Microsoft's COFEE forensic tool leaks onto the web

Filed Under: Data loss, Law & order, Microsoft

According to media reports, a tool developed by Microsoft to assist in computer crime investigations has leaked onto the web.

COFEE (Computer Online Forensic Evidence Extractor) is a system designed to collect digital evidence from suspect's computers while they are running, without the investigating officer having to do much more than inserting a USB stick.

Microsoft COFEE

COFEE allows computer crime investigators to grab a dump of processes running on an active computer at the scene of an investigation. The ability to grab a perfect copy of data from a PC without interfering with a computer is attractive to the computer crime authorities - and it's especially handy when more and more drives are using encryption and strong passwords to prevent unauthorised access.

But at the same time, you can probably understand why Microsoft might wish to control who can get their paws on the software.

Yes, it's understandable that some will be concerned that disreputable parties may now have access to a tool which may assist them in their own criminal activities. But more than that, what's to say that the bad guys couldn't analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?

That, after all, might make life difficult for the computer cops when they try and dash-and-grab data from a suspicious PC.

, ,

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.