So, a while ago (really? April of last year?) I wrote about Microsoft’s new toolkit for police to quickly gather everything they’d need from a Windows-based workstation, called COFEE.  I had a bunch of questions about COFEE at the time, and now that I know a little more about it, I’m going to go back and answer my own questions and see if there’s any clarification on some of the  (I hope).

(15 minutes go by while I read the documentation).

Are you serious?  Is this the right thing?

There’s like, it’s practically, I mean, c’mon.

It’s a nice big batch file that collects a bunch of information, fair enough, but it doesn’t actually DO very much.  No passwords are grabbed.  No file list is generated (at least, not that they documented), and it looks like all you’d need to do to make it pretty much useless is disable your USB ports and/or mass storage device drivers.  The documentation for end-users tells us how to do such things as run the scanner with OR without autorun enabled on the system.

(Heh, wait. What?)

I thought this was going to be a bootable thing – was I wrong?  I thought there was going to be this killer tool that meant you could walk up to a machine that’s OFF, boot from the stick instead of the onboard drive, collect the data from the operating system, and walk away, and as far as Windows knows, the machine wasn’t even powered on.

I’m, I guess, in a way, sorta saddened.  Don’t get me wrong – I don’t expect the average cop out there to be able to do a thorough job of collecting all the necessary data by hand, but I was sorta hoping that maybe they’d have something that would at least be on par with Backtrack, which any person with a high-speed connection and a thumb drive (or a blank CD) could create, and it’ll let you do all SORTS of alarming things to a machine without actually “touching” the operating system (unless you want to, in which case you can pretty much set the thing on “Liquefy” and watch all of Microsoft’s security go away).

(That was a long sentence, woof).

I guess what makes me sad is that COFEE isn’t going to collect any data that isn’t obviously available on the system in the first place.  Seriously: is it common for prosecutors to bring forth evidence based on which local groups on the machine someone is a member of?

“He must have done it – he’s in the SuperElite Hacker Pwnz0rz group, see?”

I know the “no touchies” forensic methods for data gathering (like EnCase, which I’ve used in a previous job) are a different class than what COFEE is meant to do, but it looks like it’s only meant to be useful for kicking the door in, pushing the alleged bad guy outta the chair in front of the computer, and then running the launcher to collect your data.

I can literally hear the hardware hackers out there trying to figure out how to set up something that’ll either automatically cram the drive with data that’s bogus, or simply melt it into a little plastic Hershey’s Kiss, or hey, maybe a virus that’ll wreak havoc back at the station.

Not that I want that to happen.  As much as my brain enjoys trying to figure out how to defeat whatever security system I come across, I want the cops to be able to figure out what’s real and what’s not about a given machine.  I want them to be able to nail the bad guys when the chips are down.  I want them to have the tools, I really do.

COFEE isn’t the tool they need (yet).  It’s better than taking the machine to the guys at the nearest Best Buy and asking “has this machine been used illegally?” but not much better.

And if any of you have ever had your USB stick’s data go “poof” when being moved from computer A to computer B, you’ll know why I don’t trust that the data will even make it back to the office (or even the cruiser’s laptop).
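That “did the data survive the trip” worry is exactly what a hash manifest is for.  Here’s an added example (mine, not anything from COFEE or Microsoft) that hashes every file a live-response run dropped into a folder, writes a JSON manifest next to it, and then checks the folder again at the other end; the two sample artifact files are constructed stand-ins for whatever the collection batch actually writes.

```python
import hashlib
import json
import os
import tempfile

def sha256_of(path):
    """Stream a file through SHA-256 so large artifacts don't need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(collection_dir):
    """Record hash and size for every artifact the collection wrote into collection_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(collection_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, collection_dir)
            manifest[rel] = {"sha256": sha256_of(path), "bytes": os.path.getsize(path)}
    return manifest

def verify_manifest(collection_dir, manifest):
    """Return a sorted list of (artifact, problem) for anything missing or altered."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(collection_dir, rel)
        if not os.path.exists(path):
            problems.append((rel, "missing"))
        elif sha256_of(path) != expected["sha256"]:
            problems.append((rel, "hash mismatch"))
    return sorted(problems)

def demo():
    """Constructed sample run: seal a collection, then simulate a bad trip back to the office."""
    d = tempfile.mkdtemp()
    artifacts = {"localgroups.txt": b"Administrators\nUsers\n",
                 "netstat.txt": b"TCP 0.0.0.0:445 LISTENING\n"}
    for name, body in artifacts.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    manifest_path = os.path.join(tempfile.mkdtemp(), "manifest.json")  # kept outside the folder
    with open(manifest_path, "w") as f:
        json.dump(build_manifest(d), f, indent=2)
    with open(manifest_path) as f:
        manifest = json.load(f)
    clean = verify_manifest(d, manifest)           # nothing wrong yet
    with open(os.path.join(d, "netstat.txt"), "ab") as f:
        f.write(b"garbage")                        # bit rot / truncation on the stick
    os.remove(os.path.join(d, "localgroups.txt"))  # file went "poof"
    return clean, verify_manifest(d, manifest)
```

Keep the manifest (or at least its own hash) on a different medium than the stick, otherwise a dead stick takes the proof of integrity down with the evidence.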

I just hope what I have is a red herring, and not the real deal.

Oh, and this time last year*? I was yammering about other stuff, but still lovin’ a good run-on sentence…

