
It was one of the most sought after applications on the Internet until it was leaked earlier today. And now that it’s out there—and it is all over the place, easily findable by anyone able to use a search engine—we can all move on with our lives. Yes, Microsoft COFEE, the law enforcement tool that mystified so many of us (including Gizmodo~! and Ars Technica~!), is now available to download. If only there were a “bay” of some sort where, I don’t know, pirates hang out…
I’m not mentioning any names, nor will there be any screenshots, but the resourceful among you will be able to find the application. Not that it’ll do you any good, since this is how Microsoft describes COFEE, which stands for Computer Online Forensic Evidence Extractor:
With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.
To reiterate: you have absolutely no use for the program. It’s not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer’s face on Brett Hart’s body as part of a message board thread. No, COFEE is 100 percent useless to you.
Given that, what makes COFEE so mysterious, so special? The sole reason is because it’s never been available before (unless, of course, you’re a law enforcement official). People get a thrill by having something they’re not meant to have, and that effect is magnified online where you have chat rooms and message boards filled with people who get all excited over the idea of having some super-secret piece of software that was never meant to reside on their hard drive.
So that’s that then; Microsoft COFEE is out there. It’s not too big, either, at around 15MB. I’ve kept this post as cryptic as possible primarily to work y’all, and to put over COFEE as the most amazing thing to have never been leaked onto the Internet… until now~!

Quick reporting! The National White Collar Crime Center has recently become the North American distributor for COFEE, so it probably originated here: https://cofee.nw3c.org/
Computer Online Forensic Evidence Extractor (COFEE) is a modified USB flash drive for investigators for quick extraction of forensic data from computers that are suspected to contain evidence of criminal activity. It allows investigators to search through data onsite as an automated forensic tool. The device, developed by Microsoft, is activated by being plugged into a USB port, and purportedly contains 150 commands that can dramatically cut the time it takes to gather digital evidence (estimates cited by Microsoft state that a job that previously took 3-4 hours can be done with COFEE in as little as 20 minutes[1][2]). These commands offer such functions as the ability to decrypt passwords, search a computer’s Internet activity, and analyze the data stored on a computer[3] — including data stored in volatile memory, which could be lost if the computer were shut down for transport to a lab[4]. Microsoft currently provides COFEE devices and online technical support free to law enforcement agencies.
Not only does that sound useful, that sounds *very* useful.
Um, you have to have a secure copy first, otherwise you can destroy the chain of custody.
Hahaha
I happened to be one of the first to grab a copy of this and it’s pathetic.
After running some test scans with it, not only is it worthless to any normal user, I hardly see how it would be useful at all to a “computer forensics expert”
Unless those “experts” don’t know how to use a damn computer.
It’s not for computer experts. It’s for the police on the scene not to mess anything up by pretty much saving the volatile data that would get lost when the computer turns off, so it can be restored.
Pretty much. This program is for police noobs to use so they don’t screw anything up.
But any more specifics on what this actually does? Save what’s in RAM and stop any deletions going on? At 15MB I can’t imagine it does a whole lot.
I love sarcastic reporting~!
The symbol ~! is an homage to Figure 4 Weekly (f4wonline.com), and “siren.gif” is a reference to the siren that drudgereport.com uses with really huge breaking news.
http://drudgereport.com/siren.gif
Didn’t you read? It’s a tool for people who “don’t have computer expertise”.
Without fully understanding how COFEE works or how sophisticated it is, my guess would be that the primary reason that people might be excited about it is that once it’s out, it can be cracked and counteracted, so that folks who might not want Johnny Law poking around in their PC can defeat it. I give it three weeks before we see DECAF released.
A service pack will be released.
Hooray! I’m being illegal!
Hand me the milk, please.
I know you say it’s of no use at all, but say you get locked out of your computer, or forgot your password to an old one, wouldn’t you be able to use this to get yourself back in?
Then you’d use something like Ophcrack, which is free and open source.
A Russian company, ElcomSoft, is currently attempting to copyright “Thunder Tables”. Like Rainbow Tables but for PDF and MS Office files. Bet Ophcrack gets taken out from copyright infringement. =P
Although if you’ve locked yourself out of a Windows computer, there’s lots of ways to get in that are easier than bruteforcing the password.
Hiren’s has an app for that! Or two, or more… Who knows, I’ve never used it… What were we talking about again?
While I’m sure no one who reads CrunchGear falls into this category, I can see one group of people who would find this very useful — the people targeted by police investigations that would involve this tool.
My guess is that with this software available a relatively sophisticated hacker could develop countermeasures, so it’s got to be a bit worrying to Microsoft that this has been leaked.
Not at all, because this does nothing but facilitate batch execution of utilities. All of the tools that are included with the standard COFEE package do nothing but extract system specs and diagnostic data. They don’t even bundle a tool to dump physical memory. However, this tool is useful for newb cops because (a) it runs a predefined list of utilities with specific arguments, (b) logs the data and (c) generates a well organized report of that data. It’s also pretty flexible in that you can add your own tool; so if you had a utility that did dump physical memory you could easily add it to the profile and it would be included when generating the file collection to be placed on the USB device.
In any case… this doesn’t circumvent protection, unless they include a tool that does it. So basically, it’ll take a group of utilities you want to run, make a batch file, copy all the needed files to a USB device, and when *manually* executed on the suspect’s machine, will save all the output for organized display when taking it back for analysis.
It’s not a major h4×0r tool, believe me…
Er, I should add, many of the utilities are already on Windows, like netstat, ipconfig, etc.
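The batch-runner model described in the comment above, as an added example that is not part of the original thread or of Microsoft's COFEE: a fixed collection profile is run in order, each tool's output is captured with a UTC timestamp and a SHA-256 of the raw bytes, and the whole run is sealed in a report that can be re-verified later, which is the chain-of-custody concern raised earlier in the thread. The profile entries are constructed, portable stand-ins for the netstat/ipconfig-style utilities the commenter mentions, not COFEE's own command list.

```python
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone

# Constructed collection profile. A real COFEE-style profile would list
# live-response utilities such as netstat or ipconfig with fixed arguments;
# these Python one-liners are portable stand-ins so the runner works anywhere.
PROFILE = [
    {"label": "interpreter-version",
     "argv": [sys.executable, "-c", "import sys; print(sys.version)"]},
    {"label": "constructed-sample",
     "argv": [sys.executable, "-c", "print('constructed sample')"]},
]

def run_profile(profile, timeout=30):
    """Run each tool in order, capture its output and hash the raw bytes so
    the collection can be checked later (the chain-of-custody point)."""
    results = []
    for step in profile:
        started = datetime.now(timezone.utc).isoformat()
        try:
            proc = subprocess.run(step["argv"], capture_output=True, timeout=timeout)
            out, err, rc = proc.stdout, proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is recorded rather than aborting the run.
            out, err, rc = b"", str(exc).encode(), None
        results.append({
            "label": step["label"], "argv": step["argv"], "started_utc": started,
            "returncode": rc,
            "stdout_sha256": hashlib.sha256(out).hexdigest(),
            # surrogateescape keeps non-UTF-8 bytes recoverable for re-hashing
            "stdout": out.decode("utf-8", "surrogateescape"),
            "stderr": err.decode("utf-8", "surrogateescape"),
        })
    return results

def build_report(results):
    """Serialise the run deterministically and seal it with a manifest hash."""
    body = json.dumps(results, indent=2, sort_keys=True)
    return {"manifest_sha256": hashlib.sha256(body.encode()).hexdigest(), "report": body}

def verify_report(report):
    """Recompute the manifest and per-step hashes; False if anything changed."""
    if hashlib.sha256(report["report"].encode()).hexdigest() != report["manifest_sha256"]:
        return False
    return all(hashlib.sha256(r["stdout"].encode("utf-8", "surrogateescape")).hexdigest()
               == r["stdout_sha256"] for r in json.loads(report["report"]))
```

A tool that is absent from the collection media is logged with a `None` return code and the error text in `stderr`, so a gap in the evidence is itself part of the record rather than a silent omission.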
Someone stole COFEE?
I guess you could call it… HOT COFEE!
HOT COFEE … hilarious, you’ve made my day! (I am easily amused)
First images of the utility:
http://www.megaleecher.net/uploads/COFEE.jpg
http://www.megaleecher.net/uploads/using-cofee.jpg
It’s useful in the way many spyware trackers are useful, to help people visualize what is on their computer and where it is. And in this case, it shows people what the average cop is going to be able to find on their computer.
Did somebody say DAVE MELTZER?
Impact sucked this week.
Hogan or not, nobody watches Impact~!
Yeah, but does it run on Wine?
Previously I read that COFEE copies the bitlocker keys from volatile memory while the OS is running. So if you think bitlocker encryption will protect your hard drives, you’ll need to pull the power from your computer at the first sight of a blue uniform!
Pretty sure that most computer geeks would do that … at least I would and I can’t think of anything that is illegal on my machine but why tempt them.
Intentional and advertent sponsorship of terrorism. Explicit providing of resources and exploits in support of organized crime and terrorism. Sponsorship of international crimes and espionage including sponsorship of terrorism. Direct and intentional provisioning of resources and support for organized crime and terrorist use.
THIS IS YOUR INTERPOL, YOUR DMCA. [sing] It’s fun to sponsor terrorism with the D. M. C. A., Organized crime, terrorists can rhyme! D. M. C. A. Eh, terrorists?
It would be funny if Cofee turns out to ‘phone home’ (Microsoft) and report where it’s being used and what it is seeing.
Just to check that, would be one reason for grabbing a copy.
Also, Iced Cofee! You know a USB stick that gets plugged into your computer with Cofee on it, is going to get plugged into other ‘interesting’ computers later. This presents all sorts of opportunities.
TerraHertz, that’s a sick idea. I like the way you think!
The developer is interviewed on our podcast about his motivations behind the effort. We posted the interview at http://cyberspeak.libsyn.com. His decision to stop development is a direct result of the interview.
Interview Link
http://media.libsyn.com/media/cyberspeak/CyberSpeak_114_Decaf-Interview.mp3
About CyberSpeak:
CyberSpeak is the oldest and largest computer forensic podcast on the Internet. Ovie Carroll and Bret Padres are former federal agents who specialized in cybercrime and computer forensics. We have been doing a weekly podcast on computer forensics, computer crime and computer security since December 2004. As a part of the show, CyberSpeak routinely conducts audio interviews with leaders in the field and newcomers to the discipline.
Cyberspeak
Your Place for Computer Forensic and Computer Crime Information
cyberspeak@gmail.com
Podcast via iTunes:
http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=108218375
It’s pretty rubbish to the public. Well, it’s rubbish to me.
It’s supposed to be. =P
It’s not a ‘for the general public’ tool, hence the closed release. It’s meant for computer illiterate police officers to get some basic forensic data off of computers.