Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.


Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team. Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. The device is used by more than 2,000 officers in at least 15 countries. A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest. In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations, in conjunction with Interpol, develops programs for training forensic experts in using COFEE. The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.


Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites. Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators. Microsoft confirmed the leak; however, a spokesperson for the firm said "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern".


Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data. The software is reported to be made up of three sections. First, COFEE is configured in advance, with an investigator selecting the data they wish to export; this configuration is then saved to a USB device for plugging into the target computer. A further interface generates reports from the collected data. Estimates cited by Microsoft state that jobs which previously took 3–4 hours can be done with COFEE in as little as 20 minutes. COFEE includes tools for password decryption, Internet history recovery and other data extraction. It also recovers data stored in volatile memory, which could be lost if the computer were shut down.
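The three-stage workflow described above (a collection profile prepared in advance, an automated capture run on the live machine, and a report built from the results) is the general shape of any live-response kit. The script below is an added illustration of that shape, written for this page; it is not COFEE code, and the profile fields, collector names and command lines are assumptions chosen for the example rather than anything from Microsoft's toolset. It runs collectors in order of volatility, hashes each artifact at capture time so an examiner can later prove the files are unchanged, and renders a plain-text report.

```python
"""Minimal live-response collector: configure in advance, collect, report.

Added example for illustration only. This is not COFEE code; the profile
layout, collector names and commands below are assumptions, not Microsoft's.
"""
import hashlib
import json
import platform
import subprocess
import sys
import time
from pathlib import Path

# Stage 1: a profile prepared by the investigator before reaching the machine.
# Collectors are listed most-volatile first (running processes and network
# state disappear at shutdown; interface configuration is less transient).
if platform.system() == "Windows":
    DEFAULT_PROFILE = [
        {"name": "processes", "cmd": ["tasklist", "/v"]},
        {"name": "network", "cmd": ["netstat", "-ano"]},
        {"name": "interfaces", "cmd": ["ipconfig", "/all"]},
    ]
else:
    DEFAULT_PROFILE = [
        {"name": "processes", "cmd": ["ps", "aux"]},
        {"name": "network", "cmd": ["ss", "-tunap"]},
        {"name": "interfaces", "cmd": ["ip", "addr"]},
    ]


def run_collector(entry, outdir):
    """Stage 2: run one collector, store its raw output and hash it immediately."""
    started = time.time()
    try:
        proc = subprocess.run(entry["cmd"], capture_output=True, timeout=60)
        data, rc = proc.stdout, proc.returncode
        err = proc.stderr.decode(errors="replace")
    except (OSError, subprocess.TimeoutExpired) as exc:
        # A missing or hung tool must not abort the run; record the failure.
        data, rc, err = b"", -1, str(exc)
    finished = time.time()
    path = Path(outdir) / f"{entry['name']}.txt"
    path.write_bytes(data)
    return {
        "name": entry["name"],
        "cmd": entry["cmd"],
        "file": path.name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "returncode": rc,
        "stderr": err.strip(),
        "started": started,
        "finished": finished,
    }


def run_collection(profile, outdir):
    """Run every collector in profile order and write a manifest of hashes."""
    Path(outdir).mkdir(parents=True, exist_ok=True)
    records = [run_collector(entry, outdir) for entry in profile]
    manifest = {"host": platform.node(), "collected_at": time.time(), "items": records}
    (Path(outdir) / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(outdir):
    """Recompute hashes; returns the names of artifacts that no longer match."""
    manifest = json.loads((Path(outdir) / "manifest.json").read_text())
    bad = []
    for item in manifest["items"]:
        digest = hashlib.sha256((Path(outdir) / item["file"]).read_bytes()).hexdigest()
        if digest != item["sha256"]:
            bad.append(item["name"])
    return bad


def build_report(manifest):
    """Stage 3: render the manifest as a plain-text summary for the case file."""
    lines = [f"Live collection from {manifest['host']}", ""]
    for item in manifest["items"]:
        status = "ok" if item["returncode"] == 0 else f"FAILED rc={item['returncode']}"
        lines.append(
            f"{item['name']:<12} {item['size']:>8} bytes  "
            f"sha256={item['sha256'][:16]}...  {status}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    result = run_collection(DEFAULT_PROFILE, out)
    print(build_report(result))
    print("hash check:", "clean" if not verify_manifest(out) else "MISMATCH")
```

The output directory would normally sit on the removable drive itself so nothing is written to the target's disk; hashing at capture time rather than later is what lets the report stand up when the artifacts are later questioned.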


DECAF

In mid to late 2009 a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool would reportedly protect computers against COFEE and render the tool ineffective. Its authors alleged that it would provide real-time monitoring of COFEE signatures on USB devices and in running applications, and that when a COFEE signature was detected, DECAF would perform numerous user-defined processes. These included COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses. On December 18, 2009, the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools".


See also

* Kali Linux
* nUbuntu
* Windows To Go, bootable USB drive with Windows capable of running data recovery/collection utilities


External links

* "Reactivating DECAF in Two Minutes", Praetorian Prefect, accessed 2009-12-18 (original URL http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/ is dead; archived February 23, 2014 at https://web.archive.org/web/20140223193138/http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/)