Art of Information Security

Countdown to Black-Hat COFEE Device Begins !

The Seattle Times is reporting today that Microsoft has developed the ultimate hacker tool for Windows. Of course, MS doesn’t consider it a hacker tool, they describe it as a computer forensics tool. Here is a quote from the article:

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Of course, on the one hand MS has developed a forensic tool for use by authorized law enforcement agents. They have also produced a compelling proof of concept that their operating system’s security can be soundly defeated anytime an attacker has physical access. And they have also created a treasure trove of exploits to be reverse engineered.

It is well documented that cybercrime is not only big business, but that it is highly organized. The fact that, in the cybercrime underworld, there are markets for stolen data, toolkits (such as the Rock Phish Kit), and services (such as renting time on Botnets) is a strong demonstration of how organized (and profitable) cybercrime is. Microsoft has now defined a new Holy Grail for those organizations to pursue. The CSI/FBI computer crime report consistently demonstrates how significant the Insider Threat is, and clones of the COFEE will make those individuals that much more dangerous.

Also, the reverse engineering of one of these devices would certainly be of great value to the black hat community, and do potentially long term harm to desktop security. The fact that there are 150 exploit functions on the device written by Microsoft’s own, with their privileged knowledge, makes this device worth its weight in gold (or perhaps plutonium).

Given the number of governments that have been accused of either participating with or shielding cyber criminals, it is only a matter of time before these devices are reverse engineered and duplicated. Of course, it may not be necessary for the black hat community to acquire one to reverse engineer it. Many countries require public documentation of how evidence is collected and preserved. So it may only be a matter of time before Microsoft finds itself providing direct testimony, as other forensic product companies have done, on the exact workings of COFEE.

- Erik