TorrentFreak report Microsoft’s much sought-after COFEE law-enforcement forensic tool has leaked onto the Internet. One user uploaded it to private tracker What.cd to collect a huge 1.6tb bounty. However, in a sensible move, the admins of the site took action to remove the link and ban further sharing of the tool via the site.
“Law enforcement agencies around the world face a common challenge in their fight against cybercrime, child pornography, online fraud, and other computer-facilitated crimes,” says the marketing blurb on Microsoft’s site.
“They must capture important evidence on a computer at the scene of an investigation before it is powered down and removed for later analysis. ‘Live’ evidence, such as active system processes and network data, is volatile and may be lost in the process of turning off a computer. How does an officer on the scene effectively do this if he or she is not a trained computer forensics expert?”
Using COFEE, of course.
The Computer Online Forensic Evidence Extractor (COFEE) is a piece of software designed for the use of law enforcement agencies, and provided to the same free of charge by Microsoft. And, largely because of its mystique, has been a much sought-after piece of code.
Indeed, on the private tracker What.cd, users had offered a huge bounty (a reward for finding and sharing something) of 1.6 terabytes.
During the last day or so, a user – who had only been a member for a matter of weeks – uploaded COFEE.
However, What.cd then took the unusual step of removing the torrent. Not just an unusual step but, in my opinion, a very sensible step indeed.
“Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff,” said What.cd management in a statement.
“And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again),” they added.
According to the site’s staff, neither them or their host was threatened by Microsoft or law enforcement. The decision was taken purely on the issue of site and member security.
Of course, the tool is now widely available from other sources and while some are saying that the tool is useless to regular Internet users, there are others who disagree. It certainly won’t take long for a detailed analysis to appear.
There will doubtless be lots of finger-wagging and complaints that this tool has become available in this way, but as with unexpected leaks of anything from software, to movies, to music, rarely is the finger pointed at the initial supplier of the material. That is usually way too embarrassing to reveal.
Have a question or need help? Post on the forum, thats why it's here.
I will only reply to Digiex related issues via PM, not general help requests.
XB1: Launch console - 500gb internal drive, 1tb external drive
360: Jasper - 1tb drive - jtag hacked running the 17150 dashboard
360: Falcon - 500gb drive hacked with hddhackr, not flashed