COFEE - what it is really? - can it be used in court?

jaclaz
Senior Member
 

COFEE - what it is really? - can it be used in court?

Posted: May 03, 08 11:02

There are a lot of rumours around this MS COFEE thingy (Computer Online Forensic Evidence Extractor).

The mystery about its real nature appears to be slightly solved by this:
blog.seattletimes.nwso...evice.html

It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.

Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."

It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."

Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."

Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."


From the above it seems like it is just (maybe very well done)

a compilation of publicly available forensics tools


On the other hand, if it was not, would it be usable in a trial where the Police or Law Enforcement officer produces evidence based on the tool and the defendant's consultant (who supposedly has no access to COFEE) cannot verify the method and results of the investigation carried on through the "reserved use" tool?

jaclaz  
 
  

keydet89
Senior Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 03, 08 11:46

I can't speak for Italian or European law, and I can't even speak for US law...but what I can say is this...there was a time when DNA and fingerprint evidence were not considered usable in court. Even computer evidence that we see today was not considered "evidence" at one time.

How did that change?

Someone took the steps to document what they were doing. What most people who end up asking these types of questions don't realize is that it's not about the tool you ran necessarily...it's more about, can the examiner/responder explain what they did and why? What is the process and methodology used to collect the "evidence"? Can the examiner explain why they deviated from the process, if that's what they did?

COFEE is nothing new. The fact that it runs more tools than WFT doesn't make it "better"...in fact, it can be argued that it makes things worse.

Folks, it's not about the tools, it's about the process you use. All COFEE does is remove ALL obstacles used by LEs..."we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"...that's it.

Another thing that comes to mind...lots of folks like to refer to the defense counsel picking the examiner apart on the stand...well, one thing that you all fail to realize is that the examiner never even gets on the stand without the approval of the...wait for it...wait for it...that's right, the PROSECUTOR!!! If the prosecutor never introduces any computer-based evidence, then there's no reason for the defense to challenge or cross-examine the forensics guy. If the prosecutor doesn't feel that the computer-based evidence is strong enough, or that the examiner is prepared, it's unlikely that they're going to put the examiner on the stand to be challenged and questioned.  
 
  

jaclaz
Senior Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 03, 08 12:37

Yes, of course.

What I mean is nowadays, to the best of my knowledge, an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy):
Defendant Solicitor:
I read in your report that my client allegedly connected to the site www.someplace.org on the 29th March 2006 at 21:35 logging on as "Mickeymouse" and using password "donaldduck". How can you affirm that?

Prosecution IT investigator (witness under oath):
I was given the computer the defendant used at the time.
I used this tool to create a 1:1 copy of its hard disk, leaving the HD unmodified.
I made another identical copy that was given to the defense.
Then, using this other tool, I verified that Internet Explorer was used to browse to the www.someplace.org address.
You see, Internet Explorer keeps track of sites visited and, on certain occasions, also keeps track of the logins/passwords used in an encrypted area of the Windows registry called protected storage, which is later accessible with the said utility that can decrypt its contents.
This can be verified even now, accessing a new copy of the original HD.
Besides the said utility, the same data can also be retrieved by using yet this other tool.

Now, compare this to the reply a "generic" COFEE user John Doe could give:
John Doe ("normal" LE Officer, made into IT expert by COFEE) - (witness under oath as well)
John Doe:
The good guys at Microsoft came to the Sheriff's and gave him a number of those USB thingies; you just put that one in one of those flat sockets computers have and it starts printing on the screen all kinds of info about the computer.
I went to the house, found a PC, put the thingie in, wrote down everything that came on screen on a paper napkin.... that's about all.


Defendant Solicitor:
Am I correct to state that you do not know how the "thingie" - your words - actually works?

John Doe:
Well, no, not really, but the guy from Microsoft told us that we need not; all that is needed is to put the thingie in and wait for the report.

Defendant Solicitor:
Look, Officer, do you carry a gun?

John Doe:
Not at the moment, Sir.

Defendant Solicitor:
I mean when you are on duty....

John Doe:
Well, of course, yes.

Defendant Solicitor:
Are you trained to use that gun?

John Doe:
Yes, we do have basic training, and periodically we are examined to verify our proficiency in using firearms; some psychological examinations are also carried out to validate us, and every three weeks we must go to the shooting range to practice.

Defendant Solicitor:
So, no one from, say, Browning or Beretta, came to the Sheriff's and gave you a gun saying "all you need to know is point and shoot"?

John Doe:
Sir?

Defendant Solicitor:
Never mind, officer.
Am I correct to state that you are basing your report on the words of an unknown Microsoft representative who told you "just insert this thingie in a PC and it will report everything that was done from it", or words to a similar effect?

John Doe:
Yes, but...

Defendant Solicitor:
And that you were not properly trained to use this device?

John Doe:
Yes, but...

Defendant Solicitor:
And that you have no idea on how the device actually works?

John Doe:
Well, no, but the Microsoft guy said....

Defendant Solicitor:
That's all, thank you very much Officer.


jaclaz  
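The acquisition steps the hypothetical prosecution witness lists above (a 1:1 copy of the disk, a second identical copy for the defense, and the ability to show later that the copies still match the original) come down to hashing the evidence and every copy and writing the result down. The following is an added Python example, not code from the thread, from Forensic Focus or from COFEE: it acquires two copies of a constructed "disk" file, deliberately alters a third copy, and produces the verification record an examiner would keep. The evidence file contents, the path names and the function names are all constructed for the example; a real acquisition would read from a write-blocked device.

```python
"""Hash-verified acquisition with a written record (added example, not from the thread)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read 1 MiB at a time so large images need not fit in memory


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, dest: str) -> str:
    """Copy source to dest byte for byte, opening the source read-only.

    The digest is taken over the bytes as they are read, so it describes
    exactly what was written to dest, not a separate re-read of the source.
    """
    h = hashlib.sha256()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_copies(source: str, copies: list[str]) -> dict:
    """Re-hash the original and every copy; report which ones are 1:1 matches.

    The returned dictionary is the kind of record that goes into the
    examiner's notes: algorithm, time, what was hashed, and the outcome.
    """
    source_hash = sha256_file(source)
    record = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "source": {"path": source, "sha256": source_hash},
        "copies": [],
    }
    for path in copies:
        digest = sha256_file(path)
        record["copies"].append(
            {"path": path, "sha256": digest, "matches_source": digest == source_hash}
        )
    record["all_match"] = all(c["matches_source"] for c in record["copies"])
    return record


def run_demo() -> dict:
    """Acquire two copies of a constructed 'disk', tamper with a third, verify all three."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.img")
        # Constructed sample bytes standing in for a raw disk image.
        with open(evidence, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 512 + b"trailer")

        working = os.path.join(workdir, "working_copy.img")
        defence = os.path.join(workdir, "defence_copy.img")
        acquisition_hashes = {p: acquire(evidence, p) for p in (working, defence)}

        # A copy altered after acquisition must fail verification.
        tampered = os.path.join(workdir, "tampered_copy.img")
        acquire(evidence, tampered)
        with open(tampered, "r+b") as f:
            f.seek(3)
            f.write(b"\xff")  # original byte at offset 3 is 0x00

        record = verify_copies(evidence, [working, defence, tampered])
        # Cross-check: the hash taken during acquisition equals the source hash taken now.
        record["acquisition_hashes_match"] = all(
            h == record["source"]["sha256"] for h in acquisition_hashes.values()
        )
        return record


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of returning a record rather than printing "OK" is that the same dictionary can be re-generated later from a fresh copy, which is the "this can be verified even now" claim in the exchange above; the tampered copy shows what a mismatch looks like in that record.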
 
  

chuck378
Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 03, 08 12:48

Keydet89,
Very, very well put. You took the words right out of my mouth. You must document everything you do. I consider Computer Forensics a crime scene within a crime scene. The steps you take and the things you do will determine your destiny in court. The era of point and click forensics is gone. No matter what software you use and what "buttons" you press, you MUST be able to explain what happened behind the scenes.

..."we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"... or "I just pressed this button and this is what I found". These statements are no longer accepted in most courts.

Another important issue is that the report you make probably took you a couple of weeks to produce, go over, etc... The defense will sometimes have years to go over it to see what you have done wrong. If the suspect has money they will hire their own experts (more than one, who know more than you!!!) to go over your paperwork.

It's like this veteran told me: "You sometimes have seconds to react to a situation. When the powers that be (Defense Attorneys) get your paperwork, they have years to think how they would have done it differently."

I hope I did not confuse anybody. Once again well put Keydet89  
 
  

bshavers
Senior Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 03, 08 21:45

When testifying as an 'operator' of any device, the operator doesn't have to be an expert in the inner workings of that device to testify to its use or its results of the use. If that were the case, then you'd have these types of problems (in the law enforcement world as an example):
*Officers' testimony concerning vehicle pursuits would not be credible (how many officers can tell you anything about the inner workings of an engine, the brakes, or the transmission?-answer-very few)
*Officers' testimony of using a radar gun would not be credible (how many officers have taken apart or designed how that radar gun works?-answer-very few)
*Officers' testimony of firing their handgun would not be credible (how many know the inner workings of how a handgun works?-answer, few)
*Officers' testimony of using a breathalyser would not be credible (how many officers know how it is designed or the internal workings? answer-very few).

As Harlan points out, and as it is pointed out in trial, it is the process used, the procedures followed, and the decisions made that are in question. Even if processes or procedures are not followed in a specific instance, if it is shown that a 'reasonable' response or decision was made, then that is ok, based on the totality of the circumstances.

So, I would suggest that if an officer is trained to plug in a device and watch it produce some output, then why would that not be admissible? If the steps taken were documented, reasonable, and followed a common accepted practice, wouldn't that be admissible?

Also, anything related to a case matter can be evidence. And of this mass evidence in a case matter, nearly everything can be admitted IF collected within the guidelines of law. Even evidence that may have been damaged or otherwise not collected reasonably, can still be admitted, although, the weight of that particular evidence will be less, like on a sliding scale of credibility.

Conversely, if an investigator (of any sort in any field) is giving an opinion on what they believe to be factual, then I would agree that knowing more than plugging in a device is necessary.

And no, I'm not a lawyer, but I've been examined and cross-examined and examined and cross-examined on an occasion or two.
 
  

Walkabout_fr
Senior Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 04, 08 05:10

Although I work under a different legal system, I tend to agree with bshavers.

In France, regular police officers can be trained to lift fingerprints that will be admissible as evidence. That doesn't mean they'll be able to compare the fingerprints.

Even CSI technicians collect biological samples while they're totally unable to extract DNA from them and run comparison tests.

I don't think many of them could explain to you in detail and with the correct scientific terms why a blood-stained piece of cloth mustn't be seized in air-tight plastic bags. They don't need to. All they need to know is that moisture damages DNA and that this kind of evidence must be dried and placed in paper bags...

I believe that this is what procedures are all about: allowing people who do not fully understand all the inner workings to perform their jobs correctly. Then, the responsibility is split in two parts: the person who created the procedure is responsible for it producing correct results if all steps are followed correctly, and the field officer is responsible for applying this procedure correctly (and documenting it).

Back to CF, I do believe that a regular police officer with very limited training can run an automated tool on a suspect's computer, following a given procedure. That doesn't mean he will be qualified to interpret the results of the output and testify about it in court, though. That would be the job of a CF specialist.

In the end, I firmly believe that CF and the use of digital evidence will gain more efficiency by having all field officers get limited training and basic tools than by increasing the number of highly trained specialists in regional labs.

Just my €0.02
_________________
Marc ETIENNEY,
Investigator
Office of Internal Oversight Services
World Health Organization 
 
  

keydet89
Senior Member
 

Re: COFEE - what it is really? - can it be used in court?

Posted: May 04, 08 09:11

- jaclaz

What I mean is nowadays, to the best of my knowledge, an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy):


Again, what so few people realize is that the prosecution wouldn't allow something into evidence if it was going to lead to this kind of "fantasy" exchange.  
 
