Microsoft Has Developed Windows Forensic Analysis Tool for Police


The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

More news here. Commentary here.

How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?

EDITED TO ADD (4/30): Seems that these are not Microsoft-developed tools:

COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab.

Microsoft wouldn’t disclose which tools are in the suite other than that they’re all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.

With COFEE, a forensic agent can select, through the interface, which of the 150 investigative tools he wants to run on a targeted machine. COFEE creates a script and copies it to the USB device which is then plugged into the targeted machine. The advantage is that instead of having to run each tool separately, a forensic investigator can run them all through the script much more quickly and can also grab information (such as data temporarily stored in RAM or network connection information) that might otherwise be lost if he had to disconnect a machine and drag it to a forensics lab before he could examine it.

And it’s certainly not a back door, as TechDirt claims.

But given that a Federal court has ruled that border guards can search laptop computers without cause, this tool might see wider use than Microsoft anticipated.

Posted on April 30, 2008 at 1:54 PM57 Comments


anon1234 April 30, 2008 2:18 PM

The hacker version will be called the Data Organizer for Nationally Undermining Terrorism.

Fred P April 30, 2008 2:24 PM

“How long before this device is in the hands of the hacker community?”-

Interesting; my assumption was that COFEE was mostly a collection of hacker tools, re-marketed for law enforcement.

Mike April 30, 2008 2:27 PM

From another forum:

Original link:

If you scan down about 15% of the way down, there is a blurb about COFEE mixed in with the rest:

Computer Online Forensic Evidence Extractor (COFEE)

In year 2006, inspired by WFT, Ricci Ieong started the development of Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006) COFEE uses batch script to manage a list of existing incident response tools and IT security tools volatile data forensics acquisition system similar to WFT, IRCR and FRED. But all the scripts, programs were stored on USB storage device before data acquisition.

Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device. With the automatic OS version detection and storage assignment scheme, Operating System dependent program will be automatically selected after the version detection. Investigator only needs to insert the USB storage devices to the target machine and click one to two buttons in order to start the data acquisition process.

Another difference between COFEE with other live forensics toolkits is separation of the data acquisition procedures with the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on target machine may also alter the memory content in the target machine. As report generation does not necessarily be executed on target machine, therefore, only data acquisition programs, in COFEE, would be executed on target machines. All program selection, data examination and analysis processes would be performed on investigator machine.

Besides, more forensics programs are supported by COFEE such as screen capture and password capture tools.

Interestingly, this article if from 2006. So COFEE has been around for 2 years already.

Keith April 30, 2008 2:29 PM

Doesn’t law enforcement have tools like this already? Has CSI been lying to me all these years?

jayo April 30, 2008 2:32 PM

Microsoft Discloses Government Backdoor on Windows Operating Systems
Wednesday, April 30th, 2008 @ 6:00 am

Microsoft may have inadvertently disclosed a potential Microsoft backdoor for law enforcement earlier this week. To explain this all, here is the layman term of a backdoor from Wikipedia:

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

According to an article on PC World: “The software vendor is giving law enforcers access to a special tool that keeps tabs on botnets, using data compiled from the 450 million computer users who have installed the Malicious Software Removal tool that ships with Windows.”

Not a big deal until you keep reading: “Although Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”

Stop the press for second or two and look at this logically: “users who have installed the Malicious Software Removal tool” followed by “ Microsoft is reluctant to give out details on its botnet buster — the company said that even revealing its name could give cyber criminals a clue on how to thwart it”, what? This is perhaps the biggest gaffe I’ve read thus far on potential government collusion with Microsoft.

/ Article continues…

So why isn’t there any takers on this one?

Thomas Tankengine April 30, 2008 3:10 PM

From a legal point of view, it doesn’t really “(eliminate) the need to seize a computer itself.” There are also other agent-less tools around for forensic examination.

They’re trying to provide something that doesn’t require much expertise, but they’ll end up with a bunch of cases any half way decent lawyer can get thrown out.

Timmy303 April 30, 2008 3:19 PM

“How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?”

That last one

Timmy303 April 30, 2008 3:20 PM


“What, it’s not cross platform?”

Nobody cares what you did on your mac

Alex April 30, 2008 3:36 PM

“Instead of requesting users to key in the output directory, COFEE automatically redirect the output to the inserted USB storage device”

And how much data will you store on one USB key? And what about the chain of evidence? This is at best a nice collection of tools for covert actions but useless for a real investigator.

Jiri April 30, 2008 3:41 PM

“How long before this device is in the hands of the hacker community? Days? Months? They had it before it was released?”

Bruce, you always say that the we can’t ban cars only because the bad guys use them for robbing banks. This seems similar to me. It’s not a bad idea to train people to capture evidence and give them tools they need.
Furthermore the bad guys already have those tools. I don’t think there are any magic tools the hackers would not already have.

John Moore April 30, 2008 3:43 PM

Five years ago, MS has a forensic ioolkit, but it was a modification of their stand data capture tools. It was installed and wrot to the hard drive, so it wasn’t very good. Perhaps, they’ve learned from their past mistakes, but why didn’t they just use WFT instead of copy it? Also, a possible weakness of the app is that hidden processes may stay hidden. A rootkit that loads before the OS does, may not be detected by this application.

