(Updated from my old blog post)
The COFEE/DECAF affair happened around late 2009, when Microsoft thought it was a good idea to supply its own Computer Online Forensic Evidence Extractor (COFEE). The idea was that live data could be extracted by police and incident response personnel with minimal training – a case manager would configure the tool for the particular incident, and someone on the scene would just plug in the COFEE USB drive.
It wasn’t a bad idea in itself, but there were several issues.
COFEE is installed on a workstation, and whenever a live acquisition tool is required, a collection of executables and a script to automate them are loaded onto a (forensically clean) USB drive. This collection can be customised and prepared for the particular incident. When the USB drive is plugged into the target machine, those executables are run automatically, and their output is directed to the USB drive or another specified storage medium.
The Distribution of COFEE
Microsoft intended to limit COFEE’s distribution to government and law enforcement, and supplied the software to 187 agencies internationally. INTERPOL also supplied it on request. Someone leaked a copy to Cryptome, and from there it went onto file sharing networks.
The Need for Proper Training and Software
There are problems with the idea itself. Although Microsoft recommended that the management and preparation of COFEE be done by a competent examiner, personnel without the training still shouldn’t really perform live acquisitions. If it became known that they interacted with the target system, the evidence could easily be challenged. For example, a forensic analyst working for the defence will notice, from the Registry files, that something was plugged in after the incident response team arrived. That’s enough to substantially weaken a case, unless the responders are able to explain exactly how COFEE affected the system.
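The check a defence analyst would run is a timeline one: which USB storage devices first appeared on the machine after the responders arrived. As an added example (not from the original post), the script below parses device-install sections in the format of Windows’ setupapi.dev.log, an artifact that records first-connection times alongside the USBSTOR Registry keys mentioned above; the log lines and the device IDs are constructed for the example, and the log format is assumed from Windows 7 and later.

```python
import re
from datetime import datetime

# Constructed sample in the shape of Windows' setupapi.dev.log (assumption: the
# "[Device Install ...]" header followed by a "Section start" timestamp).
# Two devices appear before a hypothetical responder arrival, one after it.
SAMPLE_SETUPAPI_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\\0019E06B1C2D&0]
>>>  Section start 2009/11/18 09:12:44.101
<<<  Section end 2009/11/18 09:12:47.310
>>>  [Device Install (Hardware initiated) - USB\\VID_046D&PID_C52B\\5&2a1b3c4d&0&2]
>>>  Section start 2009/11/18 09:15:02.000
<<<  Section end 2009/11/18 09:15:03.500
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\CAFE0001&0]
>>>  Section start 2009/11/20 14:32:11.123
<<<  Section end 2009/11/20 14:32:15.770
"""

HEADER_RE = re.compile(r"^>>>\s+\[Device Install .*? - (?P<devid>[^\]]+)\]")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")


def parse_device_installs(log_text):
    """Yield (device_id, first_install_time) for each Device Install section."""
    pending = None
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group("devid")
            continue
        m = START_RE.match(line)
        if m and pending is not None:
            # Timestamps are the machine's local clock; compare them against the
            # responders' arrival only after accounting for clock skew.
            yield pending, datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            pending = None


def usb_storage_after(log_text, responders_arrived):
    """Return IDs of USBSTOR devices first installed at or after the given
    'YYYY-MM-DD HH:MM' local time. Only the storage class is reported, since
    a keyboard or mouse plugged in by responders does not carry data away."""
    arrival = datetime.strptime(responders_arrived, "%Y-%m-%d %H:%M")
    return [devid for devid, ts in parse_device_installs(log_text)
            if devid.upper().startswith("USBSTOR\\") and ts >= arrival]


if __name__ == "__main__":
    for devid in usb_storage_after(SAMPLE_SETUPAPI_LOG, "2009-11-20 14:00"):
        print("USB storage connected after responders arrived:", devid)
```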
But there is a strong need for live acquisition to somehow become standard practice. More is done online, in particular file storage and sharing, most people use some form of cloud computing service, and today the average computer has around 2GB of system memory. Together, that’s a lot of potentially valuable evidence lost with the current practice of removing the computer’s power cable. Live acquisition must somehow be performed using methods proven to have minimal effect on the system.
COFEE as an Exfiltration Tool
Given that COFEE is already in wider circulation, others could potentially use it to exfiltrate data from a target location: someone could enter an office building and wander about unchallenged while extracting data from multiple computers running Microsoft Windows. If the target computers are connected to the company’s remote services, this might allow access to them later.
This brings me to another problem I have with COFEE: the fact that Microsoft released something that could be used against its own customers, the ones who expected Microsoft to secure the operating system against this kind of thing.
A countermeasure known as DECAF was quickly published by two anonymous programmers, the motive apparently being that acquisitions should be performed by professionals with the proper tools, and with the full understanding of how those systems work. DECAF would supposedly force agencies to do this.
But DECAF was designed specifically to lock down a computer if COFEE was detected, and therefore it was designed specifically to obstruct forensic investigations. We could assume that only criminals anticipating a raid, following some already compelling evidence, would bother installing DECAF. This was pointed out in a CyberSpeak interview in late 2009, and DECAF was taken down following a request.