Computer Online Forensic Evidence Extractor
Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.
Development and distribution
COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team. Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15 countries.
A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.
In April 2009 Microsoft and INTERPOL signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations, in conjunction with INTERPOL, develops programs for training forensic experts in using COFEE. The National White Collar Crime Center (NW3C) has been licensed by Microsoft to be the sole US domestic distributor of COFEE.
Public leak
On November 6, 2009, copies of Microsoft COFEE were leaked onto various BitTorrent websites. Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators. Microsoft confirmed the leak; however, a spokesperson for the firm said "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern". Because the tool kit wraps utilities that were already public, the leak added little in the way of new capability; what it did expose were the tool kit's own file and process signatures, which counter-forensic software can match on.
Use
The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data. The software is reported to be made up of three parts: a console on which the investigator configures COFEE in advance by selecting the data to be collected; the resulting collection package, which is saved to a USB device for plugging into the target computer; and a further interface that generates reports from the collected data. Estimates cited by Microsoft state that jobs which previously took 3–4 hours can be done with COFEE in as little as 20 minutes.
COFEE includes tools for password decryption, Internet history recovery and other data extraction. It also recovers data stored in volatile memory (RAM), which would be lost if the computer were shut down. Because the tools run on the live system, their execution itself changes that system's state (new processes, registry and log entries, data written to the USB device), so the order in which items are collected and the fact that the tool was run form part of the evidence record.
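The three-stage workflow described above (a collection profile chosen in advance, a run from the USB device on the live machine, and a report built from what was gathered), as an added example that is not COFEE's own code or any Microsoft code. It is a small PowerShell live-collection script; the profile contents, the file and directory names, and the Invoke-LiveCollection function are all assumptions made for illustration. It keeps its output on the collection drive rather than the target disk, hashes every output file, and logs its own run, so the collection can be reproduced and the tool's own effect on the live system accounted for.

```powershell
# Added example, not COFEE's code. Profile contents, names and layout are assumed.
# Copy to the removable drive and run there as an administrator: .\Collect-Volatile.ps1

# Collectors are listed most-volatile first; each is a name and a script block.
$Profile = [ordered]@{
    'processes' = { Get-Process | Select-Object Id, ProcessName, Path }
    'tcp'       = { Get-NetTCPConnection |
                    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    'sessions'  = { Get-CimInstance Win32_LogonSession | Select-Object LogonId, LogonType, StartTime }
    'services'  = { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName }
    'autoruns'  = { Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
}

function Invoke-LiveCollection {
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Profile,
        # Default to the script's own drive so nothing is written to the target disk.
        [string] $OutputRoot = (Join-Path ($(if ($PSScriptRoot) { $PSScriptRoot } else { $PWD.Path })) 'collected')
    )
    $case = Join-Path $OutputRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $env:COMPUTERNAME, (Get-Date).ToUniversalTime())
    New-Item -ItemType Directory -Path $case -Force | Out-Null
    $log = Join-Path $case 'collection.log'

    # Record who ran what, where and when before collecting anything.
    "start_utc=$((Get-Date).ToUniversalTime().ToString('o'))" | Out-File $log
    "host=$env:COMPUTERNAME user=$env:USERNAME"               | Out-File $log -Append
    if ($PSCommandPath) {   # hash of this script, so the exact collector used is on record
        "tool_sha256=$((Get-FileHash -Algorithm SHA256 $PSCommandPath).Hash)" | Out-File $log -Append
    }

    $manifest = foreach ($name in $Profile.Keys) {
        $file = Join-Path $case "$name.csv"
        try {
            & $Profile[$name] | Export-Csv -Path $file -NoTypeInformation
            $status = 'ok'
        } catch {
            $status = "error: $($_.Exception.Message)"   # note the failure and keep going
        }
        $hash = if (Test-Path $file) { (Get-FileHash -Algorithm SHA256 $file).Hash } else { '' }
        "$(Get-Date -Format o) $name $status" | Out-File $log -Append
        [pscustomobject]@{ Item = $name; File = $file; Sha256 = $hash; Status = $status }
    }

    # The manifest is the report stage: one row per item with its hash and outcome.
    $manifest | Export-Csv -Path (Join-Path $case 'manifest.csv') -NoTypeInformation
    "end_utc=$((Get-Date).ToUniversalTime().ToString('o'))" | Out-File $log -Append
    return $manifest
}

Invoke-LiveCollection -Profile $Profile | Format-Table -AutoSize
```

The script itself is part of what it is measuring: its process, the CSV writes to the USB device and the registry reads all appear in the live state it collects, which is why the log records the start and end times and the hash of the collector before and after the items themselves.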
Detect and Eliminate Computer Assisted Forensics (DECAF)
Detect and Eliminate Computer Assisted Forensics (DECAF) is a counter intelligence tool specifically created around obstructing COFEE. DECAF provides real-time monitoring for COFEE signatures on USB devices and in running applications. When a COFEE signature is detected, DECAF performs numerous user-defined processes. These may include COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses.
See also
- BackTrack, an operating system based on the Ubuntu GNU/Linux distribution aimed at digital forensics and penetration testing
- Knoppix STD, a live CD Linux distribution based on Knoppix that focused on computer security tools
- PHLAK
- nUbuntu (Network Ubuntu), a remaster of the Ubuntu live CD with tools for penetration testing servers and networks
- DECAF
- Windows To Go, a Windows 8 feature that runs Windows from USB mass storage devices: a bootable USB drive with Windows capable of running data recovery/collection utilities
- Espresso, a COFEE plug-in which creates archives of common high-yield PII locations on a Windows PC (Internet Explorer, Firefox, Amazon, Windows Live Mail)