{"id":87614650,"date":"2009-11-17T23:31:59","date_gmt":"2009-11-18T07:31:59","guid":{"rendered":"http:\/\/www.geckotemple.com\/blog\/?p=87614650"},"modified":"2009-11-17T23:35:41","modified_gmt":"2009-11-18T07:35:41","slug":"cofee-really-thats-it","status":"publish","type":"post","link":"http:\/\/www.geckotemple.com\/blog\/?p=87614650","title":{"rendered":"COFEE – Really? That’s it?"},"content":{"rendered":"

Latest Movember<\/a> photos are on the Mo’09 photos (there’s a link to the page at the top of this page.)<\/p>\n

So, a while ago (really? April of last year?) I wrote about Microsoft’s new toolkit<\/a> for police to quickly gather everything they’d need from a Windows-based workstation, called COFEE.\u00a0 I had a bunch of questions about COFEE at the time, and now that I know a little more about it, I’m going to go back and answer my own questions and see if there’s any clarification on some of the\u00a0 (I hope).<\/p>\n

(15 minutes go by while I read the documentation).<\/p>\n

Are you serious<\/em>?\u00a0 Is this the right thing?<\/p>\n

There’s like, it’s practically, I mean, c’mon.<\/p>\n

It’s a nice big batch file that collects a bunch of information, fair enough, but it doesn’t actually DO very much.\u00a0 No passwords are grabbed.\u00a0 No filelist generated (at least, not that they documented), and it looks like all you’d need to do to make it pretty-much useless is disable your USB ports’ and\/or mass storage device drivers<\/a>.\u00a0 The documentation for end-users tells us how to do such things as run the scanner with OR without the autorun enabled on the system.<\/p>\n

(Heh, wait. What?)<\/p>\n

I thought this was going to be a bootable thing – was I wrong?\u00a0 I thought there was going to be this killer tool that meant you could walk up to a machine that’s OFF, boot from the stick instead of the onboard drive, collect the data from the operating system, and walk away, and as far as Windows knows, the machine wasn’t even powered on.<\/p>\n

I’m, I guess, in a way, sorta saddened.\u00a0 Don’t get me wrong – I don’t expect the average cop out there to be able to do a thorough job of collecting all the necessary data by hand, but I was sorta hoping that maybe they’d have something that would at least be on-par with Backtrack<\/a>, which any person with a highspeed connection and a thumb drive (or a blank CD) could create, and it’ll let you do all SORTS of alarming things to a machine without actually “touching” the operating system (unless you want to, in which case you can pretty much set the thing on “Liquefy” and watch all of Microsoft’s security go away).<\/p>\n

(That <\/em>was a long sentence, woof).<\/p>\n

I guess what makes me sad is that COFEE isn’t going to collect any data that isn’t obviously available on the system in the first place.\u00a0 Seriously: is it common for prosecutors to bring forth evidence based on which local groups on the machine someone is a member of?<\/p>\n

“He must have done it – he’s in the SuperElite Hacker Pwnz0rz group, see?”<\/p>\n

I know the “no touchies” forensic methods for data gathering (like ENCASE<\/a>, which I’ve used in a previous job) are a different class than what COFEE is meant to do, but it looks like it’s only meant to be useful for kicking the door in, pushing the alleged bad guy outta the chair in front of the computer, and then running the launcher to collect your data.<\/p>\n

I can literally hear the hardware hackers out there trying to figure out how to set up something that’ll either automatically cram the drive with data that’s bogus, or simply melt it into a little plastic Hershey’s Kiss, or hey, maybe a virus that’ll wreak havoc back at the station.<\/p>\n

Not that I want that to happen.\u00a0 As much as my brain enjoys trying to figure out how to defeat whatever security system I come across, I want the cops to be able to figure out what’s real and what’s not about a given machine.\u00a0 I want them to be able to nail the bad guys when the chips are down.\u00a0 I want them to have the tools, I really do.<\/p>\n

COFEE isn’t the tool they need (yet).\u00a0 It’s better than taking the machine to the guys at the nearest Best Buy and asking “has this machine been used illegally?” but not much better.<\/p>\n

And if any of you have ever had your USB stick’s data go “poof” when being moved from computer A to computer B, you’ll know why I don’t trust that the data will even make <\/em>it back to the office (or even the cruiser’s laptop).<\/p>\n

I just hope what I have is a red herring, and not the real deal.<\/p>\n

Oh, and this time last year*? I was yammering about other stuff<\/a>, but still lovin’ a good run-on sentence…<\/p>\n

And now, because most people won’t bother going to my Movember page, here’s a picture of me rubber-facing because my normal face never looks good to me.<\/p>\n

Neither does this, but it makes me giggle.<\/p>\n

\"Helps<\/a>

Helps if you imagine me going "Borkely-orkely-yobbley-bawk!"<\/p><\/div>\n

* I’m tellin’ you? With the uptalking?<\/h6>\n
http:\/\/www.forensicswiki.org\/wiki\/Encase_image_file_format<\/div>\n","protected":false},"excerpt":{"rendered":"

Latest Movember photos are on the Mo’09 photos (there’s a link to the page at the top of this page.) So, a while ago (really? April of last year?) I wrote about Microsoft’s new toolkit for police to quickly gather everything they’d need from a Windows-based workstation, called COFEE.\u00a0 I had a bunch of questions […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,24,7],"tags":[],"class_list":["post-87614650","post","type-post","status-publish","format-standard","hentry","category-general","category-grumpy-old-man","category-software"],"_links":{"self":[{"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/87614650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=87614650"}],"version-history":[{"count":3,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/87614650\/revisions"}],"predecessor-version":[{"id":87614652,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/87614650\/revisions\/87614652"}],"wp:attachment":[{"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=87614650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=87614650"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.geckotemple.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=87614650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}