COFEE - what it is really? - can it be used in court?

18 Posts
9 Users
0 Likes
1,038 Views
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

There are a lot of rumours around this MS COFEE thingy (Computer Online Forensic Evidence Extractor).

The mystery about its real nature appears to be slightly solved by this
http://blog.seattletimes.nwsource.com/techtracks/2008/04/looking_for_answers_on_microsofts_cofee_device.html

It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.

Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."

It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."

Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."

Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."

From the above it seems like it is just (maybe very well done)

a compilation of publicly available forensics tools

On the other hand, if it was not, would it be usable in a trial where the Police or Law Enforcement officer produces evidence based on the tool and the defendant's consultant (who supposedly has no access to COFEE) cannot verify the method and results of the investigation carried out through the "reserved use" tool? 😯

jaclaz

 
Posted : 03/05/2008 5:02 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I can't speak for Italian or European law, and I can't even speak for US law…but what I can say is this…there was a time when DNA and fingerprint evidence were not considered usable in court. Even computer evidence that we see today was not considered "evidence" at one time.

How did that change?

Someone took the steps to document what they were doing. What most people who end up asking these types of questions don't realize is that it's not about the tool you ran necessarily…it's more about, can the examiner/responder explain what they did and why? What is the process and methodology used to collect the "evidence"? Can the examiner explain why they deviated from the process, if that's what they did?

COFEE is nothing new. The fact that it runs more tools than WFT doesn't make it "better"…in fact, it can be argued that it makes things worse.

Folks, it's not about the tools, it's about the process you use. All COFEE does is remove ALL obstacles used by LEs…"we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"…that's it.

Another thing that comes to mind…lots of folks like to refer to the defense counsel picking the examiner apart on the stand…well, one thing that you all fail to realize is that the examiner never even gets on the stand without the approval of the…wait for it…wait for it…that's right, the PROSECUTOR!!! If the prosecutor never introduces any computer-based evidence, then there's no reason for the defense to challenge or cross-examine the forensics guy. If the prosecutor doesn't feel that the computer-based evidence is strong enough, or that the examiner is prepared, it's unlikely that they're going to put the examiner on the stand to be challenged and questioned.

 
Posted : 03/05/2008 5:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Yes, of course.

What I mean is nowadays, to the best of my knowledge an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy)
Defendant Solicitor
I read in your report that my client allegedly connected to the site www.someplace.org on the 29th March 2006 at 2135 logging on as "Mickeymouse" and using password "donaldduck". How can you affirm that?

Prosecution IT investigator (witness under oath)
I was given the computer the defendant used at the time.
I used this tool to create a 1:1 copy of its hard disk, leaving the HD unmodified.
I made another identical copy that was given to the defense.
Then using this other tool I verified that Internet Explorer was used to browse to the www.someplace.org address.
You see, Internet Explorer keeps track of sites visited and, on certain occasions, also keeps track of the logins/passwords used in an encrypted area of the Windows registry called protected storage, which is later accessible with the said utility that can decrypt its contents.
This can be verified even now, accessing a new copy of the original HD.
Besides the said utility, the same data can also be retrieved by using yet this other tool.

Now, compare this to the reply a "generic" COFEE user John Doe could give
John Doe ("normal" LE Officer, made into IT expert by COFEE) - (witness under oath as well)
John Doe
The good guys at Microsoft came to the Sheriff's and gave him a number of those USB thingies, you just put that one in one of those flat sockets computer have and it starts printing on the screen all kind of info about the computer.
I went to the house, found a PC, put the thingie in, wrote down everything that came on screen on a paper napkin…. that's about all.

Defendant Solicitor
Am I correct to state that you do not know how the "thingie" - your words - actually works?

John Doe
Well, no, not really, but the guy from Microsoft told us that we need not; all that is needed is to put the thingie in and wait for the report.

Defendant Solicitor
Look, Officer, do you carry a gun?

John Doe
Not at the moment, Sir.

Defendant Solicitor
I mean when you are on duty….

John Doe
Well, of course, yes.

Defendant Solicitor
Are you trained to use that gun?

John Doe
Yes, we do have a basic training and periodically we are examined to verify our proficiency in using firearms, and also some psychological examinations are carried out to validate us, and we must go to the shooting range every three weeks to practice.

Defendant Solicitor
So, no one from, say, Browning or Beretta, came to the Sheriff's and gave you a gun saying "all you need to know is point and shoot"?

John Doe
Sir?

Defendant Solicitor
Never mind, officer.
Am I correct to state that you are founding your report on the words by an unknown Microsoft representative that told you "just insert this thingie in a PC and it will report everything was done from it" or words to a similar effect?

John Doe
Yes, but…

Defendant Solicitor
And that you were not properly trained to use this device?

