Microsoft's COFEE forensics tool leaks online

Microsoft's secret Computer Online Forensic Evidence Extractor (COFEE) has leaked online, available for all.

COFEE is a forensics tool, approximately 15MB in size, that fits on a USB drive and is intended for law enforcement officials to use in PC forensics. According to Microsoft:

With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

COFEE can be used to locate parts of a computer's hard drive that criminals could use for identity theft, online fraud, child pornography and other such crimes. It is designed to be easy to use and quick for law enforcement officials. The small program contains 150 commands which simplify and speed up the process of data retrieval. According to a Microsoft spokesperson "an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

COFEE requires Windows XP for configuration; however, it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE, to be released next year, that fully supports Windows Vista and Windows 7.


Image Credit: CNET news.com


58 Comments

One thing most people are forgetting is that COFEE is a legally accepted product for this type of work. The courts accept any findings it produces. This is a big point when you need a rock solid case. Other tools have not been 'certified' or passed the court test (in the US and others).

It may not be the best tool, but it does work.

There are other forensics toolkits which work around the same concept of executing a list of commands, using MD5 hashes of the tools to ensure they are the intended commands being launched, etc. COFEE is not groundbreaking, it is meant for non-tech law enforcement to capture volatile data (using standard tools sysadmins use everyday like the ones included in sysinternals). Much hype about nothing.

http://praetorianprefect.com/archives/2009...second-thought/
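The design described in the comment above (a runner that executes a fixed list of tools and checks each tool's hash before launching it, so the examiner knows the intended binary produced the output) is easy to sketch. The following is an added example written for this page; it is not COFEE's code and not from any of the toolkits the commenter mentions. The "tools" are two constructed Python scripts written to a temporary directory, the manifest format and function names are assumptions, and SHA-256 is used instead of the MD5 the comment mentions because MD5 collisions are practical today. It also shows the failure mode a practitioner cares about: a tool modified after the manifest was built is refused rather than run.

```python
"""Added example (not part of the article or COFEE): a minimal volatile-data
collection runner that launches only tools whose on-disk hash matches a
previously recorded manifest, and records each tool's output together with
the hash of the file that produced it."""
import hashlib
import os
import subprocess
import sys
import tempfile

HASH_ALGO = "sha256"  # the comment mentions MD5; same mechanism, weaker algorithm


def file_hash(path, algo=HASH_ALGO):
    """Hex digest of a file, read in chunks so large tools are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(tool_dir, tool_names):
    """Record the trusted hashes once, on a clean examiner machine."""
    return {name: file_hash(os.path.join(tool_dir, name)) for name in tool_names}


def run_collection(tool_dir, manifest, interpreter=sys.executable):
    """Run each manifest tool only if its hash still matches.

    Returns a report with the outputs of verified tools and a list of
    tools that were refused because they no longer match the manifest.
    """
    report = {"results": [], "refused": []}
    for name, expected in manifest.items():
        path = os.path.join(tool_dir, name)
        actual = file_hash(path)
        if actual != expected:
            # Tampered, swapped or corrupted tool: never execute it.
            report["refused"].append(
                {"tool": name, "expected": expected, "actual": actual})
            continue
        proc = subprocess.run([interpreter, path], capture_output=True,
                              text=True, timeout=30)
        out = proc.stdout.strip()
        report["results"].append({
            "tool": name,
            "tool_hash": actual,                      # which binary ran
            "rc": proc.returncode,
            "stdout": out,
            # hash of the captured output, for later integrity checks
            "output_hash": hashlib.new(HASH_ALGO, out.encode()).hexdigest(),
        })
    return report


def demo():
    """Constructed scenario: two tiny 'tools', one tampered after the
    manifest was built. Stands in for ipconfig/netstat-style collectors."""
    tool_dir = tempfile.mkdtemp()
    tools = {
        "count_env.py": "import os; print(len(os.environ))",
        "show_pid.py": "import os; print(os.getpid())",
    }
    for name, body in tools.items():
        with open(os.path.join(tool_dir, name), "w") as f:
            f.write(body)
    manifest = build_manifest(tool_dir, tools)
    # Simulate an attacker (or a careless update) replacing a tool on the USB drive.
    with open(os.path.join(tool_dir, "show_pid.py"), "a") as f:
        f.write("\nprint('tampered')")
    return run_collection(tool_dir, manifest)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the block prints a report in which count_env.py ran and show_pid.py was refused with both the expected and the observed hash, which is the kind of record a court-facing process needs: what ran, what produced it, and what was declined.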

To be honest, I'm surprised that each copy of COFEE that's supplied hasn't got some digital fingerprint that can be traced back. Or maybe Microsoft don't care, since they give it away for free

Couldn't I do the same god damn thing this does using a linux live CD? Or am I just not getting the purpose of this tool?

"an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

A defense attorney would crucify an officer who did not understand the intricacies of the evidence he took.

It's the prosecutor's job to make use of gathered evidence. It doesn't matter if the investigating officer doesn't understand the cigarette butt has DNA on it.

Doh! Why is it hidden?

It doesn't have any hidden hooks into Windows, and it's a piece of software that's been known about for a while. The only thing is it doesn't have general availability, which is hardly unusual.

Anyway, as others have indicated it doesn't appear to be very sophisticated at all.

(Sometimes I'm amazed by the lack of intelligence and basic reading ability by people posting on here - it really does amaze!)

Yeah right!

I'm pretty sure this was "leaked" on purpose. "Some" Vista support, and then it advertises to say that a new version is being released that supports Vista and Windows 7. Unless this was the new version, it's pretty good timing for M$ to "leak" an outdated version.

SmNet said,
Yeah right!

I'm pretty sure this was "leaked" on purpose. "Some" Vista support, and then it advertises to say that a new version is being released that supports Vista and Windows 7. Unless this was the new version, it's pretty good timing for M$ to "leak" an outdated version.

Man, "M$" bashers get more ridiculous every time.

I'm surprised they manage to log in and comment at all considering they can't find the 'S' key on their keyboard.

C_Guy said,
I'm surprised they manage to log in and comment at all considering they can't find the 'S' key on their keyboard.

They probably can't afford an 'S' key with all the shiny Apple Hardware they're buying (;

This is really basic IT security stuff that any quasi professional or computer literate person could do very easily. It's designed as a stop-gap to prevent computer illiterates from ripping the power cable out of a suspects computer and walking back to the office with the PC (thus losing volatile memory data); this way they have something to do (i.e. plug it in) that at least gives them a chance at saving some of that data.

It's really of no benefit to anyone who is even remotely computer literate. Slashdot had links to the downloads a couple of days ago and Microsoft don't really care about distribution of it (nor do Interpol who have signed a deal with Microsoft for distribution of it). It's not a big deal.

forster said,
Aww I was hoping for internet excitements :(

Lol, aren't we all.

Just to clarify; I agree COFEE is a fantastic step forward for computer crime (the less beat cops destroying evidence the better) but yeah this has no value for IT professionals or security hobbyists.

You would benefit a lot more from a Nessus home feed or Backtrack.

omni1 said,
It's really of no benefit to anyone who is even remotely computer literate.

That's who it's aimed at, not every law enforcement official is all that computer savvy

akav0id said,
That's who it's aimed at, not every law enforcement official is all that computer savvy ;)

Oh for sure I didn't mean to give an indication otherwise. I meant all the hub-bub by some of the people here about it is misplaced.

I found this tool 2 days ago and I've read the user guide quickly and, to me, it's just a bunch of scripts to automate a lot of really simple tasks like ipconfig, netstat and stuff like that. Maybe I've missed something.

BTW, this is 2 days old news :P

That's what I found from the manual too. This program just seems to automate DOS commands... like netstat, and the like. There is nothing that even remotely looks like it can collect information on anything you may be hiding on your computer.

Have applications like this not been readily available for ages in the form of PEs? Or is this just an idiot-proof way of finding what is hidden in a computer, technically taking the forensics out of the computer technician's job?

That being said, the more applications like this are released, the better for everyone. I could see something like this being used in education too, as there are a lot of students who are very adept at covering their tracks, not just criminals! Maybe the students are the criminals.....

COFEE is for retards, law enforcement agencies have the best forensics/monitoring resources on hand - real hackers on plea bargaining or sentence reduction deals.

HAckEur said,
COFEE is for retards, law enforcement agencies have the best forensics/monitoring resources on hand - real hackers on plea bargaining or sentence reduction deals.

Heh, in law enforcement I think it's more usually a case of half-trained college dropouts.

Can't get it to install on Windows 7 :(

I do have the PDF though, which is the manual; I can give Tom a link to it later if he pleases, for additional information and/or screenshots.

Anarkii said,
Can't get it to install on Windows 7 :(

I do have the PDF though, which is the manual; I can give Tom a link to it later if he pleases, for additional information and/or screenshots.


RTFA
COFEE requires Windows XP for configuration however, it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE which will be released next year that fully supports Windows Vista and Windows 7.

Jugalator said,
RTFA

Within the PDF manual, it mentions the investigator's machine, which can be XP and above, where the software is installed, and then the target machine, where the scan is performed from the USB drive, which must be Windows XP.

From the PDF manual included in the download:

Investigator Machine
  Hardware: Pentium 4 or above; 512 MB RAM; USB 1.1 or higher; 50MB free hard drive space
  Software: Windows XP or above; .NET Framework 3.5 or higher

USB Removable Device
  Hardware: minimum 1GB device; 2GB or larger recommended
  File System: FAT32 file system is recommended

Target Machine
  Hardware: USB port enabled
  Software: Windows XP*
  *Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported.

*Windows XP is currently the only supported operating system.

Terrorists and criminals around the world will now rush to upgrade to Windows 7. What a marketing coup!

protocol7 said,
*Windows XP is currently the only supported operating system.

Terrorists and criminals around the world will now rush to upgrade to Windows 7. What a marketing coup!

Or just use a version of Linux..

Or just use a version of Linux..

What if they wanted to, you know, do stuff with their computer?


.Neo said,
Or Mac OS X.

I don't think they're that well funded.

I can :P but I can't tell you where.

Mr Tom... is it okay to post screenshots of this program? (If I get it working under Windows 7) ?

If you have this software I suggest either stay silent or delete it, having a copy of this is much much worse than having for example... 50TB of music and movies.

Beastage said,
If you have this software I suggest either stay silent or delete it, having a copy of this is much much worse than having for example... 50TB of music and movies.


Explain.

Beastage said,
If you have this software I suggest either stay silent or delete it, having a copy of this is much much worse than having for example... 50TB of music and movies.

/me facepalms

Ummm, RIAA is much worse than anything Interpol can do. You would get MUCH heavier punishment for having 50TB of music and movies than you would for having 50TB of CP on your machine. Remember; RIAA goes after your whole family, Interpol will go after just you. And RIAA don't hold back. :P

Anarkii said,
Ummm, RIAA is much worse than anything Interpol can do. You would get MUCH heavier punishment for having 50TB of music and movies than you would for having 50TB of CP on your machine. Remember; RIAA goes after your whole family, Interpol will go after just you. And RIAA don't hold back. :P

I'm sorry but 50TB of CP would get you life in prison and a needle in your arm in some countries/states. I don't know about you but I would rather a couple of million in you-dont-actually-have-to-pay-them fines versus a needle in my arm.

I know you think you're cool and all because you grabbed COFEE off TBP or whatever but you need a serious wake up call.

I see it on Usenet but I just ain't sure if it's clean or not.

It's about 14MB in size, sound about right? (i.e. COFEE v1.1.2 Installer.msi?)