
Entry: Computer Online Forensic Evidence Extractor
Definition

  1. Development and distribution

     Public leak 

  2. Use

  3. DECAF

  4. See also

  5. References

  6. External links

Not to be confused with coffee, the black beverage.

Computer Online Forensic Evidence Extractor (COFEE) is a tool kit, developed by Microsoft, to help computer forensic investigators extract evidence from a Windows computer. Installed on a USB flash drive or other external disk drive, it acts as an automated forensic tool during a live analysis. Microsoft provides COFEE devices and online technical support free to law enforcement agencies.

Development and distribution

COFEE was developed by Anthony Fung, a former Hong Kong police officer who now works as a senior investigator on Microsoft's Internet Safety Enforcement Team.[1] Fung conceived the device following discussions he had at a 2006 law enforcement technology conference sponsored by Microsoft.[2] The device is used by more than 2,000 officers in at least 15 countries.[3]

A case cited by Microsoft in April 2008 credits COFEE as being crucial in a New Zealand investigation into the trafficking of child pornography, producing evidence that led to an arrest.[1]

In April 2009 Microsoft and Interpol signed an agreement under which INTERPOL would serve as principal international distributor of COFEE. University College Dublin's Center for Cyber Crime Investigations in conjunction with Interpol develops programs for training forensic experts in using COFEE.[5] The National White Collar Crime Center has been licensed by Microsoft to be the sole US domestic distributor of COFEE.[1]

Public leak

On November 6, 2009, copies of Microsoft COFEE were leaked onto various torrent websites.[7] Analysis of the leaked tool indicates that it is largely a wrapper around other utilities previously available to investigators.[8] Microsoft confirmed the leak; however, a spokesperson for the firm said, "We do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to 'build around' to be a significant concern".[9]

Use

The device is activated by being plugged into a USB port. It contains 150 tools and a graphical user interface to help investigators collect data.[1] The software is reported to be made up of three sections. First, COFEE is configured in advance, with an investigator selecting the data they wish to export; this is then saved to a USB device for plugging into the target computer. A further interface generates reports from the collected data.[8] Estimates cited by Microsoft state that jobs that previously took 3–4 hours can be done with COFEE in as little as 20 minutes.[1]

COFEE includes tools for password decryption, Internet history recovery and other data extraction.[2] It also recovers data stored in volatile memory which could be lost if the computer were shut down.[15]

DECAF

In mid to late 2009 a tool named Detect and Eliminate Computer Acquired Forensics (DECAF) was announced by an uninvolved group of programmers. The tool would reportedly protect computers against COFEE and render the tool ineffective.[2] It was claimed to provide real-time monitoring of COFEE signatures on USB devices and in running applications and, when a COFEE signature was detected, to perform numerous user-defined processes. These included COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses.[3] On December 18, 2009 the DECAF creators announced that the tool was a hoax and part of "a stunt to raise awareness for security and the need for better forensic tools".[4][5][6][7]

See also

  • Kali Linux
  • nUbuntu
  • Windows To Go, bootable USB drive with Windows capable of running data recovery/collection utilities

References

1. http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
2. Michael Bartolacci (2012). Advancements and Innovations in Wireless Communications and Network Technologies. IGI Global. p. 226. ISBN 1466621540. https://books.google.com/books?id=jvZJzz37hh4C&pg=PA226&lpg=PA226&dq=Detect+and+Eliminate+Computer+Acquired+Forensics&source=bl&ots=FnjshQK8GQ&sig=yPL0v8AODg7d35-085vc36P_3gM&hl=en&sa=X&ei=WUONVc_8JIfegwS814HwAg&ved=0CEIQ6AEwBQ#v=onepage&q=%22Detect%20and%20Eliminate%20Computer%20Acquired%20Forensics%22&f=false. Accessed 26 June 2015.
3. Dan Goodin (14 December 2009). "Hackers declare war on international forensics tool". The Register. https://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/. Accessed 15 December 2009.
4. Nick Eaton. "Anti-COFEE tool DECAF revealed as stunt". Seattle PI. http://blog.seattlepi.com/microsoft/2009/12/18/anti-cofee-tool-decaf-revealed-as-stunt/. Accessed 26 June 2015.
5. "DECAF Was Just a Stunt, Now Over". Slashdot. http://tech.slashdot.org/story/09/12/18/1810250/decaf-was-just-a-stunt-now-over. Accessed 26 June 2015.
6. "Anti-forensische tool DECAF geen hoax". Security.nl. https://www.security.nl/posting/27113/Anti-forensische+tool+DECAF+geen+hoax. Accessed 26 June 2015.
7. Kim Zetter (14 December 2009). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Wired.com. https://www.wired.com/threatlevel/2009/12/decaf-cofee/. Accessed 15 December 2009.
8. "Brad Smith: Law Enforcement Technology Conference 2008". Microsoft Corporation. 2008-04-28. http://www.microsoft.com/presspass/exec/bradsmith/04-28letech.mspx. Archived at https://web.archive.org/web/20120223063026/https://www.microsoft.com/presspass/exec/bradsmith/04-28letech.mspx on 2012-02-23. Accessed 2008-05-19.
9. "Microsoft Calls on global public-private partnerships to Help in the Fight Against Cybercrime (Q&A with Tim Cranton, Associate General Counsel for Microsoft)". Microsoft Corporation. 2008-04-28. http://www.microsoft.com/presspass/features/2008/apr08/04-28CrantonQA.mspx. Accessed 2008-05-19.
10. "INTERPOL initiative with Microsoft aims to raise global standards against cybercrime through strategic partnership with IT sector". INTERPOL. http://www.interpol.int/public/ICPO/PressReleases/PR2009/PR200937.asp. Accessed 2009-07-16.
11. Alexandra Pullin. "Microsoft's not bothered about COFEE leak". The Inquirer. http://www.theinquirer.net/inquirer/news/1561911/microsoft-bothered-cofee-leak. Accessed 24 August 2010.
12. "Microsoft COFEE law enforcement tool leaks all over the Internet". TechCrunch. http://www.crunchgear.com/2009/11/06/siren-gif-microsoft-cofee-law-enforcement-tool-leaks-all-over-the-internet/. Accessed 2009-11-07.
13. "More COFEE Please, on Second Thought". http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/. Accessed 2009-11-09.
14. Benjamin J. Romano (2008-04-29). "Microsoft device helps police pluck evidence from cyberscene of crime". The Seattle Times. http://seattletimes.nwsource.com/html/microsoft/2004379751_msftlaw29.html. Accessed 2008-05-19.
15. Elinor Mills (2008-04-29). "Microsoft hosts its own police academy". CNet News.com. http://www.news.com/8301-10784_3-9930664-7.html. Accessed 2008-05-19.

External links

  • Official website: https://cofee.nw3c.org/
  • "Microsoft Computer Online Forensic Evidence Extractor (COFEE)". Microsoft Corporation. http://www.microsoft.com/industry/government/solutions/cofee/default.aspx. Archived at https://web.archive.org/web/20120621115024/http://www.microsoft.com:80/industry/government/solutions/cofee/default.aspx on 2012-06-21. Accessed 2009-10-17.
  • "Regular or Decaf? Tool launched to combat COFEE". Praetorian Prefect. http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/. Accessed 2009-12-18.
  • "Reactivating DECAF in Two Minutes". Praetorian Prefect. http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/. Archived at https://web.archive.org/web/20140223193138/http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/ on February 23, 2014. Accessed 2009-12-18.
