The software is made up of three components or phases:
- The tool generation phase, meant for the more tech-savvy forensics examiner, who sets up a profile that is exported to a USB disk. This is a simple decision-making process: which tools and parameters should be set up to run from the USB drive.
- The data acquisition phase, meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data, such as running processes, and saves the output from each command.
- The report generation phase, once again meant for the tech-savvy. It uses the same GUI console as the tool generation phase, but this time to view the reports generated from the output of the tools run from the USB disk.
I’ve been reading some of the news articles, blogs, and related comments on the issue of the software being leaked and how the hackers now have more ammunition: by seeing how COFEE works, they can improve malicious code to avoid or misrepresent data. However, COFEE is not very special. Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there. For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: a forensics framework that lets you configure a list of commands used to collect volatile data and save the output in some reporting format, or in a format that can be uploaded to a database for analysis.
Microsoft provides a GUI for tool selection (see figure), whereas most toolkits use a config file or batch file to modify tool selection and parameters. Even the configuration of the USB disk appears to come with an easy-to-use interface. In addition to the preconfigured tools, you can add tools from your own collection.
One feature I found useful in COFEE is the random generation of tool names. While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further in renaming the tools to randomly generated names, leaving no doubt that the intended version of the tool is running.
The output format is XML, and when loaded into the GUI it gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view into the output data by framing it in HTML.
More of the same for a forensics toolkit: COFEE keeps hashes of the tools in a checksum file and also has separate directories for OS-specific tools (\winxp, \win2k03, etc.). According to the documentation, it is not supported on Vista or Windows 7, but apparently a new version is planned for those operating systems.
The conclusion is that the excitement is not warranted. There is nothing groundbreaking in COFEE that has not been seen in other toolkits. It may even fall short in some areas, as I did not see any method for memory dumps or for capturing the prefetch directory. The excitement is rather because this piece of software has been difficult to obtain, even by law enforcement, and both the forensics experts and the anti-forensics communities have been curious to see what Microsoft themselves had to provide in this space. Personally, I will pass on this cup of COFEE and continue using my own forensics framework along with the others I mentioned earlier.
Default tools & parameters launched by COFEE:
msinfo32.exe /report %OUTFILE%
nbtstat.exe -A 127.0.0.1
net.exe localgroup administrators /domain
net.exe localgroup administrators
netdom.exe query DC
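As an added illustration of the collection framework the post describes (my own example, not code from COFEE, IRCR, WFT, FSP or PTN-FT), the Python below reads a profile in the layout of the default command list above, refuses to run any tool whose SHA-256 does not match a checksum file shipped on the disk, runs each command from the tool directory rather than from the suspect host's PATH, and records one command element per run in an XML collection. The profile text, the checksum layout ("hexdigest  filename", as sha256sum writes it), the %OUTFILE% substitution and every function name are assumptions of mine; the distinct_programs helper counts separate executables rather than command lines, which is the distinction the update below draws about the "150 command" figure.

```python
import hashlib
import subprocess
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Callable, Dict, List, Tuple

# Constructed profile: the default COFEE command lines quoted above, one per
# line. %OUTFILE% is assumed to be a placeholder for a per-command report path.
PROFILE = """\
msinfo32.exe /report %OUTFILE%
nbtstat.exe -A 127.0.0.1
net.exe localgroup administrators /domain
net.exe localgroup administrators
netdom.exe query DC
"""


def parse_profile(text: str) -> List[List[str]]:
    """Split a profile into argv lists, ignoring blank lines and '#' comments."""
    return [line.split() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def distinct_programs(cmds: List[List[str]]) -> int:
    """Count separate executables rather than command lines (net.exe twice = 1)."""
    return len({argv[0].lower() for argv in cmds})


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def load_checksums(text: str) -> Dict[str, str]:
    """Parse a checksum file in 'hexdigest  filename' (sha256sum) layout."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table[parts[1].lower()] = parts[0].lower()
    return table


def verify_tool(tool_dir: Path, name: str, checksums: Dict[str, str]) -> bool:
    """True only if the binary is present on the disk and its hash matches."""
    path = tool_dir / name
    expected = checksums.get(name.lower())
    return path.is_file() and expected is not None and sha256_file(path) == expected


def run_command(argv: List[str]) -> Tuple[int, str]:
    """Default runner: execute argv and return (exit code, combined output)."""
    p = subprocess.run(argv, capture_output=True, text=True, errors="replace")
    return p.returncode, p.stdout + p.stderr


def collect(cmds: List[List[str]], tool_dir: Path, out_dir: Path,
            checksums: Dict[str, str],
            runner: Callable[[List[str]], Tuple[int, str]] = run_command) -> ET.Element:
    """Run each profile entry from the verified tool directory and record the
    result as one <command> element under a <collection> root."""
    root = ET.Element("collection")
    for i, argv in enumerate(cmds):
        name = argv[0]
        entry = ET.SubElement(root, "command", index=str(i), tool=name,
                              line=" ".join(argv))
        if not verify_tool(tool_dir, name, checksums):
            # Never fall back to whatever copy of the tool the host has on PATH.
            entry.set("status", "skipped")
            entry.text = "tool missing from disk or hash mismatch"
            continue
        outfile = out_dir / f"{i:02d}_{name}.txt"
        real_argv = [str(tool_dir / name)] + [
            a.replace("%OUTFILE%", str(outfile)) for a in argv[1:]]
        rc, output = runner(real_argv)
        if outfile.exists():  # tools such as msinfo32 /report write a file instead
            output += outfile.read_text(errors="replace")
        entry.set("status", "ok" if rc == 0 else f"exit {rc}")
        entry.text = output
    return root


def to_xml(root: ET.Element) -> str:
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Assumed layout: .\tools\ holds the binaries and .\tools\checksums.txt their hashes.
    tools = Path("tools")
    sums = load_checksums((tools / "checksums.txt").read_text()) if (tools / "checksums.txt").exists() else {}
    out = Path("output")
    out.mkdir(exist_ok=True)
    print(to_xml(collect(parse_profile(PROFILE), tools, out, sums)))
```

A tool whose binary is absent or whose hash differs from the checksum file is recorded as skipped rather than run from the host, which is the check a reviewer of the collected XML should expect to see alongside each command's output.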
Update – 11/10/09
There is speculation that the released version only has 45 commands and is therefore not the full “150 command” version that Microsoft reported releasing. The released version is 1.1.2, which corresponds to the version information in the documentation. The documentation does not list 150 discrete commands (really, separate programs). Therefore the “150 command” statement may be incorrect, or may just be inflation of what’s there (for example, treating ‘netstat + option’ as its own command).