Slashdot Mirror


Microsoft Helps Police Crack Your Computer

IGnatius T Foobar writes "Microsoft has developed a small plug-in device that investigators can use to quickly extract forensic data from computers that "may have been used in crimes." It basically bypasses all of the Windows security (decrypting passwords, etc.) in order to eliminate all that pesky privacy when the police have physical access to your computer. Just one more reason not to run Windows on your computer."

3 of 558 comments

  1. Re:What could possibly go wrong? by tokul · · Score: 3, Informative

    Reverse engineering and ...

    Why do you have to reverse engineer it when tools already exist?

  2. Some COFEE info from an Australian L.E. Conference by d3ac0n · · Score: 3, Informative
    Google .DOC-to-HTML link

    Here is the original link if anyone wants it: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc

    If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

    Computer Online Forensic Evidence Extractor (COFEE)

    In 2006, inspired by WFT, Ricci Ieong started the development of the Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006). COFEE uses batch scripts to manage a list of existing incident response tools and IT security tools as a volatile data forensics acquisition system similar to WFT, IRCR and FRED, but all the scripts and programs are stored on a USB storage device before data acquisition.

    Instead of requesting users to key in the output directory, COFEE automatically redirects the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, the operating-system-dependent programs are automatically selected after the version detection. The investigator only needs to insert the USB storage device into the target machine and click one to two buttons in order to start the data acquisition process.

    Another difference between COFEE and other live forensics toolkits is the separation of the data acquisition procedures from the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on the target machine may also alter the memory content of the target machine. As report generation need not be executed on the target machine, only data acquisition programs would be executed on target machines in COFEE. All program selection, data examination and analysis processes would be performed on the investigator's machine.

    Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.


    Interestingly, this article is from 2006. So COFEE has been around for 2 years already. Fascinating that we are just hearing about it now.
    --
    Official Heretic from the "Church of Global Warming". Proven right thanks to whistle blowers. AGW = Flat Earth Theory
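The quoted proceedings describe three design points: a tool table selected by detected OS version, output redirected straight to the inserted removable device, and no examination or report generation on the target. The script below is an added example of that acquisition/examination split, not COFEE's own code and not from the proceedings. The tool table, the interpreter-based stand-in commands (so it runs anywhere without native binaries) and the SHA-256 manifest used to check the collected files on the examiner's machine are all my assumptions.

```python
"""Minimal live-acquisition runner modelled on the COFEE design quoted above.

Added example, not COFEE's code.  Acquisition on the target only runs the
selected tools and writes their raw output plus a hash manifest to the
removable output directory; verification of that manifest is the first
step of examination and runs elsewhere.
"""
import hashlib
import json
import platform
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed tool table keyed by OS family (assumption).  A real toolkit
# maps these to native binaries shipped on the USB device; here each entry
# is a stand-in that just emits a fixed line so the script is self-contained.
TOOLS = {
    "Windows": {
        "netstat": [sys.executable, "-c", "print('TCP 0.0.0.0:445 LISTENING')"],
        "tasklist": [sys.executable, "-c", "print('svchost.exe 812')"],
    },
    "Linux": {
        "ss": [sys.executable, "-c", "print('LISTEN 0.0.0.0:22')"],
        "ps": [sys.executable, "-c", "print('sshd 1042')"],
    },
}


def select_tools(os_name: str) -> dict:
    """OS-version-dependent program selection; unknown OS gets nothing."""
    return TOOLS.get(os_name, {})


def acquire(out_dir: Path, os_name=None) -> dict:
    """Target-side step: run each tool, stream stdout to out_dir, record hashes."""
    os_name = os_name or platform.system()
    manifest = {"os": os_name, "artifacts": {}}
    for name, cmd in select_tools(os_name).items():
        result = subprocess.run(cmd, capture_output=True, timeout=60)
        dest = out_dir / f"{name}.txt"
        dest.write_bytes(result.stdout)  # raw output only, no parsing on target
        manifest["artifacts"][name] = {
            "sha256": hashlib.sha256(result.stdout).hexdigest(),
            "exit": result.returncode,
        }
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(out_dir: Path) -> list:
    """Examiner-side step: names of artifacts whose content no longer matches."""
    manifest = json.loads((out_dir / "manifest.json").read_text())
    mismatched = []
    for name, meta in manifest["artifacts"].items():
        data = (out_dir / f"{name}.txt").read_bytes()
        if hashlib.sha256(data).hexdigest() != meta["sha256"]:
            mismatched.append(name)
    return mismatched


def run_demo() -> dict:
    """Acquire into a temporary 'USB' directory, then tamper with one file."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        manifest = acquire(out, os_name="Windows")
        clean = verify(out)
        (out / "netstat.txt").write_bytes(b"edited after acquisition\n")
        tampered = verify(out)
    return {"collected": sorted(manifest["artifacts"]), "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of keeping `verify` off the target is the one the proceedings make: anything beyond raw collection changes memory on the machine under examination, so parsing, reporting and integrity checks belong on the investigator's side.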
  3. Re:Really? by v1 · · Score: 3, Informative

    The gory details here are that the key to the filevault is a random number, and THAT is encrypted separately in the header using two different keys - the user's hashed password, and the filevault master. So if you know the master password, OR the user password, you can decrypt the actual image key and can get in. And changing the user password does not require reencoding all the image data, you just reencode the key in the header using the new password.

    There is no other back door. The only possible hack is if they have auto login turned on, which basically indicates they are a retard. Technically it's possible to recover the login password once booted and auto logged in, though I have yet to see anyone figure it out, and I do look periodically. But at that point the HD is mounted anyway so all your data is there for copying to an ext HD. Just no access to passwords in the keychain (as in recovering them; you can still use them since the keychain is probably unlocked), but as above that is technically possible, though I have not seen it done yet.

    If auto login is not on, they are not logged in, you don't know the password, and you don't know the master password, nobody can help you. Not the Apple store, not Steve, it doesn't matter who you are.

    --
    I work for the Department of Redundancy Department.
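The key-wrapping layout v1 describes (a random image key stored twice in the header, once under the user's password-derived key and once under the master key, so either unlocks it and a password change only rewraps one slot) is worth seeing as code. The block below is an added example and not Apple's FileVault implementation: the PBKDF2 parameters are assumed, and the wrap itself uses an HMAC-derived keystream with an HMAC tag as a standard-library stand-in for the real block-cipher key wrap.

```python
"""Toy model of a two-slot key-wrapping header (added example, not FileVault).

A random image key is wrapped under two key-encryption keys (KEKs): one
derived from the user's password and one from the master password.  Either
secret unwraps the same image key; changing the user password rewraps only
the user slot and never touches the image key or the bulk data.

The wrap primitive here (HMAC keystream + HMAC tag) is an assumption made
so the example runs with the standard library only; a real system would
use an authenticated block-cipher key wrap.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

KDF_ITERS = 100_000  # assumed PBKDF2 cost (constructed value)
KEY_LEN = 32


def derive_kek(secret: str, salt: bytes) -> bytes:
    """Stretch a password or master passphrase into a key-encryption key."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ITERS, KEY_LEN)


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC (stand-in for a cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plain_key: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain_key, _keystream(kek, nonce, len(plain_key))))
    tag = hmac.new(kek, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the wrapped key, or None when the KEK is wrong (tag mismatch)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class VaultHeader:
    salt: bytes
    user_slot: bytes    # image key wrapped under the user's password KEK
    master_slot: bytes  # image key wrapped under the master KEK


def create_vault(user_password: str, master_password: str) -> VaultHeader:
    """Pick a random image key and wrap it under both KEKs."""
    salt = os.urandom(16)
    image_key = os.urandom(KEY_LEN)
    return VaultHeader(
        salt,
        wrap(derive_kek(user_password, salt), image_key),
        wrap(derive_kek(master_password, salt), image_key),
    )


def unlock(header: VaultHeader, secret: str) -> Optional[bytes]:
    """Either secret recovers the same image key; anything else yields None."""
    kek = derive_kek(secret, header.salt)
    return unwrap(kek, header.user_slot) or unwrap(kek, header.master_slot)


def change_user_password(header: VaultHeader, old: str, new: str) -> VaultHeader:
    """Rewrap only the user slot; the image key and master slot are untouched."""
    image_key = unlock(header, old)
    if image_key is None:
        raise ValueError("old password does not unlock the vault")
    return VaultHeader(header.salt, wrap(derive_kek(new, header.salt), image_key), header.master_slot)


if __name__ == "__main__":
    h = create_vault("correct horse", "master-secret")
    print("user unlock ok:", unlock(h, "correct horse") is not None)
    print("wrong password ok:", unlock(h, "wrong") is None)
    h2 = change_user_password(h, "correct horse", "new pass")
    print("master slot unchanged:", h2.master_slot == h.master_slot)
```

This is also why the comment's last paragraph holds in this model: with no unlocked session and neither secret, the header contains only wrapped copies of the image key, and nothing in it can be opened without one of the two KEKs.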