  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
MS forensics tool for law enforcement leaked online via P2P
Dark Reading | Nov 09, 2009
A forensics tool built by Microsoft exclusively for law enforcement officials worldwide was posted to a file-sharing site, leaving the USB-based tool at risk of falling into the wrong hands.
COFEE is a free, USB-based set of tools, which Microsoft offers only to law enforcement, that plugs into a computer to gather evidence during an investigation. It lets an officer with little or no computer know-how use digital forensics tools to gather volatile evidence.
COFEE was posted, and then later removed, from at least one file-sharing site, but security experts say the cat is now out of the bag. While many forensics tools with functionality similar to Microsoft's Computer Online Forensic Evidence Extractor (COFEE) are available, security experts still worry the bad guys will use their access to the tool to figure out ways to circumvent it.
Chris Wysopal, CTO at Veracode, says the danger is that a detection tool will be written for COFEE so that the bad guys can cover their tracks. "Someone will build a detector so that machines will wipe themselves or give rootkit-like fake answers if this USB is inserted into a computer," Wysopal says.
One researcher who got a copy of COFEE online says bad guys could abuse the tool by taking one of its DLLs and loading it into a compromised machine's memory, where it then dumps stored clear-text passwords to a file.
Graham Cluley, senior technology consultant with Sophos, says while there are plenty of tools that perform similar tasks to COFEE, it's not very likely to be abused for nefarious purposes. But, "that can't be ruled out," he says.
Cluley is more concerned about criminals learning the inner workings of COFEE. The real danger is if they can "determine if it is being run on one of their PCs and take precautionary steps to prevent the computer crime community from finding out what they've been up to," he says.
»www.darkreading.com/security/vul···21600872 -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Official Jetico Inc. Support Forums »www.smokey-services.eu/
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
FWIW: I checked the availability of COFEE on file-sharing sites; within 10 seconds I traced and downloaded the tool. (And don't ask me for the tool, I trashed it right away after downloading it.)
  jaykaykay 4 Ever Young Premium,MVM join:2000-04-13 Scottsdale, AZ
reply to Smokey Bear: All I can say is more's the pity. Nothing is sacred any more, and for an oldie such as myself that leaves me wondering what our children etc. will have to contend with. "The real danger is if they can, criminals learning the inner workings of COFEE can determine if it is being run on one of the PCs of those in law enforcement and take precautionary steps to prevent the computer crime community from finding out what they've been up to," is really bothersome, even if one doesn't know anyone personally in law enforcement. Who's chasing whom? -- JKK
Age is a very high price to pay for my maturity. If I can't stay young, I can at least stay immature!
»www.pbase.com/jaykaykay
boognish Premium join:2001-09-26 Baton Rouge, LA
reply to Smokey Bear: At first glance it doesn't seem to do anything that something like USB Switchblade wouldn't do. -- don't get 2 close 2 my fantasy
siljaline mind that delimiter Premium join:2002-10-12 Montreal, QC
reply to Smokey Bear: Pirates get a taste of Microsoft COFEE
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
reply to Smokey Bear: quote: On November 6, 2009, copies of Microsoft COFEE were leaked onto various BitTorrent websites. Analysis of the tool post-leak indicates that it is largely a wrapper around other utilities previously available to investigators.
»en.wikipedia.org/wiki/Computer_O···xtractor
surprise, not.
Blake
edit - A link on Microsoft's site »www.microsoft.com/industry/gover···ult.aspx
 SUMware Premium join:2002-05-21
Interesting, also from your link: quote: Similar functionality can also be attained by using specialized Linux distributions like: BackTrack, Knoppix STD, PHLAK and nUbuntu. But, unlike COFEE, they also support gathering forensic data from non-Windows operating systems.
So Microsoft is helping the Feds investigate suspects who run Windows, to the exclusion of all others.
...and from siljaline's link: quote: The forensics tool is approximately 15MB in size and works best with Windows XP. Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7.
Lucky MS users! Don't ya love irony?
  UnderHood
@anonymouse.org
reply to siljaline: A review is out: »praetorianprefect.com/archives/2···thought/
Just a Sysinternals.com bundle...
  Link Logger Premium,MVM join:2001-03-29 Calgary, AB
reply to SUMware
said by SUMware: So Microsoft is helping the Feds investigate suspects who run Windows, to the exclusion of all others.
You expect otherwise? Why would you expect Microsoft to assist the Feds in investigating other OSes? I know I get all my OSX forensics tools from Microsoft.
