Nov 08 2009
Last year Microsoft released a tool called COFEE (Computer Online Forensic Evidence Extractor) to law enforcement agencies around the nation and around the world. While COFEE is a professional tool, it's meant for the average police officer who may not have a lot of experience with computers: you just plug in a USB key with COFEE installed and, if autorun is enabled on the computer, it runs a series of diagnostics, writes a report and generally gives a quick and dirty analysis of the computer. That dependence on autorun is worth noting; it does nothing on a machine where autorun is disabled, as it is by default for USB drives on Windows 7. It's not an exhaustive tool, and most of the commands and tools COFEE uses are things that are already on the computer and could be run manually any time you want. It's a tool law enforcement officers need and should have, and it's been a pretty closely guarded tool, until now.
In the last 48 hours, a user on what.cd uploaded a torrent of COFEE and made it available for any user to download. Which, of course, means that it's now available on any number of bittorrent sites. The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild. Even if many of the bittorrent sites agree to pull the torrent, there are enough users who have the file and enough sites that will be uncooperative that it's very unlikely this djinni can be put back in the bottle. The fact that this tool has been a big mystery until now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends who were.
It needs to be pointed out that COFEE is owned and jealously guarded by Microsoft. I won't be surprised if they start going after people to get this removed from the Internet. Surprisingly, the folks at What.cd say they took down the torrent on their own, with no prompting from either Microsoft or law enforcement. It may be that they decided the amount of attention it could draw to a site like theirs was more than they were willing to risk. Or it could be they did it for altruistic reasons, but I'm more willing to believe in the former than the latter.
Now that the COFEE has been spilled into the tubes of the Interweb thingy, what are our moral and ethical responsibilities as security professionals concerning the tool? Should we ignore it and hope the police can pull it off the bittorrent sites before everyone and their brother has a copy? Should we be reporting people who make it available? Or should we be reviewing the tool ourselves and proposing ways to make it better? This is a tool that's aimed at letting police officers who are computer novices collect valuable forensic information using applications that are available natively in Windows and creating a simple report for future reference. While this is interesting, it's nothing top secret or even that revolutionary. I suspect the main reason it was only available to law enforcement officers was to keep the malware creators and hackers from learning the limits of COFEE and figuring out ways to prevent it from collecting anything if their own computers are ever compromised.
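To make concrete what "collect volatile data with the tools already on the box and write a report" actually involves, here is an added example of a small live-response collector. It is my own illustration, not COFEE and not Microsoft's code, and I have no knowledge of COFEE's internals; the step list, the file and directory names, and the optional tools directory on the key are assumptions. It runs each native Windows utility in rough order of volatility, captures stdout and stderr to a per-step file, and writes a manifest recording which binary was used, its hash, and the hash of every output file, so the collection can be verified later. Get-FileHash needs PowerShell 4 or later, and the script should be run elevated for complete output.

```powershell
# live-response.ps1 (added example; hypothetical name, not part of COFEE)
# Minimal Windows volatile-data collector built only from tools already on the host.
# Requires PowerShell 4+ (Get-FileHash); run from an elevated prompt for full output.
param(
    [string]$OutRoot = (Join-Path $PSScriptRoot "collection"),
    [string]$ToolDir = (Join-Path $PSScriptRoot "tools")   # optional known-good copies carried on the key
)
$ErrorActionPreference = "Continue"   # a failing step must not abort the rest of the collection
$started  = Get-Date
$caseName = "{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, $started
$dest     = Join-Path $OutRoot $caseName
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Prefer a copy of each tool carried on the key; fall back to the host's own System32.
# A compromised host can return doctored output from its own binaries, so the manifest
# records which copy was used and its SHA-256.
function Resolve-Tool([string]$Name) {
    $carried = Join-Path $ToolDir $Name
    if (Test-Path $carried) { return $carried }
    return Join-Path $env:SystemRoot "System32\$Name"
}

# Ordered roughly by volatility (RFC 3227): in-memory state first, slow-changing config last.
$steps = @(
    @{ Name = "whoami";      Tool = "whoami.exe";     Args = @("/all") },
    @{ Name = "loggedon";    Tool = "query.exe";      Args = @("user") },
    @{ Name = "processes";   Tool = "tasklist.exe";   Args = @("/v", "/fo", "list") },
    @{ Name = "services";    Tool = "tasklist.exe";   Args = @("/svc") },
    @{ Name = "netstat";     Tool = "netstat.exe";    Args = @("-ano") },
    @{ Name = "arp";         Tool = "arp.exe";        Args = @("-a") },
    @{ Name = "dns_cache";   Tool = "ipconfig.exe";   Args = @("/displaydns") },
    @{ Name = "ipconfig";    Tool = "ipconfig.exe";   Args = @("/all") },
    @{ Name = "shares";      Tool = "net.exe";        Args = @("share") },
    @{ Name = "sessions";    Tool = "net.exe";        Args = @("session") },
    @{ Name = "local_users"; Tool = "net.exe";        Args = @("user") },
    @{ Name = "run_hklm";    Tool = "reg.exe";        Args = @("query", "HKLM\Software\Microsoft\Windows\CurrentVersion\Run") },
    @{ Name = "run_hkcu";    Tool = "reg.exe";        Args = @("query", "HKCU\Software\Microsoft\Windows\CurrentVersion\Run") },
    @{ Name = "sched_tasks"; Tool = "schtasks.exe";   Args = @("/query", "/fo", "list", "/v") },
    @{ Name = "systeminfo";  Tool = "systeminfo.exe"; Args = @() }
)

$manifest = New-Object System.Collections.Generic.List[object]
foreach ($s in $steps) {
    $exe = Resolve-Tool $s.Tool
    $out = Join-Path $dest ("{0}.txt" -f $s.Name)
    $t0  = Get-Date
    if (-not (Test-Path $exe)) {
        # Record the gap instead of silently skipping it (e.g. query.exe is absent on some editions).
        "TOOL NOT FOUND: $exe" | Out-File -FilePath $out -Encoding utf8
        $exit = -1; $toolHash = "n/a"
    } else {
        $a = $s.Args
        # Capture stdout and stderr together so a failing command still leaves a trace in the report.
        & $exe @a 2>&1 | Out-File -FilePath $out -Encoding utf8
        $exit = $LASTEXITCODE
        $toolHash = (Get-FileHash -Algorithm SHA256 -Path $exe).Hash
    }
    $manifest.Add([pscustomobject]@{
        Step       = $s.Name
        Command    = "$exe $($s.Args -join ' ')"
        ToolSHA256 = $toolHash
        OutputFile = Split-Path $out -Leaf
        OutSHA256  = (Get-FileHash -Algorithm SHA256 -Path $out).Hash
        ExitCode   = $exit
        StartedUtc = $t0.ToUniversalTime().ToString("o")
        Seconds    = [math]::Round(((Get-Date) - $t0).TotalSeconds, 2)
    })
}

# Case header plus per-step manifest: who ran what, when, with which binary, and the hash
# of every output file. This is the part a court will ask about, not the tasklist output.
$header = [pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Examiner    = "$env:USERDOMAIN\$env:USERNAME"
    StartedUtc  = $started.ToUniversalTime().ToString("o")
    FinishedUtc = (Get-Date).ToUniversalTime().ToString("o")
    PSVersion   = $PSVersionTable.PSVersion.ToString()
}
$header   | ConvertTo-Json | Out-File -FilePath (Join-Path $dest "case.json") -Encoding utf8
$manifest | Export-Csv -Path (Join-Path $dest "manifest.csv") -NoTypeInformation
$manifest | Format-Table Step, ExitCode, Seconds, OutSHA256 -AutoSize
```

Two design points matter more than the particular commands. First, the order: process lists, sockets and caches change by the second, so they are collected before anything that will still be there tomorrow. Second, trust: every step is run from a binary the script can name and hash, and a known-good copy on the key wins over the host's own System32 when one is present, which is the obvious place for an attacker who knows the tool's limits to interfere. None of this requires autorun; the officer double-clicks the script, and the same approach works whether or not the machine honors autorun.inf.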
Personally I think the tool's been leaked and, rather than try to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools. There are any number of forensics tools already out there that will do a very good job of evaluating a desktop's running configuration and that could be made at least as easy to use as COFEE; the hard part would probably be getting law enforcement agents to accept something that didn't have a huge name like Microsoft behind it. For example, if a limited version of BackTrack were created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased.
If there are already other tools available that can easily and cheaply provide law enforcement with forensic evidence they can use in court, I don't know of them and would appreciate some pointers. If not, someone needs to create something and make it available to law enforcement, especially if it's something that's easy for a computer neophyte to use. I don't think that having COFEE leaked reduces its effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep its capabilities secret.