Microsoft's COFEE Computer Forensic Tools Leaked
from the that-can't-be-good dept
Last year, we wrote about Microsoft's COFEE tools, a set of computer forensic and auditing tools that Microsoft puts on a USB key and gives to law enforcement to use in trying to extract info from a computer. There was some fear that it was a "back door," but people insisted it was no such thing, just a collection of basic tools. Still, the fact that the system was promoted as being useful for decrypting passwords and analyzing a computer's data and internet activity seemed troubling. We noted that if Microsoft was giving it out to law enforcement, it seemed likely that others would have access to it as well.

Well, late last week, reports started showing up noting that COFEE itself had been leaked to various file sharing sites. Apparently, the program had been quite sought after at the private tracker What.cd -- though, after it was leaked there, the admins actually removed the torrent.
Still, you have to imagine that the software is very much out there. So, the question still remains, is this a big deal or not? When we did our original post, many people insisted that there was no big deal in Microsoft COFEE and it was just basic everyday auditing software. Yet, when even What.cd is removing the torrent, claiming they "didn't like" what they saw when they examined the software, in terms of "the potential impact on the site and security of our users and staff," it does raise certain questions that are similar to those we originally raised.
So, once again, let's get some feedback from the folks reading here. Is this really a big deal? Or is it just your ordinary tools?
Filed Under: cofee, forensics, leak, privacy
Companies: microsoft
Reader Comments
Interesting
Re:
That was my understanding of it. Steven has posted what they put up on the main page, and though their wording is a bit cryptic, it seems to me that they got rid of it simply because it was so high-profile, and a site like What can exist only as long as it is at least somewhat under the radar. The last thing you want is to have a tool that isn't that interesting, but will still draw lots of negative attention to your site/private tracker.
Hmm
Re: Hmm
Re: Re: Hmm
Re: Re: Re: Hmm
Re: Hmm
If it's vital to government, it's mission critical to Microsoft. Pretty funny stuff.
Hmmm...
Better in the Open
In my opinion it is better that hacker tools (used for "legitimate reasons", or otherwise) are kept in the open, available for public review. For law enforcement, there should be no confidential method of obtaining evidence... otherwise how can they claim they even have a chain of evidence?
But to be more salacious, MS has a history of releasing their operating systems with undocumented functions. It would be in the public's best interest to know just how secure they are when they license an operating system.
But more to the point of security, it is far easier to detect and defend against known threats than against the unknown.
Either way, whether the code is public or not is kind of a moot point. Real hackers can reverse engineer anything, especially operating systems.
There was a big "pantiesinabunchcident" about SATAN back in 95 or so, and I think the world is much better off for having had the tool during that period of Internet proliferation.
A little research goes a long way
- All of the included "tools" are preinstalled on a Windows OS since Win2K.
- The few files not included in OSes are not digitally signed by Microsoft.
- Would MS really release something this major, even only in small circulations, with a broken installer?
- Why would MS use open-source AJAX JavaScript when they have already coded similar scripts for use in their Live suite of products?
- Would MS really include a "Gang Bustaz" mode in their products, let alone something of this stature?
- None of the accompanying documentation, such as the how-to-use-the-tools manual, contains MS wordmarks, copyright or logos.
- The loader application does nothing more than run scripts that utilise the OS's built-in functions and log them to a .xml; any user can copy files from sys32 to a USB drive and run a batch script to achieve the same effects.
Unsigned files:
http://i37.tinypic.com/2uglaj7.jpg
Inconsistent design (read: designed by a 7-year-old with VBasic)
http://i37.tinypic.com/9amxld.jpg
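The post above rests on whether the package's files carry Microsoft Authenticode signatures. The script below is an added example, not code from the post or from Microsoft: it walks an assumed USB mount point, records each signable file's signature status, signer and SHA-256, and lists everything that is not validly Microsoft-signed, so the provenance claim can be checked rather than eyeballed.

```powershell
# Added example: inventory Authenticode signatures on a removable drive.
# Assumptions: the drive under review is mounted at E:\ (change $Root as needed).
param(
    [string]$Root = 'E:\'   # assumed mount point of the USB key being examined
)

# File types that normally carry an embedded Authenticode signature.
$signable = '.exe', '.dll', '.sys', '.ocx', '.cab', '.msi', '.ps1', '.vbs', '.js'

$results = @(Get-ChildItem -Path $Root -Recurse -File |
    Where-Object { $signable -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    })

# "Microsoft-signed" here means a valid chain whose leaf subject names Microsoft.
$isMicrosoft = { $_.Status -eq 'Valid' -and $_.Signer -match 'O=Microsoft Corporation' }
$msSigned    = @($results | Where-Object $isMicrosoft)
$otherSigned = @($results | Where-Object { $_.Status -eq 'Valid' -and $_.Signer -notmatch 'O=Microsoft Corporation' })
$unsigned    = @($results | Where-Object { $_.Status -eq 'NotSigned' })
$tampered    = @($results | Where-Object { $_.Status -eq 'HashMismatch' })

'{0} signable files: {1} Microsoft-signed, {2} signed by others, {3} unsigned, {4} hash mismatch' -f `
    $results.Count, $msSigned.Count, $otherSigned.Count, $unsigned.Count, $tampered.Count

# Everything that does NOT carry a valid Microsoft signature is what matters for provenance.
# Caveat: Windows system binaries copied out of System32 are usually catalog-signed rather than
# embedded-signed; they validate only on a host that has the matching catalog, so NotSigned on
# such a file means "verify against a known-good copy", not proof of a third-party origin.
$results |
    Where-Object { -not (& $isMicrosoft) } |
    Sort-Object Status, Path |
    Format-Table Status, Signer, Path -AutoSize
```

Compare the SHA-256 column for the "preinstalled since Win2K" files against the same binaries on a clean Windows install; identical hashes confirm they are stock OS components, differing hashes are the ones to look at.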
What.cd
Re: What.cd
Nothing is impossible. Nothing is out of reach. That's the lesson we take away from today, boys and girls (and men and women). Not long after we switched to Gazelle, and instituted the request bounty system, a request popped up for Microsoft COFEE - a forensic tool supplied by Microsoft to law enforcement offices around the world. You can Google it for more details, but the gist is that the tool was developed and distributed solely to law enforcement agencies. Sounds tempting, right?
And it was. So much so that user after user voted for the request, adding to the ever-increasing bounty. Everyone seemed to have a good laugh with it, figuring that no one would ever get their hands on it and actually upload it. That was the staff consensus, at least. Several imitators were uploaded and removed, users were warned, and the bounty remained.
Then, today, a user actually did it. They got a copy of COFEE and uploaded it here. The resourcefulness of our users never ceases to amaze us. Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff. And when we did, we didn't like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again.)
Just to be clear: we were not threatened by Microsoft or any law enforcement agency. We haven't been contacted, nor has our host. This was a decision made by the staff based on our own conversations and feelings about the security impact of having the software here. We know some of you, perhaps the majority of you, won't agree with it. To those that feel that way, we can only offer an apology and the explanation that we removed it for your security, and ours.
This is not an indication of any policy or rule changes going forward. This is a one-time decision, for a unique situation. This is not something we will do with other torrents or requests. At this point, the software can probably be found elsewhere, for anyone who wants it. We hope you all understand, and will continue searching out those rare items which attract huge request bounties. Feel free to discuss this here, but this decision is final. Thank you, all.
/The What.CD Staff
Re: Re: What.cd
Useless
It's not as though people have ripped off a program like Photoshop or Final Cut... I think the use of the tool is far beyond the knowledge of the people who are obtaining it.
13 year old script kiddies everywhere will jump at the chance to get this software thinking it will give them access to some secret dimension of a computer system only to be disappointed.
much hype
http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/
Heh heh.
If you're a proud Linux user, get yourself Conky and put the script below in the conkyrc file. It will show you the five top incoming connections to your computer so you can see who's knocking at your door.
--------------------------------------------
${tcp_portmon 1 32767 rhost 0} ${alignr} ${tcp_portmon 1 32767 lservice 0}
${tcp_portmon 1 32767 rhost 1} ${alignr} ${tcp_portmon 1 32767 lservice 1}
${tcp_portmon 1 32767 rhost 2} ${alignr} ${tcp_portmon 1 32767 lservice 2}
${tcp_portmon 1 32767 rhost 3} ${alignr} ${tcp_portmon 1 32767 lservice 3}
${tcp_portmon 1 32767 rhost 4} ${alignr} ${tcp_portmon 1 32767 lservice 4}
--------------------------------------------
You can do the same for outgoing, too.
--------------------------------------------
${tcp_portmon 32768 61000 rhost 0} ${alignr} ${tcp_portmon 32768 61000 rservice 0}
${tcp_portmon 32768 61000 rhost 1} ${alignr} ${tcp_portmon 32768 61000 rservice 1}
${tcp_portmon 32768 61000 rhost 2} ${alignr} ${tcp_portmon 32768 61000 rservice 2}
${tcp_portmon 32768 61000 rhost 3} ${alignr} ${tcp_portmon 32768 61000 rservice 3}
${tcp_portmon 32768 61000 rhost 4} ${alignr} ${tcp_portmon 32768 61000 rservice 4}
--------------------------------------------
Hope this helps.
meh
I would like to add it to the 236 programs I currently have on my utility CD.
I'll let you know after I find it.
hot potato
I'm guessing the admins pulled it because they took one look and realized "oh crap, in this climate they're going to decide we're bloody terrorists, kick down the doors, melt the servers into scrap, and shoot us all while attempting to escape."
Then it became a "let's flush this down the toilet before every LEO imaginable sends in a predator drone on this location."
How useful it is isn't at all the question; how useful it's PERCEIVED to be by the relevant authorities, on the other hand, is.
The whole idea of a super secret program is moronic in this day and age, granted...but to the beancounter who came up with it, it is sacred and must be defended to the death...yours preferably.
I mean they've raided data centers and cost people millions for substantially less than this, just a couple of months ago in fact... can't find the link to the story right offhand, but I'm pretty sure I found it here first so most of you likely remember it.
maybe it's about cohesion?
-C
Re: maybe it's about cohesion?
Pirate Bay
is it real?
Not sure what is so special about it.
Just a collection of underperforming utilities/tools?
"Safety of our user"? whoa! that's rich!
I doubt though, that it's going to be a "one-time decision for a unique situation" to remove the torrent. If they did it once - they'll do it again to something else.
Re: Just a collection of underperforming utilities/tools?
Also, AFAIK, What has been around for a little over two years, and this is the first time that they have done something like this. I'm sure if they were put into a similar situation they'd do it again, and it may be a little bit disingenuous to downplay that, but considering how tight their requirements are for uploads, I doubt they'll NEED to do this very often.
Not so impressive
That said, COFEE is extensible - you can easily add tasks that it should perform (and record the results of) on each machine, so a computer forensicist could easily add utilities to dump passwords or copy over certain files, and indeed, the manual's recommendation that 2GB of storage be available on the device it will log to suggests that they intend for COFEE to record more than the leaked version does (it only records about 600kb of info). Other things, like the presence of a reporting category called "Passwords", strongly suggest that MS intended (and perhaps implemented) functionality that is not included in the leaked version.
That said, the included validation documents from the National White Collar Crime Center only discuss the utilities included in the leak. Of course, those documents could have been modified, or there could be additional validation documents covering additional utilities not included in the torrent.
Much ado about nothing?