Wednesday 30 April 2008

Microsoft COFEE device

I've been keeping up today with a story that was reported in the Seattle Times regading the Computer Online Forensic Evidence Extractor device Microsoft has made available to law enforcement agencies. So far I've read Ed Bott's response and recently The Register's response and I have to say that I think that they are overreacting at this. I'm going to go through some of the points made in The Register article below, my points are in bold.

Microsoft has reportedly developed a USB key that allows investigators to
extract forensic data from PCs.
COFEE (Computer Online Forensic Evidence
Extractor) comes in a USB key form factor, and was distributed to a small number
of law-enforcement agencies last June, the Seattle Times
reports. The device includes 150 tools that allow
investigators to extract internet history files, for example, or "decrypt
passwords".

The 150 tools are simply based on the 150 commands that forensic experts must enter anyway and that normally take 4+ hours. Microsoft claim that they are simply making this stage easier.

Rather than pointing to the existence of a backdoor

There are people that have climed that this tool circumvents security such as BitLocker and exploits backdoors in the system. It doesn't! Never did, that's just anti-Microsoft propaganda. Nice to see The Register rubbishing it.

the decrypting password
feature appears to relate to password auditing tools. COFEE also allows
investigators to upload data for analysis.
The device is used by more than
2,000 officers in at least 15 countries, including Germany and the US. Microsoft
supplies the technology to law enforcement agencies without charge. The tool
reportedly allows investigators to scan for evidence on site without necessarily
having to cart PCs back to a lab.
Computer forensics is a painstaking process
carefully designed to make sure data on a suspect computer isn't changed -
simply plugging a device into a computer to extract data seems like a quick and
dirty fix. The admissibility of such data in court in debatable even before we
get into considering the possibility that the USB key might harbour
malware.

Do we honestly think that this is a revelation to the people who designed the tool or consulted on the tool? I honestly do not believe that there is a room in Redmond where someone is now thinking, "I wonder should we have asked a computer forensic professional about this stuff before we built this. The fact that the Microsoft General Counsel Brad Smith has commented about it makes me think that they've done a lot of research into the legal viability of the evidence the tool will produce. Anyway, I suspect the tool is meant to indicate the presence of evidence and produce passwords rather than actually produce the evidence. It's not designed to replace forensic experts just make their lives a bit easier.


Another, even greater concern is that the kit will get into the
hands of hackers. The form factor for COFEE would be just their cup of
tea.

To start with hackers would need to actually gain physical access to the machine they are trying to attack for this to be a real threat. Secondly do you think they don't have similar tools already? Anyone heard of Switchblade?


The extraction and analysis of digital evidence features in the
investigation of more on more crimes, not just those specific to computers such
as internet fraud and child abuse investigations. UK specialists we've spoken to
tell us they're struggling to cope with the volume of work from law enforcement
clients. There's a genuine problem here, but we're not convinced COFEE is the
solution.
Law enforcement officials from forces in 35 countries are meeting
in Redmond this week to talk about the role of technology in combating crime. A
similar event two years ago led to the development of COFEE, the Seattle Times
reports. ®

So the industry has been involved in this tool for while then?

My only problem with it is that by the time law enforcement agencies have finished testing it and ensuring it's going to work in virtually all conditions there'll be a new set of technologies out there and it'll have to be updated again anyway. Great place to start though so I say well done Microsoft. Reading the comments on Ed's blog, as well as on the Seattle Times site, though it's obvious that there are people out there that are willing to believe anything anti-Microsoft and no matter how sensationalist and obviously false the story they want to believe it.

No comments:

Post a Comment