John Doe
Yes, but…

Defendant Solicitor
And that you have no idea on how the device actually works?

John Doe
Well, no, but the Microsoft guy said….

Defendant Solicitor
That's all, thank you very much Officer.

😯

jaclaz

 
Posted : 03/05/2008 6:37 pm
chuck378
(@chuck378)
Posts: 25
Eminent Member
 

Keydet89,
Very, very well put. You took the words right out of my mouth. You must document everything you do. I consider Computer Forensics a crime scene within a crime scene. The steps you take and the things you do will determine your destiny in court. The era of point and click forensics is gone. No matter what software you use and what "buttons" you press, you MUST be able to explain what happened behind the scenes.

…"we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"… or "I just pressed this button and this is what I found". These statements are no longer accepted in most courts.

Another important issue is that the report you make probably took you a couple of weeks to produce, go over etc… The defense will sometimes have years to go over it to see what you have done wrong. If the suspect has money they will hire their own experts (more than one that know more than you!!!) to go over your paperwork.

It's like this veteran told me: "You sometimes have seconds to react to a situation. When the powers that be (Defense Attorneys) get your paperwork, they have years to think how they would have done it differently".

I hope I did not confuse anybody. Once again well put Keydet89

 
Posted : 03/05/2008 6:48 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

When testifying as an 'operator' of any device, the operator doesn't have to be an expert in the inner workings of that device to testify to its use or its results of the use. If that were the case, then you'd have these types of problems (in the law enforcement world as an example)
*Officers' testimony concerning vehicle pursuits would not be credible (how many officers can tell you anything about the inner workings of an engine, the brakes, or the transmission?-answer-very few)
*Officers' testimony of using a radar gun would not be credible (how many officers have taken apart or designed how that radar gun works?-answer-very few)
*Officers' testimony of firing their handgun would not be credible (how many know the inner workings of how a handgun works?-answer, few)
*Officers' testimony of using a breathalyser would not be credible (how many officers know how it is designed or the internal workings? answer-very few).

As Harlan points out, and as it is pointed out in trial, it is the process used, the procedures followed, and the decisions made that are in question. Even if processes or procedures are not followed in a specific instance, if it is shown that a 'reasonable' response or decision was made, then that is ok, based on the totality of the circumstances.

So, I would suggest that if an officer is trained to plug in a device and watch it produce some output, then why would that not be admissible? If the steps taken were documented, reasonable, and followed a common accepted practice, wouldn't that be admissible?

Also, anything related to a case matter can be evidence. And of this mass evidence in a case matter, nearly everything can be admitted IF collected within the guidelines of law. Even evidence that may have been damaged or otherwise not collected reasonably, can still be admitted, although, the weight of that particular evidence will be less, like on a sliding scale of credibility.

Conversely, if an investigator (of any sort in any field) is giving an opinion on what they believe to be factual, then I would agree that knowing more than plugging in a device is necessary.

And no, I'm not a lawyer, but I've been examined and cross examined and examined and crossed examined on an occasion or two.

 
Posted : 04/05/2008 3:45 am
(@walkabout_fr)
Posts: 67
Trusted Member
 

Although I work under a different legal system, I tend to agree with bshavers.

In France, regular police officers can be trained to lift fingerprints that will be admissible as evidence. That doesn't mean they'll be able to compare the fingerprints.

Even CSI technicians collect biological samples while they're totally unable to extract DNA from them and run comparison tests.

I don't think many of them could explain to you in detail and with the correct scientific terms why a blood-stained piece of cloth mustn't be seized in air-tight plastic bags. They don't need to. All they need to know is that moisture damages DNA and that this kind of evidence must be dried and placed in paper bags…

I believe that this is what procedures are all about: allow people who do not fully understand all the inner workings to perform their jobs correctly. Then, the responsibility is split in two parts: the person who created the procedure is responsible for it to produce correct results if all steps are followed correctly, and the field officer is responsible for applying this procedure correctly (and documenting it).

Back to CF, I do believe that a regular police officer with very limited training can run an automated tool on a suspect's computer, following a given procedure. That doesn't mean he will be qualified to interpret the results of the output and testify about it in court, though. That would be the job of a CF specialist.

In the end, I firmly believe that CF and the use of digital evidence will gain more efficiency by having all field officers get limited training and basic tools than by increasing the number of highly trained specialists in regional labs.

Just my €0.02

 
Posted : 04/05/2008 11:10 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What I mean is nowadays, to the best of my knowledge an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy)

Again, what so few people realize is that the prosecution wouldn't allow something into evidence if it was going to lead to this kind of "fantasy" exchange.

 
Posted : 04/05/2008 3:11 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

What I mean is nowadays, to the best of my knowledge an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy)

Again, what so few people realize is that the prosecution wouldn't allow something into evidence if it was going to lead to this kind of "fantasy" exchange.

