Microsoft’s COFEE forensic tool leaks onto the web

According to media reports, a tool developed by Microsoft to assist in computer crime investigations has leaked onto the web.

COFEE (Computer Online Forensic Evidence Extractor) is a system designed to collect digital evidence from suspect’s computers while they are running, without the investigating officer having to do much more than inserting a USB stick.

Microsoft COFEE

COFEE allows computer crime investigators to grab a dump of processes running on an active computer at the scene of an investigation. The ability to grab a perfect copy of data from a PC without interfering with a computer is attractive to the computer crime authorities – and it’s especially handy when more and more drives are using encryption and strong passwords to prevent unauthorised access.

But at the same time, you can probably understand why Microsoft might wish to control who can get their paws on the software.

Yes, it’s understandable that some will be concerned that disreputable parties may now have access to a tool which may assist them in their own criminal activities. But more than that, what’s to say that the bad guys couldn’t analyse COFEE, and write their own code which neutralises it (or wipes sensitive data from their computer) if they determine it is being run on their own computer?

That, after all, might make life difficult for the computer cops when they try and dash-and-grab data from a suspicious PC.