09 May 2008 | 19,103 views

Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor

Acunetix Web Application Security

Microsoft helping the good guys eh? I had someone ask me if I can get a hold of this so I did some checking up on..

I’d guess MS is doing this to sell additional software and services, but either way its a good thing to make a portable, easy to use and effective forensics toolkit.

Would it be better than your average security or forensics LiveCD? I wouldn’t know unless I can indeed get one of these COFEE sticks.

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.

‘Internet History’ – I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.

Passwords? Some rainbow cracking brute forcer and a few of the smaller rainbow tables would suffice.

But then with USB pen drives going up to 8-16gb nowadays you could fit almost a full set of Rainbow Tables for common characters.

Brad Smith, Microsoft’s general counsel, described COFEE in an interview.

“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.

“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”

A MS rep has confirmed that the kit is a compilation of publicly available forensics tools and it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret ‘backdoors’ or other undocumented means.

So who’s gonna send me one?

Source: The Seattle Times


Recent in Forensics:
- HoneyDrive Desktop v0.2 Released – Honeypot LiveCD
- Mobius Forensic Toolkit 0.5.10 – Forensics Framework To Manage Cases & Case Items
- Rec Studio 4 – Reverse Engineering Compiler & Decompiler

Related Posts:
- A Forensic Analysis of the Lost Veteran’s Administration Laptop
- Mobius Forensic Toolkit 0.5.10 – Forensics Framework To Manage Cases & Case Items
- PlainSight – Open Source Computer Forensics LiveCD

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 65,521 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 28,830 views
- sslsniff v0.6 Released – SSL MITM Tool - 26,844 views

Advertise on Darknet

33 Responses to “Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor”

  1. Roger Halbheer 9 May 2008 at 8:48 am Permalink

    I do not get your first point: “I

  2. Jinesh 9 May 2008 at 9:10 am Permalink

    I think this is one more way of MS to get rid piracy. They will also equip their vigilance department with this tool to find pirated copies of MS operating system, but who cares!!!!!!!!!

  3. gul 9 May 2008 at 9:31 am Permalink

    I’m curious about it too.

    What exactly is in that thumb drive ? And what really means internet history, just browser’s (IE, sic) data or some other stuff, like… chat, mails, and alike ?

  4. Darknet 9 May 2008 at 10:25 am Permalink

    Roger: Perhaps we got the idea from Microsoft General Counsel Brad Smith who acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said. RTFA.

    gul: No one really knows…apart from MS and the people who have a copy of the software.

  5. Erik 9 May 2008 at 10:44 am Permalink

    So what does “analyze a computer

  6. navin 9 May 2008 at 10:57 am Permalink

    Ya even I wanna know the same thig as eric and gul

    What will this “suite” comprise of??

  7. Roger Halbheer 9 May 2008 at 11:19 am Permalink

    Well, I think Brad was pretty clear in the interview you cite:
    “These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”
    We are doing a lot of things with Law Enforcement – mainly aroudn training them how to do forensics. This becomes especially important in areas like Africa or other developing countries.

  8. Doey6 9 May 2008 at 2:24 pm Permalink

    I’ve talked to a couple of people who have used the tool. It was just in passing, and the conversation didn’t get in depth at all, however the gist of the conversation was that the tool was crap. Well, maybe crap is an exaggeration. But, for anyone who really is involved in forensics, making your own thumb drive is the way to go. It’s all about using the tools you’re familiar with and trust. I’m not entirely sure, however, I do think that the tool did have some Microsoft programs on there. But, some of the tools, or implementations of the tools might work on only certain OS’s. (XP but not Vista). Not sure which tools though. Could be something like dd being used for dumping physical memory. As far as I know it’ll work on XP but not on Vista (at least my most recent Helix disc didn’t do it on Vista). But yeah, as for the COFEE tool, from what I’ve heard from people in the forensics field, it’s just like any other Microsoft product. Good for Microsoft on making an effort and putting out a product like this, but it’s a bad implementation and most people can do a better job on their own. IMO

  9. Randy 9 May 2008 at 2:31 pm Permalink

    Although its a couple years old this sourceforge project is probably a similar tool. This tool can be modified to include other portable apps and can be easily ran off a USB with most modules working flawlessly. I do not know what happened to the development of this tool but it would be cool if someone continued it. Rpier – Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems.


  10. Fever 9 May 2008 at 5:26 pm Permalink

    I,ll just take two thanks. one for me and the other for … Me.

  11. Darknet 9 May 2008 at 6:59 pm Permalink

    Roger: That’s somewhat laughable as ONE person made this toolkit and it’s made from freely available (probably open source) tools. I don’t see this being a huge R&D product or MS developed software being released to the community. I’d prefer to get my forensics training from Encase, last time I looked MS wasn’t a pioneer in the forensics industry.