David April 30, 2008 3:48 PM


The “trusted computing initiative” was never about what you, who paid real money in bona fide sales transactions to acquire a computer and software as personal property, could have any faith in.

If you want to be able to trust what goes on in your own computer, stick to Free/Open Source software, where you’ve at least got a fighting chance of finding out about gotchas and back doors.

Bryan Feir April 30, 2008 3:52 PM

You mention RootkitRevealer above. While that wasn’t a Microsoft-developed tool originally, it is now; it was developed by Mark Russinovich of Winternals/SysInternals, which Microsoft purchased in July 2006. In fact, it was RootkitRevealer which Mark used to discover the Sony rootkit back in October 2005…

Sean April 30, 2008 4:02 PM

the irony is that in using those “on-site” forensic tools, the detective causes spoilage of the evidence. There’s undoubtedly a place for this (life & death situation tracking down info to prevent immediate harm) but like anything it’s a tradeoff because it ruins the court case later for the prosecution.


Max Kaehn April 30, 2008 4:17 PM

I want to get my hands one one of these just so I can write a script for Linux that recognizes when one has been plugged into a system, locks the screen, and puts the text of the Fourth Amendment into the screen saver.

Mithrandir April 30, 2008 4:26 PM

Honestly, I’m all for police having this. It’s better to have someone thumbdrive your PC than seize it. That is, after all, the alternative here.

Anonymous April 30, 2008 4:30 PM

So maybe all those foks being paranoid about the registry key with the word NSA in it weren’t so far off base?

Jeff Pettorino April 30, 2008 4:32 PM

How does existence of this tool imply violation of the 4th amendment?

As others have already said or implied, if a bona fide computer forensic expert has come to legally collect your machine, this tool is not likely to be used. And if it is…well, a good lawyer may get any case thrown out of court for you. And if your script popped up while Customs checked your computer at the border, you’re guaranteed an unscheduled meeting with the FBI in a holding room, at least under current US law =>

Roy April 30, 2008 4:53 PM

For vulnerable systems, this would provide any badhat the means to put incriminating evidence on your computer — without leaving any traces, not even a fingerprint. Then the authorities could get a warrant specifying exactly what they would find on your machine. The result would so impress a judge that he’d wet his pants.

Mike Masnick April 30, 2008 6:40 PM

Hi Bruce,

I corrected my article yesterday. I’m not sure why your post, today, is claiming that I’m still saying it’s a backdoor. Since yesterday I made it clear that it was not a backdoor, though that was what the original Seattle Times article implied.


Patrick Cahalan May 1, 2008 2:01 AM

Are WFT and RootKitRevealer and their like big technology surprises to anyone…?

I wonder if there’s anything on this gadget that would be news.

Kærast May 1, 2008 6:39 AM

/me starts writing a driver that automatically formats every usb disk inserted without holding down ctrl-shift-alt…

wiredog May 1, 2008 7:36 AM

How is this worse than having a pen drive linux, or a knoppix cd, with an NTFS driver?

Rai May 1, 2008 7:41 AM

For the scripts, perhaps a thumbdrive would do, but to collect the information, its likely a 180GB USB external hard drive. and when its used to collect all those kidde porn shots, this information will remain on it after they take it back and download it. Then they will go and use it again, without using deep delete to scrub it. Used more than once, there will be potential for it to make a lot of false accusations after its crossed a file of harddrive recovery codes. never trust the feebs to understand technology and never trust them to be honest. the law says they can lie to you but its a felony for you to lie to them. Free speach is only thier right, yours has been stolen.

morey May 1, 2008 7:44 AM

When I was in forensics training we were warned not to touch anything on the original suspect machine. That is because of the possibility of booby traps.

wumpus May 1, 2008 8:07 AM


A knoppix cd is unlikely to contaminate the evidence (and can easily be used in ways that absolutely won’t). A machine running windows is almost impossible to configure to avoid monkeying with the C: drive. They may have set all the options, but don’t count on finding a bug somewhere that directly modifies the registry, dlls, etc.

mrs_helm May 1, 2008 9:56 AM

@Mithrandir: RE: “It’s better to have someone thumbdrive your PC than seize it. That is, after all, the alternative here.”

They’ll likely still take the PC. The idea here is that some hackers have installed tools that wipe incriminating data on shutdown/reboot, so they want to capture that before they take the PC.

If hackers already know about this, the solution is to disable th USB port altogether. I’d think a smart hacker isn’t using the same machine for music/phone/digital camera that they need to plug in via USB, as they’re using to hack.

This will really only be useful for investigation of non-hackers. i.e. average joes who are doing something wrong. And those people wouldn’t have their computer set to wipe on shutdown anyway. So, that leaves it to be only useful to copy someone’s data without them knowing…

DigitalCommando May 1, 2008 10:08 AM

This tool is far more valuable to a covert entry/data extraction op (without a warrant) than to any real, legitimate warranted daylight entry. When you consider that the 3 letters all have existing back door access courtesy of the chipmakers, this avenue is really only useful to the tin-starred barnie fifes who dont play the game on a high level.

derf May 1, 2008 10:56 AM

From a chain of evidence standpoint, changing a live system (by plugging in the USB drive and executing programs) gives the defense ammo. You have to make a forensic copy of the drive without making any changes, then work on the copy, or all of your “evidence” can be considered suspect.

