Darknet – Hacking Tools, Hacker News & Cyber Security


Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor

May 9, 2008


Microsoft helping the good guys, eh? I had someone ask me if I could get hold of this, so I did some checking up on it.

I’d guess MS is doing this to sell additional software and services, but either way it’s a good thing to make a portable, easy to use and effective forensics toolkit.

Would it be better than your average security or forensics LiveCD? I wouldn’t know unless I can indeed get one of these COFEE sticks.

Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.

‘Internet History’ – I bet it only works if they use Internet Explorer (history.dat anyone?) and not Firefox with caching turned off.

Passwords? Some rainbow cracking brute forcer and a few of the smaller rainbow tables would suffice.

But then with USB pen drives going up to 8-16 GB nowadays, you could fit almost a full set of rainbow tables for common characters.

Brad Smith, Microsoft’s general counsel, described COFEE in an interview.

“It’s basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you’re a law enforcement official and let’s say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that’s encrypted, and you’ve got that information off in order to have a successful investigation and prosecution.

“In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They’d have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information.”

An MS rep has confirmed that the kit is a compilation of publicly available forensics tools and that it does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret ‘backdoors’ or other undocumented means.

So who’s gonna send me one?

Source: The Seattle Times
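To make concrete what a toolkit like this actually is (an ordered list of commands run from a stick, with a record of what was collected), here is an added example in Python that is not COFEE’s code or anything Microsoft published; the commands in DEMO_STEPS are constructed placeholders standing in for whichever volatile-data tools the examiner trusts.

```python
"""Minimal ordered triage collector with a tamper-evident manifest.

Added example (not COFEE or any Microsoft code). Each step runs one command,
stores its stdout as an artifact file and records a SHA-256 digest, so the
examiner has an automated script rather than a checklist, and can later show
that nothing collected was altered afterwards.
"""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_step(name, argv, outdir, timeout=60):
    """Run one collection command and return its manifest entry.

    A missing tool or a hang is recorded (exit_status -1, empty artifact)
    instead of aborting the whole collection, since later steps still matter.
    """
    started = time.time()
    artifact = Path(outdir) / f"{name}.txt"
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        data, status = proc.stdout, proc.returncode
        err = proc.stderr.decode(errors="replace")
    except (OSError, subprocess.TimeoutExpired) as exc:
        data, status, err = b"", -1, str(exc)
    artifact.write_bytes(data)
    return {
        "name": name, "argv": argv, "started": started,
        "elapsed_s": round(time.time() - started, 3), "exit_status": status,
        "stderr": err, "artifact": artifact.name, "bytes": len(data),
        "sha256": sha256_bytes(data),
    }


def collect(steps, outdir):
    """steps: ordered list of (name, argv), most volatile first. Returns manifest."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = [run_step(name, argv, outdir) for name, argv in steps]
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """Re-hash every artifact; return the names whose content no longer matches."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [e["name"] for e in manifest
            if sha256_bytes((outdir / e["artifact"]).read_bytes()) != e["sha256"]]


# Constructed, portable stand-ins for real volatile-data tools (assumed names).
DEMO_STEPS = [
    ("memory_summary", [sys.executable, "-c", "print('ram snapshot placeholder')"]),
    ("net_connections", [sys.executable, "-c", "print('netstat placeholder')"]),
    ("logged_on_users", [sys.executable, "-c", "print('users placeholder')"]),
]

if __name__ == "__main__":
    for entry in collect(DEMO_STEPS, "triage_out"):
        print(entry["name"], entry["exit_status"], entry["sha256"][:16])
    print("altered since collection:", verify("triage_out"))
```

Running it writes one artifact per step plus manifest.json; re-running verify after any artifact is edited names the altered file, which is the check an examiner wants before relying on collected output.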


Filed Under: Forensics, Windows Hacking Tagged With: computer-forensics, Forensics, Password Cracking, windows forensics




Comments

  1. Roger Halbheer says

    May 9, 2008 at 8:48 am

    Hi,
    I do not get your first point: “I

  2. Jinesh says

    May 9, 2008 at 9:10 am

    I think this is one more way for MS to get rid of piracy. They will also equip their vigilance department with this tool to find pirated copies of MS operating systems, but who cares!!!!!!!!!

  3. gul says

    May 9, 2008 at 9:31 am

    I’m curious about it too.

    What exactly is in that thumb drive? And what does “internet history” really mean, just the browser’s (IE, sic) data or some other stuff, like… chat, mails, and the like?

  4. Darknet says

    May 9, 2008 at 10:25 am

    Roger: Perhaps we got the idea from Microsoft General Counsel Brad Smith who acknowledged Microsoft’s efforts are not purely altruistic. It benefits from selling collaboration software and other technology to law-enforcement agencies, just like everybody else, he said. RTFA.

    gul: No one really knows…apart from MS and the people who have a copy of the software.

  5. Erik says

    May 9, 2008 at 10:44 am

    So what does “analyze a computer

  6. navin says

    May 9, 2008 at 10:57 am

    Ya even I wanna know the same thing as Erik and gul

    What will this “suite” comprise of??

  7. Roger Halbheer says

    May 9, 2008 at 11:19 am

    Well, I think Brad was pretty clear in the interview you cite:
    “These are things that we invest substantial resources in, but not from the perspective of selling to make money,” Smith said in an interview. “We’re doing this to help ensure that the Internet stays safe.”
    We are doing a lot of things with Law Enforcement – mainly around training them how to do forensics. This becomes especially important in areas like Africa or other developing countries.
    Roger

  8. Doey6 says

    May 9, 2008 at 2:24 pm

    I’ve talked to a couple of people who have used the tool. It was just in passing, and the conversation didn’t get in depth at all, however the gist of the conversation was that the tool was crap. Well, maybe crap is an exaggeration. But, for anyone who really is involved in forensics, making your own thumb drive is the way to go. It’s all about using the tools you’re familiar with and trust. I’m not entirely sure, however, I do think that the tool did have some Microsoft programs on there. But, some of the tools, or implementations of the tools might work on only certain OS’s. (XP but not Vista). Not sure which tools though. Could be something like dd being used for dumping physical memory. As far as I know it’ll work on XP but not on Vista (at least my most recent Helix disc didn’t do it on Vista). But yeah, as for the COFEE tool, from what I’ve heard from people in the forensics field, it’s just like any other Microsoft product. Good for Microsoft on making an effort and putting out a product like this, but it’s a bad implementation and most people can do a better job on their own. IMO

  9. Randy says

    May 9, 2008 at 2:31 pm

    Although it’s a couple of years old, this sourceforge project is probably a similar tool. This tool can be modified to include other portable apps and can easily be run off a USB with most modules working flawlessly. I do not know what happened to the development of this tool but it would be cool if someone continued it. Rpier – Intel(R) Regimented Potential Incident Examination Report (RPIER) is a 1st handlers tool used to obtain volatile information from Windows OS computer systems.

    http://sourceforge.net/projects/rpier

  10. Fever says

    May 9, 2008 at 5:26 pm

    I’ll just take two thanks. One for me and the other for … me.

  11. Darknet says

    May 9, 2008 at 6:59 pm

    Roger: That’s somewhat laughable as ONE person made this toolkit and it’s made from freely available (probably open source) tools. I don’t see this being a huge R&D product or MS developed software being released to the community. I’d prefer to get my forensics training from Encase, last time I looked MS wasn’t a pioneer in the forensics industry.

    Doey6: I agree most (myself included) have their own forensics toolkit gathered from tools that work and get the job done.

    Randy: That’s cool, I’ll check it out. I have something similar, boot CDs are fine for post analysis but when you want to dump the RAM etc before shutting down a machine USB is the way to go (well it was floppy disks in the old days).

  12. Roger Halbheer says

    May 9, 2008 at 7:13 pm

    Well, again, I was probably not clear: He did not say “this is something we invest” but “these are things we invest”. If you look at what we do for LE, this is a significant investment. There are tools which help LE to coordinate on Child Exploitation cases and so on – there is much, much more than I am willing to write down here in this box (but we can have a discussion on this if you wish – I am happy to invest some time and blog on it).
    With regards to the tool: the basic target was and still is the LE officer doing a house search, not being a deep forensic specialist as you all seem to be. I agree that a forensic specialist being called to a hacking scene has his own tools. This is not the focus of that. But a police officer doing a house search: it is probably better to have an automated script rather than a checklist of what he has and can do.
    It is interesting to me that a lot of people attack us for the quality of a tool we did for LE and LE is very interested in using it……
    Roger

  13. Bogwitch says

    May 9, 2008 at 8:44 pm

    I don’t know if USB is the right way to go when dumping memory; running an application from USB will overwrite some memory. A better solution would be to use the firewire attack that has been discussed all over the net recently.
    The use of a USB based toolkit suggests to me a degree of covertness is being employed. Usually, law enforcement is a very overt function when it comes to forensic imaging and capture.

  14. eM3rC says

    May 9, 2008 at 11:48 pm

    Very cool CD/USB compilation.

    Right now I use a combination of Ophcrack, Hirens Boot CD and a couple other tools to get into computers that have passwords that the owner has forgotten, etc.

    Thanks for the post, nice to finally find a pack with everything someone could need for this kind of stuff.

    Just noticed there aren’t any more number verification boxes to prevent spamming :)

  15. Pantagruel says

    May 10, 2008 at 6:56 am

    Nice try MS,
    but as many have mentioned before, we’ll compile our own thumb drive of useful apps (tried and tested) instead of relying on you.

    @Bogwitch, have a look at Tim Vidas CanSecWest 2007 presentation
    ( cansecwest.com/slides07/csw07-vidas.pdf ) for some proof of concept stuff and we had some volatile RAM blogging here as well.

    As eM3rC says, Hiren’s bootdisk or a carefully prepared WinPE CD will provide enough tools for a postmortem (or a forgotten pw); there are some pm distros out there as well.

  16. macdaddy says

    May 10, 2008 at 10:23 am

    Oh, this sounded like some cool, MS made apps that worked with their OSes in some brand spankin’ awesome way. Guess not.

    Well they just want you to think they’re “cool”

  17. Pantagruel says

    May 10, 2008 at 1:09 pm

    A nice compilation of forensic stuff

    http://www.geschonneck.com/security/forensics/

  18. Jerk says

    May 11, 2008 at 7:58 am

    So much for “trust” in MS. They provide people with an operating system and then they provide LE tools to screw us over. If that was just a set of public domain tools, why is this tool not available on their website?
    But on the other hand, until they release SP1 for that “tool” it will probably be useless :)

  19. Dadwhiskers says

    May 11, 2008 at 8:55 am

    Hey Jerk! Screw whom over? As long as the “good” guys – assuming they all are (a big assumption) – are the ones that have it, so what? Are you a criminal? The only reason we have laws and cops is that human beings aren’t by and large civilized (or particularly intelligent) creatures. If we were civilized, we would need neither laws nor cops.

    There’s a lot of ifs, ands and buts, but this stuff isn’t anything new. Both the good guys and the bad guys have all this stuff already, so what’s the big deal? This is all just stuff you can browse around and find. Microsoft isn’t screwing anyone, and if this does help to curb some of the world’s uncivilized inhabitants, I’m all for it.

    A friend of mine’s step son does covert work for the government (he’s ‘009.5’ or something), and the word I got is that the Feds have PGP and TrueCrypt, etc hacked. They don’t do it by brute force. They use smarts. ‘You have no privacy, get used to it ” as some computer industry guy once said. If you need the kind of privacy that requires that level of security, you should rethink your life. Become civilized.

  20. Jerk says

    May 11, 2008 at 10:24 am

    Well I do not know if I am a criminal or not (I’d like to think I am the good guy) but in a situation where everyone is looking for terrorists, having (or reading) the wrong stuff at the wrong time on your PC may result in one being thrown in a prison (or, like in the big wise democracy: Guantanamo).
    So… yes I am worried that MS provides tools to LE guys (it’s like the guy that replaced your front door lock giving a key to your local LE guy – would you like that?)
    Have you seen that stuff they provide, have you got anything more than just gossip?

  21. Darknet says

    May 12, 2008 at 8:42 am

    Roger: No one is attacking, simply questioning. That’s why it pays to avoid being defensive and to be well informed. Would be interested to see more info on your blog.

    Bogwitch: Agree, Firewire is a better solution than USB due to the way it can directly address memory…still many older and cheaper machines don’t have Firewire ports. Personally I do live assessments with a CD as I find read only media the safest

    eM3rC: Yah we removed the maths thingy and put some other protection in place that doesn’t require user action (combination of JavaScript and Cookies).

  22. Changlinn says

    May 13, 2008 at 1:50 am

    Surely someone could get BackTrack or nUbuntu onto a USB thumbdrive that would be much better than this drive; they both have thousands of tools, and a full OS to back them up with major TCP/IP access without the hack that is the NT TCP/IP stack.
    PS fix the site so that I can browse it using NoScript; it took me several attempts to post this, all greeted with “please enable cookies and javascript”; you guys are allowed in NoScript, so I have no idea why it didn’t work on my laptop.

  23. eM3rC says

    May 13, 2008 at 4:19 am

    Couple of quick points here.

    @Darknet
    Thanks for doing that! It was always a pain reentering posts because of that anti-spam feature.

    As for the security issue, I stumbled upon a very interesting 2600 article in their most recent issue. Using a copy of Knoppix (the live CD) and a removable hard drive/USB key one can gain access to any computer as long as the BIOS is configured correctly. Basically all you have to do is run the live OS, access the Windows hard drive through Knoppix and simply copy and paste the files onto the removable hard drive. No passwords required. The only requirement is that the removable hard drive is formatted in FAT32.

    Hope this helps some people out.

    eM3rC out.

  24. eM3rC says

    May 13, 2008 at 4:22 am

    Just thought I’d recommend a good program for those of you on a computer that you can log into and can run .msi/.exe programs.

    It’s called SIW.

    This program will basically tell you about every aspect of the computer including saved passwords, registry keys used for all the software, WEP/WPA keys, hardware, etc etc. You get where I’m going with this.

  25. Mik3NL says

    May 13, 2008 at 2:39 pm

    ;)

    Does the term “U3 Switchblade” ring a bell to anyone here?

    Needed:
    ———
    * U3 USB key
    * Universal Customizer (for modding the U3 bootdisk)
    * VNC/keyloggers/PWDump/nirsoft.net etc! (You get the picture!)
    * some batch scripting power
    * Windows machines with autorun enabled! ;)
    * Imagination!

    No need for RT’s or anything..

  26. Roger Halbheer says

    May 14, 2008 at 2:07 pm

    Sorry, that I did not come back earlier. I had some days off and was on the road. You said that you want more info on my blog. I am not sure whether I cover all your needs (no, there is no list with all the commands) but there you go: http://blogs.technet.com/rhalbheer/archive/2008/05/14/support-for-law-enforcement-and-cofee.aspx
    Roger

  27. Pantagruel says

    May 14, 2008 at 6:30 pm

    @ Roger Halbheer

    Thanks for the added info, but I guess we are really more interested in what you put on the stick.

  28. Robert Allen says

    May 15, 2008 at 7:24 pm

    Don’t forget about Helix… http://www.e-fense.com/helix.

  29. Howard says

    May 17, 2008 at 8:45 pm

    Let me ask the silly question… Would this be a good tool for the beginner? Because reading all of the comments it might have goods and bads… How did you learn? I fell on my butt sometimes before succeeding and I think most of us have. I am not an expert but a newbie that is still filtering and is looking for good training and, if the case be, falling software. I am reluctant to say good or bad but is it something we can learn from so we don’t make up tools that are not the best in the land.

    You know if I continue to listen to all here I will learn faster than any program; no one holds back. Excellent setup Darknet, thanks

  30. davenix says

    May 20, 2008 at 11:48 pm

    I am guessing 3/4 of you are total fanboy, script kiddy douchenozzles…and the other 1/4 are IT managers who know nothing.

  31. Howard says

    May 21, 2008 at 4:23 am

    Mr davenix……..Please explain

  32. lyz says

    August 13, 2008 at 11:32 am

    Helix.. Yah. I heard about that great tool too. Added tools you can use in forensics, the FTK imager, Mediawiper, and Firefly write blocker.

  33. Morgan Storey says

    August 16, 2008 at 9:40 am

    Hmm helix looks good akin to Knoppix STD (There was a good distro, shame it hasn’t been updated much), I’ll have to give it a go. I remember I posted on this ages ago with my Changlinn moniker, I changed to my real name as there is no point, I am the only one that uses Changlinn so it is easy enough to trace back to me.
    I saw some of these windows tools, they are horribly crippled compared to their OSS counterparts. Netmon, pahlease give me wireshark and libpcap capable routers anyday.
