doomtroll

Microsoft device helps police pluck evidence from cyberscene of crime

20 posts in this topic

Yet another reason to avoid using Microsoft products. They're not your friend. ;)

It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

Probably a thumb drive with Cain & Abel, Wireshark, and some file manager on it.

It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

Probably a thumb drive with Cain & Abel, Wireshark, and some file manager on it.

I'd be interested in what Microsoft would have put on it though......and if there is a way to bypass even this tool

.....and if there is a way to bypass even this tool

If it's an automated break-through of their security, I would suggest the only workaround is not to use their OS. Who knows what back-doors there are in Windows.... There are plenty of others to choose from, many offer far better value for money.

Another point that no one else is picking up on: what do they do to ensure the data integrity of the disk/evidence? Do they previously clone the drive with a write-blocker in place, or is it just your average flat-foot cop poking around the file system (who might have a grudge to bear)?

Boy it would be really amusing if these USB dongles got shipped with a virus installed ;-).

Munge.

It can decrypt passwords....

Would this mean that the passwords are decrypted straight away (after all, if Microsoft have made this, then most likely they can decrypt passwords easily), or would it just run like Cain?


I'd laugh if it turns out it does use wireshark and other open source stuff, and doesn't put the GPL on the device, thus violating the GPL. ^_^

Edited by jedibebop

Sounds like it is just a souped-up Windows PE with in-house and/or contracted third-party software.


I can't believe you guys! In about 5 minutes of googling I found the Helix website which contains COFEE along with other forensic tools. The only thing MS did was to add an autorun.inf file to a USB drive to make the software auto-run when the device is plugged in.

Go to the link above and download your free copy of the Knoppix live CD of the Helix distribution or be a real hacker and grab the bittorrent.

I can't believe you guys! In about 5 minutes of googling I found the Helix website which contains COFEE along with other forensic tools. The only thing MS did was to add an autorun.inf file to a USB drive to make the software auto-run when the device is plugged in.

Go to the link above and download your free copy of the Knoppix live CD of the Helix distribution or be a real hacker and grab the bittorrent.

Where did you find that this is the tool Microsoft is giving Law Enforcement?

I have not found any information that says such.


Am I seeing a recurring theme? There seems to be a standard format that the media uses to sell new ways of stripping away privacy.

The article claims that anonymity is the precursor to crime.

As people flocked from small communities where everyone knew each other, an anonymity emerged in the cities and a rise in crime followed.

Our law enforcement officers are human and subject to the same manipulations as any human would. In a perfect world, I would trust my identity to anyone. Until we reach that world, I would like the option of anonymity. I'm not a criminal for that desire.

Then they bring in the fear.

That's allowing "criminals to infiltrate the community, become part of the conversation and persuade people to part with personal information," Smith said.

Children are particularly at risk to anonymous predators or those with false identities. "Criminals seek to win a child's confidence in cyberspace and meet in real space," Smith cautioned.

OMG, the children are in danger. The children are in danger from paper cuts at school and the mercury in the fluorescent lights. If anonymity will lead to child molestation, then let's ban public school to further protect children.

Maybe it would be too much to ask that the parents get involved with what the children are doing online and maybe Little Jimmy can stay safe. Instead, let's make sure that we can ID everyone that's in chat. That's a much better alternative.

Sorry for misspellings and grammar errors, I'm late back from break.

I can't believe you guys! In about 5 minutes of googling I found the Helix website which contains COFEE along with other forensic tools. The only thing MS did was to add an autorun.inf file to a USB drive to make the software auto-run when the device is plugged in.

Go to the link above and download your free copy of the Knoppix live CD of the Helix distribution or be a real hacker and grab the bittorrent.

Where did you find that this is the tool Microsoft is giving Law Enforcement?

I have not found any information that says such.

Incident Response / Forensics Tools:

sleuthkit : Brian Carrier's replacement to TCT.
autopsy : Web front-end to sleuthkit.
mac-robber : TCT's graverobber written in C.
fenris : debugging, tracing, decompiling.
wipe : Secure file deletion.
MAC_Grab : e-fense MAC time utility.
AIR : Steve Gibson Forensic Acquisition Utility.
foremost : Carve files based on header and footer.
fatback : Analyze and recover deleted FAT files.
md5deep : Recursive md5sum with db lookups.
sha1deep : Recursive sha1sum with db lookups.
dcfldd : dd replacement from the DCFL.
sdd : Specialized dd w/better performance.
PyFLAG : Forensic and Log Analysis GUI.
Faust : Analyze elf binaries and bash scripts.
e2recover : Recover deleted files in ext2 file systems.
Pasco : Forensic tool for Internet Explorer Analysis.
Galleta : Cookie analyzer for Internet Explorer.
Rifiuti : "Recycle BIN" analyzer.
Bmap : Detect & Recover data in used slackspace.
Ftimes : A toolset for forensic data acquisition.
chkrootkit : Look for rootkits.
rkhunter : Rootkit hunter.
ChaosReader : Trace tcpdump files and extract data.
lshw : Hardware Lister.
logsh : Log your terminal session (Borrowed from FIRE).
ClamAV : ClamAV Anti Virus Scanner.
F-Prot : F-Prot Anti Virus Scanner.
2 Hash : MD5 & SHA1 parallel hashing.
glimpse : Indexing and query system.
Outguess : Stego detection suite.
Stegdetect : Stego detection suite.
Regviewer : Windows Registry viewer.
Chntpw : Change Windows passwords.
Grepmail : Grep through mailboxes.
logfinder : EFF logfinder utility.
linen : EnCase Image Acquisition Tool.
Retriever : Find pics/movies/docs/web-mail.
Scalpel : Carve files based on header and footer.

I don't see the word COFEE in there...

Did a search on their forums... nothing...

What're you talking about? *slap*

Also autorun.inf? Wouldn't you boot from the USB, not AUTO-RUN? What would auto-run do against any kind of security, unless Microsoft checks for a USB with this autorun during a pre-login process of some sort? However, that would be easy to stop, would it not?


Here's a quote and link for an O'Reilly book called SQL Server Forensic Analysis by Kevvie Fowler expected to be published Dec. 2008.

Helix distribution, a bootable and run-time live environment, includes WFT, COFEE, FRED, IRCR toolkits as well as other forensics and incident response related tools that allows you to select one or more of these toolkits for use in a given forensic scenario.

The original article that I read on Digg explained the acronym, COFEE, and from there I went searching. The first real lead I got was the link above. It seems it might have been a red herring.

And I just now loaded up Helix on my Windows machine and I see WFT, FRU, IRCR2 and Nigilant32 but no COFEE. So now I'm wondering why a prospective book would have that reference. Unless a new version of Helix will contain COFEE? Hmm, the results from the Windows Forensic Tool (WFT) seem rather revealing. It shows browsing history and protected storage amongst many other bits of info.

Here's a quote and link for an O'Reilly book called SQL Server Forensic Analysis by Kevvie Fowler expected to be published Dec. 2008.

Helix distribution, a bootable and run-time live environment, includes WFT, COFEE, FRED, IRCR toolkits as well as other forensics and incident response related tools that allows you to select one or more of these toolkits for use in a given forensic scenario.

The original article that I read on Digg explained the acronym, COFEE, and from there I went searching. The first real lead I got was the link above. It seems it might have been a red herring.

And I just now loaded up Helix on my Windows machine and I see WFT, FRU, IRCR2 and Nigilant32 but no COFEE. So now I'm wondering why a prospective book would have that reference. Unless a new version of Helix will contain COFEE? Hmm, the results from the Windows Forensic Tool (WFT) seem rather revealing. It shows browsing history and protected storage amongst many other bits of info.

I'm still waiting for the proof that Microsoft is endorsing this to use on their OS via Law Enforcement.

I'd laugh if it turns out it does use wireshark and other open source stuff, and doesn't put the GPL on the device, thus violating the GPL. ^_^

Not that that keeps them from doing it, C1sc0 1PS Sens0r D3vic3s, for example, are really just Red Hat 7.3 (kernel 2.4x no ASLR) running a parser over a known-to-be-vulnerable version of tcpdump with a 32 bit celeron. Not only that, but tcpdump and RH are both binaries only, and are not distributed with the source code. This is a clear violation? (vendor and product "1337ed out" to avoid "googled")

I'm still waiting for the proof that Microsoft is endorsing this to use on their OS via Law Enforcement.

From the article:

More than 2,000 officers in 15 countries, including Poland, the Philippines, Germany, New Zealand and the United States, are using the device, which Microsoft provides free.

It wouldn't surprise me if there was a proprietary "windows backdoor". I know of a few larger vendors that build their own backdoors into systems for law enforcement/governmental purposes, or at least governments/LEAs have their own private 0day for products of these "larger vendors".

Boy it would be really amusing if these USB dongles got shipped with a virus installed ;-).

I'm not sure that it would actually have to have something replicated to the machine, since it can automatically gain access as it is, it wouldn't have to?

Also autorun.inf? Wouldn't you boot from the USB, not AUTO-RUN? What would auto-run do against any kind of security, unless Microsoft checks for a USB with this autorun during a pre-login process of some sort? However, that would be easy to stop, would it not?

There may be something inside the device for data mining or tracking purposes that executes during exploitation, and/or it may actually double as a thumb drive and have a "custom driver" for the rest of its "toolkit"? I'm sure it has a boot sector as well, but this may be a possibility. There's also a possibility that M$ has some hardware-level function embedded in the OS to recognize these devices. We're not really going to know; for now I agree with mungewell:

If it's an automated break-through of their security, I would suggest the only workaround is not to use their OS. Who knows what back-doors there are in Windows.... There are plenty of others to choose from, many offer far better value for money.

edit: formatting

Edited by RETN

This is such a tremendous shock to me. Microsoft supporting an oppressive, overarching, constantly voyeuristic society? No way.

It can decrypt passwords and analyze a computer's Internet activity, as well as data stored in the computer.

Probably a thumb drive with Cain & Abel, Wireshark, and some file manager on it.

I'd be interested in what Microsoft would have put on it though......and if there is a way to bypass even this tool

They plug it into a live machine? That's not smart and could easily be detected. Turn autorun off and write a small program that looks for thumb drives like these. If it sees them, start deleting things. Or detonate that M-80 you rigged to your hard drive (don't actually do that, sounds like a bad idea). Hell, to mess with the "investigators", erase the thumb drive too. Forensics on a live machine is a no-no.

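Several posts above hinge on the autorun.inf mechanism (the drive launches its toolkit because Explorer honours an [autorun] section) and on "turn autorun off" as the counter-measure. As an added illustration that is not code from the thread or from Microsoft, the Python below parses a constructed autorun.inf, lists what an enabled AutoRun would launch, and checks whether a given NoDriveTypeAutoRun policy mask (bit 0x04 covers removable drives) would block it; the sample file and the mask values are constructed.

```python
import configparser

# Bit 0x04 of the Explorer policy value NoDriveTypeAutoRun (...\Policies\Explorer under
# HKLM or HKCU) disables AutoRun for DRIVE_REMOVABLE media such as USB sticks; 0xFF
# disables every drive type. The mask values passed below are constructed examples.
NO_AUTORUN_REMOVABLE = 0x04
NO_AUTORUN_ALL = 0xFF

# Constructed sample autorun.inf, not taken from any real device.
SAMPLE_INF = """
[AutoRun]
open=tools\\launcher.exe /quiet
icon=tools\\launcher.exe,0
label=Field Kit
action=Open toolkit
"""


def parse_autorun_inf(text):
    """Return the [autorun] section as a dict (keys lower-cased), or {} if absent/unparseable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:  # e.g. keys before any section header
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":  # section name is case-insensitive on Windows
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def launch_targets(entries):
    """Commands an enabled AutoRun/AutoPlay would execute: the open= and shellexecute= entries."""
    return [entries[key] for key in ("open", "shellexecute") if key in entries]


def removable_autorun_blocked(policy_mask):
    """True when the NoDriveTypeAutoRun mask disables AutoRun on removable drives."""
    return bool(policy_mask & NO_AUTORUN_REMOVABLE)


def assess(inf_text, policy_mask):
    """Triage verdict for a removable device: what it would launch and whether policy stops it."""
    targets = launch_targets(parse_autorun_inf(inf_text))
    blocked = removable_autorun_blocked(policy_mask)
    return {"targets": targets, "blocked_by_policy": blocked,
            "would_run": bool(targets) and not blocked}


if __name__ == "__main__":
    print(assess(SAMPLE_INF, 0x91))            # mask that leaves removable drives enabled
    print(assess(SAMPLE_INF, NO_AUTORUN_ALL))  # everything disabled
```

Later Windows versions and updates stopped honouring autorun.inf on USB mass-storage devices altogether, so the check reflects the XP-era behaviour the thread is discussing.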
They plug it into a live machine? That's not smart and could easily be detected. Turn autorun off and write a small program that looks for thumb drives like these. If it sees them, start deleting things. Or detonate that M-80 you rigged to your hard drive (don't actually do that, sounds like a bad idea). Hell, to mess with the "investigators", erase the thumb drive too. Forensics on a live machine is a no-no.

It would be incredibly dumb to not do a live scan and copy of a computer. One, if you shut it down you lose all data you can obtain from RAM and any live connections going at the time. Also, if the hard drive is encrypted, you'll never be able to get access to that hard drive again if you shut it down, and I very much doubt you'll get the password from your suspect.

It would be incredibly dumb to not do a live scan and copy of a computer. One, if you shut it down you lose all data you can obtain from RAM and any live connections going at the time. Also, if the hard drive is encrypted, you'll never be able to get access to that hard drive again if you shut it down, and I very much doubt you'll get the password from your suspect.


Yup, why go through that process? The computer either has to be on, in sleep mode or just recently turned off to work. If the computer is already on and you're past the encryption passkey and login screen, then all you have to do is copy the hard drive and then run the other forensic processes, and not have to worry about data encryption of the hard drive. So why do that and risk losing what you need when you are already past what that video is trying to accomplish? When doing forensics on a computer you need to get all the information you need from the computer you're working on without altering it or damaging it. This is why forensics are done on live machines. Yes, forensics can be done on systems that have been shut down, but you gain more information during an investigation from a live system than you could from one that's been shut down. So yes, it is stupid to not run forensics on a live system.
