Microsoft has given law enforcement officials a new tool known as “Computer Online Forensic Evidence Extractor,” or COFEE, to aid in the pursuit of crimes involving computers. COFEE is a framework of customizable and common forensic tools for law enforcement.
Microsoft made the announcement at this year’s Law Enforcement Technology conference. The three-day event, hosted by Microsoft, draws together some 400 law enforcement officials from more than 35 countries to demonstrate the latest technology tools and provide information from experts on techniques for investigating computer-related crimes.
Cops and COFEE
The challenge for federal, state and local law enforcement investigating crimes such as child pornography, identity theft and online scams comes when officers move in to make an arrest. Whether armed with a search warrant or allowed onto the premises by an alleged suspect, accessing the suspect’s computer has proven difficult at best if for some reason the system has been shut down and encrypted.
“Basically, this is going after the bad guys doing bad stuff on the Internet. And what happens is, when a law enforcement agent gets there with his search warrant and either knocks on the door or bursts through the door, most bad guys shut their computer down and encrypt the hard drive,” explained Terrence Brewton, an analyst at Frost & Sullivan.
The data is only available so long as the suspect is logged in and the computer remains on. When law enforcement seizes the equipment to collect digital evidence, the encryption impedes their efforts, he added.
Officers either need the password or a way around the suspect’s security. One popular method of encryption is found in Microsoft’s Vista operating system. Its BitLocker encryption application, available with Vista Ultimate and Enterprise, sometimes puts law enforcement at a disadvantage.
COFEE provides law enforcement with a framework they can use to leverage publicly available forensic tools to access information on a PC running Windows. The set of tools is kept on a USB (universal serial bus) storage device. Agents can run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab, Microsoft said.
Rather than a collection of new forensic tools, COFEE is a simple, automated forensic tool officers can deploy at the scene of an arrest, Tim Cranton, associate general counsel for Microsoft, told TechNewsWorld.
“It’s the ease of use, speed and consistency of evidence extraction that is the key,” he continued.
However, Microsoft pointed out, COFEE does not circumvent Windows Vista BitLocker encryption or undermine protections in Windows through secret “back doors” or other undocumented means.
More than 2,000 agents in 15 countries, including Germany, New Zealand, the Philippines and the U.S. have added the device as an investigative tool.
Although Microsoft emphasizes that COFEE is designed for use by law enforcement only with proper legal authority, privacy advocates still have reservations about the all-in-one tool.
“It’s a great tool, but a lot of privacy advocates look at this as another tool law enforcement can use to infringe on a person’s rights,” Brewton told TechNewsWorld.
Evidence in the open is fair game for law enforcement, he noted, but if a screen saver is on and the officers are unable to see what is on the screen, they can simply plug the USB drive into the back of the computer and extract all its data.
“There are different types of search warrants. General search warrants cover everything, but others are specific and only allow them to look at X,Y or Z. Most cyber crimes that call for a search warrant are specific search warrants for the hard drive and other media like external hard drives and thumb drives or CDs and DVDs,” Brewton explained.
Privacy advocates’ concern focuses on the possibility that a law enforcement agent could abuse the device by accessing a person’s computer without their consent, according to Brewton.
“Some law enforcement officials have a tendency to go a little overboard and bend the rules in their favor. It is my concern that they’ll bend the rules just because they have a hunch and violate someone’s privacy,” he added.
“The other side is if hackers get their hands on this tool and find a way to reverse engineer the tool and find ways to prevent that tool from getting to the information. It is very dangerous that this tool is out there. Law enforcement has been known to lose things — everything from a baton to a handgun — and I guarantee that a thumb drive is nothing,” Brewton said.
This may give agents a leg up on cyber criminals today, but in three to six months with this tool out on the market, it will have to be something different, he stated.
“The thing about BitLocker is that if it uses 256, BlowFish or triple DES (data encryption standard) and it encrypts their whole hard drive, this will not crack it. This is geared at Microsoft BitLocker. If they go after PGP (Pretty Good Privacy) and other encryption tools out there, I’m not sure this will crack it,” Brewton concluded