Nov 08 2009

Ethics of spilled COFEE

Last year Microsoft released a tool called COFEE (Computer Online Forensic Evidence Extractor) to law enforcement agencies around the nation and around the world a couple of years ago.  While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers; you just plug a USB key with COFEE installed and if autorun is enabled on the computer, it will run a series of diagnostics, writes a report and generally gives a quick and dirty analysis of the computer.  It’s not an exhaustive tool and most of the commands and tools the COFEE uses are things that you already have on your computer and could run manually any time you want.  It’s a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.

In the last 48 hours, a user on the uploaded torrent of COFEE and made it available for any user to download.  Which, of course, means that it’s now available on any number of bittorrent sites.  The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild.  Even if many of the bittorent sites agree to pull the torrent, there’s enough users who have the file and enough sites that will be uncooperative that it’s very unlikely that this djinni can be put back in the bottle.  The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.

It needs to be pointed out that is owned and jealously guarded by Microsoft.  I won’t be surprised if they start going after people to get this removed from the Internet.  Surprisingly the folks at say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement.  It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to itself.  Or it could be they did it for altruistic reasons, but I’m more willing to believe in the former than the latter.

Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool?  Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother have a copy?  Should we be reporting people who make it available?  Or should we be reviewing the tool ourselves and proposing ways to make it better?  This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference.  While this is interesting, it’s nothing top secret or even that revolutionary.  I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from the limits of COFEE and figuring ways to prevent it from collecting anything if they ever have their own computers compromised. 

Personally I think the tool’s been leaked and rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools.  There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it.  For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased. 

If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers.  If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use.  I don’t think that having COFEE leaked reduces it’s effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep it’s capabilities secret. 


[Slashdot] [Digg] [Reddit] [] [Facebook] [Technorati] [Google] [StumbleUpon]

8 responses so far

8 Responses to “Ethics of spilled COFEE”

  1. Khürt L Williamson 08 Nov 2009 at 10:42 am

    I think what you do about depends on what kind of “security professional” you are. As a CISSP, I feel ethically bound to reportt people who make it available. Anything less would be ignoring my responsiblity to the public.

  2. freckon 08 Nov 2009 at 12:55 pm

    ahahhaha yeah i just got it, i love the internet

  3. Martinon 08 Nov 2009 at 3:03 pm

    I checked with my contacts at Microsoft and was told they are aware of the issue. I’m not sure what they can do about it at this point, but they’ve been informed.

  4. Brianon 09 Nov 2009 at 7:16 am

    For people who believe in security by obscurity, this is a big deal. But if, as you say, this is just a re-packaging of existing tools, then I would be interested in which targets would have the security risks measurably increased. Copyright issues aside, I don’t have any interest in this tool.

    I would be very interested if this spurs competition in the security-tools-for-the-average-cop market. I doubt that it will, as I suspect that the “average police officer” trusts security by obscurity more than they should.

  5. Michael Dundason 09 Nov 2009 at 7:41 am

    It is out there and all the amount of attempting to hide it won’t work — I think we all no that.

    There are people that have had access to the tool for sometime that are not law enforcement, don’t believe everything you read.

    It is really just a wrapper GUI, for freeware and open source with a GUI reporting front end. And you can set specific profiles etc.

    Ethically, I think companies are naive for doing this type of security through obscurity. There are many ‘better’ software packages out there, and I really hope that if Law enforcement is investigating serious breeches such as critical infastructure they use other better software instead of or as well as COFEE and most importantly, please use trained investigators ….. if you don’t and it goes to court it won’t be a good thing .. we want the bad guys in jail not free.

  6. mjpinvestoron 09 Nov 2009 at 11:17 am

    I think the hype or obscurity made the leak more of an event than it should be. It really does look like another forensics framework that uses the same ideas and concepts of others that are readily available. Since it was kept under wraps, people become suspicious of what MS, the owner of the operating system, might have in their tool that others do not have.

    From what I’ve seen, it really does look like the typical framework that launches the builtin tools and sysinternals utilities. The random name generation is something I have not seen in the other frameworks.

  7. […] COFEE Forensic tool leaked to, admins ban it – It’s an interesting toy, but the open source community can do better. […]

  8. tim breenon 12 Feb 2010 at 11:27 pm

    What is the big issue with this? Surely not keeping it secret doesn’t give the hackers a leg up in the race? Its just another forensic tool.

%d bloggers like this: