Microsoft slowly seals its lips about its police toolkit

By Jacqueline Emigh, BetaNews

May 5, 2008, 2:08 PM

To put a lid on bloggers' speculation about police getting "backdoors" to Windows security, Microsoft is starting to hush up on the subject. In an e-mail to BetaNews on Friday, a spokesperson described COFEE as a "customizable framework."

Despite releasing a few more facts on Friday about a controversial new tool for police officers, Microsoft has now vowed to stay mum on the "exact methods" used by COFEE (Computer Online Forensic Evidence Extractor), as well as about what kinds of passwords -- OS or network, for example -- COFEE might be able to crack.

"Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed," a Microsoft spokesperson wrote, in an e-mail to BetaNews on Friday.

On the other hand, Microsoft's expanded statement to BetaNews on Friday did add some new information to the public pool of knowledge about a tool already distributed to 2,000 police around the globe.

For instance, the spokesperson described COFEE on Friday as a customizable framework, "operating from a USB storage device, that law enforcement can use to leverage publicly available forensic tools and access information on a live Windows system."

Microsoft went on to say, "Microsoft's COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab."

In earlier accounts, COFEE had been variously explained as either a set of software tools or a series of about 150 commands.

As previously reported, the COFEE controversy started last week when some bloggers spread rumors that Microsoft was handing out "backdoor keys" to Windows security. The blog posts were sparked by an article published in the Seattle Times based on an interview with Brad Smith, Microsoft senior VP and general counsel. Last week, Smith gave a talk at a law enforcement conference in Seattle, where he characterized COFEE as a "Swiss army knife for law enforcement officers."

In the Times article, reporter Benjamin J. Romano wrote that COFEE can "decrypt passwords and analyze a computer's Internet activity as data stored in the computer" -- words that soon touched off tirades among several incensed bloggers.

In an update to his article, Romano said a Microsoft spokesperson had later written to him describing COFEE as "a compilation of publicly available forensics tools, such as password security auditing technologies."

Although an initial statement to BetaNews contained no mention of the password tools, a second e-mail from Microsoft provided the information that COFEE does "include password security auditing tools." Subsequently, last Thursday, BetaNews asked Microsoft to identify the kinds of passwords that might be audited or recovered by police using COFEE -- Windows OS passwords, network passwords, or application passwords, for example.

We also asked Microsoft whether the password security auditing tools mentioned by Microsoft are being premiered with COFEE, or whether they are tools which are already readily available elsewhere. Although Microsoft declined to provide more answers to this inquiry specifically, the company's response did shed a little bit more light on what COFEE is, who uses it, and how it was created.


What follows is the full text of Microsoft's final answer on COFEE, as provided to BetaNews on Friday.

I have the following comment to share in regard to your follow-up question. Please note this will be all we have to share about COFEE.

COFEE (Computer Online Forensic Evidence Extractor) is a framework for first responders to customize a set of common forensic tools. It is a framework operating from a USB storage device that law enforcement can use to leverage publicly available forensic tools and access information on a live Windows system. COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

COFEE is designed for use by law enforcement only with proper legal authority. It does not contain new forensic tools, but rather is an easy-to-use, automated forensic tool at the scene. COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret "backdoors" or other undocumented means.

Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed.

History of the Tool:

* Microsoft believes that global public-private sector partnerships are essential to successfully fighting cybercrime in the Web 2.0 environment. Using technology, strategic partnerships, and a foundation of trust, our goal is to turn the positive opportunities which are created by Web 2.0 technologies against the cybercriminals trying to exploit them. COFEE is part of the tools and training that Microsoft provides to law enforcement around the world. It is designed to be used only in circumstances where proper legal authority has been given, such as a court ordered warrant. COFEE is reserved specifically for law enforcement.

* COFEE was first conceived in 2006 by Anthony Fung, formerly of the Hong Kong Cybercrime Police Unit, as a way to simplify the collection of critical volatile evidence at computer crime scenes. With important support from both Microsoft and fellow law enforcement personnel, COFEE achieved a limited release in the summer of 2007 and is now used by forensic examiners in countries the world over.

Comments (27)


By altenhund

edited May 6, 2008 - 12:13 AM

Why Do They Bother? I recall my grandfather telling me about the horse that wanted to get back at its owner by defecating in its own stall. I for one, being a pensioner, had to save long for every OS licence I own, but now have begun to seriously tackle Linux knowledge-bases.
At first it was difficult, as the more one learns, the less one knows... But computers and software began as learning and assistance tools to be enjoyed and to benefit mankind in these fast-paced times, and not to be full of bugs/faults and not conduits for needless data mining and privacy invasion.
Would any of you, reading about such issues, go and continue to buy and/or use, e.g., motor vehicles that with each model continued to have unfinished and/or missing parts, and pose danger to you?... No! I didn't think so. I'm now increasingly supporting through donations the developers of open-source, rather than propping up already huge, but impersonal behemoths.

