Microsoft COFEE Leaked
54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"
It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
So, don't run windows, encrypt your drive with hidden partitions and turn the thing off when the cops arrive.
---- Booth was a patriot ----
From the description on the link site, which I think was quoting MS about what does an untrained beat cop do when they find digital evidence? Step back, don't touch it, and call in the law-enforcement folks who are trained and won't destroy the evidence. It's hard enough to get a jury to understand evidence pulled off of a computer - these folks see viruses or similar on their own machines that "just magically appears" so surely the defense's argument that the kiddie porn just magically appeared on his client's machine is completely possible. Having the defense say, "Mr. Officer, you admit to having no background in computer forensics, and you admit to not knowing what the program does. You admit to clicking on the talking paperclip when it said, "I see you are trying to bust a felon. Would you like me to help you?" but have no idea what then happened? Your honor, I move that the case be dismissed because the so-called evidence has obviously not followed the proper evidentiary chain." I'm posting anon because I've gone through the proper training at places like FLETC and it's something they drill into us, time and time again. If you're not sure you're qualified to handle investigating the content on the computer, don't touch it. Get someone who is qualified.
Come on, the setup is so obvious!
Wikipedia is your friend.
It's a tool written by Microsoft, for Microsoft products. Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As an added bonus, there are no viruses, no nasties that'll install on your system. No COFEE or other LEO programs to infect your privacy.
HURD...The only sensible solution.
I thought the same thing and pursued her only to find out the her is a he. I became the 2nd person to throw chairs at MS.
"Won’t be long before DECAF is released, which will block attempts to use COFEE on your machine, I’m sure."
-- Mister Toast, Nov 08, 2009, 13:58
At first I thought these two stories were related.
http://gizmodo.com/5399583/famous-paintings-reproduced-in-coffee
I was about to download the MS tool so I could create my own spectacular tasting, eye-opening, knock-off classic art.
Well, of course it's useless to most of them...but that has nothing to do with whether or not COFEE is any good. Let's face it; how many casual downloaders are going to need a forensics toolkit? They already have access to all of their own files, and already know what they've been doing with their system. And COFEE is not meant to be a "point and shoot" system; it's really meant for professionals that know what they're looking for to some degree. So getting a copy and using it doesn't instantly give you some insight into how computer forensics work.
For your security, this post has been encrypted with ROT-13, twice.
> No, COFEE is 100 percent useless to you.'"
Yes, and the software that runs voting machines is "useless to us", too.
I think the submitter is missing the point. This (probably) closed-source tool by Microsoft (that bears repeating... by MICROSOFT) is going to be used by law enforcement to help throw people in jail. If for no 'practical' use, now that COFEE is leaked, people will be able to reverse-engineer it and see exactly what it is doing, and how. That is a good thing.
Mod down people who tell people how to mod in their sigs
Ok, the tool from Microsoft is 'free' also, but here is something with way more options: http://wiki.hak5.org/wiki/USB_Switchblade
I've been doing computer forensics for twenty five years. I am the original poster and I happen to know exactly what I'm talking about, having been prompted to give detailed feedback about Microsoft's COFEE "suite".
The lowdown:
It doesn't do anything that any number of freely available, open source tools don't do (most of which, or at least most of the lineage of which, can be found in Knoppix-STD (www.knoppix-std.org)), and it happens to do them poorly.
Why has the STD distro not been updated in over 5 years?
Have you tried http://www.remote-exploit.org/backtrack.html? It's geared towards pen testing and ethical hacking... but it's VERY good, and modern.
If only you'd bothered to write that in the summary, rather than the clever-clever "You don't need this" shenanigans. Half these initial posts could have been avoided.
So what you're saying is that it's a true Microsoft product, amirite?
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
As far as I know, COFEE is only used when you have a search warrant. If you have a search warrant, then by definition there is no right to privacy - by granting the search warrant, the court has said that investigators are allowed to look at your stuff.
In the past, people have tried the "I was framed by the police" gambit before with very limited success - typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.
Anyone who is truly concerned with security knows that you take your drive with you and/or lock it up at night. Thankfully SSDs are lightweight and easy to stick in a pocket. I'm amazed at how many businesses don't have any physical protection plan in place, because that's how most data ends up getting into the wrong hands.
http://www.startech.com/item/SAT2510U2REM-InfoSafe-35-Bay-Removable-25-SATA-Drive-Enclosure.aspx
Under $40 for this model.
Really... why should we have to look up something stated in the summary as "100% useless to us"? Thanks fuck head!
Because:
1) You are wondering what is the damn thing in the first place (like OP did), and
2) You want to make your own opinion.
No one is forcing you to read through the Wikipedia entry. I hope, for the sake of people around you, that you don't flip out as easily in real life.
Responsible Mods needed...
Come on...this guy responds to someone, who calls him a fuck head for providing a link to information connected to the post, in a calm and measured way, and somehow he gets modded flamebait?
If that doesn't get fixed, I've lost the last little bit of trust I have in the /. mod system.
An important change for education.
heh heh. he said he had trust in the mod system. heh heh heh.
wake up and hold your nose
Try Helix3. Don't jump up and down, telling me that it's another Linux LiveCD. There is a Windows executable in the root directory to capture system state stuff. When that finishes, you can reboot to the LiveCD for more tools.
They have an outdated version that is free, and if you wish to pay about 7 or 8 hundred bucks, you can get the up-to-date version.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
You are 100% incorrect.
I would think even mere insertion of a USB device into a computer could lead to all sorts of problems
The mere insertion of a USB device has its problems. First, you have to differentiate. Say, on a WinXP SP2 machine, a USB device has no working autostart mechanism. You can circumvent that, e.g. by using those "U3" devices that emulate a CD drive (autostart works fine with CD drives if you didn't disable autorun at all), or, like the Conficker worm does, by displaying an "open folder" icon that will result in the action of calling a program. But by default, the recent MS OSes do not allow autorun via USB sticks.
That having been said, there still are some problems with the mere insertion of a USB device. The one I know of is that typically Windows makes a "bing" noise when a USB stick is inserted. This means that the Windows "USB insertion bing noise".wav gets read and thus the "read" timestamp of that file gets modified. This results in the fact that after plugging in a USB stick, the forensic analyst might not be able to determine when a USB stick was plugged into that machine the last time prior to the said USB stick having been plugged into it. This might be especially of concern if you want to find out how a certain piece of malware entered a PC, which happened to be via a USB stick exactly the last time a USB stick was plugged into the forensically examined PC.
So, let's go on...
that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image.
Well, yes, sort of. Cloning images of drives with "read-only" adaptors is done for post mortem analysis. I mean the following:
If the investigator is called to a site with an already unplugged device, this is the usual procedure - that way it is ensured that no evidence is altered in any way.
However, the situation is completely different when the investigator is faced with a live system. Because there, you have a huge amount of information that will get destroyed by unplugging the system. In former times, investigators were taught to unplug the system and then to clone the drive with a write-blocker, like you said. But this removes volatile evidence like:
See RFC 3227 - Guidelines for Evidence Collection and Archiving for more. So, when encountering a live system, switching it off and cloning the disk with a write-blocker is as much more problematic, in terms of destroying evidence, than plugging in a forensically sound USB thumb drive as it gets.
You see, the consequences of plugging in a forensically sound device - and plugging it in will have some consequences and ultimately result in the destruction of some evidence - can be reproduced and thus can be tolerated in court without problems. NOT plugging in that device will lead to much much greater destruction of evidence.
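An added example, not from this thread or from COFEE, of the point made in the two comments above (the "read" timestamp on the insertion-sound file, and the argument that a live-response tool's side effects are acceptable when they are known and reproducible): a stat-only Python baseline taken before a live-response action and diffed afterwards, so the footprint is documented rather than unexplained. File names are constructed stand-ins; whether a read updates atime at all depends on mount options (relatime/noatime), so "accessed" is a lower bound.

```python
import json
import tempfile
from pathlib import Path

# Constructed example: record stat fields for every regular file under a
# directory without opening any file. Reading the files would itself update
# their access timestamps, which is exactly the side effect being measured.

def snapshot(root) -> dict:
    """Map each regular file under root (relative path) to its stat fields."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            st = path.stat()
            manifest[str(path.relative_to(root))] = {
                "size": st.st_size, "mtime_ns": st.st_mtime_ns,
                "ctime_ns": st.st_ctime_ns, "atime_ns": st.st_atime_ns,
            }
    return manifest

def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify files as added, removed, modified (data/metadata) or only accessed."""
    result = {"added": [], "removed": [], "modified": [], "accessed": []}
    for name in sorted(set(before) | set(after)):
        if name not in before:
            result["added"].append(name)
        elif name not in after:
            result["removed"].append(name)
        elif any(before[name][f] != after[name][f]
                 for f in ("size", "mtime_ns", "ctime_ns")):
            result["modified"].append(name)
        elif before[name]["atime_ns"] != after[name]["atime_ns"]:
            # atime changed only: the file was read, like the insertion-sound .wav
            result["accessed"].append(name)
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        wav = Path(tmp) / "chime.wav"          # stand-in for the insertion-sound file
        wav.write_bytes(b"RIFF....WAVE")
        base = snapshot(tmp)
        wav.read_bytes()                       # the read the comment describes
        (Path(tmp) / "response.log").write_text("tool ran\n")  # the tool's own output
        print(json.dumps(diff_snapshots(base, snapshot(tmp)), indent=1))
```

Run the baseline, perform the live-response step, run it again, and keep the diff with the case notes; the same steps on a test machine should yield the same classes of changes.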