Computer Online Forensic Evidence Extractor

Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team.[1] Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft.[2] The device is used by more than 2,000 officers in at least 15 countries.[3]

A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.[1]

In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with Interpol develops programs for training forensic experts in using COFEE.[4] The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.[5]

Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites.[6] Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators.[7] Microsoft confirmed the leak; however, a spokesperson for the firm said, "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern".[8]

Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data.[1] The software is reported to be made up of three sections. First, COFEE is configured in advance, with an investigator selecting the data they wish to export; this is then saved to a USB device for plugging into the target computer. A further interface generates reports from the collected data.[7] Estimates cited by Microsoft state that jobs that previously took 3–4 hours can be done with COFEE in as little as 20 minutes.[1][9]

COFEE includes tools for password decryption, Internet history recovery and other data extraction.[2] It also recovers data stored in volatile memory which could be lost if the computer were shut down.[10]

DECAF

In mid to late 2009, a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool would reportedly protect computers against COFEE and render the tool ineffective.[11] It was alleged that DECAF would provide real-time monitoring for COFEE signatures on USB devices and in running applications, and that when a COFEE signature was detected, it would perform numerous user-defined processes. These included COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses.[12] On December 18, 2009, the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools".[13][14][15][16]

See also

References

  1. "Brad Smith: Law Enforcement Technology Conference 2008". Microsoft Corporation. 2008-04-28. Archived from the original on 2012-02-23. Retrieved 2008-05-19.
  2. Romano, Benjamin J. (2008-04-29). "Microsoft device helps police pluck evidence from cyberscene of crime". The Seattle Times. Retrieved 2008-05-19.
  3. "Microsoft Calls on global public-private partnerships to Help in the Fight Against Cybercrime (Q&A with Tim Cranton, Associate General Counsel for Microsoft)". Microsoft Corporation. 2008-04-28. Retrieved 2008-05-19.
  4. "INTERPOL initiative with Microsoft aims to raise global standards against cybercrime through strategic partnership with IT sector". INTERPOL. Archived from the original on 2009-07-15. Retrieved 2009-07-16.
  5. "Archived copy". Archived from the original on 2012-06-21. Retrieved 2009-10-27.
  6. "Microsoft COFEE law enforcement tool leaks all over the Internet". TechCrunch. Archived from the original on 2012-08-26. Retrieved 2009-11-07.
  7. "More COFEE Please, on Second Thought". Retrieved 2009-11-09.
  8. Pullin, Alexandra. "Microsoft's not bothered about COFEE leak". The Inquirer. Archived from the original on November 14, 2009. Retrieved 24 August 2010.
  9. Valich, Theo (2008-05-07). "Microsoft's new product goes against crime: Meet Hot COFEE". Tigervision Media. Archived from the original on 2008-05-17. Retrieved 2008-05-19.
  10. Mills, Elinor (2008-04-29). "Microsoft hosts its own police academy". CNet News.com. Archived from the original on 2012-05-15. Retrieved 2008-05-19.
  11. Michael, Bartolacci (2012). Advancements and Innovations in Wireless Communications and Network Technologies. IGI Global. p. 226. ISBN 978-1466621541. Retrieved 26 June 2015.
  12. Goodin, Dan (14 December 2009). "Hackers declare war on international forensics tool". The Register. Retrieved 15 December 2009.
  13. Eaton, Nick. "Anti-COFEE tool DECAF revealed as stunt". Seattle PI. Retrieved 26 June 2015.
  14. "DECAF Was Just a Stunt, Now Over". Slashdot. 18 December 2009. Retrieved 26 June 2015.
  15. "Anti-forensische tool DECAF geen hoax". Security.nl. Retrieved 26 June 2015.
  16. Zetter, Kim (14 December 2009). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Wired.com. Retrieved 15 December 2009.

External links
