Microsoft’s Cofee!

Yes!, you read it right!

It’s Cofee [Computer Online Forensic Evidence Extractor], from Microsoft.

COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab–files that are stored in active memory would otherwise be lost.

COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Tech Crime Investigators Associate’s (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft’s Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.

COFEE consists of plain text scripts; the data collected from these scripts is routed to a provided USB drive. Although intended for use with a command line, there is also an option for GUI. Raw text captures generate either SH1 or md5 checksums. The results for an acquisition are then presented in either plain text or HTML. Each operation produces its own log file to help investigators.

Although Microsoft would not confirm any specific tools included within COFEE, it did say that all the tools were publicly available.

A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung says. It can be used on a computer using any type of encryption software, not just BitLocker.

COFEE doesn’t break BitLocker or open a back door, it captures live data on the computer”

Similar tools which have been in use and which are also being worked upon are:

RAPIER, SwitchBlade, USBDumper, MacLockPick, WFT.


Nitin Kushwaha

Categories: IncidentResponse | Tags: , , , , , , , , , , | Leave a comment

Post navigation

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: