This week, as first reported by CNET News.com, Microsoft talked publicly about COFEE, its free Computer Online Forensic Evidence Extractor. The company demonstrated the tool as part of a law enforcement conference held in Redmond.
COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab--files that are stored in active memory would otherwise be lost, for example.
COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Tech Crime Investigators Associate's (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft's Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.
COFEE consists of plain text scripts; the data collected from these scripts is routed to a provided USB drive. Although intended for use with a command line, there is also an option for GUI. Raw text captures generate either SH1 or md5 checksums. The results for an acquisition are then presented in either plain text or HTML. Each operation produces its own log file to help investigators.
Although Microsoft would not confirm any specific tools included within COFEE, it did say that all the tools were publicly available. A quick search by CNET revealed several free Windows-based digital forensic tool kits available for download. These include:
- Incident Response Collection Report (IRCR)
- First Responder Evidence Disk (FRED)
- Windows Forensics Toolchest (WFT)
- Forensic Acquisition Utilities
- Windows Forensic Toolkit
- Windows Memory Forensics Toolkit
- The Forensic Toolkit (Windows NT 4.0 SP3)
Several news reports have suggested that Microsoft is also providing law enforcement with new tools to defeat BitLocker in Windows Vista or access to a secret back door within Windows. A Microsoft spokesperson denied this, saying, "COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means." Microsoft also stressed that COFEE is still in beta.
"The key to COFEE is not new forensic tools," said Tim Cranton, associate general counsel for Microsoft, "but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."
More than 2,000 officials are using it worldwide, according to Microsoft.