Microsoft helping the good guys, eh? I had someone ask me if I can get hold of this, so I did some checking up on it.
I'd guess MS is doing this to sell additional software and services, but either way it's a good thing to make a portable, easy to use and effective forensics toolkit.
Would it be better than your average security or forensics LiveCD? I wouldn’t know unless I can indeed get one of these COFEE sticks.
Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.
The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.
The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.
I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.
‘Internet History’ - I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.
Passwords? Some rainbow cracking brute forcer and a few of the smaller rainbow tables would suffice.
But then with USB pen drives going up to 8-16gb nowadays you could fit almost a full set of Rainbow Tables for common characters.
Brad Smith, Microsoft’s general counsel, described COFEE in an interview.
“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.
“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”
An MS rep has confirmed that the kit is a compilation of publicly available forensics tools and that it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means.
So who’s gonna send me one?
Source: The Seattle Times
Hi,
I do not get your first point: "I'd guess MS is doing this to sell additional software and services". How do you think we are making money out of this? It is to help LE to do the forensics on a PC they are allowed to search.
I am not clear why this creates so much discussion on the net.
Roger
I think this is one more way for MS to get rid of piracy. They will also equip their vigilance department with this tool to find pirated copies of the MS operating system, but who cares!!!!!!!!!
I’m curious about it too.
What exactly is on that thumb drive? And what does "internet history" really mean: just the browser's (IE, sic) data, or some other stuff like chat, mails and the like?
Roger: Perhaps we got the idea from Microsoft General Counsel Brad Smith who acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said. RTFA.
gul: No one really knows, apart from MS and the people who have a copy of the software.
So what does “analyze a computer’s Internet activity” mean? Does it look in DNS cache and cached html files or does it sniff network traffic in realtime using something like ChaosReader or NetworkMiner?
Ya, even I wanna know the same thing as eric and gul.
What will this "suite" comprise of??
Well, I think Brad was pretty clear in the interview you cite:
“These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”
We are doing a lot of things with Law Enforcement, mainly around training them how to do forensics. This becomes especially important in areas like Africa or other developing countries.
Roger
I've talked to a couple of people who have used the tool. It was just in passing, and the conversation didn't get in depth at all, however the gist of the conversation was that the tool was crap. Well, maybe crap is an exaggeration. But, for anyone who really is involved in forensics, making your own thumb drive is the way to go. It's all about using the tools you're familiar with and trust. I'm not entirely sure, however, I do think that the tool did have some Microsoft programs on there. But, some of the tools, or implementations of the tools, might work on only certain OSes (XP but not Vista). Not sure which tools though. Could be something like dd being used for dumping physical memory. As far as I know it'll work on XP but not on Vista (at least my most recent Helix disc didn't do it on Vista). But yeah, as for the COFEE tool, from what I've heard from people in the forensics field, it's just like any other Microsoft product. Good for Microsoft on making an effort and putting out a product like this, but it's a bad implementation and most people can do a better job on their own. IMO
Although it's a couple of years old, this SourceForge project is probably a similar tool. This tool can be modified to include other portable apps and can be easily run off a USB drive with most modules working flawlessly. I do not know what happened to the development of this tool but it would be cool if someone continued it. RPIER - Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems.
http://sourceforge.net/projects/rpier
I'll just take two, thanks. One for me and the other for... me.
Roger: That's somewhat laughable, as ONE person made this toolkit and it's made from freely available (probably open source) tools. I don't see this being a huge R&D product or MS-developed software being released to the community. I'd prefer to get my forensics training from EnCase; last time I looked MS wasn't a pioneer in the forensics industry.
Doey6: I agree, most (myself included) have their own forensics toolkit gathered from tools that work and get the job done.
Randy: That's cool, I'll check it out. I have something similar; boot CDs are fine for post analysis, but when you want to dump the RAM etc. before shutting down a machine, USB is the way to go (well, it was floppy disks in the old days).
Well, again, I was probably not clear: he did not say "this is something we invest" but "these are things we invest". If you look at what we do for LE, this is a significant investment. There are tools which help LE to coordinate on Child Exploitation cases and so on - there is much, much more than I am willing to write down here in this box (but we can have a discussion on this if you wish - I am happy to invest some time and blog on it).
With regards to the tool: the basic target was and still is the LE officer doing a house search, not being a deep forensic specialist as you all seem to be. I agree that a forensic specialist being called to a hacking scene has his own tools. That is not the focus of this. But a police officer doing a house search: it is probably better to have an automated script rather than a checklist of what he has and can do.
It is interesting to me that a lot of people attack us for the quality of a tool we did for LE, and LE is very interested in using it...
Roger
I don't know if USB is the right way to go when dumping memory; running an application from USB will overwrite some memory. A better solution would be to use the firewire attack that has been discussed all over the net recently.
The use of a usb based toolkit suggests to me a degree of covertness is being employed. Usually, law enforcement is a very overt function when it comes to forensic imaging and capture.
Very cool CD/USB compilation.
Right now I use a combination of Ophcrack, Hiren's Boot CD and a couple of other tools to get into computers that have passwords that the owner has forgotten, etc.
Thanks for the post, nice to finally find a pack with everything someone could need for this kind of stuff.
Just noticed there aren’t any more number verification boxes to prevent spamming
Nice try MS,
but as many have mentioned before, we'll compile our own thumb drive of useful apps (tried and tested) instead of relying on you.
@Bogwitch, have a look at Tim Vidas' CanSecWest 2007 presentation
( cansecwest.com/slides07/csw07-vidas.pdf ) for some proof of concept stuff, and we had some volatile RAM blogging here as well.
As eM3rC says, Hiren's bootdisk or a carefully prepared WinPE CD will provide enough tools for a postmortem (or a forgotten pw); there are some pm distros out there as well.
Oh, this sounded like some cool, MS-made apps that worked with their OSes in some brand spankin' awesome way. Guess not.
Well, they just want you to think they're "cool".
A nice compilation of forensic stuff
http://www.geschonneck.com/security/forensics/
So much for "trust" in MS. They provide people with an operating system and then they provide LE tools to screw us over. If that was just a set of public domain tools, why is this tool not available on their website?
But on the other hand, until after they release SP1 for that "tool" it will probably be useless.
Hey Jerk! Screw whom over? As long as the "good" guys - assuming they all are (a big assumption) - are the ones that have it, so what? Are you a criminal? The only reason we have laws and cops is that human beings aren't by and large civilized (or particularly intelligent) creatures. If we were civilized, we would need neither laws nor cops.
There's a lot of ifs, ands and buts, but this stuff isn't anything new. Both the good guys and the bad guys have all this stuff already, so what's the big deal? This is all just stuff you can browse around and find. Microsoft isn't screwing anyone, and if this does help to curb some of the world's uncivilized inhabitants, I'm all for it.
A friend of mine's step son does covert work for the government (he's '009.5' or something), and the word I got is that the Feds have PGP and TrueCrypt, etc. hacked. They don't do it by brute force. They use smarts. "You have no privacy, get used to it," as some computer industry guy once said. If you need the kind of privacy that requires that level of security, you should rethink your life. Become civilized.
Well, I do not know whether I am a criminal or not (I'd like to think I am the good guy), but in a situation where everyone is looking for terrorists, having (or reading) the wrong stuff at the wrong time on your PC may result in one being thrown in a prison (or, like in the big wise democracy: Guantanamo).
So... yes, I am worried that MS provides tools to LE guys (it's like the guy that replaced your front door lock giving a key to your local LE guy - would you like that?).
Have you seen that stuff they provide? Have you got anything more than just gossip?