
Microsoft COFEE Leaked

54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"
  • Re:But (Score:5, Informative)

    by hansraj ( 458504 ) on Sunday November 08, 2009 @10:31AM (#30021524)

    Wikipedia is your friend [wikipedia.org].

  • by Anonymous Coward on Sunday November 08, 2009 @11:18AM (#30021942)
    I've been doing computer forensics for twenty five years. I am the original poster and I happen to know exactly what I'm talking about, having been prompted to give detailed feedback about Microsoft's COFEE "suite".

    The lowdown:

    It doesn't do anything that any number of freely available, open source tools don't do (most of which, or at least most of the lineage of which, can be found in Knoppix-STD (www.knoppix-std.org)), and it happens to do them poorly.
  • by Anonymous Coward on Sunday November 08, 2009 @11:30AM (#30022040)
    Bingo. First thing I thought was "generic stock photograph". That one's not too bad, but some of them are really obvious, like the ones of three people standing round a computer in a modern-looking airy office, smiling their white teeth and looking "businesslike". Really obvious stock photo that makes anyone that uses it look cheesy.
  • by Lloyd_Bryant ( 73136 ) on Sunday November 08, 2009 @12:00PM (#30022334)

    Most warrants are specific... not that I'd want to defend myself on that basis, but I'm sure a good lawyer could help you if you were investigated for child porn and the only thing they find is some evidence of Internet gambling.

    On the other hand, I'd stop the Internet gambling right away, because you know they'd be looking for a way to justify getting you for that having 'lost' the child porn case.

    The *warrant* is specific, but if, in the service of the warrant, the officer finds something else, that evidence *can* be seized, and I believe it would be admissible in a court of law (IANAL!).

    The police cannot search for something that is not on the warrant, however. So if the warrant specifies a "bicycle", the police would have no business looking in your sock drawer (unless said sock drawer was large enough to hold the bicycle, of course). But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

    Given the nature of a computer search, I'd expect anything on the hard drive to be fair game...

  • by quickOnTheUptake ( 1450889 ) on Sunday November 08, 2009 @12:31PM (#30022626)

    Most warrants are specific

    Yes but IIRC, in the US, they can use any evidence, even of a crime other than what the warrant was initially for, if they found it while carrying out a legitimate search, while acting within the scope of the warrant.
    This happens with Terry stops all the time: The officer has a right to perform a limited search of a suspect (a pat down) to ensure he isn't armed, but in so doing finds a nickel bag, which he can keep as evidence, even though that wasn't what he was allowed to look for.
    I believe this goes back to the plain view doctrine [wikipedia.org].
    Car analogy: If they have a warrant to search your car for coke, and while searching, notice a bloody body in the trunk and a machete with your fingerprints and the victim's blood on it in the glove box, they can certainly charge you with murder, even though that's what the warrant was for.
    IANAL

  • by Anonymous Coward on Sunday November 08, 2009 @12:37PM (#30022694)

    Having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).

    I saw the photos of the damage caused by the Calgary Police: cut keyboard cables, broken doors, general damage done to the house, broken commercial (legally bought PS3 games, music, films) CD/DVD/BDs, broken case covers, and cut USB cables are just a few examples of the damage left in the Calgary Police's wake.

    The items stolen by the Calgary Police under a possibly false warrant included TVs, old laptops from the mid-90s, USB media, most items labeled Sony, SUN Sparc systems, Compaq Alphas, a PS3, network switches, and anything the Calgary Police felt proved his innocence. The official list of items stolen was never provided to him, as the Calgary Police refused to provide it, even to his lawyer.

    He was handcuffed, body searched, and threatened by Calgary Police with their hands on their pistols to hand over passwords. He refused, and took physical damage. He feels he would have been shot if his Lawyer and Minister hadn't been contacted.

    When the Calgary Police found Gnu/Linux on most systems, they told him 'Only hackers use Linux'.

    No charges were laid as a result of the raid. Calgary Police had the items for more than 6 months. When the items were returned, some were no longer working.

  • by Anonymous Coward on Sunday November 08, 2009 @12:40PM (#30022740)
    In an academic environment, yes, but unfortunately the courts are happy to accept that "all efforts were made to ensure the tools used on the live system were free from tampering and their effects on the live system are documented to not damage the integrity of the system's normal operation"; thus the evidence gathered using such tools on a live system is usually accepted.
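    The "free from tampering" half of the standard quoted above is usually backed in practice by hashing the response kit against a known-good manifest before it is run and writing the result into the case notes. The following is an added example of such a check (not code from the thread, from COFEE or from Helix3); the tool file names, manifest layout and file contents are constructed for the demo.

```python
"""Integrity check for a live-response toolkit before it touches a live system.
Added example, not code from the thread or from COFEE/Helix3; the tool names,
manifest format and sample bytes are constructed for the demo."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(tool_dir: Path) -> dict:
    """Hash every tool once, on a trusted workstation; keep the result read-only."""
    return {p.name: sha256_file(p) for p in sorted(tool_dir.iterdir()) if p.is_file()}

def verify_toolkit(tool_dir: Path, manifest: dict) -> dict:
    """Compare the kit on the response media with the manifest. Any non-empty
    list means this is not the documented toolkit and it must not be run."""
    present = {p.name: sha256_file(p) for p in tool_dir.iterdir() if p.is_file()}
    return {
        "modified": sorted(n for n in manifest if n in present and present[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in present),
        "unexpected": sorted(n for n in present if n not in manifest),
    }

def is_clean(report: dict) -> bool:
    return not any(report.values())

def audit_entry(tool_dir: Path, report: dict) -> str:
    """One JSON line for the case notes: what was checked, when, and the verdict."""
    return json.dumps({"checked_at": datetime.now(timezone.utc).isoformat(),
                       "toolkit": str(tool_dir), "clean": is_clean(report), **report})

def demo() -> tuple:
    """Constructed scenario: hash a kit, then alter one tool and add a stray file."""
    with tempfile.TemporaryDirectory() as d:
        kit = Path(d)
        (kit / "collect_procs.exe").write_bytes(b"trusted build A")  # constructed bytes
        (kit / "collect_net.exe").write_bytes(b"trusted build B")
        manifest = build_manifest(kit)
        before = verify_toolkit(kit, manifest)
        (kit / "collect_net.exe").write_bytes(b"altered on the USB stick")
        (kit / "extra.dll").write_bytes(b"not in the manifest")
        after = verify_toolkit(kit, manifest)
        return before, after, audit_entry(kit, after)
```

    The manifest itself must live somewhere the response media cannot alter (a signed file on the examiner's workstation, or in the case file), otherwise a modified kit can simply ship a matching manifest.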
  • by dkleinsc ( 563838 ) on Sunday November 08, 2009 @01:55PM (#30023504) Homepage

    Well, that sort of thing comes from the idea that if we don't tell kids about sex then they won't have it. You know, unlike their parents, grandparents, great-grandparents, and great-great-grandparents.

  • by cawpin ( 875453 ) on Sunday November 08, 2009 @03:14PM (#30024136)

    But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

    No they can't. They can only seize it if it is illegal, by itself, for the owner to possess. Now, if they find drugs as well they can probably do so under the right circumstances.

    Owning a firearm, in and of itself, is not illegal for most people. This, of course, excludes certain persons such as felons, the mentally unstable and most legal, yes legal, aliens.

  • by nairb774 ( 728193 ) on Sunday November 08, 2009 @03:40PM (#30024310)
    IANAL, but I think the concept you are looking for is "in plain sight". Programs like this make a lot more things on your computer become visible in a standard search - enough so that the question of whether it qualifies for "in plain sight" has been discussed here and a court case reported on in a Slashdot article.
  • Re:But (Score:3, Informative)

    by Runaway1956 ( 1322357 ) * on Sunday November 08, 2009 @08:24PM (#30026890) Homepage Journal

    Try Helix3. Don't jump up and down, telling me that it's another Linux LiveCD. There is a Windows executable in the root directory to capture system state stuff. When that finishes, you can reboot to the LiveCD for more tools.

    They have an outdated version that is free, and if you wish to pay about 7 or 8 hundred bucks, you can get the up-to-date version.
