Computer Online Forensic Evidence Extractor

Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.


Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team. Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15 countries. A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest. In April 2009 Microsoft and Interpol signed an agreement under which Interpol would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations, in conjunction with Interpol, develops programs for training forensic experts in using COFEE. The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.


Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites. Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators. Microsoft confirmed the leak; however, a spokesperson for the firm said "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern".


Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data. The software is reported to be made up of three sections. First, COFEE is configured in advance, with the investigator selecting the data they wish to export; this configuration is saved to a USB device. Second, the device is plugged into the target computer, where the collection runs. A further interface then generates reports from the collected data. Estimates cited by Microsoft state that jobs which previously took 3–4 hours can be done with COFEE in as little as 20 minutes. COFEE includes tools for password decryption, Internet history recovery and other data extraction. It also recovers data stored in volatile memory, which would be lost if the computer were shut down.
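The three-stage workflow described above (a collection profile chosen in advance, a collection run from removable media, and a report generated afterwards) can be illustrated with a small live-response collector. The script below is an added example written for this page; it is not COFEE's code and does not reproduce COFEE's tool set. The case identifier, the output location, the script name, and the particular utilities in the profile are all choices made for the example. Each profile entry wraps a standard Windows command or cmdlet, which is the same design the analysis of the leaked tool describes.

```powershell
<#
  Illustrative Windows live-response collector (added example; not COFEE's code).
  Follows the workflow the article describes: a collection profile chosen in
  advance, a collection run from removable media, and a report generated afterwards.
  Assumptions: the case id, the output location, the script name and the list of
  utilities below are choices made for this example, not COFEE's configuration.
  Run from an elevated PowerShell prompt with the drive as working directory, e.g.:
    .\Collect-LiveResponse.ps1 -CaseId CASE-0001 -OutputRoot E:\collection
#>
param(
    [string]$CaseId     = 'CASE-0001',
    [string]$OutputRoot = (Join-Path $PWD.Path 'collection')
)

# Profile, ordered most-volatile first (RFC 3227 order of volatility), so that
# what disappears at power-off is captured before data that survives on disk.
# Each entry wraps a standard Windows utility or cmdlet.
$Profile = @(
    @{ Name = 'processes';       Run = { Get-Process | Select-Object Id, ProcessName, Path, StartTime |
                                         Format-Table -AutoSize | Out-String -Width 4096 } },
    @{ Name = 'net_connections'; Run = { netstat -ano } },
    @{ Name = 'arp_cache';       Run = { arp -a } },
    @{ Name = 'dns_cache';       Run = { ipconfig /displaydns } },
    @{ Name = 'logged_on_users'; Run = { query user } },
    @{ Name = 'ip_config';       Run = { ipconfig /all } },
    @{ Name = 'open_shares';     Run = { net share } },
    @{ Name = 'scheduled_tasks'; Run = { schtasks /query /fo LIST /v } },
    @{ Name = 'system_info';     Run = { systeminfo } }
)

$Started = Get-Date
$Dir = Join-Path $OutputRoot ('{0}_{1}_{2}' -f $CaseId, $env:COMPUTERNAME, $Started.ToString('yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Run each collector, capture stdout and stderr together, and record a SHA-256
# of every output file so the collection can be verified later.
$Manifest = foreach ($Item in $Profile) {
    $File = Join-Path $Dir ($Item.Name + '.txt')
    $T0   = Get-Date
    try {
        & $Item.Run 2>&1 | Out-File -FilePath $File -Encoding utf8
        $Status = 'ok'
    } catch {
        "ERROR: $($_.Exception.Message)" | Out-File -FilePath $File -Encoding utf8
        $Status = 'error'
    }
    [pscustomobject]@{
        Artifact = $Item.Name
        File     = Split-Path $File -Leaf
        Started  = $T0.ToString('o')
        Finished = (Get-Date).ToString('o')
        Bytes    = (Get-Item $File).Length
        SHA256   = (Get-FileHash -Path $File -Algorithm SHA256).Hash
        Status   = $Status
    }
}

# Manifest and report; the manifest's own hash is written separately so that the
# whole set can be checked against it.
$ManifestFile = Join-Path $Dir 'manifest.csv'
$Manifest | Export-Csv -Path $ManifestFile -NoTypeInformation
(Get-FileHash -Path $ManifestFile -Algorithm SHA256).Hash |
    Out-File -FilePath (Join-Path $Dir 'manifest.sha256') -Encoding ascii

$Report = @"
Live response report
Case:      $CaseId
Host:      $env:COMPUTERNAME
Operator:  $env:USERDOMAIN\$env:USERNAME
Started:   $($Started.ToString('o'))
Finished:  $((Get-Date).ToString('o'))
Artifacts: $(@($Manifest).Count) collected, $(@($Manifest | Where-Object Status -eq 'ok').Count) without error

"@
$Report += $Manifest | Format-Table Artifact, Bytes, SHA256, Status -AutoSize | Out-String -Width 4096
$Report | Out-File -FilePath (Join-Path $Dir 'report.txt') -Encoding utf8
Write-Host "Collection written to $Dir"
```

Two caveats a practitioner would want. The utilities here are invoked from the target's own PATH; a kit built for evidence collection carries known-good copies of each binary on the drive instead, since a compromised machine may have altered the local ones. And any live response alters the target (USBSTOR registry entries, prefetch files, the collector's own process and network state), which is why the timestamps and hashes of what was run are part of the record. A full memory image, which is what the section means by data in volatile memory, is a separate acquisition step that this example does not perform.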


DECAF

In mid to late 2009 a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by a group of programmers unconnected with Microsoft. The tool would reportedly protect computers against COFEE and render it ineffective. Its creators claimed that it would provide real-time monitoring for COFEE signatures on USB devices and in running applications, and that when a COFEE signature was detected, DECAF would carry out a number of user-defined actions. These included clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses. On December 18, 2009, the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools".


See also

* Kali Linux
* nUbuntu
* Windows To Go, a bootable USB drive with Windows capable of running data recovery/collection utilities


External links

* "Reactivating DECAF in Two Minutes", Praetorian Prefect, December 2009. Original URL (dead): http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/ ; archived February 23, 2014 at https://web.archive.org/web/20140223193138/http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/