What if Microsoft’s USB stick is infected with a virus? What if a corrupt officer decides to use the USB stick to plant evidence? Police should not be monkeying with live systems – too much room for error or abuse.

j0hnner_ca May 1, 2008 1:06 PM

Trusted binaries on a writable medium.

Yes… Yes! I like it! It’s the last thing they’ll expect!

eye glint

"Mission Accomplished" May 1, 2008 3:20 PM

A former Hong Kong cop who now works for Microsoft developed COFEE. Microsoft gives out free COFEE to law enforcement.

That which we obtain too easily, we esteem too lightly. What’s it worth?

jammit May 1, 2008 6:08 PM

I suppose I’ll have to mod my USB ports to swap the VCC and ground connection and use 12v instead of 5v, and also set it up so when something that isn’t modified to take that is plugged in it does a hardware shutdown (but keeps the USB power going). I’ll also need to build a mini pocket adapter to correct and regulate my ports.

ball him her May 2, 2008 1:45 AM

Why not just leak to them the rest of the backdoors [in Windows] injected under the guise of “remote exploits” to begin with?

Ben May 2, 2008 3:40 AM

It’s just a collection of tools that you can download free from anywhere, packaged onto a thumbdrive. It’s not a big deal.

alan May 2, 2008 4:09 PM

So you are saying that Windows users will be getting a COFEE enema?

How is that different than Vista?

Mike Orton May 15, 2008 9:04 AM

The North Wales Police Hi tec Crime unit use Helix which is a collection of pD tools running from a knoppix Linux CD. I grabbed myself a copy and found that all the tools were available for FREE download.
So you don’t need Microsoft to give you a collection of tools. How long before its in the hands of hackers?
It probably has been for years.
Been into computing since 1961 IBM STRETCH & Fortran-2

Maeve May 15, 2008 10:07 AM

When I read this article initially my first thought was “where is the companion product”?

Given the scenario I would think that there should also be another tool in the arsenal called the “Digital Online Network Utilization Tracker” or…DONUT for short.

Mike May 18, 2008 5:04 PM

“Microsoft wouldn’t disclose which tools are in the suite other than that they’re all publicly available”

Why not? Anyone know what’s in there? And if not, wouldn’t it be a good idea to submit a FOIA request to the local gendarmes to find out what gifts they have received?

Clive Robinson May 23, 2009 11:46 AM

@ mark,

“Can anyone tell me where I can download a free open source computer forensics toolkit that is windows based.”

For a number of reasons MS OS’s are not suitable for forensics without a lot of work…

However most of the free *nix don’t have the same issues if booted correctly.

You can download several CD’s with forensics tools on them.

Have a search for the “The Coroner’s Toolkit” (TCT). It was probably the first of many, you can also find it or similar on CD’s in the back of books.

All will be better than trying to force an MS OS to do something it was never designed to do.

frankly December 3, 2009 2:51 PM

The MS Computer Online Forensic Evidence Extractor (COFEE) has been leaked on the internet, initially via:

But it has been taken down, but you can get hold of it on the (in)famous Leaks website and a summary can be read at:

What I find interesting is how MS has highlighted that COFEE is merely a collection 150 existing data collection software tools, which seem to be something akin to the ones provided by:

Try a leaky search query:

Decaf a Tea Leaf December 14, 2009 1:32 PM



Step 1: Download and extract
Step 2: Download and extract devcon.exe
Step 3: Move devcon.exe (for your environment i386 or ia64) into decaf directory

DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.

DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moments notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.

Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF’s next release is going to be available in a more light-weight version and/or a windows service.

DECAF Lockdown Mode features

* Contaminate MAC Addresses: Spoof MAC addresses of network adapters
* Kill Processes: Quick shutdown of running processes
* Shutdown Computer: On the fly machine power down
* Disable network adapters
* Disable USB ports
* Disable Floppy drive
* Disable CD-ROM
* Disable Serial/Printer Ports
* Erase Data: Quick file/folder removal (Basic Windows delete)
* Clear Event Viewer: Remove logs from the Event Viewer
* Remove Torrent Clients: Removes Azureus and BitTorrent clients
* Clear Cache: Remove cookies, cache, and history

DECAF Downloads
Version File Size MD5 Checksum
DECAF v1.0.2 47KB 48ae74ec9dc24286f5f87606cee6506f
devcon.exe (From Microsoft) 72KB 370363472c4e024442c283d24b67a009

DECAF Information
File Name File Size MD5 Checksum
decaf.exe 201KB 4039e1632a40651e2d47887e9db90164
Step 1: Download and extract
Step 2: Download and extract devcon.exe
Step 3: Move devcon.exe (for your environment i386 or ia64) into decaf directory

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.