
Thread: COFEE Forensic Tool Leaks To What.cd, Admins Ban It

  1. #1
    Rart's Avatar Hold The Line
    Join Date
    Jul 2009
    Posts
    3,826
    COFEE Forensic Tool Leaks To What.cd, Admins Ban It
    November 08, 2009

    "Microsoft’s much sought-after COFEE law-enforcement forensic tool has leaked onto the Internet. One user uploaded it to private tracker What.cd to collect a huge 1.6tb bounty. However, in a sensible move, the admins of the site took action to remove the link and ban further sharing of the tool via the site.

    “Law enforcement agencies around the world face a common challenge in their fight against cybercrime, child pornography, online fraud, and other computer-facilitated crimes,” says the marketing blurb on Microsoft’s site.

    “They must capture important evidence on a computer at the scene of an investigation before it is powered down and removed for later analysis. ‘Live’ evidence, such as active system processes and network data, is volatile and may be lost in the process of turning off a computer. How does an officer on the scene effectively do this if he or she is not a trained computer forensics expert?”

    Using COFEE, of course.

    The Computer Online Forensic Evidence Extractor (COFEE) is a piece of software designed for the use of law enforcement agencies, and provided to the same free of charge by Microsoft. And, largely because of its mystique, it has been a much sought-after piece of code.

    Indeed, on the private tracker What.cd, users had offered a huge bounty (a reward for finding and sharing something) of 1.6 terabytes.

    During the last day or so, a user – who had only been a member for a matter of weeks – uploaded COFEE.

    However, What.cd then took the unusual step of removing the torrent. Not just an unusual step but, in my opinion, a very sensible step indeed.

    “Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff,” said What.cd management in a statement.

    “And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again),” they added.

    According to the site’s staff, neither they nor their host was threatened by Microsoft or law enforcement. The decision was taken purely on the issue of site and member security.

    Of course, the tool is now widely available from other sources and while some are saying that the tool is useless to regular Internet users, there are others who disagree. It certainly won’t take long for a detailed analysis to appear.

    There will doubtless be lots of finger-wagging and complaints that this tool has become available in this way, but as with unexpected leaks of anything from software, to movies, to music, rarely is the finger pointed at the initial supplier of the material. That is usually way too embarrassing to reveal."

    Source: http://torrentfreak.com/cofee-forens...ban-it-091108/ Homepage: http://torrentfreak.com

  2. News (Archive)   -   #2
    Enzo's Avatar Poster BT Rep: +35
    Join Date
    May 2007
    Location
    Hawaii
    Posts
    535
    It can still be found in some other trackers ...

  3. News (Archive)   -   #3
    megabyteme's Avatar RASPBERRY RIPPLE BT Rep: +19
    Join Date
    Apr 2009
    Location
    Using Mrs. Nussbaum's CC#
    Posts
    17,943
    In the battle between an individual's right to privacy and an effective means to capture illegal activity done with that computer, I err on the side of privacy.

    Ofc, there is the argument that one should just not do illegal things on their computer. However, there has never been a device more thorough in recording our activities, our thoughts, our interests, and much more.

    I doubt many of us would feel comfortable being videotaped 24/7 on the off chance that we might do something illegal. The same bad argument can be applied- just don't do anything illegal and you won't have anything to worry about. Right.

    I simply do not want that kind of "evidence" available to agents or agencies who would take away our freedom. Even with all of the bad things that can be done, I want a barrier between individual rights and constant surveillance. I understand that protects some serious scumbags. However, I believe they are in the extreme minority so efforts to catch them should not put us all under scrutiny.

    I also do not like the fact that our operating system stores so much information. M$ has shown repeatedly that they cannot be responsible towards consumer rights. I do not want them to be the end decision maker for consumer privacy.

    That said, I believe users of Windows have a right to know exactly what M$ has been keeping on our computers and we should have the ability to disable such surveillance.
    Quote Originally Posted by IdolEyes787 View Post
    Ghey lumberjacks, wolverines, blackflies in the summer, polar bears in the winter, that's basically Canada in a nutshell.

