More COFEE Please, on Second Thought…

Monday, November 09, 2009

Daniel Kennedy

The forensics tool created by Microsoft for law enforcement officials, called COFEE (Computer Online Forensic Evidence Extractor), was leaked on torrents last week, and this has caused quite a bit of excitement. Let’s see if the big deal is warranted.

The software is made up of three components or phases:

The tool generation phase is meant for the more tech-savvy forensics examiner, who sets up a profile that is exported to a USB disk. This is a simple decision-making process of which tools and parameters should be set up to run from the USB drive.

The data acquisition phase is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data, such as running processes, and saves the output from each command.

The report generation phase is once again meant for the tech-savvy. It uses the same GUI console as the tool generation phase, but this time to view the reports generated from the output of the tools run from the USB disk.

I’ve been reading some of the news articles, blogs, and related comments on the leak and on how hackers now have more ammunition: by seeing how COFEE works, they can improve malicious code to avoid it or misrepresent data. However, COFEE is not very special. Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there. For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: they provide a forensics framework that allows you to configure a list of commands used to collect volatile data and save the output, either in some reporting format or in a format that can be uploaded to a database for analysis.

Microsoft provides a GUI for tool selection (see figure), whereas most toolkits use a config file or batch file to modify tool selection and parameters. It appears even the configuration of the USB disk comes with an easy-to-use interface. In addition to the preconfigured tools, you can add tools from your own collection.

One feature of COFEE I found useful is the random generation of the tool name. While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further by renaming the tools to randomly generated names, leaving no doubt that the intended version of the tool is running.

The output format is XML, and when loaded into the GUI it gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view into the output data by framing it in HTML.

In more of the same for forensics toolkits, COFEE keeps hashes of the tools in a checksum file and also has separate directories for OS-specific tools (\winxp, \win2k03, etc.). According to the documentation, it is not supported on Vista and Windows 7, but apparently a new version is planned for those operating systems.
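As an added example (not COFEE's code and not from the original post), this Python sketch mirrors the three phases described earlier together with the two integrity features just mentioned: the profile records each tool's hash, the acquisition phase stages every tool under a randomly generated name and refuses to run one whose hash no longer matches the profile, and the report phase emits XML. The "tools" are constructed Python scripts so the whole thing runs offline; real profiles would list the collection binaries themselves.

```python
# Illustrative COFEE-style collector (constructed example, not Microsoft's code):
# a profile of tools with hashes, staged execution under random names, XML output.
import hashlib, secrets, shutil, string, subprocess, sys, tempfile, xml.etree.ElementTree as ET
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def build_profile(tool_dir, tools):
    """Phase 1: record each tool's hash next to the arguments it will run with."""
    return [{"name": n, "args": a, "sha256": sha256_file(Path(tool_dir, n))}
            for n, a in tools]

def stage_tool(src, stage_dir):
    """Copy a tool into the staging dir under a randomly generated name."""
    rand = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
    dst = Path(stage_dir, rand + Path(src).suffix)
    shutil.copyfile(src, dst)
    return dst

def acquire(profile, tool_dir, stage_dir):
    """Phase 2: stage, verify against the profile hash, run, keep stdout."""
    results = []
    for e in profile:
        staged = stage_tool(Path(tool_dir, e["name"]), stage_dir)
        if sha256_file(staged) != e["sha256"]:  # tampered or wrong version: do not run
            results.append({**e, "status": "hash-mismatch", "output": ""})
            continue
        p = subprocess.run([sys.executable, str(staged), *e["args"]],
                           capture_output=True, text=True, timeout=30)
        results.append({**e, "status": "ok" if p.returncode == 0 else "error",
                        "output": p.stdout})
    return results

def report(results):
    """Phase 3: serialise the saved output as XML for the examiner's console."""
    root = ET.Element("report")
    for r in results:
        el = ET.SubElement(root, "tool", name=r["name"], sha256=r["sha256"], status=r["status"])
        el.text = r["output"]
    return ET.tostring(root, encoding="unicode")

def demo():
    """Constructed run: two tiny Python 'tools', one overwritten after profiling."""
    tool_dir, stage_dir = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    Path(tool_dir, "proclist.py").write_text("import os; print('pid', os.getpid())")
    Path(tool_dir, "envdump.py").write_text("import os; print(len(os.environ))")
    profile = build_profile(tool_dir, [("proclist.py", []), ("envdump.py", [])])
    Path(tool_dir, "envdump.py").write_text("import os; print(0)  # changed after profiling")
    return acquire(profile, tool_dir, stage_dir)
```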


Conclusion

The conclusion is that the excitement is not warranted. There is nothing groundbreaking in COFEE that has not been seen in other toolkits. It may even fall short in some areas, as I did not see any method of taking memory dumps or capturing the prefetch directory. The excitement is rather because this piece of software has been difficult to obtain, even by law enforcement, and both forensics experts and the anti-forensics communities have been curious to see what Microsoft themselves had to provide in this space. Personally, I will pass on this cup of COFEE and continue using my own forensics framework along with the others I mentioned earlier.

Original source: More COFEE, Praetorian Prefect
