Microsoft helping the good guys, eh? I had someone ask me if I could get hold of this, so I did some checking up on it.
I'd guess MS is doing this to sell additional software and services, but either way it's a good thing to make a portable, easy-to-use and effective forensics toolkit.
Would it be better than your average security or forensics LiveCD? I wouldn’t know unless I can indeed get one of these COFEE sticks.
Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.
I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.
‘Internet History’ – I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.
Passwords? Some rainbow cracking brute forcer and a few of the smaller rainbow tables would suffice.
But then with USB pen drives going up to 8-16 GB nowadays you could fit almost a full set of Rainbow Tables for common characters.
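As an added illustration of the time-memory tradeoff behind the rainbow tables mentioned above (this is example code written for this post, not anything from COFEE or from the original article), the toy table below covers three-letter lowercase passwords hashed with unsalted SHA-1. It stores only chain endpoints, recomputes the intermediate passwords at lookup time, and then shows that the same password with a salt prepended falls outside the table. The alphabet, chain length, start points and sample passwords are all constructed for the demo.

```python
import hashlib
import string
from itertools import product

# Constructed toy parameters: 3 lowercase letters, unsalted SHA-1, short chains.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN      # 17,576 candidate passwords
CHAIN_LEN = 50                       # hashes per chain (recomputed, never stored)


def H(password: str) -> bytes:
    """The unsalted hash the table is built against."""
    return hashlib.sha1(password.encode()).digest()


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a digest back into the password space. Mixing in the column index
    gives every chain step a different reduction, which is what limits merges."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain_element(start: str, column: int) -> str:
    """Password at position `column` of the chain beginning at `start`."""
    p = start
    for c in range(column):
        p = reduce_to_password(H(p), c)
    return p


def build_table(starts):
    """Precomputation: keep only endpoint -> [start points]. Keeping a list
    means merged chains are not silently dropped."""
    table = {}
    for s in starts:
        table.setdefault(chain_element(s, CHAIN_LEN), []).append(s)
    return table


def lookup(table, target: bytes):
    """Return the password whose hash is `target`, or None if no chain covers it."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target is the hash at column `col`; roll forward to an endpoint.
        p = reduce_to_password(target, col)
        for c in range(col + 1, CHAIN_LEN):
            p = reduce_to_password(H(p), c)
        for start in table.get(p, ()):
            # Regenerate that chain up to `col` and check the candidate (false
            # alarms are possible, so verify against the real hash).
            candidate = chain_element(start, col)
            if H(candidate) == target:
                return candidate
    return None


def covered_fraction(table) -> float:
    """Share of the password space reachable from the stored chains."""
    seen = set()
    for starts in table.values():
        for s in starts:
            seen.update(chain_element(s, c) for c in range(CHAIN_LEN))
    return len(seen) / SPACE


# Constructed start points: every 40th password, so the table stays tiny.
STARTS = ["".join(t) for t in product(ALPHABET, repeat=PW_LEN)][::40]


if __name__ == "__main__":
    table = build_table(STARTS)
    print(f"{len(STARTS)} chains stored, {covered_fraction(table):.1%} of space covered")
    sample = chain_element("aaa", 7)               # a password somewhere mid-chain
    print("unsalted:", lookup(table, H(sample)))   # recovers `sample`
    print("salted:  ", lookup(table, H("s4lt" + sample)))  # None: salt defeats precomputation
```

The point for a defender is the last line: the table is only useful against hashes computed exactly the way it was built, so a per-user salt (and a deliberately slow hash such as bcrypt or scrypt) pushes the cost back to brute force at investigation time, regardless of how many gigabytes of tables fit on the stick.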
Brad Smith, Microsoft’s general counsel, described COFEE in an interview.
“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.
“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”
An MS rep has confirmed that the kit is a compilation of publicly available forensics tools and that it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means.
So who’s gonna send me one?
Source: The Seattle Times