COFEE, Forensics and Security via Obscurity

Anyone in the digital forensics community will have heard today's big story: Microsoft's live forensics toolkit, COFEE, has been leaked (pun intended) onto the Internet. Normally this would not be big news, but since it was supposedly designed for "law enforcement only" it is being reported on and discussed widely.

I remember when this was announced. Like many, I was able to obtain some factual information on COFEE 'unofficially' through a few contacts. If you take a bunch of open source and freeware programs and wrap them up in a pretty GUI-based system that lets you create profiles to control which of these programs are run, in what order and with what switches — that is COFEE. You can then load a particular profile or profiles onto a USB key. You insert the USB key into the target system and COFEE runs the commands and options requested in the profile (assuming auto-run is enabled; if not, you can start COFEE manually). The output is saved and you can view it in a simple reporting package that organizes the information hierarchically by type: REGISTRY, POLICY, MEMORY, PASSWORDS and other categories. Of course, you have to have user access to the system for COFEE to work, ideally an administrative-level account.
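To make the profile-driven design concrete, here is a small Python triage runner added for this post; it is not COFEE's code, and the profile format and the two entries in `PROFILE` are constructed (the post does not show COFEE's real format). It runs each entry in order, files the output under its report category, and records the command line, timestamps, exit code and a SHA-256 of each output so the collection can be verified later.

```python
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed profile (COFEE's real profile format is not shown on the page).
# Each entry: the report category, a name for the output file, and the
# program plus switches to run, listed in execution order.
PROFILE = [
    {"category": "PROCESSES", "name": "pid_self",
     "argv": [sys.executable, "-c", "import os; print(os.getpid())"]},
    {"category": "MEMORY", "name": "fake_dump",
     "argv": [sys.executable, "-c", "print('0000: 4d5a9000')"]},
]

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def run_profile(profile, outdir=None):
    """Run each profile entry in order, save stdout under <outdir>/<CATEGORY>/<name>.bin
    and return a manifest recording what ran, when, its exit code and the output hash."""
    outdir = Path(outdir or tempfile.mkdtemp(prefix="triage_"))
    manifest = []
    for entry in profile:
        started = datetime.now(timezone.utc).isoformat()
        proc = subprocess.run(entry["argv"], capture_output=True, timeout=60)
        finished = datetime.now(timezone.utc).isoformat()
        target = outdir / entry["category"] / f"{entry['name']}.bin"
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(proc.stdout)  # raw bytes, so the hash covers exactly what was saved
        manifest.append({
            "category": entry["category"], "name": entry["name"],
            "argv": entry["argv"], "started": started, "finished": finished,
            "exit_code": proc.returncode, "stderr": proc.stderr.decode(errors="replace"),
            "output": str(target), "sha256": hashlib.sha256(proc.stdout).hexdigest(),
        })
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(manifest):
    """Re-hash every saved output; return the names whose contents no longer match."""
    return [e["name"] for e in manifest if sha256_file(e["output"]) != e["sha256"]]

if __name__ == "__main__":
    print(json.dumps(run_profile(PROFILE), indent=2))
```

The manifest is what an examiner would hand over alongside the output: it shows exactly which program ran with which switches, and `verify_manifest` detects any output file altered after collection.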

One of the 'selling points' was that any untrained officer could run COFEE on a target system without having to understand what they are doing. If the investigation does go to court, it will be expected that chain of custody, documentation and due diligence are all taken care of. More importantly, I could see the lawyer for the defense saying something to the effect of "Let me see if I understand this. Officer Joe here, who has no knowledge of digital forensics, ran COFEE on the target system unsupervised. Officer Joe, are you sure the process list is complete? There were no hidden processes that are not being shown? Are you certain that you obtained every active user on the system? How are you sure? Are you certain you have a copy of all areas of memory and nothing was missed?" The key to digital forensics is not the tool; it is having an understanding of what data is being extracted, how it is being extracted, what the extracted data means, and being able to explain what might have been missed or might be inaccurate and why. This requires knowledge and training.

However, my biggest issue with COFEE has always been the "law enforcement only" type of approach. It never works. The software will eventually get out. It is just another play on "Security via Obscurity". Why restrict it to law enforcement? The only argument I have heard to support that is that if the tools get out, the anti-forensics community will figure out a way around them so they don't work. This type of research and software deployment is alive and well and has been for some time. I even received training on how to fool forensic memory acquisition software in 2007 at Blackhat. To be honest, if law enforcement is investigating a breach at a nuclear plant or some other critical infrastructure, I really hope they use many other publicly available tools for their investigation instead of COFEE, and individuals who know what they are doing – personally, I'd feel more confident in them. Of the few lawyers and law enforcement officials I do know, I have not heard of an untrained officer using COFEE on a system to date as the primary source of data gathering — not scientific, but I hope it is a sign that they are smarter than that.