World Library  
Flag as Inappropriate
Email this Article

Computer Online Forensic Evidence Extractor

 

Computer Online Forensic Evidence Extractor

Computer Online Forensic Evidence Extractor also said (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Contents

  • Development and distribution 1
    • Public leak 1.1
  • Use 2
  • DECAF 3
  • See also 4
  • References 5
  • External links 6

Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team.[1] Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft.[2] The device is used by more than 2,000 officers in at least 15 countries.[3]

A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.[1]

In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with Interpol develops programs for training forensic experts in using COFEE.[4] The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.[5]

Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites.[6] Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators.[7] Microsoft confirmed the leak; however a spokesperson for the firm said "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around' to be a significant concern".[8]

Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data.[1] The software is reported to be made up of three sections. First COFEE is configured in advance with an investigator selecting the data they wish to export, this is then saved to a USB device for plugging into the target computer. A further interface generates reports from the collected data.[7] Estimates cited by Microsoft state jobs that previously took 3–4 hours can be done with COFEE in as little as 20 minutes.[1][9]

COFEE includes tools for password decryption, Internet history recovery and other data extraction.[2] It also recovers data stored in volatile memory which could be lost if the computer were shut down.[10]

DECAF

In mid to late 2009 a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool would reportedly protect computers against COFEE and render the tool ineffective.[11] It alleged that it would provide real-time monitoring of COFEE signatures on USB devices and in running applications and when a COFEE signature is detected, DECAF performs numerous user-defined processes. These included COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses.[12] On December 18, 2009 the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools".[13][14][15][16]

See also

References

  1. ^ a b c d
  2. ^ a b
  3. ^
  4. ^
  5. ^ http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
  6. ^
  7. ^ a b
  8. ^
  9. ^
  10. ^
  11. ^
  12. ^
  13. ^
  14. ^
  15. ^
  16. ^

External links

  • Official website
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and USA.gov, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for USA.gov and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
 
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
 
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.
 


Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.