Skip to main content

Microsoft COFEE device

I've been keeping up today with a story that was reported in the Seattle Times regading the Computer Online Forensic Evidence Extractor device Microsoft has made available to law enforcement agencies. So far I've read Ed Bott's response and recently The Register's response and I have to say that I think that they are overreacting at this. I'm going to go through some of the points made in The Register article below, my points are in bold.

Microsoft has reportedly developed a USB key that allows investigators to
extract forensic data from PCs.
COFEE (Computer Online Forensic Evidence
Extractor) comes in a USB key form factor, and was distributed to a small number
of law-enforcement agencies last June, the Seattle Times
reports. The device includes 150 tools that allow
investigators to extract internet history files, for example, or "decrypt
passwords".

The 150 tools are simply based on the 150 commands that forensic experts must enter anyway and that normally take 4+ hours. Microsoft claim that they are simply making this stage easier.

Rather than pointing to the existence of a backdoor

There are people that have climed that this tool circumvents security such as BitLocker and exploits backdoors in the system. It doesn't! Never did, that's just anti-Microsoft propaganda. Nice to see The Register rubbishing it.

the decrypting password
feature appears to relate to password auditing tools. COFEE also allows
investigators to upload data for analysis.
The device is used by more than
2,000 officers in at least 15 countries, including Germany and the US. Microsoft
supplies the technology to law enforcement agencies without charge. The tool
reportedly allows investigators to scan for evidence on site without necessarily
having to cart PCs back to a lab.
Computer forensics is a painstaking process
carefully designed to make sure data on a suspect computer isn't changed -
simply plugging a device into a computer to extract data seems like a quick and
dirty fix. The admissibility of such data in court in debatable even before we
get into considering the possibility that the USB key might harbour
malware.

Do we honestly think that this is a revelation to the people who designed the tool or consulted on the tool? I honestly do not believe that there is a room in Redmond where someone is now thinking, "I wonder should we have asked a computer forensic professional about this stuff before we built this. The fact that the Microsoft General Counsel Brad Smith has commented about it makes me think that they've done a lot of research into the legal viability of the evidence the tool will produce. Anyway, I suspect the tool is meant to indicate the presence of evidence and produce passwords rather than actually produce the evidence. It's not designed to replace forensic experts just make their lives a bit easier.


Another, even greater concern is that the kit will get into the
hands of hackers. The form factor for COFEE would be just their cup of
tea.

To start with hackers would need to actually gain physical access to the machine they are trying to attack for this to be a real threat. Secondly do you think they don't have similar tools already? Anyone heard of Switchblade?


The extraction and analysis of digital evidence features in the
investigation of more on more crimes, not just those specific to computers such
as internet fraud and child abuse investigations. UK specialists we've spoken to
tell us they're struggling to cope with the volume of work from law enforcement
clients. There's a genuine problem here, but we're not convinced COFEE is the
solution.
Law enforcement officials from forces in 35 countries are meeting
in Redmond this week to talk about the role of technology in combating crime. A
similar event two years ago led to the development of COFEE, the Seattle Times
reports. ®

So the industry has been involved in this tool for while then?

My only problem with it is that by the time law enforcement agencies have finished testing it and ensuring it's going to work in virtually all conditions there'll be a new set of technologies out there and it'll have to be updated again anyway. Great place to start though so I say well done Microsoft. Reading the comments on Ed's blog, as well as on the Seattle Times site, though it's obvious that there are people out there that are willing to believe anything anti-Microsoft and no matter how sensationalist and obviously false the story they want to believe it.

Post a Comment

Popular posts from this blog

iOS 8.4 Is Here!

iOS8.4 is here and available to download so head over and grab it from Software Update.

Radon in Newry, Mourne and Down - Action & Education Needed

Council budgets have been and continue to be slashed and perhaps that's the reason why more is not being done to educate people on the risk Radon gas is posing to their health in the area of Newry, Mourne and Down. A recently published Government report includes the below map which starkly highlights the huge areas of the district that are potentially exposed to high levels of this naturally occurring radioactive gas.



While the UK Government recognises and highlights the role this gas plays in causing lung cancer the EPA in the U.S. goes further adding numbers and additional facts such as : 1. 21,000 deaths a year are linked to Radon gas in the U.S.  2. It's the second biggest cause of lung cancer after smoking 3. Radon can enter the home through the water supply as well as the soil 4. There is a risk of stomach cancer from ingesting water containing Radon and lung cancer from inhaling the gas carried in the water.
To help protect and educate the population it's time the c…

XBox Live Dashboard Update Tomorrow!

I just logged into XBox Live for the first time in a while today and I've mail informing me that XBox live is going to be offline tomorrow for about 24 hours. This must be the big update that was announced at E3. The blades will soon be gone and we'll have the more modern interface. I liked the blades but I'm very excited about new interface. I'll post about the new look once i get a look at it hopefully on Tuesday.