Yep, I do realize that; my point is that if the "something" cannot be allowed into evidence, while this same "something", if handled correctly by a professional, could have been, part of the evidence will not be produced or, if produced, will have undesired results.

In other words, I presume that putting this tool in the hands of untrained Officers or LE could have the consequence of LESS or "BAD" prosecution evidence, which is exactly the opposite of the intended result.

And on the other hand, reserving this tool to LE only prevents defendant consultants from examining in detail how the information was gathered, depriving hypothetically the defendant of some of his rights or paradoxically make space for invalidating the reports as they are made through a "secret" method, undocumented or undisclosed, and thus not necessarily acceptable.

Radar guns, fixed Autovelox as we have in Italy, traffic light cameras, breathalyzers and similar apparatus are an altogether different thing: they need to be of a "Government approved" type, their specs and inner workings are available to defendants, they are tested for accuracy by independent ("approved" or "certified" as well) laboratories, they need to be periodically re-checked, the procedure of recording and reporting is fixed by the Law, and notwithstanding that thousands of traffic fines based on this hardware are invalidated annually because
1) they were operated improperly by untrained officers
2) the report was poorly worded or the procedure contained a violation of rights
3) the device had not been properly "approved"
4) the device had not been properly tested in the compulsory periodical check, or proof of this is missing

So, my opinion is that COFEE can be a great thing IF
1) it is "certified" by third-parties and approved by the Law
2) it is used by (at least minimally) trained officers
3) its nature is disclosed to both LE and defendants

jaclaz

 
Posted : 04/05/2008 4:32 pm
chuck378
(@chuck378)
Posts: 25
Eminent Member
 

bshavers,

What I was trying to point out is that you must explain how you got your evidence. You must explain what happened after you "pressed" such a button. You must have knowledge of how a computer works. You can't go to court and say, "I pushed the power button on the computer, double-clicked on the program, pushed a couple of buttons and WOW! there it was". So I feel that you are comparing apples and oranges.

I don't have to go to court and explain what each circuit on the motherboard does, how the interior of HD looks or works, and what each wire on the computer does. I have to just explain how I got what I got.

"*Officers' testimony concerning vehicle pursuits would not be credible (how many officers can tell you anything about the inner workings of an engine, the brakes, or the transmission?-answer-very few)"
*** You are correct, but every time I go on duty, I must check all fluids, tire pressure etc… and make sure all emergency lights are working properly.

"*Officers' testimony of using a radar gun would not be credible (how many officers have taken apart or designed how that radar gun works?-answer-very few)"
*** When I got certified I did have to know how a radar gun works and how to calibrate it. Even the margin of error on it.

"*Officers' testimony of firing their handgun would not be credible (how many know the inner workings of how a handgun works?-answer, few)"
*** I must qualify every 3 months, take the weapon apart, know what each part does and clean it.

"*Officers' testimony of using a breathalyser would not be credible (how many officers know how it is designed or the internal workings? answer-very few)."
*** The breathalyser class here is a week long at the academy. You must know the chemical composition of alcohol. Hell, they even make you drink so you feel the effects of alcohol etc…

I will even go further and add that when you get certified in carrying mace, stun guns, and bean bag bullets. You must get maced, shocked and shot, so you know how it feels and you can testify of such.

When you do "Computer Forensics" or any type of Forensics, you don't have to be a doctor and/or a computer engineer, but you must know well beyond the basics of the inner workings of a computer system to be effective and understand what you are doing.

Don't get me wrong, I'm not by far the smartest guy around, I learn something new about Computer Forensics everyday.

The era of point and click forensics is well gone…

 
Posted : 04/05/2008 8:03 pm
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

I'm only saying that there are tools that LE uses everyday that they are only trained to operate to get results. The collection of DNA evidence by a detective is only collection of evidence. The examination of that evidence is done by a scientist. If it is collected properly, there is no issue. If done wrong, bad evidence. Could this not apply to digital evidence as well?

I don't believe the MS tool was designed for officers to conduct forensic examinations more than it may have been designed to be a collection tool for someone else to exam the results.

Given that LE is far behind in live forensics, I think its a step in 'a' direction instead of 'no' direction as government commonly doesn't move fast enough or at all to keep up with technology.

Not to create another argument, but ILook (the LE only forensic tool), is the tool that non-LE cannot obtain to tear apart in court. This MS tool, as described, seems to contain tools that are available elsewhere. They just put a bunch of tools together in a toolbox and gave it a name. ILook is a complete, proprietary suite.

And cops don't have to be shot by their guns or pepper sprayed to know that it works.

Brett

 
Posted : 04/05/2008 10:33 pm