Thursday May 26th 2016

Microsoft is giving cops free COFEE

This (old) article is making its rounds on the news aggregator sites again; but since no one actually wants to RTFA: COFEE is designed for saving any data from a LIVE system. A suspect is sitting at his computer when the cops bust in. They can use this to save whatever he was doing, since it’ll probably be lost when the computer is shut down and taken to the lab.

I’d be damned surprised if this was an instamagic hacking tool – cops don’t need that. The computer is going to the lab anyway, where the techies will mount the drive on another computer and just read all the files that way. Furthermore, all the tools on the drive are already publicly available.

If the USB drive was actually “hacking” or using any magic back doors, it’d be ammo for the defense attorneys to get the evidence thrown out for being possibly tainted.

Either way, here’s the FAQ from Microsoft’s website:

Frequently asked questions (FAQ) about Computer Online Forensic Evidence Extractor (COFEE)

Q. What is COFEE?
A. COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of command line tools. It is a framework that law enforcement can use to leverage publicly available tools to access information on a live Windows system operating from a USB storage device. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

Q. Who are the intended users of COFEE?
A. COFEE is currently designed exclusively for use by law enforcement officials. It is not currently designed for distribution to any other group of users. Please note that COFEE has only been distributed in a beta/test format to a select group of law enforcement users. When it is ready for broader law enforcement distribution we will be announcing it via our Microsoft Law Enforcement Portal (and associated newsletter).

Q. What benefit does COFEE provide to law enforcement?
A. COFEE is not new forensic tools, but rather an easy to use, automated tool for first responders. It’s the ease of use, speed, and consistency of evidence extraction that is key. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

Q. Who has access to COFEE?
A. COFEE is still in development and Microsoft has distributed the beta version of COFEE to select law enforcement agencies worldwide; however, this beta phase is now closed. The release-ready versions of COFEE will be announced to law enforcement users via the Microsoft Law Enforcement Portal sometime in the next several months. COFEE will only be made available to verified law enforcement officials. There will be no charge to users.

Q. Why is COFEE still in its beta version?
A. Microsoft is working closely with our partners in law enforcement to continue development on the tool to ensure that it is meeting their constantly evolving needs.

Q. What languages is COFEE developed in?
A. COFEE is currently available in six languages: English, French, German, Chinese, Russian and Spanish.

Q. What is the LE Portal?
A. The Microsoft Law Enforcement Portal, launched in September 2006, is a web “portal” that provides law enforcement with secure online access to a centralized resource containing Internet crime-related information as well as tools, training, and technical support to assist in cyber crime investigations.

Technological solutions like these that facilitate the sharing of resources can be a powerful weapon in the fight against cybercriminals. To date, there are over 2000+ active users from 45 different countries, with over 500 Support Incidents closed since its inception 17 months ago.

Q. Who is the audience for the LE Portal?
A. The LE Portal is designed to be a resource for law enforcement officials focused on cyber crime investigations. The fundamental idea is to give cyber crime focused law enforcement officials a designated contact point for Microsoft in order to support their efforts. The LE Portal is not designed to replace enterprise support arrangements, but rather to be a resource for those customers/partners who do not have a designated support contact at Microsoft.

Q. What kind of information can law enforcement expect to find on the LE Portal?
A. The LE Portal offers targeted technical and investigative support resources, information on specific threats, information on Microsoft enforcement programs and contact information for various Microsoft teams. The Portal also includes online training modules, as well as a calendar of upcoming training sessions, conferences and LE collaborations.

Q. Who maintains and updates the LE Portal? How frequently is it updated?
A. The Microsoft Internet Safety Enforcement team manages the LE Portal with contributions from several groups across Microsoft. It is updated constantly as new information becomes available.

Q. How do law enforcement officials get access to the LE Portal?
A. Since the LE Portal is a Microsoft Extranet application, all users need a Microsoft Partners Account. For access, law enforcement should e-mail leportal@microsoft.com.
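
The FAQ describes COFEE as a framework that runs a configurable set of command-line tools on a live system and saves the output for later analysis. A minimal sketch of that idea follows, added here as an example and not COFEE's or Microsoft's code: the command profile, file names and manifest layout are assumptions, and the SHA-256 manifest is an addition that lets the lab confirm the saved output was not altered after collection.

```python
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Assumed profile: label -> argv. Standard Windows built-ins chosen for
# illustration; the page does not list the commands COFEE actually runs.
WINDOWS_PROFILE = {
    "ipconfig_all": ["ipconfig", "/all"],
    "netstat_ano": ["netstat", "-ano"],
    "tasklist_v": ["tasklist", "/v"],
    "arp_a": ["arp", "-a"],
}

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def collect(profile, out_dir, timeout=60):
    """Run each command, save raw output, and record a hash manifest."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in profile.items():
        entry = {"name": name, "argv": argv,
                 "started_utc": datetime.now(timezone.utc).isoformat()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data, entry["exit_code"] = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is logged, not fatal: keep collecting.
            data, entry["error"] = b"", repr(exc)
        target = out / f"{name}.txt"
        target.write_bytes(data)
        entry["sha256"] = sha256_file(target)
        manifest.append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Return the names of saved outputs whose hash no longer matches."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    return [e["name"] for e in manifest
            if sha256_file(out / f"{e['name']}.txt") != e["sha256"]]

if __name__ == "__main__":
    dest = sys.argv[1] if len(sys.argv) > 1 else "live_response_out"
    for item in collect(WINDOWS_PROFILE, dest):
        print(item["name"], item.get("exit_code", item.get("error")))
```

Running `verify()` on the output directory back at the lab returns an empty list when every saved file still matches the hash recorded at collection time.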