    Doey6: I agree most (myself included) have their own forensics toolkit gathered from tools that work and get the job done.

    Randy: That’s cool, I’ll check it out. I have something similar, boot CDs are fine for post analysis but when you want to dump the RAM etc before shutting down a machine USB is the way to go (well it was floppy disks in the old days).

  12. Roger Halbheer 9 May 2008 at 7:13 pm Permalink

    Well, again, I was probably not clear: He did not say “this is something we invest” but “these are things we invest”. If you look at what we do for LE, this is a significant investemt. There are tools which help LE to coordinate on Chiled Exploitation cases and so on – there is much, much more than I am willing to write down here in this box (but we can have a discussion on this if you wish – I am happy to invest some time and blog on it).
    With regards to the tool: the basic target was and still is the LE Office doing a house search not being a deep forensic specialist as you all seem to be. I agree that a forensic speciallist being called to a hacking scene has his own tools. This is not the focus on that. But a police officer doing a house search: it is probably better to have an automated script rather than a checklist of what he has and can do.
    It is interesting to me that a lot of people attack us for the quality of a tool we did for LE and LE is very interested in using it……

  13. Bogwitch 9 May 2008 at 8:44 pm Permalink

    I don’t know if USB is the right way to go when dumping memory, running an application from USB will overwrite some memory. A better solution would be to use the firewire attach that has been discussed all over the net recently.
    The use of a usb based toolkit suggests to me a degree of covertness is being employed. Usually, law enforcement is a very overt function when it comes to forensic imaging and capture.

  14. eM3rC 9 May 2008 at 11:48 pm Permalink

    Very cool CD/USB compilation.

    Right now I use a combination of Ophcrack, Hirens Boot CD and a couple other tools to get into computers that have passwords that the owner has forgotten, etc.

    Thanks for the post, nice to finally find a pack with everything someone could need for this kind of stuff.

    Just noticed there aren’t any more number verification boxes to prevent spamming :)

  15. Pantagruel 10 May 2008 at 6:56 am Permalink

    Nice try ms,
    but as many have mentioned before, we’ll compile our own thumb drive of usefull app’s (tried and tested) instead of relying on you.

    @Bogwitch, have a look at Tim Vidas CanSecWest 2007 presentation
    ( cansecwest.com/slides07/csw07-vidas.pdf ) for some proof of concept stuff and we had some volatile RAM blogging here as well.

    As eM3rC says, Hiren’s bootdisk or a carefully prepared WinPE cd will provide enough tools for a postmortem (or a forgotten pw), there are some pm distro’s outthere as well.

  16. macdaddy 10 May 2008 at 10:23 am Permalink

    Oh, this sounded like some cool, MS made apps, that worked with there OS’s in some brand spankin awesome way. Guess not.

    Well they just want you to think there “cool”

  17. Pantagruel 10 May 2008 at 1:09 pm Permalink

    A nice compilation of forensic stuff


  18. Jerk 11 May 2008 at 7:58 am Permalink

    So much about “trust” for MS. They provide people with operating system and then they provide LE tools to screw us over. If that was just set of public domain tools why this tool is not available on their website?
    But from the other hand until after they release SP1 for that “tool” it will be probably useless :)

  19. Dadwhiskers 11 May 2008 at 8:55 am Permalink

    Hey Jerk ! Screw whom over? As long as the “good” guys – assuming they all are (a big assumption) – are the ones that have it, so what? Are you a criminal? The only reason we have laws and cops is that human beings aren’t by and large civilized (or particularly intelligent) creatures. If we were civilized, we would need neither laws or cops.

    There’s a lot of ifs, and and buts, but this stuff isn’t anything new. Both the good guys and the bad guys have all this stuff already, so what’s the big deal. This is all just stuff you can browse around and find. Microsoft isn’t screwing anyone, and if this does help to curb some of the world’s uncivilized inhabitants, I’m all for it.

    A friend of mine’s step son does covert work for the government (he’s ’009.5′ or something), and the word I got is that the Feds have PGP and TrueCrypt, etc hacked. They don’t do it by brute force. They use smarts. ‘You have no privacy, get used to it ” as some computer industry guy once said. If you need the kind of privacy that requires that level of security, you should rethink your life. Become civilized.

  20. Jerk 11 May 2008 at 10:24 am Permalink

    Well I do not know I am criminal or not (I’d like to think I am the good guy) but in a situation where everyone is looking for terrorists and having (or reading) wrong stuff in a wrong time on your PC may result in one being thrown in a prison (or like in the big wise democracy: Guantamo).
    So… yes I am worried that MS provides tools to LE guys (it’s like the guy that replaced your front door lock give a key to your local LE guy – would you like that? )
    have you seen that stuff they provide, have you got anything more than just gossip?

