{"id":1388,"date":"2009-11-11T00:35:02","date_gmt":"2009-11-11T05:35:02","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=1388"},"modified":"2022-12-30T12:20:09","modified_gmt":"2022-12-30T17:20:09","slug":"microsoft-cop-tool-leaked","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/microsoft-cop-tool-leaked\/","title":{"rendered":"Microsoft Cop Tool Leaked"},"content":{"rendered":"

\"Microsoft<\/a>I recently wrote about Microsoft’s COFEE computer forensics tool here<\/a>. Three weeks later, Yobie Benjamin at SFGate<\/a><\/em> writes<\/a> that Microsoft COFEE, “One of the most important tools in computer forensics and law enforcement,<\/strong>” was apparently uploaded to bit torrent site What.CD on November 09, 2009, and is now available on the Internet.<\/p>\n

What.CD management issued a statement, “Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff… And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again).<\/em>”<\/p>\n

\"Microsoft<\/a>DarkReading<\/a><\/em> says that COFEE was so sought after in the computer underground that an enormous bounty of 1.6 terabytes of capacity was offered to the first one who would upload the software.\u00a0Robert Graham on DarkReading<\/em> explains that the version on COFEE om BitTorrent has only Microsoft tools, so I don’t know for certain what other tools it might run. Yet similar forensics toolkits all run the same sorts of programs. They run standard tools for grabbing the browser history (from Firefox and IE). The tools can run versions of “pwdump” to grab the password hashes for offline cracking. The browser cache can be captured by these types of tools. They look for recently changed files. They might scour the hard drive and take an MD5 hash of all the files. Similar tools look for unique device IDs, such as your MAC address or built-in hard drive ID.<\/p>\n

\"Steve<\/a>

Who took my COFEE<\/em><\/p><\/div>\n

One of the worries is that now that the tool is public, criminals can now defend against it. This is nonsense according to Graham. Police forensics are already well-known, and criminals already know how to defend against them. Graham, concludes that tools like COFEE don’t do anything extra that is unknown or secret. What makes them dangerous (to criminals) is that law enforcement agents can run them without much training, in an automated fashion.<\/p>\n

 <\/p>\n

Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn<\/a>,\u00a0Facebook<\/a>,\u00a0and\u00a0Twitter<\/a>. Email the Bach Seat\u00a0here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

Microsoft tool for law enforcement COFEE allows agents to run digital forensics without much training is leaked within 3 weeks of being released<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3216,1819,83,67,82,421,4],"class_list":["post-1388","post","type-post","status-publish","format-standard","hentry","category-security","tag-3216","tag-computer","tag-forensics","tag-hack","tag-microsoft","tag-msft","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/1388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=1388"}],"version-history":[{"count":9,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/1388\/revisions"}],"predecessor-version":[{"id":132120,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/1388\/revisions\/132120"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=1388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=1388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=1388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}