If they've any sense
It'll be a bootable drive
Microsoft has reportedly developed a USB key that allows investigators to extract forensic data from PCs. COFEE (Computer Online Forensic Evidence Extractor) comes in a USB key form factor, and was distributed to a small number of law-enforcement agencies last June, the Seattle Times reports. The device includes 150 tools that …
...now all we need is for MS chaps to supply monthly patches to the USB dongle. I bet if it lands in the hands of hackers then reverse engineering it will simply go to the shelf as one of Microsoft's other failed attempts at conquering the world
Paris, because she knows how to prevent any forensic evidence getting adulterated
There are so many problems with this approach. As you say the admissibility of such data is very questionable. You can guarantee that data WILL be changed by plugging in your device.
That's not to mention how easy it would be to design a computer system to evade justice by such means.
if (usb.device.inserted) then
{
delete(incriminating files);
sendmail("I've been raided!", accomplices);
}
I'm sure it wouldn't understand where to start with a Linux system. Probably the same for Macs but I wonder if it would even spot the surfing history of a Firefox under Windows user?
There are a zillion tools on the net for finding passwords in all different kinds of file formats, lots of software to scrub and remove Windows passwords and software to allow you to view saved passwords in forms, etc and remove the ********* masking. I don't see how this would pose a threat.
My setup is a RAID5 array with total encryption (key + password), and only bootable from a CD. Next buildworld, I shall be removing USB device drivers too.
I have nothing to hide, but still it is my personal data and want it to stay that way.
Black helicopters for obvious reasons.
No, it isn't, not in the slightest. All these kinds of tools (samdump, pwdump, and friends) are freely and widely available and hackers have had them for ages. See for example the USB Haksaw/Hakblade tool, of which this COFEE appears to be a near identical tool.
So they come along, switch on the PC, plug in a USB device and walk away with a load of secret information and decrypted passwords. Can I have one?
That's a great OS you got there. Really secure, yeh, can totally see why you would SECRETLY distribute that USB key to only law enforcement officers.
Are there any similar tricks they can pull over the net perhaps? If Germany makes it legal to install a trojan remotely over the internet, will it be an official MS trojan installed via Windows update perhaps? Or perhaps there's a little packet that can be sent to get decrypted passwords over the net from a Windows PC.
How's the BitLocker lawsuit coming?
http://cyb3rcrim3.blogspot.com/2007_03_01_archive.html
The one where a guy says they put a backdoor in BitLocker and that's how they decrypted his 'encrypted' drive.
As the article points out, proper computer forensics means that the data must demonstrably not have been changed. This little fob obviously doesn't satisfy this.
Which makes you wonder if the target market isn't legitimate investigators, but instead is nosy bosses/spouses. Best keep your systems well scrubbed.
El Reg does love a good jab at MS.
MS did an article in TechNet Mag about this a few months back. The USB stick contains imaging software for a start - which takes a whole image of the HD's on the system.
The rest of the stuff is your pretty usual run of the mill utilities. (recovery/undelete tools, various password crackers etc.)
If you bothered to read the Seattle Times article linked to the Reg article, the whole point of the USB key package is that you DO NOT REBOOT THE TARGET PC.
By not needing to reboot, you can go after volatile information in the PC's RAM that would be lost if the PC were shut down and carted off to a forensics lab.
Every 'big city' police department already has these tools and more and knows how to automate them when appropriate? So this might be of use to small departments that have to send computers etc. to the bigger depts. for assistance. Or it's just another Microsoft PR move designed to impress execs who don't have a clue... oh, good move.
"The USB stick contains imaging software for a start - which takes a whole image of the HD's on the system."
You mean it's got enough free space on the drive to store an image of a multi TB array? I doubt it!
The largest USB memory sticks ~16GB
The smallest HDDs installed in a new system ~ 150GB
See the problem?
Thanks to M$, my computer will simply report.
"USB Device not recognised" as per all the other devices I try to plug in to it.
Also, the legitimacy of downloaded "volatile" data may be a legal hot potato. Volatile data by its definition is not permanent or even consistent, and it can't be proved that the person knows it is there half the time.
Besides, the Feds probably know what is on your computer by now anyway. Anyone noticed that XP and Vista are at least 200% bigger than the work they do suggests? That'll be J Edgar Hoover's boys trojaning your ass!
While my first reaction as someone who's struggled with the challenge of sourcing economically viable forensics capability within an in-house team was definitely 'Gissit'.....
It's admissibility of evidence that's the issue here.
How do you prove that by inserting a USB device you DIDN'T modify the configuration of the machine when it's patently demonstrable that you CAN .......
Not to mention the thought that if MS are true to form, any collection of 'specialised tools' that comes from them, will likely be so bloated as to need a 16GB USB stick, just to hold the software itself, let alone any room left for data retrieval.
Also as others have already said, there are plenty of Linux based liveCDs out there that do this already.
I would also hope it is a bootable stick, but then there are many more computers out there that can't boot from a USB device than there are that can't boot from a CD. If it all runs in an existing live Windows environment, then that really is defeating the object.
Still, the very principle of all this is giving me something to have an evil chuckle about. Mwuhuhuhuhuhuh.....
If you've got the search warrant, why plug in a USB recording device? You're going to have to have the original for evidentiary purposes, so why not just take the thing?
Oh, yeah...mission critical apps and mainframes. So, corporate interests are trying to work around the law again, just to save a buck. You'd figure that if the mission was so critical, you'd have a backup computer ready to go, and the police could easily cart off the evidence. As for mainframes, you'd think you could just pull the evidence drive(s), plug in the backups and rebuild the RAID array as you go. This kind of planning is part of elementary disaster recovery. As for volatile data, I could see USB'ing the RAM, but I agree with previous posters that contact with a target platform in an uncontrolled environment makes each USB device a throw-away (it could pass an infection to other computers if reused). Then there's the chain of custody problems, and the potential of altering the data in transit, etc. It's a waste of money, really.
Having had some computer forensics experience, this is a cockamamie scheme if I've ever heard one.
I know quite a few people mentioned that there are other tools out there that do the same thing... but what makes me give a mischievous grin is the fact that these are either First Party created tools, meaning Microsoft developed these items THEMSELVES or are tools APPROVED by Microsoft. Third Party tools, even though they work, would tend to have more quirks in getting to the information than with a tool that was created by Microsoft themselves. I wonder if there will be suspicious websites or spyware that will use these tools to decrypt and upload people's passwords.
I would see these as more dangerous because most tools, especially Linux based ones can't run from a live Windows environment. Meaning, no access to the network, registry settings, and the such. On a Windows system that lacks the proper updates... this could be potentially devastating.
If like me you use the free USBDLM service, you'll know you can set it up to run programs when an unknown USB device is plugged in.
Ok it takes hours to securely delete a hard drive's contents. But then it's easy to use a crypt tool to put in a couple of MB of your secure stuff and just delete that quickly.
I recently had cause to want to know the administrator password for a Windows XP install.
loginrecovery.com is great. Download thing, burn to CD, boot the CD, and send them the magic number. 3 days later, log on to their web site and you get the password. Fantastic.
Pay money and they'll do it quicker, over multiple accounts. Rar.
Secure? Pfft. Nothing is secure if you're at the console... right? Windows doubly so.
The point is, why cart off the whole thing when there's no evidentiary value to it?
If on-scene forensics can determine whether the system is worth seizing or not, that works a lot better than seizing everything and then using lab tools to figure out what to keep and what to give back to the suspect. And, yes, the suspects generally get to have their equipment back if it is useless as evidence and if they ask for it, at least in the U.S.
The problem is that as soon as you plug this device in - the evidence is worthless. Unless you can prove this particular unit came direct from Microsoft in a sealed tamper-evident container and you can get MS to certify in court that it contained no malware.
Anyway it's just a tool for dumping the NTHash for later offline passwd cracking - and we all have one of those anyway.
The advantage over a Linux boot disk is that this can extract the passwd hash from an encrypted system while it's running.
If it contained a secret backdoor to bitlocker it would have been leaked by now.
The purpose is the software on the USB stick can take a snapshot of critical areas in system RAM before the computer is shut down - something like decrypted strings, passwords sitting on stacks, etc. If you shut down you lose that stuff.
Of course everyone who has ever stuck a thumb drive into a Windows box knows it fiddles and churns and loads drivers and fiddles with the registry in order to be able to say "your new hardware is ready to use", and only after that can anything on the drive be executed. So much for preserving an unadulterated hard drive image, even if you do get something useful from RAM afterwards.
Of course, as other posters have noted, disabling the USB ports is pretty easy. Heck, my wife's XP box did that all by itself!
This technology is only for "investigators" who understand neither computers nor evidence rules.
First: You can't have a true forensic tool which is only available to law enforcement. The defence requires a means to test any evidence that is being produced.
Second: the first Principle of the current ACPO Good Practice Guidelines for Computer Evidence says: "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court." As soon as you put a USB stick into a Windows computer an entry is made into the USBSTOR part of the System Registry unless you know how to change the BIOS to boot from a USB device and the BIOS actually supports this function.
There is a problem in cases involving many seized computers of triage - determining at an early stage which computers are worth a more detailed look and which can be discarded. But, subject to a sight of the actual M$ USB product, most people will want to stick with bootable "forensic" CDs based on Linux (like Helix) as it is far easier reliably to change a PC's BIOS to boot from CD. Given that most PCs now have DVD-ROMs rather than simple CD-ROM drives, we can expect forensic bootable CDs to move on to the more expansive DVD format.
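The USBSTOR entry mentioned in the comment above can be listed from a registry export, which lets an examiner record exactly which entry their own key left behind and tell it apart from devices that were already there. This is an added example, not part of the original thread; the sample export, device names and serial number are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: fragment of a .reg export of HKLM\SYSTEM, not from a real machine.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Triage_Key&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_Triage_Key&Rev_1.00\0123456789ABCDEF&0]
"FriendlyName"="ExampleCo Triage Key USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&1a2b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Matches only device-instance keys: ...\USBSTOR\<Type>&Ven_..&Prod_..&Rev_..\<instance id>
FIELD = r"[^&\\\]]*"
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USBSTOR\\"
    r"[^&\\\]]+&Ven_(?P<vendor>" + FIELD + r")&Prod_(?P<product>" + FIELD + r")&Rev_(?P<rev>" + FIELD + r")"
    r"\\(?P<instance>[^\\\]]+)\]$"
)

def usbstor_devices(reg_text):
    """Return one record per USB mass-storage device instance found in the export."""
    devices = []
    for line in reg_text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        instance = m.group("instance")
        # Commonly documented convention: '&' as the second character means the
        # device reported no serial number and Windows generated the identifier.
        generated = len(instance) > 1 and instance[1] == "&"
        devices.append({
            "vendor": m.group("vendor"),
            "product": m.group("product").replace("_", " "),
            "revision": m.group("rev"),
            "serial": None if generated else instance.rsplit("&", 1)[0],
            "os_generated_id": generated,
        })
    return devices

def split_examiner_trace(devices, examiner_serial):
    """Separate the entry left by the examiner's own key from all other entries."""
    own = [d for d in devices if d["serial"] == examiner_serial]
    other = [d for d in devices if d["serial"] != examiner_serial]
    return own, other

if __name__ == "__main__":
    own, other = split_examiner_trace(usbstor_devices(SAMPLE_REG_EXPORT), "0123456789ABCDEF")
    print("examiner's key:", own)
    print("other devices:", other)
```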