Microsoft device helps police pluck evidence from cyberscene

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

View: Full Article @ The Seattle Times


47 Comments


somebody has to catch the "Pete Townsend's" in this world (he got convicted for child porn)

From Wikipedia it states that after searching 14 of his computers they didn't find anything. The post even states:

A later investigator stated that he was "falsely accused".[16] After obtaining copies of the Landslide hard drives and tracing Townshend's actions, investigative journalist Duncan Campbell wrote in PC Pro Magazine, "Under pressure of the media filming of the raid, Townshend appears to have confessed to something he didn't do." Campbell states that their entire evidence against Townshend was that he accessed a single site among the Landslide offerings which was not connected with child pornography.

Just hate to see an innocent person get a bum rap like that.

sounds like that P2P system they designed for spying on people that MS designed
they offered it to the USA gov and they refused it but Canada took it and
i assume has been using it ever since..
called CETS - http://arstechnica.com/news.ars/post/20080...child-porn.html

somebody has to catch the "Pete Townsend's" in this world (he got convicted for child porn)

I mention this 'cause I doubt most people in Canada know about this
and for some reason Canadians seem to think everything is legal (when it comes to downloading)

oh noes 5.0 gotz teh usb thumb drive.. quick hide under the bed !!!111ONE

i alwayz knewz teh Mikrosoftz w3re stealingz meh memegahurtz

What I don't get is WHY do people care??? U think the police are just gonna come into your house unwarranted and want to look thru your computer? If they come in and want to use this, they're damn sure gonna have a warrant.... and if they have a warrant, you must have done something VERY bad......

I've said it once and I'll say it again. If you do nothing illegal, what's the problem with tools like this that "invade your privacy?"

It's called the Online Forensic Evidence Extractor which sounds to me like some kind of hack tool.
What if the RIAA gets a hold of this are you going to say I'm not doing anything Illegal?
In the eyes of the RIAA all you have to do is rip a song to mp3, and you are guilty of a crime.
If the RIAA gets one or a bunch of clones of these all they would have to do is paste a link here on the forum that said free mp3s.
when you visit their site they have you in their net using the COFEE they examine your computer to see if you have more MP3s, and when they find them that will be all they need to sue you for damages.

Personally this ****es me off that Microsoft would create such a back door

(fr33k said @ #19)
It's called the Online Forensic Evidence Extractor which sounds to me like some kind of hack tool.
What if the RIAA gets a hold of this are you going to say I'm not doing anything Illegal?
In the eyes of the RIAA all you have to do is rip a song to mp3, and you are guilty of a crime.
If the RIAA gets one or a bunch of clones of these all they would have to do is paste a link here on the forum that said free mp3s.
when you visit their site they have you in their net using the COFEE they examine your computer to see if you have more MP3s, and when they find them that will be all they need to sue you for damages.

Personally this ****es me off that Microsoft would create such a back door

ONLINE as in the computer is on when running the tool, not online internet-wise. It runs in realtime on the computer, before shutting it down and taking it back to the lab.

1. it's not a back door...
2. online doesn't mean they can use it remotely.....
3. the RIAA would have no business using this technology. If they were caught using it they'd be in a ****load of trouble, because that means that someone leaked it to them AND they are not authorized to use it.
4. as i stated in a later reply, if you don't do anything wrong, what do you have to worry?

I laugh at how they give it an acronym name. It's just a f*ckin' thumb drive for Christ sake!!

I still don't see why they don't take the PC like they've always done. Now, the cops have to be concerned with the handling of such a small device so as to not lose cases in court. Anyone can simply say "prove to me the thumb drive was empty before you transferred my data to it, prove the device was sealed in an evidence bag and all handling of the bag was tracked."

One would think it be easier and safer evidence control to grab the pc.

(Apple-a-Day said @ #14)
Started getting calls on this today... Anything to cut down on Child Porn... may they all hang from "piece"

Yeah, that makes you a better person, wanting to hang/kill someone... NOT.

Where in the article does it say anything about bypassing security? It sounds like a bunch of tools that just do crap like pull saved passwords.

While it's not a real deal with US citizens, it's a big trouble with foreign countries, 'cause it can be used by spies.

(naap51stang said @ #8)
Wondering how long til the source code shows up on the-pirate-bay website in 3...2...1...

well, they have been distributing these for almost a year from what i can tell from some Norwegian sources.

