Tuesday, May 20, 2008

If you haven't heard about Microsoft's Computer Online Forensic Evidence Extractor (COFEE), it's high time you did. Here's a little intro from the Seattle Times.

I'm all for eliminating any excuse for law enforcement to take away my computer hardware, but this goes too far! This is basically a USB key that lets anyone into my computer and past any encryption that may be protecting me. I know the article says it's for law enforcement only - but how long before an officer leaves one in a donut shop and it finds its way onto the Pirate Bay? -- hold on, I better see if it's already there -- phew, not yet.

Actually, my outrage is dramatized for purposes of this article. Most of us know this game of security we play only stops the casual passer-by. If someone has physical access, it's only a matter of time before they get in: if not through back doors created by Microsoft, then through bugs or unknown technical trickery.

I myself hacked a system once in my past. I was helping a director from another department with his laptop. XP was locked down by his IT folks but he really needed to get a program installed while at this conference. I had no prior hacking experience or skills to help me. I did a quick Google search and in 10 minutes burned a bootable Linux CD. It knew how to mount the NTFS volume, find the passwords file and examine its contents. Within 15 minutes I had this director in his laptop as administrator working with his critical application. Scary.

Actually, physical access isn't even needed either. I'm not talking about a generic virus or trojan. It is possible for someone to target your PC and run a program on it that can extract whatever they need remotely - without ever touching it. This past March this very thing was done to a Mac and a Vista machine at the CanSecWest conference as part of a contest.

But if you still care about the COFEE application and the dangers of making user-friendly hacking tools available...

COFEE, a preconfigured, automated tool, fits on a USB thumb drive. Prior to COFEE, the equivalent work would require a computer forensics expert to enter 150 complex commands manually, through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button -- completing the work in about 20 minutes.
  • I like this article at C|Net news where Microsoft claims the tool is just in beta but that it has 2,000 users already. This obviously won't stay secure for long.
