Art of Information Security

Random Insights on Protecting Data, Privacy, and Digital Infrastructure

Hacker’s Holy Grail - Redefined by Microsoft…

Countdown to Black-Hat COFEE Device Begins!

The Seattle Times is reporting today that Microsoft has developed the ultimate hacker tool for Windows. Of course, MS doesn’t consider it a hacker tool; they describe it as a computer forensics tool. Here is a quote from the article:

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Of course, on the one hand MS has developed a forensic tool for use by authorized law enforcement agents. On the other hand, they have also produced a compelling proof of concept that their operating system’s security can be soundly defeated any time an attacker has physical access, and they have created a treasure trove of exploits to be reverse engineered.

It is well documented that cybercrime is not only big business, but that it is highly organized. The fact that, in the cybercrime underworld, there are markets for stolen data, toolkits (such as the Rock Phish Kit), and services (such as renting time on Botnets) is a strong demonstration of how organized (and profitable) cybercrime is. Microsoft has now defined a new Holy Grail for those organizations to pursue. The CSI/FBI computer crime report consistently demonstrates how significant the Insider Threat is, and clones of the COFEE will make those individuals that much more dangerous.

Also, the reverse engineering of one of these devices would certainly be of great value to the black hat community, and could do long-term harm to desktop security. The fact that there are 150 exploit functions on the device written by Microsoft’s own people, with their privileged knowledge, makes this device worth its weight in gold (or perhaps plutonium).

Given the number of governments that have been accused of either participating with or shielding cyber criminals, it is only a matter of time before these devices are reverse engineered and duplicated. Of course, it may not be necessary for the black hat community to acquire one to reverse engineer it. Many countries require public documentation of how evidence is collected and preserved. So it may only be a matter of time before Microsoft finds itself providing direct testimony, as other forensic product companies have done, on the exact workings of COFEE.

- Erik

Categories
Analysis and Insight
Tags
COFEE, Physical Security Threats


4 responses

Rory McCune

I’m not quite sure how you’re making the jump from the quote saying 150 commands to the idea that those commands will be exploits.

I’d expect the commands on the key to be forensics tools like you see on some of the bootable Linux forensics distributions which help an investigator gather information from a potential target machine.

Erik

Rory -

I concede that you are probably right. The exploit functions are the functions that permit cracking passwords, reading memory contents, etc. via the USB port on a running machine, and I don’t know how much of that functionality is on the device.

I am trying to get more detailed information and I will pass that on (with corrections to my post of course ;-) ) as I am able to get it.

Thanks for your comment.
Erik

Bozidar Spirovski

In a process of computer forensics it is quite frequent that the forensic team employs tools which will analyze browser cookies, decrypt passwords, search for hidden text etc., much like a hacker. To be very frank, both forensic experts and hackers might find themselves using the same tools.

But that doesn’t mean that Microsoft produced anything new or spectacular. The same set of tools can be found in the Helix forensic CD or several other toolkits - when looking at open platforms and known standards, the tools are already out there - and they are mostly free.

What Microsoft could have done to empower government officials (FBI, DEA etc.) is to produce tools that employ backdoors into their systems to achieve certain forensic actions at a faster rate. But this would be a very dangerous road to tread on - since any such back door will become public domain knowledge before long, and then MS will be deemed extremely insecure - once again.

Bozidar Spirovski
http://www.shortinfosec.net

Mark Long

As a former security guy at Microsoft, I am pretty familiar with the tools used although COFEE was not one that I used on a daily basis - I specialised in malware and we had different but related tools for that.

So, what does COFEE do? Well, nothing that other forensics tools don’t do really. You could duplicate the functionality of most of it using Sysinternals tools and a couple of other public utilities. The point of COFEE is to automate the grabbing of evidence without needing the cop on the scene to be an IT forensics specialist with access to a copy of ENCASE to get and preserve some useful evidence. It isn’t a replacement for the conventional imaging tools though.

Would this be of use as a hacking tool? Not so much. It is a thumb drive to be used on an unlocked PC. It doesn’t have a magical way of unlocking a locked PC or elevating privilege levels. There are ways of doing this intrinsic to the hardware that can be used but I am not aware of any software vulnerability or built in mechanism to do this and I am sure that I would know about it if there were one.

COFEE is a local tool that needs physical access to the machine and you need to be logged on and ideally you need admin rights to use it. It just automates the process and doesn’t open up any new holes.

Hope that this information helps.

Mark Long, Digital Looking Glass
