April 30, 2008 11:58 AM PDT

Microsoft serves law enforcement free COFEE

Posted by Robert Vamosi

Microsoft's Computer Online Forensic Evidence Extractor (COFEE) is available only to law enforcement.

(Credit: Microsoft)

This week, as first reported by CNET News.com, Microsoft talked publicly about COFEE, its free Computer Online Forensic Evidence Extractor. The company demonstrated the tool as part of a law enforcement conference held in Redmond.

COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab: data held only in active memory, for example, would otherwise be lost.

COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Tech Crime Investigators Association's (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft's Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.

COFEE consists of plain text scripts; the data collected by these scripts is routed to a provided USB drive. Although intended for use from a command line, a GUI option is also available. Raw text captures are checksummed with either SHA-1 or MD5. The results of an acquisition are then presented in either plain text or HTML, and each operation produces its own log file to help investigators.
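The collection pipeline that paragraph describes (run a command on the live system, save the raw capture to the drive, checksum it, log each operation separately, and write a plain-text manifest) in minimal form. This is an added illustration, not COFEE's own code; the command list, file layout and the `runner` hook are assumptions, and `runner` exists so the pipeline can be exercised offline with constructed output.

```python
import hashlib
import os
import subprocess
import tempfile
import time

# Constructed default operations; the page does not name COFEE's commands.
DEFAULT_OPERATIONS = [
    ("hostname", ["hostname"]),
    ("env", ["env"]),
]


def _subprocess_runner(argv):
    """Default runner: execute argv and return (exit_code, raw_bytes)."""
    p = subprocess.run(argv, capture_output=True, timeout=60)
    return p.returncode, p.stdout + p.stderr


def run_operation(name, argv, out_dir, runner=None):
    """Run one command, store its raw capture, hash it, and log metadata."""
    runner = runner or _subprocess_runner
    started = time.time()
    rc, raw = runner(argv)
    raw_path = os.path.join(out_dir, f"{name}.txt")
    with open(raw_path, "wb") as f:
        f.write(raw)
    sha1 = hashlib.sha1(raw).hexdigest()
    md5 = hashlib.md5(raw).hexdigest()
    log_path = os.path.join(out_dir, f"{name}.log")  # one log per operation
    with open(log_path, "w") as f:
        f.write(f"operation={name}\nargv={' '.join(argv)}\n")
        f.write(f"started={started:.3f}\nelapsed={time.time() - started:.3f}\n")
        f.write(f"exit_code={rc}\nbytes={len(raw)}\nsha1={sha1}\nmd5={md5}\n")
    return {"name": name, "exit_code": rc, "sha1": sha1, "md5": md5,
            "raw": raw_path, "log": log_path}


def collect(out_dir=None, operations=DEFAULT_OPERATIONS, runner=None):
    """Run every operation and write a plain-text manifest of the captures."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="acq_")
    os.makedirs(out_dir, exist_ok=True)
    results = [run_operation(n, a, out_dir, runner) for n, a in operations]
    with open(os.path.join(out_dir, "manifest.txt"), "w") as f:
        for r in results:
            f.write(f"{r['name']}\t{r['exit_code']}\t{r['sha1']}\t{r['md5']}\n")
    return results


def verify(results):
    """Re-hash the saved captures; any mismatch means a capture was altered."""
    for r in results:
        with open(r["raw"], "rb") as f:
            data = f.read()
        if hashlib.sha1(data).hexdigest() != r["sha1"]:
            return False
    return True
```

Running `collect()` with the defaults executes the constructed command list on the current host and writes the captures, per-operation logs and manifest into a fresh temporary directory.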

Although Microsoft would not confirm any specific tools included within COFEE, it did say that all the tools were publicly available. A quick search by CNET revealed several free Windows-based digital forensic tool kits available for download. These include:

Several news reports have suggested that Microsoft is also providing law enforcement with new tools to defeat BitLocker in Windows Vista or access to a secret back door within Windows. A Microsoft spokesperson denied this, saying, "COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means." Microsoft also stressed that COFEE is still in beta.

"The key to COFEE is not new forensic tools," said Tim Cranton, associate general counsel for Microsoft, "but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."

More than 2,000 officials are using it worldwide, according to Microsoft.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
Something smells funny here.
by russkeller April 30, 2008 5:21 PM PDT
Goodbye keyloggers, here come the RAM snapshots. I'm going back to stone tablets.
will never work
by TheManInDboX May 1, 2008 7:16 AM PDT
This feature will never work for a computer crime division, as Microsoft 2k, XP, and Vista all contain a GPedit utility that will allow you to clear the virtual memory (RAM) as well as cache on the fly. This will then just cause the thumb drive to fill with useless crap. I would suggest that the computer crime divisions just go with a die-hard IT guy to do this, and not put all their faith in a company that can't even release service packs correctly.
I can't find any contact stuff for Cnet
by russkeller May 1, 2008 8:08 AM PDT
Is there something in the terms of use about pointing out specific security holes? 'Cause I can't find it. I'm just curious about a couple of posts disappearing. If you're gonna do that, please get rid of my first post; it points it out too.
A reason not to trust Microsoft with your data
by tudza April 30, 2008 6:31 PM PDT
The idea that Microsoft wants to make it easier for people to take information off my machine, even if it's The Man, makes me wonder why I should trust them or their systems.

This is like finding out the local locksmith is giving lock picking classes.
Nuddin New
by RicABlair May 1, 2008 7:01 AM PDT
COFEE is nothing new. My geeky ex Hortense (name changed to protect the guilty) had come up with something like it years ago, sent the idea to MSFT and of course, they preempted it. If you don't want private stuff to be extracted from a computer, don't put it on there. 100% safe.
by pdxsharkey May 8, 2008 8:19 PM PDT
Nothing really new actually. Take a look at Jesse Kornblum's FRED tool.

Or our own OPEN SOURCE, not just for COPS tool, RAPIER. It's for incident handling,
and from what we have seen, COFEE is a flattering imitation of it.

http://code.google.com/p/rapier/
by DetroitBill May 12, 2008 11:27 AM PDT
Um, and this is a threat how?

Anybody handling sensitive information should be able to beat this device without skipping a beat.

I won't go into details, but if you get a full second to respond, you should be able to defeat this attack. If you get two seconds, you should be able to turn your HD into an unreadable stone AND dispose of the evidence that you did so deliberately.

Think 'single point of failure' and how to cause that failure on demand.
by gd0102 May 14, 2008 8:36 AM PDT
Since these are "free" to law enforcement only, does that mean consumers are paying for it, worked into the cost of purchasing the OS? Kinda like we productive citizens pay taxes so welfare recipients can live for "free"? Just a thought... =)
by FastEddi July 7, 2008 7:46 AM PDT
DetroitBill - What if millions of computers are under any government's control using "botnets"? As I understand the current situation, Russia and China and Korea use botnets to control computer content - then SPAM you to death.......

In the Cyber WAR it is being used by Governments including the U.S. Military.