  21. Darknet 12 May 2008 at 8:42 am Permalink

    Roger: No one is attacking, simply questioning. That’s why it pays to avoid being defensive and to be well informed. Would be interested to see more info on your blog.

    Bogwitch: Agree, Firewire is a better solution than USB due to the way it can directly address memory…still many older and cheaper machines don’t have Firewire ports. Personally I do live assessments with a CD as I find read only media the safest

    eM3rC: Yah we removed the maths thingy and put some other protection in place that doesn’t require user action (combination of JavaScript and Cookies).

  22. Changlinn 13 May 2008 at 1:50 am Permalink

    Surely someone could get backtrack or nUbuntu onto a usb thumbdrive that would be much better than this drive, they both have thousands of tools, and a full OS to back them up with major TCP/ip access without the hack that is the nt tcp/ip stack.
    PS fix the site so that I can browse it using NoScript, it took me several attempts to post this, all greeted with please enable cookies and javascript; you guys are allowed in noscript, so I have no idea why it didn’t work on my laptop.

  23. eM3rC 13 May 2008 at 4:19 am Permalink

    Couple of quick points here.

    Thanks for doing that! It was always a pain reentering posts because of that anti-spam feature.

    As for the security issue, I stumbled upon a very interest 2600 article in their most recent issue. Using a copy of Knoppix (the live CD) and a removable hard drive/USB key one can gain access to any computer as long as the bios is configured correctly. Basically all you have to do is run the live OS, access the windows hard drive through Knoppix and simply copy and paste the files onto the removable hard drive. No passwords required. Only requirement is the removable hard drive is formatted in FAT32.

    Hope this helps some people out.

    eM3rC out.

  24. eM3rC 13 May 2008 at 4:22 am Permalink

    Just thought I’d recommend a good program for those of you on a computer that you can log into and can run .msi/.exe programs.

    Its called SIW.

    This program will basically tell you about every aspect of the computer including saved password, registry keys used for all the software, WEP/WPA keys, hardware, etc etc. You get where I’m going with this.

  25. Mik3NL 13 May 2008 at 2:39 pm Permalink


    Does the term “U3 Switchblade” ring a bell to anyone here?

    * U3 USB key
    * Universal Costumizer (for modding the U3 bootdisk)
    * VNC/keyloggers/PWDump/nirsoft.net etc! (You get the picture!)
    * some batch scripting power
    * Windows machines with autorun enabled! ;)
    * Imagination!

    No need for RT’s or anything..

  26. Roger Halbheer 14 May 2008 at 2:07 pm Permalink

    Sorry, that I did not come back earlier. I had some days off and was on the road. You said that you want more info on my blog. I am not sure whether I cover all your needs (no, there is no list with all the commands) but there you go: http://blogs.technet.com/rhalbheer/archive/2008/05/14/support-for-law-enforcement-and-cofee.aspx

  27. Pantagruel 14 May 2008 at 6:30 pm Permalink

    @ Roger Halbheer

    Thanks for the added info, but I guess we are really more interrested in what you put on the stick.

  28. Robert Allen 15 May 2008 at 7:24 pm Permalink

    Don’t forget about Helix… http://www.e-fense.com/helix.

  29. Howard 17 May 2008 at 8:45 pm Permalink

    Let me ask the silly question….Would this be a good tool for the beginner because reading all of the comment it might have goods and bads….How did you learn,I fell on my but sometimes before succeding and I think most of us have.I am not an expert but a newbie that is still filtering and is loking for good training and if the case be falling software.I am reluctant to say good or bad but is it something we can learn from so we dont make up tools that are not the best in the land.

    You know if I continue to listen to all here I will learn faster than any program,no one holds back excellant setup Darknet thanks

  30. davenix 20 May 2008 at 11:48 pm Permalink

    I am guessing 3/4 of you are total fanboy, script kiddy douchenozzles…and the other 1/4 are IT managers who know nothing.

  31. Howard 21 May 2008 at 4:23 am Permalink

    Mr davenix……..Please explain

  32. lyz 13 August 2008 at 11:32 am Permalink

    Helix.. Yah. I heard about that great tool too. Added tools you can use in forensics, the FTK imager, Mediawiper, and Firefly write blocker.

  33. Morgan Storey 16 August 2008 at 9:40 am Permalink

    Hmm helix looks good akin to Knoppix STD (There was a good distro, shame it hasn’t been updated much), I’ll have to give it a go. I remember I posted on this ages ago with my Changlinn moniker, I changed to my real name as there is no point, I am the only one that uses Changlinn so it is easy enough to trace back to me.
    I saw some of these windows tools, they are horribly crippled compared to their OSS counterparts. Netmon, pahlease give me wireshark and libpcap capable routers anyday.