Computer Online Forensic Evidence Extractor
From Wikipedia, the free encyclopedia
Computer Online Forensic Evidence Extractor (COFEE) is a modified USB flash drive that lets investigators quickly extract forensic data from Windows computers suspected of containing evidence of criminal activity. As an automated forensic tool, it allows investigators to search through data on site. The device, developed by Microsoft, is activated by being plugged into a USB port, and purportedly contains 150 commands that can dramatically cut the time it takes to gather digital evidence (estimates cited by Microsoft state that a job that previously took 3-4 hours can be done with COFEE in as little as 20 minutes[1][2]). These commands offer such functions as the ability to decrypt passwords, search a computer's Internet activity, and analyze the data stored on a computer[3], including data stored in volatile memory, which could be lost if the computer were shut down for transport to a lab.[4] Microsoft provides COFEE devices and online technical support free to law enforcement agencies.
COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team.[2] Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft.[3] The device is used by more than 2,000 officers in at least 15 countries.[5]
A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.[2]
In April 2009 Microsoft and INTERPOL signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with INTERPOL develops programs for training forensic experts in using COFEE.[6] The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.[7][8]
On November 6, 2009, copies of Microsoft COFEE were leaked onto various BitTorrent websites.[9] Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators.[10]
Similar functionality can also be attained by using specialized Linux distributions such as BackTrack, Knoppix STD, PHLAK and nUbuntu. Unlike COFEE, these also support gathering forensic data from non-Windows operating systems.
Detect and Eliminate Computer Assisted Forensics (DECAF)
DECAF is a counter-intelligence tool created specifically to obstruct COFEE, the well-known Microsoft product used by law enforcement around the world.
References
- Valich, Theo (2008-05-07). "Microsoft's new product goes against crime: Meet (Hot) COFEE". Tigervision Media. http://www.tgdaily.com/content/view/37305/108/. Retrieved 2008-05-19.
- "Brad Smith: Law Enforcement Technology Conference 2008". Microsoft Corporation. 2008-04-28. http://www.microsoft.com/presspass/exec/bradsmith/04-28letech.mspx. Retrieved 2008-05-19.
- Romano, Benjamin J. (2008-04-29). "Microsoft device helps police pluck evidence from cyberscene of crime". The Seattle Times. http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html. Retrieved 2008-05-19.
- Mills, Elinor (2008-04-29). "Microsoft hosts its own police academy". CNet News.com. http://www.news.com/8301-10784_3-9930664-7.html. Retrieved 2008-05-19.
- "Microsoft Calls on Global Public-Private Partnerships to Help in the Fight Against Cybercrime (Q&A with Tim Cranton, Associate General Counsel for Microsoft)". Microsoft Corporation. 2008-04-28. http://www.microsoft.com/presspass/features/2008/apr08/04-28CrantonQA.mspx. Retrieved 2008-05-19.
- "INTERPOL initiative with Microsoft aims to raise global standards against cybercrime through strategic partnership with IT sector". INTERPOL. http://www.interpol.int/public/ICPO/PressReleases/PR2009/PR200937.asp. Retrieved 2009-07-16.
- http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
- https://cofee.nw3c.org/
- "Microsoft COFEE law enforcement tool leaks all over the Internet". TechCrunch. http://www.crunchgear.com/2009/11/06/siren-gif-microsoft-cofee-law-enforcement-tool-leaks-all-over-the-internet/. Retrieved 2009-11-07.
- "More COFEE Please, on Second Thought". http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/.
External links
- "FAQ: Computer Online Forensic Evidence Extractor (COFEE)". Microsoft Corporation. http://www.microsoft.com/industry/government/news/cofee_faq.mspx. Retrieved 2008-05-19.
- "Regular or Decaf? Tool launched to combat COFEE". Praetorian Prefect. http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/. Retrieved 2009-12-18.
- "Reactivating DECAF in Two Minutes". Praetorian Prefect. http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/. Retrieved 2009-12-18.