COFEE (Computer Online Forensic Evidence Extractor), the forensics tool Microsoft created and provides to law enforcement officials, was leaked to torrent sites last week, and this has caused quite a bit of excitement. Let’s see if the big deal is warranted.
The software is made up of three components or phases:
* The tool generation phase, which is meant for the more tech-savvy forensics examiner to set up a profile that is exported to a USB disk. This is a simple decision-making process of which tools and parameters should be set up to run from the USB drive.
* The data acquisition phase, which is meant for the non-technical law enforcement folks who arrive on the scene to collect evidence. They use the USB disk configured in the tool generation phase, which runs through a set of common tools to gather volatile data, such as running processes, etc., and saves the output from each command.
* The report generation phase is once again meant for the tech-savvy. It uses the same GUI console as the tool generation phase, but this time to view the reports which are generated from the output of the tools run from the USB disk.
Now the hackers have more ammunition: by seeing how COFEE works, they can improve malicious code to evade it or misrepresent the data it collects. However, COFEE is not very special. Aside from being provided by Microsoft, it really doesn’t do much more than the other forensics toolkits out there. For example, IRCR (Incident Response Collection Report) by John McLeod, the Windows Forensics Toolchest by Monty McDougal, Harlan Carvey’s FSP (Forensic Server Project), and a forensics toolkit called PTN-FT that I’ve written myself all operate on the same basis: they provide a forensics framework which allows you to configure a list of commands used to collect volatile data and save the output for use in some reporting format, or in a format that can be uploaded to a database for analysis.
Microsoft provides a GUI for tool selection (see figure), whereas most toolkits use a config file or batch file to modify tool selection and parameters. It appears even the configuration of the USB disk comes with an easy-to-use interface. In addition to the preconfigured tools, you can add tools from your own collection.
One feature of COFEE I found to be useful is the random generation of tool names. While most toolkits out there will use tools from a good source (such as the Helix CD), Microsoft goes a step further in renaming the tools to randomly generated names, leaving no doubt that the intended version of the tool is running.
The output format is XML and, when loaded into the GUI, gives a view of the information as seen in the figure on the left. As mentioned, this is not ground-breaking forensics technology, as many toolkits give a nice view into the output data by framing it in HTML.
More of the same in terms of forensics toolkits: COFEE keeps hashes of the tools in a checksum file and also has multiple directories for OS-specific tools (winxp, win2k03, etc.). According to the documentation, it is not supported on Vista and Windows 7, but apparently a new version is planned for those operating systems.
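To make the three phases and the checksum file concrete, here is a small collector in the same spirit, written for this post as an added illustration; it is not Microsoft's code and not part of the original article. The tool names, file layout and the two fake "tools" (POSIX shell scripts, so it assumes a Unix-like host with /bin/sh) are constructed for the demonstration.

```python
"""Toy COFEE-style collector: command profile, tool checksums, per-command output, XML report."""
import hashlib, json, subprocess, tempfile, xml.etree.ElementTree as ET
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def write_profile(usb, commands):
    """Phase 1 (tool generation): record each command and the SHA-256 of its tool."""
    profile = [{"label": lbl, "tool": str(tool), "args": args, "sha256": sha256_file(tool)}
               for lbl, tool, args in commands]
    Path(usb, "profile.json").write_text(json.dumps(profile))
    return profile

def acquire(usb, out_dir):
    """Phase 2 (acquisition): run a tool only if its hash still matches; save its stdout."""
    status = {}
    for entry in json.loads(Path(usb, "profile.json").read_text()):
        label = entry["label"]
        if sha256_file(entry["tool"]) != entry["sha256"]:
            status[label] = "hash-mismatch"  # tool on the USB was altered: refuse to run it
            continue
        try:
            r = subprocess.run([entry["tool"], *entry["args"]], capture_output=True,
                               text=True, timeout=60)
            Path(out_dir, label + ".txt").write_text(r.stdout)
            status[label] = "ok" if r.returncode == 0 else "exit %d" % r.returncode
        except (OSError, subprocess.TimeoutExpired) as e:
            status[label] = "error: " + type(e).__name__
    return status

def build_report(out_dir, status):
    """Phase 3 (report): fold the saved outputs into one XML document for the viewer."""
    root = ET.Element("report")
    for label, st in status.items():
        cmd = ET.SubElement(root, "command", label=label, status=st)
        out_file = Path(out_dir, label + ".txt")
        cmd.text = out_file.read_text() if out_file.exists() else ""
    return ET.tostring(root, encoding="unicode")

def demo():
    """Constructed run: two fake tools (shell scripts); one is altered after profiling."""
    usb, out = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    for name in ("hostname", "whoami"):
        (usb / name).write_text("#!/bin/sh\necho demo-%s\n" % name)
        (usb / name).chmod(0o755)
    write_profile(usb, [(n, usb / n, []) for n in ("hostname", "whoami")])
    (usb / "whoami").write_text("#!/bin/sh\necho tampered\n")  # altered after profiling
    status = acquire(usb, out)
    return status, build_report(out, status)
```

The hash check is what actually guarantees the intended tool runs; the altered "whoami" is reported as a mismatch and its output never reaches the report.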
List of tools:
* arp.exe -a
* at.exe
* autorunsc.exe
* getmac.exe
* handle.exe -a
* hostname.exe
* ipconfig.exe /all
* msinfo32.exe /report %OUTFILE%
* nbtstat.exe -n
* nbtstat.exe -A 127.0.0.1
* nbtstat.exe -S
* nbtstat.exe -c
* net.exe share
* net.exe use
* net.exe file
* net.exe user
* net.exe accounts
* net.exe view
* net.exe start
* net.exe Session
* net.exe localgroup administrators /domain
* net.exe localgroup
* net.exe localgroup administrators
* net.exe group
* netdom.exe query DC
* netstat.exe -ao
* netstat.exe -no
* openfiles.exe /query /v
* psfile.exe
* pslist.exe
* pslist.exe -t
* psloggedon.exe
* psservice.exe
* pstat.exe
* psuptime.exe
* quser.exe
* route.exe print
* sc.exe query
* sc.exe queryex
* sclist.exe
* showgrps.exe
* srvcheck 127.0.0.1
* tasklist.exe /svc
* whoami.exe