COFEE Leaked


  • 3 weeks later...

Very doubtful it's just a pile of M$ junk with no real value to anyone. I really didn't find anything "that" interesting from the whole thing.

Then again by staying clear of it you ain't missing anything either.


I've not looked at it but, according to comments on various fora, it's not all that special and anyone with experience in dealing with PCs could probably get all the information that the package would provide.

Given this brief assessment, I wonder why it was released only to LEOs? Surely by doing that, it made security professionals, pen testers etc. rub their hands and think "Wow, that must be really "juicy". I *must* get my hands on it."?


I wonder why it was released only to LEOs?

Well my guess would be that M$ doesn't want to provide every "script-kiddie" out there with "hacking tools".

And they really can't sell this shit for security professionals 'cause it ain't worth a damn.


  • 3 weeks later...

Microsoft's not bothered about COFEE leak.

Protect yourself from COFEE with some DECAF

In response to Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it's running on for any signs that COFEE is operating on the machine and does everything it can to stop it.

More specifically, the program deletes COFEE's temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a 'Spill the cofee' mode in which it simulates COFEE's presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.

DECAF's developers say future versions of the program will allow computer owners to remotely lock down their machine via text message and e-mail once they detect that it has fallen into law enforcement hands and even send out notifications to other parties in the case of an emergency. The plan is to make DECAF's next release more light-weight, possibly having it run in the form of a Windows service.

COFEE, a suite of 150 bundled off-the-shelf forensic tools that run from a script, was created by Microsoft to help law enforcement officials gather volatile evidence that would otherwise be lost in traditional, offline forensic analysis. Officers can run the script in the field from a USB stick, before the computer is brought back to the lab, letting them grab data from password-protected or encrypted sources. The forensics tool works best with Windows XP, but Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7.

Microsoft first revealed the 15MB tool back in April 2008, and in April 2009, the company announced that it will aid global law enforcement in fighting cybercrime by providing COFEE free of charge to 187 countries, distributing it through Interpol. Microsoft managed to keep the existence of it quiet until November 2009, when pirates decided it was time to leak the tool so that people other than just government crime-fighters could use it. Weeks later, Microsoft started issuing takedown notices to multiple websites that hosted the tool. It's unclear whether Microsoft will react to the fact that there's now software that aims to render COFEE useless.

