Tag: Microsoft
Microsoft serves up some Hot COFEE
by phil on May.09, 2008, under Security
Microsoft recently released a tool to help IT security people do their forensics work. The tool is called COFEE (Computer Online Forensic Evidence Extractor) and it’s a USB key with U3 capabilities. A U3 USB thumb drive works such that Windows accepts the drive as a CD with autorun capabilities. Once inserted, the USB key goes to work collecting what it can using whatever tools Microsoft has at its disposal. Here’s an excerpt from their site:
COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of command line tools. It is a framework that law enforcement can use to leverage publicly available tools to access information on a live Windows system operating from a USB storage device. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.
Now, the problem I see with this tool is that you have to initiate the scanning manually. What if you’re trying to gather data off of a running headless server? You’ll have to get a username and password for the server, which might prove difficult if you’re law enforcement.
Unfortunately, Microsoft is only providing this tool to those in law enforcement, and so far only Interpol. So what can we, the lay person, use? Well, there are plenty of alternatives out there.
Linux Live CDs
There are a multitude of live CDs out there to choose from for this type of work. BackTrack gives you a slew of forensics tools, as well as other tools such as adding a user to Windows and downloading the entire LM hash database. There’s also Helix, which provides you with a multitude of forensic tools. The only problem with a live CD is that you must shut down the machine and reboot it into Linux. This erases all memory on the machine. One upside, however, is that you can mount the Windows hard drives read-only.
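To show what the read-only mount from a live CD buys you, here is an added example (not from the original post or from any of the tools mentioned above). It hashes a volume image before and after examination and builds the mount options a first responder would use; the image file is constructed by the script itself so it runs without a seized disk, and the actual mount is only attempted when run as root with `DO_MOUNT=1` set, which is an assumption of this example rather than anything the post describes.

```shell
#!/bin/sh
# Added example: read-only evidence mount with an integrity check.
# Assumes a Linux live environment with sha256sum, dd and mount(8).
set -e

# Create a small constructed "disk image" standing in for a seized Windows volume.
make_sample_image() {
    img="${1:-/tmp/evidence_sample.img}"
    dd if=/dev/zero of="$img" bs=1024 count=64 2>/dev/null
    printf 'NTFS sample data\n' | dd of="$img" conv=notrunc 2>/dev/null
    printf '%s\n' "$img"
}

# Hash the evidence before and after examination; a mismatch means something wrote to it.
hash_image() {
    sha256sum "$1" | cut -d' ' -f1
}

# Mount options for evidence: ro (no writes), noatime (no access-time updates),
# noexec/nodev/nosuid (never run anything from the evidence), loop for a file image.
# Returned as a string so it can be inspected without root.
mount_options() {
    printf '%s' "ro,noatime,noexec,nodev,nosuid,loop"
}

# Perform the mount only as root with DO_MOUNT=1 (assumed convention for this
# example); otherwise print the command that would be run.
mount_readonly() {
    img="$1"; mnt="$2"
    if [ "$(id -u)" -eq 0 ] && [ "${DO_MOUNT:-0}" = "1" ]; then
        mkdir -p "$mnt"
        mount -t ntfs -o "$(mount_options)" "$img" "$mnt"
    else
        printf 'would run: mount -t ntfs -o %s %s %s\n' "$(mount_options)" "$img" "$mnt"
    fi
}

# Returns 0 if the two hashes match (evidence untouched), 1 otherwise.
verify_unchanged() {
    [ "$1" = "$2" ]
}

main() {
    img=$(make_sample_image)
    before=$(hash_image "$img")
    mount_readonly "$img" /mnt/evidence
    after=$(hash_image "$img")
    if verify_unchanged "$before" "$after"; then
        echo "evidence hash unchanged: $before"
    else
        echo "WARNING: evidence modified during examination" >&2
        return 1
    fi
}

main "$@"
```

The before/after hash is the part worth keeping in a real procedure: a read-only mount stops the examiner from altering the volume, and the hash comparison is how you prove it afterwards.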
Hak5’s USB Switchblade
This is where I think Windows got the whole idea for this anyway. It’s basically a USB key that has U3 and contains a whole slew of tools for gathering evidence. The key with Switchblade is that it doesn’t need any interaction from a user. The main downside is that it can get caught by anti-virus software. You can find information about the tool and download it here: http://wiki.hak5.org/wiki/USB_Switchblade.
In the end, Microsoft really isn’t doing anything new here. The reason everyone is in an uproar over this is that privacy experts are concerned COFEE is using some as yet unknown backdoors into Windows. While I doubt that’s the case, it is interesting that Microsoft is only releasing COFEE to law enforcement and no one outside that area is allowed access to the tool. That doesn’t mean people won’t get access, but if it smells fishy it’s probably fish.