Blake -- Vendor: Author of Link Logger which is a traffic analysis and firewall logging tool
 shrine
join:2009-08-28
reply to jaykaykay
said by jaykaykay: All I can say is more's the pity. Nothing is sacred any more, and for an oldie such as myself that leaves me wondering what our children etc. will have to contend with. "The real danger is if they can, criminals learning the inner workings of COFEE can determine if it is being run on one of the PCs of those in law enforcement and take precautionary steps to prevent the computer crime community from finding out what they've been up to," is really bothersome, even if one doesn't know anyone personally in law enforcement. Who's chasing whom?
Oh lord, the knee-jerking that goes on here. So what? A tool got released publicly. If the tool's use can be nullified by public knowledge of it, then it wasn't a very useful tool to begin with. This is the same tripe argument that bomb-making manuals should be censored, or that any information should be controlled.
I think the mentality arises from the backwards and counter intuitive "information control" that the US government practices. They're still trying to sell us this idea, and people still buy it. That's why events like 9/11 went un-responded to: strict control over which parts of which body get information.
It's nonsense - I can't believe people are still saying this.
xxTRAGEDYxx join:2008-03-14 Kannapolis, NC
It doesn't have anything to do with "knowledge" of the software, it has to do with "access" to the software. There's a big difference, my friend....
  Agent Smith
join:2008-07-07 New York
reply to Smokey Bear: I don't get it. I download it, and what? lol ..Oo I'm so scared..
 OZO Premium join:2003-01-17
Congratulations! You've just successfully installed a rootkit into your computer that will send its reports directly to ... -- Keep it simple, it'll become complex by itself...
 The Snowman Premium join:2007-05-20
reply to Smokey Bear: Re: MS forensics tool for law enforcement leaked online via P2P
There are so many better forensic tools than COFEE. If I understand correctly, COFEE is mainly meant for users with little or no computer experience? And if anything, its use may actually be harmful to a prosecutor's case if the user is not an expert... an actual expert could dispute the evidence... perhaps as being tainted...
The fact that COFEE was placed on P2P... well, it seems like everything is these days. Sure, there was a breach somewhere, but by who, when and where most likely will never be known. As for falling into the wrong hands... not sure that's even possible... the operating system is what it is... what tools are used for forensics does not change it... and there will always be forensic tools.
nonymous join:2003-09-08 Glendale, AZ
reply to Smokey Bear: Maybe it was by accident. Someone tried out the new-fangled software on a suspect computer. The suspect computer was so infested with viruses and such that it hacked the USB and put it straight on P2P.
caffeinator Coming soon to a cup near you.. Premium join:2005-01-16 Spokane, WA
reply to Smokey Bear: Well, I like coffee...
I'd rather have a copy of EnCase, personally...
DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ
reply to Smokey Bear: It's no surprise that it already leaked out. It was only a matter of time.
  Smokey Bear veritas odium parit Premium join:2008-03-15 Annie's Pub
reply to Smokey Bear: Source: Technet Blogs
said by Roger:
You definitely have heard of COFEE (Computer Online Forensic Evidence Extractor) which we make freely available to Law Enforcement through Interpol and NW3C. Now, the probably unavoidable happened and the tool leaked to the Internet. There was actually an interesting statement by ArsTechnica yesterday: Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer.
To make our point clear, let me quote Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation:
We have confirmed that unauthorized and modified versions of Microsoft's COFEE tool have been improperly posted to BitTorrent networks for public download. We strongly recommend against downloading any technology purporting to be COFEE outside of authorized channels, both because any unauthorized technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for the law enforcement purposes for which the tool was designed.
Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to build around to be a significant concern. COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field.
In cooperation with our partners, we will continue to work to mitigate unauthorized distribution of our technology beyond the means for which it's been legally provided and, again, would strongly discourage people from downloading unauthorized versions of the tool. As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at www.nw3c.org or INTERPOL at cofee [at] interpol.int.
So, to be clear: It is not only illegal but it is modified as well. Do you really want to install that? Signed:
Roger - Chief Security Advisor of Microsoft EMEA
»blogs.technet.com/rhalbheer/arch···net.aspx -- Smokey's Security Forums »www.smokey-services.eu/forums/ Smokey's Security Weblog »smokeys.wordpress.com/ Official Jetico Inc. Support Forums »www.smokey-services.eu/
  EGeezer Summertime - Premium join:2002-08-04 Country!
reply to caffeinator
said by caffeinator: Well, I like coffee... I'd rather have a copy of EnCase, personally...
And I'd love to be trained and EnCEP certified! $^$
-- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis