139 Comments
- rabidmonkey1, on 04/30/2008, -4/+37 "Children are particularly at risk to anonymous predators or those with false identities. "Criminals seek to win a child's confidence in cyberspace and meet in real space," Smith cautioned."
Somebody think of the children!
/Mrs. Lovejoy
- methylamine, on 04/30/2008, -2/+31 Any time you hear government or their minions say "It's for the children", RUN! You know you're about to have yet another of your rights trampled.
- chriskeyes, on 04/30/2008, -1/+25 Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables." It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means." Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."
Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."
To sum it up: If you are not logged in or your pc is off the tool is useless.
- Minarchian, on 04/30/2008, -16/+40 And MS still wants people to believe that they have no "back door" keys to everyone's computers?
I am installing Ubuntu Linux...screw MS, I don't trust them one iota.
- inactive, on 04/30/2008, -2/+26 I want one.
I checked ebay, but no luck.
Dang.
- cryptoki, on 04/30/2008, -7/+27 mee too ... mee too !!!! wow a system that's so insecure a few programs on a flash drive can totally circumvent your login passwords, and possibly your EFS encryption in an instant. these kinds of tools are bad. because eventually a few hackers will get ahold of them and post them somewhere. I'm guessing.. this goes to prove there ARE backdoors in MS products? they make this tool sound sooo easy to use.. a caveman could do it.
- Jaablaze, on 04/30/2008, -15/+31 -1 for Microsoft
- decet, on 04/30/2008, -4/+19 So who says Microsoft isn't innovative?
Btw, ever heard of a live linux cd? Of course, this can be copied to a USB stick and plugged into WINDOWS SYSTEMS where you can repair a damaged file system and do other useful things. The juicier versions have password retrievers and all sorts of "forensic" goodies.
- slickme, on 04/30/2008, -0/+14 http://www.microsoft.com/presspass/features/2008/a ...
- queotic, on 04/30/2008, -8/+22 Thank you, Microsoft, for making identity theft even easier.
- Fartag, on 04/30/2008, -4/+18 Exactly, only innocent people worry about being searched, there should be no privacy through private conversation, encrypted files, or thoughts hidden in our brains. Only the guilty would protest cameras installed in every room of their house in case the authorities need to check in on them, or protest when their data is copied for scrutiny at the border. The police _need_ this capability to check everything about you out for illegal activity to protect us from terrorism, child molesters, and copyright violations!
Microsoft here is boldly continuing their commitment to further interests apart from the users of their software. Writing software that can extract data from a running system before encryption once again securely reclaims the files on shutdown. They used to have to hide these kinds of things behind the scenes like NSA keys, closed source unpatched exploits and apps that phone home with tidbits of information whenever possible, but it's great to see how our society has evolved after 9/11 to accept these more bold things that companies like AT&T do out in the open. Tirelessly working to ensure nothing in critical infrastructure like OSes or communications are inscrutable or untracked. All the while people still buy machines with Vista pre-installed and defend Microsoft whenever possible.
/s
- diemunkiesdie, on 04/30/2008, -1/+13 This doesn't prove there are backdoors in their products at all! What are you reading?
Read this: http://blog.seattletimes.nwsource.com/techtracks/2 ...
Specifically this paragraph:
Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."
It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."
Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."
So in other words, they haven't done anything special, just placed some standard tools on a thumb drive.
- cquinnd, on 04/30/2008, -1/+12 It doesn't prove much of anything, there have been tools on Windows and Linux that have been able to crack the average Windows box for some time now. What is not known is how such a tool would handle a system where the user went beyond the normal steps to secure their system (using third party encryption tools, stronger passwords and encrypted filesystems).
- tblindt, on 04/30/2008, -2/+13 i bet mac is no better... i bet the iphone is rigged too
- crackah, on 04/30/2008, -4/+15 Bet you're already using Ubuntu.
- alexforcefive, on 04/30/2008, -1/+11 Give it time
- quikboy, on 04/30/2008, -1/+11 It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."
Read one of the above comments.
- Myonosken, on 04/30/2008, -0/+9 It's in the ***** article.
- inactive, on 04/30/2008, -11/+20 from those that steal your private information it's really a non-event.
- cquinnd, on 04/30/2008, -2/+11 What makes you think it "breaks" their security... What is it doing that Ophcrack and similar tools don't already carry off?
- diemunkiesdie, on 04/30/2008, -0/+8 You lose whatever is in the RAM when you turn a computer off. This could mean passwords or encryption keys that are floating around in the RAM which would disappear with a power loss.
Here is an example of breaking encryption with information from a machine's RAM: http://arstechnica.com/news.ars/post/20080221-rese ...
In this case they take some canned air, turn the can upside down and lower the temperature of the RAM to carry out the attack before the data disappears from the memory.
- postingbh, on 04/30/2008, -1/+9 This could be valuable for investigations where the police have less than an hour or so to acquire the data. But if the police have more than an hour, they'll probably stick to standard forensic imaging hardware and software.
- lucutus, on 04/30/2008, -0/+8 I've been able to do this for years. It's not new or complicated. Sheesh if anyone who knows what they are doing can access your PC physically it is not hard to find "evidence" yes even if it's passworded and/or encrypted. There are things you can do to prevent this but then they'll just take the whole box back to the lab because they can.
- wushin, on 04/30/2008, -1/+7 Linux, 8 years strong and growing.
- Meesher, on 04/30/2008, -0/+6 A hidden TrueCrypt partition would not be useless in protecting your data, even if the person at your computer was logged in with admin rights. He would not even be able to detect that it exists, as the bits in the hidden partition are indistinguishable from the random data on the unhidden partition within which it exists. Fool-proof? No. Useless? Not quite.
- darkamster07, on 04/30/2008, -1/+6 ***** *****, people always use sexual crimes as justification for security measures, simply because it's a "hot button crime" that the majority of the American public is buying into when there are way worse crimes out there. Want a remedy for not falling into predator's hands: DON'T BE A ***** IDIOT.
I am completely fine with some dangers existing on the Internet as long as it ensures complete freedom. The minute they start implementing serious security on the Internet is the day the Internet dies.
- estvir, on 04/30/2008, -1/+6 http://blogs.zdnet.com/Bott/?p=435 (Sorry, conspiracy buffs, there’s no Windows “back door”)
In relation to nuts like you about this story.
- KibibyteBrain, on 04/30/2008, -2/+7 Actually, that's the thing I disliked about it the most. Maybe you can expect the police of one or two countries to be safe not to give this away to the bad guys, but 15 countries is just ensuring that this will be on TPB before we know it. So thanks Microsoft for making yet another quick ID theft tool.
- Enlefo, on 04/30/2008, -10/+15 Oh man, it's only a matter of time before you can download this ***** on bittorrent, usenet, etc. Way to break your own security MS... you're geniuses.
- asus2000, on 06/30/2008, -3/+8 Note to self: Write LaughAtCops virus which spreads to unknown thumbdrives and subsequently erases hard-drives of "other" computers it's plugged into...
- Murdats, on 04/30/2008, -3/+7 it is most likely a bootable device, so then yes.
- clesch, on 04/30/2008, -3/+7 Yay Truecrypt and — to a lesser degree — FileVault.
- Murdats, on 04/30/2008, -1/+5 especially because windows has several system back up tools.
- smotpoker, on 04/30/2008, -1/+5 Dick semantics: Technically if it's rebooting to a non-linux os, then it isn't running *on* linux :P
Real semantics: I haven't used windows in forever but the last I heard neither it nor MS support any of the more common default Linux file systems out of the box and most of the other file systems Linux supports are not supported under windows/by MS *at all*.
Also, it is not all that likely that it could easily support many of the various encryption solutions, let alone all of them and any secret MS backdoor the thing might utilize for entry/access (not saying it does, I haven't really investigated it) does not exist in any form on any distribution of Linux (which can be easily validated by checking the source ;))
In other words, even if it was rebooted, if it runs any version of windows it likely would be unable to access anything on Linux
- kr00lplatinum, on 04/30/2008, -0/+4 Yet one more reason to use Linux vs Microsoft or Mac! If we could just get the big game industry to port games to Linux I would be on Ubuntu all day!
- blueskydiver76, on 04/30/2008, -0/+4 I guess it doesn't have to be stolen to be used inappropriately...
- MellerTime, on 04/30/2008, -1/+4 So the officers will be foiled once or twice over the course of their entire careers. Damn.
- luchid, on 04/30/2008, -0/+3 Yeah, because its firmware has so not totally been exposed and thoroughly examined by the thousands of people who researched it to find an unlock method.
- inactive, on 04/30/2008, -0/+3 Found in the back of a taxi cab stuck in a laptop containing fifty thousand social security numbers...
- inactive, on 04/30/2008, -1/+4 http://technet.microsoft.com/en-us/sysinternals/de ...
- luchid, on 04/30/2008, -1/+4 I don't think one could be used on a computer running OS X or Linux.
- gregoryfenton, on 04/30/2008, -0/+3 The Principles of Computer Based Electronic Evidence
Four principles are involved:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are adhered to.
Principle 1: violated.
Principle 2: a police officer that has been given a usb dongle is not an exceptional circumstance
Principle 3: Impossible after the initial alteration has occurred.
Principle 4: irrelevant to this discussion
It is essential to show objectively to a court both continuity and integrity of evidence. It is also necessary to demonstrate how evidence has been recovered showing each process through which the evidence was obtained. Evidence should be preserved to such an extent that a third party is able to repeat the same process and arrive at the same result as that presented to a court.
http://www.acpo.police.uk/asp/policies/Data/gpg_co ...
Want to get any more authoritative than that?
- asus2000, on 06/30/2008, -1/+4 That was Windows 98...
- ChayesFSS, on 04/30/2008, -0/+3 I would think that this is just going to allow those idiots to quickly pull things like index.dat's, a snap shot of the history and maybe a few other things.
Anyways, always a good idea to disable usbstorage (USB < Firewire) by flipping the switch on it via
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor and setting the value data to a 4. You'll still be able to use your mice and keyboards.
- mxmj, on 04/30/2008, -0/+3 No he works for the Feds.
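The UsbStor setting from ChayesFSS's comment above, as an added example that is not part of the thread: a PowerShell sketch that reports the driver's current start type and, on request, sets it to 4 (disabled). The value name `Start` is the standard Windows service start-type value and is not named in the comment; the function names are hypothetical.

```powershell
# Added example: audit and optionally disable the USB mass-storage driver.
# Function names are hypothetical. Changing the value needs an elevated prompt.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# Meaning of the Start DWORD in a driver's service key.
$StartTypes = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-UsbStorState {
    # Report whether the key exists and what its Start value currently means.
    if (-not (Test-Path $UsbStorKey)) {
        return [pscustomobject]@{ Present = $false; Start = $null; Meaning = 'key not found' }
    }
    $start = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction Stop).Start
    $meaning = if ($StartTypes.ContainsKey([int]$start)) { $StartTypes[[int]$start] } else { 'Unknown' }
    [pscustomobject]@{ Present = $true; Start = $start; Meaning = $meaning }
}

function Disable-UsbStor {
    # Set Start to 4 only when it is not already 4; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $state = Get-UsbStorState
    if (-not $state.Present) { Write-Warning 'USBSTOR service key not found'; return }
    if ($state.Start -eq 4) { Write-Verbose 'Already disabled'; return $state }
    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start from $($state.Start) to 4")) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }
    Get-UsbStorState
}

Get-UsbStorState            # report only, changes nothing
# Disable-UsbStor -WhatIf   # preview the change; drop -WhatIf to apply it
```

Keyboards and mice are handled by the HID drivers, not USBSTOR, which is why they keep working as the comment says.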
- estvir, on 04/30/2008, -1/+4 All it is is a collection of available tools for use on a flash drive and if someone has physical access to your machine, which is needed to plug a flash drive in, no security is going to stop whoever has your machine.
RTFA and THINK before you post.
- Myztry, on 04/30/2008, -0/+3 One of my old cracker buddies has a BBS full of warez that got seized by the police. Unfortunately for them, it was Amiga based. They kept the machine for a month before returning it intact. They had absolutely no idea what to do with it.
I imagine the police would have the same problem with my system as it's not an insecure operating system that the Microsoft tools would function on. Though outside of porn (which someone no-doubt owns Copyright to) they wouldn't find anything. The rest is all Open Source.
I feel more secure being Microsoft free regardless...
- PJBovoNox, on 04/30/2008, -3/+6 Linux (Ubuntu), at the minute.
- ats314, on 04/30/2008, -2/+5 sorry, jumpdrive is a name brand thumb drive by lexar. I meant to say thumb drive or flash drive.
- Gambra, on 04/30/2008, -7/+9 So where can I download this? Is it up on thepiratebay yet? :)