Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor.
Let me give you some information on COFEE and put it into the proper context.
I am personally convinced that every company has its obligation to work towards making the Internet a safer place. Amongst other things, this means a close collaboration with Law Enforcement.
Let's face it: Most of security is about crime prevention!
Now, Microsoft has a team internally working with Law Enforcement running different programs:
- Anti-Phishing Efforts: You know of the Internet Explorer 7 Phishing Filter. Additionally, we are a founding member of Digital PhishNet.
- Anti-Spam Efforts: Again, besides technology we have been a leader in promoting Signal Spam, a unique public/private partnership in Europe and probably in the world.
- Legislative Efforts: One of the key challenges in fighting cybercrime is that most of the cases are international but the law is not harmonized internationally. Therefore, together with other industry partners, we joined the Council of Europe to support their efforts on harmonization of legislation.
- CETS (Child Exploitation Tracking System): CETS is actually a tool we developed jointly with the Canadian police to help track child exploitation cases across a country. From our perspective, we give the software itself away for free and the police only have to pay for the basic implementation cost.
- Training: All across the globe we are training Law Enforcement Officers in different technological themes. We do this either in a partnership with the local or national Law Enforcement agency or Interpol and Europol. We do this for free. We do similar trainings for judges and prosecutors.
- LE Tech: Approximately once every other year we hold a conference in Redmond called LE Tech. This is a technical conference completely shaped to the needs of Law Enforcement Officers.
- And a lot more.
Let's come back to COFEE: During LE Tech, a conference in Redmond we organized for Law Enforcement organizations from around the world, we invited a few journalists to some of the sessions. As a result, a story appeared in The Seattle Times called "Microsoft device helps police pluck evidence from cyberscene of crime". In my opinion, there was a very good quote, attributed to Brad Smith (Microsoft Senior Vice President and General Counsel), on the programs above: "These are things that we invest substantial resources in, but not from the perspective of selling to make money," Smith said in an interview. "We're doing this to help ensure that the Internet stays safe."
The target audience for COFEE is a forensic investigator with very limited knowledge of IT forensics. There are many standard forensic tools that law enforcement officers routinely use to capture information from a computer for analysis. In most investigation scenarios these tools have to be used to extract information at the scene of an investigation as powering down the computer could lead to loss of data and potential evidence.
The COFEE tool automates many of these existing tools and delivers them via a thumb drive, making it quick and easy to use in an investigation scenario – as stated above – for the investigator with very limited knowledge of IT forensics.
I have seen and heard a lot of inaccurate information about what COFEE is and does, so I wanted to spend some time addressing these misconceptions:
- COFEE is in Beta stage today.
- Use of COFEE is strictly restricted to law enforcement organisations who can only use it within the parameters of national legal frameworks, such as a search warrant or any other valid judicial order.
- COFEE can only be used with physical access to a machine! No, absolutely no, remote capabilities.
COFEE does not do anything that cannot already be done by using a range of tools already available to law enforcement. The only difference is that it automates those tools, making them quicker and easier to use in an investigation scenario. There is no magic. COFEE does not access a "secret backdoor into Windows" (because such a thing does not exist), and it does not circumvent BitLocker. It automates standard forensic tools via a USB storage device to enable law enforcement to access information on a live Windows system.
The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.
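The kind of automation described above (run a fixed list of commands on a live system and save the results for later analysis) can be sketched as follows. This is an added example, not COFEE's code: the command list (standard Windows built-ins), the output file names and the manifest layout are all assumptions made for illustration.

```python
import hashlib, json, subprocess, sys
from datetime import datetime, timezone
from pathlib import Path

# Assumed command list: standard Windows built-ins, NOT COFEE's actual profile.
# Ordered roughly by volatility (network state and processes first).
DEFAULT_COMMANDS = [
    ("arp_cache", ["arp", "-a"]),
    ("net_connections", ["netstat", "-ano"]),
    ("processes", ["tasklist", "/v"]),
    ("ip_config", ["ipconfig", "/all"]),
    ("system_info", ["systeminfo"]),
]

def collect(commands, out_dir, timeout=60):
    """Run each command, save its raw output, return a manifest with SHA-256 hashes."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for name, argv in commands:
        entry = {"name": name, "argv": argv,
                 "started_utc": datetime.now(timezone.utc).isoformat()}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout)
            data = proc.stdout + proc.stderr
            entry["exit_code"] = proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            # A missing or hung tool is recorded, not fatal: keep collecting.
            data = b""
            entry["error"] = repr(exc)
        path = out_dir / f"{name}.txt"
        path.write_bytes(data)
        entry["file"] = path.name
        entry["sha256"] = hashlib.sha256(data).hexdigest()
        manifest.append(entry)
    (out_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(out_dir):
    """Re-hash saved outputs against the manifest; return names that no longer match."""
    out_dir = Path(out_dir)
    manifest = json.loads((out_dir / "manifest.json").read_text())
    return [e["name"] for e in manifest
            if hashlib.sha256((out_dir / e["file"]).read_bytes()).hexdigest() != e["sha256"]]

if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else "collection"
    for e in collect(DEFAULT_COMMANDS, out):
        print(e["name"], e.get("error", e["sha256"]))
```

Recording a timestamp and hash per output at collection time lets the analyst later show that the saved results have not changed since they were captured.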
So I hope I have been able to show that Microsoft is committed to helping address cybercrime and that our collaboration with law enforcement organisations is an important element of that.