COFEE on Torrent! & Mixing Private/Public Sector

Armed with Microsoft's USB stick and COFEE even these two will be able to collect evidence from a live system....The courts will love that one.

It is being reported that COFEE, Microsoft’s forensic tool used in the fight against crime [1], has been leaked and uploaded to a BitTorrent tracker.  The tracker in question (what.cd) has subsequently removed the offending torrent, probably with visions of dawn raids and court cases; however, I thought it would be interesting to take a look at the tool’s PR and what it (allegedly) offers.  Before we go any further though, it’s worth noting that the actions taken by what.cd have not managed to preserve the “secrecy” of this Microsoft product.  COFEE is available from thousands of sources online already.

Firstly, because it’s Microsoft, you can expect the usual blurb.  Microsoft doesn’t disappoint here with:

If it’s vital to government, it’s mission critical to Microsoft.

Which begs the question: what happened, then, when various armed forces’ computer systems allegedly fell victim to a Windows-based exploit?  Doesn’t sound very mission critical to me.

Back to COFEE though: Computer Online Forensic Evidence Extractor is in essence a software and USB solution which enables a live system to be “snapshotted” in situ.  Exactly how this code operates is anyone’s guess, since it’s only provided to law enforcement and not to the general populace.  Would this software/hardware work on a rig with Linux?  I would highly doubt it, and I assume it is developed to “handshake” with a Windows-based system in some way.

An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.

…And COFEE is being provided—at no charge—to law enforcement around the world.

So Microsoft gives COFEE away free to law enforcement, does it?  Let’s remind ourselves of what Bill Gates had to say about “free” some time ago:

They’ll get sort of addicted, and then we’ll somehow figure out how to collect sometime in the next decade

Here you go....a USB stick for every copper! Become an IT expert in 10 minutes! Question is, why should law enforcement use what you can already get (legally) for free and why should the "mighty" Microsoft be giving it away to law enforcement?

Maybe a warning there for Law Enforcement?  “Beware of a Redmond employee bearing gifts”

From reports of users who have looked at this Microsoft GUI, it’s allegedly only a set of data collection tools that can be found on the net anyway, and there is nothing “secret” or “cutting edge” to be found in Microsoft’s freebie.

There are other issues I have with this Microsoft freebie, and they are in respect of evidential value.  In my opinion an in situ dump of a live system will only have real evidential worth in a court if it’s backed up with the original system.  I would doubt very much if a court would accept a “snapshot” on a USB stick on its own without calling into question the integrity of the data collected on it. [2]
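
The integrity question raised above (can a snapshot on a USB stick be trusted once it has left the scene?) is, in practice, met by hashing every collected artifact at collection time and sealing those hashes in a manifest whose own hash goes into the contemporaneous notes. The following is an added example in Python, not code from the original post and not how COFEE itself works; the `/proc`-based collector is Linux-only and the manifest layout, the collector label and the sample artifacts are all my own constructions.

```python
import hashlib
import json
import os
import platform
import time

# Constructed sample artifacts standing in for what a live-response collector
# would write to the evidence medium (process list, kernel TCP socket table).
SAMPLE_ARTIFACTS = {
    "processes.txt": b"1 init\n412 sshd\n987 firefox\n",
    "net_tcp.txt": b"0: 0100007F:0016 00000000:0000 0A\n",
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string, hex encoded."""
    return hashlib.sha256(data).hexdigest()


def collect_volatile_linux() -> dict:
    """Snapshot two pieces of live state from /proc (Linux only): the process
    list and the kernel TCP socket table. Both exist only while the system is
    up, which is the 'live' data a tool like COFEE targets and a reboot loses.
    Returns an empty dict on hosts without /proc."""
    if not os.path.isdir("/proc"):
        return {}
    procs = []
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as fh:
                procs.append(f"{pid} {fh.read().strip()}")
        except OSError:
            continue  # process exited between listing and reading
    try:
        with open("/proc/net/tcp", encoding="utf-8", errors="replace") as fh:
            tcp = fh.read()
    except OSError:
        tcp = ""
    return {
        "processes.txt": "\n".join(procs).encode("utf-8"),
        "net_tcp.txt": tcp.encode("utf-8"),
    }


def build_manifest(artifacts: dict, collector: str) -> dict:
    """Record size and SHA-256 of every artifact at collection time, plus who
    collected it, on which host and when (assumed manifest layout)."""
    return {
        "collector": collector,
        "host": platform.node(),
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "artifacts": {
            name: {"size": len(data), "sha256": sha256_hex(data)}
            for name, data in sorted(artifacts.items())
        },
    }


def manifest_digest(manifest: dict) -> str:
    """One hash over the canonical JSON of the manifest; this is the value to
    write in the contemporaneous notes so the manifest itself cannot be
    rewritten later without the change being detectable."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_artifacts(manifest: dict, artifacts: dict) -> list:
    """Return the names of artifacts that are missing, unexpected, or whose
    size or hash no longer matches the manifest. An empty list means intact."""
    bad = []
    expected = manifest["artifacts"]
    for name, entry in expected.items():
        data = artifacts.get(name)
        if data is None or len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            bad.append(name)
    for name in artifacts:
        if name not in expected:
            bad.append(name)  # something was added after sealing
    return sorted(bad)


if __name__ == "__main__":
    # Use real /proc data on Linux, the constructed sample elsewhere.
    live = collect_volatile_linux() or SAMPLE_ARTIFACTS
    manifest = build_manifest(live, collector="officer 1234 (constructed label)")
    print(json.dumps(manifest, indent=2))
    print("manifest sha256:", manifest_digest(manifest))
    print("verify:", verify_artifacts(manifest, live))
```

The point for the courtroom argument in the post is that the manifest digest, written down by hand at the scene, ties the USB stick’s contents to a specific moment and collector; a later change to any artifact, or to the manifest, shows up in `verify_artifacts` or in a mismatched digest. It does not, of course, prove the collection was done competently, which is the separate objection the post goes on to make.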

Are we really to believe that some IT-inept officer brandishing COFEE should be allowed to tamper with a live system of possible evidential worth, even if she/he has had “a 10 minute training course”?   I would expect any law enforcement agency to call in its own experts if it encountered a situation where a live exam/retrieval was essential.

I’ve often said I have great reservations when the private and public sectors mix (in respect of law enforcement).  You have to look no further than FACT, which I believe is funded by the very companies it seeks to protect.  No problem in itself, but when (IMO) FACT has the ear of law enforcement, you could be forgiven for being a little dubious as to the motives of the “advice” they give to the aforementioned agency.

Although it’s a little extreme, when law enforcement and corporate mix, people will always wonder “what goes on behind the scenes”, and theories of calls such as “Hi, is that the LAPD?  It’s Ballmer here, we have a little trouble at Redmond, can you help us out? Remember we did give you that USB stick all those years ago…..” will always crop up.  It seems strange to me that Microsoft is so keen to help fight crime when, in Bill Gates’ own words (as partly quoted earlier on):

As long as they are going to steal it, we want them to steal ours.

You can read that full article here: http://www.cybersource.com.au/press/gates_set_to_addict_next_billion.html

There is a viewpoint from Torrentfreak.com which can be read here.

Notes

[1] Allegedly, since I’ve never seen Microsoft credited for any successes, and it’s not clear which (if any) law enforcement agencies actually use it.

[2] And it’s all academic really, since someone booting a LiveCD and USB stick combo would be immune to COFEE (IMO).

Goblin – bytes4free@googlemail.com

24 Comments

  1. Richard says:

    COFEE looks at a live system (active processes, open files, data in-memory). It is an adjunct to offline forensic investigation. A LiveCD and USB stick are no defense at all.

    It’s easy to stick in a USB stick and collect relevant data, even if you’re untrained. This is what Sekchek does.

    I’m sure it wouldn’t work on Linux, because Windows forensic software doesn’t work on Linux. Kind of like how Linux forensic tools don’t work on Windows.

    Once again, off you go talking about things you know nothing about. But I suppose it’s all “your opinion”, so why bother with research or educating yourself?

    1. steve says:

      um, backtrack works on windows you moron.

      1. Richard says:

        … and backtrack isn’t a tool for forensic investigation of a live system. In fact, by design, you need to REBOOT the system before backtrack loads, thus destroying the very information that COFEE extracts.

        “Moron”.

      2. openbytes says:

        Hi Steve,

        Richard is a regular here who often puts his foot in it by either not reading or understanding concepts properly. After reading his numerous attempts to fudge, I believe he is not here for debate; he is here to cheapen any opinion contrary to Microsoft…

        The basis for his attempts is anyone’s guess.

    2. openbytes says:

      Dear Richard,

      If you are the same Richard who visited before, you are about to crash and burn again purely because yet again you’ve failed to read and understand what was said.

      You say:
      “A LiveCD and USB stick are no defense at all.”

      That wasn’t the point. What I thought I had explained in simple enough terms was the fact that a user booting from a LiveCD with a removable medium such as a USB stick would be a barrier to COFEE (you even said it yourself it wouldn’t work on Linux), but forgetting that for a second, the point was, remove the USB stick holding the data and COFEE has nothing to snapshot. Simple.

      I’ll quote your end comment first Richard as that gave me the chuckle:

      “Once again, off you go talking about things you know nothing about. ”

      whilst also saying:
      “Kind of like how Linux forensic tools don’t work on Windows.”

      Research it Richard, I think you will find some of the best recovery tools for Windows are Linux based…in fact there are distros made specifically for that purpose.

      Quote “It’s easy to stick in a USB stick and collect relevant data, even if you’re untrained.”

      Never said it wasn’t; again you missed the point. Have you ever seen forensic evidence being cross examined in a court of law? Or a forensic professional? The point was that having your average Joe collecting the data is not something which would stand up well against a controlled independent forensic retrieval of data.

      The other point I was making is that a 10 minute training course cop would be open to all sorts of security measures the live system may have. For example, if the data is so valuable and the criminal so experienced, who’s to say that a USB detection might not trigger a TSR to trash the data on the HD?

      There are SOPs in place for data retrieval which I don’t believe are appropriate for me to discuss; however, it’s funny you mention

      “But I suppose it’s all “your opinion”, so why bother with research or educating yourself?”

      any system I haven’t used (COFEE) would be subject to a degree of assumption….that being said, when you check out the next article (as I’m sure you will) you will see there are a few clues as to where my area of experience and expertise is. Unfortunately for you the Computer Misuse Act (and as one Twitter user will see soon) the Communications Act of 2003 are just two…

      EDIT:

      Whilst we wait for the grand return of Richard (and because I’m loath to make another separate comment), maybe he could also consider returning with some examples of his comment “off you go talking about things you know nothing about. ” I challenged people before to quote me on anything untrue on this site. Since I (and presumably Richard) have opinions you can’t help but put them in your text.

      For the readers I would like you to notice the “generic” cheapening attempt where people seek to cheapen a view without being specific. It’s often used and never explained and will often be used when there is no counter.

      Maybe me and my views are all wrong? Maybe Vista was really great? Maybe Ballmer didn’t refer to GPL as a cancer, maybe someone was able to give a compelling reason for buying Windows 7 or what about maybe my experiences of Linux are wrong too? Maybe Linux isn’t better for me?…the list goes on and you get the idea. Again, I ask anyone to quote me where I have posted anything as fact which is untrue. I challenge anyone to quote me where I have printed something false…

      That offer is open to Richard just as it is anyone else. I look forward to seeing any such challenges. Why don’t I post about Apple and any issues? Simple: because although it’s my wife who loves their products, I have had no bad experiences/problems with the limited use of their products. For me the same cannot be said about Microsoft, and to be fair I am really trying to give Windows 7 a fair run. I won’t comment further until I’ve had a little more time with it.

      1. Richard says:

        Laughable. A forensic tool to snapshot a live system isn’t a recovery tool, so who cares that “some of the best recovery tools for Windows are Linux based”? Nobody.

        (Don’t feel bad that you’ve “printed something false”. It’s only because you don’t believe in things like research and education.)

        I guess that, in your world, removing the USB stick will magically make all of the running processes started from the LiveCD disappear, and all of the file handles will be gone, and the routing table will be flushed. In the real world, that’s not what happens. COFEE snapshots live data, NOT persistent data. Do you understand the difference? No? Well, don’t worry yourself about it. It’s only your ignorant opinion.

        Let’s see, what else is there to respond to? Personal attack, personal attack, random rambling about Apple and Microsoft, paranoia, more personal attack, allusion to Super-Secret-Knowledge of Forensic SOPs (hah! sure.) … no, nothing else worth replying to.

  2. openbytes says:

    Dear Richard.

    I see this is one of your timewasting diversions again with half truths and misquotes. I’ll break it down in simple pieces and hopefully you’ll be able to keep up.

    Quote “Laughable. A forensic tool to snapshot a live system isn’t a recovery tool, so who cares that “some of the best recovery tools for Windows are Linux based”? Nobody.”

    Er Richard…it’s that word again: RESEARCH. I think you will find the “recovery” part is exactly what is used in forensic retrieval….criminals do delete files you know.

    It’s funny: had you actually sat and considered it, maybe a Linux based system would be ideal to snapshot and recover data from a Windows based one, since it won’t be able to run natively any Win malcode that might be in place to prevent retrieval. Of course you didn’t consider that, and since you now realised that a LiveCD and USB machine would be immune to a Cofee interrogation you are feebly attempting to change the argument again. Bless.

    Quote “Don’t feel bad that you’ve “printed something false”.”

    Again, I say quote me…lol…you never do though. I would call you a liar but you are far too transparent to be convincing.

    Quote “I guess that, in your world, removing the USB stick will magically make all of the running processes started from the LiveCD disappear,”

    Richard, please keep up…You agreed yourself (and with me) that Cofee would not work with a Linux based system. Of course the running processes would not disappear, but like you say Cofee would not work on Linux. What on earth is your point?

    Quote “COFEE snapshots live data, NOT persistent data. Do you understand the difference?”

    Yes I do, which is why I’m confused by you firstly saying that Linux would not be able to be interrogated by Cofee and then suggesting it would…please make up your mind.

    Quote ” Personal attack, personal attack,”

    Please (again for about the 4th time) quote me.

    Paranoia? Where? Quote me.

    Quote “allusion to Super-Secret-Knowledge of Forensic SOPs”

    Liar. I have never said (and am certainly not) involved in the forensic retrieval of data, nor have I been. Since you spend time reading this blog, my stance has always been that my job is about as far removed from the IT world as you can get. That’s been quoted on COLA, it’s been mentioned in BN IRC and it’s something I’ve always said.

    Let’s look at Richard’s theory. Is he suggesting that the defense would not be able to rip apart electronic evidence collected by a 10 minute course average Joe cop? I would say even the most casual observer would agree.

    What I want to know now (as I wouldn’t believe Richard is in any way involved in law enforcement judging by his childish approach) is how does he know about Cofee?

    I personally refuse to download copyrighted material so I make my opinion based on the numerous reports of people who have claimed to. Richard, what are you basing your opinions of the software on?

    I don’t expect you will answer that as you have done what you usually do when you’ve tried to divert a topic you have horribly wrong, that being running away with your tail between your legs.

    Quote “nothing else worth replying to.”

    Yet you keep coming back, don’t you?

    Keep trying, maybe one day your silly remarks and attempts to divert conversation may work…

    In the meantime, I’ll ask again, please quote me on any of the allegations you made….I look forward to it.

    Kind regards
    Goblin.

  3. openbytes says:

    Since Richard talks about research (and obviously doesn’t do it himself), here are some of the tools which Richard suggests don’t exist. These are Linux packages/distros designed for forensic examination of (among other things) a Windows system:

    http://www.sleuthkit.org/sleuthkit/

    Since we already have the French Police migrated to FOSS, and this is but one example, we can but assume that contrary to Richard’s latest fantasy there are indeed good reasons why you would want to use a Linux system to interrogate a Windows one, and in addition Linux systems are a viable alternative for large organizations….

    That’s bound to get Richard’s blood boiling, since if you look back he likes to pop up when Mother Microsoft is challenged with competing products.

    Of course in the case of recovery it could be because you have damaged/deleted a file by mistake, but as I say above, recovery tools are also used to extract that which has been intentionally done so.

    Live and in situ data is wholly different to that which is stored on say an HD, although Richard does need to actually research how much “live” data Windows actually does store which can be recovered with the right tools.

    1. Richard says:

      Thanks for the giggles, li’l Goblin. You’ve given every educated reader of your weblog a good belly laugh by now, with your hopeless (deliberate?) misunderstanding of the difference between live and persistent. I bring out the “best” (read: most amusing) in you … and you wonder why your readership increases when I’m around!

      I guess now is where I’ll “run away with my tail between my legs”. I can’t teach anything to those who refuse to learn! Until your next failure to understand, adieu.

      PS don’t do any post editing for any of your posts, now. They’re just *priceless* the way they are😀.

      1. openbytes says:

        What on earth are you talking about? YOU agreed Cofee wouldn’t work with a Linux system. So I am right, am I not? A LiveCD would be no good to Cofee since it’s Linux..or have I misunderstood anything there? If you are claiming something different please explain, or else stop repeating that which we both already agree on.

    2. Richard says:

      Most Priceless Misunderstanding:

      Quote “COFEE snapshots live data, NOT persistent data. Do you understand the difference?”

      Yes I do, which is why I’m confused by you firstly saying that Linux would not be able to be interrogated by Cofee and then suggesting it would…please make up your mind.

      Oh, the delicious, delicious irony… “Yes I do”, followed by a total and complete failure of comprehension😀. Now that’s comedy!

      1. openbytes says:

        Richard please just read my article where I say:

        “is in essence a software and USB solution which enables a live system to be “snapshotted” in situ.”

        or how about:

        “In my opinion an in situ dump of a live system will only have real evidential worth in a court if it’s backed up with the original system”

        or what about:

        “Agency to call in its own experts if it encountered a situation where a live exam/retrieval was essential.”

        It has been obvious that I have stated the live retrieval function of Cofee from writing the article. You are wasting my time. The only contentious part is that there are people claiming that Cofee ALSO takes persistent data too; since I haven’t used it I wouldn’t know for sure, but it’s a moot point since it seems Cofee’s selling feature is its live data snapshot.

        Please tell me how I’ve got anything else wrong, or why nobody else is claiming the same as you. I had you down as a time waster not a liar, but you can’t even tell the truth in your own posts, as detailed in my next response.

    3. Richard says:

      A friend of mine thinks that this is the most amusing misunderstanding:

      Quote “I guess that, in your world, removing the USB stick will magically make all of the running processes started from the LiveCD disappear,”

      Richard, please keep up…You agreed yourself (and with me) that Cofee would not work with a Linux based system. Of course the running processes would not disappear, but like you say Cofee would not work on Linux. What on earth is your point?

      … because, quite obviously, the existence of Windows LiveCDs has escaped the keen eyes of this particular Goblin. I find his ability to misunderstand the simplest of distinctions to be funnier, but I’m reliably told that his inability to do a simple Google-search for “Windows LiveCD” is quite the comic act. YMMV!

      1. openbytes says:

        Richard are you not understanding what you are reading? What do I advocate? Linux. What do I review? Linux. What do I talk about? Linux.

        How often do you come across a user running a Windows LiveCD? I certainly haven’t, and it is obvious (since this is a Linux/FOSS blog) that when I say LiveCD I mean Linux.

        Since you seem to comment every time I highlight the benefits of Linux over Windows, I fail to see how you’ve mistaken my use of LiveCD to possibly mean Windows…Keep up Richard.

        Once again though, just for you I will remind you this blog is dedicated to FOSS/Linux. In fact I say repeatedly I don’t use Microsoft products.

        Richard, as well as distracting me with pointless and intentional misunderstanding of my text (which no-one else has) you can’t even tell the truth about your own actions:

        Quote “no, nothing else worth replying to.”

        You still haven’t answered my challenge to quote me in respect of the allegations you made, you haven’t responded to the Linux tools you claimed didn’t exist, and yet you still come back for more.

        I’ll let the readers decide who is right.

        I’m pleased your friend found humor here. Maybe I can welcome him as another reader to this blog, whose readerbase grows on a monthly basis.

        Thank you Richard for completely wasting my time with your pointless around the houses intentional misunderstandings….

        One last time Richard so I know you understand, this is a Linux blog…I know it sounds strange but because of it being a Linux blog when I say LiveCD I am referring to a Linux one not a Windows one…..strange I know….confusing, probably…if you repeat Linux to yourself enough times I think you will finally understand.

        Kind regards
        Goblin.

  4. Keranky1a1 says:

    Richard knows nothing; why does he even come here? To be pwned every time?

  5. openbytes says:

    Richard, you’ve wasted enough of my time with your childish attempts to fudge and distort.

    What I would ask readers to do (as I presume they already have done) is read what I say, then what Richard says, and make up your own mind. It seems strange that after over 2000 UIPs to this article Richard is the only one who claims I misunderstand the terms…

    The only thing I resent about Richard’s comments is his refusal to evidence his claims and the inference he draws that I may delete the posts. It has never happened, it never will.

    Whilst Richard never seemed to realize that this was a blog with a Linux flavour, he also seems to have misunderstood my stance from day 1. I write this blog in the hope that people enjoy reading it; if it entertains them, great, if they agree that’s fine, and if they don’t, as long as they enjoy coming back (which Richard seems to do) that’s the only important thing.

    There are plenty of sites that offer news in a generic format. They are far quicker and far better resourced to do that. This blog takes a different route, and when the blog hit 1 year old, the WordPress stats that I published showed a great increase in readership.

    I would only ask readers here to consider, why does Richard keep coming back? Where have we seen this behaviour before? Why does Richard put so much wordage into responding, but more importantly if Richard so strongly disagrees with me and this blog, why does he keep returning?

    I will let you consider that in your own time, whilst also considering that anything which challenges Mother Microsoft’s superiority seems to attract attacks and time wasters. comp.os.linux.advocacy is one of the best examples.

    And finally to Richard, if you think by continuing this time-wasting route you have any chance of stopping this blog you are mistaken. This blog was created purely because of actions like yours, and in fact it’s what gives me the motivation to carry on.

    Ric Flair (an ex-WWE wrestler) said a very true thing about the media. “It doesn’t matter if you are loved or hated, it’s indifference that’s the killer”

    Never a truer word. Thanks for coming Richard.

    1. Richard says:

      Oh, you’re precious! Seriously, I’m writing this with tears of laughter in my eyes …

      Yes, “Goblin”, your blog is so Amazingly Threatening to the Global Microsoft World Domination Conspiracy that I’ve been sent (from the Future!) to shut you down. They pay me to seek out poorly-researched blogs with inadequate grammar and a few thousand visitors each year, because they have money to burn.

      You have a terribly overinflated sense of your own importance, and the importance of your amusing little weblog. Perhaps you’re confusing it with, oh, I don’t know, Slashdot? Or you think that you’ve got the reach of Scoble, or Tim O’Reilly? It’s like watching a tiny little doggie yapping out at the world from behind his fence, sure that he’s the master of the known universe…

      Dear Goblin, you’ll definitely be getting more visitors, because I’ll definitely be recommending people to come here for the laughs😀. You’re just too much… oh, I’m tempted to print out your little rant and stick it up on the wall. It’s so cute! Woof-woof!

  6. openbytes says:

    What are you reading Richard? Its certainly not this blog.

    I referred to YOU, not Microsoft, and I think you are simply trying to disrupt and deter. If you check my Twitter, a follower (who was very unimpressed by your “work”) asked if I thought you were Microsoft associated. I don’t think so; I don’t think they would pay for your rubbish.

    “Dear Goblin, you’ll definitely be getting more visitors, because I’ll definitely be recommending people to come here for the laughs”

    Thanks. Nice comeback. I welcome them all.

    “It’s like watching a tiny little doggie yapping out at the world from behind his fence, ”

    and what, pray tell, does that make you? A person who comments and spends time returning to a blog they disagree with? Where’s your site?

    “your amusing little weblog.”

    Richard, again, please keep up. If you find amusement then I’m pleased. It’s one of the reasons I enjoy writing it. Amusement/agreement/disgust, it’s all the same to me, and you keep coming back so I must be good.

    Some little crackers to add to your list.

    “You have a terribly overinflated sense of your own importance”

    Liar. In fact the opposite; that’s why I say for readers to check the opinions of many people. I’ve said it enough times, and the fact you keep coming back means you must read this blog, so you already know that.

    “You’re just too much… oh, I’m tempted to print out your little rant and stick it up on the wall. It’s so cute! Woof-woof!”

    Please do. Anything else?

  7. ml2mst says:

    LOL, me thinks “Richard” is yet another alter ego of “Hadron”. Just take a look at “Hadron’s” record on the Colatrolls list and check out the similarities:

    http://colatrolls.blogspot.com/2007/01/hadron-quark-troll.html

    http://tinyurl.com/y977ctj

    Notice the same reading comprehension difficulties, the desire to “school” anyone on subjects on which he is clueless himself. Oh and “Hadron” posted as “Richard” as well before.

    ROTLMAO🙂

  8. openbytes says:

    Hi Marty!

    I think what Richard thinks he reads is completely different to what he actually has. He spent lines of text saying I was wrong over a point he had already agreed with me on.

    Richard knew full well that LiveCD was referring to a Linux system (or at least I hope he did, otherwise he’s missed all the Linux clues over the life of this blog)

    I’ll make sure in future, just for Richard, I use the words LINUX LIVECD so he doesn’t get confused again.

  9. newsgroupsdirect says:

    Torrents aren’t safe, use newsgroups, try it free..

  10. openbytes says:

    and newsgroups are safer because?

    Let’s face it, if you are going to risk downloading material from anywhere you are putting your trust in the source…

    or did you have another meaning of the word “safe”?

    oh and in the spirit of “safe” I’ve removed your link. It was an advert (for a service from a company I’ve never heard of)

  11. Direct Download says:

    Can’t be safe on torrents anymore, private trackers are getting hit now. Usenet is the way to go for sure..
