Microsoft COFEE device

I’ve been keeping up today with a story that was reported in the Seattle Times regarding the Computer Online Forensic Evidence Extractor device Microsoft has made available to law enforcement agencies. So far I’ve read Ed Bott’s response and recently The Register’s response and I have to say that I think that they are overreacting to this. I’m going to go through some of the points made in The Register article below; my points are in bold.

Microsoft has reportedly developed a USB key that allows investigators to extract forensic data from PCs.

COFEE (Computer Online Forensic Evidence Extractor) comes in a USB key form factor, and was distributed to a small number of law-enforcement agencies last June, the Seattle Times reports. The device includes 150 tools that allow investigators to extract internet history files, for example, or “decrypt passwords”.

**The 150 tools are simply based on the 150 commands that forensic experts must enter anyway and that normally take 4+ hours. Microsoft claim that they are simply making this stage easier.**

Rather than pointing to the existence of a backdoor

**There are people that have claimed that this tool circumvents security such as BitLocker and exploits backdoors in the system. It doesn’t! Never did, that’s just anti-Microsoft propaganda. Nice to see The Register rubbishing it.**

the decrypting password feature appears to relate to password auditing tools. COFEE also allows investigators to upload data for analysis.

The device is used by more than 2,000 officers in at least 15 countries, including Germany and the US. Microsoft supplies the technology to law enforcement agencies without charge. The tool reportedly allows investigators to scan for evidence on site without necessarily having to cart PCs back to a lab.

Computer forensics is a painstaking process carefully designed to make sure data on a suspect computer isn’t changed - simply plugging a device into a computer to extract data seems like a quick and dirty fix. The admissibility of such data in court is debatable even before we get into considering the possibility that the USB key might harbour malware.

**Do we honestly think that this is a revelation to the people who designed the tool or consulted on the tool? I honestly do not believe that there is a room in Redmond where someone is now thinking, “I wonder should we have asked a computer forensic professional about this stuff before we built this.” The fact that the Microsoft General Counsel Brad Smith has commented about it makes me think that they’ve done a lot of research into the legal viability of the evidence the tool will produce. Anyway, I suspect the tool is meant to indicate the presence of evidence and produce passwords rather than actually produce the evidence. It’s not designed to replace forensic experts, just make their lives a bit easier.**

Another, even greater concern is that the kit will get into the hands of hackers. The form factor for COFEE would be just their cup of tea.

**To start with, hackers would need to actually gain physical access to the machine they are trying to attack for this to be a real threat. Secondly, do you think they don’t have similar tools already? Anyone heard of Switchblade?**

The extraction and analysis of digital evidence features in the investigation of more and more crimes, not just those specific to computers such as internet fraud and child abuse investigations. UK specialists we’ve spoken to tell us they’re struggling to cope with the volume of work from law enforcement clients. There’s a genuine problem here, but we’re not convinced COFEE is the solution.

Law enforcement officials from forces in 35 countries are meeting in Redmond this week to talk about the role of technology in combating crime. A similar event two years ago led to the development of COFEE, the Seattle Times reports. ®

**So the industry has been involved in this tool for a while then?**

My only problem with it is that by the time law enforcement agencies have finished testing it and ensuring it’s going to work in virtually all conditions, there’ll be a new set of technologies out there and it’ll have to be updated again anyway. Great place to start though, so I say well done Microsoft. Reading the comments on Ed’s blog, as well as on the Seattle Times site, though, it’s obvious that there are people out there that are willing to believe anything anti-Microsoft, and no matter how sensationalist and obviously false the story, they want to believe it.