Score: 0

By Program86

posted May 6, 2008 - 12:15 PM

Just try and backdoor my computer. Go ahead, I dare ya... I have a few surprises for you.

Score: 0

By WeezulDK

posted May 6, 2008 - 10:02 AM

First Rule: Always secure your system when not around it. Turn OFF your PC on a regular basis or have it shut itself off to save energy, and set a BIOS bootup password. Sure, the bios password can be cleared/bypassed, but this would require a court order to get around, as well as pulling your hard disk and analyzing it. If you're that paranoid, use a non-Microsoft based full disk encryption software, and disable your USB ports from allowing any device to install without requiring a password (see policies to understand).

Another thing is, if this somehow got leaked to the public and was able to be reproduced, it could contribute to corporate espionage; it would be a huge threat to national security in the wrong hands. In fact, the US DOJ should be investigating this along with DHS.

Besides, isn't Vista supposed to be invulnerable to security threats like this? What happened to the security initiative, Microsoft? Encryption is supposed to be our protection against unlawful search and seizures, right? What use is your security and encryption now?

This goes to prove that no matter WHAT a corporation or the government says, *always* take any statements regarding your "safety and security" with a HUGE grain of salt.

This is a backdoor. Plain and Simple. And it was intended to give the government the ability to violate your 4th Amendment rights.

If Vista was so secure, it would not be able to be farmed/hacked and its memory dumped by someone simply plugging in a USB key. Microsoft just proved their security is crap.

Score: 0

By PC_Tool

posted May 6, 2008 - 10:26 AM

First rule?

For whom, exactly?

Terrorists? People with a grudge?

Seriously, this is totally overkill for most computer users out there.

Besides, isn't Vista supposed to be invulnerable to security threats like this?

There is no security when the hacker (or forensic technician) has physical access to the machine. 256-bit RSA? Pfft...

Encryption is supposed to be our protection against unlawful search and seizures, right?

No...that would be the laws in your respective countries. For instance, in the US, it's a little document called the Constitution.

This is a backdoor. Plain and Simple. And it was intended to give the government the ability to violate your 4th Amendment rights.

No, this is a forensic tool. Like knoppix and "Active Password Remover" (Google it).

If Vista was so secure, it would not be able to be farmed/hacked and it's memory dumped by someone simply plugging in a USB key

Any system where one has physical access can be accessed in the same fashion with the proper tools. Again, physical access=zero security... unless the system is booby trapped to vaporize itself.

From conspiracy whack-job to anti-Vista troll in one post. Nice touch.

Score: 0

By pforbes

edited May 6, 2008 - 4:52 AM

"COFEE works by being plugged into a running system where a user has already logged on". COFEE is only an instrument, like a gun. If a judge has authorized an investigation this and all existing evidence finders are of course legal. If there's no judge at all, nobody has the right in America to invade your privacy.

Score: 0

By NunjaBusiness

posted May 5, 2008 - 11:26 PM

Easy answer is, don't use hashed keys on anything you want really protected.

Score: 0

By Tenoq

posted May 5, 2008 - 8:00 PM

What's the big deal? There are freeware programs everywhere that can crack/display/remove Microsoft passwords on most of their OS programs & features. It's not like they really need a new program to do it....

...unless it cracks BitLocker. In which case, why pay the extra for Ultimate? Might as well just use Truecrypt/Bestcrypt/PGP or whatever your preference is.

Score: 0

By mesat

edited May 7, 2008 - 9:51 AM

Not a bad idea but if you are already logged in, there is a chance that your encrypted drive is already unlocked.

I have had this discussion with one of our IT staff about using double encryption for sensitive files. One for the file system and one for the files. The file system would become decrypted at login and the files when opened.

If the file is closed, then the file is now protected.

The only problem is many applications don't know how to handle encrypted files.

Also, will your passwords be stored in memory for analysis later?

Best way to start to protect yourself? Stop using Windows and then you are sure that there is no Microsoft back door on your system.

Score: 0

By giwo

posted May 5, 2008 - 7:28 PM

"Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed," a Microsoft spokesperson wrote, in an e-mail to BetaNews on Friday.

