{"id":849,"date":"2008-05-09T08:34:19","date_gmt":"2008-05-09T08:34:19","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=849"},"modified":"2015-09-09T19:39:28","modified_gmt":"2015-09-09T11:39:28","slug":"want-some-cofee-microsoft-computer-online-forensic-evidence-extractor","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2008\/05\/want-some-cofee-microsoft-computer-online-forensic-evidence-extractor\/","title":{"rendered":"Want Some COFEE? Microsoft Computer Online Forensic Evidence Extractor"},"content":{"rendered":"
Microsoft helping the good guys eh? I had someone ask me if I can get a hold of this so I did some checking up on..<\/p>\n
I’d guess MS is doing this to sell additional software and services, but either way it’s a good thing to make a portable, easy to use and effective forensics toolkit.<\/p>\n
Would it be better than your average security or forensics LiveCD<\/a>? I wouldn’t know unless I can indeed get one of these COFEE sticks.<\/p>\n Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that may have been used in crimes.<\/p>\n The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.<\/p>\n The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.<\/p><\/blockquote>\n I’m guessing it’s the common suspects, mostly open source tools bundled together with a nice interface or some batch scripts.<\/p>\n ‘Internet History’ – I bet it only works if they use Internet Explorer (history.dat anyone?<\/em>) and not Firefox with caching turned off.<\/p>\n