
Computer Online Forensic Evidence Extractor

17 Posts
9 Users
0 Likes
1,467 Views
(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

Hi guys,

I just saw this article on vnunet.com. Apparently MS have been giving this away for free since last year. Has anyone got one and used it (and fancies giving a review of it), or does anyone know how to get one?

Ronan

 
Posted : 29/04/2008 10:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

First sentence of the article says, "…for the police…".

 
Posted : 29/04/2008 11:21 pm
(@mindsmith)
Posts: 174
Estimable Member
 

Yes, it is for the police, but... that does not mean it's not worth discussing here with those who are interested. It raises some interesting questions, such as:

Does this contain some of their earlier WOLF (Windows Online Forensics) tool, which was not just for LE?

Will evidence gathered using this tool be valid in US courts? What validation has this product been through?

Thanks & Regards,

 
Posted : 01/05/2008 11:54 am
(@ronanmagee)
Posts: 145
Estimable Member
Topic starter
 

Cheers Smitthy,

I'm just curious as to the kind of functionality it contains and whether any technical analysis has been done on it. As it's built by MS, I'd be keen to know the approach they used in acquiring the information from the computer.

If it was simply SysInternals bundled onto a USB stick, then it's something I could probably put together myself.

Ronan

 
Posted : 01/05/2008 1:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If it was simply SysInternals bundled onto a USB stick, then it's something I could probably put together myself.

It's more than just SysInternals tools…too much so, I would say. It has a bit more than WFT…which doesn't make it better, per se.

Even though it's put together by MS, the folks at MS who put it together do not do IR…and they built the tool for folks who do not traditionally do live response, either.

In this case, the only really unique thing about the tool is that it was put together on a USB stick and handed to the LE, rather than requiring them to assemble the tools themselves.

 
Posted : 01/05/2008 3:14 pm
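The posts above describe COFEE and WOLF as existing tools (SysInternals, DumpACL and the like) gathered onto a USB stick and driven by scripts. The following is an added example, not code from COFEE, WOLF or any Microsoft or WFT project, of the minimal harness such a kit needs beyond the binaries themselves: run a fixed, ordered list of tools from the stick, save each tool's output, and record start/finish times and a SHA-256 of every output file in a manifest so the collection can be re-verified later (the evidentiary question raised earlier in the thread). The tool list here is a constructed stand-in that invokes the Python interpreter so the example runs offline on any platform; a real kit would list pslist, netstat, handle and so on, with the most volatile data collected first. The names `run_tool`, `collect`, `verify` and `demo` are this example's own.

```python
"""Minimal live-response runner (added example, not COFEE/WOLF code).

Runs a fixed list of tools, writes each tool's stdout to an output
directory, and records timestamps and SHA-256 hashes in manifest.json.
verify() re-hashes the saved outputs against the manifest.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _utc_now() -> str:
    return datetime.now(timezone.utc).isoformat()


def run_tool(name: str, argv: list, outdir: Path, timeout: int = 120) -> dict:
    """Run one tool, save its stdout, and return a manifest entry.

    A missing or hung tool is recorded (returncode None) rather than
    aborting the whole collection, so later tools still run.
    """
    started = _utc_now()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except OSError as exc:            # e.g. tool not present on the stick
        stdout, stderr, rc = b"", str(exc).encode(), None
    except subprocess.TimeoutExpired as exc:
        stdout, stderr, rc = (exc.stdout or b""), b"timeout", None

    out_path = outdir / f"{name}.txt"
    out_path.write_bytes(stdout)
    return {
        "tool": name,
        "argv": argv,
        "started_utc": started,
        "finished_utc": _utc_now(),
        "returncode": rc,
        "output_file": out_path.name,
        "sha256": hashlib.sha256(stdout).hexdigest(),
        "stderr": stderr.decode(errors="replace")[:200],
    }


def collect(toolkit: list, outdir: Path) -> list:
    """Run every (name, argv) pair in order and write manifest.json."""
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = [run_tool(name, argv, outdir) for name, argv in toolkit]
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(outdir: Path) -> dict:
    """Re-hash each saved output; True means it still matches the manifest."""
    manifest = json.loads((outdir / "manifest.json").read_text())
    return {
        m["tool"]: hashlib.sha256((outdir / m["output_file"]).read_bytes()).hexdigest()
        == m["sha256"]
        for m in manifest
    }


# Constructed stand-ins for real tools; listed most-volatile first.
# The third entry deliberately points at a tool that does not exist.
DEMO_TOOLKIT = [
    ("sysinfo", [sys.executable, "-c", "import platform; print(platform.platform())"]),
    ("procs", [sys.executable, "-c", "import os; print(os.getpid())"]),
    ("missing", ["no-such-tool-xyz-" + "0123"]),
]


def demo():
    """Collect into a scratch directory and return (manifest, verification)."""
    outdir = Path(tempfile.mkdtemp(prefix="liveresp-"))
    manifest = collect(DEMO_TOOLKIT, outdir)
    return manifest, verify(outdir)


if __name__ == "__main__":
    manifest, ok = demo()
    for entry in manifest:
        print(f"{entry['tool']:8} rc={entry['returncode']!s:5} sha256={entry['sha256'][:16]}...")
    print("verified:", ok)
```

On a real stick the manifest should be hashed itself (or copied to read-only media) as soon as collection finishes, and the tools should be invoked by full path on the stick so a trojaned copy in the target's PATH is never picked up.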
(@mindsmith)
Posts: 174
Estimable Member
 

Hi Ron,

I suspect it contains a lot of the earlier WOLF toolset, with some additional new utils; I am still trying to find out. WOLF was/is MS's live response toolkit, really more of a comprehensive auditing tool with items like DumpACL and other tools cobbled together via a series of scripts.

Also, it's no secret that MS have been recruiting from the LE and forensics sector, especially in the UK and US, for their 'cyber crime unit', so it is very probable they've done some major work this past year on developing a more comprehensive set of tools to replace the aged iLOOK.

Will keep you posted if I come across anything of value on this.

Thanks & Regards,

 
Posted : 01/05/2008 3:29 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I suspect….

Based on…what?

…so it is very probable…

Again, based on what?

I've worked with both WOLF and COFEE. They were both written by folks within MS who had nothing to do with each other, and at the time WOLF was produced, I believe they didn't even know that the other group existed. The similarity stops at the point where outside tools are used by both frameworks.

 
Posted : 01/05/2008 3:41 pm
(@Anonymous)
Posts: 0
Guest
 

"…for the police…", eh?

So... police get nifty utilities that private investigators can't have? Why can't we civilians have access to COFEE? I would love to have a tool that cuts some of my preliminary work down from hours to minutes. Notice I said "some." I seriously doubt that M$ has devised a mini-suite that does ALL of the work of a cyber-investigator... but I *am* willing to try their wares.

I'm sure it's only a matter of (brief) time before we can download either the tools or a USB image from one of the torrent sites. I'm already searching....

 
Posted : 07/05/2008 12:35 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"…for the police…", eh?

So... police get nifty utilities that private investigators can't have? Why can't we civilians have access to COFEE? I would love to have a tool that cuts some of my preliminary work down from hours to minutes. Notice I said "some." I seriously doubt that M$ has devised a mini-suite that does ALL of the work of a cyber-investigator... but I *am* willing to try their wares.

I'm sure it's only a matter of (brief) time before we can download either the tools or a USB image from one of the torrent sites. I'm already searching....

You're wasting your time…seriously.

Or another way of putting it…if you're searching Torrent for COFEE, that's an extremely good indicator that I DON'T want you on my site or on my systems.

Dude, COFEE is nothing special…it was loaded on a thumb drive for folks who don't know how to…you know…load files onto thumb drives.

 
Posted : 07/05/2008 3:00 am
(@Anonymous)
Posts: 0
Guest
 

Or another way of putting it…if you're searching Torrent for COFEE, that's an extremely good indicator that I DON'T want you on my site or on my systems.

Sarcasm aside, torrents are a reality; get used to it. Many ISVs now routinely distribute their products via P2P. Or is the problem that *I* would have the temerity to search for something that <gasp!> only law enforcement is supposed to have?

Dude, COFEE is nothing special…it was loaded on a thumb drive for folks who don't know how to…you know…load files onto thumb drives.

Uh-huh, I am fully cognizant that M$ has aggregated the work of others and repackaged it into a "user-friendly" (maybe) format. How typical of those Redmondites! What's interesting is that they GAVE these USB sticks to thousands of LEOs in numerous countries. If M$ is *giving* something away, my inquiring mind wants to have a look.

Now who could possibly have a problem with that?

 
Posted : 07/05/2008 10:05 pm
Page 1 / 2