More COFEE Please, on Second Thought…

COFEE (Computer Online Forensic Evidence Extractor), the forensics tool Microsoft created and provides to law enforcement officials, was leaked on torrents last week, and this has caused quite a bit of excitement. Let’s see if the big deal is warranted.

The software is made up of three components or phases:

  • The tool generation phase, which is meant for the more tech-savvy forensics examiner to set up a profile that is exported to a USB disk. This is a simple decision-making process of which tools and parameters should be set up to run from the USB drive.
  • The data acquisition phase, which is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data (running processes, etc.) and saves the output from each command.
  • The report generation phase, which is once again meant for the tech-savvy. It uses the same GUI console as the tool generation phase, but this time to view the reports generated from the output of the tools run from the USB disk.

I’ve been reading some of the news articles, blogs, and related comments on the leak, and the recurring claim is that hackers now have more ammunition: by seeing how COFEE works, they can improve malicious code to avoid it or misrepresent data. However, COFEE is not very special. Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there. For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: a forensics framework that lets you configure a list of commands used to collect volatile data and save the output in a reporting format, or in a format that can be uploaded to a database for analysis.

[Figure 1: screenshot (ScreenHunter_01, Nov. 09) of the COFEE tool-selection GUI]

Microsoft provides a GUI for tool selection (see figure), whereas most toolkits use a config file or batch file to modify tool selection and parameters. It appears that even the configuration of the USB disk comes with an easy-to-use interface. In addition to the preconfigured tools, you can add tools from your own collection.

One feature I found useful in COFEE is the random generation of tool names. While most toolkits out there use tools from a good source (such as the Helix CD), Microsoft goes a step further and renames the tools to randomly generated names, leaving no doubt that the intended version of the tool is the one running.


[Figure 2: screenshot (ScreenHunter_02, Nov. 09) of the COFEE report view in the GUI]

The output format is XML, and when loaded into the GUI it gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view into the output data by framing it in HTML.

More of the same in terms of forensics toolkits: COFEE keeps hashes of the tools in a checksum file and also has separate directories for OS-specific tools (\winxp, \win2k03, etc.). According to the documentation, it is not supported on Vista or Windows 7, but apparently a new version is planned for those operating systems.
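As an added illustration of the pattern these toolkits share (a configured command list, a checksum file for the tools, and XML output), here is a small Python sketch; it is not COFEE’s code or any of the toolkits named above. It assumes a SHA-256 checksum file in sha256sum format, a tool list in the same "tool parameters" form as the default list below, and an injectable runner so the pipeline can be exercised without the Windows tools present.

```python
import hashlib
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed tool list in the same "tool parameters" form as the page's default list.
TOOL_LIST = "ipconfig.exe /all\nnetstat.exe -ao\ntasklist.exe /svc\n"

def parse_tool_list(text):
    # One command line per entry -> (executable, [args]); blank lines are ignored.
    return [(p[0], p[1:]) for p in (l.split() for l in text.splitlines()) if p]

def parse_checksums(text):
    # "sha256hex  filename" lines (sha256sum style, an assumption) -> {filename: hex}.
    return {p[1]: p[0].lower() for p in (l.split() for l in text.splitlines()) if len(p) == 2}

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def run_tool(exe, args, runner=subprocess.run):
    # runner is injectable so the pipeline can be tested without the real Windows tools.
    proc = runner([exe, *args], capture_output=True, text=True, timeout=60)
    return proc.returncode, proc.stdout, proc.stderr

def build_report(results):
    # results: [(cmdline, returncode, stdout, stderr)] -> XML text, one <command> per tool.
    root = ET.Element("collection")
    for cmdline, rc, out, err in results:
        node = ET.SubElement(root, "command", name=cmdline, returncode=str(rc))
        ET.SubElement(node, "stdout").text = out
        ET.SubElement(node, "stderr").text = err
    return ET.tostring(root, encoding="unicode")

def collect(tool_dir, tool_list_text, checksum_text, runner=subprocess.run):
    # Run only tools whose on-disk hash matches the checksum file; report the rest as skipped.
    sums = parse_checksums(checksum_text)
    results, skipped = [], []
    for exe, args in parse_tool_list(tool_list_text):
        path = Path(tool_dir) / exe
        if not path.is_file() or sums.get(exe) != sha256_file(path):
            skipped.append(exe)
            continue
        rc, out, err = run_tool(str(path), args, runner)
        results.append((" ".join([exe, *args]), rc, out, err))
    return build_report(results), skipped
```

A tool that is missing from the USB directory or whose hash does not match the checksum file is never executed, which is the point of keeping the checksum file alongside the tools.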

Conclusion

The conclusion is that the excitement is not warranted. There is nothing groundbreaking in COFEE that has not been seen in other toolkits. It may even fall short in some areas, as I did not see any method for memory dumps or for capturing the prefetch directory. The excitement is rather because this piece of software has been difficult to obtain, even by law enforcement, and both the forensics experts and the anti-forensics communities have been curious to see what Microsoft themselves had to provide in this space. Personally, I will pass on this cup of COFEE and continue using my own forensics framework along with the others I mentioned earlier.

Default tools & parameters launched by COFEE:

arp.exe -a
at.exe
autorunsc.exe
getmac.exe
handle.exe -a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report %OUTFILE%
nbtstat.exe -n
nbtstat.exe -A 127.0.0.1
nbtstat.exe -S
nbtstat.exe -c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators /domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe -ao
netstat.exe -no
openfiles.exe /query /v
psfile.exe
pslist.exe
pslist.exe -t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck \127.0.0.1
tasklist.exe /svc
whoami.exe

Update – 11/10/09

There is speculation that the released version only has 45 commands and is therefore not the full “150 command” version that Microsoft reported releasing. The released version is 1.1.2, which corresponds to the version information in the documentation. The documentation does not list 150 discrete commands (really, separate programs). Therefore the 150-command statement may be incorrect, or may just be inflation of what’s there (for example, treating ‘netstat + option’ as its own command).

Comments (13)

  1. Teksquisite says:

    Thanks for the great info – keep it coming :)

  2. Teilo says:

    In other words, it’s just a bunch of stock C:\Windows\System32 and live.sysinternals.com command-line utilities, already freely available, run from a batch file, with their output piped to a log file.

    OOOOOO! Scaaaaaary!

  3. Computer Guy says:

    What I’d like to know is if the software interacts at all with the cryptographic stealthware built into Windows.

  4. r3df0x says:

    some of their programs are that of Sysinternals.

  5. spenser says:

    “cryptographic stealthware”

    care to elaborate?

  6. [...] a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of [...]

  7. [...] Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was much hype about nothing, as many free tools already out there exceed COFEE in features and functionality. However, that did [...]

  8. [...] Regular or Decaf? Tool launched to combat COFEE [...]

  9. [...] of undocumented Windows functions. As soon as COFEE was released on the Internet, it was dissected and criticized. It is, moreover, interesting to see how much some of the criticisms are [...]