By Kelly Jackson Higgins
Nov 09, 2009
A forensics tool built by Microsoft exclusively for law enforcement
officials worldwide was posted to a file-sharing site, leaving the
USB-based tool at risk of falling into the wrong hands.
COFEE is a free, USB-based set of tools, which Microsoft offers only to
law enforcement, that plugs into a computer to gather evidence during an
investigation. It lets an officer with little or no computer know-how
use digital forensics tools to gather volatile evidence.
COFEE was posted to, and later removed from, at least one file-sharing
site, but security experts say the cat is now out of the bag. While many
forensics tools with functionality similar to Microsoft's Computer
Online Forensic Evidence Extractor (COFEE) are available, security
experts still worry the bad guys will use their access to the tool to
figure out ways to circumvent it.
Chris Wysopal, CTO at Veracode, says the danger is that a detection tool
will be written for COFEE so that the bad guys can cover their tracks.
"Someone will build a detector so that machines will wipe themselves or
give rootkit-like fake answers if this USB is inserted into a computer,"
One researcher who got a copy of COFEE online says bad guys could abuse
the tool by taking one of its DLLs and loading it into a compromised
machine's memory, where it then dumps stored clear-text passwords to a