So whose word should we take that it's not doing anything illegal? Microsoft or "Law Enforcement Officials". Given that they are both beyond reproach, I suppose it's a toss-up....

Score: 0

By PC_Tool

posted May 6, 2008 - 10:19 AM

So whose word should we take that it's not doing anything illegal?

FYI:

If the police are searching your PC, they likely have a warrant. The tools they use are irrelevant. Warrant=legal.

Score: 0

By palweb

posted May 5, 2008 - 6:52 PM

Ah the old "if you don't do anything wrong you have nothing to worry about" theory. This is all we need, industry teaming up with law enforcement. Some of the biggest crooks are "law enforcement". This thing will be on the street by tomorrow.

Score: 0

By lazarus98

posted May 5, 2008 - 5:30 PM

Here's a novel thought... Don't store illegal crap on your computers or be into criminal activities and you won't have to worry now will you?

Score: 0

By sjc001

posted May 5, 2008 - 5:51 PM

Ok. So you wouldn't mind it if they put video cameras all through your home and watched you 24/7 at EVERYTHING you do? After all, you haven't done anything illegal, have you?

Score: 0

By lazarus98

posted May 6, 2008 - 12:09 AM

You could start with a decent comparison, not the conspiracy theory tripe that everyone brings up. Big brother is not watching you, I'm sure. I doubt that you'd be that interesting to them or anyone. Besides, COFEE is nothing new. There have been other forensic devices around that are just as pervasive.

Score: 0

By dhjdhj

edited May 6, 2008 - 8:49 AM

It's not about big brother actually watching. It's an abuse issue (among other things).

It is the potential for an employee of big brother to get access to private information that (for many legitimate reasons) you might not want people to know about. For example, the terms of an important business deal, the fact you're having an affair, or you're watching socially "frowned upon" movies. None of these things are illegal but most people would probably not want them known.

It's also about the potential for mistakes.

It's easy to say "I've nothing to hide so go ahead" until you become the victim by mistake. Then all hell breaks loose.

A free society needs to be able to protect its citizens from such things.

Score: 0

By PC_Tool

posted May 6, 2008 - 10:17 AM

...

In all fairness you have the same possibility for abuse from your banker, ISP, neighbor, IRS, etc...

Criticizing something based solely on potential for abuse is a cop-out.

Score: 0

By dhjdhj

posted May 6, 2008 - 11:30 AM

What a silly comment. Abuses have happened all over the place, this is hardly hypothetical.

The IRS is part of government with whatever legal rights are deemed appropriate by government. It's absolutely reasonable for them to have information about your financial situation for the SOLE PURPOSE of assessing your taxes but that's all.

Neighbors don't get to come into your house uninvited, nor do they have any legal right to do so. One can keep data private from ISPs by using encryption, anonymous proxies, etc.

Your banker (for example) should be obliged (and allowed) to protect your information from all others (including government) unless your bank has good reason to believe you're doing something illegal, in which case it's appropriate to report it but then there needs to be mechanisms in place so that you have recourse to protect you in the case where they are wrong, etc.

Score: 0

By PC_Tool

edited May 6, 2008 - 11:59 AM

You missed the point completely. Every one of those examples falls under the same basic flawed logic.

Everything has potential for abuse. Everyone is obligated not to do so. Everything has oversight. Anything can be corrupted.

This type of argument is usually a last resort when one can come up with nothing else. It is a generalization that can't be disproven by its very nature of being true to *all* applicable situations, and as such, it is completely irrelevant to them all as well.

Score: 0

By dhjdhj

posted May 6, 2008 - 2:21 PM

I didn't miss the point at all.

I'm not talking about the "potential" for abuse. I'm talking about how we are supposed to prevent abuse and also how to HANDLE abuses when they do happen.

For example, in a typical court case, prosecution is not allowed to introduce evidence obtained illegally. That's the "prevent abuse" part.

If they do, the judge is supposed to disallow that evidence. That's the "handle abuse" part.

Laws should typically describe what is and what isn't allowed and then go further to provide the appropriate recourse if the law is violated.

To me, such things come under civil liberties, an area that has been much abused the last 7 years or so.

Score: 0

By PC_Tool

edited May 6, 2008 - 3:02 PM

???

I didn't miss the point at all.

I'm not talking about the "potential" for abuse.


To quote your original post:

It is the potential for an employee of big brother to get access to private information

Yeah...it's not about potential.

For example, in a typical court case, prosecution is not allowed to introduce evidence obtained illegally. That's the "prevent abuse" part.

How is the above not applicable with this software? Illegal search and seizure was illegal before this tool and is still illegal now.

