COFEE (Computer Online Forensic Evidence Extractor), the forensics tool Microsoft provides to law enforcement officials, was leaked on torrents last week, and this has caused quite a bit of excitement. Let’s see if the big deal is warranted.
The software is made up of three components or phases:
* The tool generation phase, which is meant for the more tech-savvy forensics examiner, who sets up a profile that is exported to a USB disk. This is a simple decision-making process of choosing which tools and parameters should be set up to run from the USB drive.
* The data acquisition phase, which is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data (running processes, etc.) and saves the output from each command.
* The report generation phase, which is once again meant for the tech-savvy. It uses the same GUI console as the tool generation phase, but this time to view the reports generated from the output of the tools run from the USB disk.
The argument goes that hackers now have more ammunition: by seeing how COFEE works, they can improve malicious code to avoid or misrepresent data. However, COFEE is not very special. Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there. For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: a forensics framework that allows you to configure a list of commands used to collect volatile data and save the output, either in some reporting format or in a format that can be uploaded to a database for analysis.
Microsoft provides a GUI for tool selection (see figure), whereas most toolkits use a config file or batch file to modify tool selection and parameters. It appears that even the configuration of the USB disk comes with an easy-to-use interface. In addition to the preconfigured tools, you can add tools from your own collection.
One feature of COFEE I found to be useful is the random generation of tool names. While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further by renaming the tools to randomly generated names, leaving no doubt that the intended version of the tool is the one running.
The output format is XML, and when loaded into the GUI it gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view of the output data by framing it in HTML.
More of the same in terms of forensics toolkits, COFEE keeps hashes of the tools in a checksum file and also has multiple directories for OS specific tools (winxp, win2k03, etc). According to the documentation, it is not supported on Vista and Windows 7, but apparently a new version is planned for those operating systems.
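To make the common design of these toolkits concrete (a configured list of commands, a checksum file for the tool binaries, randomly renamed tools on the collection drive, and an XML report built from the captured output), here is a small collection framework in Python. It is an example added to this post, not code from COFEE, IRCR, WFT, FSP or PTN-FT. The demo uses the running Python interpreter as a stand-in for a real collection tool so it runs anywhere, and the `dummy_tool.exe` file it stages is a constructed placeholder that is hashed and renamed but never executed.

```python
"""Minimal volatile-data collection framework in the style of the toolkits
discussed above. Example code written for this post; it is not any of
those projects' code.

Phases mirror the post: staging (tool generation), acquisition, report.
"""
from __future__ import annotations

import hashlib
import secrets
import shutil
import subprocess
import sys
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


@dataclass
class ToolEntry:
    name: str                      # label used in the report
    path: str                      # executable on the collection drive
    args: list[str] = field(default_factory=list)


@dataclass
class ToolResult:
    name: str
    command: list[str]
    hash_ok: bool
    returncode: int | None         # None when the tool was not run
    stdout: str
    stderr: str


def sha256_file(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_tools(profile: list[ToolEntry], dest_dir) -> tuple[list[ToolEntry], str]:
    """Tool generation phase: copy each tool to dest_dir under a random name
    (so a trojaned binary with the expected name cannot be substituted or
    matched by malware) and record its SHA-256 in sha256sum-style lines."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    staged, lines = [], []
    for entry in profile:
        src = Path(entry.path)
        dst = dest / (secrets.token_hex(6) + src.suffix)
        shutil.copy2(src, dst)
        lines.append(f"{sha256_file(dst)}  {dst.name}")
        staged.append(ToolEntry(entry.name, str(dst), list(entry.args)))
    return staged, "\n".join(lines) + "\n"


def parse_checksums(text: str) -> dict[str, str]:
    """Parse 'hexdigest  filename' lines into {filename: hexdigest}."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            digest, _, fname = line.partition("  ")
            out[fname.strip()] = digest.strip().lower()
    return out


def acquire(profile: list[ToolEntry], checksums: dict[str, str], timeout=60) -> list[ToolResult]:
    """Acquisition phase: verify each tool against the checksum file, then run
    it and capture its output. A tool whose hash is unknown or mismatched is
    recorded but never executed, since the checksum is what proves the intended
    binary produced the evidence."""
    results = []
    for entry in profile:
        p = Path(entry.path)
        expected = checksums.get(p.name)
        hash_ok = p.is_file() and expected is not None and sha256_file(p) == expected
        cmd = [entry.path, *entry.args]
        if not hash_ok:
            results.append(ToolResult(entry.name, cmd, False, None, "", "hash mismatch or unknown tool"))
            continue
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
            results.append(ToolResult(entry.name, cmd, True, proc.returncode, proc.stdout, proc.stderr))
        except (OSError, subprocess.TimeoutExpired) as exc:
            results.append(ToolResult(entry.name, cmd, True, None, "", str(exc)))
    return results


def to_xml(results: list[ToolResult], hostname="unknown") -> str:
    """Report phase: one <tool> element per command, with its verification
    status and captured output, for later viewing or database import."""
    root = ET.Element("collection", host=hostname,
                      collected=datetime.now(timezone.utc).isoformat())
    for r in results:
        tool = ET.SubElement(root, "tool", name=r.name, verified=str(r.hash_ok).lower())
        ET.SubElement(tool, "command").text = " ".join(r.command)
        ET.SubElement(tool, "returncode").text = "" if r.returncode is None else str(r.returncode)
        ET.SubElement(tool, "stdout").text = r.stdout
        ET.SubElement(tool, "stderr").text = r.stderr
    return ET.tostring(root, encoding="unicode")


def demo() -> dict:
    """Constructed demo: stage a placeholder tool (hashed and renamed, never run),
    then acquire with the Python interpreter as a stand-in tool, once with the
    correct hash and once against a deliberately wrong checksum file."""
    work = Path(tempfile.mkdtemp(prefix="collect_demo_"))
    dummy = work / "dummy_tool.exe"               # constructed placeholder
    dummy.write_bytes(b"placeholder, not a real program")
    staged, checksum_text = stage_tools([ToolEntry("dummy", str(dummy))], work / "usb")
    good = parse_checksums(checksum_text)
    py = sys.executable
    good[Path(py).name] = sha256_file(py)
    bad = {Path(py).name: "0" * 64}               # simulates a tampered tool
    results = acquire([ToolEntry("hello", py, ["-c", "print('hello from tool')"])], good)
    results += acquire([ToolEntry("tampered", py, ["-c", "print('must not run')"])], bad)
    return {"staged_name": Path(staged[0].path).name,
            "staged_hash_ok": good[Path(staged[0].path).name] == sha256_file(staged[0].path),
            "results": results, "xml": to_xml(results, hostname="demo-host")}


if __name__ == "__main__":
    print(demo()["xml"])
```

The ordering is the point: the hash check happens before the tool runs, and a tool that fails it is still recorded in the report so the examiner can see what was skipped rather than silently missing output. Real profiles would list the tools given further down (with their arguments as the `args` list) and the checksum file would travel on the USB disk with the renamed binaries.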
List of Tools:
arp.exe -a
at.exe
autorunsc.exe
getmac.exe
handle.exe -a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report %OUTFILE%
nbtstat.exe -n
nbtstat.exe -A 127.0.0.1
nbtstat.exe -S
nbtstat.exe -c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe session
net.exe localgroup administrators /domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe -ao
netstat.exe -no
openfiles.exe /query /v
psfile.exe
pslist.exe
pslist.exe -t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck 127.0.0.1
tasklist.exe /svc
whoami.exe