Defense in Depth Subscribe to Defense in Depth
April 30, 2008 11:58 AM PDT

Microsoft serves law enforcement free COFEE

Posted by Robert Vamosi

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) is available only to law enforcement.

(Credit: Microsoft)

This week, as first reported by CNET News.com, Microsoft talked publicly about COFEE, its free Computer Online Forensic Evidence Extractor. The company demonstrated the tool as part of a law enforcement conference held in Redmond.

COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab--files that are stored in active memory would otherwise be lost, for example.

COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Tech Crime Investigators Associate's (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft's Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.

COFEE consists of plain text scripts; the data collected from these scripts is routed to a provided USB drive. Although intended for use with a command line, there is also an option for GUI. Raw text captures generate either SH1 or md5 checksums. The results for an acquisition are then presented in either plain text or HTML. Each operation produces its own log file to help investigators.

Although Microsoft would not confirm any specific tools included within COFEE, it did say that all the tools were publicly available. A quick search by CNET revealed several free Windows-based digital forensic tool kits available for download. These include:

Several news reports have suggested that Microsoft is also providing law enforcement with new tools to defeat BitLocker in Windows Vista or access to a secret back door within Windows. A Microsoft spokesperson denied this, saying, "COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means." Microsoft also stressed that COFEE is still in beta.

"The key to COFEE is not new forensic tools," said Tim Cranton, associate general counsel for Microsoft, "but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."

More than 2,000 officials are using it worldwide, according to Microsoft.

Recent posts from Defense in Depth
ZoneAlarm virtualizes the desktop Internet browser
Yahoo e-mail accounts compromised for spammers' use
Skeleton key unlocks Microsoft SQL servers in latest Web attack
Web browsers and other mistakes
Goodbye Storm, Hello Srizbi
Add a Comment (Log in or register) 7 comments (Page 1 of 1)
Something smells funny here.
by russkeller April 30, 2008 5:21 PM PDT
Goodbye key loggers here come the ram snap shots. I'm going back to stone tablets.
Reply to this comment View all 2 replies
A reason not to trust Microsoft with your data
by tudza April 30, 2008 6:31 PM PDT
The idea that Microsoft wants to make it easier for people to take information off my machine, even if it's The Man, makes we wonder why I should trust them or their systems. This is like finding out the local locksmith is giving lock picking classes.
Reply to this comment View reply
by pdxsharkey May 8, 2008 8:19 PM PDT
Nothing really new actually. Take a look at Jesse Kornblum's FRED tool. Or our own OPEN SOURCE, not just for COPS tool, RAPIER. It's for incident handling and from what we have seen, COFEE is a falttering imitation of it. http://code.google.com/p/rapier/
Reply to this comment
by DetroitBill May 12, 2008 11:27 AM PDT
Um, and this is a threat how? Anybody handling sensitive information should be able to beat this device without skipping a beat. I won't go into details, but if you get a full second to respond, you should be able to defeat this attack. If you get two seconds, you should be able to turn your HD into an unreadable stone AND dispose of the evidence that you did so deliberately. Think 'single point of failure' and how to cause that failure on demand.
Reply to this comment
Powered by Jive Software

  • About Defense in Depth

  • With over eight years at CNET covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews with the top security researchers making the news as well as offering the hands-on, non-technical advice you'll need to stay safe online.

Add this feed to your online news reader
Google
Yahoo
MSN

Defense in Depth topics

Latest blog posts from News.com

Featured blogs

Beyond Binary by Ina Fried A look at how technology is changing our lives and at the people behind all that life-changing stuff.

Coop's Corner by Charles Cooper Charles Cooper weighs in on Silicon Valley hijinks, and he doesn't suffer fools gladly.

Geek Gestalt by Daniel Terdiman At the tech culture nexus of video games, fire art, and virtual worlds.

Green Tech Fresh green tech news and commentary.

One More Thing by Tom Krazit Tom Krazit takes on the tech phenomenon that is Apple, and keeps a close watch on the chip industry.

Outside the Lines by Dan Farber When business and technology meet, that's when things get interesting.

The Iconoclast by Declan McCullagh Exploring the intersection of politics and technology.

The Social by Caroline McCarthy Exploring all facets of social media and tech culture.

Underexposed by Stephen Shankland Coverage of digital photography, science, and open-source software.

Resource center from News.com sponsors

advertisement
Click Here
Welcome (log out) |View profile
Log in | Sign up Why join?
On GameSpot: Download game demos, patches, and more!
Advanced
search
advertisementStart Doing More with Windows Mobile
Advanced
search
Visit other CNET Networks sites: