Microsoft gives cops COFEE: free computer forensic tools
Cops doing computer forensic work already have a ton of tools to choose from, but Microsoft is doing its part to help out as well -- the company just revealed that it's been distributing a special thumb drive to cops in 15 countries to help them identify and extract information from suspects' computers. The drive, called COFEE for Computer Online Forensic Evidence Extractor, is in use by more than 2,000 officers, including some in the States, and Microsoft is giving it away for free, saying that it's doing it not for profit but to "help make ensure the Internet stays safe." COFEE contains more than 150 commands that can be used to collect information, decrypt passwords, and poke through network activity, which helps alleviate the problem of having to remove and transport a suspect's computer for evidence purposes -- officers can just plug in the drive. There's no word on when Microsoft will start widely distributing the drives, but we'd assume it'll be soon. [Thanks, Yoshi]
Reader Comments (Page 1 of 2)
schmitty338 @ Apr 29th 2008 10:06PM
BLARG?
Tinu @ Apr 29th 2008 11:06PM
DONUTS = Disc Of New Undercover Tracking Software :-D.
or maybe Disc Of New Unreleased Trial Software :-D.
compuguy1088 @ Apr 29th 2008 11:44PM
Blerg!
m16 @ Apr 29th 2008 10:07PM
bittorrent link? :)
Keaton @ Apr 29th 2008 10:56PM
@mark
minutes...
tb @ Apr 29th 2008 10:57PM
what?
you mean it's not yet on BT sites all around?
linumax @ Apr 29th 2008 11:24PM
Try any live Linux, there are even several distros specifically for the purpose of Windows Recovery which let you mount ntfs and bypass/reset passwords.
Nothing new about this tool, Police have been using other tools forever, now Microsoft is giving them a MS-branded tool.
schmitty338 @ Apr 29th 2008 10:07PM
Damnit....what i meant to say was: "Worst....Acronym....EVER"
Philippe @ Apr 29th 2008 10:10PM
Unless it comes in the shape of a donut
astute @ Apr 30th 2008 10:39AM
CD's are shaped like donuts. Sadly enough thumbdrives are not shaped like coffee..
Jake E. @ Apr 29th 2008 10:09PM
Great. Now where are the DONUTS?
Tim @ Apr 29th 2008 10:15PM
I'm not sure which countries this will be going to, or how their justice system works, but I have a bad feeling that this will serve mostly to violate privacy rights (yes, I'm American, and yes I'm aware that our rights get trampled - Ron Paul ftw? nope, sry, ron paul = fail) hopefully it remains beneficial, but, ya know, good intentions and all that . . .
Reader @ Apr 29th 2008 11:23PM
Why bring politics into this? I can resist getting into flamboy wars, but it's extreeemely hard for me to push down the urge to join in on a politics debate... Please stop torturing me.
Andir3.0 @ Apr 30th 2008 9:45AM
@Dolemite: Then you yourself have fallen for the old political games if you think RP is a racist or a supremacist in any way. I'm sure there's a Republican or 50 out there thanking you for believing that.
retro77 @ Apr 30th 2008 10:41AM
@Dolemite: good job at being a tool. Did you read his whole post?
flyby @ Apr 29th 2008 10:15PM
This is great until it gets into the hands of a criminal. If they could crack/bypass passwords that would be bad.
TomTom2007 @ Apr 29th 2008 10:27PM
** 15 terabyte of porn deleted **
Noooooo.......
Reader @ Apr 29th 2008 11:20PM
Tera is weak sauce... Men measure their porn in petas.
clifferny @ Apr 29th 2008 10:17PM
OMG, somebody at Microsoft was able to download public tools available on sectools.com on a usb thumb drive.
This is news, because first somebody at Microsoft was able to do something.
And second because they at least admit that open source is superior.
I'm sure it includes ping.exe a powerful tool for tracking computer on the internet.
Fitz @ Apr 29th 2008 10:40PM
Open Source is great if people know where to find it.
Do you thing a cop could actually figure that out? Doubt it, otherwise they would've achieved more in life.
