Schneier on Security

A blog covering security and security technology.


April 30, 2008

Microsoft Has Developed Windows Forensic Analysis Tool for Police

Really:

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB "thumb drive" that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More news here. Commentary here.

How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?

EDITED TO ADD (4/30): Seems that these are not Microsoft-developed tools:

COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.

Microsoft wouldn't disclose which tools are in the suite other than that they're all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.

With COFEE, a forensic agent can select, through the interface, which of the 150 investigative tools he wants to run on a targeted machine. COFEE creates a script and copies it to the USB device which is then plugged into the targeted machine. The advantage is that instead of having to run each tool separately, a forensic investigator can run them all through the script much more quickly and can also grab information (such as data temporarily stored in RAM or network connection information) that might otherwise be lost if he had to disconnect a machine and drag it to a forensics lab before he could examine it.

And it's certainly not a back door, as TechDirt claims.

But given that a Federal court has ruled that border guards can search laptop computers without cause, this tool might see wider use than Microsoft anticipated.

Posted on April 30, 2008 at 01:54 PM


Comments

The hacker version will be called the Data Organizer for Nationally Undermining Terrorism.

Posted by: anon1234 at April 30, 2008 02:18 PM


"How long before this device is in the hands of the hacker community?"

Interesting; my assumption was that COFEE was mostly a collection of hacker tools, re-marketed for law enforcement.

Posted by: Fred P at April 30, 2008 02:24 PM


From another forum:

Original link: http://scissec.scis.ecu.edu.au/wordpress/conference_proceedings/2006/forensics/Proceedings_Forensics2006.doc

If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

Computer Online Forensic Evidence Extractor (COFEE)

In 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006). COFEE uses a batch script to manage a list of existing incident response tools and IT security tools as a volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts and programs are stored on a USB storage device before data acquisition.

Instead of requesting users to key in the output directory, COFEE automatically redirects the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, operating-system-dependent programs are automatically selected after the version detection. The investigator only needs to insert the USB storage device into the target machine and click one to two buttons in order to start the data acquisition process.

Another difference between COFEE and other live forensics toolkits is the separation of the data acquisition procedures from the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on the target machine may also alter the memory content of the target machine. As report generation does not necessarily have to be executed on the target machine, only data acquisition programs in COFEE are executed on target machines. All program selection, data examination and analysis processes are performed on the investigator's machine.

Besides, more forensics programs are supported by COFEE, such as screen capture and password capture tools.

Interestingly, this article is from 2006. So COFEE has been around for 2 years already.

Posted by: Mike at April 30, 2008 02:27 PM


Doesn't law enforcement have tools like this already? Has CSI been lying to me all these years?

Posted by: Keith at April 30, 2008 02:29 PM


Microsoft Discloses Government Backdoor on Windows Operating Systems
Wednesday, April 30th, 2008 @ 6:00 am
http://www.infiltrated.net/?p=91

Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman term of a backdoor from Wikipedia:

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.


According to an article on PC World: “The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows.”

Not a big deal until you keep reading: “Although Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”

Stop the press for a second or two and look at this logically: “users who have installed the Malicious Software Removal tool” followed by “Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”, what? This is perhaps the biggest gaffe I’ve read thus far on potential government collusion with Microsoft.

/ Article continues...

So why aren't there any takers on this one?

Posted by: jayo at April 30, 2008 02:32 PM


So you can defeat this by turning off autorun?

Posted by: Anonymouse at April 30, 2008 02:53 PM


Looks to me like FUD, and the media-whores are all linking up a storm to show how "with it" they are.

From what Threat Level has seen, this is a package of already available tools. http://blog.wired.com/27bstroke6/2008/04/microsoft-gives.html

Let's not get irrational and begin throwing stones just yet.

Posted by: Jeff Pettorino at April 30, 2008 02:59 PM


From a legal point of view, it doesn't really "(eliminate) the need to seize a computer itself." There are also other agent-less tools around for forensic examination.

They're trying to provide something that doesn't require much expertise, but they'll end up with a bunch of cases any half way decent lawyer can get thrown out.

Posted by: Thomas Tankengine at April 30, 2008 03:10 PM


Where can we get the Mac version? What, it's not cross platform?

Posted by: borked at April 30, 2008 03:12 PM


So much for the trusted computing platform initiative.

Posted by: Alan at April 30, 2008 03:16 PM


"How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?"

That last one

Posted by: Timmy303 at April 30, 2008 03:19 PM


@borked

"What, it's not cross platform?"

Nobody cares what you did on your mac

Posted by: Timmy303 at April 30, 2008 03:20 PM


"Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device"

And how much data will you store on one USB key? And what about the chain of evidence? This is at best a nice collection of tools for covert actions but useless for a real investigator.

Posted by: Alex at April 30, 2008 03:36 PM


Anyone actually used COFEE before? If so, thoughts on its use & capabilities?

Posted by: Garrett G. at April 30, 2008 03:37 PM


If your system is locked and you have autorun disabled, how can this work?

Posted by: Angus S-F at April 30, 2008 03:38 PM


"How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?"

Bruce, you always say that we can't ban cars only because the bad guys use them for robbing banks. This seems similar to me. It's not a bad idea to train people to capture evidence and give them the tools they need.
Furthermore the bad guys already have those tools. I don't think there are any magic tools the hackers would not already have.

Posted by: Jiri at April 30, 2008 03:41 PM


Five years ago, MS had a forensic toolkit, but it was a modification of their standard data capture tools. It was installed and wrote to the hard drive, so it wasn't very good. Perhaps they've learned from their past mistakes, but why didn't they just use WFT instead of copying it? Also, a possible weakness of the app is that hidden processes may stay hidden. A rootkit that loads before the OS does may not be detected by this application.

Posted by: John Moore at April 30, 2008 03:43 PM


@Alan

The "trusted computing initiative" was never about what you, who paid real money in bona fide sales transactions to acquire a computer and software as personal property, could have any faith in.

If you want to be able to trust what goes on in your own computer, stick to Free/Open Source software, where you've at least got a fighting chance of finding out about gotchas and back doors.

Posted by: David at April 30, 2008 03:48 PM


You mention RootkitRevealer above. While that wasn't a Microsoft-developed tool originally, it is now; it was developed by Mark Russinovich of Winternals/SysInternals, which Microsoft purchased in July 2006. In fact, it was RootkitRevealer which Mark used to discover the Sony rootkit back in October 2005...

Posted by: Bryan Feir at April 30, 2008 03:52 PM


The irony is that in using those "on-site" forensic tools, the detective causes spoilage of the evidence. There's undoubtedly a place for this (life & death situation, tracking down info to prevent immediate harm) but like anything it's a tradeoff because it ruins the court case later for the prosecution.

sean

Posted by: Sean at April 30, 2008 04:02 PM


I want to get my hands on one of these just so I can write a script for Linux that recognizes when one has been plugged into a system, locks the screen, and puts the text of the Fourth Amendment into the screen saver.

Posted by: Max Kaehn at April 30, 2008 04:17 PM


Honestly, I'm all for police having this. It's better to have someone thumbdrive your PC than seize it. That is, after all, the alternative here.

Posted by: Mithrandir at April 30, 2008 04:26 PM


@jayo
So maybe all those folks being paranoid about the registry key with the word NSA in it weren't so far off base?

Posted by: Anonymous at April 30, 2008 04:30 PM


How does existence of this tool imply violation of the 4th amendment?

As others have already said or implied, if a bona fide computer forensic expert has come to legally collect your machine, this tool is not likely to be used. And if it is...well, a good lawyer may get any case thrown out of court for you. And if your script popped up while Customs checked your computer at the border, you're guaranteed an unscheduled meeting with the FBI in a holding room, at least under current US law => http://opencrs.cdt.org/document/RL34404

Posted by: Jeff Pettorino at April 30, 2008 04:32 PM


For vulnerable systems, this would provide any badhat the means to put incriminating evidence on your computer -- without leaving any traces, not even a fingerprint. Then the authorities could get a warrant specifying exactly what they would find on your machine. The result would so impress a judge that he'd wet his pants.

Posted by: Roy at April 30, 2008 04:53 PM


Hi Bruce,

I corrected my article yesterday. I'm not sure why your post, today, is claiming that I'm still saying it's a backdoor. Since yesterday I made it clear that it was not a backdoor, though that was what the original Seattle Times article implied.

Mike

Posted by: Mike Masnick at April 30, 2008 06:40 PM


Yet another reason to disable auto insert notification....

Posted by: Phillip at April 30, 2008 07:50 PM


Sounds like someone took the Windows side of Helix and re-badged it.

Posted by: Zing at April 30, 2008 09:13 PM


Are WFT and RootKitRevealer and their like big technology surprises to anyone...?

I wonder if there's anything on this gadget that would be news.

Posted by: Patrick Cahalan at May 1, 2008 02:01 AM


"Power to the people Marty" - Sneakers - 1992

http://www.gpg4win.org/download.html
gpg4win-1.1.3.exe

____________________________________________________________________
Lewis Donofrio Sr. Windows / Unix Systems Administrator 734-355-0592

Posted by: Lewis Donofrio at May 1, 2008 06:24 AM


Does this mean that apple sales will increase?

Posted by: bay of islands at May 1, 2008 06:35 AM


/me starts writing a driver that automatically formats every usb disk inserted without holding down ctrl-shift-alt...

Posted by: Kærast at May 1, 2008 06:39 AM


How is this worse than having a pen drive linux, or a knoppix cd, with an NTFS driver?

Posted by: wiredog at May 1, 2008 07:36 AM


For the scripts, perhaps a thumbdrive would do, but to collect the information, it's likely a 180GB USB external hard drive. And when it's used to collect all those kiddie porn shots, this information will remain on it after they take it back and download it. Then they will go and use it again, without using deep delete to scrub it. Used more than once, there will be potential for it to make a lot of false accusations after it's crossed a file of hard drive recovery codes. Never trust the feebs to understand technology and never trust them to be honest. The law says they can lie to you but it's a felony for you to lie to them. Free speech is only their right; yours has been stolen.

Posted by: Rai at May 1, 2008 07:41 AM


When I was in forensics training we were warned not to touch anything on the original suspect machine. That is because of the possibility of booby traps.

Posted by: morey at May 1, 2008 07:44 AM


@wiredog

A knoppix cd is unlikely to contaminate the evidence (and can easily be used in ways that absolutely won't). A machine running windows is almost impossible to configure to avoid monkeying with the C: drive. They may have set all the options, but don't count on finding a bug somewhere that directly modifies the registry, dlls, etc.

Posted by: wumpus at May 1, 2008 08:07 AM


@Mithrandir: RE: "It's better to have someone thumbdrive your PC than seize it. That is, after all, the alternative here."

They'll likely still take the PC. The idea here is that some hackers have installed tools that wipe incriminating data on shutdown/reboot, so they want to capture that before they take the PC.

If hackers already know about this, the solution is to disable the USB port altogether. I'd think a smart hacker isn't using the same machine for music/phone/digital camera that they need to plug in via USB as they're using to hack.

This will really only be useful for investigation of non-hackers. i.e. average joes who are doing something wrong. And those people wouldn't have their computer set to wipe on shutdown anyway. So, that leaves it to be only useful to copy someone's data without them knowing...

Posted by: mrs_helm at May 1, 2008 09:56 AM


This tool is far more valuable to a covert entry/data extraction op (without a warrant) than to any real, legitimate warranted daylight entry. When you consider that the 3 letters all have existing back door access courtesy of the chipmakers, this avenue is really only useful to the tin-starred Barney Fifes who don't play the game on a high level.

Posted by: DigitalCommando at May 1, 2008 10:08 AM


From a chain of evidence standpoint, changing a live system (by plugging in the USB drive and executing programs) gives the defense ammo. You have to make a forensic copy of the drive without making any changes, then work on the copy, or all of your "evidence" can be considered suspect.

What if Microsoft's USB stick is infected with a virus? What if a corrupt officer decides to use the USB stick to plant evidence? Police should not be monkeying with live systems - too much room for error or abuse.

Posted by: derf at May 1, 2008 10:56 AM
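As an added example (not COFEE's own code, nor any tool the page names), the acquisition model that Mike's quoted proceedings describe and the chain-of-evidence concern that Alex and derf raise, in one script: an OS-keyed manifest of acquisition commands, the OS-appropriate subset run with every output redirected to the medium the script runs from, and a SHA-256 manifest written alongside so the examination stage (done on a different machine) can show the captured files are unchanged. The tool list, file names and directory layout are assumptions for the example.

```python
"""COFEE-style acquisition: OS-keyed tool manifest, output redirected to the
medium the script runs from, SHA-256 manifest for the later examination.
Added example, not COFEE's code; tool names and paths are assumptions."""
import hashlib
import json
import os
import platform
import subprocess
import time
# Constructed manifest: each entry names the OS families it applies to.
# Real kits bundle tools such as those in WFT; these are stand-ins.
TOOLS = [
    {"name": "uptime", "os": ["Linux", "Darwin"], "cmd": ["uptime"]},
    {"name": "tasklist", "os": ["Windows"], "cmd": ["tasklist"]},
    {"name": "listening_ports", "os": ["Linux"], "cmd": ["ss", "-tulpn"]},
    {"name": "netstat", "os": ["Windows", "Darwin"], "cmd": ["netstat", "-an"]},
]

def select_tools(tools, os_name):
    """COFEE's OS-version detection step, reduced to the OS family."""
    return [t for t in tools if os_name in t["os"]]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire(tools, outdir, timeout=60):
    """Run each tool with stdout/stderr redirected to a file under outdir
    (the removable medium) and return a manifest of hashes and timestamps.
    Nothing is examined here; analysis happens on the investigator's box."""
    os.makedirs(outdir, exist_ok=True)
    entries = []
    for t in tools:
        out_path = os.path.join(outdir, t["name"] + ".txt")
        started = time.time()
        with open(out_path, "wb") as out:
            try:
                rc = subprocess.run(t["cmd"], stdout=out, stderr=subprocess.STDOUT,
                                    timeout=timeout).returncode
            except (OSError, subprocess.TimeoutExpired) as exc:
                # A missing or hung tool is recorded, not silently skipped.
                out.write(f"[acquisition error: {exc}]".encode())
                rc = -1
        entries.append({"name": t["name"], "cmd": t["cmd"], "returncode": rc,
                        "started": started, "file": os.path.basename(out_path),
                        "sha256": sha256_file(out_path)})
    manifest = {"host_os": platform.platform(), "entries": entries}
    with open(os.path.join(outdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify(outdir):
    """On the examination machine: recompute hashes, list files that changed."""
    with open(os.path.join(outdir, "manifest.json")) as f:
        manifest = json.load(f)
    return [e["name"] for e in manifest["entries"]
            if sha256_file(os.path.join(outdir, e["file"])) != e["sha256"]]

if __name__ == "__main__":
    here = os.path.dirname(os.path.abspath(__file__))  # the USB medium
    acquire(select_tools(TOOLS, platform.system()), os.path.join(here, "acq"))
```

Running every tool through one script is what gives the speed the article describes; the manifest is what lets the examiner later answer the "how do we know this output wasn't altered" question, although it cannot show what the acquisition itself changed on the live machine.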


Trusted binaries on a writable medium.

Yes... Yes! I like it! It's the last thing they'll expect!

*eye glint*

Posted by: j0hnner_ca at May 1, 2008 01:06 PM


Are we going to get a Hot COFEE mod as well?

Posted by: Brad at May 1, 2008 02:32 PM


A former Hong Kong cop who now works for Microsoft developed COFEE. Microsoft gives out free COFEE to law enforcement.

That which we obtain too easily, we esteem too lightly. What's it worth?

Posted by: "Mission Accomplished" at May 1, 2008 03:19 PM


A former Hong Kong cop who now works for Microsoft developed COFEE. Microsoft gives out free COFEE to law enforcement.

That which we obtain too easily, we esteem too lightly. What's it worth?

Posted by: "Mission Accomplished" at May 1, 2008 03:20 PM


I suppose I'll have to mod my USB ports to swap the VCC and ground connection and use 12v instead of 5v, and also set it up so when something that isn't modified to take that is plugged in it does a hardware shutdown (but keeps the USB power going). I'll also need to build a mini pocket adapter to correct and regulate my ports.

Posted by: jammit at May 1, 2008 06:08 PM


Why not just leak to them the rest of the backdoors [in Windows] injected under the guise of "remote exploits" to begin with?

Posted by: ball him her at May 2, 2008 01:45 AM


It's just a collection of tools that you can download free from anywhere, packaged onto a thumbdrive. It's not a big deal.

Posted by: Ben at May 2, 2008 03:40 AM


@wumpus/wiredog - http://www.penguinsleuth.org/linuxforensics/pensleuth.html has made a claim that Linux and Knoppix will change the MD5 sum of ext3 and reiserfs partitions even when mounted read-only. Which would be contaminating the evidence. (I've not personally tested this yet.)

Posted by: Andrew Yeomans at May 2, 2008 05:48 AM


"If you're a bad guy and you want to frustrate law enforcement, use a Mac."

Posted by: A Visit from the FBI at May 2, 2008 11:54 AM


So you are saying that Windows users will be getting a COFEE enema?

How is that different than Vista?

Posted by: alan at May 2, 2008 04:09 PM


RE: COFFEE,
The North Wales Police Hi-tech Crime unit uses Helix, which is a collection of pD tools running from a Knoppix Linux CD. I grabbed myself a copy and found that all the tools were available for FREE download.
So you don't need Microsoft to give you a collection of tools. How long before it's in the hands of hackers?
It probably has been for years.
Mike
Been into computing since 1961 IBM STRETCH & Fortran-2

Posted by: Mike Orton at May 15, 2008 09:04 AM


When I read this article initially my first thought was "where is the companion product"?

Given the scenario I would think that there should also be another tool in the arsenal called the "Digital Online Network Utilization Tracker" or...DONUT for short.

Posted by: Maeve at May 15, 2008 10:07 AM

