[ISN] Microsoft Forensics Tool For Law Enforcement Leaked Online

From: InfoSec News <alerts_at_private>
Date: Tue, 10 Nov 2009 00:48:52 -0600 (CST)

By Kelly Jackson Higgins
Nov 09, 2009 

A forensics tool built by Microsoft exclusively for law enforcement 
officials worldwide was posted to a file-sharing site, leaving the 
USB-based tool at risk of falling into the wrong hands.

COFEE is a free, USB-based set of tools, which Microsoft offers only to 
law enforcement, that plugs into a computer to gather evidence during an 
investigation. It lets an officer with little or no computer know-how 
use digital forensics tools to gather volatile evidence.

COFEE was posted to, and then later removed from, at least one 
file-sharing site, but security experts say the cat is now out of the 
bag. While many forensics tools with functionality similar to 
Microsoft's Computer Online Forensic Evidence Extractor (COFEE) are 
available, security experts still worry the bad guys will use their 
access to the tool to figure out ways to circumvent it.

Chris Wysopal, CTO at Veracode, says the danger is that a detection tool 
will be written for COFEE so that the bad guys can cover their tracks. 
"Someone will build a detector so that machines will wipe themselves or 
give rootkit-like fake answers if this USB is inserted into a computer," 
Wysopal says.

One researcher who got a copy of COFEE online says bad guys could abuse 
the tool by taking one of its DLLs and loading it into a compromised 
machine's memory, where it then dumps stored clear-text passwords to a 


Received on Mon Nov 09 2009 - 22:48:52 PST

This archive was generated by hypermail 2.2.0 : Mon Nov 09 2009 - 22:56:09 PST