operat0r_001 Posted November 11, 2009

Wow .. really ? don't even bother .. it's like hacksaw but somehow worse .. only good thing about it prob not picked up by malware scanners ... .. This "Computer Online Forensic Evidence Extractor (COFEE)" is no more than just old windows exe all compiled into a dump log with some www.sysinternals.com utils added on ... w0w really .. ? this is joke right ?!?

--operat0r AKA rmccurdy.com

//-----------------------------------------------
// Check Requied Files
//-----------------------------------------------
Finding uptime.exe ... found
Finding config.txt ... found
Finding folders.txt ... found
Finding pausep.exe ... found
Finding NW3C_SHA1.exe ... found
//-----------------------------------------------
// Load Config
//-----------------------------------------------
//-----------------------------------------------
// Read Disk Label
//-----------------------------------------------
//-----------------------------------------------
// Find COFEE Drives
//-----------------------------------------------
//-----------------------------------------------
// Detect OS
//-----------------------------------------------
The OS of this system is Windows XP
//-----------------------------------------------
// Create Output Folders
//-----------------------------------------------
F:\out-PANSY-8349E3157-20091110214413 is created
F:\out-PANSY-8349E3157-20091110214413\network is created
F:\out-PANSY-8349E3157-20091110214413\process is created
F:\out-PANSY-8349E3157-20091110214413\services is created
F:\out-PANSY-8349E3157-20091110214413\users is created
F:\out-PANSY-8349E3157-20091110214413\password is created
F:\out-PANSY-8349E3157-20091110214413\policy is created
F:\out-PANSY-8349E3157-20091110214413\registry is created
F:\out-PANSY-8349E3157-20091110214413\log is created
F:\out-PANSY-8349E3157-20091110214413\file is created
F:\out-PANSY-8349E3157-20091110214413\memory is created
F:\out-PANSY-8349E3157-20091110214413\opt_tool is created
F:\out-PANSY-8349E3157-20091110214413\misc is created
//-----------------------------------------------
// Run Command
//-----------------------------------------------
Start COFEE
Verifying ... Success
Start...
Commandline : at.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : autorunsc.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : arp.exe -a
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : getmac.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : hostname.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : ipconfig.exe /all
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : msinfo32.exe /report F:\out-PANSY-8349E3157-20091110214413\misc\1b7c1a3b3ded3e610cdb046ddbdf2c22.txt
[Press Space to KILL the Process]
************************************
Pause...
Select Process to kill :
0 ... Resume
1 ... msinfo32.exe
************************************
************************************
Killing msinfo32.exe /report F:\out-PANSY-8349E3157-20091110214413\misc\1b7c1a3b3ded3e610cdb046ddbdf2c22.txt
************************************
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : nbtstat.exe -A 127.0.0.1
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : nbtstat.exe -S
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : nbtstat.exe -c
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : nbtstat.exe -n
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe user
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe file
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe accounts
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe view
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe start
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe session
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe localgroup administrators /domain
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe localgroup
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe share
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe use
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe localgroup administrators
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : net.exe group
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : netdom.exe query DC
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : openfiles.exe /query /v
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : psfile.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : pslist.exe -t
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : pslist.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : psloggedon.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : psservice.exe
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : pstat.exe
[Press Space to KILL the Process]
Calculating Hash ...
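
An added example, not part of the original post or of COFEE: a small parser for a run log shaped like the one quoted above, reporting for each command whether its step finished, was killed by the operator, or was cut off. The sample log is constructed, and treating "Calculating Hash ... Done" as the completion marker is an assumption read from the log's shape.

```python
import re

# Constructed sample in the same shape as the console log quoted above
# (paths shortened; not the poster's actual output).
SAMPLE_LOG = r"""
Verifying ... Success
Start...
Commandline : arp.exe -a
[Press Space to KILL the Process]
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : msinfo32.exe /report F:\out-EXAMPLE\misc\report.txt
[Press Space to KILL the Process]
Killing msinfo32.exe /report F:\out-EXAMPLE\misc\report.txt
Calculating Hash ... Done
End
Verifying ... Success
Start...
Commandline : pstat.exe
[Press Space to KILL the Process]
Calculating Hash ...
"""

# One step: the command line, then everything up to the next "Verifying ...".
_STEP = re.compile(
    r"Commandline\s*:\s*(.*?)\s*\[Press Space to KILL the Process\]"
    r"(.*?)(?=Verifying \.\.\.|\Z)", re.S)

def parse_run_log(text):
    """Return [(command, status)]; status is complete, killed or incomplete."""
    steps = []
    for cmd, tail in _STEP.findall(text):
        if re.search(r"\bKilling\b", tail):
            status = "killed"       # operator aborted the tool mid-run
        elif re.search(r"Calculating Hash \.\.\.\s*Done", tail):
            status = "complete"     # assumed completion marker (see lead-in)
        else:
            status = "incomplete"   # log stops before the hash step finished
        steps.append((" ".join(cmd.split()), status))
    return steps

def needs_review(steps):
    """Commands whose output should not be treated as a full collection."""
    return [cmd for cmd, status in steps if status != "complete"]

if __name__ == "__main__":
    for cmd, status in parse_run_log(SAMPLE_LOG):
        print(f"{status:10} {cmd}")
```

The regular expression does not depend on line breaks, so it also works on a log that has been flattened onto one line.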

DHT420 Posted November 11, 2009

COFEE does not collect as much information as the Incident Response USB tool on this website. Though it does have a nice XML Report Generator. Another big issue is that it doesn't collect information on Vista/7.

misfitsman805 Posted November 11, 2009

lol just use a usb switchblade

IOSys Posted November 11, 2009

> lol just use a usb switchblade

Why not mod this de-caff cofee-thing into a switchblade/hacksaw? It has a nice little GUI for adding new functions, randomizes filenames, easy control over load-order and performs hash-checks .. pretty nice IMO. Could probably even run off the CD-ROM of a capable flash-drive :P

Jen Posted November 12, 2009

Yeah, if someone could mod it to be even more useful, then it would be great!