Computer Online Forensic Evidence Extractor

Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team. [1] Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. [2] The device is used by more than 2,000 officers in at least 15 countries. [3]

A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest. [1]

In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with Interpol develops programs for training forensic experts in using COFEE. [4] The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE. [5]

Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites. [6] Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators. [7] Microsoft confirmed the leak; however, a spokesperson for the firm said "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern". [8]

Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data. [1] The software is reported to be made up of three sections. First, COFEE is configured in advance, with an investigator selecting the data they wish to export; this configuration is then saved to a USB device for plugging into the target computer. A further interface generates reports from the collected data. [7] Estimates cited by Microsoft state that jobs which previously took 3–4 hours can be done with COFEE in as little as 20 minutes. [1] [9]

COFEE includes tools for password decryption, Internet history recovery and other data extraction. [2] It also recovers data stored in volatile memory which could be lost if the computer were shut down. [10]
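The configure-collect-report workflow described above, as an added example that is not COFEE's own code: a pre-selected profile of commands (ordered most-volatile first, since the text notes that memory-resident data is lost on shutdown) is run on the target, every output is written out and hashed into a manifest, and the manifest is later re-verified before a report is built. The profile entries, file names and directory layout are assumptions.

```python
"""Minimal live-response collector modelled on the three-part workflow:
(1) an investigator pre-selects what to collect, (2) the profile runs on
the target and records every output with a hash, (3) a report is built from
the collected artefacts. Example code, not COFEE's; names are assumptions."""
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Constructed sample profile for a Windows target, most volatile data first.
# A real kit would point at its own bundled utilities rather than these.
DEFAULT_PROFILE = [
    {"name": "processes", "cmd": ["tasklist", "/v"]},
    {"name": "connections", "cmd": ["netstat", "-ano"]},
    {"name": "sessions", "cmd": ["query", "user"]},
    {"name": "network_config", "cmd": ["ipconfig", "/all"]},
]

def run_profile(profile, outdir, timeout=60):
    """Run each step, store its raw output and return the manifest (also saved)."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for step in profile:
        started = time.time()
        try:
            proc = subprocess.run(step["cmd"], capture_output=True, timeout=timeout)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:   # tool missing or hung
            data, rc = repr(exc).encode(), None                # record the failure, keep going
        (outdir / f"{step['name']}.txt").write_bytes(data)
        manifest.append({"name": step["name"], "cmd": step["cmd"], "returncode": rc,
                         "started": started, "bytes": len(data),
                         "sha256": hashlib.sha256(data).hexdigest()})
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(outdir):
    """Re-hash every artefact; returns the names whose content no longer matches."""
    outdir = Path(outdir)
    manifest = json.loads((outdir / "manifest.json").read_text())
    return [m["name"] for m in manifest
            if hashlib.sha256((outdir / f"{m['name']}.txt").read_bytes()).hexdigest()
            != m["sha256"]]

def build_report(outdir):
    """Plain-text summary an examiner can attach to the case file."""
    manifest = json.loads((Path(outdir) / "manifest.json").read_text())
    lines = [f"{m['name']}: rc={m['returncode']} bytes={m['bytes']} sha256={m['sha256']}"
             for m in manifest]
    return "\n".join(lines)

if __name__ == "__main__":
    run_profile(DEFAULT_PROFILE, "collection")
    print(build_report("collection"))
```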

DECAF

In mid to late 2009 a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool would reportedly protect computers against COFEE and render the tool ineffective. [11] Its creators claimed it would provide real-time monitoring for COFEE signatures on USB devices and in running applications, and that when a COFEE signature was detected, DECAF would perform a number of user-defined actions. These included clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses. [12] On December 18, 2009, the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools". [13] [14] [15] [16]

References

  1. "Brad Smith: Law Enforcement Technology Conference 2008". Microsoft Corporation. 2008-04-28. Archived from the original on 2012-02-23. Retrieved 2008-05-19.
  2. Romano, Benjamin J. (2008-04-29). "Microsoft device helps police pluck evidence from cyberscene of crime". The Seattle Times. Retrieved 2008-05-19.
  3. "Microsoft Calls on global public-private partnerships to Help in the Fight Against Cybercrime (Q&A with Tim Cranton, Associate General Counsel for Microsoft)". Microsoft Corporation. 2008-04-28. Retrieved 2008-05-19.
  4. "INTERPOL initiative with Microsoft aims to raise global standards against cybercrime through strategic partnership with IT sector". INTERPOL. Archived from the original on 2009-07-15. Retrieved 2009-07-16.
  5. [dead link]
  6. "Microsoft COFEE law enforcement tool leaks all over the Internet". TechCrunch. Retrieved 2009-11-07.
  7. "More COFEE Please, on Second Thought". Retrieved 2009-11-09.
  8. Pullin, Alexandra. "Microsoft's not bothered about COFEE leak". The Inquirer. Archived from the original on 2009-11-14. Retrieved 2010-08-24.
  9. Valich, Theo (2008-05-07). "Microsoft's new product goes against crime: Meet (Hot) COFEE". Tigervision Media. Archived from the original on 2008-05-17. Retrieved 2008-05-19.
  10. Mills, Elinor (2008-04-29). "Microsoft hosts its own police academy". CNet News.com. Retrieved 2008-05-19.
  11. Bartolacci, Michael (2012). Advancements and Innovations in Wireless Communications and Network Technologies. IGI Global. p. 226. ISBN 978-1466621541. Retrieved 2015-06-26.
  12. Goodin, Dan (2009-12-14). "Hackers declare war on international forensics tool". The Register. Retrieved 2009-12-15.
  13. Eaton, Nick. "Anti-COFEE tool DECAF revealed as stunt". Seattle PI. Retrieved 2015-06-26.
  14. "DECAF Was Just a Stunt, Now Over". Slashdot. 2009-12-18. Retrieved 2015-06-26.
  15. "Anti-forensische tool DECAF geen hoax". Security.nl. Retrieved 2015-06-26.
  16. Zetter, Kim (2009-12-14). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Wired.com. Retrieved 2009-12-15.