I would guess that this device isn't easy to copy/re-produce.

Microsoft would have some serious lawsuits on them if this device was "just software on usb stick", and someone copied it and put it out there.

Have some faith in Microsoft.

(morphen said @ #8.1)
Have some faith in Microsoft.



Your post is pure speculation btw, using words like "guess", "would have/if", "from what I can tell", and worst of all "faith".

I would have faith until I remember that the smartest cryptographers in the world don't work at MS.

There is nothing they can encrypt that others can't encrypt and duplicate.

The Chinese, in particular, have shown themselves to be VERY adept at doing just that...bypassing milspec and dod level security measures.

It's called industrial espionage and MS just made their lives a hell of a lot more convenient.

(excalpius said @ #8.2)


Your post is pure speculation btw, using words like "guess", "would have/if", "from what I can tell", and worst of all "faith".

I would have faith until I remember that the smartest cryptographers in the world don't work at MS.

There is nothing they can encrypt that others can't encrypt and duplicate.

The Chinese, in particular, have shown themselves to be VERY adept at doing just that...bypassing milspec and dod level security measures.

It's called industrial espionage and MS just made their lives a hell of a lot more convenient.

Of course it's speculation, I never made any statement that would suggest otherwise?

I'm just saying that we should not underestimate Microsoft.

"Microsoft has not and will not put 'backdoors' into Windows. The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data," Niels Ferguson, a developer and cryptographer at Microsoft, wrote Thursday on a corporate blog. "Over my dead body," he wrote. "Back doors are simply not acceptable."

(abcdefg said @ #7.1)

"There are no American infidels in Baghdad. Never!"

"There are no infidel backdoors in Windows! Over my dead body!"

I liked when the general was asked about the Tanks with US flags on them behind him, he said, 'no worry, they have come to surrender'.

Anyway, this was also mentioned in xp about a little back door only savvy people knew about and m$ were told about it then they realized they were tumbled and patched it.

Why are people flaming Microsoft for giving tools to the police and feds used mostly to catch pedophiles and alike? They're trying to help catch criminals. Not unlock your masses of MP3 files and ever so private files like anyone gives a sh*t about.

Among other things they have to have PHYSICAL ACCESS to the PC, it's not like they're taking these USB drives home and hacking into your PC to pry on your private life of 4chan, Neowin and MSN logs

Grab your tinfoil hat james!

Whatever the police may do, the fact is that if criminals get their hands on this USB they can figure out new ways to get into your computer or your company's machines. To me that is what is a worry with security whatever the case, when it can be breached by people with unwholesome intentions.

(James7 said @ #6.1)
Whatever the police may do, the fact is that if criminals get their hands on this USB they can figure out new ways to get into your computer or your company's machines. To me that is what is a worry with security whatever the case, when it can be breached by people with unwholesome intentions.
I am sure you realize that tools like this already exist. This is nothing more than a LiveCD(ok, USB) that has some file scanning and password cracking utilities.

(markjensen said @ #6.2)
I am sure you realize that tools like this already exist. This is nothing more than a LiveCD(ok, USB) that has some file scanning and password cracking utilities.

I may be wrong but I was under the impression you could use this USB to hook up to a computer that is already running and so analyse the RAM (which would of course be lost with a reboot).

Brad Smith, Microsoft's general counsel, described COFEE in an interview.

"It's basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you're a law enforcement official and let's say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that's encrypted, and you've got that information off in order to have a successful investigation and prosecution.


"In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They'd have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information."

The device can get that job done in as little as 20 minutes, Smith said.

"With this tool, they can just plug it into the computer, wherever it's located. They don't have to turn off the power. It has over 150 different technology tools that law enforcement officers can use to analyze data, to get access to passwords, to obtain the information typically that people need to successfully prosecute a crime."

Source: http://blog.seattletimes.nwsource.com/tech...fee_device.html

Actually, come to think of it, this sounds exactly like a backdoor to be honest. We downplay the significance of this matter at our peril. Just imagine what criminals could do with these tools, say, modified for use in spyware or whatever. This is not exactly 'security', where you can just plug in a USB and take over someone's computer. This must mean that Windows Vista is coded to be 'open' and 'receptive' to these tools, if it drops all security the moment such a USB is inserted. This is scary, to me at least.

