A common challenge in cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Running processes, open network connections and other volatile state are lost once the machine is turned off, so investigators have been looking for a tool that helps them make the most of the very limited time they may have at a live system. It is for this reason that in October Microsoft and the National White Collar Crime Center (NW3C) announced an agreement establishing NW3C as the first U.S.-based distributor of the Computer Online Forensic Evidence Extractor (COFEE).

The software now appears to have leaked onto the Internet. On Tuesday, November 10, someone using the pseudonym DrWeird of Eti.in posted the documentation and a working build of version 1.1.2 online.
Here are some details I collected from one of the posted manuals.

COFEE runs on Windows XP and consists of three major components: the GUI for the investigator, the command-line application that is executed on the target machine, and the individual tools that COFEE manages and launches through that command-line application. As the manual explains, execution is divided into three phases: tool generation, data acquisition, and report generation.

During the tool generation phase, digital forensics specialists select the tools to run against the target machine according to the requirements of the individual case. They do this either by choosing a predefined profile or by manually creating a profile and picking which tools (and which command-line switches) to run.

Two predefined profiles were developed to help investigators during the generation phase. The first, the Volatile Data Profile, is used when a full forensic examination is being carried out; none of its programs makes any direct writes to the suspect's file system. The second, the Incident Response Profile, is for cases in which the investigator cannot perform a forensic analysis of the target machine; it is designed to have minimal impact on the suspect's file system.
After "brewing" a cup of COFEE, investigators insert the USB device into the target machine. The data acquisition phase runs, and all collected data is stored on the USB stick.

After data collection, investigators start the report generation phase by loading that information into the GUI console on the investigator's own machine and generating a report.
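To make the three phases concrete, here is a small live-response collector that follows the same tool generation, data acquisition and report generation split. It is an added example, not COFEE's code: the manual's real profile format, tool list and report layout are not reproduced on this page, so the profile below, the helper names (`generate_command_lines`, `acquire`, `generate_report`) and the JSON report shape are all this example's own assumptions. The profile deliberately contains only read-only Windows utilities, and every byte of output is written under the evidence directory (the removable media) rather than anywhere on the suspect's disk, which is the property the Volatile Data Profile is described as having.

```python
"""Hypothetical live-response collector modelled on the three phases the
post describes (tool generation, data acquisition, report generation).

Added example, not COFEE code: the profile format, helper names and report
layout are assumptions made for illustration.
"""
import hashlib
import json
import pathlib
import subprocess
import sys
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Tool:
    name: str       # label used for the output file
    command: list   # executable plus switches, as selected in the profile


# Constructed "Volatile Data"-style profile: stock Windows utilities that only
# read system state. The choice of tools and switches is this example's, not
# the COFEE manual's.
VOLATILE_DATA_PROFILE = [
    Tool("processes", ["tasklist", "/v"]),
    Tool("netstat", ["netstat", "-ano"]),
    Tool("ipconfig", ["ipconfig", "/all"]),
    Tool("arp", ["arp", "-a"]),
]


def generate_command_lines(profile):
    """Phase 1: turn the selected profile into the exact command lines to run."""
    return [" ".join(tool.command) for tool in profile]


def run_tool(command):
    """Default runner: execute one tool and return its combined output bytes."""
    proc = subprocess.run(command, capture_output=True, timeout=60)
    return proc.stdout + proc.stderr


def acquire(profile, evidence_dir, runner=run_tool):
    """Phase 2: run every tool in the profile, write its output only under
    evidence_dir (the removable media), and hash each artefact as it lands.

    A tool that is missing or crashes is recorded as failed rather than
    aborting the run, since the remaining volatile data is still worth having.
    """
    evidence_dir = pathlib.Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for tool in profile:
        started = time.time()
        try:
            output = runner(tool.command)
            status = "ok"
        except (OSError, subprocess.SubprocessError) as exc:
            output = str(exc).encode()
            status = "failed"
        path = evidence_dir / f"{tool.name}.txt"
        path.write_bytes(output)
        results.append({
            "tool": tool.name,
            "command": " ".join(tool.command),
            "status": status,
            "output_file": path.name,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
            "seconds": round(time.time() - started, 3),
        })
    return results


def generate_report(results):
    """Phase 3: summarise the acquisition for the investigator's console."""
    return {
        "tools_run": len(results),
        "tools_failed": sum(1 for r in results if r["status"] != "ok"),
        "artefacts": results,
    }


if __name__ == "__main__":
    # Usage: python collector.py E:\evidence   (path on the USB stick)
    dest = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    report = generate_report(acquire(VOLATILE_DATA_PROFILE, dest))
    (pathlib.Path(dest) / "report.json").write_text(json.dumps(report, indent=2))
    print(json.dumps(report, indent=2))
```

The per-artefact SHA-256 is recorded at acquisition time so the investigator can later show that what was loaded into the console is what the tools produced. Note that "no direct writes to the file system" is a statement about the collected output only: launching any program on a live Windows machine still changes it (prefetch entries, DLL loads, registry access), so the run itself should be documented as part of the evidence.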

In the past, I pointed out that if law enforcement created dedicated tools, one of these days they would certainly fall into crooked hands. Those hands will be happy to study and re-use them for their own purposes. How security products should detect the original code, as well as its existing and potential future variants, is still much debated. Today the disclosed program is not so sensitive: it is merely a repackaging of well-known utilities that many have been using for a long time. But this leak must remind us that people will use the same tools for very different reasons and goals.
So what happens when malware writers detect this piece of hardware and automatically initiate a wipe of evidence?
“investigators insert the USB device into the target machine”…
…and nothing happens, because the owner of the target machine has turned autorun & autoplay off. Muahahaha.