Laws should typically describe what is and what isn't allowed and then go further to provide the appropriate recourse if the law is violated.

??? This isn't a law. This is a tool, much like the many that have been in use for decades. MSFT got tired of forensics using Linux to hack Windows and has now provided an alternative.

Perhaps this is a huge miscommunication? It sounds like you're talking about something completely "other" than the police toolkit. The Patriot Act, perhaps?

Score: 0

By dhjdhj

edited May 6, 2008 - 3:15 PM

Yes, you are correct, I was thinking about the Surveillance (I mean Patriot) Act. This whole thing with MS seemed to fit!

My apologies for the miscommunication.

Score: 0

By PC_Tool

posted May 6, 2008 - 5:20 PM

No problem.

It just totally didn't seem like we were at all communicating there, I knew something had to be awry.

The PATRIOT Act does indeed leave a lot of doors open. The problem I have with it is not solely in its potential for abuse, as again, all things have that potential, but as I see it, the problem is that such potential has a much lower threshold of consequences.

Examples:

Cop guilty of illegal search and seizure (breaking and entering without a warrant); justice system finds out, cop gets fired, case dropped, or at the very least, evidence deemed inadmissible.

DHS agent guilty of illegal search and seizure, (holding suspect and evidence without knowledge of any other parties); ... That's pretty much the end of it. No-one knows.

...now even that's pretty wild. Most agents are closely watched, held accountable, their superiors intensely vetted, etc... But the bar has dropped regardless.

Haven't 100% made up my mind on that one yet...

Score: 0

By Adrian79

posted May 5, 2008 - 4:42 PM

Oh my... I must destroy my Vanessa Hudgens photos! lol

Score: 0

By mike_diack

posted May 5, 2008 - 4:40 PM

Security by obscurity never works. All it will take is for one of these devices to leak out and get reverse engineered...

Score: 0

By Ethelred

posted May 5, 2008 - 5:38 PM

The key item in this is that the tool is used on a running system before it is shut down and taken away. Since the owner is likely logged on, there is a lot that can be done. If nothing else, it could take a memory snapshot which could include unencrypted data. Possibly even the user's passwords, since users want transparency with encryption and do not want to keep entering the password.

This is clearly something that does not need reverse engineering to understand. A live system is very different from a system that is cold.

Besides which, there are plenty of tools out in internet land already for digging passwords out of MS's hash files. Poor passwords can be beaten in reasonable lengths of time by brute force combined with dictionary attacks. This is not a secret known only to MS.

Score: 0

By mesat

posted May 7, 2008 - 11:38 PM

The big difference here is the stick, as reported, will allow investigators to get around the screen saver, mount and operate software without knowing any system passwords to start off with. This is some system access hole that is a security threat in a business atmosphere.

As for the stick being reverse engineered, I think that will be sooner than later. There are enough crooked people working in police forces around the country. And with the falling economy, there are many that need that extra income. Maybe not a police officer but some staff worker.

Score: 0

By altenhund

posted Jul 1, 2008 - 4:33 AM

GPL GPU is the way to go anyway, every MS OS is full of bugs, and if their OSes were cars then the Edsel would be a Rolls Royce compared to the rubbish that is foisted onto the unsuspecting public. For starters, who would buy a car if each week you had to go and get an extra needed part fitted? And as for COFEE, well I for one, being all for what software, the internet and computers once had been about in the days when the worst "bad-ware" one would have to nuke was the wumpus, and the concept of give and share was true and genuine, have been freely helping many that have gone and locked themselves out over the years, and there was no need for any COFEE, and the only coffee that was needed did not have time to be brewed, and the problem was fixed by the time the jug was boiled.

Now what is the point of the stupid thing anyway, truly, other than for someone to be able to boast? Entering and hacking any pooter is child's play these days. And as for the rubbish that is shown on TV, anyone with sensitive information knows how to crypt it, and if that information is of a child exploitative kind, then fools like that leave tell-tale traces even in something as basic as their index.dat, and both owner and pooter should be pointed at the nearest gamma c***tail bar. Likewise those that would do others harm. Now as far as the second is concerned, their locations (despite what the public is told) are well known, and all these could be sent the same invite, but the flow of the almighty dollar would stop, from those who make certain hardware. So in the end COFEE is neither new nor of more use than a feel good device for a few who need the ego boost, and, as all of you savvy out there know, if you want it secret, then it can be made so, and there will never be a Cray to break it.
(`\0_0/´)
I see all, said the blind man, and tell little of it if ever.

Score: 0