MS forensics tool leaks onto the web

Microsoft's point-and-click "computer forensics for cops" tool has leaked onto the web. COFEE (Computer Online Forensic Evidence Extractor) is designed to allow law enforcement officers to collect digital evidence from a suspect's PC without requiring any particular expertise. Using the technology - which recovers a list of …

COMMENTS


CUP

Crackers with USB Pendrives maybe.

Any really bad guys would already have a bent cop on the payroll and copies of this software.

The really bad guys don't get their stuff off torrents.

Anonymous Coward

And for everybody else...

... there's alternatives such as open source operating systems. You'd lose the machinery to the police but hopefully you have off-site backups and enough cash for a replacement box.

Anonymous Coward

Countermeasures?

Like preventing autoload and run of USB devices?

Blimey, that was hard.


@ All windows users

UR SECURITY IS ZERO%

M7S

Perhaps as a countermeasure, they'll have some TEA

Total Enforcement Awareness


It's still out there...btw

Does this smell like viral marketing to you?

Anonymous Coward

it's all hype

I had a look at COFEE two days ago and all it does is run already existing tools, e.g. ipconfig.exe / netstat.exe, and dump the output into one XML file.

it's really nothing to worry about.

NB

yeah but

does it run linux?


Checkpoint

Install Checkpoint removable media manager, enable authorisation, and then any USB devices have to be authorised before you can use them; in order for them to be authorised they cannot have any executable files on them .... *sorted*


CUP?

So, given that cops usually arrive in pairs, that'd be 2 Cops, 1 Cup?

I can see why they are worried though. Presumably this thing works without needing a password to unlock a pc, etc... giving a rather-large backdoor into any Windows system.


MAJOR FAIL

So MS is _STILL_ producing software that will run any old crap that it happens to sniff on a USB drive?

No wonder the world is full of zombie crap infested computers clogging the 'net...

I'd love to see the Bill Gates scene from the South Park film come true. Line-up and shoot all the execs at MS until they get the message that their software must work properly.


New solution

Leave one USB drive free, unsolder the +5v and ground connection and wire it up to the +12v and earth from the PSU.

Not enough to harm a person, enough to ruin a memory stick.

Malicious? Me? No...


Hmmmmm

So this MS thingy? I'm a nasty weasel, for the sake of argument, so to protect my nasty stuff I built my own Linux/BSD server from source. How's this MS stick thingy going to be able to get into my server and pull the stuff out? I simply bought a Mac, SPARC, AIX box, are these MS progs cross platform magic?

You see I'm a bad guy, I hack Windows, I know its faults, so there is no way on God's earth I am going to store my important stuff on an operating system I know that I and everyone else can hack, 'cos I wrote some of the hacking tools everyone else is using to hack Windows!!!!

Flipping heck!


Autorun or another "feature"?

If this thing depends on autorun I am extremely surprised that they have managed to use this -- as I would expect anyone involved in any kind of nefarious activity on a computer to have the basic IT knowledge to turn it off, and want it off.

I suppose we can expect more terrorists, paederasts and other scum to start using more Linux systems once this becomes common knowledge.

RE: @ All windows users: Way to go spreading the meme!

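Several posts in this thread turn on whether the stick can start at all, which on a Windows client comes down to whether autorun.inf on removable media is honoured. The following is an added example, not from the article or any commenter: a PowerShell audit of the two registry settings that govern that behaviour, with an optional `-Fix` switch to apply the hardened values. It assumes administrative rights; the key paths and the `@SYS:DoesNotExist` mapping are the standard Windows locations.

```powershell
# Added example (not from the article or its commenters): audit, and optionally
# set, the two registry settings that decide whether Windows executes autorun.inf
# from a removable drive. Assumes it is run with administrative rights.
#
#  - NoDriveTypeAutoRun: bitmask of drive types with autorun disabled
#    (bit 0x04 = removable drives, 0xFF = every type). Applies at next logon.
#  - IniFileMapping\Autorun.inf = "@SYS:DoesNotExist": points the autorun.inf
#    parser at a registry key that does not exist, so the file is ignored
#    regardless of the per-drive-type mask.
param([switch]$Fix)

$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$MappingKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$RemovableBit = 0x04

function Get-AutorunState {
    $mask = (Get-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $mapping = $null
    if (Test-Path $MappingKey) {
        $mapping = (Get-ItemProperty -Path $MappingKey).'(default)'
    }
    $maskText = 'not set (OS default)'
    if ($null -ne $mask) { $maskText = '0x{0:X2}' -f $mask }

    [pscustomobject]@{
        NoDriveTypeAutoRun = $maskText
        RemovableBlocked   = ($null -ne $mask) -and (($mask -band $RemovableBit) -ne 0)
        AllTypesBlocked    = ($mask -eq 0xFF)
        AutorunInfIgnored  = ($mapping -eq '@SYS:DoesNotExist')
    }
}

function Set-AutorunHardened {
    # Create the keys if absent, then write both hardened values.
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    New-Item -Path $MappingKey -Force | Out-Null
    Set-Item -Path $MappingKey -Value '@SYS:DoesNotExist'   # sets the key's default value
}

if ($Fix) { Set-AutorunHardened }
$state = Get-AutorunState
$state | Format-List
if (-not ($state.AutorunInfIgnored -or $state.RemovableBlocked)) {
    Write-Warning 'autorun.inf on removable media would still be honoured; rerun with -Fix'
}
```

Run it without arguments to report the current state; the mask change only takes effect for sessions started after it is written, which is why the script also checks the IniFileMapping entry.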

What would be interesting to know is....

What would be interesting to know is if this handy package batch-handles BitLocker (thus proving the fears that MS has made backdoors). Anybody know this (yet)?


Hmmmm

Attach a USB drive and the operating system has to recognise it. Therefore the process of adding the device changes the PC before they even begin to look at the contents - hence any lawyer worth his salt would argue that any data obtained is invalid as evidence, as there is no way to prove that what was found was on the PC before the plods started to look at it.

On the Forensics course that I started a year ago, they made a point of indicating that you have to use either a hardware device to stop the hard drive being modified or a Linux-based boot disk that mounts the drive as read-only. Failure to do this prevents the data being used as evidence, which we were told is 90% of the reason for a court case to fail.

Once again the police are ignoring their own guidelines and setting themselves up to interpret the law - which is actually the job of the courts.


dumb

OK:

1) anyone seriously worried can simply disable USB in the firmware. This would at least ensure someone has to reset the BIOS (if it's not one of the better boards that requires a password to do so)

2) still only gives access to encrypted files, does not decrypt them without a key.

3) hard core hackers and terrorists who know this might be snooped on, and have the skills to cript COFEE, don't run Windows...

4) the data's not there, it's in the cloud on an encrypted system.

5) you have to actually FIND these guys first....

no, this tool is for basic forensics of dumbasses who trade in kiddie porn, people who cheat on their taxes, and people having police investigate their own spouses. Most REAL computer criminals do not fear this technology at all; the fact it's been leaked will simply be amusing for them (and far more importantly, could give them back doors to exploit).

Fact is, the more ways you give the government to get into systems, the more ways you give the hackers, a group of people distinctly immune to the tools you're using. Just stop putting in back doors and lock the shit down completely and we'll all be a lot safer. The dumbasses hitting the kiddie porn sites don't use countermeasures, and crumble under contempt of court cases and give up their passwords willingly anyway... (or the evidence that was enough to get a warrant to seize the computer is in itself enough to convict anyway).


Eh?

Paradise seeking XP die hard - wtb superglue. Gud money paid!!!!1!!! /w me nowz

Anonymous Coward

Decrypt passwords?

"...even decrypt passwords"

Excusame?? Is this an admission that Windows hashed passwords can actually be decrypted? Because if it is so, I wonder how Windows could be sold/proposed with any claim at security at all.


" were briefly made available via BitTorrent"

Isn't this like saying "she briefly lost her virginity"?


XP only?

"Target Machine

Hardware: USB Port Enabled

Software: Windows XP*

*Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported."

Of course, this could always be a bogus copy, although the user manual (dated September 30th, 2009) would be a better presentation than I would have anticipated for a bodged item.

BTW, here in the UK you are obliged to give Plod any passwords, failure to do so is a criminal offence.


What's to say the bad guys can't neutralise it or wipe data?

'Graham Cluley, senior security consultant at Sophos, explains: "What's to say that the bad guys couldn't analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?"'

For this reason, it seems obvious that either those using this tool are a lot less clued up than the high tech crime cops I have met, or this tool doesn't analyse a running system at all. If this USB stick doesn't boot its own operating system from cold, read-lock the fixed media and analyse the latter as static read-only objects, then it would have no value for its stated purpose.

The system it analyses would have to be in a shut-down state first and booted from this device. To argue in court that the USB stick modified the system being examined would then either require the defendant sustain a claim that the system BIOS ran software not on the USB stick first, which changed the contents of the system, or that the media read locking of the OS on the USB stick wasn't effective. Likely to be a flimsy defence, but it might just about convince a thick jury.

So I guess the Police might only risk using the BIOS of the system being investigated against such a defence to help boot it if they are prioritising getting results quickly in a situation where a caution would suffice or someone could be persuaded to assist in their investigations or prosecution of their real target. As I understand it, they remove the hard disk or SSD and write-protect it to copy and analyse media entirely outside the context of the defendant's running system.

That the High Tech Crime Unit would allow their software to interact with the system of a suspect in the manner suggested in this article (i.e. on a suspect's live system) is either unimaginable incompetence or, more likely, ingenious misinformation.


Runs on running OS

According to http://news.cnet.com/8301-10784_3-9930664-7.html

"is a USB thumb drive that captures evidence on a computer that could be lost when the computer is shut off"

I guess the tools on the USB device can take a dump (of the system memory).

TS

RE: Decrypt passwords?

@Anonymous Coward

----------------------------------------------------------

"...even decrypt passwords"

Excusame?? Is this an admission that Windows hashed passwords can actually be decrypted? Because if it is so, I wonder how Windows could be sold/proposed with any claim at security at all.

----------------------------------------------------------

Um, yeah, for quite a long time. Google "l0phtcrack".

There is no security when the attacker has physical access to your machine.


I would speculate...

That it is an automation of netstat, ipconfig, various net commands, a dump of system memory (including potential passwords / password hashes in RAM) and not a lot else. Just designed to prevent power-off losing evidence (for instance, when booted from a LiveCD, resulting in no swap file, hibernation file, no temporary files of any kind, no logs etc.)

Shame it's MS only. Those Linux LiveCDs are simply too good to pass up anymore.


COFEE? TEA?

Please make sure you join COCOA - Campaign Outlawing Contrived/Outrageous Acronyms.


I wonder

if it actually doesn't enumerate itself as a hard-drive in order to auto-run, but maybe as a keyboard or something in order to bypass that. Then, being a keyboard, it could type whatever it wanted to.


What a pity; only Microsoft you say?

Our pain-in-the-a*se security guys disabled the USBs on all our computers years ago. Then they gave some of us removable media manager software that seems to be very effective.

Not that it matters, we have lately switched to Linux and all our stuff is via VPN and passwords delivered through our cells over Bluetooth.

Now, because of the penchant of UK and US customs to check laptops we have to travel with everything offloaded and a fresh OS installed. Canadian customs are active, too, but since it is our destination country we just look on bemused if any of us get hooked for secondary checking.

Another requirement is that none of our travels route us through any UK or US airports, either.

I guess MS never thinks about these things. IMHO they have scored another own goal by demonstrating MS software is insecure. A real help to sales figures, undoubtedly.

BTW, the Register piece said: "copies of the software leaked onto the web and were briefly made available via BitTorrent, before the torrent tracking file was pulled". Not so, I have just found 11 .torrent links and have downloaded 7 of them onto 7 machines for crosschecking,

A friend in Beijing said there are several sources on-line in China and they don't even listen to their own government, let alone foreign ones.

The article also said: "allow law enforcement officers ... without requiring any particular expertise" and, presumably, with minimal intelligence if it's a 'police tool'.

Another thing that seems to upset customs inspectors are old cell phones. Seems they lack most of what this type of plod needs to 'forensically examine' the old models, switching them off and removing the SIM seems to complete their bad days. :)

So travel light, guys, no data, no live cells and no SIMs!


Due process ... not just a good idea, it's the law.

"Using the technology - which recovers a list of processes running on an active computer at the scene of an investigation - involves inserting a specially adapted USB stick into a computer."

Without a warrant detailing exactly what they are looking for?

Won't hold up in court. Yet another useless tool from Microsoft. Whodathunkit?


"What's to say that the bad guys couldn't analyse COFEE...

...and write their own code which neutralises it (or wipes sensitive data from their computer)"

What's to say the bad guys couldn't use an OS that won't dump all your most sensitive data onto a USB flash drive "in a fraction of the time the process would normally require".


SIW

It basically does the same as SIW

It loads as a removable drive and autoruns cofee.exe

Then it extracts things like :-

Computer Name, Password

Network Shares, Network Drives

Hashes a list of directories & contents

Lists passwords for all sites visited (stored) I think

SIW is easier though

Anonymous Coward

@Beer Monster

Yeah, as it was aimed at cops I was waiting for them to announce a companion tool called DONUT.


Guess you didn't look yourself

Guess you didn't look yourself as this tool is still available on torrent sites.

