Tuesday, 10 November 2009

No point crying over spilled COFEE

In 2007 Microsoft released a tool called COFEE which is an acronym for Computer Online Forensic Evidence Extractor.
It was released to law enforcement agencies around the world. While COFEE is a professional tool, it’s meant for the average police officer who may not have a lot of experience with computers: you just plug in a USB key with COFEE installed and, if autorun is enabled on the computer, it will run a series of diagnostics and 150 ‘commands’ that can, among other things, decrypt passwords, display internet activity, and uncover all data stored on the computer. Most importantly, it can do this on-site, rather than an investigator needing to remove a machine during a search or raid and send it to a lab for analysis. It then writes a report and generally gives a quick and dirty analysis of the computer. It’s not an exhaustive tool, and most of the commands and tools COFEE uses are things that many hackers already have on their computers and could run manually any time they want.
COFEE is a good simple tool and a tool law enforcement officers need and should have, and it’s been a pretty closely guarded tool – until now.
In the last few days, a user on what.cd uploaded a torrent of COFEE and made it available for any user to download. Which, of course, means that it’s now available on any number of bittorrent sites. The site it was originally found on did something they rarely do and took the torrent offline, but it was already too late and the tool is in the wild. Even if many of the bittorrent sites agree to pull the torrent, there are enough users who have the file and enough sites that will be uncooperative that it’s very unlikely this djinni can be put back in the bottle.
The fact that this tool has been a big mystery before now has made it very enticing, but getting your hands on a copy has been limited to a very few people who were in law enforcement or had friends that were.
It needs to be pointed out that COFEE is owned and jealously guarded by Microsoft. I won’t be surprised if they start going after people to get this removed from the Internet.
Now that the COFEE has been spilled into the tubes of the Internet, what are our moral and ethical responsibilities as security professionals, IT managers or personnel managers concerning the tool? This is a tool that’s aimed at letting police officers who are computer novices collect valuable forensics information using applications that are available natively in Windows and creating a simple report for future reference. While this is interesting, it’s nothing top secret or even that revolutionary, but it does have implications for many privacy laws if it is used wrongly.
I suspect the main reason it was only available to law enforcement officers was to keep malware creators and hackers from learning the limits of COFEE and figuring out ways to prevent it from collecting anything if their own computers are ever seized.
Personally, I think the tool’s been leaked and, rather than trying to get it back, law enforcement and the security community should be concentrating on providing an even better tool that will do everything COFEE can do and more using open source tools. There are any number of forensics tools already out there that will do a very good job of evaluating a desktop’s running configuration and that could be made at least as easy to use as COFEE. The hard part would probably be getting law enforcement agents to accept something that didn’t have a huge name like Microsoft behind it. For example, if a limited version of Backtrack was created that would run when you plug a USB key into the computer, the amount of data collected could be greatly increased.
If there are already other tools available that can easily and cheaply provide law enforcement with forensics evidence they can use in court, I don’t know of them and would appreciate some pointers. If not, someone needs to create something and make it available to law enforcement, especially if it’s something that’s easy for a computer neophyte to use. I don’t think that having COFEE leaked reduces its effectiveness or makes it harder for law enforcement to use, but I believe that the open source community can create a better tool and make it available to everyone without feeling a need to keep its capabilities secret.
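To make the mechanism described above concrete, here is an added example of a minimal live-response collector in the same style: native Windows commands run from a USB key in order of volatility, each output saved and SHA-256 hashed, and a report written for the case notes. This is illustrative code written for this post, not COFEE or any existing tool; it assumes an elevated PowerShell prompt, that `$PSScriptRoot` is the key’s directory, and the command list and file names are our own choices.

```powershell
# Added example (not COFEE's code): minimal live-response collection using only native Windows
# commands. Outputs are written beside the script (e.g. on the USB key it was launched from) and
# every file is hashed so the report can be checked against the evidence later.
# Assumptions: elevated prompt; $PSScriptRoot is the key's directory; step names are ours.

$Case     = Read-Host 'Case / evidence identifier'
$Examiner = Read-Host 'Examiner name'
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir   = Join-Path $PSScriptRoot "collect-$env:COMPUTERNAME-$Stamp"
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Most volatile first: memory-resident state before disk-resident configuration.
$Steps = [ordered]@{
    'datetime'     = { Get-Date -Format o; w32tm.exe /tz }
    'users'        = { whoami.exe /all; query.exe user }
    'processes'    = { tasklist.exe /v; tasklist.exe /svc }
    'network'      = { ipconfig.exe /all; netstat.exe -ano; arp.exe -a; route.exe print }
    'dns_cache'    = { ipconfig.exe /displaydns }
    'services'     = { sc.exe query state= all }          # sc.exe, not the PowerShell alias 'sc'
    'autoruns_reg' = { reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
                       reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run }
    'scheduled'    = { schtasks.exe /query /fo LIST /v }
    'shares'       = { net.exe share; net.exe use }
    'firewall'     = { netsh.exe advfirewall show allprofiles }
    'usb_history'  = { reg.exe query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s }
}

$Report = @("Case: $Case", "Examiner: $Examiner", "Host: $env:COMPUTERNAME", "Started: $Stamp", '')
foreach ($name in $Steps.Keys) {
    $file = Join-Path $OutDir "$name.txt"
    $t0   = Get-Date -Format o
    # Capture stdout and stderr together so a failing command is recorded rather than silently lost.
    & $Steps[$name] 2>&1 | Out-File -FilePath $file -Encoding utf8
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    $Report += "$t0  $name  sha256=$hash"
}

$ReportFile = Join-Path $OutDir 'report.txt'
$Report | Out-File -FilePath $ReportFile -Encoding utf8
# Hash the report itself last, so the examiner records a single value in the case notes.
"report.txt sha256=$((Get-FileHash -Path $ReportFile -Algorithm SHA256).Hash)"
```

Running the collector from a key that is mounted read-only defeats its own output directory, so in practice the outputs go to a second, writable key or a network share; the per-file hashes are what make the evidence defensible either way.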
