MS forensics tool leaks onto the web

Microsoft's point-and-click "computer forensics for cops" tool has leaked onto the web. COFEE (Computer Online Forensic Evidence Extractor) is designed to allow law enforcement officers to collect digital evidence from a suspect's PC without requiring any particular expertise. Using the technology - which recovers a list of …

COMMENTS

This topic is closed for new posts.
  1. lukewarmdog

    CUP

    Crackers with USB Pendrives maybe.

    Any really bad guys would already have a bent cop on the payroll and copies of this software.

    The really bad guys don't get their stuff off torrents.

  2. Anonymous Coward
    Anonymous Coward

    And for everybody else...

    ... there's alternatives such as open source operating systems. You'd lose the machinery to the police but hopefully you have off-site backups and enough cash for a replacement box.

  3. Anonymous Coward
    Anonymous Coward

    Countermeasures?

    Like preventing autoload and run of USB devices?

    Blimey, that was hard.

  4. Anonymous Coward
    FAIL

    @ All windows users

    UR SECURITY IS ZERO%

  5. M7S
    Joke

    Perhaps as a countermeasure, they'll have some TEA

    Total Enforcement Awareness

  6. Anonymous Coward
    Coffee/keyboard

    It's still out there...btw

    Does this smell like viral marketing to you?

  7. Anonymous Coward
    Anonymous Coward

    it's all hype

    I had a look at COFEE two days ago and all it does is run already existing tools, e.g. ipconfig.exe / netstat.exe, and dump the output into one XML file.

    it's really nothing to worry about.

  8. NB
    Coat

    yeah but

    does it run linux?

  9. Chris Wright 1
    FAIL

    Checkpoint

    Install Checkpoint removable media manager, enable authorisation, and then any USB devices have to be authorised before you can use them. In order for them to be authorised they cannot have any executable files on them.... *sorted*

  10. Valerion
    Coat

    CUP?

    So, given that cops usually arrive in pairs, that'd be 2 Cops, 1 Cup?

    I can see why they are worried though. Presumably this thing works without needing a password to unlock a PC, etc... giving a rather large backdoor into any Windows system.

  11. BristolBachelor Gold badge
    FAIL

    MAJOR FAIL

    So MS is _STILL_ producing software that will run any old crap that it happens to sniff on a USB drive?

    No wonder the world is full of zombie crap infested computers clogging the 'net...

    I'd love to see the Bill Gates scene from the South Park film come true. Line-up and shoot all the execs at MS until they get the message that their software must work properly.

  12. The Original Ash
    Thumb Up

    New solution

    Leave one USB drive free, unsolder the +5v and ground connection and wire it up to the +12v and earth from the PSU.

    Not enough to harm a person, enough to ruin a memory stick.

    Malicious? Me? No...

  13. The Fuzzy Wotnot
    Paris Hilton

    Hmmmmm

    So this MS thingy? I'm a nasty weasel, for the sake of argument, so to protect my nasty stuff I built my own Linux/BSD server from source. How's this MS stick thingy going to be able to get into my server and pull the stuff out? I simply bought a Mac, SPARC, AIX box, are these MS progs cross platform magic?

    You see I'm a bad guy, I hack Windows, I know its faults, so there is no way on God's earth I am going to store my important stuff on an operating system I know that I and everyone else can hack, 'cos I wrote some of the hacking tools everyone else is using to hack Windows!!!!

    Flipping heck!

  14. Cameron Colley

    Autorun or another "feature"?

    If this thing depends on autorun I am extremely surprised that they have managed to use this -- as I would expect anyone involved in any kind of nefarious activity on a computer to have the basic IT knowledge to turn it off, and want it off.

    I suppose we can expect more terrorists, paedorasts and other scum to start using more Linux systems once this becomes common knowledge.

    RE: @ All windows users: Way to go spreading the meme!
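Added example (mine, not any commenter's or Microsoft's code): a PowerShell audit-and-harden script for the Explorer AutoRun policy that comments 3 and 14 treat as the obvious countermeasure to a stick that relies on autorun. It assumes an elevated shell on a Windows host and uses only the documented NoDriveTypeAutoRun and HonorAutorunSetting registry values.

```powershell
# Added example, not code from any commenter or from Microsoft: audit and then
# apply the Explorer AutoRun policy discussed in the comments above. Run elevated.
# NoDriveTypeAutoRun is the documented bitmask of drive types EXCLUDED from
# AutoRun; a set bit disables AutoRun for that type. 0xFF covers every type,
# including removable drives (bit 0x04), which is what a USB stick presents as.

$PolicyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutoRunPolicy {
    # Report the current value per hive; a missing value means the OS default applies.
    foreach ($key in $PolicyKeys) {
        $item  = Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { [int]$item.NoDriveTypeAutoRun } else { $null }
        $shown = if ($null -eq $value) { '(not set, OS default)' } else { '0x{0:X2}' -f $value }
        [pscustomobject]@{
            Key                = $key
            NoDriveTypeAutoRun = $shown
            RemovableBlocked   = ($null -ne $value) -and (($value -band 0x04) -ne 0)
        }
    }
}

function Set-AutoRunDisabled {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    }
    # HonorAutorunSetting makes older Windows versions (XP with the AutoRun update)
    # actually respect NoDriveTypeAutoRun; it is harmless on later versions.
    Set-ItemProperty -Path $PolicyKeys[0] -Name HonorAutorunSetting -Value 1 -Type DWord
}

'Before:'; Get-AutoRunPolicy | Format-Table -AutoSize
Set-AutoRunDisabled
'After:';  Get-AutoRunPolicy | Format-Table -AutoSize
```

The machine policy (HKLM) wins over the per-user value when both are present, so the HKLM row is the one that matters on a shared PC.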

  15. Anonymous Coward
    Grenade

    What would be interesting to know is....

    What would be interesting to know is if this handy package batch-handles BitLocker (thus proving the fears that MS has made backdoors). Anybody know this (yet)?

  16. Tony S

    Hmmmm

    Attach a USB drive and the operating system has to recognise it. Therefore the process of adding the device changes the PC before they even begin to look at the contents - hence any lawyer worth his salt would argue that any data obtained is invalid as evidence, as there is no way to prove that what was found was on the PC before the plods started to look at it.

    On the Forensics course that I started a year ago, they made a point of indicating that you have to use either a hardware device to stop the hard drive being modified or a Linux-based boot disk that mounts the drive as read-only. Failure to do this prevents the data being used as evidence, which we were told is 90% of the reason for a court case to fail.

    Once again the police are ignoring their own guidelines and setting themselves up to interpret the law - which is actually the job of the courts.

  17. Michael C

    dumb

    OK:

    1) anyone seriously worried can simply disable USB in the firmware. This would at least ensure someone has to reset the BIOS (if it's not one of the better boards that requires a password to do so)

    2) still only gives access to encrypted files, does not decrypt them without a key.

    3) hard core hackers and terrorists who know this might be snooped on, and have the skills to cript COFEE, don't run Windows...

    4) the data's not there, it's in the cloud on an encrypted system.

    5) you have to actually FIND these guys first....

    no, this tool is for basic forensics of dumbasses who trade in kiddie porn, people who cheat on their taxes, and people having police investigate their own spouses. Most REAL computer criminals do not fear this technology at all; the fact it's been leaked will simply be amusing for them (and far more importantly, could give them back doors to exploit).

    Fact is, the more ways you give the government to get into systems, the more ways you give the hackers, a group of people distinctly immune to the tools you're using. Just stop putting in back doors and lock the shit down completely and we'll all be a lot safer. The dumbasses hitting the kiddie porn sites don't use countermeasures, and crumble under contempt of court cases and give up their passwords willingly anyway... (or the evidence that was enough to get a warrant to seize the computer is in itself enough to convict anyway).

  18. Ross 7

    Eh?

    Paradise seeking XP die hard - wtb superglue. Gud money paid!!!!1!!! /w me nowz

  19. Anonymous Coward
    Anonymous Coward

    Decrypt passwords?

    "...even decrypt passwords"

    Excusame?? Is this an admission that Windows hashed passwords can actually be decrypted? Because if it is so, I wonder how Windows could be sold/proposed with any claim at security at all.

  20. Kwac
    Happy

    " were briefly made available via BitTorrent"

    Isn't this like saying "she briefly lost her virginity"?

  21. Anonymous Coward
    Big Brother

    XP only?

    "Target Machine

    Hardware: USB Port Enabled

    Software: Windows XP*

    *Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported."

    Of course, this could always be a bogus copy, although the user manual (dated September 30th, 2009) would be a better presentation than I would have anticipated for a bodged item.

    BTW, here in the UK you are obliged to give Plod any passwords, failure to do so is a criminal offence.

  22. copsewood
    Dead Vulture

    What's to say the bad guys can't neutralise it or wipe data?

    'Graham Cluley, senior security consultant at Sophos, explains: "What's to say that the bad guys couldn't analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?"'

    For this reason, it seems obvious that either those using this tool are a lot less clued up than the high tech crime cops I have met, or this tool doesn't analyse a running system at all. If this USB stick doesn't boot its own operating system from cold, read-lock the fixed media and analyse the latter as static read-only objects, then it would have no value for its stated purpose.

    The system it analyses would have to be in a shut-down state first and booted from this device. To argue in court that the USB stick modified the system being examined would then either require the defendant sustain a claim that the system BIOS ran software not on the USB stick first, which changed the contents of the system, or that the media read locking of the OS on the USB stick wasn't effective. Likely to be a flimsy defence, but it might just about convince a thick jury.

    So I guess the Police might only risk using the BIOS of the system being investigated against such a defence to help boot it if they are prioritising getting results quickly in a situation where a caution would suffice or someone could be persuaded to assist in their investigations or prosecution of their real target. As I understand it, they remove the hard disk or SSD and write protect it to copy and analyse media entirely outside the context of the defendant's running system.

    That the High Tech Crime Unit would allow their software to interact with the system of a suspect in the manner suggested in this article (i.e. on a suspect's live system) is either unimaginable incompetence or more likely ingenous misinformation.

  23. NickR

    Runs on running OS

    According to http://news.cnet.com/8301-10784_3-9930664-7.html

    "is a USB thumb drive that captures evidence on a computer that could be lost when the computer is shut off"

    I guess the tools on the USB device can take a dump (of the system memory).

  24. TS

    RE: Decrypt passwords?

    @anonymous coward

    ----------------------------------------------------------

    "...even decrypt passwords"

    Excusame?? Is this an admission that Windows hashed passwords can actually be decrypted? Because if it is so, I wonder how Windows could be sold/proposed with any claim at security at all.

    ----------------------------------------------------------

    Um, yeah, for quite a long time. Google "l0phtcrack".

    There is no security when the attacker has physical access to your machine.

  25. The Original Ash
    Black Helicopters

    I would speculate...

    That it is an automation of netstat, ipconfig, various net commands, a dump of system memory (including potential passwords / password hashes in RAM) and not a lot else. Just designed to prevent power-off losing evidence (for instance, when booted from a LiveCD, resulting in no swap file, hibernation file, no temporary files of any kind, no logs etc.)

    Shame it's MS only. Those Linux LiveCDs are simply too good to pass up anymore.

  26. The Beer Monster
    Coat

    COFEE? TEA?

    Please make sure you join COCOA - Campaign Outlawing Contrived/Outrageous Acronyms.

  27. Valerion

    I wonder

    if it actually doesn't enumerate itself as a hard-drive in order to auto-run, but maybe as a keyboard or something in order to bypass that. Then, being a keyboard, it could type whatever it wanted to.

  28. JaitcH
    Black Helicopters

    What a pity; only Microsoft you say?

    Our pain-in-the-a*se security guys disabled the USBs on all our computers years ago. Then they gave some of us removable media manager software that seems to be very effective.

    Not that it matters, we have lately switched to Linux and all our stuff is via VPN and passwords delivered through our cells over Bluetooth.

    Now, because of the penchant of UK and US customs to check laptops we have to travel with everything offloaded and a fresh OS installed. Canadian customs are active, too, but since it is our destination country we just look on bemused if any of us get hooked for secondary checking.

    Another requirement is that none of our travels route us through any UK or US airports, either.

    I guess MS never thinks about these things. IMHO they have scored another own goal by demonstrating MS software is insecure. A real help to sales figures, undoubtedly.

    BTW, the Register piece said: "copies of the software leaked onto the web and were briefly made available via BitTorrent, before the torrent tracking file was pulled". Not so, I have just found 11 .torrent links and have downloaded 7 of them onto 7 machines for crosschecking.

    A friend in Beijing said there are several sources on-line in China and they don't even listen to their own government, let alone foreign ones.

    The article also said: "allow law enforcement officers ... without requiring any particular expertise" and, presumably, with minimal intelligence if it's a 'police tool'.

    Another thing that seems to upset customs inspectors are old cell phones. Seems they lack most of what this type of plod needs to 'forensically examine' the old models; switching them off and removing the SIM seems to complete their bad days. :)

    So travel light, guys, no data, no live cells and no SIMs!

  29. jake Silver badge

    Due process ... not just a good idea, it's the law.

    "Using the technology - which recovers a list of processes running on an active computer at the scene of an investigation - involves inserting a specially adapted USB stick into a computer."

    Without a warrant detailing exactly what they are looking for?

    Won't hold up in court. Yet another useless tool from Microsoft. Whodathunkit?

  30. Bernie 2
    Linux

    "What's to say that the bad guys couldn't analyse COFEE...

    ...and write their own code which neutralises it (or wipes sensitive data from their computer)"

    What's to say the bad guys couldn't use an OS that won't dump all your most sensitive data onto a USB flash drive "in a fraction of the time the process would normally require".

  31. Anonymous Coward
    Boffin

    SIW

    It basically does the same as SIW

    It loads as a removable drive and autoruns cofee.exe

    Then it extracts things like :-

    Computer Name, Password

    Network Shares, Network Drives

    Hashes a list of directories & contents

    Lists passwords for all sites visited (stored) I think

    SIW is easier though

  32. Anonymous Coward
    Anonymous Coward

    @Beer Monster

    Yeah, as it was aimed at cops I was waiting for them to announce a companion tool called DONUT.

  33. Anonymous Coward
    Happy

    Guess you didn't look yourself

    Guess you didn't look yourself as this tool is still available on torrent sites.