So this time, MS pulls an 'Apple' and just makes it easy.
Mike @ Apr 30th 2008 10:39AM
Fitz,
Spoken like a true idiot!
I "thing" the level of expertise of many forensic investigators in LE would make you look like a pre-schooler banging away at a Fisher-Price computer.
http://www.fisher-price.com/img/product_shots/L3480_d_1.jpg
schmitty338 @ Apr 29th 2008 10:21PM
wow...such naivety...software like this has been available for free on the internet for a LONG time and can be used by criminals at any time... just because microsoft is giving it to cops for free on little USB sticks doesn't mean it was just created, is top secret or eventually going to lead to rampant fraud and loss of privacy....*sigh*....
Kurian @ Apr 29th 2008 10:42PM
Not to mention that any hacker's PC will be properly secured against such threats. Heck even MY PC can't be busted into by that crap.
kal326 @ Apr 30th 2008 1:15PM
These tools may have been around forever, but now Microsoft has gotten its own version of it. So now when you plug the drive in a little animated assistant pops up and states
"It looks like you're hacking a computer. Would you like me to: ....."
DarkLightConnection Unbanned @ Apr 29th 2008 10:34PM
lolz i use bsd i can render teh cop's tools useless lolz 1!11!!!!1!oneoneoneone
(Before you blame me for this message: No I'm not being serious... However, I really do think that this thing is a cheap USB stick with a bunch of totally useless tools)
CUBSWILLWIN @ Apr 29th 2008 10:45PM
I bet since it's microsoft, these tools only work for windows so microsoft makes them arrest anyone using linux or OSX.
( Not really being serious either, but it is a microsoft mentality, not that I have nothing against them.)
CUBSWILLWIN @ Apr 29th 2008 10:45PM
you were banned? why?
DarkLightConnection Unbanned @ Apr 29th 2008 11:00PM
That reminded me of this: http://www.engadget.com/2007/08/24/linux-user-forced-to-use-windows-as-part-of-home-confinement/
Linux/BSD/Mac users (with illegal stuff): Be afraid. Be very afraid. :-)
And yeah, I got banned for messing around with the comment system and pointing out one of its "secret bugs" in public :-P.... But it happened during that live Apple event, no one ever noticed... The news were flowing too fast to comment for the Apple lovers, and Apple haters turned off the internet...
Bender Bending Rodriguez @ Apr 29th 2008 10:41PM
And the chances of this being used at the next hacker convention are pretty high.
AlphaTeam @ Apr 29th 2008 10:46PM
I think I should assume this only works on people with Windows? Also I don't see this defeating encryption nor hackers taking the software and building a block for it.
Jonathan-DBOSS @ Apr 29th 2008 10:49PM
Hot COFEE!
ED @ Apr 29th 2008 11:11PM
This is defeated by connecting a decoy USB socket to the right part of your power supply.
Yevon @ Apr 29th 2008 11:12PM
Wait. Microsoft is all excited about hacking THEIR OWN SOFTWARE? That's just cheating.
SiLo @ Apr 29th 2008 11:20PM
First of all, I don't see what this can possibly help them with. If it can, that means we are always being probed and recorded on our own PCs by Microsoft? I'm sure that violates at least one law and requires users to be properly informed (read: not shrink-wrap agreements). Even if so, I am sure they must give users the option to opt out of such a "courtesy."
Decrypting passwords? From what I can recall, passwords are stored as a hash, which is not something you can just "decrypt," that's called GUESSING or BRUTE FORCING and that's far more of an attack on security rather than a "transformation" of decrypting. While possible, it would take time for sure.
Then again, I am glad I have made the switch to Linux as of late for most of my computing needs.
