH370
This article has described the data forensic investigation process as applied to the recovery of data from Captain Shah's personal flight simulator.
It has been shown that two teams - from the PDRM Forensic Laboratory and the CyberSecurity Malaysia Digital Forensics Laboratory - performed the data recovery and verification. And experts from other areas including Boeing 777 pilots and flight simulator experts were asked to assist.
A classified RMP Forensic Report exists and has been referred to by the Malaysian ICAO Annex 13 Safety Investigation Team for MH370 and the Australian Transport Safety Bureau.
However, some of the information contained within that Report was leaked and is now accessible on the Internet.
Notes and References
- On 19 March 2014 the New Straits Times quoted the Home Minister, Datuk Seri Ahmad Zahid Hamidi:-
“The police had invited several Boeing 777 operators and also those who were experts in flight simulators, as well as Information Technology (IT) professionals to assist in the probe,” he told a press conference, near here, this afternoon.
Source: http://www.nst.com.my/latest/font-color-red-missing-mh370-font-zahid-data-deleted-from-pilot-s-simulator-1.521285# Note: as of 8 April 2019, page not found.