Microsoft's COFEE forensics tool leaks online

Microsoft's secret Computer Online Forensic Evidence Extractor (COFEE) has leaked online, available for all.

COFEE is a forensics tool, roughly 15MB in size, that fits on a USB drive and is intended for law enforcement officials to use in PC forensics. According to Microsoft:

With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.

COFEE can be used to locate parts of a computer's hard drive that criminals could use for identity theft, online fraud, child pornography and other such crimes. It is designed to be quick and easy for law enforcement officials to use. The small program contains 150 commands that simplify and speed up the process of data retrieval. According to a Microsoft spokesperson, "an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

COFEE requires Windows XP for configuration; however, it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE, to be released next year, that fully supports Windows Vista and Windows 7.


Image Credit: CNET news.com


58 Comments


omni1 said,
It's really of no benefit to anyone who is even remotely computer literate.

That's who it's aimed at, not every law enforcement official is all that computer savvy

akav0id said,
That's who it's aimed at, not every law enforcement official is all that computer savvy ;)

Oh, for sure, I didn't mean to give an indication otherwise. I meant all the hubbub by some of the people here about it is misplaced.

Yeah right!

I'm pretty sure this was "leaked" on purpose. "Some" Vista support, and then it advertises to say that a new version is being released that supports Vista and Windows 7. Unless this was the new version, it's pretty good timing for M$ to "leak" an outdated version.

SmNet said,
Yeah right!

I'm pretty sure this was "leaked" on purpose. "Some" Vista support, and then it advertises to say that a new version is being released that supports Vista and Windows 7. Unless this was the new version, it's pretty good timing for M$ to "leak" an outdated version.

Man, "M$" bashers get more ridiculous every time.

I'm surprised they manage to log in and comment at all considering they can't find the 'S' key on their keyboard.

C_Guy said,
I'm surprised they manage to log in and comment at all considering they can't find the 'S' key on their keyboard.

They probably can't afford an 'S' key with all the shiny Apple Hardware they're buying (;

Doh! Why is it hidden?

There aren't any hidden hooks into Windows, and it's a piece of software that's been known about for a while. The only thing is it doesn't have general availability, which is hardly unusual.

Anyway, as others have indicated it doesn't appear to be very sophisticated at all.

(Sometimes I'm amazed by the lack of intelligence and basic reading ability by people posting on here - it really does amaze!)

"an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device."

A defense attorney would crucify an officer who did not understand the intricacies of the evidence he took.

It's the prosecutor's job to make use of gathered evidence. It doesn't matter if the investigating officer doesn't understand the cigarette butt has DNA on it.

Couldn't I do the same god damn thing this does using a linux live CD? Or am I just not getting the purpose of this tool?

To be honest, I'm surprised that each copy of COFEE that's supplied hasn't got some digital fingerprint that can be traced back. Or maybe Microsoft don't care, since they give it away for free.

There are other forensics toolkits which work around the same concept of executing a list of commands, using MD5 hashes of the tools to ensure they are the intended commands being launched, etc. COFEE is not groundbreaking, it is meant for non-tech law enforcement to capture volatile data (using standard tools sysadmins use everyday like the ones included in sysinternals). Much hype about nothing.

http://praetorianprefect.com/archives/2009...second-thought/
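The concept this comment describes (a fixed list of commands, each tool's binary hashed and checked against an expected value before it is launched, with the captured output recorded), written out as an added Python example; it is not COFEE's code or any other project's. It uses SHA-256 rather than MD5, since MD5 collisions are practical, and the manifest format, tool names and constructed manifest (the Python interpreter standing in for a collection tool) are assumptions.

```python
import hashlib
import subprocess
import sys
from datetime import datetime, timezone

def file_hash(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tool(entry: dict) -> bool:
    """A tool may run only if the on-disk binary matches the manifest hash."""
    try:
        return file_hash(entry["path"]) == entry["sha256"]
    except OSError:          # missing or unreadable binary is treated as a failure
        return False

def run_manifest(manifest: list) -> list:
    """Run each verified tool in order; refuse and record anything that fails the check."""
    records = []
    for entry in manifest:
        rec = {"name": entry["name"], "started": datetime.now(timezone.utc).isoformat()}
        if not verify_tool(entry):
            rec["status"] = "refused: hash mismatch or missing binary"
            records.append(rec)
            continue
        proc = subprocess.run([entry["path"], *entry["args"]],
                              capture_output=True, text=True, timeout=60)
        rec["status"] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
        rec["output"] = proc.stdout
        # Hash the captured output so later tampering with the report is detectable.
        rec["output_sha256"] = hashlib.sha256(proc.stdout.encode()).hexdigest()
        records.append(rec)
    return records

def demo_manifest() -> list:
    """Constructed manifest (assumption): the interpreter stands in for a process
    lister; the second entry carries a deliberately wrong hash and must be refused."""
    good = file_hash(sys.executable)
    return [
        {"name": "list-processes", "path": sys.executable,
         "args": ["-c", "print('pid 4 System')"], "sha256": good},
        {"name": "tampered-tool", "path": sys.executable,
         "args": ["-c", "print('should not run')"], "sha256": "0" * 64},
    ]

if __name__ == "__main__":
    for r in run_manifest(demo_manifest()):
        print(r["name"], r["status"])
```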

One thing most people are forgetting is that COFEE is a legally accepted product for this type of work. The courts accept any findings it produces. This is a big point when you need a rock-solid case. Other tools have not been 'certified' or passed the court test (in the US and others).

It may not be the best tool, but it does work.
