A first impression of Microsoft's forensic tools that got away
Microsoft's COFEE collection of forensic tools, intended for use exclusively by law enforcement teams gathering evidence from computers, initially appeared only on a file sharing site. Just a short time later, copies were available via BitTorrent.
The Computer Online Forensic Evidence Extractor (COFEE) is intended for inexperienced computer users who only need to know how to plug a USB Flash drive into the PC under investigation to extract a comprehensive report. However, those who expect marvellous things from these tools will be disappointed. The version available to The H's associates at heise Security included few surprises for computer professionals.
Once the Flash drive has been plugged into the USB port, COFEE starts via autorun and executes a command-line script. Tools such as whoami, autoruns and others generate a basic snapshot of system information, which is then formatted to look pretty in a web browser. No sophisticated tools for tasks like restoring deleted files or uncovering hidden information were found in the collection. The real value of the collection is its user-friendliness and its focus on gathering evidence that will stand up in court.
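To make the pattern described above concrete, here is an added illustration of an autorun-launched collection script in the same spirit; it is not COFEE's code and not from The H or heise Security, and the autorun.inf line, the evidence folder layout and the tools\autorunsc.exe path are assumptions.

```batch
@echo off
rem Added illustration, not COFEE's own code: a USB-launched live-response
rem script of the kind described in the article. Assumes the drive's
rem autorun.inf carries "open=collect.cmd" (honoured by XP-era autorun only;
rem Windows 7 and patched XP/Vista no longer run autorun.inf from USB storage)
rem and that the drive is writable. Nothing is written to the examined machine.
setlocal enableextensions
set "CASE=%~dp0evidence\%COMPUTERNAME%"
mkdir "%CASE%" 2>nul
set "INDEX=%CASE%\report.html"

> "%INDEX%" echo ^<html^>^<body^>^<h1^>Live snapshot of %COMPUTERNAME%^</h1^>
>> "%INDEX%" echo ^<p^>Started %DATE% %TIME% as %USERDOMAIN%\%USERNAME%^</p^>^<ul^>

rem Volatile data first (who is logged on, what runs, what it talks to), then
rem the slower inventory commands. Raw output is kept per command so the
rem originals can be produced alongside the summary page.
call :grab whoami   "Current user and privileges" whoami /all
call :grab sysinfo  "System information"          systeminfo
call :grab tasks    "Running processes"           tasklist /v
call :grab netstat  "Network connections"         netstat -ano
call :grab ipconfig "Network configuration"       ipconfig /all
call :grab arp      "ARP cache"                   arp -a
call :grab users    "Local accounts"              net user
call :grab autoruns "Auto-start entries (Sysinternals autorunsc shipped on the drive)" "%~dp0tools\autorunsc.exe" -a

>> "%INDEX%" echo ^</ul^>^<p^>Finished %DATE% %TIME%^</p^>^</body^>^</html^>
rem A directory listing with sizes and timestamps doubles as a manifest of
rem what was collected.
dir "%CASE%" > "%CASE%\manifest.txt"
endlocal
goto :eof

:grab
rem %1 = output file stem, %2 = heading, remaining arguments = command to run
set "NAME=%~1"
set "TITLE=%~2"
shift & shift
set "CMD="
:args
if "%~1"=="" goto run
set "CMD=%CMD% %1"
shift
goto args
:run
echo [%TIME%] %NAME%: %CMD% >> "%CASE%\collect.log"
%CMD% > "%CASE%\%NAME%.txt" 2>&1
>> "%INDEX%" echo ^<li^>^<a href="%NAME%.txt"^>%TITLE%^</a^> (exit code %ERRORLEVEL%)^</li^>
goto :eof
```

The collect.log and manifest.txt files record what was run, when, and what came back, which is the kind of trail that matters when the report later has to be defended.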
The included user manual gives a good indication of the tool kit's level of technological sophistication. Although the manual was apparently created in September 2009, the only operating system COFEE is officially suitable for is Windows XP; there is no mention of Vista or even Windows 7. The directory tree of the version-specific tools likewise only contains the win2k, win2k03 and winxp folders.
Those who happen to stumble over an alleged copy of COFEE should treat it with extreme caution. This is not only because the programs are copyright protected, but also because there is no guarantee that the software won't introduce any backdoors or spyware.