Slashdot Mirror


Microsoft COFEE Leaked

54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"

171 comments

  1. oh by amnezick · · Score: 0

    more like spilled. Pretty useless if you always turn off your computer when you leave home ... or hear "xxPD, open the door".

    --
    mov ax,4c00h
    int 21h
  2. But by Anonymous Coward · · Score: 0

    I still don't understand what it does.

    1. Re:But by hansraj · · Score: 4, Informative

      Wikipedia is your friend.

    2. Re:But by supernova_hq · · Score: 1

      I just read the entire wikipedia article, and I've done all of that, and more, with backtrack for FREE.

    3. Re:But by ThatsNotPudding · · Score: 1

      A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest[2].

      Ah, yes; the stalking horse to justify the destruction of the individual's right to privacy. And of course, this evidence could never have been planted by the self-same investigators via their self-same COFEE USB key. Perish the thought.

    4. Re:But by LO0G · · Score: 2, Interesting

      As far as I know, COFEE is only used when you have a search warrant. If you have a search warrant, then by definition there is no right to privacy - by granting the search warrant, the court has said that investigators are allowed to look at your stuff.

      In the past, people have tried the "I was framed by the police" gambit before with very limited success - typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.

    5. Re:But by Anonymous Coward · · Score: 0

      Clean up most of Vista's built-in spyware (index.dat) files and then find any left over using the following--must be run from Vista's Command Prompt only mode (boot using F8).

      [begin file cleanup.bat]
      @echo off
      REM Per-user profile. The username between "Users\" and "\AppData" is missing
      REM from the path as posted; fill it in before running.
      REM "|| exit /b 1" aborts the script if a cd fails, so the rmdir lines below
      REM never run against whatever the current directory happens to be.
      cd /d "C:\Users\\AppData" || exit /b 1
      cd Local || exit /b 1
      rmdir "Temp" /s /q
      rmdir "Microsoft Internet Explorer" /s /q
      cd ..
      cd Roaming || exit /b 1
      rmdir "Microsoft Internet Explorer" /s /q
      REM System profile
      cd /d "C:\Windows\system32\config\systemprofile\AppData" || exit /b 1
      cd Local || exit /b 1
      rmdir "Microsoft Internet Explorer" /s /q
      cd ..
      cd Roaming || exit /b 1
      rmdir Temp /s /q
      rmdir "Microsoft Internet Explorer" /s /q
      REM LocalService profile
      cd /d "C:\Windows\ServiceProfiles\LocalService\AppData" || exit /b 1
      cd Local || exit /b 1
      rmdir Temp /s /q
      rmdir "Microsoft Internet Explorer" /s /q
      cd ..
      cd Roaming || exit /b 1
      rmdir Temp /s /q
      rmdir "Microsoft Internet Explorer" /s /q
      REM On Vista the IE cache and history live under AppData\Local\Microsoft\Windows
      REM (the path as originally posted omitted the "Local" component).
      cd /d "C:\Users\\AppData\Local\Microsoft\Windows" || exit /b 1
      rmdir "Temporary Internet Files" /s /q
      rmdir History /s /q
      cd \
      REM List any index.dat files that survived. "/a" is needed because index.dat
      REM files carry the hidden and system attributes and a plain "dir /s" skips them.
      dir /s /a index.dat
      [end file cleanup.bat]

      (For any left over index.dat files that it finds, you'll have to use "attrib -r -a -s -h", without quotes, on each separate file before they can be deleted. The "attrib -r -a -s -h" removes any read-only, archive, system, and hidden attributes that the file may have.)

      This is valid even for perfectly legitimate browsing because, really, the operating system has no business caching and storing browser history once the browser has been closed. (Vista's Delete History and Cookies still leaves the contents of the index.dat files 100% intact.)

      Disclaimer: not responsible for any data loss, but it has not caused any data loss when used on my system.
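The script below is an added example and not code from the post above. It automates the attrib-then-delete step the poster says has to be done by hand for each leftover index.dat file: it lists every index.dat on the system drive (using "dir /a", since these files are hidden+system and invisible to a plain "dir /s"), strips the blocking attributes, and deletes them. The script name sweep_indexdat.bat and the report-only/delete argument convention are this example's own assumptions.

```batch
@echo off
REM Added example, not from the original post: sweep C:\ for index.dat files,
REM strip the attributes that block deletion, and delete them.
REM Run from Safe Mode with Command Prompt as the post advises; files held open
REM by Explorer or Internet Explorer cannot be deleted from a normal session.
REM Usage:  sweep_indexdat.bat          (report only, nothing is deleted)
REM         sweep_indexdat.bat delete   (strip attributes and delete)
setlocal
set "found=0"
set "removed=0"

REM "dir /s /b /a C:\index.dat" searches every subdirectory of C:\ for a file of
REM that exact name and prints full paths; /a with no letters includes hidden
REM and system files. 2^>nul discards "File Not Found" inside the for /f command.
for /f "delims=" %%F in ('dir /s /b /a "C:\index.dat" 2^>nul') do (
    set /a found+=1
    if /i "%~1"=="delete" (
        REM Remove read-only, archive, system and hidden before deleting.
        attrib -r -a -s -h "%%F"
        del /f /q "%%F"
        REM del does not reliably set an exit code, so verify the file is gone.
        if not exist "%%F" set /a removed+=1
    ) else (
        echo would delete "%%F"
    )
)

echo index.dat files found: %found%, removed: %removed%
endlocal
```

The report-only default exists because "rmdir /s /q" style cleanups give no second chance; run it once without an argument, read the list, then run it again with "delete". Any file that is still reported afterwards is most likely held open by a running process and needs the Safe Mode boot the post describes.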

    6. Re:But by hansraj · · Score: 5, Insightful

      Really... why should we have to look up something stated in the summary as "100% useless to us"? Thanks fuck head!

      Because:
      1) You are wondering what is the damn thing in the first place (like OP did), and
      2) You want to make your own opinion.

      No one is forcing you to read through the wikipedia entry. I hope, for the sake of people around you, that you don't flip out as easily in real life.

    7. Re:But by Anonymous Coward · · Score: 0

      I'm not a lawyer (but I drink like one), but just because an LE officer has a search warrant doesn't mean the subject has no right to privacy. That's why search warrants have to be so specific.

    8. Re:But by edumacator · · Score: 4, Insightful

      Responsible Mods needed...

      Come on...this guy responds to someone, who calls him a fuck head for providing a link to information connected to the post, in a calm and measured way, and somehow he gets modded flamebait?

      If that doesn't get fixed, I've lost the last little bit of trust I have in the /. mod system.

    9. Re:But by LO0G · · Score: 1

      You're right, I should have been more specific. If an LE officer has a search warrant for the contents of your computer, then he has the right to access the contents of your computer; your right to privacy doesn't apply.

    10. Re:But by Anonymous Coward · · Score: 0

      I still don't understand what it does.

      There's a 30MB 'FIXED' version of cofee on piratebay which installs a trojan. woohoo!

    11. Re:But by Anonymous Coward · · Score: 0

      No you can't. Backtrack is a linux live cd - COFEE is meant to run on the windows pc.

      Did you even bother to read... ah we're on /.

    12. Re:But by rcamans · · Score: 2, Funny

      heh heh. he said he had trust in the mod system. heh heh heh.

      --
      wake up and hold your nose
    13. Re:But by supernova_hq · · Score: 1

      The only thing COFEE does that backtrack doesn't is copy the RAM. Unless the person is using encryption, in which case a non-computer-forensics person (who the product is targeted at) shouldn't be anywhere NEAR the machine, there is no reason to preserve the volatile memory. In fact, if a person is that paranoid (and still running windows), chances are the application will end up triggering a dead-switch.

      Any computer forensics expert worth their degree will tell you NEVER to do anything to a running machine suspected of being rigged. They don't even shut it down, just pull the plug. If they want to recover the RAM, they have about 3 minutes to do so (through a clean boot) before the "volatile" memory is gone.

    14. Re:But by Runaway1956 · · Score: 2, Informative

      Try Helix3. Don't jump up and down, telling me that it's another Linux LiveCD. There is a Windows executable in the root directory to capture system state stuff. When that finishes, you can reboot to the LiveCD for more tools.

      They have an outdated version that is free, and if you wish to pay about 7 or 8 hundred bucks, you can get the up-to-date version.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    15. Re:But by tietokone-olmi · · Score: 0, Troll

      heh heh heh butthole heh heh heh heh heh

    16. Re:But by DM9290 · · Score: 1

      typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.

      Generally courts presume everyone is honest and plays by the rules unless there is some specific reason to think otherwise. It probably can be no other way. If the court assumed everyone was a liar, then it would be impossible to get anywhere, as the only evidence would be evidence submitted by other people also presumably lying.

      The sad fact is that if someone really wants to fuck you over, they probably can. But planting evidence is one of the more complicated ways of doing it.

      --
      No one has a right to their *own* opinion. They have a right to the TRUTH.
  3. While I don't have any use for the program by smallfries · · Score: 4, Insightful

    It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
    1. Re:While I don't have any use for the program by nurb432 · · Score: 1

      It sounds so basic that you really don't need to see the application to prevent it from hurting you.

      --
      ---- Booth was a patriot ----
    2. Re:While I don't have any use for the program by pla · · Score: 4, Insightful

      It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.

      As a fan of maximizing my privacy, I would find such a tool useful just for auditing the effectiveness of my standard cleanup procedures.

      You don't need to break the law to have an interest in others not seeing what you do with your computer. Whether making sure you haven't left personal financial information unencrypted on your machine, or have accidentally clicked "yes" to have your browser remember your passwords, or simply your taste in porn stars... All legal, yet things you probably would rather not leave lying around for anyone other than yourself.

      Now, aside from that, don't forget that police exist to help prosecute cases, not to protect us or find the guilty party or any fluffy BS like that. Once they have you in their sights, the less they can dig up, the better. "Good news - Your alibi checked out, you didn't kill that girl. Bad news - Your computer proves that you played poker online once last year, enjoy your 2+ year federal sentence".

      And hey, who better to know where Windows leaks information than Microsoft itself? Not that I would trust them as my sole source of privacy maintenance, but as I said, for auditing "best practices", such a tool would appear fairly useful.

    3. Re:While I don't have any use for the program by Baron_Yam · · Score: 2, Insightful

      Most warrants are specific... not that I'd want to defend myself on that basis, but I'm sure a good lawyer could help you if you were investigated for child porn and the only thing they find is some evidence of Internet gambling.

      On the other hand, I'd stop the Internet gambling right away, because you know they'd be looking for a way to justify getting you for that having 'lost' the child porn case.

    4. Re:While I don't have any use for the program by Anonymous Coward · · Score: 5, Insightful

      I agree. Using the software may not prove useful, but studying the software to see how it works might be. It is said the software can decrypt passwords and access otherwise inaccessible files. If true, that would be a major security hole that black hats could exploit, so the public has the right to know what exactly COFEE does, how it works, and how to defend their systems from it and similar software.

    5. Re:While I don't have any use for the program by Lloyd_Bryant · · Score: 4, Informative

      Most warrants are specific... not that I'd want to defend myself on that basis, but I'm sure a good lawyer could help you if you were investigated for child porn and the only thing they find is some evidence of Internet gambling.

      On the other hand, I'd stop the Internet gambling right away, because you know they'd be looking for a way to justify getting you for that having 'lost' the child porn case.

      The *warrant* is specific, but if, in the service of the warrant, the officer finds something else, that evidence *can* be seized, and I believe it would be admissible in a court of law (IANAL!).

      The police cannot search for something that is not on the warrant, however. So if the warrant specifies a "bicycle", the police would have no business looking in your sock drawer (unless said sock drawer was large enough to hold the bicycle, of course). But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

      Given the nature of a computer search, I'd expect anything on the hard drive to be fair game...

      --
      Don't tell me to get a life. I had one once. It sucked.
    6. Re:While I don't have any use for the program by Deagol · · Score: 4, Interesting

      They'll get you, one way or the other.

      I'm too lazy to find links, but there was a case a while back of some minor who was accused of accessing child porn from one of Yahoo's services. By all accounts I've read, the defense correctly used the high probability of malware infection to introduce doubt that he actually downloaded the CP himself. Facing a harsh, drawn-out legal battle (as most defendants in these cases do), the family took a plea. The boy pleaded to a count of (something like) corruption of a minor. His "crime"? He apparently gave (or displayed -- can't recall) some adult magazine to one of his fellow under-aged buddies.

      That's right, folks, some kid ended up with a criminal record and a listing on his local sex offender list for looking at nude pin-ups with a friend, something countless curious teen boys have done since nude centerfolds have been around.

      Won't somebody think of the children?!?

    7. Re:While I don't have any use for the program by quickOnTheUptake · · Score: 3, Informative

      Most warrants are specific

      Yes but IIRC, in the US, they can use any evidence, even of a crime other than what the warrant was initially for, if they found it while carrying out a legitimate search, while acting within the scope of the warrant.
      This happens with Terry stops all the time: The officer has a right to perform a limited search of a suspect (a pat down) to ensure he isn't armed, but in so doing finds a nickel bag, which he can keep as evidence, even though that wasn't what he was allowed to look for.
      I believe this goes back to the plain view doctrine.
      Car analogy: If they have a warrant to search your car for coke, and while searching, notice a bloody body in the trunk and a machete with your fingerprints and the victim's blood on it in the glove box, they can certainly charge you with murder, even though that's what the warrant was for.
      IANAL

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    8. Re:While I don't have any use for the program by blueg3 · · Score: 1

      COFEE is a live-response tool. It's by no means sufficient to audit the effectiveness of your cleanup procedures.

    9. Re:While I don't have any use for the program by quickOnTheUptake · · Score: 1

      . . . that's not what the warrant was for.
      FTFM

      --
      Mod points: Guaranteed to remove your sense of humor.
      Side effects may include gullibility and temporary retardation
    10. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      TrueCrypt would be perfect for their needs.

    11. Re:While I don't have any use for the program by dkleinsc · · Score: 4, Informative

      Well, that sort of thing comes from the idea that if we don't tell kids about sex then they won't have it. You know, unlike their parents, grandparents, great-grandparents, and great-great-grandparents.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    12. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      But what if it's not that basic? WHAT IF IT'S NOT?!? You might end up floating face down in a BLOODY swimming pool that people have PEED in!

    13. Re:While I don't have any use for the program by cawpin · · Score: 3, Informative

      But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

      No they can't. They can only seize it if it is illegal, by itself, for the owner to possess. Now, if they find drugs as well they can probably do so under the right circumstances.

      Owning a firearm, in and of itself, is not illegal for most people. This, of course, excludes certain persons such as felons, the mentally unstable and most legal, yes legal, aliens.

    14. Re:While I don't have any use for the program by RobertLTux · · Score: 1

      Plus, if they find Y (or evidence of Y) during a search for X, they can in fact ring up a judge to amend the warrant to include Y or W or Z or ...
      This can also be used to expand the search area if evidence supports same (they have a warrant for your house but not the grounds, and they see something in the house that points to your shed in the garden having evidence; they can get the warrant expanded to include the grounds, which they should have had anyway).

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    15. Re:While I don't have any use for the program by nairb774 · · Score: 2, Informative

      IANAL, but I think the concept you are looking for is "in plain sight". Programs like this make a lot more things on your computer become visible in a standard search - enough so that the question of whether it qualifies for "in plain sight" has been discussed here and a court case reported on in a slashdot article.

    16. Re:While I don't have any use for the program by DarkOx · · Score: 1

      Um, warrants are specific, but you certainly can be prosecuted based on evidence discovered pursuant to an otherwise legal search on an unrelated matter. So hypothetically let's say the police suspect you of dealing in child porn (sense you used that example) and get a warrant to search your computer for electronic mails relating to that activity.

      If they then open your mail program and the first 10 message subjects displayed are all "hey man it's your bookie where is my money for the CAVs game yesterday" they would have probable cause to suspect you of another crime, open those mails and investigate. You then could certainly be brought up on gambling charges as well. Now if the warrant mentioned nothing about searching the fridge and the police decided to open it up and found the coke(caine) you keep in there you might have an argument; a court might find it was unreasonable to search the fridge for additional evidence of child porn while executing a warrant to search a computer and remove any shoe boxes of photos from the closets.

      IANAL but it's never in your interest to be searched by the police; evidence is only tainted if it's discovered during an illegal search. If you let them in and say "sure take a look around" and they find anything you can be on the hook.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    17. Re:While I don't have any use for the program by Rabbitbunny · · Score: 1

      (sense you used that example) ...Are you joking?

      (since you used that example)

    18. Re:While I don't have any use for the program by Zouden · · Score: 0

      If they're looking for drugs and they find a pistol in a sock drawer (rather than a proper gun safe), I think most judges would agree that it's reasonable for them to seize it.

      --
      "A week in the lab saves an hour in the library"
    19. Re:While I don't have any use for the program by thuerrsch · · Score: 1

      Owning a firearm, in and of itself, is not illegal for most people.

      This may be true for many parts of the U. S. A. In much of the civilized world, however, owning a firearm is indeed illegal for most people. Here in Germany you even need a special license for many types of knives. Which, in my opinion, is a good thing, but that's a different matter altogether.

      --
      most of what follows is true
    20. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      "No they can't" and what they will do are two completely separate things.

    21. Re:While I don't have any use for the program by rhook · · Score: 1

      Here in the US legal aliens can purchase and own firearms if they keep a valid hunting or fishing license.

    22. Re:While I don't have any use for the program by maxwell+demon · · Score: 1

      Here in the US legal aliens can purchase and own firearms if they keep a valid hunting or fishing license.

      I doubt it's a good idea to allow extraterrestrial life forms which grow inside people to own firearms. :-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
    23. Re:While I don't have any use for the program by cawpin · · Score: 1

      No they wouldn't. There is nothing saying you have to keep a gun in a safe. That is an unreasonable request for most people that only own a gun or two. Buying a $300 safe isn't a good buy to lock up a $100 gun.

      In my case, safes are necessary but in most they are not.

    24. Re:While I don't have any use for the program by cawpin · · Score: 2

      This may be true for many parts of the U. S. A. In much of civilized world,

      Don't pull that "civilized world" shit. Your government telling you that you can't own them is quite uncivilized. I suppose you think the police are there to protect "you" as an individual, too.

      Which, in my opinion, is a good thing, but that's a different matter altogether.

      Well, you're wrong. See above.

    25. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      Your computer proves that you played poker online once last year, enjoy your 2+ year federal sentence

      What sort of backward, third world, Taliban-inspired place would you have to live in where you could get 2 years in jail for playing poker?

    26. Re:While I don't have any use for the program by norpy · · Score: 1

      I hate to burst your "I'm an American and I'll do what I want" bubble, but some countries have laws that state just that. I believe the Australian laws also state that a gun isn't to be stored loaded in the safe.

    27. Re:While I don't have any use for the program by PitViper401 · · Score: 1

      Well then it must suck to be a chef in Germany.

    28. Re:While I don't have any use for the program by norpy · · Score: 1

      Some countries have very strict limits (and taxes) on gambling. Online poker is illegal in Australia but you are welcome to go down to the local casino and play some hands.

      Personally I think that is reasonable, these online poker sites are run from outside the reach of our country's laws - both from a tax and a "we have no idea if this site is 100% scam" point of view.

    29. Re:While I don't have any use for the program by Lloyd_Bryant · · Score: 1

      No they can't. They can only seize it if it is illegal, by itself, for the owner to possess. Now, if they find drugs as well they can probably do so under the right circumstances.

      Actually, they *can* seize a perfectly legal weapon, if the police can assert that they felt it was necessary to do so to ensure their safety while performing the search. Of course, if they do this, they have to give it back again (I'm assuming they can make you jump through hoops to get it back).

      That said - I didn't explicitly state it was an unlawful weapon (unregistered, in possession of a felon, etc), but that *was* what I meant. A better example would be if they were searching for cocaine, and in the course of the search found kiddie porn.

      --
      Don't tell me to get a life. I had one once. It sucked.
    30. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      Controlling/denying sexual urges is by far the most effective way to make and keep a person submissive and aggressive. And it serves to get people to act irrationally in supporting that which suppresses them. A perfect example of this would be the teabaggers and the double life of their "leaders" (father figures).

      - FT

    31. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      Good thing? I'm sure all those people suffering due to the amusingly high rate of burglary, mugging and rape in the UK would disagree. Needless to say, once they got rid of guns and knives the murder rate didn't budge but the others went up. After all, when you know your target can't protect themselves it's so much easier to commit a crime. And if you trust the police? Heck, they're too busy to even investigate crimes like burglaries since there are just so many of them.

    32. Re:While I don't have any use for the program by Sir_Lewk · · Score: 1

      In the context of a legal discussion on an American-centric website*, I think it is a fair assumption that most of the parties involved are talking about US laws. If we throw that assumption out the window then the "searches require a warrant" statement could also be considered false.

      *Yes it is, and it has never pretended to be otherwise.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    33. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      Owning a firearm, in and of itself, is not illegal for most people. This, of course, excludes certain persons such as felons, the mentally unstable and most legal, yes legal, aliens.

      Aliens - surrender your weapons!

    34. Re:While I don't have any use for the program by cawpin · · Score: 1

      I agree with Sir Lewk's comment.

      I hate to break it to you but I don't have a bubble to burst. Using Australia as an example for ANY firearm law is ludicrous. Their current laws were put into place in an over the top reaction to a psycho who shot some people.

      An armed society is a polite society.

    35. Re:While I don't have any use for the program by djfuq · · Score: 0, Troll

      Armed and polite, like America, Africa and the middle east just to name a few armed regions of the world... very polite indeed.
      Guns make police officers quite polite, don't you agree?
      Murder is a very polite way of saying "fuck you" is it not?
      polite.

      --
      Dj fuQ [url="http://djfuq.org"]djfuq urges you to listen to the beats[/url] [url="http://djfuq.org"]http://djfuq.org[
    36. Re:While I don't have any use for the program by CodeBuster · · Score: 1

      It is said the software can decrypt passwords and access otherwise inaccessible files

      This is probably true if one depends upon Microsoft products for their security (ha). However, I would wager that the sorts of people that COFEE is typically used against are not depending upon the built-in Microsoft file encryption for their security needs. They probably use open-source security tools (non-Microsoft browser with private browsing, TrueCrypt or other Full Disk Encryption software, and hidden partitions/OS). There are generally two types of people in this world when it comes to security; (1) those who don't give a shit and don't use any security beyond writing their user account password on a sticky note and posting it on their monitor AND (2) those who care deeply about their security and privacy and take the time to research, acquire, and use the best available technology and tools. Slashdot has many of the latter and few, if any, of the former. I have never met anyone who is lukewarm on security; they either care and are all in or they respond, "what's that" when asked about basic computer security. The "what's that" crowd are the same people whose used computer gets shipped to Africa, complete with original hard drive and old bank spreadsheets (which they thought were "deleted"), and then wonder how their identity was stolen.

    37. Re:While I don't have any use for the program by the_womble · · Score: 1

      Yes but it stops the paedophiles because...er.....

      Well, there ought to be a law.

      Anyway, if legislators did not pass laws about everything people panicked about, we might realise how useless they are.

    38. Re:While I don't have any use for the program by ifwm · · Score: 1

      "What sort of backward, third world, Taliban-inspired place would you have to live in where you could get 2 years in jail for playing poker?"

      Nowhere in the US, except Washington state.

    39. Re:While I don't have any use for the program by ifwm · · Score: 1

      "Personally I think that is reasonable"

      Then you're part of the problem.

      There's no legitimate reason to make a criminal out of the PLAYER because YOU are irrationally concerned about the site being a scam, and tax laws already deal quite effectively with the revenue issues.

      In short, you're completely wrong.

    40. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      Hmm, that explains the American attitude against the rest of the world. If you use the same word for human-beings coming from a different surface of dry soil as you use for extra-terrestrials.

    41. Re:While I don't have any use for the program by craagz · · Score: 1

      Maybe this will be perfect for everybody's needs.

    42. Re:While I don't have any use for the program by AmiMoJo · · Score: 1

      What I'd like to know is does this thing work with autorun disabled? Say your PC is booted up but locked, will this thing be able to access the data on it?

      It's important because if it can then it bypasses the usual autorun mechanism, which as a security precaution I leave disabled and which Vista/7 put up UAC prompts for. I already disabled my Firewire port because that can be used to access the computer's RAM via DMA without any user interaction.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
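The script below is an added example and not part of the original thread. It checks, and with the "fix" argument enforces, the two precautions the poster above describes on Vista/7 from a cmd prompt: the NoDriveTypeAutoRun policy value set to 0xFF, which disables AutoRun for every drive type, and the SBP-2 driver service (sbp2port) set to start type 4 (disabled), which is Microsoft's documented mitigation for IEEE 1394 (FireWire) DMA attacks. The script name and the "fix" argument convention are this example's own assumptions; the sbp2port key only exists on machines where a 1394 stack is installed.

```batch
@echo off
REM Added example, not from the original post: report (or with "fix" enforce)
REM AutoRun-disabled and SBP-2-disabled on Vista/7. Run from an elevated prompt.
REM Usage:  harden_removable.bat        (report only)
REM         harden_removable.bat fix    (write the settings)
setlocal

set "AUTORUNKEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
set "SBP2KEY=HKLM\SYSTEM\CurrentControlSet\Services\sbp2port"

echo == AutoRun policy (NoDriveTypeAutoRun, 0xFF = disabled for all drive types) ==
REM reg query exits non-zero when the value is absent, which means the policy
REM has never been set and AutoRun is at the OS default.
reg query "%AUTORUNKEY%" /v NoDriveTypeAutoRun 2>nul || echo NoDriveTypeAutoRun not set (OS default)
if /i "%~1"=="fix" (
    reg add "%AUTORUNKEY%" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f
)

echo.
echo == SBP-2 (1394 storage) driver start type (4 = disabled) ==
REM An SBP-2 device is what a FireWire DMA tool impersonates to get a DMA
REM window into RAM; disabling the driver closes that path.
reg query "%SBP2KEY%" /v Start 2>nul || echo sbp2port service key not present (no 1394 stack installed)
if /i "%~1"=="fix" (
    reg add "%SBP2KEY%" /v Start /t REG_DWORD /d 4 /f
)

echo.
echo Note: these settings only close the no-interaction paths (AutoRun, 1394 DMA).
echo A console that is unlocked, or a session with disk-encryption keys in RAM,
echo is still exposed to a live-response tool run by someone at the keyboard.
endlocal
```

Re-run the script without an argument after applying "fix" to confirm both values read back as expected; the sbp2port change takes effect on the next boot, and the AutoRun policy applies to Explorer sessions started after it is written.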
    43. Re:While I don't have any use for the program by donscarletti · · Score: 1

      "Personally I think that is reasonable"

      There's no legitimate reason to make a criminal out of the PLAYER because YOU are irrationally concerned about the site being a scam, and tax laws already deal quite effectively with the revenue issues.

      The grandparent was discussing Australia. Nobody is going to be fined or even tried by an Australian court for playing online poker. I'm not sure what the case is when something is banned in other countries, but in Australia, generally it just means it can't be advertised or be dealt with over the counter. Heaps of things are illegal in Australia, it doesn't mean you're going to get a criminal record for doing most of them anyway. Weed is illegal in Australia, it doesn't mean that you can't buy it or you'll be thrown into gaol for doing so, it just means that kids aren't bombarded with advertisements for it in supermarkets. Hard core pornography is banned from sale in all Australian states, but you can get it over the counter in stores country wide. Illegal in Australia just means "keep it in your pocket in public or the police will take it off you".

      Most of Australia's laws are in place because most Australians are stupid and can't take care of themselves. Australia, like every other country is mostly filled with morons. The government tries to protect them from scammers because its job in theory is protecting the weak from the strong. This applies to the intellectually weak as much as the physically weak. The laws are not in place to punish morons.

      And tax laws don't deal with the revenue issue because the sites are outside the jurisdiction where they are taxed. Dah.

      In short, his position is completely justifiable. Maybe it's just cultural differences between America and Australia. In America, freedom is an ideal. In Australia, freedom is just doing what you want. I've been to America more recently than Australia; it's a nice enough country, but I did get the feeling that everyone wanted me to do more or less what I was told, whereas in Australia, people kind of hope that you play up a little. Australia has laws that would make a patriotic American's eyes fog with rage, but there are far fewer Australians in prison per capita and it's an ex-penal colony. What does that say?

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
    44. Re:While I don't have any use for the program by pla · · Score: 1

      What I'd like to know is does this thing work with autorun disabled?

      You use virtually all forensic tools like this on an offline system - Meaning that you most likely boot to it, and it inspects the HDD in read-only mode.

      Actually using this on a live, running system just begs to have any findings thrown out on grounds of tampering with the evidence... "So, you use this little USB stick on a lot of machines, Officer? Did any of those machines have a virus? Congratulations, you didn't find child porn, you installed it!".

    45. Re:While I don't have any use for the program by AmiMoJo · · Score: 1

      COFEE runs on a running system. Encryption is a big problem for law enforcement so they need tools which can grab keys from a working system. If you read the documentation it states that the software is designed to have as little impact on the running system as possible.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    46. Re:While I don't have any use for the program by Anonymous Coward · · Score: 0

      You know, CP is what happens when someone DOES think of the children.

  4. on a live computer system? by nurb432 · · Score: 4, Insightful

    So, don't run windows, encrypt your drive with hidden partitions and turn the thing off when the cops arrive.

    --
    ---- Booth was a patriot ----
    1. Re:on a live computer system? by Slim+Backwater · · Score: 1

      Yes, and install a Big Red Switch.

    2. Re:on a live computer system? by Anonymous Coward · · Score: 3, Interesting

      One of the things that happened during the "Hacker Crackdown" in 1990 was that Law Enforcement were trained to quickly separate people and their computers. Then take pictures of the set-up before touching anything. IDK if that is still the case or if they do it for, say, any old warrant they are serving.

    3. Re:on a live computer system? by buchner.johannes · · Score: 1

      And watch out for evil maids installing malware that subverts your encryption and sends/stores everything unencrypted.
      And don't tell me that ain't easy with Linux.
      That's right, you can never leave your computer unlocked unattended. Realistic?

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    4. Re:on a live computer system? by acheron12 · · Score: 1
      --
      there is no god but truth, and reality is its prophet
    5. Re:on a live computer system? by CodeBuster · · Score: 1

      Most computers can be hard shutdown in seconds by cutting the power. It would be extremely difficult to sneak up on someone fast enough, particularly in their own residence, to prevent them from flipping the power switch.

    6. Re:on a live computer system? by syncrotic · · Score: 1

      Mercury tiltswitch from a thermostat + relay. Cuts the power if anyone tries to move your box. It wouldn't be hard to wire it such that it sends mains voltage to your hard drives instead, but I stopped short of that because I was just doing it for fun and didn't want an accidental kick to the tower to destroy all of my data.

    7. Re:on a live computer system? by Anonymous Coward · · Score: 0

      The difference is that the police generally believe that they are not a force for evil. And they definitely need to give off the appearance of not being a force for evil. Thus, they tend to be less willing to do things that are obviously and unequivocally evil. At least where others might find out.

  5. Not having seen the app, but by Anonymous Coward · · Score: 5, Insightful

    From the description on the link site, which I think was quoting MS about what does an untrained beat cop do when they find digital evidence? Step back, don't touch it, and call in the law-enforcement folks who are trained and won't destroy the evidence. It's hard enough to get a jury to understand evidence pulled off of a computer - these folks see viruses or similar on their own machines that "just magically appears" so surely the defense's argument that the kiddie porn just magically appeared on his client's machine is completely possible. Having the defense say, "Mr. Officer, you admit to having no background in computer forensics, and you admit to not knowing what the program does. You admit to clicking on the talking paperclip when it said, "I see you are trying to bust a felon. Would you like me to help you?" but have no idea what then happened? Your honor, I move that the case be dismissed because the so-called evidence has obviously not followed the proper evidentiary chain." I'm posting anon because I've gone through the proper training at places like FLETC and it's something they drill into us, time and time again. If you're not sure you're qualified to handle investigating the content on the computer, don't touch it. Get someone who is qualified.

    1. Re:Not having seen the app, but by ledow · · Score: 5, Insightful

      I would think even mere insertion of a USB device into a computer could lead to all sorts of problems - what if that USB key had a virus that transferred itself to the PC and then deleted itself from the USB device? The fact that this is a bog-standard set of files means that someone has to put these programs onto a writable USB drive (it's possible it's write-once but I would be dubious of that actually being the case) and then plug it into a computer - exactly the action that companies block by default because of the potential for rogue programs to be introduced and destroy/modify data.

      Want to put someone in jail? Put something illegal on that USB drive, plug it into their computer with an autorun script that copies itself over and then deletes itself (and the script) from the USB drive. Then claim that it was a *different* drive you put in and submit a "clean" drive as evidence if they demand to see it.

      Not to mention that actually doing *anything* on the original PC is damn stupid anyway but relying on a USB stick to run it? That's got to be asking for trouble. Oh, and disable USB and you've just stopped that attack.

      I was always told that *anything* capable of writing to the drive or modifying the data you're trying to access was a no-no... that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image. Saving transient information onto a writable USB stick by execution of a program from that stick? Sounds like a recipe for disaster. That's gotta touch your swap or do something to memory in order to execute and proving that happened cleanly and provided a complete accurate copy of the contents of RAM/disk/swap before you plugged it in is probably impossible.

    2. Re:Not having seen the app, but by Anonymous Coward · · Score: 0

      maybe they are using a bootable live-usb? it could be set up so that no writing is done

    3. Re:Not having seen the app, but by ledow · · Score: 1

      The idea of the utility-pack is to be run when the OS is still working (e.g. to capture passwords that are still in memory etc.). Bootable devices are another thing entirely. Such "off-line" analysis is much easier to do by just copying the drive in a special device that has no write logic to the source drive at all. You wouldn't risk an entire investigation just because you used a bootable CD to access the hard drive first, you'd access the copy.

    4. Re:Not having seen the app, but by Anonymous Coward · · Score: 1, Informative

      In an academic environment yes, but unfortunately the courts are happy to accept that "all efforts were made to ensure the tools used on the live system were free from tampering and their effects on the live system are documented to not damage the integrity of the system's normal operation" thus the evidence gathered using such tools on a live system is usually accepted.

    5. Re:Not having seen the app, but by Anonymous Coward · · Score: 1, Insightful

      Once again, slashdotters seem to think that because something involves a computer it's a new concept, rather than one that has been around since the beginning of civilization.

      How is that ANY different than any other case where someone given the task of investigating a crime decides to set up a frame instead? It's not. Planting files on someone's hard drive is exactly like planting fingerprints. Or before fingerprints, planting a gun. Or before guns, planting a weapon with blood on it.

      Please stop thinking that this is some new problem that you're solving, or that society is going to shut down because this is an unsolvable problem (which it is to an extent, and always has been since humans first stood upright).

    6. Re:Not having seen the app, but by Anonymous Coward · · Score: 0

      Ah. Sweet memories of beautiful downtown Clynco. Does the Mean Green Machine still train there?

  6. I like TEA by BadAnalogyGuy · · Score: 0, Offtopic

    I like my tea green.

    But I'd probably give MS Support a call just to talk to this lady. I'd love to add some cream to her mug.

    1. Re:I like TEA by thetoadwarrior · · Score: 2, Funny

      I thought the same thing and pursued her only to find out the "her" is a he. I became the 2nd person to throw chairs at MS.

    2. Re:I like TEA by CarpetShark · · Score: 1

      That lady is most likely a model who was photographed by someone else, who in turn sold a photo license to microsoft.

    3. Re:I like TEA by CarpetShark · · Score: 1

      I don't know about talking to her or putting cream in her mug, but if you look through the comments below, you can get a pic at 12k resolution for ~£700. Once you've seen her skin magnified that much, you'll likely be cured of any interest you once had ;)

  7. "Microsoft COFFEE Spilled" by beatsme · · Score: 5, Funny

    Come on, the setup is so obvious!

    1. Re:"Microsoft COFFEE Spilled" by noidentity · · Score: 1

      Microsoft coffee may seem nice in the morning, but you'll always crash later in the day.

    2. Re:"Microsoft COFFEE Spilled" by Blakey+Rat · · Score: 1

      Raymond Chen wrote a blog posting about this: http://blogs.msdn.com/oldnewthing/archive/2009/11/05/9917671.aspx

      The installers of the coffee machine didn't consider the number of visitors. I don't see what it has to do with software leaking though.

    3. Re:"Microsoft COFFEE Spilled" by AniVisual · · Score: 1

      Read it again. It's Microsoft CO-FEE masquerading as COFFEE.

  8. As someone in the Security Field... by Anonymous Coward · · Score: 0

    I can tell you that Microsoft COFEE isn't remotely useful for anyone doing bona fide forensics work either.

    1. Re:As someone in the Security Field... by Manip · · Score: 1

      What does someone in the "security field" know about a digital forensics tool?

      Very few people are actually in the security field, and most who claim to be have posted a bug on a mailing list and set up a site talking about how to "hack" with Visual Basic.

    2. Re:As someone in the Security Field... by Dr.+Evil · · Score: 1

      There's nothing wrong with that. Some guys come out of the IT trenches and some come out of the management world. Most of these security guys are presenting themselves to middle and upper level management. They only need to know how to make charts and graphs, for which VB is really very good.

      They of course also need to know how to get policies signed, walk into strange meeting rooms, identify and get key people into meetings to understand those policies, implement and audit them regularly. If they have time to pick up a little bit of VB hacking on the side, I'm happy that they can better understand the nuts and bolts. VB is fun in small doses.

      I downloaded it. This little thing might be interesting :-)

    3. Re:As someone in the Security Field... by Anonymous Coward · · Score: 4, Informative

      I've been doing computer forensics for twenty five years. I am the original poster and I happen to know exactly what I'm talking about, having been prompted to give detailed feedback about Microsoft's COFEE "suite".

      The lowdown:

      It doesn't do anything that any number of freely available, open source tools don't do (most of which, or at least most of the lineage of which, can be found in Knoppix-STD (www.knoppix-std.org)), and it happens to do them poorly.

    4. Re:As someone in the Security Field... by Dr.+Evil · · Score: 4, Interesting

      Why has the STD distro not been updated in over 5 years?

      Have you tried http://www.remote-exploit.org/backtrack.html? It's geared towards pen testing and ethical hacking... but it's VERY good, and modern.

    5. Re:As someone in the Security Field... by Angostura · · Score: 4, Insightful

      If only you'd bothered to write that in the summary, rather than the clever-clever "You don't need this" shenanigans. Half these initial posts could have been avoided.

    6. Re:As someone in the Security Field... by jcr · · Score: 2, Funny

      So what you're saying is that it's a true Microsoft product, amirite?

      -jcr

      --
      The only title of honor that a tyrant can grant is "Enemy of the State."
    7. Re:As someone in the Security Field... by Anonymous Coward · · Score: 0

      Except half of the software is not set up correctly, seeing as it's been set up by people who added it as an afterthought; this is evident when it comes to logging options.

    8. Re:As someone in the Security Field... by Anonymous Coward · · Score: 0

      It would still be interesting to dissect COFEE to see if there are any backdoors that MS uses to gain access to certain things that the Security Tools access the "official" way. The only reason MS would be so super-secretive about this tool would be for marketing reasons...

    9. Re:As someone in the Security Field... by Minwee · · Score: 1

      If only you'd bothered to write that in the summary, rather than the clever-clever "You don't need this" shenanigans [...]

      ...then it would have been cut out as not being sensationalist enough for an article summary.

      You're new here, aren't you?

  9. Useless? by dandart · · Score: 0

    It doesn't even make you hyper, either!

    Hmm, must be decaf,

    1. Re:Useless? by jep77 · · Score: 0

      Of course it doesn't... it's missing the necessary double F.

      Boring story so far.

  10. The Solution? HURD! by Bananatree3 · · Score: 4, Funny

    It's a tool written by Microsoft, for Microsoft products. Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As an added bonus, there's no viruses, no nasties that'll install on your system. No COFEE or other LEO programs to infect your privacy.

    HURD...The only sensible solution.

    1. Re:The Solution? HURD! by Dogtanian · · Score: 1

      Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As an added bonus, there's no viruses, no nasties that'll install on your system.

      Are you fucking serious?! The HURD has been in development for almost 20 years, still isn't properly finished, and I've never heard of any software for it, aside (I assume) from the GNU stuff that forms the basis of any Linux distro anyway.

      The HURD has likely missed the boat anyway, Linux drove it away years ago.

      --
      "Slashdot - News and Chat Sites Deviant". (Click "homepage" link above for details).
    2. Re:The Solution? HURD! by heeen · · Score: 1

      Woooosh!

    3. Re:The Solution? HURD! by supersat · · Score: 2, Insightful

      There's no viruses or nasties for it because NOTHING RUNS ON IT. ;)

    4. Re:The Solution? HURD! by Anonymous Coward · · Score: 0

      Maybe the most hilariously brain-damaged troll I've ever seen. Approval!

    5. Re:The Solution? HURD! by Anonymous Coward · · Score: 0

      Wooooosch

    6. Re:The Solution? HURD! by SLi · · Score: 1

      Maybe. Except things like Firewire (and some USB controllers) allow a device to read all the memory, so they are practically operating system agnostic. They can just grab a live memory image of your Hurd running, which will contain the hard drive crypto key (the only really interesting piece of information I can think of, if your HDD is not encrypted, you don't have much privacy anyway).

  11. DECAF by Anonymous Coward · · Score: 3, Funny

    "Won’t be long before DECAF is released, which will block attempts to use COFEE on your machine, I’m sure."

    -- Mister Toast, Nov 08, 2009, 13:58

    1. Re:DECAF by beatsme · · Score: 1

      Why was this downmodded? The metagods frown upon your sense of humor, Mr. Coward.

    2. Re:DECAF by Anonymous Coward · · Score: 0

      We humans are fallible.

      Thanks for standing up for me. :)

    3. Re:DECAF by Anonymous Coward · · Score: 0

      If the investigator is stupid you might figure out a way to block execution of any exe file named runner.exe (the name of the main executable in the forensics tool; this might actually be possible with some anti-viruses, then you could password protect the settings of your AV). Or you might be able to set up a script/batchfile that deletes everything on a USB device that has that particular executable too and then shuts down the machine or maybe formats the computer when this file is detected.

      Just a few ideas from the top of my head.

    4. Re:DECAF by Anonymous Coward · · Score: 0

      Thought of a few more ideas: you could also make encrypted volumes unmount (TrueCrypt, PGPDisk), securely wipe browser history, wipe certain directories, and if you have more than one computer you might send some trigger over the network to make all your computers do the same thing and then shut down. Man, I'd like to see the look on the investigator's face when the fireworks go off. Just for good measure you might end the whole thing with a popup displaying some creative statement.. or do everything in the background to make everything look clean as a whistle.

      Second thought, triggering this simply upon detection of "runner.exe" might be overkill (name is too generic), might also want to check if the name of the device is COFEE and check for the bin directory that contains the commands that runner.exe executes.

    5. Re:DECAF by Anonymous Coward · · Score: 0

      Bah...MS will be emailing out new procedures and telling them all to change the file names by Monday morning.

  12. Creation of Adam... thought it was the same story by jep77 · · Score: 3, Funny

    At first I thought these two stories were related.
    http://gizmodo.com/5399583/famous-paintings-reproduced-in-coffee
    I was about to download the MS tool so I could create my own spectacular tasting, eye-opening, knock-off classic art.

  13. Bloody DUH by Shoten · · Score: 4, Insightful

    Well, of course it's useless to most of them...but that has nothing to do with whether or not COFEE is any good. Let's face it; how many casual downloaders are going to need a forensics toolkit? They already have access to all of their own files, and already know what they've been doing with their system. And COFEE is not meant to be a "point and shoot" system; it's really meant for professionals that know what they're looking for to some degree. So getting a copy and using it doesn't instantly give you some insight into how computer forensics work.

    --
    For your security, this post has been encrypted with ROT-13, twice.
  14. "COFEE is 100 percent useless to you" by thomasdz · · Score: 0, Redundant

    with that ringing endorsement and the spelling that looks annoyingly like "coffee", but not quite... I didn't even read TFA
    I'm not even sure why I'm even commenting.
    This is kinda like the message you occasionally see on Slashdot for idle.slashdot.org "don't go there"

    --
    Karma: Excellent. 15 moderator points expire sometime.
  15. Useful by Ilgaz · · Score: 1

    If you are Red Hat racing with MS, you can use this tool to prove that their platform can't be trusted. All you need to do is run it.

  16. Of course it's useless... by lisany · · Score: 1, Redundant

    I don't run windows.

  17. Ummm.... well.... by Le+Marteau · · Score: 5, Insightful

    > No, COFEE is 100 percent useless to you.'"

    Yes, and the software that runs voting machines is "useless to us", too.

    I think the submitter is missing the point. This (probably) closed-source tool by Microsoft (that bears repeating... by MICROSOFT) is going to be used by law enforcement to help throw people in jail. If for no 'practical' use, now that COFEE is leaked, people will be able to reverse-engineer it and see exactly what it is doing, and how. That is a good thing.

    --
    Mod down people who tell people how to mod in their sigs
  18. free alternative by telenut · · Score: 3, Interesting

    Ok, the tool from Microsoft is 'free' also, but here is something with way more options: http://wiki.hak5.org/wiki/USB_Switchblade

  19. Not having seen the app, but by Anonymous Coward · · Score: 0

    I would think even mere insertion of a USB device into a computer could lead to all sorts of problems.

    I was always told that *anything* capable of writing to the drive or modifying the data you're trying to access was a no-no... that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image.

    You are 100% correct. Anytime you access the filesystem or memory of a running computer system there is the potential to inadvertently alter the contents thereof. Such actions are not forensically sound.

  20. Stock photography sucks by Anonymous Coward · · Score: 1, Informative

    Bingo. First thing I thought was "generic stock photograph". That one's not too bad, but some of them are really obvious, like the ones of three people standing round a computer in a modern-looking airy office, smiling their white teeth and looking "businesslike". Really obvious stock photo that makes anyone that uses it look cheesy.

    1. Re:Stock photography sucks by IceD'Bear · · Score: 1

      Stock photo indeed (via TinEye): http://www.inmagine.com/bld087/bld087082-photo

    2. Re:Stock photography sucks by bickerdyke · · Score: 1

      You mean like you could find here: http://www.headsethotties.com/ ?

      --
      bickerdyke
  21. Yummy! by ttyX · · Score: 1

    Nothing beats a digital cup of coffee...

  22. I am betting that it includes OSS code by Anonymous Coward · · Score: 0

    More likely than not, MS has included code from one of the many OSS tools out there for doing this. I would also guess that it borrows from some virus.

  23. Hmm... I wonder by Sfing_ter · · Score: 1

    I wonder... does cofee have a java component?
    Can Cofee check my Kaffeine history?

    --
    A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
  24. Yes, but does it run Gnu/Linux on Alpha and others by Anonymous Coward · · Score: 1, Informative

    Having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, I'd say the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).

    I saw the photos of the damage caused by the Calgary Police; cut keyboard cables, broken doors, general damage done to the house, broken commercial (legally bought PS3 games, music, films) CD/DVD/BDs, broken case covers and cut USB cables are just some of the damage left in the Calgary Police's wake.

    The items stolen by the Calgary Police under a possibly false warrant included TVs, old laptops from the mid-90s, USB media, most items labeled Sony, SUN Sparc systems, Compaq Alphas, a PS3, network switches, and anything the Calgary Police felt proved his innocence. The official list of items stolen was never provided to him, as the Calgary Police refused to provide it, even to his lawyer.

    He was handcuffed, body searched, and threatened by Calgary Police with their hands on their pistols to hand over passwords. He refused, and took physical damage. He feels he would have been shot if his lawyer and minister hadn't been contacted.

    When the Calgary Police found Gnu/Linux on most systems, they told him 'Only hackers use Linux'.

    No charges were laid as a result of the raid. Calgary Police had the items for more than 6 months. When the items were returned, some were no longer working.

  25. Nice but there are more robust tools by acedotcom · · Score: 1

    ...i know this is a tool for n00bz, but it is seriously lacking in several areas. First of all, it even says in its dox that it is only supported on a suspect's computer running Windows XP, which is still pretty good and better than nothing. Secondly, if the suspect's computer doesn't have autorun enabled you have to go to the USB drive and run the EXE on the suspect's computer... meaning that if the computer is BIOS locked, encrypted on boot, or password protected, then the user must log in to execute the EXE. I downloaded it and ran it, but it is ineffective against my W7 machines (password protected, encrypted). Understanding that if you don't give cops your password when they request it, they can charge you with obstruction of justice and then just move up to REAL computer forensics.

    I know it's not perfect, and it isn't designed for the "1334", but it just seems useless if you are going up against someone who is REALLY paranoid or very secure. It seems like if someone has their computer as open as it needs to be to run COFEE, you wouldn't need the tool in the first place, just someone remotely proficient in computers.

    --
    they say it is often more relevant than the comment above, all we know is its called the Sig!
  26. Grammer patrol by Anonymous Coward · · Score: 0

    Please think about consulting a dictionary. "Enthused" is not an adjective. It is a verb. It is something you do, not a characteristic state of being. "Enthusiastic" is the word you are looking for.

  27. What's the big deal? by Anonymous Coward · · Score: 0

    I don't see why this is a big deal. If this were ever used to produce evidence to be used at trial in an actual criminal case, they would have to share that info with the defense. So I'm not sure what the big secret is.

  28. Cofee leak by VGPowerlord · · Score: 1

    How do we know that Microsoft didn't intentionally leak this?

    Maybe they did it so that they can start selling Microsoft CREAM!

    --
    GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  29. Re:Yes, but does it run Gnu/Linux on Alpha and oth by jcr · · Score: 1

    No charges were laid as a result of the raid.

    WTF? Why didn't he file charges against them?

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  30. What about locking your computer? by Myria · · Score: 1

    Would this utility be useless if you lock your computer when you get up from it? If so, the criminally-minded among us should do that.

    If it works even with the computer locked, it implies a Microsoft back door into Windows. I doubt this.

    --
    "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
    1. Re:What about locking your computer? by rcolbert · · Score: 1

      Winkey+L is your friend. BitLocker + a printed sign on the outside of your CPU case 'contents copyright [yourname / date]'. Now you've made it a crime to circumvent your encryption of copyrighted materials. All my illegal stuff is on an external USB drive, labeled 'illegal stuff'. It is of course encrypted and every time the SWAT team rolls through my neighborhood I pull the USB cable so that if plugged back in I have to unlock the illegal stuff with a strong password (that I have written down on a sticky note so that I don't forget it.)

  31. Re:The Solution? Removable Drive Bay by Plekto · · Score: 2, Interesting

    Anyone who is truly concerned with security knows that you take your drive with you and/or lock it up at night. Thankfully SSDs are lightweight and easy to stick in a pocket. I'm amazed at how many businesses don't have any physical protection plan in place, because that's how most data ends up getting into the wrong hands.

    http://www.startech.com/item/SAT2510U2REM-InfoSafe-35-Bay-Removable-25-SATA-Drive-Enclosure.aspx
    Under $40 for this model.

  32. Re:Yes, but does it run Gnu/Linux on Alpha and oth by Anonymous Coward · · Score: 0

    In Canada it is 90 days before the Police are forced to return the items, not 6 Months.

    Calgary Police have kicked dogs to death, with little investigation. Check CBC Website for more details.

    Calgary Police have violated the Canadian Charter of Rights and Freedoms. Check Canadian News Websites for more details.

    Calgary Police have gone to people's employers and told them lies. Check the CBC and other Canadian News Websites for more details.

    It is suspected (by people who live and work in Calgary) Calgary Police are using their badges to get what they want. Check the CBC Website for more details.

    RCMP has shot (and tasered) people to death. Check CBC, CTV W5, and other news sources for more details.

    For independent video and audio, check freenet.

  33. Sysinternals by Anonymous Coward · · Score: 0

    It's basically a set of scripts that runs various sysinternals utilities and dumps the output to a .txt file when you insert a USB drive. Nothing fancy, and I'm willing to bet most system admins have written something similar themselves in the past. It's meant to be used by police officers who are not computer experts, so the experts can review the data later.

  34. MS using Suckers^h^h^h^h Customers by Anonymous Coward · · Score: 0

    Is it just me, or is there something intrinsically wrong with a company that has a history of (how do I put this delicately so the fanboys don't mod me down) security "challenges" releasing a free tool whose express purpose is cracking the operating system that was purchased, seemingly in good faith, from said company in the first place?

    My head *aspload*

    PT Barnum must have had MS customers in mind when he made his famous quote. Guess I'll just keep using Linux.

    1. Re:MS using Suckers^h^h^h^h Customers by Anonymous Coward · · Score: 0

      Same rationale that safe makers give locksmiths drill templates for their products so they can easily (easily is a relative term when you have to drill through hardened steel) disable the lock mechanism. With the template, a locksmith would take a while boring through. Without it, add to that time the fact that much more hardplate must be chewed up to be able to retract the safe door locking bolts... and the relockers that almost certainly fired off.

      This is a similar case in that Microsoft helps forensics people by giving them some basic tools. Ideally, there should be a complete toolkit that consists of a hardware write blocker apparatus for imaging and cryptographic signature tools for chain of custody.

    2. Re:MS using Suckers^h^h^h^h Customers by Savior_on_a_Stick · · Score: 1

      You're safe - no one wastes mod points on an AC.

  35. Hooray, MS is on the right track! by failedlogic · · Score: 1

    Couple of days from now there will be a HOT COFEE mod for Windows. So much more comprehensive than whatever was in GTA.

  36. Re:Yes, but does it run Gnu/Linux on Alpha and oth by GeorgeS · · Score: 1

    Some links would be useful. This is the internet after all :)

    --
    "I'd rather have a bottle in front of me than have to have a frontal lobotomy."
  37. Off-chance? by Anonymous Coward · · Score: 0

    on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread.

    That happens to me ALL THE TIME!

  38. Re:Yes, but does it run Gnu/Linux on Alpha and oth by slamb · · Score: 1

    That this person's home was raided on several occasions is probable cause for suspicion in my mind.

    That's the nasty sort of positive feedback loop from which an innocent person, once trapped, can never escape. The burden of proof should grow each time, not shrink, to prevent police harassment.

  39. Re:Yes, but does it run Gnu/Linux on Alpha and oth by Anonymous Coward · · Score: 0

    http://www.cbc.ca/canada/calgary/story/2009/06/23/calgary-huggett-child-porn-sentencing-hearing.html

    http://www.cbc.ca/canada/calgary/story/2009/07/07/calgary-police-officer-dog-death.html

    http://www.cbc.ca/canada/calgary/story/2009/06/12/calgary-police-officer-charged.html

    http://www.cbc.ca/canada/calgary/story/2009/09/17/calgary-police-cop-dog-kick-death.html

    http://www.cbc.ca/canada/calgary/story/2009/02/04/cgy-police-izzo-stewart-assault-trial-day3.html

    http://www.cbc.ca/canada/calgary/story/2009/03/18/cgy-homeless-man-verdict-police.html

    http://www.thedrunkdrivingmasses.com/2009/10/calgary-police-officer-travis-dunkle.html

    http://www.calgaryherald.com/entertainment/movie-guide/Calgary+officer+charged+with+drunk+driving+challenges+arrest/2148930/story.html

    http://www.flickr.com/photos/thivierr/3737684999/

    http://www.youtube.com/watch?v=ttVi8QjUpQU&feature=related

    You can find more on your own.

  40. Not totally useless... by ponraul · · Score: 1

    It could be a boon for counter-forensics; it wouldn't be that hard to make a root-kit that either doesn't allow COFEE to run or returns bogus information from system calls when COFEE is running.

    1. Re:Not totally useless... by SuiteSisterMary · · Score: 1

      Generally, you don't run the forensics software on the target computer; that would be stupid.

      Generally, you pull the hard drive out of the target computer, plug it into a drive duplicator (which can be as simple as a PC with an IDE cable missing the write pins), mount the duplicate, and scan it. No executables on the duplicate are actually executed.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  41. You can find EnCase on TPB also by Kernel+Kurtz · · Score: 1

    Probably a lot more law enforcement agencies use that than COFEE.

    1. Re:You can find EnCase on TPB also by jd2112 · · Score: 1

      Are you kidding? Most cops use COFEE. It's even more popular among law enforcement types than DONUTS.

      --
      Any insufficiently advanced magic is indistinguishable from technology.
  42. Scary thought... by Anonymous Coward · · Score: 0

    This from MS' COFEE page:

    "If it's vital to government, it's mission critical to Microsoft."

  43. Re:The Solution? Removable Drive Bay by Asic+Eng · · Score: 1

    People who are truly concerned with security don't get mugged?

  44. Re:Yes, but does it run Gnu/Linux on Alpha and oth by PrimaryConsult · · Score: 1

    Methinks you did not read the first line:

    As having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).

    "Many times" probably occurred due to not finding anything, and said employer continuing to insist there was.

  45. Copyright Troll? by Anci3nt+of+Days · · Score: 1

    Well it is very useful for Microsoft - they can now go after the Pirate Bay for Copyright Infringement. All hail the DMCA.

    I can already picture the Microsoft Lawyers - "THEY STOLE MY COFEE". It will be quoted in legal textbooks for years!

  46. WRONG by Anonymous Coward · · Score: 3, Interesting

    IAAGCFA. (I am a GIAC Certified Forensic Analyst)

    You are 100% incorrect.

    I would think even mere insertion of a USB device into a computer could lead to all sorts of problems

    The mere insertion of a USB device has its problems. First, you have to differentiate. Say, on a WinXP SP2 machine, a USB device has no working autostart mechanism. You can circumvent that, e.g. by using those "U3" devices that emulate a CD drive (autostart works fine with CD drives if you didn't disable autorun at all) or, like the Conficker worm does, by displaying an "open folder" icon that will result in the action of calling a program. But by default, the recent MS OSes do not allow autorun via USB sticks.

    Now, that having been said, there still are some problems with the mere insertion of a USB device. The one I know of is that typically Windows makes a "bing" noise when a USB stick is inserted. This means that the Windows "USB insertion bing noise".wav is getting read, and thus the "read" timestamp of that file gets modified. This results in the fact that after plugging in a USB stick, the forensic analyst might not be able to determine when a USB stick was last plugged into that machine prior to the said USB stick having been plugged into it. This might be especially of concern if you want to find out how a certain piece of malware entered a PC, which happened to be via a USB stick exactly the last time a USB stick was plugged into the forensically examined PC.

    So, let's go on...

    that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image.

    Well, yes, sort of. Cloning images of drives with "read-only" adaptors is done for post mortem analysis. I mean the following:

    If the investigator is called to a site with an already unplugged device, this is the usual procedure - that way it is ensured that no evidence is altered in any way.

    However, the situation is completely different when the investigator is faced with a live system, because there you have a huge amount of information that will get destroyed by unplugging the system. In former times, investigators were taught to unplug the system and then to clone the drive with a write-blocker, like you said. But this removes volatile evidence like:

    • registers, cache
    • routing table, arp cache, process table, kernel statistics, etc.
    • memory
    • temporary file systems

    See RFC 3227 - Guidelines for Evidence Collection and Archiving for more. So, when encountering a live system, switching it off and cloning the disk with a write-blocker is about as much more problematic, in terms of destroying evidence, than plugging in a forensically sound USB thumb drive as it gets.

    You see, the consequences of plugging in a forensically sound device - and plugging it in will have some consequences and ultimately result in the destruction of some evidence - can be reproduced and thus can be tolerated in court without problems. NOT plugging in that device will lead to much, much greater destruction of evidence.
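Comment 33 describes COFEE as a script that runs Sysinternals utilities and dumps the output to text files, and comment 46 makes the point that a live-response tool's footprint is acceptable in court only because it is fixed and reproducible, while comment 34.1 asks for cryptographic signatures for chain of custody. The script below is an added example that ties those three points together; it is not COFEE, and not code from Microsoft or Sysinternals. It runs a fixed list of collection steps in order of volatility (the RFC 3227 ordering the comment cites), saves each output, and writes a manifest with per-file SHA-256 digests, UTC timestamps and a running hash chain, so a reviewer can later confirm that nothing in the collection was altered. The step names and commands in DEFAULT_PLAN are constructed placeholders that only invoke the Python interpreter so the example runs offline on any platform; a real plan would call the operating system's own tools from read-only media.

```python
"""Minimal live-response collector with a hash-chained manifest.

Added example for this thread; not COFEE or Sysinternals code. Every step
is run without a shell, its output is saved to a file, and the manifest
records what ran, when, and the SHA-256 of what it produced.
"""
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timezone

# Constructed collection plan, ordered most-volatile-first (RFC 3227).
# These placeholder commands only call the Python interpreter so that the
# example works offline; real steps would invoke OS tools such as a
# process or network-state lister.
DEFAULT_PLAN = [
    ("process_table", [sys.executable, "-c", "import os; print(os.getpid())"]),
    ("network_state", [sys.executable, "-c", "print('constructed: no sockets')"]),
    ("environment", [sys.executable, "-c", "import os; print(len(os.environ))"]),
]

GENESIS = hashlib.sha256(b"").hexdigest()  # hash-chain starting value


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large outputs are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def run_step(name, argv, outdir):
    """Run one step without a shell, save stdout+stderr, return its manifest record."""
    started = datetime.now(timezone.utc).isoformat()
    proc = subprocess.run(argv, capture_output=True, timeout=60)
    finished = datetime.now(timezone.utc).isoformat()
    path = os.path.join(outdir, name + ".txt")
    with open(path, "wb") as f:
        f.write(proc.stdout)
        f.write(proc.stderr)
    return {
        "step": name,
        "argv": argv,
        "started_utc": started,
        "finished_utc": finished,
        "returncode": proc.returncode,
        "output": os.path.basename(path),
        "sha256": sha256_file(path),
    }


def collect(outdir, plan=DEFAULT_PLAN):
    """Run every step in plan order and write manifest.json; returns the manifest."""
    os.makedirs(outdir, exist_ok=True)
    records = []
    chain = GENESIS
    for name, argv in plan:
        rec = run_step(name, argv, outdir)
        # Chain each digest onto the previous one so reordering or dropping
        # a step is detectable, not just editing one output file.
        chain = hashlib.sha256((chain + rec["sha256"]).encode()).hexdigest()
        rec["chain"] = chain
        records.append(rec)
    manifest = {"collector": "added-example", "steps": records, "final_chain": chain}
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(outdir):
    """Re-hash every output and recompute the chain; True only if nothing changed."""
    with open(os.path.join(outdir, "manifest.json")) as f:
        manifest = json.load(f)
    chain = GENESIS
    for rec in manifest["steps"]:
        actual = sha256_file(os.path.join(outdir, rec["output"]))
        if actual != rec["sha256"]:
            return False
        chain = hashlib.sha256((chain + actual).encode()).hexdigest()
        if chain != rec["chain"]:
            return False
    return chain == manifest["final_chain"]


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "collection"
    print(json.dumps(collect(out), indent=2))
    print("verify:", verify(out))
```

The manifest is what makes the tool's footprint reproducible in the sense comment 46 describes: the same plan, run the same way, touches the same files on the target, and verify() lets anyone holding the output directory confirm that no file was edited, dropped or reordered after collection. Signing manifest.json (for example with a key held by the examiner) would complete the chain-of-custody step comment 34.1 mentions; that part is left out here.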

  47. About the originating tracker by tvelocity · · Score: 1

    This is probably nitpicking, but the tracker the file originated from is not "a small, private tracker".

    It is actually one of the most regarded private trackers, and the largest private music tracker currently operational. In terms of provided content, it is BY FAR the biggest private tracker on the Internet, past or present, with over 600k torrents.

    IMHO it is one of the best places for any music lover to hang out on the Internet, with a great selection of music, awesome community, and friendly staff, and it isn't really that hard to get into either.

    What is really interesting is how the upload of the original file was to fill a request with a very lucrative bounty of 1.6 TB. For one and a half years, no one really believed that the request would ever be filled, but people kept voting it up, quickly ranking it as the largest bounty on the site.

    Disclaimer: I'm not affiliated with the aforementioned tracker.

  48. Re:The Solution? Removable Drive Bay by Minwee · · Score: 1

    Anyone who is truly concerned with security knows that you take your drive with you [...] that's how most data ends up getting into the wrong hands.

    You've got that right. Many of the people I have worked with have excellent heads for business, graphic design, administration, or programming, but I still don't trust them to put their pants on the right way around every morning. Why would I want them pulling their hard drives out of their computers every night?

  49. Please stop this crap, even in jest by ifwm · · Score: 1

    Your computer proves that you played poker online once last year, enjoy your 2+ year federal sentence

    It's not a Federal crime, stop perpetuating this BS.

    There are some localities that have outlawed it, but there is no Federal law against it, and no, UIGEA doesn't outlaw it.

  50. Linux! by cpscotti · · Score: 1

    F.A.Q. zero:
    Does it work on linux?

  51. Re:Yes, but does it run Gnu/Linux on Alpha and oth by GeorgeS · · Score: 1

    Thanks AC !

    --
    "I'd rather have a bottle in front of me than have to have a frontal lobotomy."
  52. At least 2nd degree burns to the groin by Dareth · · Score: 1

    I believe you must have at least 2nd degree burns to the groin region before it validates a lawsuit.

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  53. Please stop lying by ifwm · · Score: 1

    "And tax laws don't deal with the revenue issue because the sites are outside the jurisdiction where they are taxed. Dah."

    This is the kind of stupid that needs to be stamped out.

    The players and owners of the sites are not.

    Does "Dah" mean "What I just said is colossally stupid and ignorant"? Because if so, then I agree, what you said was colossally stupid and ignorant.

    As to the rest of your poorly written and ignorant post, YOU TOTALLY MISSED THE FUCKING POINT.

    Why do you people respond when you're too stupid to even understand what is being discussed?

    One last thing, it took two seconds to find links proving this "Nobody is going to going to be fined or even tried by an Australian court for playing online poker." A TOTAL FUCKING LIE.

    So, you were wrong about pretty much everything you said.

    1. Re:Please stop lying by donscarletti · · Score: 1

      As to the rest of your poorly written and ignorant post, YOU TOTALLY MISSED THE FUCKING POINT.

      Wow, you are the least civil person I have encountered on slashdot. I am sad I didn't just simply mod you down rather than waste the effort to reply to your enraged and incoherent ranting.

      --
      When Argumentum ad Hominem falls short, try Argumentum ad Matrem
  54. utter rubbish! by Anonymous Coward · · Score: 0

    This is a re-packaged 'package' of all the old programs written by Sysinternals years ago. MS has had them for some time - they were still available as such just recently. As far as I know MS never even made any changes, and if you run this program you see Sysinternals all over the place. They haven't even changed the app names.

    The USB builder part just 'builds' what you can do in a 100k batch file. The info is very limited and it does not get passwords - as this util is well known to all virus scanners.

    There are far better apps out there! I am amazed that they think this is 'forensics'!
    This is schoolboy toys!

  55. Re:The Solution? Removable Drive Bay by Plekto · · Score: 1

    The typical "solution" to this is to check your drive in and out every morning, at least in places that do this sort of thing.