
Microsoft COFEE Leaked

54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"
  • free alternative (Score:3, Interesting)

    by telenut ( 1673970 ) on Sunday November 08, 2009 @11:18AM (#30021938)
    Ok, the tool from Microsoft is 'free' also, but here is something with way more options: http://wiki.hak5.org/wiki/USB_Switchblade [hak5.org]
  • by Dr. Evil ( 3501 ) on Sunday November 08, 2009 @11:40AM (#30022128)

    Why has the STD distro not been updated in over 5 years?

    Have you tried http://www.remote-exploit.org/backtrack.html [remote-exploit.org]? It's geared towards pen testing and ethical hacking... but it's VERY good, and modern.

  • by Deagol ( 323173 ) on Sunday November 08, 2009 @12:26PM (#30022570) Homepage

    They'll get you, one way or the other.

    I'm too lazy to find links, but there was a case a while back of some minor who was accused of accessing child porn from one of Yahoo's services. By all accounts I've read, the defense correctly used the high probability of malware infection to introduce doubt that he actually downloaded the CP himself. Facing a harsh, drawn-out legal battle (as most defendants in these cases do), the family took a plea. The boy pleaded to a count of (something like) corruption of a minor. His "crime"? He apparently gave (or displayed -- can't recall) some adult magazine to one of his fellow under-aged buddies.

    That's right, folks, some kid ended up with a criminal record and a listing on his local sex offender list for looking at nude pin-ups with a friend, something countless curious teen boys have done since nude centerfolds have been around.

    Won't somebody think of the children?!?

  • Re:But (Score:3, Interesting)

    by LO0G ( 606364 ) on Sunday November 08, 2009 @01:05PM (#30023008)

    As far as I know, COFEE is only used when you have a search warrant. If you have a search warrant, then by definition there is no right to privacy - by granting the search warrant, the court has said that investigators are allowed to look at your stuff.

    In the past, people have tried the "I was framed by the police" gambit before with very limited success - typically courts assume that the people investigating crimes aren't out to plant evidence. I'm not sure that this is a wise decision on the part of the courts but it is what it is.

  • by Plekto ( 1018050 ) on Sunday November 08, 2009 @01:10PM (#30023048)

    Anyone who is truly concerned with security knows that you take your drive with you and/or lock it up at night. Thankfully SSDs are lightweight and easy to stick in a pocket. I'm amazed at how many businesses don't have any physical protection plan in place, because that's how most data ends up getting into the wrong hands.

    http://www.startech.com/item/SAT2510U2REM-InfoSafe-35-Bay-Removable-25-SATA-Drive-Enclosure.aspx [startech.com]
    Under $40 for this model.

  • by Anonymous Coward on Sunday November 08, 2009 @01:46PM (#30023410)

    One of the things that happened during the "Hacker Crackdown" in 1990 was that Law Enforcement were trained to quickly separate people and their computers. Then take pictures of the set-up before touching anything. IDK if that is still the case or if they do it for, say, any old warrant they are serving.

  • WRONG (Score:3, Interesting)

    by Anonymous Coward on Sunday November 08, 2009 @09:21PM (#30027416)
    IAAGCFA. (I am a GIAC Certified Forensic Analyst)

    You are 100% incorrect.

    I would think even mere insertion of a USB device into a computer could lead to all sorts of problems

    The mere insertion of a USB device has its problems. First, you have to differentiate. Say, on a WinXPsp2 machine, a USB device has no working autostart mechanism. You can circumvent that, e.g. by using those "U3" devices that emulate a CD drive (Autostart is working fine with CD drives if you didn't disable autorun at all) or, like the Conficker worm does, by displaying an "open folder" icon that will result in the action of calling a program. But by default, the recent MS OSes do not allow autorun via USB sticks.

    Now, that having been said, there still are some problems with the mere insertion of a USB device. The one I know of is that typically Windows makes a "bing" noise when a USB stick is inserted. This means that the Windows "USB insertion bing noise".wav is getting read and thus the "read" timestamp of that file gets modified. This results in the fact that after plugging in a USB stick, the forensic analyst might not be able to determine when a USB stick was last plugged into that machine prior to the said USB stick having been plugged into it. This might be especially of concern if you want to find out how a certain piece of malware entered a PC, which happened to be via a USB stick exactly the last time a USB stick was plugged into the forensically examined PC.

    So, let's go on...

    that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image.

    Well, yes, sort of. Cloning images of drives with "read-only" adaptors is done for post mortem analysis. I mean the following:

    If the investigator is called to a site with an already unplugged device, this is the usual procedure - that way it is ensured, that no evidence is altered in any way.

    However, the situation is completely different when the investigator is faced with a live system. Because there, you have a huge amount of information that will get destroyed by unplugging the system. In former times, investigators were taught to unplug the system and then to clone the drive with a write-blocker, like you said. But this removes volatile evidence like:

    • registers, cache
    • routing table, arp cache, process table, kernel statistics, etc.
    • memory
    • temporary file systems

    See RFC 3227 - Guidelines for Evidence Collection and Archiving [ietf.org] for more. So, when encountering a live system, switching it off and cloning the disk with a write-blocker is so much more problematic in terms of destroying evidence than plugging in a forensically sound USB thumb drive, as it gets.

    You see, the consequences of plugging in a forensically sound device - and plugging it in will have some consequences and ultimately result in the destruction of some evidence - can be reproduced and thus can be tolerated in court without problems. NOT plugging in that device will lead to much much greater destruction of evidence.
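The two points the comment above makes (collect volatile data first, per the RFC 3227 order of volatility, and document the footprint your own tooling leaves, such as the access timestamp of a file your action caused to be read) are easy to demonstrate in a small live-response manifest builder. The following is an added example written for this thread; it is not the commenter's tool, not COFEE, and not any named forensic product. The `ORDER_OF_VOLATILITY` ranks are this example's own encoding of the RFC 3227 list, and the collectors in the demo (`platform.uname()`, a listing of the temp directory, a deliberately unavailable memory dump) are constructed stand-ins for real acquisition steps.

```python
# Added example (not from the thread): collect artifacts most-volatile first,
# hash each capture immediately so the manifest can be re-verified, and record
# which file timestamps the examiner's own actions changed.
import hashlib
import os
import platform
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# RFC 3227 section 2.1, most volatile first. The numeric ranks are this
# example's own encoding of that list (assumption, not part of the RFC).
ORDER_OF_VOLATILITY = {
    "registers_cache": 0,
    "routing_arp_process_kernel": 1,
    "memory": 2,
    "temporary_filesystems": 3,
    "disk": 4,
    "remote_logging_monitoring": 5,
    "physical_config_topology": 6,
    "archival_media": 7,
}


@dataclass
class Artifact:
    name: str
    category: str                  # key into ORDER_OF_VOLATILITY
    collector: Callable[[], bytes]  # returns the raw capture


@dataclass
class Record:
    name: str
    category: str
    started: float
    finished: float = 0.0
    sha256: str = ""
    size: int = 0
    error: str = ""


def collect_in_order(artifacts: List[Artifact]) -> List[Record]:
    """Run collectors most-volatile first. Each capture is hashed as soon as it
    is taken; a failing collector is logged in the manifest and collection
    continues with the remaining, less volatile, items."""
    ordered = sorted(artifacts, key=lambda a: ORDER_OF_VOLATILITY[a.category])
    records: List[Record] = []
    for art in ordered:
        rec = Record(art.name, art.category, started=time.time())
        try:
            data = art.collector()
            rec.sha256 = hashlib.sha256(data).hexdigest()
            rec.size = len(data)
        except Exception as exc:   # deliberately broad: never abort mid-triage
            rec.error = f"{type(exc).__name__}: {exc}"
        rec.finished = time.time()
        records.append(rec)
    return records


def snapshot_times(paths: List[str]) -> Dict[str, Tuple[int, int]]:
    """(atime_ns, mtime_ns) per path, taken before and after an action so the
    examiner can state exactly which timestamps that action changed."""
    out: Dict[str, Tuple[int, int]] = {}
    for p in paths:
        st = os.stat(p)
        out[p] = (st.st_atime_ns, st.st_mtime_ns)
    return out


def changed_timestamps(before: Dict[str, Tuple[int, int]],
                       after: Dict[str, Tuple[int, int]]) -> List[str]:
    """Paths whose access or modification time differs between two snapshots
    (a path missing from the second snapshot also counts as changed)."""
    return sorted(p for p in before if before.get(p) != after.get(p))


def unavailable_memory_dump() -> bytes:
    # Constructed stand-in: shows that a failed acquisition is recorded, not fatal.
    raise NotImplementedError("no acquisition driver loaded")


if __name__ == "__main__":
    artifacts = [
        Artifact("uname", "physical_config_topology",
                 lambda: repr(platform.uname()).encode()),
        Artifact("tmp-listing", "temporary_filesystems",
                 lambda: "\n".join(sorted(os.listdir(tempfile.gettempdir()))).encode()),
        Artifact("memory-dump", "memory", unavailable_memory_dump),
    ]
    for r in collect_in_order(artifacts):
        print(f"{r.category:26} {r.name:12} sha256={r.sha256[:16]} size={r.size} err={r.error}")

    # Footprint check: simply reading a file may bump its atime (depending on
    # the filesystem's atime policy), the same side effect the comment above
    # describes for the USB-insertion sound file.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed sample")   # constructed, not real evidence
        sample = fh.name
    before = snapshot_times([sample])
    time.sleep(0.01)
    with open(sample, "rb") as fh:
        fh.read()
    print("timestamps changed by our own read:",
          changed_timestamps(before, snapshot_times([sample])))
    os.unlink(sample)
```

Whether the read in the demo actually changes the access time depends on the mount's atime policy (`noatime`/`relatime` on Linux, NTFS last-access tuning on Windows), which is precisely why the footprint has to be measured on the examined system rather than assumed; the manifest then records that measured effect alongside the hashes so it can be reproduced later.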
