
10
Nov 2009
Microsoft's COFEE spilled on the Internet by Torrent pirates

One of the most important tools in computer forensics and law enforcement has been compromised, uploaded to BitTorrent, and is now widely available on the Internet.

Microsoft's COFEE law-enforcement forensic tool has leaked on the Internet. Someone uploaded it to the private BitTorrent tracker What.CD. COFEE is not a tool anyone can purchase: its distribution is limited to law enforcement, intelligence agencies and the military. To get COFEE you have to ask the National White Collar Crime Center (NW3C) or Interpol for approval and access.

As soon as the What.CD administrators discovered the COFEE torrent link, they removed the link.

But it was too late. COFEE is now widely available to anyone who knows how to search the BitTorrent world or has the patience to sift through Google links.

Microsoft explains what COFEE is on their web site:

Law enforcement agencies around the world face a common challenge in their fight against cybercrime, child pornography, online fraud, and other computer-facilitated crimes: They must capture important evidence on a computer at the scene of an investigation before it is powered down and removed for later analysis. "Live" evidence, such as active system processes and network data, is volatile and may be lost in the process of turning off a computer. How does an officer on the scene effectively do this if he or she is not a trained computer forensics expert?

"How does an officer on the scene effectively do this if he or she is not a trained computer forensics expert?" Using COFEE, of course.

The Computer Online Forensic Evidence Extractor (COFEE) is a piece of software designed for the use of law enforcement agencies and provided to them free of charge by Microsoft. Largely because of its mystique, it has been a much sought-after piece of code.

COFEE was so sought after in the computer underground that an enormous bounty of 1.6 terabytes of capacity was offered to the first one who would upload the software.

It did not take long... someone uploaded COFEE last week.

What.CD management issued a statement, "Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff... And when we did, we didn't like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again)."

Richard Boscovich, a member of Microsoft's internet safety team said, "Its value for law enforcement is not in secret functionality unknown to cybercriminals. Its value is in the way Cofee brings those tools together in a simple and customisable format for law enforcement use in the field."

I predict that within the next few weeks, the full reverse engineered code will begin appearing on the Internet.
