The Holy Grail of Pirated Software: Microsoft COFEE leaked online. *UPDATED*

What is COFEE?

“Computer Online Forensic Evidence Extractor (COFEE) Easily captures important “live” computer evidence at the scene in cybercrime investigations, without special forensics expertise.”

That basically means COFEE extracts all important passwords, network connections, internet history, documents, photos and whatever else it thinks is important from any computer with a USB port. It’s a pretty deadly piece of software. People have been trying to get their hands on COFEE for a long time now. Well, the wait is over: sometime this morning, COFEE was leaked online.

Cofee leaked online!

Here’s a little more info on COFEE from wikipedia.org:

Computer Online Forensic Evidence Extractor (COFEE) is a modified USB flash drive for investigators for quick extraction of forensic data from computers that are suspected to contain evidence of criminal activity. It allows investigators to search through data onsite as an automated forensic tool. The device, developed by Microsoft, is activated by being plugged into a USB port, and purportedly contains 150 commands that can dramatically cut the time it takes to gather digital evidence (estimates cited by Microsoft state that a job that previously took 3-4 hours can be done with COFEE in as little as 20 minutes). These commands offer such functions as the ability to decrypt passwords, search a computer’s Internet activity, and analyze the data stored on a computer — including data stored in volatile memory, which could be lost if the computer were shut down for transport to a lab. Microsoft currently provides COFEE devices and online technical support free to law enforcement agencies.

Why no screenshots? I won’t be downloading it myself.

***Warning Please Read***

As for downloading it yourself, I don’t suggest it. You are putting your safety in jeopardy by downloading it as it is illegal to own and to operate this software. Personally, I won’t be downloading it.

But if you are so inclined, hit up thepiratebay.org.

** Update **

So, after much reading on the subject, it appears that Microsoft’s COFEE is just a group of basic tools that take a snapshot of the computer’s current state. This includes current internet connections, information that is stored in your RAM (that would be lost if the computer was shut down), IE passwords, Firefox passwords, etc. It does this, basically, by installing a program on a USB key that will autorun when you plug it into the target’s computer, with 45 or so commands preset to run and extract data from the target’s PC.

However, it currently supports only Windows XP: if you have Windows 7, Vista, OS X or Linux, this program simply will not run and the police wouldn’t be able to harvest any info from you with COFEE. The other thing about COFEE is that all of the tools are readily available online for free anyway (albeit not in such a neat and tidy package). I think it’s likely, however, that there are more tools for this program than those that were leaked and that there are a couple of secret tools that Microsoft has added to the official copy of COFEE. These tools might break through encryption on hard drives and other fun things that would probably make it a little more useful. Don’t get me wrong though, from an officer’s standpoint COFEE saves A LOT of paperwork and allows them to harvest info from select machines that would be otherwise lost if the machine was shut off and moved to the station.

If you want to read more about COFEE from the source but don’t want to download it yourself check here

Lastly, it appears that a lot of people are getting a “The Parameter is Incorrect” error when trying to install COFEE from thepiratebay.org. I have heard from a source you should probably search for a copy already extracted on one of those RapidShare-like websites. :)

Happy Hunting,

Joshua

  1. search on Google for inurl:coffee.rar

    might take you 10 minutes to find it.

  2. There you go folks! Thanks Manadar.

    • noname
    • November 21st, 2009

    The one I downloaded was called “COFEE v1.1” (it was actually 1.1.2 though). It came in a .rar file, but when I opened it everything was already extracted and it worked great. The Pirate Bay one I tried didn’t work. It’s out there though; if I can remember the link I will post it.

    Kinda useless though.
