Law enforcement forensic app 'leaked' onto internet

Has anyone seen this news?

I'll paste this article on it below (with link) :

Microsoft Cofee leaks onto the web

No use crying over it

By Alexandra Pullin

Monday, 9 November 2009, 14:18

MICROSOFT'S DIGITAL FORENSICS software has been spotted on a file-sharing site, available for all to download.

Computer Online Forensic Evidence Extractor (COFEE) is a forensics tool that fits on a USB drive for the police to use in PC forensics.

The software is free to police forces around the world and helps access details about crimes such as identity theft, online fraud, child pornography and illegal filesharing before criminals can wipe the information.

It's reportedly illegal for unauthorised people to download and use the software.

According to the Vole it takes the average bobby "with even minimal computer experience" less than ten minutes to master the program.

"This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer," said Microsoft.

The Vole and police are worried that cyber criminals could analyse COFEE and write code that would identify and intercept it, securely wiping incriminating data from their hard drives.

COFEE requires Windows XP but it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE that will be released next year for Windows Vista and Windows 7.

--------------------------

Microsoft's page on this app :

COFEE

There are in fact several sites featuring it for download, including a few torrents I found.

Anyone have an opinion on this?

Edit : I've seen this program on a certain torrent site which has 1 downloader's comment. The comment was a fake, claiming the torrent seems fake because it contains various zips with lots of rar files in it. I happen to know this particular download has none of this in it and was legit, therefore the downloading party is either stoned and was seeing things or more likely someone "concerned" who was trying to discourage people from downloading it (a.k.a. hoping to scare criminals away thinking it's a bad download).

Very interesting.

Edited by totallyAunti

I didn't hear about this. I actually took a forensics class and we used FTK which is the general purpose mainstream forensics tool out there. EnCase is also another big one. But I'm interested to see how well Cofee works with Windows systems vs. FTK or EnCase...I guess I'll find out...downloading it now...whoa already done. Hope it works!


I just edited that post above and added something to the bottom of it. Seems "forces" out there are trying to curtail it as best they can.

Yeah...no doubt...the official news is that M$ is "not worried at all." There are two torrents tracking it right now. I'm doing some hard differential equations problems right now for hw and when I get done I'll test them out and see what's up.

Edit: BTW...M$ gives it out for free to law enforcement all over the world, so I'm surprised it has taken this long to get out there. Another thing: the two torrents have different sizes, so one is probably bogus.

Edited by Phail_Saph

Jesu Christe, people, find some more reliable 0-day sources out there than torrent sites...

Ok...I'll take this one...so which zero day source did you get it from?

You're making me laugh, taking on this new person who seems to only be trying to give people a hard time. I can't wait to see where this ends....

;)

+1

Maybe Ohm's supermod spidey powers will tell him something is wrong and he'll go on a rant. </if you can't figure out that's a joke, that's your fault>

Ha!


Look, I am no programmer, so I would not know how to decompile and review the source code of the program, but someone should do that if people are going to install this onto their computer... I would not trust that it was not an intentional leak, and that there could be some very nasty surprises hidden in this thing, resulting in the law enforcement coming to get you.

Why did you bring up that idea? That's what we need - You spoiled the fun. Joking........ :P

Putting joking aside, you bring up a good point. I wonder how this 'leak' occurred and from whom? Wonder if that info is around any place to find, but the trouble with this notion is that if they were good at covering their tracks they could've made it 'appear' to be a leak in case people came looking. In that case, I'll keep in mind what you brought up.

I wish I could review source code, but I'm a noob and can do very little with it unfortunately.

Maybe someone good at code could volunteer to have a look at it and review it for everyone interested on binrev? Hoping.....


Most of what I saw from it was pretty lame. It just has a bunch of "custom" console applications from Windows/Sysinternals (whoami, uptime, whatever). I haven't run it as I'm too lazy to format/install it to a flash drive, but I'm guessing it probably just runs all of the apps and creates a log out of it. There's supposedly some more interesting stuff going on in the main exe, checking hashes or something, but I wouldn't know where to begin for disassembling it.

Sysinternals apps? Pretty lame is right - I have nearly all sysinternals anyway.

I'm surprised it has those in it. Hmm... if the exe isn't much better then all I can say is, "Sorry I bothered mentioning it."


Like half of the binaries aren't from Sysinternals. But most/all except the sha1 app are automatic, meaning you don't have to type in a command, just the name, and it grabs the info. The only one of any interest is probably sha1, maybe the one that checks if the user has remote shares.

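The two posts above describe the mechanism: COFEE is a launcher that runs a list of console tools (whoami, uptime, the Sysinternals binaries, a sha1 utility) without the officer typing any commands, writes their output into a log, and reportedly has the main exe check hashes. The following is an added example, written for this page and not code from COFEE or from any poster, of what such a live-response collector looks like when the hash check is done on each tool binary before it runs and the finished report is itself hashed. The manifest format, the function names and the sample commands are assumptions; the demo manifest uses the Python interpreter in place of whoami.exe and friends so it runs on any OS.

```python
"""Minimal live-response collector in the style this thread describes for COFEE.

Added example, not COFEE's own code. Manifest format, function names and the
sample commands are assumptions made for illustration.
"""
from __future__ import annotations

import hashlib
import subprocess
import sys
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Tool:
    name: str                    # label used in the report
    argv: list[str]              # command line in list form; no shell involved
    sha1: Optional[str] = None   # expected SHA-1 of argv[0]; None skips the check


def sha1_file(path: str) -> str:
    """SHA-1 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tool(tool: Tool) -> bool:
    """Only run a collector binary whose hash matches the manifest. The point is
    to trust the tools brought in on the drive, not whatever sits on the
    suspect machine's PATH; argv[0] must therefore be a full path."""
    if tool.sha1 is None:
        return True
    try:
        return sha1_file(tool.argv[0]).lower() == tool.sha1.lower()
    except OSError:
        return False


def run_tool(tool: Tool, timeout: float = 30.0) -> dict:
    """Run one tool and capture rc/stdout/stderr. One hung or missing tool
    must not abort the rest of the collection."""
    started = time.time()
    try:
        p = subprocess.run(tool.argv, capture_output=True, text=True, timeout=timeout)
        rc, out, err = p.returncode, p.stdout, p.stderr
    except (OSError, subprocess.TimeoutExpired) as e:
        rc, out, err = None, "", repr(e)
    return {"name": tool.name, "argv": list(tool.argv), "rc": rc,
            "stdout": out, "stderr": err, "seconds": round(time.time() - started, 3)}


def render(results: list[dict]) -> str:
    """Flatten the results into the plain-text report an examiner reads."""
    lines = [f"# live response report, host time {time.strftime('%Y-%m-%dT%H:%M:%S')}"]
    for r in results:
        lines.append(f"## {r['name']}: {' '.join(r['argv'])} rc={r['rc']} t={r['seconds']}s")
        lines.append(r["stdout"].rstrip())
        if r["stderr"].strip():
            lines.append("stderr: " + r["stderr"].strip())
    return "\n".join(lines) + "\n"


def collect(tools: list[Tool]) -> dict:
    """Run the manifest in order (most volatile data first) and hash the
    finished report so it can be re-checked later in the chain of custody."""
    results = []
    for t in tools:
        if verify_tool(t):
            results.append(run_tool(t))
        else:
            results.append({"name": t.name, "argv": list(t.argv), "rc": None, "stdout": "",
                            "stderr": "hash mismatch or unreadable binary, not executed",
                            "seconds": 0.0})
    report = render(results)
    return {"results": results, "report": report,
            "report_sha1": hashlib.sha1(report.encode()).hexdigest()}


def verify_report(report: str, expected_sha1: str) -> bool:
    """Later check that a report file still matches the hash taken on scene."""
    return hashlib.sha1(report.encode()).hexdigest() == expected_sha1.lower()


def demo_manifest() -> list[Tool]:
    """Constructed manifest. Real use would list whoami.exe, uptime.exe and so on
    from the USB drive; here the running interpreter stands in for them so the
    example runs on any OS. The third entry has a deliberately wrong hash."""
    py = sys.executable
    return [
        Tool("process-id", [py, "-c", "import os; print(os.getpid())"], sha1_file(py)),
        Tool("monotonic-clock", [py, "-c", "import time; print(int(time.monotonic()))"], sha1_file(py)),
        Tool("tampered", [py, "-c", "print('should not run')"], "0" * 40),
    ]


if __name__ == "__main__":
    out = collect(demo_manifest())
    print(out["report"])
    print("report sha1:", out["report_sha1"])
```

The hash check is the part worth copying: a collector that runs `whoami` by bare name will happily execute a trojaned `whoami.exe` the suspect left on the PATH, which is exactly the "identify and intercept it" scenario the article worries about. Hashing the report on scene gives the examiner something to compare against when the log is opened later.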
Ever heard of the geek squad MRI disk? It's like that in simplicity but for the cops to point and click an automated forensics report generator without the need to know a whole lot.

Geeksquad sucks.

If you want a nice bootdisk, make a barts p.e disk


Hey guys. I found a copy of COFEE and did some testing in a Windows 7 VM. So far what I have seen is that it installs to a USB thumbdrive and basically acts like the USB Hacksaw. It uses tools to do different things, but one big thing I noticed is that it can crack encryption. I'm going to try it out on TrueCrypt to see if it cracks that encryption, but for now that's what I have found. Also it mainly works on Win2k, WinXP, Win2k03, so it works from Windows 2000 to Windows Vista. A new version will come out for Windows 7 and I have not seen any support for Mac or Linux. If you want your own copy download it here: PirateBay COFEE Torrent. Eventually I want to take it all apart to see how it works; anyone who has done this please post what you have found, as I'm interested to see what you have found.

Edited by Warfusion

Thanks for the post. Wikileaks has it. Search "cofee".

The slow (US) link works. The SSL link gives a corrupted zip file.


Hey guys. I found a copy of COFEE and did some testing in a Windows 7 VM. So far what I have seen is that it installs to a USB thumbdrive and basically acts like the USB Hacksaw. It uses tools to do different things, but one big thing I noticed is that it can crack encryption. I'm going to try it out on TrueCrypt to see if it cracks that encryption, but for now that's what I have found. Also it mainly works on Win2k, WinXP, Win2k03, so it works from Windows 2000 to Windows Vista. A new version will come out for Windows 7 and I have not seen any support for Mac or Linux. If you want your own copy download it here: PirateBay COFEE Torrent. Eventually I want to take it all apart to see how it works; anyone who has done this please post what you have found, as I'm interested to see what you have found.

Good idea trying it in a VM. I would like to test it out myself, but I don't trust anything that has been supposedly "leaked". As time goes by and there is an increasing amount of verification, I might give it a try.

Geeksquad sucks.

If you want a nice bootdisk, make a barts p.e disk

Amen. BartPE is very useful and highly customizable.

Edited by snakesonaplane

How is this different from any other publicly available forensic suite out there?

First of all you could just wipe shit you don't want the cops to find. Secondly, if you use any kind of decent encryption, there's no way that little program is going to crack it this decade.

I'm sure this isn't meant to work on "leet haxor" computer systems, but more for on-the-go inspection of your basic criminal. If the crime was indeed related to something in which the person(s) have done something on a computer system, more than likely they will just take the computer and use EnCase to inspect it. Granted, using TrueCrypt can halt the inspection, or wiping the entire disk a few times. This tool, I __assume__, is strictly for cases where a computer comes in contact with their case lightly (i.e. harassment online etc.).

EDIT: For those of you who don't have a reliable torrent or download link, google the words "illmob + cofee"

EDIT 2: This tool sucks btw, just a bunch of basic cmds rolled into an auto script. Def. not a good leak; must have taken Microsoft a day at best to make it.

Edited by Trikk
The software is free to police forces around the world and helps access details about crimes such as identity theft, online fraud, child pornography and illegal filesharing before criminals can wipe the information.

COFEE requires Windows XP but it does have some Windows Vista support. According to company insiders, Microsoft is developing a new version of COFEE that will be released next year for Windows Vista and Windows 7.

--------------------------

So if I have Windows 7, I am safe to do all of these illegal activities?

Edited by dschu012

Ok so I have this program.. I came across it a few weeks ago. I have yet to run it on another computer, but I have installed it and played with the GUI.

This program just runs a bunch of predefined batch programs. It runs through the targeted PC and collects data that can be put into a report and further analyzed. It's mainly for agents with no skills to be able to go in the field and collect sensitive data before the computer can be shut down.

I think this program can be useful at some point.

I have a copy that i can upload to a file server if you want it.

On another note... if you feel that you need to destroy data and are afraid that you are under attack lol....

I suggest you use a DBAN boot disk to completely remove your data. This is also a great piece of software that I have used and works like a champ.


I had it for a while and got rid of it. The version that was leaked was not the full version. Most of the useful functions were not included.


I'll have to check it out when I get home. I'm on a mac right now, soooo.... yeah.
