It is being reported that COFEE, Microsoft’s forensic tool used in the fight against crime, has been leaked and uploaded to a BitTorrent tracker. The tracker in question (what.cd) has subsequently removed the offending torrent, probably with visions of dawn raids and court cases; however, I thought it would be interesting to take a look at the tool’s PR and what it (allegedly) offers. Before we go any further, it’s worth noting that the action taken by what.cd has not managed to preserve the “secrecy” of this Microsoft product. COFEE is already available from thousands of sources online.
Firstly, because it’s Microsoft you can expect the usual blurb. Microsoft doesn’t disappoint here with:
If it’s vital to government, it’s mission critical to Microsoft.
Which begs the question: what happened, then, when various armed forces’ computer systems allegedly fell victim to a Windows-based exploit? Doesn’t sound very mission critical to me.
Back to COFEE though. COFEE (Computer Online Forensic Evidence Extractor) is in essence a software and USB solution which enables a live system to be “snapshotted” in situ. Exactly how this code operates is anyone’s guess, since it’s only provided to law enforcement and not to the general populace. Would this software/hardware work on a rig running Linux? I would highly doubt it, and I assume it is developed to “handshake” with a Windows-based system in some way.
An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.
…And COFEE is being provided—at no charge—to law enforcement around the world.
So Microsoft gives COFEE away free to law enforcement, does it? Let’s remind ourselves of what Bill Gates had to say about “free” some time ago:
They’ll get sort of addicted, and then we’ll somehow figure out how to collect sometime in the next decade
Maybe a warning there for law enforcement? “Beware of a Redmond employee bearing gifts.”
From reports by users who have looked at this Microsoft GUI, it’s allegedly only a set of data collection tools that can be found on the net anyway, and there is nothing “secret” or “cutting edge” to be found in Microsoft’s freebie.
There are other issues I have with this Microsoft freebie, and they are in respect of evidential value. In my opinion an in situ dump of a live system will only have real evidential worth in court if it’s backed up with the original system. I would doubt very much that a court would accept a “snapshot” on a USB stick on its own without calling into question the integrity of the data collected on it.
Are we really to believe that some IT-inept officer brandishing COFEE should be allowed to tamper with a live system of possible evidential worth, even if she/he has had “a 10 minute training course”? I would expect any law enforcement agency to call in its own experts if it encountered a situation where a live examination/retrieval was essential.
I’ve often said I have great reservations when the private and public sectors mix (in respect of law enforcement). You have to look no further than FACT, which I believe is funded by the very companies it seeks to protect. No problem in itself, but when (IMO) FACT has the ear of law enforcement, you could be forgiven for being a little dubious as to the motives behind the “advice” they give to the aforementioned agency.
Although it’s a little extreme, when law enforcement and corporations mix, people will always wonder “what goes on behind the scenes”, and theories of calls such as “Hi, is that the LAPD? It’s Ballmer here, we have a little trouble at Redmond, can you help us out? Remember we did give you that USB stick all those years ago…” will always crop up. It seems strange to me that Microsoft is so keen to help fight crime when, in Bill Gates’ own words (as partly quoted earlier on):
As long as they are going to steal it, we want them to steal ours.
You can read the full article here: http://www.cybersource.com.au/press/gates_set_to_addict_next_billion.html
There is a viewpoint from Torrentfreak.com which can be read here.
Allegedly, since I’ve never seen Microsoft credited for any successes, and it’s not clear which law enforcement agencies, if any, actually use it.
And it’s all academic really, since someone booting a LiveCD and USB stick combo would be immune to COFEE (IMO).
Goblin – firstname.lastname@example.org