It was announced a few days ago: Microsoft COFEE has leaked onto the wild Internet! Microsoft COFEE stands for "Computer Online Forensic Evidence Extractor". This "forensic Swiss army knife" is provided free of charge to police forces around the world to conduct official forensic investigations.
Note: It’s reportedly illegal for unauthorized people to download and use this software.
Microsoft has already commented on the issue and does not seem bothered.
COFEE is based on three components:
- A GUI for the investigator,
- The command-line application to be executed on the target machine,
- The individual tools, which are managed by COFEE and the command-line application.
The software is very easy to use. The first step is to create a USB drive that will grab evidence from the target system. A GUI helps you build the USB image with all the tools required to run the investigation in a fully automated way. The procedure is based on profiles (pre-defined or created manually). Each profile defines which tools will be executed and with which options (flags). Many tools are pre-configured, and your own tools can easily be added.
Next, the freshly generated USB drive is inserted into the target computer. It executes the predefined scenario (depending on the chosen profile) and saves all useful data on the USB drive. As with any live-response toolkit, the tools run on the suspect machine itself, so the collection inevitably alters some of its state (running processes, file access timestamps), which is why the order and choice of tools in the profile matter.
Once this is done, the last step is to return to the computer running the GUI, reinsert the USB drive, which now contains the potential evidence, and generate the report. The result is an XML file!
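The three-step workflow above, as an added example that is not COFEE's code (the profile layout, tool list, report schema and function names are all assumptions made here): a small Python collector that runs a profile of command-line tools, writes each tool's output to the drive, hashes what it wrote, and emits an XML report that can later be re-verified against the files on the drive. A tool that is missing on the target is recorded as such instead of aborting the run.

```python
"""Profile-driven live-response collector, an added example and not Microsoft's
code: run a profile of tools, save each output to the drive, hash it, report in XML."""
import datetime
import hashlib
import os
import platform
import subprocess
import sys
import xml.etree.ElementTree as ET

# Constructed profile: the command names and flags are ordinary Windows
# tools, but the profile layout is this example's assumption, not COFEE's.
WINDOWS_VOLATILE_PROFILE = [
    {"name": "ipconfig", "args": ["ipconfig", "/all"]},
    {"name": "netstat", "args": ["netstat", "-ano"]},
    {"name": "tasklist", "args": ["tasklist", "/v"]},
    {"name": "arp", "args": ["arp", "-a"]},
]
# Portable profile to exercise the collector on any OS: one tool that is
# certainly present (the running interpreter) and one that certainly is not.
PORTABLE_CHECK_PROFILE = [
    {"name": "python", "args": [sys.executable, "-c", "print('live response')"]},
    {"name": "absent", "args": ["no-such-forensic-tool-xyz", "--help"]},
]

def utc_now():
    return datetime.datetime.now(datetime.timezone.utc).isoformat()

def run_profile(profile, outdir, timeout=60):
    """Run every tool in order, saving stdout under outdir; returns result dicts.
    A tool that is absent on the target, or hangs, gets a status instead of
    aborting the whole collection."""
    os.makedirs(outdir, exist_ok=True)
    results = []
    for tool in profile:
        path = os.path.join(outdir, tool["name"] + ".txt")
        entry = {"name": tool["name"], "args": tool["args"], "path": path,
                 "started": utc_now()}
        try:
            proc = subprocess.run(tool["args"], capture_output=True, timeout=timeout)
            data = proc.stdout
            entry["status"] = "ok" if proc.returncode == 0 else "error"
        except FileNotFoundError:
            data, entry["status"] = b"", "missing"
        except subprocess.TimeoutExpired:
            data, entry["status"] = b"", "timeout"
        with open(path, "wb") as fh:
            fh.write(data)
        # Hash exactly what was written, so the report can later be checked
        # against the files on the drive.
        entry["sha256"] = hashlib.sha256(data).hexdigest()
        entry["size"] = len(data)
        results.append(entry)
    return results

def report_xml(results, hostname=None):
    """Build the XML report element from run_profile() results."""
    root = ET.Element("collection", host=hostname or platform.node(), generated=utc_now())
    for r in results:
        item = ET.SubElement(root, "tool", name=r["name"], status=r["status"],
                             started=r["started"])
        ET.SubElement(item, "command").text = " ".join(r["args"])
        ET.SubElement(item, "output", path=os.path.basename(r["path"]),
                      size=str(r["size"]), sha256=r["sha256"])
    return root

def verify_report(root, outdir):
    """Re-hash the saved files; returns names of tools whose file no longer matches."""
    bad = []
    for item in root.findall("tool"):
        out = item.find("output")
        with open(os.path.join(outdir, out.get("path")), "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != out.get("sha256"):
                bad.append(item.get("name"))
    return bad

def self_check(outdir="collector-selfcheck"):
    """Run the portable profile and re-verify it; returns (results, mismatches)."""
    results = run_profile(PORTABLE_CHECK_PROFILE, outdir)
    return results, verify_report(report_xml(results), outdir)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "collected"
    res = run_profile(WINDOWS_VOLATILE_PROFILE, target)
    ET.ElementTree(report_xml(res)).write(os.path.join(target, "report.xml"),
                                          encoding="utf-8", xml_declaration=True)
    for r in res:
        print(f"{r['name']:9s} {r['status']:8s} {r['size']:7d} bytes  sha256={r['sha256'][:16]}")
```

Run it with the drive's mount point as the first argument. On a non-Windows machine the Windows tools are simply reported as missing, which is the behaviour an investigator wants when a profile is pointed at the wrong system. The per-file hashes in the report give the workstation that generates the final report a way to confirm that nothing on the drive changed between the target and the analysis machine.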
Honestly, this software is not a revolution! Compatible with Windows XP only, it just bundles a nice list of command-line tools (well known to system administrators) and lets low-level investigators easily grab data from suspicious computers in a few minutes. But creating a profile for the USB drive may require more knowledge (investigators have to know what to search for, and where).