Welcome to Microsoft Pri0: That's Microspeak for top priority, and that's the news and observations you'll find here from Seattle Times reporter Sharon Chan.
April 29, 2008 1:20 PM
Posted by Benjamin J. Romano
Today's story on a Microsoft device that helps law enforcement gather forensic evidence from a crime suspect's computer has garnered lots of attention and raised questions about how exactly it works and what it's able to do. Update, 5:10 p.m. I just got a response from Microsoft. See the end of the post.
I've received calls and emails from law enforcement officials -- ranging from Amtrak's Office of Inspector General to a U.S. Army cybercrime investigator to the Citrus County, Florida, Sheriff's Office -- all wanting to know how they can get their hands on the device.
Other readers have wondered about the implications of the device for civil liberties and Windows security. There is also concern the device could fall into the hands of criminals (who, I'd add, would also have to gain physical access to a computer to do harm with it) or that something similar could be developed.
A reader from Snohomish County writes, "a little USB device cannot break encrypted info (passwords) -- unless Microsoft has built a back door into its computers -- it seems. I have worked with encryption software before -- stuff it would take NSA a month to crack -- so how does MS do it in minutes?"
Others have dismissed the idea that this is even news. A reader writes:
"Have you heard of this? Nearly every American home has been infiltrated with a device that allows complete strangers to talk to and gain the confidence of your children. These criminals then indulge in rampant child abuse! The device? The telephone. I say we need a bureau whose job it is to listen in on each and every 'telephone' conversation in order to thwart these insidious criminals. And I think the Seattle Times should run a lengthy series exposing the dangers of this pernicious technology."
I'm trying to get answers from Microsoft on how the Computer Online Forensic Evidence Extractor actually works. I'll update this post when I hear back from Microsoft.
In the meantime, here are some other details that didn't make it into today's story:
Brad Smith, Microsoft's general counsel, described COFEE in an interview.
"It's basically a thumb drive that is like a Swiss army knife for law enforcement officials that are investigating computer crimes. If you're a law enforcement official and let's say you have access to a computer that might be used, for example, by a child predator, a lot of times they have information on their hard disk that's encrypted, and you've got that information off in order to have a successful investigation and prosecution.
"In the past, people would have to literally unplug the computer, they would lose whatever was in RAM. They'd have to transport it somewhere else, and it would take at least four hours, often more to get at the heart of the information."
The device can get that job done in as little as 20 minutes, Smith said.
"With this tool, they can just plug it into the computer, wherever it's located. They don't have to turn off the power. It has over 150 different technology tools that law enforcement officers can use to analyze data, to get access to passwords, to obtain the information typically that people need to successfully prosecute a crime."
COFEE can also be customized with additional tools and commands.
It was developed by Anthony Fung, a senior investigator on Microsoft's Internet Safety Enforcement Team. Fung, formerly a Hong Kong police officer, joined Microsoft four years ago.
It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.
Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."
It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."
Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."
Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."
Posted by Eric Fowler
7:11 PM, Apr 29, 2008
Looks like a tool for espionage more than anything else
Posted by EXMCSE
7:54 PM, Apr 29, 2008
Microsoft is now hiring Communist Police officers, probably on a work visa. He did NOT TELL that to Congress when he was begging for more foreign workers!!!! Any Commie MCSE candidates here needing work?
Looks like they have moved from being Big Bother To Big Brother.
Remember the secret update that you did not know about until some savvy individuals figured it out? It did not go into a BACK DOOR that damn thing went through the FRONT DOOR, The Window and the Garage!!! All while you were home. Can you spell S T E A L T H.
After being a Microsoft Systems Engineer for some years I learned a long time ago NOT to TRUST Bill Gates...... He is also AGAINST Hiring AMERICAN WORKERS......They just will not put up with this BS.
Posted by Tim
8:05 PM, Apr 29, 2008
Whether or not this tool is useful - I can guarantee you that any information gathered while using it will be absolutely inadmissible in a U.S. courtroom. No chain of custody, no data verification procedures, etc. This is tier 1 forensics at best.
Posted by TJ
8:29 PM, Apr 29, 2008
This tool will fall into the hands of common crackers within months most likely. The cat is officially out o' the hat. I'm certified in xp... and if there is no back door (which btw uh-hem uh-em.. never mind (sigh)) a good password like Th1s1sthePWD!@# would be unbreakable otherwise.
Make sure you set the screen saver > password protect on resume. (for 5 or 10 minutes in case you leave your pc unattended).
Posted by sciron64
8:43 PM, Apr 29, 2008
Anyone care to guess as to how many GPL licenses were broken over this one? I can think of many...
And the implications ARE quite hazardous. THIS is one of the many reasons Windoze never enters my home. Heck, you don't even NEED a USB drive. An internet connection is all one needs to gain access to a machine.
If people REALLY think they can do all they need to without removing the machine, I have a few hundred gigabytes of data that will NOT fit on ANY USB thumb drive (even if it was provided by Microsoft).
Really, really pointless. The last time MS did something this idiotic was when they released VB6 to the masses. Now we have a LOT of ignorant coders running around. Do we REALLY need ignorant law enforcement personnel having NO way to verify if their training and information are GOOD? Would we trust a police sergeant to conduct DNA tests? Why? Because they have no clue. Even if trained, they would still have no clue.
Idiocy at its best.
Posted by 0k1
11:39 PM, Apr 29, 2008
I am an IT person working for a law enforcement agency and from my experience, the best law enforcement could do is something like:
1. Plug USB stick into computer
2. Click on the "Gather evidence" button
3. Hope it works...
Posted by J. Lee
6:14 AM, Apr 30, 2008
Within every revolution lie the seeds of its own destruction.
In 2012 will we see Vladimir Putin running for supreme Oberkommander here in the U.S.? The FBI is already catching up with tactics of the old KGB. I'm old, I don't really give a S--T, but younger people should begin to think about dealing with this government in a not so nice way!
I think America is ready for the second tea party!
Posted by Paul Kruger
7:03 AM, Apr 30, 2008
This may be good for police but not for business. Based on this I can't upgrade, assuming they even make Vista reliable. I have a lot of personal data related to my business including customer credit card information etc, stored on my computers.
Knowing this back door may be there probably puts me personally at risk for theft of data as related to Visa and other merchant account rules regarding safeguarding of consumer data.
More reasons to move toward Linux as fast as possible.
Posted by zipper
7:39 AM, Apr 30, 2008
Tim obviously has no clue what he's talking about. He's never seen COFEE, has no idea what tools are on it, yet he has the internet and a computer so he believes himself to be an expert. I have seen this tool and used it. It uses commonly available software, follows the rules and has already been used to prosecute several individuals in the US courts. Like it or not, it works.
Posted by Clifton Bullard
1:54 PM, Apr 30, 2008
Unfortunately, use of this tool will allow many defendants in cybercrime cases to get off, if they can get a defense attorney competent in cyber crimes.
Currently, when a digital forensics team accesses and analyzes a suspect's hard drive, they do it using tools which have been proven over time to leave the hard drive *completely* unchanged. This allows both sides to know that what is on the drive is exactly what was there when it was seized.
*ANY* change to the drive, no matter how small, invalidates this premise -- and the simple act of adding and accessing new hardware (such as a jump drive) makes small changes to the data on the hard drive.
Now you have a prosecution team that is forced to admit under oath that the hard drive was altered, that it was done by someone other than a digital forensics specialist, and that it was not done under controlled conditions (i.e. it was done "in the field" rather than "in the lab").
I'm sorry, but I must consider this a serious blow against the ladies and gentlemen who try to fight cyber crimes.
Posted by wr
1:59 PM, Apr 30, 2008
Actually Tim is right on target: there is no way that any tool should circumvent "Chain of Custody", but most defendants are not going to have the adequate defense to win. This tool was made to dumb down technology for cops. It is more than likely a set of scripted tools that are already available that gathers information that will fit on a USB drive. The only thing that might make this special is if Microsoft wrote an API (backdoor) that makes gathering information easier. The chain of custody rules cannot be automated. Either you require the proper chain of custody or you don't.
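The two points Clifton Bullard and wr raise above, a copy of the evidence that can be shown to be unchanged and an unbroken chain of custody, are both ordinary integrity checks. The Python below is an added illustration of how an examiner's tooling does them; it is not COFEE, nor anything from Microsoft, and the "disk image" bytes, actor names and timestamps are constructed for the example. It fingerprints an acquisition with SHA-256, shows that a single flipped byte (the kind of small change a live, un-write-blocked access makes) fails verification, and keeps a hash-chained custody log in which altering any earlier entry breaks every later one.

```python
"""Evidence integrity and chain-of-custody bookkeeping (added illustration)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest used as the fingerprint of an acquisition."""
    return hashlib.sha256(data).hexdigest()


def acquire(image: bytes, source: str) -> dict:
    """Record what was copied, and its digest, at the moment of acquisition."""
    return {"source": source, "size": len(image), "sha256": sha256_hex(image)}


def verify(image: bytes, manifest: dict) -> bool:
    """True only if the bytes are exactly what the manifest describes."""
    return len(image) == manifest["size"] and sha256_hex(image) == manifest["sha256"]


class CustodyLog:
    """Hash-chained log: every entry commits to all entries before it."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, actor: str, action: str, artifact_sha256: str, when: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"when": when, "actor": actor, "action": action,
                 "artifact_sha256": artifact_sha256, "prev": prev}
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry makes this False."""
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


# Constructed sample standing in for a disk image; not real evidence.
SAMPLE_IMAGE = bytes(range(256)) * 64


def demo() -> dict:
    manifest = acquire(SAMPLE_IMAGE, "suspect-laptop (constructed)")
    log = CustodyLog()
    log.record("officer A (constructed)", "acquired", manifest["sha256"], "2008-04-29T13:20:00")
    log.record("examiner B (constructed)", "received", manifest["sha256"], "2008-04-29T17:10:00")
    # Simulate the "small change" a live, un-write-blocked access would leave.
    touched = bytearray(SAMPLE_IMAGE)
    touched[4096] ^= 0x01
    return {
        "original_ok": verify(SAMPLE_IMAGE, manifest),
        "touched_ok": verify(bytes(touched), manifest),
        "log_ok": log.verify(),
    }


if __name__ == "__main__":
    print(demo())
```

The manifest digest is what gets written on the evidence form; the custody log is the part that cannot be automated away, as wr notes, because each entry still has to be made by the person who actually handled the artifact. The hash chain only makes later tampering with the record detectable.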
Posted by Ray
10:54 AM, May 10, 2008
From the "Ophcrack" website:
"Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds."
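The Ophcrack quote names the technique: a time-memory trade-off in which a table of hash chains is computed once and then reused against any unsalted hash. The Python below is an added illustration, not code from Ophcrack, COFEE or Microsoft: it builds a toy rainbow table over a four-digit PIN keyspace with SHA-256 standing in for the real hash, shows the trade-off (500 stored chain endpoints covering a substantial fraction of 10,000 possible PINs, paid for with extra hashing at lookup time), and shows why a per-user salt the table never saw, which is the standard mitigation, makes the same table useless. The keyspace, hash, reduction function and chain parameters are all toy choices for the example.

```python
"""Toy rainbow table and why salting defeats it (added illustration)."""
import hashlib

KEYSPACE = 10_000     # four-digit PINs "0000".."9999"
CHAIN_LEN = 20        # hashes per stored chain
NUM_CHAINS = 500      # table stores only 500 (start, end) pairs


def h(pw: str) -> str:
    """Unsalted hash: the kind a precomputed table can attack."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: str) -> str:
    """Per-user salt: a table built without this salt never matches."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


def reduce_(digest: str, position: int) -> str:
    """Map a digest back into the keyspace; the position makes it rainbow-style."""
    n = (int(digest[:12], 16) + position) % KEYSPACE
    return f"{n:04d}"


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains once; keep only endpoint -> start (the memory saving)."""
    table = {}
    for i in range(num_chains):
        start = f"{(i * (KEYSPACE // num_chains)) % KEYSPACE:04d}"
        pw = start
        for pos in range(chain_len):
            pw = reduce_(h(pw), pos)
        table.setdefault(pw, start)   # on endpoint collision keep the first chain
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Recover the preimage of target if some stored chain passed through it."""
    for pos in range(chain_len - 1, -1, -1):
        # Assume target sits at this position of a chain; walk to the endpoint.
        pw = reduce_(target, pos)
        for p in range(pos + 1, chain_len):
            pw = reduce_(h(pw), p)
        start = table.get(pw)
        if start is None:
            continue
        # Endpoint known: regenerate that chain and check for the real preimage
        # (a miss here is a false alarm from a merged chain; keep searching).
        pw = start
        for p in range(chain_len):
            if h(pw) == target:
                return pw
            pw = reduce_(h(pw), p)
    return None


def coverage(table: dict, stride: int = 100) -> tuple:
    """How many of a sample of PINs the small table can still recover."""
    pins = [f"{n:04d}" for n in range(0, KEYSPACE, stride)]
    found = sum(1 for p in pins if lookup(table, h(p)) == p)
    return found, len(pins)


def demo() -> dict:
    table = build_table()
    salt = "constructed-per-user-salt"
    return {
        "table_entries": len(table),
        "unsalted_recovered": lookup(table, h("0000")),
        "salted_recovered": lookup(table, salted_hash("0000", salt)),
        "coverage": coverage(table),
    }


if __name__ == "__main__":
    print(demo())
```

The table is tiny compared with the keyspace because each stored pair stands for a whole chain, which is exactly the trade-off Ophcrack describes. The salted lookup returns nothing because the table's chains were generated from unsalted hashes; defending a password store against this class of tool means a unique salt per entry (and, today, a deliberately slow hash), which is orthogonal to whether the attacker has physical access.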
Posted by PH
9:56 PM, May 11, 2008
To the extent that foreign government intelligence agencies and commercial companies that compete with American companies have COFEE and other Microsoft secrets, there goes our competitive edge along with our governmental secrets. PH
Posted by Foster Tawiah
11:24 AM, May 20, 2008
Posted by Jake
8:14 PM, Jun 02, 2008
Old News -- Beginning with DOS 3.0, Microsoft has had 3 teeny weeny little programs that take care of the FAT files and go about searching the entire computer and/or network of computers for logical components. Microsoft has always said this is for tracking your logical systems (hard drive, 9 Pin Serial Port, Modem, etc.), and that it does no harm. It appears that everyone in the world but Bill Gates and Company have forgotten that computers are just logical electronic gadgets built around how a hard drive is written to. That's all. Nothing more and nothing less. There's a lot of brain stuff you can do with this little gadget - but, all said and done - it's all about which circuit is open or closed and can a logical path be discerned. If "Yes" then goto "Next" and if "No" then "Stop"! Pretty easy to understand - unless you have forgotten everything you learned in basic electronics associated with binary math. Do you even remember that a Hard Drive is "NEVER" erased...it's only the information being written over and the FAT file being changed that makes it appear that the drive has been erased. To date -- no such techniques exist that actually "erase" a hard drive. Written over binary pulses embedded in the "iron ore" that resides on the drive disks - can be re-assembled after some 5 to 7 write overs...depending. After 5 it starts getting a bit harder -- but, not impossible and there are algorithms already created to "re-assemble" any binary dots that have not been completely written over so many times as not to be able to refit a word to them or a calculation if it is a spreadsheet. Yes - this is old news. Microsoft has been doing this stuff since its BINARY Disk Writing Disk Reading DOS was developed. There are 3 little programs that control it and if you down those 3 little programs - guess what - your OS ceases to function.
Yep - those 3 little programs send debug info across any wire found - back to Microsoft and it can pretty much do what it wants with the data since it owns it.
LOL -- Microsoft outsmarted everyone --- AGAIN!
Posted by enaid
2:01 AM, Jun 29, 2008
As long as the computer BIOS remains closed source, passwords and passphrases can easily be recorded ad infinitum via keystroke logging, and then logging to the BIOS firmware or logging directly to a MS system file for retrieval by Microsoft during system update connections or other connections to their systems over the Internet, or by them accessing directly the hard drive or system provided by whatever law enforcement agencies/intelligence agencies they normally deal with or provide access to (remember the infamous NSA key removed prior to them "shared sourcing" their source code to foreign governments including China?). This would make any statement on MS talking heads' part true, about whether their (MS) software contains any backdoors or undocumented methods, it's in the BIOS. It may not even be necessary to require MS's help. Law enforcement can get the keylogged passwords/phrases directly from Phoenix or the other major BIOS company...as long as the BIOS or any other low-level firmware remains closed source.
As for commenter Jake: not everyone uses a MS operating system. Not everyone "deletes" or "rm's" their files, some "shred" by default, with a minimum of 30 or more overwrites with random data, some encrypt their swap files/partitions, some encrypt financial, business or other sensitive data in RAM, some encrypt files then "shred" the originating files, etc. And yes, some are aware of the dangers of journaled file systems in regards to encryption/shredding, and the differences of full-journaling and meta-data journaling. And some are even aware of sniffing RF from keyboard presses and other methods of gaining access to data. So MS may pwn 85% of the computing population, but they don't pwn all of us.