How does this sound like a backdoor? It sounds to me like a collection of tools that autoruns... You may want to wake up and realize that if someone has physical access to your machine, especially if it is powered on, they have access to your data.

BTW, you do realize that every "BUILTIN\administrator" SID in Windows is 500 right? Given the average user using administrator, and many not being disabled even if they don't use it, there is a lot less security around than most people think.

grrr...the reply is to the wrong level, should have been to:
"Actually, come to think of it, this sounds exactly like a backdoor to be honest..."

Haha, well am I glad I didn't buy that POS, another reason to NEVER use pista or mac (let's face it they have or will do the same thing but will deny it and say it's all rubbish, whereas MS actually admits it)

(n_K said @ #4)
Haha, well am I glad I didn't buy that POS, another reason to NEVER use pista or mac (let's face it they have or will do the same thing but will deny it and say it's all rubbish, whereas MS actually admits it)

I love the way you call vista "pista".

Shows how mature you are.

The key feature of the device is to get a snapshot of everything in memory before the system is shut down and taken to the labs. Otherwise if you don't, you lose the ability to see what files are open and any encryption keys that might be loaded in memory.

And the timing of this with the recent ruling that customs agents can mirror your data without probable cause in violation of the constitution at border crossings is purely coincidental. Maybe, but...

The linked article was titled "Microsoft device helps police pluck evidence from cyberscene of crime"

Yet Neowin's title is "Microsoft Gives Police Keys To Unlock Vista Security"

I love how you spin it.

Very well said. Why do we need to hear about flaming and such things. Can't you people sometimes get it right?

In the whole article, there is not a single word about Vista and the poster still tries his luck with flaming MS and Vista.

For a site like Neowin, this is unacceptable. Please either fix the title or delete this whole news report.

If you read the full article, you'll see that that is exactly what is happening. At least I didn't suggest the use of the shocking and inflammatory word 'backdoor' (as here: http://www.techdirt.com/articles/20080429/095514977.shtml ), which is what it frankly amounts to and which is what all the tinfoil hat crew and foreign governments have feared for ages about Microsoft's relations with authorities, which is not actually accurate.

I guess I may have read too much into a developing story: http://blog.seattletimes.nwsource.com/tech...fee_device.html . Who knows where this will lead, though?

The trick remains that MS are giving police a quick way to get at encrypted aspects of your Vista computer. However they want to spin it, that is the case. And it means that the title is accurate.

(James7 said @ #2.2)
The trick remains that MS are giving police a quick way to get at encrypted aspects of your Vista computer. However they want to spin it, that is the case. And it means that the title is accurate.

In my line of work we often need to bypass the security in Windows, search through mass amounts of data and computer history and more. The tools we use do everything and more than Microsoft's package, which it is providing to law enforcement agencies, and many of our tools have similar clones which can be found online if you know where to look.

It's safe to assume that anyone using the package provided by Microsoft will also have access to the tools I have, and if that is the case then this changes nothing. Your data is never safe.

I can tell you right now from my own experiences: No matter what you do, if the data exists somewhere, in some form it can be extracted and can be analysed; it only takes time.
Anyone who expects privacy from the security provided with Windows is sadly very mistaken.

You should be less worried about Microsoft and more worried about your civil rights.

A tip from me, if you have data that you need to hide or secure, destroy it. If you can't do that, find a drive and use low level hardware encryption.

Why oh why!!!! I mean come on this is asking for trouble, what if someone loses it.........
Kind of defeats the whole point of secure encryption don't it

(tunafish said @ #1)
Why oh why!!!! I mean come on this is asking for trouble, what if someone loses it.........
Kind of defeats the whole point of secure encryption don't it

Well, say, someone is arrested in your neighborhood, for molesting a child, wouldn't you like the police to have this device to get all relevant information out of his computer?

I would bet it's not just plugging it in.

We know nothing relevant about the technical side of this, there might be a hardware RSA key or something you would need to activate it?

I bet the developers of this device are smarter than we all could think.

(morphen said @ #1.1)
I bet the developers of this device are smarter than we all could think.

They're not smarter than I am, which means the only thing keeping everyone else safe is my integrity.

That would be fine, EXCEPT that I can't vouch for all of the other "smarter than they are" people in the world.

And therein lies the problem with such a device getting into the wild.

QED