MS forensics tool leaks onto the web Microsoft's point-and-click "computer forensics for cops" tool has leaked onto the web. COFEE (Computer Online Forensic Evidence Extractor) is designed to allow law enforcement officers to collect digital evidence from a suspect's PC without requiring any particular expertise. Using the technology - which recovers a list of …
So MS is _STILL_ producing software that will run any old crap that it happens to sniff on a USB drive?
No wonder the world is full of zombie crap infested computers clogging the 'net...
I'd love to see the Bill Gates scene from the South Park film come true. Line-up and shoot all the execs at MS until they get the message that their software must work properly.
So this MS thingy? I'm a nasty weasel, for the sake of argument, so to protect my nasty stuff I built my own Linux/BSD server from source. How's this MS stick thingy going to be able to get into my server and pull the stuff out? I simply bought a Mac, SPARC, AIX box, are these MS progs cross platform magic?
You see I'm a bad guy, I hack Windows, I know it's faults so there is no way on God's earth I am going to store my important stuff on an operating system I know that I and everyone else can hack, 'cos I wrote some of the hacking tools everyone else is using to hack Windows!!!!
Flipping heck!
If this thing depends on autorun I am extremely surprised that they have managed to use this -- as I would expect anyone involved in any kind of nefarious activity on a computer to have the basic IT knowledge to turn it off, and want it off.
I suppose we can expect expect more terrorists, paedorasts and other scum to start using more Linux systems once this becomes common knowledge.
RE: @ All windows users: Way to go spreading the meme!
Attach a USB drive and the operating system has to recognise it. Therefore the process of adding the device changes the PC before they even begin to look at the contents - hence any lawyer worth his salt would argue that any data obtained is invalid as evidence, as there is no way to prove that what was found was on the PC before the plods started to look at it.
On the Forensics course that I started a year ago, they made a point of indicating that you have to use either a hardware device to stop the hard drive being modified or a linux based boot disk that mounts the drive as read only. Failure to do this prevents the data being used as evidence which we were told is 90% of the reason for a court case to fail.
Once again the police are ignoring their own guidelines and setting themselves up to interpret the law - which is actually the job of the courts.
OK:
1) anyone seriously worried can simply disable USB in the firmware. This would at least ensure someone has to reset the bios (if it's not one of the better boards that requires a password to do so)
2) still only gives access to encrypted files, does not decrypt them without a key.
3) hard core hackers and terorists who know this might be snooped on, and have the skills to cript COFEE don't run Windows...
4) the data's not there, it;s in the cloud on an encrypted system.
5) you have to actually FIND these guys first....
no, this tool is for basic phorensics of dumbasses who trade in kiddie porn, people who cheat on their taxes, and people having police investigate their own spouses. Most REAL computer criminals do not fear this technology at all, the fact it's been leaked will simply be amiusing for them (and far more importantly, could give them back doors to exploit).
Fact is, the more ways you give the government to get into systems, the more ways you give the hackers, a group of people distinctly immune to the tools you;re using. Just stop putting in back doors and lock the shit down completely and we'll all be a lot safer. The dumbasses hitting the kiddie porn sites don't use countermeasuers, and crumble under contempt of court cases and give up their passwords willingly anyway... (or the evidence that was enough to get a warant toseize the computer is in itself enough to convict anyway).
"Target Machine
Hardware: USB Port Enabled
Software: Windows XP*
*Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported."
Of course, this could always be a bogus copy, although the user manual (dated September 30th, 2009) would be a better presentation than I would have anticipate for a bodged item.
BTW, here in the UK you are obliged to give Plod any passwords, failure to do so is a criminal offence.
'Graham Cluley, senior security consultant a Sophos, explains: "What's to say that the bad guys couldn't analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?"'
For this reason, it seems obvious that either those using this tool are a lot less clued up than the high tech crime cops I have met, or this tool doesn't analyse a running system at all. If this USB stick doesn't boot it's own operating system from cold, read lock the fixed media and analyse the latter as static read-only objects, then it would have no value for its stated purpose.
The system it analyses would have to be in a shut-down state first and booted from this device. To argue in court that the USB stick modified the system being examined would then either require the defendant sustain a claim that the system BIOS ran software not on the USB stick first, which changed the contents of the system, or that the media read locking of the OS on the USB stick wasn't effective. Likely to be a flimsy defence, but it might just about convince a thick jury.
So I guess the Police might only risk using the BIOS of the system being investigated against such a defence to help boot it if they are prioritising getting results quickly in a situation where a caution would suffice or someone could be pursuaded to assist in their investigations or prosecution of their real target. As I understand it, they remove the hard disk or SSD and write protect it to copy and analyse media entirely outside the context of the defendant's running system.
That the High Tech Crime Unit would allow their software to interact with the system of a suspect in the manner suggested in this article (i.e. on a suspect's live system) is either unimaginable incompetence or more likely ingenous misinformation.
@anyonymous coward
----------------------------------------------------------
"...even decrypt passwords"
Excusame?? Is this an admission that Windows hashed passwords can actually be decrypted? Because if it is so, I wonder how Windows could be sold/proposed with any claim at security at all.
----------------------------------------------------------
Um, yeah, for quite a long time. Google "l0phtcrack".
There is no security when the attacker has physical access to your machine.
That it is an automation of netstat, ipconfig, various net commands, a dump of system memory (including potential passwords / password hashes in RAM) and not a lot else. Just designed to prevent power-off losing evidence (for instance, when booted from a LiveCD, resulting in no swap file, hibernation file, no temporary files of any kind, no logs etc.)
Shame it's MS only. Those Linux LiveCD's are simply too good to pass up anymore.
Our pain-in-the-a*se security guys disabled the USB's on all our computers years ago. Then they gave some of us removable media manager software that seems to be very effective.
Not that it matters, we have lately switched to Linux and all our stuff is via VPN and passwords delivered through our cells over Bluetooth.
Now, because of the penchant of UK and US customs to check laptops we have to travel with everything offloaded and a fresh OS installed. Canadian customs are active, too, but since it is our destination country we just look on bemused if any of us get hooked for secondary checking.
Another requirement is that none of our travels route us through any UK or US airports, either.
I guess MS never thinks about these things. IMHO they have scored another own goal by demonstrating MS software is insecure. A real help to sales figures, undoubtedly.
BTW, the Register piece said: "copies of the software leaked onto the web and were briefly made available via BitTorrent, before the torrent tracking file was pulled". Not so, I have just found 11 .torrent links and have downloaded 7 of them onto 7 machines for crosschecking,
A friend in BeiJing said there are several sources on-line in China and they don't even listen to their own government, let alone foreign ones.
The article also said: "allow law enforcement officers ... without requiring any particular expertise" and, presumably, with minimal intelligence if its a 'police tool'.
Another thing that seems to upset customs inspectors are old cell phones. Seems they lack most of what this type of plod needs to 'forensically examine' the old models, switching them off and removing the SIM seems to complete their bad days. :)
So travel light, guys, no data, no live cells and no SIMs!
"Using the technology - which recovers a list of processes running on an active computer at the scene of an investigation - involves inserting a specially adapted USB stick into a computer."
Without a warrant detailing exactly what they are looking for?
Won't hold up in court. Yet another useless tool from Microsoft. Whodathunkit?
...and write their own code which neutralises it (or wipes sensitive data from their computer)"
What's to say the bad guys couldn't use an OS that won't dump all your most sensitive data onto a USB flash drive "in a fraction of the time the process would normally require".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