  4. News (Archive)   -   #4
    Rart's Avatar Hold The Line
    Join Date
    Jul 2009
    Posts
    3,826
    One thing I worry about is whether this is actually real. From what I have seen from others' posts, the program seems relatively simple. Very basic GUI, sends a couple commands to the computer and outputs them in an easy-to-read format.

    Would it really be that hard for someone to program a fake "COFEE" in order to get a nice (big) buffer on one of the most notoriously difficult of sites to seed on?

    Or could the authorities simply have given us a severely simplified version in order to track anyone who would download it?

    I really just don't see the appeal or motive for any authority to leak something like this. It's extremely dangerous for their career, only to collect some bounty on a petty little torrent site.
    Last edited by Rart; 11-08-2009 at 08:56 PM.

  5. News (Archive)   -   #5
    SonsOfLiberty's Avatar The Lonely Wanderer
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    Edit, I was wrong it's not worthless to some people, only the truest of truest criminals.
    Last edited by SonsOfLiberty; 11-09-2009 at 01:27 AM.

  6. News (Archive)   -   #6
    karachidude's Avatar Excelsior BT Rep: +5
    Join Date
    Nov 2009
    Location
    Karachi
    Posts
    883
    The app must be high tech, if it can break through protections

  7. News (Archive)   -   #7
    megabyteme's Avatar RASPBERRY RIPPLE BT Rep: +19
    Join Date
    Apr 2009
    Location
    Using Mrs. Nussbaum's CC#
    Posts
    17,943
    Quote Originally Posted by SonsOfLiberty View Post
    Edited quote it's not useless
    If it is valuable for cops, then someone will be able to take the program apart and be able to make a program that eliminates what it is looking for. That is good, IMO (in light of my above post).
    Last edited by SonsOfLiberty; 11-09-2009 at 01:13 AM.

  8. News (Archive)   -   #8
    SonsOfLiberty's Avatar The Lonely Wanderer
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    I take back what I said, I've delved deeper into it.

    I guess it can break shit apart, but there are hackers who've been doing this for years, and it's a police tool, I mean they've been doing this for years stated in the article even before this program was around.

    Computer Online Forensic Evidence Extractor (COFEE) is a modified USB flash drive for investigators for quick extraction of forensic data from computers that are suspected to contain evidence of criminal activity. It allows investigators to search through data onsite as an automated forensic tool. The device, developed by Microsoft, is activated by being plugged into a USB port, and purportedly contains 150 commands that can dramatically cut the time it takes to gather digital evidence (estimates cited by Microsoft state that a job that previously took 3-4 hours can be done with COFEE in as little as 20 minutes). These commands offer such functions as the ability to decrypt passwords, search a computer's Internet activity, and analyze the data stored on a computer — including data stored in volatile memory, which could be lost if the computer were shut down for transport to a lab. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

    COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team. Fung conceived of the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15 countries.

    A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.

    In April 2009 Microsoft and INTERPOL signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with INTERPOL develops programs for training forensic experts in using COFEE. The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.

    On November 6, 2009, Microsoft COFEE leaked onto various BitTorrent websites.

    Microsoft COFEE, Some of the Most Illegal Software You Can Pirate
    http://gizmodo.com/5399377/microsoft...you-can-pirate
    Last edited by SonsOfLiberty; 11-09-2009 at 12:56 AM.

  9. News (Archive)   -   #9
    Rart's Avatar Hold The Line
    Join Date
    Jul 2009
    Posts
    3,826
    Quote Originally Posted by SonsOfLiberty View Post
    These commands offer such functions as the ability to decrypt passwords
    Has that always been an easy thing to do or is that kinda scary? A lot could be done with that if put in the wrong hands...

  10. News (Archive)   -   #10
    SonsOfLiberty's Avatar The Lonely Wanderer
    Join Date
    Dec 2008
    Location
    Capital Wasteland
    Posts
    19,213
    There are programs out that can decrypt WinRAR passwords, and there are password breakers and password decrypters around...

    How do you think you can rip a DVD?