SiLo @ Apr 29th 2008 11:26PM
If it came on a CD/DVD you could just defeat it by using a Macbook Air. :O
RandomCake @ Apr 30th 2008 7:17AM
The MacBook Air defeats it anyway with its tiny USB slots I doubt the pen drive will fit!
barry @ Apr 30th 2008 12:34AM
so is this supposed to be used to be booted off of? or is it like plug it in and it just opens windows up to what you want to do?
if it worries you, encrypt your drive, as these tools do not work with encrypted drives. if it's a usb driver someone needs to find it and make a patch for it for the paranoid, i for one welcome our microsoft 'hacker' overlords
IndiaTech @ Apr 30th 2008 1:11AM
This is probably the most stupidest idea by Microsoft after MS Bob. Firstly, you can't just go into a suspect's house and stick this thing into their computer. It is invasion of privacy. They cannot do it without a search warrant. Even if they have a search warrant, they still cannot stick this in since the password cracking software reads and writes into the memory thus contaminating critical evidence thus making it inadmissible.
The correct procedure in such cases is going into a suspect's place, doing a memory dump of the RAM, sealing and securing the computer, bringing it into the lab AND then examining the contents.
It would be sad if some kiddy porn storing perv gets to go free if some stupid cop decides to stick this USB stick into the evidence computer.
Real Life is not CSI.
tekdroid @ Apr 30th 2008 5:29AM
Firstly, you can't just go into a suspect's house and stick this thing into their computer. It is invasion of privacy. They cannot do it without a search warrant.
--------
Everything can be done under the umbrella of 'anti-terrorism' these days. At least in my country (Australia) and the US, that's for sure.
erislover @ Apr 30th 2008 10:23AM
They are called sneak-and-peek warrants, and they're not real warrants at all, and they don't need to notify you. You've been in a fascist police state all this time and didn't even know it!
But seriously, there are sneak-and-peek warrants, and they suck.
Brandon L @ Apr 30th 2008 1:18AM
Yea, cops can have all the COFEE they want, they aren't touching this guy...
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/15/AR2008011503663.html
Vishakha @ Apr 30th 2008 2:43AM
what i meant to say was: "Worst....Acronym....EVER"
rodcadneo @ Apr 30th 2008 4:02AM
just use diamond boot to hack in windows pc :)
Scott @ Apr 30th 2008 4:40AM
First off, replacing your hash with theirs, will now let them boot up your computer with your account, but will hose the encryption key you used to encrypt your folders, but... what they don't tell you is that your encrypted files have a "Recovery Agent" key (for your safety), this is most likely how they can gain access to your encrypted files. Even if you removed such key, they still could just "tree /f /a >evidance.txt" and have a complete list of all your files, sure they couldn't open them, but if you have 72,000 files named *.mp3, they could probably still win a case against you to an ignorant jury.
Most people use simple passwords anyway, to brute force an 8 character only alphabet password takes no time at all. MyC1viaLriGht$, try to bruteforce that.
Just use linux, encrypt your files using a 512-bit key, password lock your harddrive, and wear a tin-foil hat.
COFEE is really just an inclined table, some saran-wrap, and a bucket of water. Guaranteed to get your password in 5 minutes or less.
Rususeruru @ Apr 30th 2008 7:08AM
TIN FOIL HAT FTW!
or for the secure in this case? fts, just doesn't flow right.
anabouboula @ Apr 30th 2008 7:10AM
Take that Apple!
Chew @ Apr 30th 2008 8:36AM
Or you guys could just visit the guys who originally did this over at Hak.5 and have been supporting the community with different payloads for years!
http://wiki.hak5.org/wiki/USB_Switchblade and in the forums at http://forums.hak5.org/index.php?board=20.0
Mischa G @ Apr 30th 2008 10:16AM
Wow, that's just great. Would they like a cookie while they're there? Imagine if you bought a house and they gave a copy of the keys to the cops and so they could search your place more easily.
http://impatientsufferance.com/2008/04/30/microsoft-invites-police-into-your-computer-offers-them-a-cofee-213/
retro77 @ Apr 30th 2008 10:53AM
The article doesn't mention if it's a live Windows OS. In order to be admissible in court, you can't alter any of the information on the hard drive.
Juaquin @ Apr 30th 2008 12:34PM
TrueCrypt is your friend. Real men use full-drive encryption.