In association with heise online

30 April 2008, 15:30

Microsoft provides investigators with forensic tool


Microsoft presented new technologies that combat computer and Internet crime to representatives of police authorities from more than 35 countries at the Law Enforcement Technology (LE Tech) 2008 Conference in Redmond. One of them was the Computer Online Forensic Evidence Extractor (COFEE). This is a USB stick tool designed to quickly copy digital data for forensic analysis.

COFEE contains 150 commands that automatically decrypt passwords, find data on hard drives, and analyse a user's surfing patterns on Windows devices. The goal is to reduce the amount of time needed to find and take possession of digital evidence on a computer. Microsoft says that, once inserted in a USB port, it only takes COFEE 20 minutes to do what an expert would need hours for. Furthermore, the investigator would be able to search the computer on site without having to seize it and bring it to the lab. However, according to the Seattle Times blog, Microsoft have admitted that this is not new technology but a compilation of standard forensics tools in a convenient package.

There are critics of the COFEE approach. The overriding issue in court is the credibility of the evidence. Doubt cast on the integrity of the data is potentially far more damaging than the loss of run-time machine state information. To maintain data integrity, it is standard practice to pull the plug on the seized machine and make a digitally signed disk mirror in the lab, on which all analysis is performed. Chris Ridder, a residential fellow at the Stanford Center for Internet and Society, suggests that by running applications on the original system, COFEE's approach could modify the evidence, thereby casting doubt on its legal standing. Indeed, forensics guidelines stress that "No action taken by Law Enforcement agencies or their agents should change data held on a computer or storage media, which may be relied upon in court", and generally assume that the equipment will be switched off and transported to a controlled examination environment. Nevertheless, trusted field forensics kits are readily available that allow on-site analysis, and considerable effort is expended in their hardware design to ensure the integrity of evidence. There are even devices on the market that allow computers to be transported to the lab without powering down.
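The integrity practice described above, acquiring a mirror and then proving that what is analysed is still that mirror, comes down to a hash recorded at acquisition and re-checked before every examination. The following Python is an added illustration, not code from the article, from Microsoft or from COFEE. It assumes a raw image as a byte string (a constructed sample stands in for a real image file), and it uses an HMAC under an examiner key as a stand-in for the "digitally signed" record the article mentions; a real workflow would use an asymmetric signature so that a verifier needs no shared secret. The last function models the article's objection: a utility run on the original media writes to it, so the acquisition hash no longer matches.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample "disk image": a few blocks of bytes standing in for a
# bit-for-bit mirror taken from a powered-off drive behind a write blocker.
SAMPLE_IMAGE = (b"MBR\x00" * 128) + b"NTFS    " + b"\x00" * 500

# Assumed examiner key (constructed). HMAC stands in for the signed
# acquisition record; production use would be an asymmetric signature.
EXAMINER_KEY = b"constructed-examiner-key"


def hash_image(image: bytes, chunk_size: int = 4096) -> str:
    """SHA-256 over the image, consumed in chunks as a real image file would be."""
    h = hashlib.sha256()
    for offset in range(0, len(image), chunk_size):
        h.update(image[offset:offset + chunk_size])
    return h.hexdigest()


def make_acquisition_record(image: bytes, key: bytes) -> Dict[str, str]:
    """Record made once at acquisition: hash of the mirror plus a tag over that hash."""
    digest = hash_image(image)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"sha256": digest, "tag": tag}


def verify_image(image: bytes, record: Dict[str, str], key: bytes) -> bool:
    """Run before analysis: the record must be authentic and the image must still match it."""
    expected_tag = hmac.new(key, record["sha256"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, record["tag"]):
        return False  # the record itself was altered, so its hash proves nothing
    return hmac.compare_digest(hash_image(image), record["sha256"])


def simulate_live_tool_run(image: bytes) -> bytes:
    """Models a utility executed on the original system: it writes to the media
    (a log entry, a cache file), so the bytes no longer match the acquisition hash.
    The write is constructed; only its effect on verification matters here."""
    return image[:-16] + b"tool-ran-here\x00\x00\x00"


if __name__ == "__main__":
    record = make_acquisition_record(SAMPLE_IMAGE, EXAMINER_KEY)
    print(json.dumps(record, indent=2))
    print("untouched mirror verifies:", verify_image(SAMPLE_IMAGE, record, EXAMINER_KEY))
    touched = simulate_live_tool_run(SAMPLE_IMAGE)
    print("after a live tool run:", verify_image(touched, record, EXAMINER_KEY))
```

The point the article's critics make is visible in the last two lines: the same record that confirms an untouched mirror rejects the media once anything has been written to it, and an examiner has no way to argue that the difference is harmless.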

Microsoft's offering, developed by Microsoft Internet Safety Enforcement Team member Anthony Fung after the first LE Tech last year, has already been provided to a number of police authorities free of charge. As Microsoft's chief legal official Brad Smith explained, "We invest considerable resources in these things. And we do it to help ensure that the Internet remains safe." He also admitted that Microsoft was not being completely altruistic here but would profit from sales of products to security authorities. But a USB stick containing Windows utilities, to which the gathered evidence is also possibly written, falls far short of accepted engineering standards for computer forensics systems, and it remains to be seen whether its results will consistently stand up in court.
