
Microsoft COFEE Leaked

Posted by Soulskill
from the not-so-hot-cofee-incident dept.
54mc writes "Crunchgear reports that Microsoft's long-searched-for forensics tool, COFEE, has been leaked. The tool started on a small, private tracker, but has since worked its way to The Pirate Bay. Not all those who have gotten hold of it are enthused, and reviews have ranged from 'disappointing' to 'useless.' From the article: 'You have absolutely no use for the program. It's not something like Photoshop or Final Cut Pro, an expensive application that you download for the hell of it on the off-chance you need to put Dave Meltzer's face on Brett Hart's body as part of a message board thread. No, COFEE is 100 percent useless to you.'"

  • by smallfries (601545) on Sunday November 08, 2009 @09:08AM (#30021324) Homepage

    It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.

    • by nurb432 (527695)

      It sounds so basic that you really don't need to see the application to prevent it from hurting you.

    • by pla (258480) on Sunday November 08, 2009 @10:03AM (#30021806) Journal
      It's a bit short-sighted to say that nobody does. I'm sure there are lots of people out there with material on their machines that they wouldn't want a law enforcement officer to find. This tool would be perfect for their needs.

      As a fan of maximizing my privacy, I would find such a tool useful just for auditing the effectiveness of my standard cleanup procedures.

      You don't need to break the law to have an interest in others not seeing what you do with your computer. Whether making sure you haven't left personal financial information unencrypted on your machine, or have accidentally clicked "yes" to have your browser remember your passwords, or simply your taste in porn stars... All legal, yet things you probably would rather not leave lying around for anyone other than yourself.

      Now, aside from that, don't forget that police exist to help prosecute cases, not to protect us or find the guilty party or any fluffy BS like that. Once they have you in their sights, the less they can dig up, the better. "Good news - Your alibi checked out, you didn't kill that girl. Bad news - Your computer proves that you played poker online once last year, enjoy your 2+ year federal sentence".

      And hey, who better to know where Windows leaks information than Microsoft itself? Not that I would trust them as my sole source of privacy maintenance, but as I said, for auditing "best practices", such a tool would appear fairly useful.
      • Re: (Score:3, Insightful)

        by Baron_Yam (643147)

        Most warrants are specific... not that I'd want to defend myself on that basis, but I'm sure a good lawyer could help you if you were investigated for child porn and the only thing they find is some evidence of Internet gambling.

        On the other hand, I'd stop the Internet gambling right away, because you know they'd be looking for a way to justify getting you for that having 'lost' the child porn case.

        • by Lloyd_Bryant (73136) on Sunday November 08, 2009 @11:00AM (#30022334)

          Most warrants are specific... not that I'd want to defend myself on that basis, but I'm sure a good lawyer could help you if you were investigated for child porn and the only thing they find is some evidence of Internet gambling.

          On the other hand, I'd stop the Internet gambling right away, because you know they'd be looking for a way to justify getting you for that having 'lost' the child porn case.

          The *warrant* is specific, but if, in the service of the warrant, the officer finds something else, that evidence *can* be seized, and I believe it would be admissible in a court of law (IANAL!).

          The police cannot search for something that is not on the warrant, however. So if the warrant specifies a "bicycle", the police would have no business looking in your sock drawer (unless said sock drawer was large enough to hold the bicycle, of course). But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

          Given the nature of a computer search, I'd expect anything on the hard drive to be fair game...

          • by cawpin (875453) on Sunday November 08, 2009 @02:14PM (#30024136)

            But if the warrant specifies drugs (which could reasonably be hidden in a sock drawer), and when searching the sock drawer find a pistol, they can seize the pistol, even though it's not on the warrant.

            No they can't. They can only seize it if it is illegal, by itself, for the owner to possess. Now, if they find drugs as well they can probably do so under the right circumstances.

            Owning a firearm, in and of itself, is not illegal for most people. This, of course, excludes certain persons such as felons, the mentally unstable and most legal, yes legal, aliens.

            • No they can't. They can only seize it if it is illegal, by itself, for the owner to possess. Now, if they find drugs as well they can probably do so under the right circumstances.

              Actually, they *can* seize a perfectly legal weapon, if the police can assert that they felt it was necessary to do so to ensure their safety while performing the search. Of course, if they do this, they have to give it back again (I'm assuming they can make you jump through hoops to get it back).

              That said - I didn't explicitly state it was an unlawful weapon (unregistered, in possession of a felon, etc), but that *was* what I meant. A better example would be if they were searching for cocaine, and in the

          • Re: (Score:2, Informative)

            by nairb774 (728193)
            IANAL, but I think the concept you are looking for is "in plain sight". Programs like this make a lot more things on your computer become visible in a standard search - enough so that the question of whether it qualifies for "in plain sight" has been discussed here and a court case reported on in a Slashdot article.
        • by Deagol (323173) on Sunday November 08, 2009 @11:26AM (#30022570) Homepage

          They'll get you, one way or the other.

          I'm too lazy to find links, but there was a case a while back of some minor who was accused of accessing child porn from one of Yahoo's services. By all accounts I've read, the defense correctly used the high probability of malware infection to introduce doubt that he actually downloaded the CP himself. Facing a harsh, drawn-out legal battle (as most defendants in these cases do), the family took a plea. The boy pleaded to a count of (something like) corruption of a minor. His "crime"? He apparently gave (or displayed -- can't recall) some adult magazine to one of his fellow under-aged buddies.

          That's right, folks, some kid ended up with a criminal record and a listing on his local sex offender list for looking at nude pin-ups with a friend, something countless curious teen boys have done since nude centerfolds have been around.

          Won't somebody think of the children?!?

        • by quickOnTheUptake (1450889) on Sunday November 08, 2009 @11:31AM (#30022626)

          Most warrants are specific

          Yes but IIRC, in the US, they can use any evidence, even of a crime other than what the warrant was initially for, if they found it while carrying out a legitimate search, while acting within the scope of the warrant.
          This happens with Terry stops all the time: The officer has a right to perform a limited search of a suspect (a pat down) to ensure he isn't armed, but in so doing finds a nickel bag, which he can keep as evidence, even though that wasn't what he was allowed to look for.
          I believe this goes back to the plain view doctrine [wikipedia.org].
          Car analogy: If they have a warrant to search your car for coke, and while searching, notice a bloody body in the trunk and a machete with your fingerprints and the victim's blood on it in the glove box, they can certainly charge you with murder, even though that's what the warrant was for.
          IANAL

          • . . . that's not what the warrant was for.
            FTFM
          • plus if they find Y (or evidence of Y) during a search for X they can in fact ring up a judge to amend the warrant to include Y or W or Z or ...
            this can also be used to expand the search area if evidence supports same (they have a warrant for your house but not grounds and they see something in the house that points to your shed in the garden having evidence; they can get the warrant expanded to include the grounds (which they should have had anyway))

        • by DarkOx (621550)

          Um, warrants are specific, but you certainly can be prosecuted based on evidence discovered pursuant to an otherwise legal search on an unrelated matter. So hypothetically let's say the police suspect you of dealing in child porn (since you used that example) and get a warrant to search your computer for electronic mails relating to that activity.

          If They then open your mail program and the first 10 message subjects displayed are all "hey man its your bookie where is my money for the CAVs game yesterday" they w

      • by blueg3 (192743)

        COFEE is a live-response tool. It's by no means sufficient to audit the effectiveness of your cleanup procedures.

      • by AmiMoJo (196126)

        What I'd like to know is does this thing work with autorun disabled? Say your PC booted up but locked, will this thing be able to access the data on it?

        It's important because if it can then it bypasses the usual autorun mechanism, which as a security precaution I leave disabled and which Vista/7 put up UAC prompts for. I already disabled my Firewire port because that can be used to access the computer's RAM via DMA without any user interaction.

        • by pla (258480)
          What I'd like to know is does this thing work with autorun disabled?

          You use virtually all forensic tools like this on an offline system - Meaning that you most likely boot to it, and it inspects the HDD in read-only mode.

          Actually using this on a live, running system just begs to have any findings thrown out on grounds of tampering with the evidence... "So, you use this little USB stick on a lot of machines, Officer? Did any of those machines have a virus? Congratulations, you didn't find child porn,
          • by AmiMoJo (196126)

            COFEE runs on a running system. Encryption is a big problem for law enforcement so they need tools which can grab keys from a working system. If you read the documentation it states that the software is designed to have as little impact on the running system as possible.

    • by Anonymous Coward on Sunday November 08, 2009 @10:22AM (#30021974)

      I agree. Using the software may not prove useful, but studying the software to see how it works might be. It is said the software can decrypt passwords and access otherwise inaccessible files. If true, that would be a major security hole that black hats could exploit, so the public has the right to know what exactly COFEE does, how it works, and how to defend their systems from it and similar software.

      • It is said the software can decrypt passwords and access otherwise inaccessible files

        This is probably true if one depends upon Microsoft products for their security (ha). However, I would wager that the sorts of people that COFEE is typically used against are not depending upon the built-in Microsoft file encryption for their security needs. They probably use open-source security tools (non-Microsoft browser with private browsing, TrueCrypt or other Full Disk Encryption software, and hidden partitions/OS). There are generally two types of people in this world when it comes to security; (1)

  • by nurb432 (527695) on Sunday November 08, 2009 @09:16AM (#30021374) Homepage Journal

    So, don't run windows, encrypt your drive with hidden partitions and turn the thing off when the cops arrive.

    • Yes, and install a Big Red Switch [wikipedia.org].
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      One of the things that happened during the "Hacker Crackdown" in 1990 was that Law Enforcement were trained to quickly separate people and their computers. Then take pictures of the set-up before touching anything. IDK if that is still the case or if they do it for say any old warrant they are serving.

      • Most computers can be hard shutdown in seconds by cutting the power. It would be extremely difficult to sneak up on someone fast enough, particularly in their own residence, to prevent them from flipping the power switch.
      • by syncrotic (828809)

        Mercury tiltswitch from a thermostat + relay. Cuts the power if anyone tries to move your box. It wouldn't be hard to wire it such that it sends mains voltage to your hard drives instead, but I stopped short of that because I was just doing it for fun and didn't want an accidental kick to the tower to destroy all of my data.

    • And watch out for evil maids [schneier.com] installing [blogspot.com] malware [stoned-vienna.com] that subverts your encryption and sends/stores everything unencrypted.
      And don't tell me that ain't easy with Linux.
      That's right, you can never leave your computer unlocked unattended. Realistic?

  • by Anonymous Coward on Sunday November 08, 2009 @09:16AM (#30021384)
    From the description on the link site, which I think was quoting MS about what does an untrained beat cop do when they find digital evidence? Step back, don't touch it, and call in the law-enforcement folks who are trained and won't destroy the evidence. It's hard enough to get a jury to understand evidence pulled off of a computer - these folks see viruses or similar on their own machines that "just magically appears" so surely the defense's argument that the kiddie porn just magically appeared on his client's machine is completely possible. Having the defense say, "Mr. Officer, you admit to having no background in computer forensics, and you admit to not knowing what the program does. You admit to clicking on the talking paperclip when it said, "I see you are trying to bust a felon. Would you like me to help you?" but have no idea what then happened? Your honor, I move that the case be dismissed because the so-called evidence has obviously not followed the proper evidentiary chain." I'm posting anon because I've gone through the proper training at places like FLETC [fletc.gov] and it's something they drill into us, time and time again. If you're not sure you're qualified to handle investigating the content on the computer, don't touch it. Get someone who is qualified.
    • by ledow (319597) on Sunday November 08, 2009 @09:55AM (#30021740) Homepage

      I would think even mere insertion of a USB device into a computer could lead to all sorts of problems - what if that USB key had a virus that transferred itself to the PC and then deleted itself from the USB device? The fact that this is a bog-standard set of files means that someone has to put these programs onto a writable USB drive (it's possible it's write-once but I would be dubious of that actually being the case) and then plug it into a computer - exactly the action that companies block by default because of the potential for rogue programs to be introduced and destroy/modify data.

      Want to put someone in jail? Put something illegal on that USB drive, plug it into their computer with an autorun script that copies itself over and then deletes itself (and the script) from the USB drive. Then claim that it was a *different* drive you put in and submit a "clean" drive as evidence if they demand to see it.

      Not to mention that actually doing *anything* on the original PC is damn stupid anyway but relying on a USB stick to run it? That's got to be asking for trouble. Oh, and disable USB and you've just stopped that attack.

      I was always told that *anything* capable of writing to the drive or modifying the data you're trying to access was a no-no... that's why they image the drives through special "read-only" adaptors (apparently harder with SATA nowadays) and then analyse the image. Saving transient information onto a writable USB stick by execution of a program from that stick? Sounds like a recipe for disaster. That's gotta touch your swap or do something to memory in order to execute and proving that happened cleanly and provided a complete accurate copy of the contents of RAM/disk/swap before you plugged it in is probably impossible.

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Once again, slashdotters seem to think that because something involves a computer it's a new concept, rather than one that has been around since the beginning of civilization.

        How is that ANY different than any other case where someone given the task of investigating a crime decides to set up a frame instead? It's not. Planting files on someone's hard drive is exactly like planting fingerprints. Or before fingerprints, planting a gun. Or before guns, planting a weapon with blood on it.

        Please stop thinkin

      • WRONG (Score:3, Interesting)

        by Anonymous Coward
        IAAGCFA. (I am a GIAC Certified Forensic Analyst)

        You are 100% incorrect.

        I would think even mere insertion of a USB device into a computer could lead to all sorts of problems

        The mere insertion of a USB device has its problems. First, you have to differentiate. Say, on a WinXPsp2 machine, a USB device has no working autostart mechanism. You can circumvent that, e.g. by using those "U3" devices that emulate a CD drive (Autostart is working fine with CD drives if you didn't disable autorun at all) or like the Conficker worm does, by displaying an "open folder" icon that will result in the action of calling
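Added example, not from the thread and not COFEE's own code: a Python heuristic scanner for the autorun.inf tricks the GCFA comment above describes, which is also the mechanism behind ledow's "autorun script that copies itself over" frame-up scenario and AmiMoJo's question about running with autorun disabled. Windows' INI handling is lenient (keys compared case-insensitively, whitespace around "=" ignored, lines that are not key=value skipped), which is what let worm-era autorun.inf files carry junk padding while still getting `shellexecute=` honoured; pairing it with `Action=Open folder to view files` and the shell32.dll folder icon makes the AutoPlay entry look like Explorer's own. The two sample files, the payload path, the "first occurrence wins" rule and the shell32 folder icon indexes (3 and 4) are constructed or assumed for illustration.

```python
"""Heuristic scan of autorun.inf for the "fake Open folder" AutoPlay trick.

Added example (not from the Slashdot thread and not COFEE code). The two sample
files below are constructed for illustration; the payload path is made up.
"""
import re
from dataclasses import dataclass, field

# Values of these keys are executed when AutoRun is honoured for the drive.
EXEC_KEYS = ("open", "shellexecute")
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")   # shell\<verb>\command=
FOLDER_ICON_INDEXES = ("3", "4")   # assumed: shell32.dll icons 3/4 are Explorer's folder icons


@dataclass
class AutorunReport:
    entries: dict = field(default_factory=dict)   # normalised key -> value
    findings: list = field(default_factory=list)

    @property
    def executes_code(self) -> bool:
        return any(f.startswith("executes:") for f in self.findings)

    @property
    def suspicious(self) -> bool:
        # code execution dressed up to look like Explorer's own "Open folder" entry
        return self.executes_code and any("imitates" in f for f in self.findings)


def parse_autorun(text: str) -> dict:
    """Lenient INI parse of the [autorun] section.

    Mirrors what makes padding tricks work: keys are case-insensitive,
    whitespace around '=' is ignored, and any line that is not key=value
    (binary junk, comments, stray text) is skipped. First occurrence wins here."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key and key not in entries:
            entries[key] = value.strip()
    return entries


def analyse_autorun(text: str) -> AutorunReport:
    entries = parse_autorun(text)
    report = AutorunReport(entries=entries)
    # 1. Anything that runs code on insertion or from the AutoPlay/double-click entry.
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
            report.findings.append(f"executes: {key}={value}")
    # 2. The disguise: AutoPlay lists the autorun.inf action first, with its icon,
    #    so "Open folder to view files" plus a shell32 folder icon imitates Explorer's entry.
    action = entries.get("action", "")
    icon = entries.get("icon", "")
    if "open folder" in action.lower():
        report.findings.append(f"action imitates Explorer: {action}")
    base, _, index = icon.rpartition(",")
    if base.lower().endswith("shell32.dll") and index.strip() in FOLDER_ICON_INDEXES:
        report.findings.append(f"icon imitates a folder: {icon}")
    # 3. useautoplay=1 asks Windows to use AutoPlay instead of plain AutoRun for the disc.
    if entries.get("useautoplay") == "1":
        report.findings.append("useautoplay=1 requests the AutoPlay dialog")
    return report


# Constructed sample: an ordinary disc label/icon file, nothing executable.
BENIGN_INF = """[autorun]
icon=product.ico
label=Product Disc
"""

# Constructed in the style of the worm-era autorun.inf: junk lines, odd casing,
# an Explorer look-alike entry, and a rundll32 payload under a RECYCLER path.
MALICIOUS_INF = """[AutoRun]
\x01\x8f junk padding that the INI parser ignores \x02\x9b
Action=Open folder to view files
Icon=%systemroot%\\system32\\shell32.dll,4
ShElLeXeCuTe = rundll32.exe .\\RECYCLER\\payload.dll,entrypoint
UseAutoPlay=1
"""


if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("malicious", MALICIOUS_INF)):
        r = analyse_autorun(inf)
        print(f"{name}: suspicious={r.suspicious} findings={r.findings}")
```

This only tells you what the file asks for. Whether Windows would actually honour it depends on the NoDriveTypeAutoRun policy and on whether the device presents itself as removable storage or as a CD-ROM (the U3 case the comment above raises), so a clean result here is no substitute for a write-blocked, imaged drive.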

  • by beatsme (1472991) on Sunday November 08, 2009 @09:22AM (#30021438)
    Come on, the setup is so obvious!
  • by Bananatree3 (872975) on Sunday November 08, 2009 @09:33AM (#30021554)

    It's a tool written by Microsoft, for Microsoft products. Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As added bonus, there's no viruses, no nasties that'll install on your system. No COFEE or other LEO programs to infect your privacy.

    HURD...The only sensible solution. [wikipedia.org]

    • by Dogtanian (588974)

      Do you have nefarious stuff you'd rather not have leaked? Warez or other secret stuff you'd rather keep hidden? The solution? Don't run Windows, run HURD! As added bonus, there's no viruses, no nasties that'll install on your system.

      Are you fucking serious?! The HURD has been in development for almost 20 years, still isn't properly finished, and I've never heard of any software for it, aside (I assume) from the GNU stuff that forms the basis of any Linux distro anyway.

      The HURD has likely missed the boat anyway, Linux drove it away years ago.

    • Re: (Score:3, Insightful)

      by supersat (639745)
      There's no viruses or nasties for it because NOTHING RUNS ON IT. ;)
    • Anyone who is truly concerned with security knows that you take your drive with you and/or lock it up at night. Thankfully SSDs are lightweight and easy to stick in a pocket. I'm amazed at how many businesses don't have any physical protection plan in place, because that's how most data ends up getting into the wrong hands.

      http://www.startech.com/item/SAT2510U2REM-InfoSafe-35-Bay-Removable-25-SATA-Drive-Enclosure.aspx [startech.com]
      Under $40 for this model.

      • by Asic Eng (193332)
        People who are truly concerned with security don't get mugged?
      • by Minwee (522556)

        Anyone who is truly concerned with security knows that you take your drive with you [...] that's how most data ends up getting into the wrong hands.

        You've got that right. Many of the people I have worked with have excellent heads for business, graphic design, administration, or programming, but I still don't trust them to put their pants on the right way around every morning. Why would I want them pulling their hard drives out of their computers every night?

        • by Plekto (1018050)

          The typical "solution" to this is to check your drive in and out every morning, at least in places that do this sort of thing.

    • by SLi (132609)

      Maybe. Except things like Firewire (and some USB controllers) allow a device to read all the memory, so they are practically operating system agnostic. They can just grab a live memory image of your Hurd running, which will contain the hard drive crypto key (the only really interesting piece of information I can think of, if your HDD is not encrypted, you don't have much privacy anyway).

  • by jep77 (1357465) on Sunday November 08, 2009 @09:41AM (#30021622) Homepage

    At first I thought these two stories were related.
    http://gizmodo.com/5399583/famous-paintings-reproduced-in-coffee [gizmodo.com]
    I was about to download the MS tool so I could create my own spectacular tasting, eye-opening, knock-off classic art.

  • Bloody DUH (Score:5, Insightful)

    by Shoten (260439) on Sunday November 08, 2009 @09:42AM (#30021628)

    Well, of course it's useless to most of them...but that has nothing to do with whether or not COFEE is any good. Let's face it; how many casual downloaders are going to need a forensics toolkit? They already have access to all of their own files, and already know what they've been doing with their system. And COFEE is not meant to be a "point and shoot" system; it's really meant for professionals that know what they're looking for to some degree. So getting a copy and using it doesn't instantly give you some insight into how computer forensics work.

  • with that ringing endorsement and the spelling that looks annoyingly like "coffee", but not quite... I didn't even read TFA
    I'm not even sure why I'm even commenting.
    This is kinda like the message you occasionally see on Slashdot for idle.slashdot.org "don't go there"

  • I don't run windows.
  • Ummm.... well.... (Score:5, Insightful)

    by Le Marteau (206396) on Sunday November 08, 2009 @10:13AM (#30021894) Journal

    > No, COFEE is 100 percent useless to you.'"

    Yes, and the software that runs voting machines is "useless to us", too.

    I think the submitter is missing the point. This (probably) closed-source tool by Microsoft (that bears repeating... by MICROSOFT) is going to be used by law enforcement to help throw people in jail. If for no 'practical' use, now that COFEE is leaked, people will be able to reverse-engineer it and see exactly what it is doing, and how. That is a good thing.

  • free alternative (Score:3, Interesting)

    by telenut (1673970) on Sunday November 08, 2009 @10:18AM (#30021938)
    Ok, the tool from Microsoft is 'free' also, but here is something with way more options: http://wiki.hak5.org/wiki/USB_Switchblade [hak5.org]
  • by ttyX (1546893)
    Nothing beats a digital cup of coffee...
  • I wonder... does cofee have a java component?
    Can Cofee check my Kaffeine history?

  • by Anonymous Coward

    Having known a person who had their house raided by the Calgary Police (many times) and their computers stolen as a result of their former employer making false claims, the tool is as useful as the Calgary Police Computer Tech Team (or whatever they are called today).

    I saw the photos of the damage caused by the Calgary Police, cut keyboard cables, broken doors, general damage done to the house, broken commercial (legally bought PS3 games, music, films) CD/DVD/BDs, broken case covers, cut USB cables, are

    • by jcr (53032)

      No charges were laid as a result of the raid.

      WTF? Why didn't he file charges against them?

      -jcr

  • ...I know this is a tool for n00bz, but it is seriously lacking in several areas. First of all it even says in its dox that it is only supported by a suspect's computer running Windows XP, which is still pretty good and better than nothing. Secondly, if the suspect's computer doesn't have autorun enabled you have to go to the USB drive and run the EXE on the suspect's computer...meaning that if the computer is BIOS locked, encrypted on boot, or password protected, then the user must log in to execute the
  • How do we know that Microsoft didn't intentionally leak this?

    Maybe they did it so that they can start selling Microsoft CREAM!

  • Would this utility be useless if you lock your computer when you get up from it? If so, the criminally-minded among us should do that.

    If it works even with the computer locked, it implies a Microsoft back door into Windows. I doubt this.

  • Couple of days from now there will be a HOT COFEE mod for Windows. So much more comprehensive than whatever was in GTA.

  • Probably a lot more law enforcement agencies use that than COFEE.
