November 09, 2009

Microsoft Digital Forensics Tool Leaks Online

A secretive Microsoft utility called Computer Online Forensic Evidence Extractor (COFEE) has leaked online. An automated digital forensics tool for law-enforcement agencies, COFEE isn't available legally to individuals.

"COFEE brings together a number of common digital forensics capabilities into a fast, easy-to-use, automated tool for first responders. And COFEE is being provided—at no charge—to law enforcement around the world," a description of the tool reads.

"With COFEE, law-enforcement agencies without on-the-scene computer-forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence," the description continues. "An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a preconfigured COFEE device. This enables the officer to take advantage of the same common digital-forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer."

Microsoft ships COFEE on a tiny USB device to law-enforcement agencies in almost 190 countries worldwide. The company has been working with Florida State University and University College Dublin to develop future versions of COFEE that can adapt to the evolving needs of digital forensics.

Security researchers point out that COFEE provides no useful tools for individuals, though of course it's possible that criminals might investigate how the code works to find ways around its capabilities.

The most important aspect of this story, of course, is that I avoided obvious headline puns such as "Microsoft COFEE Leaks Online," "Microsoft COFEE: HOT!" or "CSI: Redmond." You're welcome.


Reader Comments
What does it look for? Kiddie ****?

paulusar1, November 09, 2009


"What does it look for? Kiddie ****?"

More than likely it's a search tool that can search for text in files that are present and/or searches for deleted files and traces of files that have been overwritten using data recovery techniques. Some data forensics tools can also scan images for specific faces or content too. I wonder how this would stack up against DoD-level data wipe tools.

I'd also imagine that there are brute-force password cracking tools in there, and/or a scan for insecure login accounts. It's always possible that it may take advantage of some kind of backdoor in Windows, or in the encryption standards that it uses (if one even exists - that's only speculation). If Microsoft developed this, then there's always a possibility that they developed some kind of mechanism where approved law officials would have easier access to user-encrypted data on Windows.

Waethorn, November 09, 2009


COFEE isn't a stand-alone tool itself. It's a set of scripts that run other tools (almost all of which are publicly available already) to gather forensic data. The goal of COFEE was to provide an easy-to-use way for untrained LEOs to gather forensic data without tainting it.

One other note: I don't think it's true that "COFEE isn't available legally to individuals". Microsoft hasn't released it, but there aren't any legal restrictions on possessing or using it, at least in the US.

paulrobichaux, November 09, 2009
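The comment above describes COFEE as a set of scripts that run other tools to gather forensic data without tainting it. As an added example, not COFEE's or Microsoft's code and assuming nothing about COFEE's internals, the following Python runner shows the one property that makes such a wrapper defensible as evidence: every command's output is stored together with its exact argv, a UTC timestamp, its exit status and a SHA-256 of the captured text, and the whole manifest gets its own digest, so anyone reviewing the collection later can check that nothing was altered. The command list, the manifest file name and the function names are placeholders chosen for illustration.

```python
# Added illustration of the "scripts that run other tools" collection model.
# Not COFEE code; the command list and file names below are assumptions.
import datetime
import hashlib
import json
import subprocess

# Placeholder step list. On the Windows hosts the comment has in mind a responder
# would list volatile-state commands such as netstat or tasklist; these POSIX
# commands are here only so the example runs offline on a typical Linux box.
DEMO_STEPS = [
    ("clock", ["date", "-u"]),
    ("kernel", ["uname", "-a"]),
]


def run_step(name, argv, timeout=30):
    """Run one read-only collection command and return an evidence record.

    The record keeps the exact argv, a UTC start timestamp, the exit status,
    the captured stdout and a SHA-256 of that stdout, so a later reader can
    check that the text was not altered after collection.
    """
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, check=False)
        stdout, status = proc.stdout, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing tool or a hang is itself worth recording, not a reason to abort.
        stdout, status = "", "error: " + exc.__class__.__name__
    return {
        "name": name,
        "argv": list(argv),
        "started_utc": started,
        "exit_status": status,
        "stdout": stdout,
        "sha256": hashlib.sha256(stdout.encode("utf-8")).hexdigest(),
    }


def collect(steps=DEMO_STEPS):
    """Run every step in order and never stop early, so the manifest is complete."""
    return [run_step(name, argv) for name, argv in steps]


def verify_record(record):
    """True if the stored stdout still matches the SHA-256 recorded with it."""
    digest = hashlib.sha256(record["stdout"].encode("utf-8")).hexdigest()
    return digest == record["sha256"]


def manifest_digest(records):
    """One digest over the whole manifest (canonical JSON) for the custody log."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def write_manifest(records, path):
    """Write records plus their overall digest as a JSON manifest."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"manifest_sha256": manifest_digest(records),
                   "records": records}, fh, indent=2)


if __name__ == "__main__":
    recs = collect()
    write_manifest(recs, "collection_manifest.json")  # constructed output path
    print(manifest_digest(recs))
```

The runner deliberately keeps going when a tool is missing or hangs and records that fact instead; a manifest with a gap a reviewer can see is more useful than a collection that silently stopped halfway. Note also that it only records what the commands printed; it does nothing to reduce the disk and memory activity that plugging in and running anything on a live system causes, which is the point raised further down the thread.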


"The goal of COFEE was to provide an easy-to-use way for untrained LEOs to gather forensic data without tainting it."

Uh oh. Looks like Steve Gibson won't be needed on Security Now anymore then. ;)

Waethorn, November 09, 2009


Despite not knowing anything about this tool, I disagree with Microsoft's statement about it. Heck, just plugging a USB device in is going to create disk activity, RAM activity, etc...possibly enough to compromise anything found on the PC.

scottm99999, November 09, 2009


Looks like it's perfect for identifying the victims of this nasty little Windows-only virus.

http://abcnews.go.com/Technology/wireStory?id=9028516

Another reason NOT to buy a PC.

infiniteloop, November 09, 2009


Ah, sweeps month. A story put together by someone who doesn't understand technology, doesn't cite statistics, or bother to indicate where the person actually got the virus.

infinitetroll - did you write it yourself?

Where to start....

First - it never says "Windows only".

Second - it never says how the person got infected. While it may have been a self-reproducing virus (what virus actually means), more than likely it was a trojan horse that the user launched without paying attention - something that can infect Windows, Linux or Mac.

Third - It never mentions what version of the OS, or if any AV or anti-malware software was installed. It also fails to mention if any patches were actually applied or if there was a firewall - again something that impacts any system.

Fourth - The FUD factor of "This could happen to you!!!" is about on par with "They stole my organs!" They don't cite any number of users this has happened to. The only numbers they do cite are the number of infected computers connected to the internet (20M) and total computers connected (1B). Looking at the number 20 million is classic FUD. Quick math shows it's 2%.

There's more, but frankly I've already spent more time on this than I care to.

jersey72, November 09, 2009


wtf can I get the Hot Coffee Mod, I've been drivin around for hours and I can't even find a paint booth!

sx4sport, November 09, 2009


"Heck, just plugging a USB device in is going to create disk activity, RAM activity, etc.."

I would imagine it would be a streamlined environment (knowing Microsoft, probably a customized, bootable WinPE USB stick) to get around that exact problem.

@sx4sport: +1

Does Microsoft have a DONUT app to go along with that? (or if you're in Canada, a TIMBIT app?)

Waethorn, November 10, 2009


 Windows IT Pro is a Division of Penton Media Inc.
 © 2010 Penton Media, Inc. Terms of Use | Privacy Statement