Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft COFEE Leaked

Posted by Soulskill on from the not-so-hot-cofee-incident dept.

54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"

6 of 171 comments (clear)

  1. Not having seen the app, but by Anonymous Coward · · Score: 5, Insightful

    From the description on the link site, which I think was quoting MS about what does an untrained beat cop do when they find digital evidence? Step back, don't touch it, and call in the law-enforcement folks who are trained and won't destroy the evidence. It's hard enough to get a jury to understand evidence pulled off of a computer - these folks see viruses or similar on their own machines that "just magically appears" so surely the defense's argument that the kiddie porn just magically appeared on his client's machine is completely possible. Having the defense say, "Mr. Officer, you admit to having no background in computer forensics, and you admit to not knowing what the program does. You admit to clicking on the talking paperclip when it said, "I see you are trying to bust a felon. Would you like me to help you?" but have no idea what then happened? Your honor, I move that the case be dismissed because the so-called evidence has obviously not followed the proper evidentiary chain." I'm posting anon because I've gone through the proper training at places like FLETC and it's something they drill into us, time and time again. If you're not sure you're qualified to handle investigating the content on the computer, don't touch it. Get someone who is qualified.

    1. Re:Not having seen the app, but by ledow · · Score: 5, Insightful

      I would think even mere insertion of a USB device into a computer could lead to all sorts of problems - what if that USB key had a virus that transferred itself to the PC and then deleted itself from the USB device? The fact that this is a bog-standard set of files means that someone has to put these programs onto a writable USB drive (it's possible it's write-once but I would be dubious of that actually being the case) and then plug it into a computer - exactly the action that companies block by default because of the potential for rogue programs to be introduced and destroy/modify data.

      Want to put someone in jail? Put something illegal on that USB drive, plug it into their computer with an autorun script that copies itself over and then deletes itself (and the script) from the USB drive. Then claim that it was a *different* drive you put in and submit a "clean" drive as evidence if they demand to see it.

      Not to mention that actually doing *anything* on the original PC is damn stupid anyway but relying on a USB stick to run it? That's got to be asking for trouble. Oh, and disable USB and you've just stopped that attack.

      I was always told that *anything* capable of writing to the drive or modifying the data you're trying to access was a no-no... that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image. Saving transient information onto a writable USB stick by execution of a program from that stick? Sounds like a recipe for disaster. That's gotta touch your swap or do something to memory in order to execute and proving that happened cleanly and provided a complete accurate copy of the contents of RAM/disk/swap before you plugged it in is probably impossible.

  2. "Microsoft COFFEE Spilled" by beatsme · · Score: 5, Funny

    Come on, the setup is so obvious!

  3. Ummm.... well.... by Le+Marteau · · Score: 5, Insightful

    > No, COFEE is 100 percent useless to you.'"

    Yes, and the software that runs voting machines is "useless to us", too.

    I think the submitter is missing the point. This (probably) closed-source tool by Microsoft (that bears repeating... by MICROSOFT) is going to be used by law enforcement to help throw people in jail. If for no 'practical' use, now that COFFEE is leaked, people will be able to reverse-engineer it an see exactly what it is doing, and how. That is a good thing.

    --
    Mod down people who tell people how to mod in their sigs
  4. Re:While I don't have any use for the program by Anonymous Coward · · Score: 5, Insightful

    I agree. Using the software may not prove useful, but studying the software to see how it works might be. It is said the software can decrypt passwords and access otherwise inaccessible files. If true, that would be a major security hole that black hats could exploit, so the public has the right to know what exactly COFEE does, how it works, and how to defend their systems from it and similar software.

  5. Re:But by hansraj · · Score: 5, Insightful

    Really... why should we have to look up something stated in the summary as "100% useless to us"? Thanks fuck head!

    Because:
    1) You are wondering what is the damn thing in the first place (like OP did), and
    2) You want to make your own opinion.

    No one is forcing you to read through the wikipedia entry. I hope, for the sake of people around you, that you don't flip out as easily in real life.