Microsoft COFEE Leaked
54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"
It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
So, don't run windows, encrypt your drive with hidden partitions and turn the thing off when the cops arrive.
---- Booth was a patriot ----
From the description on the link site, which I think was quoting MS about what does an untrained beat cop do when they find digital evidence? Step back, don't touch it, and call in the law-enforcement folks who are trained and won't destroy the evidence. It's hard enough to get a jury to understand evidence pulled off of a computer - these folks see viruses or similar on their own machines that "just magically appears" so surely the defense's argument that the kiddie porn just magically appeared on his client's machine is completely possible. Having the defense say, "Mr. Officer, you admit to having no background in computer forensics, and you admit to not knowing what the program does. You admit to clicking on the talking paperclip when it said, "I see you are trying to bust a felon. Would you like me to help you?" but have no idea what then happened? Your honor, I move that the case be dismissed because the so-called evidence has obviously not followed the proper evidentiary chain." I'm posting anon because I've gone through the proper training at places like FLETC and it's something they drill into us, time and time again. If you're not sure you're qualified to handle investigating the content on the computer, don't touch it. Get someone who is qualified.
Come on, the setup is so obvious!
Wikipedia is your friend.
It's a tool written by Microsoft, for Microsoft products. Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As an added bonus, there are no viruses, no nasties that'll install on your system. No COFEE or other LEO programs to infect your privacy.
HURD...The only sensible solution.
I thought the same thing and pursued her only to find out the her is a he. I became the 2nd person to throw chairs at MS.
"Won’t be long before DECAF is released, which will block attempts to use COFEE on your machine, I’m sure."
-- Mister Toast, Nov 08, 2009, 13:58
At first I thought these two stories were related.
http://gizmodo.com/5399583/famous-paintings-reproduced-in-coffee
I was about to download the MS tool so I could create my own spectacular tasting, eye-opening, knock-off classic art.
Well, of course it's useless to most of them...but that has nothing to do with whether or not COFEE is any good. Let's face it; how many casual downloaders are going to need a forensics toolkit? They already have access to all of their own files, and already know what they've been doing with their system. And COFEE is not meant to be a "point and shoot" system; it's really meant for professionals that know what they're looking for to some degree. So getting a copy and using it doesn't instantly give you some insight into how computer forensics work.
For your security, this post has been encrypted with ROT-13, twice.
What does someone in the "security field" know about a digital forensics tool?
Very few people are actually in the security field, and most who claim to be have posted a bug on a mailing list and set up a site talking about how to "hack" with Visual Basic.
That lady is most likely a model who was photographed by someone else, who in turn sold a photo license to Microsoft.
If you are Red Hat racing with MS, you can use this tool to prove that their platform can't be trusted. All you need to do is run it.
I don't run windows.
There's nothing wrong with that. Some guys come out of the IT trenches and some come out of the management world. Most of these security guys are presenting themselves to middle and upper level management. They only need to know how to make charts and graphs, for which VB is really very good.
They of course also need to know how to get policies signed, walk into strange meeting rooms, identify and get key people into meetings to understand those policies, implement and audit them regularly. If they have time to pick up a little bit of VB hacking on the side, I'm happy that they can better understand the nuts and bolts. VB is fun in small doses.
I downloaded it. This little thing might be interesting :-)
> No, COFEE is 100 percent useless to you.'"
Yes, and the software that runs voting machines is "useless to us", too.
I think the submitter is missing the point. This (probably) closed-source tool by Microsoft (that bears repeating... by MICROSOFT) is going to be used by law enforcement to help throw people in jail. If for no 'practical' use, now that COFEE is leaked, people will be able to reverse-engineer it and see exactly what it is doing, and how. That is a good thing.
Mod down people who tell people how to mod in their sigs
Ok, the tool from Microsoft is 'free' also, but here is something with way more options: http://wiki.hak5.org/wiki/USB_Switchblade
I've been doing computer forensics for twenty-five years. I am the original poster and I happen to know exactly what I'm talking about, having been prompted to give detailed feedback about Microsoft's COFEE "suite".
The lowdown:
It doesn't do anything that any number of freely available, open source tools don't do (most of which, or at least most of the lineage of which, can be found in Knoppix-STD (www.knoppix-std.org)), and it happens to do them poorly.
Bingo. First thing I thought was "generic stock photograph". That one's not too bad, but some of them are really obvious, like the ones of three people standing round a computer in a modern-looking airy office, smiling their white teeth and looking "businesslike". Really obvious stock photo that makes anyone that uses it look cheesy.
Why has the STD distro not been updated in over 5 years?
Have you tried http://www.remote-exploit.org/backtrack.html? It's geared towards pen testing and ethical hacking... but it's VERY good, and modern.
Nothing beats a digital cup of coffee...
If only you'd bothered to write that in the summary, rather than the clever-clever "You don't need this" shenanigans. Half these initial posts could have been avoided.
I just read the entire wikipedia article, and I've done all of that, and more, with backtrack for FREE.
I wonder... does cofee have a java component?
Can Cofee check my Kaffeine history?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
Ah, yes; the stalking horse to justify the destruction of the individual's right to privacy. And of course, this evidence could never have been planted by the self-same investigators via their self-same COFEE USB key. Perish the thought.
Having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).
I saw the photos of the damage caused by the Calgary Police: cut keyboard cables, broken doors, general damage done to the house, broken commercial (legally bought PS3 games, music, films) CD/DVD/BDs, broken case covers, cut USB cables, are just a few examples of the damage left in the Calgary Police wake.
The items stolen by the Calgary Police under a possible false warrant included TVs, old laptops from the mid-90s, USB media, most items labeled Sony, SUN Sparc systems, Compaq Alphas, PS3, network switches, and anything Calgary Police felt proved his innocence. The official list of items stolen was never provided to him, as the Calgary Police refused to provide it, even to his lawyer.
He was handcuffed, body searched, and threatened by Calgary Police with their hands on their pistols to hand over passwords. He refused, taking physical damage. He feels he would have been shot if his lawyer and minister hadn't been contacted.
When the Calgary Police found Gnu/Linux on most systems, they told him 'Only hackers use Linux'.
No charges were laid as a result of the raid. Calgary Police had the items for more than 6 months. When the items were returned, some were no longer working.
...I know this is a tool for n00bz, but it is seriously lacking in several areas. First of all, it even says in its dox that it is only supported on a suspect's computer running Windows XP, which is still pretty good and better than nothing. Secondly, if the suspect's computer doesn't have autorun enabled, you have to go to the USB drive and run the EXE on the suspect's computer... meaning that if the computer is BIOS locked, encrypted on boot, or password protected, then the user must log in to execute the EXE. I downloaded it and ran it, but it is ineffective against my W7 machines (password protected, encrypted). My understanding is that if you don't give cops your password when they request it, they can charge you with obstruction of justice and then just move up to REAL computer forensics.
I know it's not perfect, and it isn't designed for the "1334", but it just seems useless if you are going up against someone who is REALLY paranoid or very secure. It seems like if someone has their computer as open as it needs to be to run COFEE, you wouldn't need the tool in the first place, just someone remotely proficient in computers.
They say it is often more relevant than the comment above; all we know is it's called the Sig!
How do we know that Microsoft didn't intentionally leak this?
Maybe they did it so that they can start selling Microsoft CREAM!
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
So what you're saying is that it's a true Microsoft product, amirite?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
> No charges were laid as a result of the raid.
WTF? Why didn't he file charges against them?
Would this utility be useless if you lock your computer when you get up from it? If so, the criminally-minded among us should do that.
If it works even with the computer locked, it implies a Microsoft back door into Windows. I doubt this.
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
As far as I know, COFEE is only used when you have a search warrant. If you have a search warrant, then by definition there is no right to privacy - by granting the search warrant, the court has said that investigators are allowed to look at your stuff.
In the past, people have tried the "I was framed by the police" gambit before with very limited success - typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.
Anyone who is truly concerned with security knows that you take your drive with you and/or lock it up at night. Thankfully SSDs are lightweight and easy to stick in a pocket. I'm amazed at how many businesses don't have any physical protection plan in place, because that's how most data ends up getting into the wrong hands.
http://www.startech.com/item/SAT2510U2REM-InfoSafe-35-Bay-Removable-25-SATA-Drive-Enclosure.aspx
Under $40 for this model.
Really... why should we have to look up something stated in the summary as "100% useless to us"? Thanks fuck head!
Because:
1) You are wondering what is the damn thing in the first place (like OP did), and
2) You want to make your own opinion.
No one is forcing you to read through the wikipedia entry. I hope, for the sake of people around you, that you don't flip out as easily in real life.
I don't know about talking to her or putting cream in her mug, but if you look through the comments below, you can get a pic at 12k resolution for ~£700. Once you've seen her skin magnified that much, you'll likely be cured of any interest you once had ;)
Responsible Mods needed...
Come on...this guy responds to someone, who calls him a fuck head for providing a link to information connected to the post, in a calm and measured way, and somehow he gets modded flamebait?
If that doesn't get fixed, I've lost the last little bit of trust I have in the /. mod system.
An important change for education.
You're right, I should have been more specific. If a LE officer has a search warrant for the contents of your computer, then he has the right to access the contents of your computer; your right to privacy doesn't apply.
Couple of days from now there will be a HOT COFEE mod for Windows. So much more comprehensive than whatever was in GTA.
Some links would be useful. This is the internet after all :)
"I'd rather have a bottle in front of me than have to have a frontal lobotomy."
That's the nasty sort of positive feedback loop from which an innocent person, once trapped, can never escape. The burden of proof should grow each time, not shrink, to prevent police harassment.
You're safe - no one wastes mod points on an AC.
It could be a boon for counter-forensics; it wouldn't be that hard to make a root-kit that either doesn't allow COFEE to run or returns bogus information from system calls when COFEE is running.
Probably a lot more law enforcement agencies use that than COFEE.
People who are truly concerned with security don't get mugged?
> Having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).
"Many times" probably occurred due to not finding anything, and said employer continuing to insist there was.
heh heh. he said he had trust in the mod system. heh heh heh.
wake up and hold your nose
The only thing COFEE does that backtrack doesn't is copy the RAM. Unless the person is using encryption, in which case a non-computer-forensics person (who the product is targeted at) shouldn't be anywhere NEAR the machine, there is no reason to preserve the volatile memory. In fact, if a person is that paranoid (and still running Windows), chances are the application will end up triggering a dead-switch.
Any computer forensics expert worth their degree will tell you NEVER to do anything to a running machine suspected of being rigged. They don't even shut it down, just pull the plug. If they want to recover the RAM, they have about 3 minutes to do so (through a clean boot) before the "volatile" memory is gone.
Try Helix3. Don't jump up and down, telling me that it's another Linux LiveCD. There is a Windows executable in the root directory to capture system state stuff. When that finishes, you can reboot to the LiveCD for more tools.
They have an outdated version that is free, and if you wish to pay about 7 or 8 hundred bucks, you can get the up-to-date version.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
Well it is very useful for Microsoft - they can now go after the Pirate Bay for Copyright Infringement. All hail the DMCA.
I can already picture the Microsoft Lawyers - "THEY STOLE MY COFEE". It will be quoted in legal textbooks for years!
You are 100% incorrect.
I would think even mere insertion of a USB device into a computer could lead to all sorts of problems
The mere insertion of a USB device has its problems. First, you have to differentiate. Say, on a WinXP SP2 machine, a USB device has no working autostart mechanism. You can circumvent that, e.g. by using those "U3" devices that emulate a CD drive (autostart works fine with CD drives if you didn't disable autorun at all) or, like the Conficker worm does, by displaying an "open folder" icon that will result in the action of calling a program. But by default, the recent MS OSes do not allow autorun via USB sticks.
Now, that having been said, there still are some problems with the mere insertion of a USB device. The one I know of is that typically Windows makes a "bing" noise when a USB stick is inserted. This means that the Windows "USB insertion bing noise".wav gets read and thus the "read" timestamp of that file gets modified. This results in the fact that after plugging in a USB stick, the forensic analyst might not be able to determine when a USB stick was last plugged into that machine prior to the said USB stick having been plugged into it. This might be of special concern if you want to find out how a certain piece of malware entered a PC, which happened to be via a USB stick exactly the last time a USB stick was plugged into the forensically examined PC.
So, let's go on...
that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image.
Well, yes, sort of. Cloning images of drives with "read-only" adaptors is done for post mortem analysis. I mean the following:
If the investigator is called to a site with an already unplugged device, this is the usual procedure - that way it is ensured that no evidence is altered in any way.
However, the situation is completely different when the investigator is faced with a live system. Because there, you have a huge amount of information that will get destroyed by unplugging the system. In former times, investigators were taught to unplug the system and then to clone the drive with a write-blocker, like you said. But this removes volatile evidence like:
See RFC 3227 - Guidelines for Evidence Collection and Archiving for more. So, when encountering a live system, switching it off and cloning the disk with a write-blocker is as much more problematic in terms of destroying evidence than plugging in a forensically sound USB thumb drive as it gets.
You see, the consequences of plugging in a forensically sound device - and plugging it in will have some consequences and ultimately result in the destruction of some evidence - can be reproduced and thus can be tolerated in court without problems. NOT plugging in that device will lead to much, much greater destruction of evidence.
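The reproducibility point in the post above (a sound collection device has a footprint, but one that can be documented and therefore tolerated in court) can be put into practice by snapshotting file metadata before and after a collection run and diffing the two snapshots. This is an added example, not code from the thread or from COFEE; the directory layout, file names and the simulated collector run are constructed for the demonstration.

```python
"""Document the footprint of a live-collection tool: snapshot file metadata
before and after the tool runs, then report exactly what it changed."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file (path relative to root) to size, mtime, SHA-256.
    Access times are deliberately left out: with Linux's default relatime
    mount option they update only in some cases and would make the diff noisy."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
                "sha256": sha256_of(p),
            }
    return manifest


def diff_snapshots(before: dict, after: dict) -> dict:
    """Return the files the collection run added, removed or modified."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(
        name for name in set(before) & set(after) if before[name] != after[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo_footprint() -> dict:
    """Constructed scenario: a small 'system' tree, then a simulated collection
    run that rewrites one existing file and drops a log file, as a live
    tool would. Returns the documented footprint."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "media").mkdir()
        (root / "media" / "notify.wav").write_bytes(b"RIFF....WAVE")  # untouched
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        before = snapshot(root)

        # Simulated collector: modifies one file, creates one file.
        (root / "hosts").write_text("127.0.0.1 localhost\n::1 localhost\n")
        (root / "collector.log").write_text("run complete\n")
        after = snapshot(root)

        return diff_snapshots(before, after)


if __name__ == "__main__":
    print(json.dumps(demo_footprint(), indent=2))
```

Running the same procedure against a known-clean reference image gives the tool's baseline footprint, which is what an examiner would attach to the case notes so the alteration can be reproduced on demand.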
This is probably nitpicking, but the tracker the file originated from is not "a small, private tracker".
It is actually one of the most highly regarded private trackers, and the largest private music tracker currently operational. In terms of provided content, it is BY FAR the biggest private tracker on the Internet, past or present, with over 600k torrents.
IMHO it is one of the best places for any music lover to hang out on the Internet, with a great selection of music, awesome community, and friendly staff, and it isn't really that hard to get into either.
What is really interesting is how the upload of the original file was to fill a request with a very lucrative bounty of 1.6 TB. For one and a half years, no one really believed that the request would ever be filled, but people kept voting it up, quickly ranking it as the largest bounty on the site.
Disclaimer: I'm not affiliated with the aforementioned tracker.
You've got that right. Many of the people I have worked with have excellent heads for business, graphic design, administration, or programming, but I still don't trust them to put their pants on the right way around every morning. Why would I want them pulling their hard drives out of their computers every night?
...then it would have been cut out as not being sensationalist enough for an article summary.
You're new here, aren't you?
It's not a Federal crime, stop perpetuating this BS.
There are some localities that have outlawed it, but there is no Federal law against it, and no, UIGEA doesn't outlaw it.
F.A.Q. zero:
Does it work on linux?
Thanks AC !
I believe you must have at least 2nd degree burns to the groin region before it validates a lawsuit.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
"And tax laws don't deal with the revenue issue because the sites are outside the jurisdiction where they are taxed. Dah."
This is the kind of stupid that needs to be stamped out.
The players and owners of the sites are not.
Does "Dah" mean "What I just said is colossally stupid and ignorant"? Because if so, then I agree, what you said was colossally stupid and ignorant.
As to the rest of your poorly written and ignorant post, YOU TOTALLY MISSED THE FUCKING POINT.
Why do you people respond when you're too stupid to even understand what is being discussed?
One last thing, it took two seconds to find links proving this "Nobody is going to be fined or even tried by an Australian court for playing online poker." A TOTAL FUCKING LIE.
So, you were wrong about pretty much everything you said.
> typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.
Generally courts presume everyone is honest and plays by the rules unless there is some specific reason to think otherwise. It probably can be no other way. If the court assumed everyone was a liar, then it would be impossible to get anywhere, as the only evidence would be evidence submitted by other people also presumably lying.
The sad fact is that if someone really wants to fuck you over, they probably can. But planting evidence is one of the more complicated ways of doing it.
No one has a right to their *own* opinion. They have a right to the TRUTH.
The typical "solution" to this is to check your drive in and out every morning, at least in places that do this sort of thing.