
Law enforcement forensic app 'leaked' onto internet


25 replies to this topic

#1 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 12 November 2009 - 11:00 PM

Has anyone seen this news?

I'll paste this article on it below (with link) :

Microsoft Cofee leaks onto the web

No use crying over it
By Alexandra Pullin
Monday, 9 November 2009, 14:18

MICROSOFT'S DIGITAL FORENSICS software has been spotted on a file-sharing site, available for all to download.

Computer Online Forensic Evidence Extractor (COFEE) is a forensics tool that fits on a USB drive for the police to use in PC forensics.

The software is free to police forces around the world and helps access details about crimes such as identity theft, online fraud, child pornography and illegal filesharing before criminals can wipe the information.

It's reportedly illegal for unauthorised people to download and use the software.

According to the Vole it takes the average bobby "with even minimal computer experience" less than ten minutes to master the program.

"This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer," said Microsoft.

The Vole and police are worried that cyber criminals could analyse COFEE and write code that would identify and intercept it, securely wiping incriminating data from their hard drives.

COFEE requires Windows XP but it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE that will be released next year for Windows Vista and Windows 7.
--------------------------

Microsoft's page on this app :
COFEE

There are in fact several sites featuring it for download, including a few torrents I found.

Anyone have an opinion on this?

Edit: I've seen this program on a certain torrent site which has one downloader's comment. The comment was a fake, claiming the torrent seems fake because it contains various zips with lots of rar files in them. I happen to know this particular download has none of this in it and was legit; therefore the downloading party was either stoned and seeing things, or more likely someone "concerned" who was trying to discourage people from downloading it (i.e. hoping to scare criminals away by making them think it's a bad download).

Very interesting.

Edited by totallyAunti, 12 November 2009 - 11:18 PM.


#2 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 12 November 2009 - 11:13 PM

I didn't hear about this. I actually took a forensics class and we used FTK which is the general purpose mainstream forensics tool out there. EnCase is also another big one. But I'm interested to see how well Cofee works with Windows systems vs. FTK or EnCase...I guess I'll find out...downloading it now...whoa already done. Hope it works!

#3 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 12 November 2009 - 11:20 PM

I just edited that post above and added something to the bottom of it. Seems "forces" out there are trying to curtail it as best they can.

#4 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 12 November 2009 - 11:43 PM


Yeah...no doubt...the official news is that M$ is "not worried at all." There are two torrents tracking it right now. I'm doing some hard differential equations problems right now for hw, and when I get done I'll test them out and see what's up.

Edit: BTW...M$ gives it out for free to law enforcement all over the world, so I'm surprised it has taken this long to get out there. Another thing: the two torrents have different sizes, so one is probably bogus.

Edited by Phail_Saph, 12 November 2009 - 11:52 PM.


#5 cruisefx

cruisefx

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 18 posts
  • Gender:Male

Posted 13 November 2009 - 12:22 AM

Jesu Christe, people, find some more reliable 0-day sources out there than torrent sites...

#6 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Gender:Male
  • Location:Philly

Posted 13 November 2009 - 12:26 AM

Ok...I'll take this one...so which zero day source did you get it from?

#7 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 13 November 2009 - 12:32 AM


You're making me laff, taking on this new person who seems to only be trying to give people a hard time. I can't wait to see where this ends....
;)

#8 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 936 posts
  • Gender:Male
  • Location:the bunker

Posted 13 November 2009 - 12:36 AM


+1
maybe Ohm's supermod spidey powers will tell him something is wrong and he'll go on a rant. </if you can't figure out that's a joke, that's your fault>

#9 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 13 November 2009 - 12:53 AM


Ha!

#10 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 13 November 2009 - 09:49 AM

Look, I am no programmer, so I would not know how to decompile and review the source code of the program, but someone should do that if people are going to install this onto their computer... I would not trust that it was not an intentional leak, and that there could be some very nasty surprises hidden in this thing, resulting in law enforcement coming to get you.

#11 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 13 November 2009 - 10:47 AM

Why did you bring up that idea? That's what we need - You spoiled the fun. Joking........ :p

Putting joking aside, you bring up a good point. I wonder how this 'leak' occurred and from whom? Wonder if that info is around any place to find, but the trouble with this notion is if they were good at covering their tracks they could've made it 'appear' to be a leak in case people came looking. In that case, I'll keep in mind what you brought up.

I wish I could review source code, but I'm a noob and can do very little with it, unfortunately.

Maybe someone good at code could volunteer to have a look at it and review it for everyone interested on binrev? Hoping.....

#12 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 936 posts
  • Gender:Male
  • Location:the bunker

Posted 13 November 2009 - 02:29 PM

Most of what I saw from it was pretty lame. It just has a bunch of "custom" console applications from Windows/Sysinternals (whoami, uptime, whatever). I haven't run it, as I'm too lazy to format/install it to a flash drive, but I'm guessing it probably just runs all of the apps and creates a log out of it. There's supposedly some more interesting stuff going on in the main exe, checking hashes or something, but I wouldn't know where to begin for disassembling it.

#13 totallyAunti

totallyAunti

    Mack Daddy 31337

  • Members
  • 209 posts
  • Gender:Male
  • Location:nubie-ville (somewhat new to internet, watch out)

Posted 13 November 2009 - 02:51 PM

Sysinternals apps? Pretty lame is right - I have nearly all sysinternals anyway.
I'm surprised it has those in it. Hmm... if the exe isn't much better then all I can say is, "Sorry I bothered mentioning it."

#14 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 936 posts
  • Gender:Male
  • Location:the bunker

Posted 13 November 2009 - 11:34 PM

Like half of the binaries aren't from Sysinternals. But most/all except the sha1 app are automatic, meaning you don't have to type in a command, just the name, and it grabs the info. The only one of any interest is probably sha1, maybe the one that checks if the user has remote shares.
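
What the two posts above describe (a fixed list of console tools run automatically, their output written to a log, and the main program checking hashes) is the basic shape of a first-responder volatile-data kit. The block below is an added example of that skeleton in Python; it is not code from COFEE and not something anyone in this thread posted. The tool list, the trusted-hash set (seeded from the running interpreter so the demo is portable) and the temporary output directory are assumptions for the demo; a real kit would carry its own tool binaries on the USB stick with their hashes baked in. The point it makes beyond the posts: a tool is executed only if the binary it resolves to hashes to a known-good value (so a substituted whoami.exe on the examined host is refused), every output file gets a SHA-1 in a manifest, and the manifest can be re-verified later to show the collected evidence was not altered.

```python
import hashlib
import json
import shutil
import subprocess
import sys
import tempfile
import time
from pathlib import Path


def sha1_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_file(path) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(tools, outdir, trusted_hashes, timeout=60):
    """Run each (name, argv) tool, save its output, and return the manifest.

    A tool runs only if the binary argv[0] resolves to hashes to a value in
    trusted_hashes; otherwise it is recorded as 'refused' and never executed.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in tools:
        entry = {"name": name, "argv": list(argv), "started": time.time()}
        exe = shutil.which(argv[0])  # absolute paths are accepted as-is
        if exe is None:
            entry["status"] = "missing"
            manifest.append(entry)
            continue
        entry["exe"] = exe
        entry["exe_sha1"] = sha1_file(exe)
        if entry["exe_sha1"] not in trusted_hashes:
            entry["status"] = "refused"  # not a binary we vouch for
            manifest.append(entry)
            continue
        try:
            proc = subprocess.run([exe] + list(argv[1:]), capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            entry["status"] = "timeout"
            manifest.append(entry)
            continue
        data = proc.stdout + proc.stderr
        out_path = outdir / f"{name}.txt"
        out_path.write_bytes(data)
        entry.update(status="ok", returncode=proc.returncode,
                     output=out_path.name, output_sha1=sha1_bytes(data))
        manifest.append(entry)
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir):
    """Recompute the hash of every saved output; return the names that no longer match."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [e["name"] for e in manifest
            if e.get("status") == "ok" and sha1_file(outdir / e["output"]) != e["output_sha1"]]


def demo(outdir=None):
    """Constructed demo run: two trusted tools plus one that should be refused or missing."""
    outdir = str(outdir) if outdir else tempfile.mkdtemp(prefix="kit_demo_")
    py = sys.executable
    trusted = {sha1_file(py)}  # assumption: only the running interpreter is trusted
    tools = [
        ("hostinfo", [py, "-c", "import platform;print(platform.node(), platform.system())"]),
        ("hello", [py, "-c", "print('hello', end='')"]),
        ("whoami", ["whoami"]),  # resolved on the host's PATH; its hash is not in 'trusted'
    ]
    manifest = collect(tools, outdir, trusted)
    return outdir, manifest, verify(outdir)


if __name__ == "__main__":
    where, entries, failures = demo()
    for e in entries:
        print(f"{e['name']:10} {e['status']:8} {e.get('output_sha1', '')}")
    print("output dir:", where, "| verification failures:", failures)
```

Note that the refusal is decided on the hash of the binary actually resolved, not on its name, which is what a kit must do if it is ever run on a machine whose owner had time to plant a look-alike tool in the PATH.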

#15 delicatessen

delicatessen

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 17 posts

Posted 20 November 2009 - 12:55 PM

Ever heard of the geek squad MRI disk? It's like that in simplicity but for the cops to point and click an automated forensics report generator without the need to know a whole lot.

#16 R4p1d

R4p1d

    Hakker addict

  • Members
  • 840 posts
  • Gender:Not Telling
  • Location:Space

Posted 24 November 2009 - 01:59 PM


Geeksquad sucks.

If you want a nice boot disk, make a BartPE disk.

#17 Warfusion

Warfusion

    Will I break 10 posts?

  • Members
  • 4 posts
  • Gender:Male

Posted 02 December 2009 - 09:06 PM

Hey guys. I found a copy of COFEE and did some testing in a Windows 7 VM. So far what I have seen is that it installs to a USB thumb drive and basically acts like the USB Hacksaw. It uses tools to do different things, but one big thing I noticed is that it can crack encryptions. I'm going to try it out on TrueCrypt to see if it cracks that encryption, but for now that's what I have found. Also, it mainly works on Win2K, WinXP and Win2K3, so it works from Windows 2000 to Windows Vista. A new version will come out for Windows 7, and I have not seen any support for Mac or Linux. If you want your own copy, download it here: PirateBay COFEE Torrent. Eventually I want to take it all apart to see how it works; anyone who has done this, please post what you have found, as I'm interested to see it.

Edited by Warfusion, 02 December 2009 - 09:22 PM.


#18 bpa

bpa

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 16 posts
  • Gender:Male

Posted 06 December 2009 - 03:09 PM

Thanks for the post. Wikileaks has it. Search "cofee".

The slow (US) link works. The SSL link gives a corrupted zip file.

#19 snakesonaplane

snakesonaplane

    SUP3R 31337 P1MP

  • Members
  • 297 posts
  • Location:Mass

Posted 06 December 2009 - 04:24 PM

Hey guys. I found a copy of COFEE and did some testing in a Windows 7 VM. So far what I have seen is that it installs to a USB thumb drive and basically acts like the USB Hacksaw. It uses tools to do different things, but one big thing I noticed is that it can crack encryptions. I'm going to try it out on TrueCrypt to see if it cracks that encryption, but for now that's what I have found. Also, it mainly works on Win2K, WinXP and Win2K3, so it works from Windows 2000 to Windows Vista. A new version will come out for Windows 7, and I have not seen any support for Mac or Linux. If you want your own copy, download it here: PirateBay COFEE Torrent. Eventually I want to take it all apart to see how it works; anyone who has done this, please post what you have found, as I'm interested to see it.


Good idea trying it in a VM. I would like to test it out myself, but I don't trust anything that has been supposedly "leaked". As time goes by and there is an increasing amount of verification, I might give it a try.


Geeksquad sucks.

If you want a nice boot disk, make a BartPE disk.


Amen. BartPE is very useful and highly customizable.

Edited by snakesonaplane, 06 December 2009 - 04:26 PM.


#20 Pi_2.0

Pi_2.0

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 17 posts
  • Gender:Male

Posted 09 December 2009 - 03:43 AM

How is this different from any other publicly available forensic suite out there?

First of all, you could just wipe shit you don't want the cops to find. Secondly, if you use any kind of decent encryption, there's no way that little program is going to crack it this decade.



