Friday, 22 June 2018


Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensics researchers retrieve evidence from Windows computers. Installed on a USB flash drive or other external disk drive, it serves as an automated forensic tool during live analysis. Microsoft provides the COFEE tools and online technical support free of charge to law enforcement agencies.





Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Security Enforcement Team. Fung conceived the device after discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft. The device is used by over 2,000 officers in at least 15 countries.

A case cited by Microsoft in April 2008 credits COFEE as critical to a New Zealand investigation into child pornography trading, producing evidence that led to an arrest.

In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as COFEE's principal international distributor. The Cyber Crime Investigation Center of University College Dublin, together with Interpol, developed a program to train forensic experts in using COFEE. The National White Collar Crime Center has been licensed by Microsoft to be the only domestic distributor of COFEE in the US.

Public leak

On November 6, 2009, a copy of Microsoft COFEE was leaked onto various torrent websites. Analysis of the leaked tool shows that most of it is a wrapper around other utilities previously available to researchers. Microsoft confirmed the leak, but a company spokeswoman said "We do not anticipate the possible availability of COFEE for cyber criminals to download and find ways to 'build around' to be of significant concern".




Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data. The software is reported to consist of three parts. First, COFEE is configured in advance, with the investigator selecting the data they want to export; this configuration is then saved to the USB device that will be connected to the target computer. A further interface generates reports from the collected data. Estimates cited by Microsoft state that work that previously took 3-4 hours can be done with COFEE in just 20 minutes.

COFEE includes tools for password decryption, Internet history recovery, and other data extraction. It also recovers data stored in volatile memory, which could be lost if the computer were shut down.



DECAF

In mid to late 2009, a tool called Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool reportedly protects computers against COFEE and renders COFEE ineffective. It was said to provide real-time monitoring for COFEE signatures on USB devices and in running applications and, when a COFEE signature is detected, to perform numerous user-defined processes. These included clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses. On December 18, 2009 the DECAF makers announced that the tool was a hoax and part of "action to raise awareness of security and the need for better forensic tools".



See also

  • Linux Times
  • nUbuntu
  • Windows To Go, a bootable USB drive with Windows, capable of running data recovery utilities





External links

  • Official website
  • "Microsoft Computer Online Forensic Evidence Extractor (COFEE)". Microsoft company. Archived from the original on 2012-06-21. Retrieved 2009-10-17.
  • "Regular or Decaf? Tool launched to combat COFEE". Praetorian Prefect. Retrieved 2009-12-18.
  • "Disabling DECAF in Two Minutes". Praetorian Prefect. Archived from the original on February 23, 2014. Retrieved 2009-12-18.

Source of the article: Wikipedia
