COFEE - what it is really? - can it be used in court?  

jaclaz
(@jaclaz)
Community Legend

There are a lot of rumours around this MS COFEE thingy (Computer Online Forensic Evidence Extractor).

The mystery about its real nature appears to be slightly solved by this:
http://blog.seattletimes.nwsource.com/techtracks/2008/04/looking_for_answers_on_microsofts_cofee_device.html

It sounds to me like the device doesn't do anything that a trained computer forensics expert can't already do. This just automates the execution of the commands for data extraction. Check later for updates.

Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as "password security auditing technologies" used to access information "on a live Windows system." She cited rainbow tables as an example of other such tools, and "was NOT confirming that COFEE includes Rainbow Tables."

It "does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means."

Further, she reiterated that the tool is intended for use "by law enforcement only with proper legal authority."

Another update: This from Tim Cranton, associate general counsel at Microsoft: "The key to COFEE is not new forensic tools, but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."

From the above it seems like it is just (maybe very well done):

a compilation of publicly available forensics tools

On the other hand, if it was not, would it be usable in a trial where the Police or Law Enforcement officer produces evidence based on the tool and the defendant consultant (who supposedly has no access to COFEE) cannot verify the method and results of the investigation carried on through the "reserved use" tool? 😯

jaclaz

Posted : 03/05/2008 6:02 pm
keydet89
(@keydet89)
Community Legend

I can't speak for Italian or European law, and I can't even speak for US law…but what I can say is this…there was a time when DNA and fingerprint evidence were not considered usable in court. Even computer evidence that we see today was not considered "evidence" at one time.

How did that change?

Someone took the steps to document what they were doing. What most people who end up asking these types of questions don't realize is that it's not about the tool you ran necessarily…it's more about, can the examiner/responder explain what they did and why? What is the process and methodology used to collect the "evidence"? Can the examiner explain why they deviated from the process, if that's what they did?

COFEE is nothing new. The fact that it runs more tools than WFT doesn't make it "better"…in fact, it can be argued that it makes things worse.

Folks, it's not about the tools, it's about the process you use. All COFEE does is remove ALL obstacles used by LEs…"we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"…that's it.

Another thing that comes to mind…lots of folks like to refer to the defense counsel picking the examiner apart on the stand…well, one thing that you all fail to realize is that the examiner never even gets on the stand without the approval of the…wait for it…wait for it…that's right, the PROSECUTOR!!! If the prosecutor never introduces any computer-based evidence, then there's no reason for the defense to challenge or cross-examine the forensics guy. If the prosecutor doesn't feel that the computer-based evidence is strong enough, or that the examiner is prepared, it's unlikely that they're going to put the examiner on the stand to be challenged and questioned.

Posted : 03/05/2008 6:46 pm
jaclaz
(@jaclaz)
Community Legend

Yes, of course.

What I mean is nowadays, to the best of my knowledge, an "IT investigator" is a knowledgeable person that can support and back up whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy):
Defendant Solicitor:
I read in your report that my client allegedly connected to the site www.someplace.org on the 29th March 2006 at 21:35 logging on as "Mickeymouse" and using password "donaldduck". How can you affirm that?

Prosecution IT investigator (witness under oath):
I was given the computer the defendant used at the time.
I used this tool to create a 1:1 copy of its hard disk, leaving the HD unmodified.
I made another identical copy that was given to the defense.
Then, using this other tool, I verified that Internet Explorer was used to browse to the www.someplace.org address.
You see, Internet Explorer keeps track of sites visited and, on certain occasions, also keeps track of the logins/passwords used in an encrypted area of the Windows registry called protected storage, which is later accessible with the said utility that can decrypt its contents.
This can be verified even now, accessing a new copy of the original HD.
Besides the said utility, the same data can be retrieved also by using yet this other tool.

Now, compare this to the reply a "generic" COFEE user John Doe could give:
John Doe ("normal" LE Officer, made into IT expert by COFEE) - (witness under oath as well)
John Doe:
The good guys at Microsoft came to the Sheriff's and gave him a number of those USB thingies, you just put that one in one of those flat sockets computers have and it starts printing on the screen all kind of info about the computer.
I went to the house, found a PC, put the thingie in, wrote down everything that came on screen on a paper napkin…. that's about all.

Defendant Solicitor:
Am I correct to state that you do not know how the "thingie" - your words - actually works?

John Doe:
Well, no, not really, but the guy from Microsoft told us that we need not; all that is needed is to put the thingie in and wait for the report.

Defendant Solicitor:
Look, Officer, do you carry a gun?

John Doe:
Not at the moment, Sir.

Defendant Solicitor:
I mean when you are on duty….

John Doe:
Well, of course, yes.

Defendant Solicitor:
Are you trained to use that gun?

John Doe:
Yes, we do have a basic training and periodically we are examined to verify our proficiency in using firearms, and also some psychological examinations are carried out to validate us, and we must go to the shooting range every three weeks to practice.

Defendant Solicitor:
So, no one from, say, Browning or Beretta, came to the Sheriff's and gave you a gun saying "all you need to know is point and shoot"?

John Doe:
Sir?

Defendant Solicitor:
Never mind, officer.
Am I correct to state that you are founding your report on the words of an unknown Microsoft representative that told you "just insert this thingie in a PC and it will report everything that was done from it" or words to a similar effect?

John Doe:
Yes, but…

Defendant Solicitor:
And that you were not properly trained to use this device?

John Doe:
Yes, but…

Defendant Solicitor:
And that you have no idea on how the device actually works?

John Doe:
Well, no, but the Microsoft guy said….

Defendant Solicitor:
That's all, thank you very much, Officer.

😯

jaclaz

Posted : 03/05/2008 7:37 pm
chuck378
(@chuck378)
Junior Member

Keydet89,
Very, Very well put. You took the words right out of my mouth. You must document everything you do. I consider Computer Forensics a crime scene within a crime scene. The steps you take and the things you do will determine your destiny in court. The era of point and click forensics is gone. No matter what software you use and what "buttons" you press, you MUST be able to explain what happens behind the scenes.

…"we don't have the time to learn anything new", or "we don't have the time and knowledge to pull these tools together and put them into a usable format on appropriate media"… or "I just pressed this button and this is what I found". These statements are no longer accepted in most courts.

Another important issue is that the report you make probably took you a couple of weeks to produce, go over, etc… The defense will sometimes have years to go over it to see what you have done wrong. If the suspect has money they will hire their own experts (more than one that know more than you!!!) to go over your paperwork.

It's like this veteran told me: "You sometimes have seconds to react to a situation. When the powers that be (Defense Attorneys) get your paperwork, they have years to think how they would have done it differently".

I hope I did not confuse anybody. Once again well put Keydet89

Posted : 03/05/2008 7:48 pm
bshavers
(@bshavers)
Active Member

When testifying as an 'operator' of any device, the operator doesn't have to be an expert in the inner workings of that device to testify to its use or the results of that use. If that were the case, then you'd have these types of problems (in the law enforcement world as an example):
* Officers' testimony concerning vehicle pursuits would not be credible (how many officers can tell you anything about the inner workings of an engine, the brakes, or the transmission? Answer: very few)
* Officers' testimony of using a radar gun would not be credible (how many officers have taken apart or designed how that radar gun works? Answer: very few)
* Officers' testimony of firing their handgun would not be credible (how many know the inner workings of how a handgun works? Answer: few)
* Officers' testimony of using a breathalyser would not be credible (how many officers know how it is designed or the internal workings? Answer: very few).

As Harlan points out, and as it is pointed out in trial, it is the process used, the procedures followed, and the decisions made that are in question. Even if processes or procedures are not followed in a specific instance, if it is shown that a 'reasonable' response or decision was made, then that is ok, based on the totality of the circumstances.

So, I would suggest that if an officer is trained to plug in a device and watch it produce some output, then why would that not be admissible? If the steps taken were documented, reasonable, and followed a common accepted practice, wouldn't that be admissible?

Also, anything related to a case matter can be evidence. And of this mass evidence in a case matter, nearly everything can be admitted IF collected within the guidelines of law. Even evidence that may have been damaged or otherwise not collected reasonably, can still be admitted, although, the weight of that particular evidence will be less, like on a sliding scale of credibility.

Conversely, if an investigator (of any sort in any field) is giving an opinion on what they believe to be factual, then I would agree that knowing more than plugging in a device is necessary.

And no, I'm not a lawyer, but I've been examined and cross examined and examined and crossed examined on an occasion or two.

Posted : 04/05/2008 4:45 am
Walkabout_fr
(@walkabout_fr)
Member

Although I work under a different legal system, I tend to agree with bshavers.

In France, regular police officers can be trained to lift fingerprints that will be admissible as evidence. That doesn't mean they'll be able to compare the fingerprints.

Even CSI technicians collect biological samples while they're totally unable to extract DNA from them and run comparison tests.

I don't think many of them could explain to you in detail and with the correct scientific terms why a blood-stained piece of cloth mustn't be seized in air-tight plastic bags. They don't need to. All they need to know is that moisture damages DNA and that this kind of evidence must be dried and placed in paper bags…

I believe that this is what procedures are all about: allowing people who do not fully understand all the inner workings to perform their jobs correctly. Then, the responsibility is split in two parts: the person who created the procedure is responsible for it producing correct results if all steps are followed correctly, and the field officer is responsible for applying this procedure correctly (and documenting it).

Back to CF, I do believe that a regular police officer with very limited training can run an automated tool on a suspect's computer, following a given procedure. That doesn't mean he will be qualified to interpret the results of the output and testify about it in court, though. That would be the job of a CF specialist.

In the end, I firmly believe that CF and the use of digital evidence will gain more efficiency by having all field officers get limited training and basic tools than by increasing the number of highly trained specialists in regional labs.

Just my €0.02

Posted : 04/05/2008 12:10 pm
keydet89
(@keydet89)
Community Legend

What I mean is nowadays, to the best of my knowledge a "IT investigator" is a knowledgeable person that can support and backup whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy)

Again, what so few people realize is that the prosecution wouldn't allow something into evidence if it was going to lead to this kind of "fantasy" exchange.

Posted : 04/05/2008 4:11 pm
jaclaz
(@jaclaz)
Community Legend

What I mean is nowadays, to the best of my knowledge a "IT investigator" is a knowledgeable person that can support and backup whatever his/her conclusions are in front of a cross-examination.

Just think about this (just my fantasy)

Again, what so few people realize is that the prosecution wouldn't allow something into evidence if it was going to lead to this kind of "fantasy" exchange.

Yep I do realize that, my point is that if the "something" cannot be allowed into evidence, and if this same "something", if handled correctly by a professional, could have been, part of the evidence will not be produced or, if produced, will have undesired results.

In other words, I presume that giving this tool in the hands of untrained Officers or LE could have the consequence of LESS or "BAD" prosecution evidence, which is exactly the opposite of the intended result.

And on the other hand, reserving this tool to LE only prevents defendant consultants from examining in detail how the information was gathered, hypothetically depriving the defendant of some of his rights or paradoxically making space for invalidating the reports, as they are made through a "secret" method, undocumented or undisclosed, and thus not necessarily acceptable.

Radar guns, fixed Autovelox as we have in Italy, traffic light cameras, breathalyzers and similar apparatus are an altogether different thing: they need to be of a "Government approved" type, their specs and inner workings are available to defendants, they are tested for accuracy by independent ("approved" or "certified" as well) laboratories, they need to be periodically re-checked, the procedure of recording and reporting is fixed by the Law, and notwithstanding that, thousands of traffic fines based on this hardware are invalidated annually because
1) they were operated improperly by untrained officers
2) the report was poorly worded or the procedure contained a violation of rights
3) the device had not been properly "approved"
4) the device had not been properly tested in the compulsory periodical check, or proof of this is missing

So, my opinion is that COFEE can be a great thing IF
1) it is "certified" by third parties and approved by the Law
2) it is used by (at least minimally) trained officers
3) its nature is disclosed to both LE and defendants

jaclaz

Posted : 04/05/2008 5:32 pm
chuck378
(@chuck378)
Junior Member

bshavers,

What I was trying to point out is that you must explain how you got your evidence. You must explain what happened after you "pressed" such button. You must have knowledge of how a computer works. You can't go to court and say, "I pushed the power button on the computer, double-clicked on the program, pushed a couple of buttons and WOW! there it was". So I feel that you are comparing apples and oranges.

I don't have to go to court and explain what each circuit on the motherboard does, how the interior of HD looks or works, and what each wire on the computer does. I have to just explain how I got what I got.

"*Officers' testimony concerning vehicle pursuits would not be credible (how many officers can tell you anything about the inner workings of an engine, the brakes, or the transmission?-answer-very few)"
*** You are correct, but every time I go on duty, I must check all fluids, tire pressure etc… and make sure all emergency lights are working properly.

"*Officers' testimony of using a radar gun would not be credible (how many officers have taken apart or designed how that radar gun works?-answer-very few)"
*** When I got certified I did have to know how a radar gun works and how to calibrate it. Even the margin of error on it.

"*Officers' testimony of firing their handgun would not be credible (how many know the inner workings of how a handgun works?-answer, few)"
*** I must qualify every 3 months, take the weapon apart, know what each part does and clean it.

"*Officers' testimony of using a breathalyser would not be credible (how many officers know how it is designed or the internal workings? answer-very few)."
*** The breathalyser class here is a week long at the academy. You must know the chemical composition of alcohol. Hell, they even make you drink so you feel the effects of alcohol etc…

I will even go further and add that when you get certified in carrying mace, stun guns, and bean bag bullets, you must get maced, shocked and shot, so you know how it feels and you can testify to such.

When you do "Computer Forensics" or any type of Forensics, you don't have to be a doctor and/or a computer engineer, but you must know well beyond the basics of the inner workings of a computer system to be effective and understand what you are doing.

Don't get me wrong, I'm not by far the smartest guy around, I learn something new about Computer Forensics everyday.

The era of point and click forensics is well gone…

Posted : 04/05/2008 9:03 pm
bshavers
(@bshavers)
Active Member

I'm only saying that there are tools that LE uses everyday that they are only trained to operate to get results. The collection of DNA evidence by a detective is only collection of evidence. The examination of that evidence is done by a scientist. If it is collected properly, there is no issue. If done wrong, bad evidence. Could this not apply to digital evidence as well?

I don't believe the MS tool was designed for officers to conduct forensic examinations more than it may have been designed to be a collection tool for someone else to examine the results.

Given that LE is far behind in live forensics, I think it's a step in 'a' direction instead of 'no' direction, as government commonly doesn't move fast enough or at all to keep up with technology.

Not to create another argument, but ILook (the LE only forensic tool), is the tool that non-LE cannot obtain to tear apart in court. This MS tool, as described, seems to contain tools that are available elsewhere. They just put a bunch of tools together in a toolbox and gave it a name. ILook is a complete, proprietary suite.

And cops don't have to be shot by their guns or pepper sprayed to know that it works.

Brett

Posted : 04/05/2008 11:33 pm
dcso
(@dcso)
Junior Member

Hi Chuck,

I have to just explain how I got what I got.

I think this is part of Brett's point. Let's take Harlan's point and click tool RegRipper for example. How deep of an explanation do you need to go into to justify its use?
a) I used RR to take certain keys from the registry and display them in a readable format. Here's a quick description of the registry and the results.
or
b) I used RR to take certain keys from the registry. I'll now explain how it pulled and displayed each entry. Let's start with the User Assist key, which is ROT13 encoded (which means…), and is decoded by this part of the Perl code, the date is found in this eight bytes, etc.

I'm fairly certain that the prosecutors in my area can walk an examiner through A, but not B. I'm also guessing you'd lose the jury's interest at some point in option B.

Most examiners cannot explain the inner workings of FTK, EnCase, ProDiscover, and plenty are not certified at each tool. But, they still use them and can testify about their results. While some explanation is necessary, I think the era of point and click forensics is alive and well. As drive sizes and file system complexity increase, automated tools will evolve to assist in the analysis.

Posted : 04/05/2008 11:45 pm
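The UserAssist decoding dcso mentions (ROT13 value names, the last-run date in an eight-byte FILETIME), as an added example that is not part of this thread or of RegRipper's code: it parses a constructed XP-era UserAssist value so an examiner can state exactly what such a tool did. It assumes the 16-byte XP value layout (4-byte session id, 4-byte run count stored with an offset of 5, 8-byte FILETIME), all little-endian.

```python
"""Decode a Windows XP UserAssist registry value (added example, not RegRipper's code).

Assumed layout (XP era): value name ROT13-encoded; 16 bytes of data made of a
4-byte session id, a 4-byte run count stored as count + 5, and an 8-byte FILETIME
(100-nanosecond intervals since 1601-01-01 UTC), all little-endian.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_OFFSET = 5  # XP stores the run count with +5 added


def rot13(name: str) -> str:
    """UserAssist value names are obfuscated with ROT13; it is its own inverse."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, computed with integer arithmetic only."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Return the decoded program name, session id, real run count and last-run time."""
    if len(data) != 16:
        raise ValueError(f"expected a 16-byte XP UserAssist value, got {len(data)} bytes")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "name": rot13(value_name),
        "session": session,
        "count": max(raw_count - COUNT_OFFSET, 0),  # never go negative on odd data
        "last_run": None if ft == 0 else filetime_to_datetime(ft),  # 0 = never run
    }


def demo_entry() -> dict:
    """Parse a constructed sample value: notepad.exe run 3 times, last on 2008-05-03 18:02 UTC."""
    last_run = datetime(2008, 5, 3, 18, 2, tzinfo=timezone.utc)
    data = struct.pack("<IIQ", 7, 3 + COUNT_OFFSET, datetime_to_filetime(last_run))
    # ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe" (constructed, not from a real hive)
    return parse_userassist("HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr", data)


if __name__ == "__main__":
    print(demo_entry())
```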
azrael
(@azrael)
Senior Member

I think that perhaps there is a distinction to be made between an evidence collector and an evidence interpreter. The collector need not understand the inner workings of a tool, merely that it should be operated in a certain way, e.g. an officer can bag an item (say clothes) taken from an offender, but need not necessarily know what forensic relevance it is - that is determined by an expert finding a drop of blood on it, and identifying it as matching the victim. The officer probably won't have a clue about how that is done.

I understand that often computers are encountered by officers without an expert present; something that they can plug in and record on paper - even a paper napkin - could well be more use than an encrypted disk that has had the plug pulled on it …

Even "damaged" evidence is still admissible if ruled that by the court (in the UK at any rate …) so just because Mr. Plod happens to overwrite some files in recovering the passwords, doesn't mean that Mr. Culprit can get away with his stash of CP.

I think that the bottom line is that _we_ should know what COFEE _is_ and _does_, but that doesn't make it an obligation for the seizing officer.

(N.B. I do think that training in proper usage would be good though … Just makes life easier later!)

Posted : 05/05/2008 2:52 am
phius
(@phius)
Junior Member

I think what many of you are missing also (and this is the reason for the development of COFEE) is that computer expertise is spread thinly among most LE Agencies. COFEE (i.e. the USB drive) is designed to be preconfigured by the experts and passed to a front line officer as a collection tool. The results can be analysed by the 'experts' once the drive is returned to the lab. All the front line officer has to verify is the chain of evidence handling.

Interpretation of results, explanation as to which collection features were utilised and any expert opinion should be provided by the forensic expert.

If used in this way, the tool can and should save many valuable hours of the expert's time and allow them to prioritise work rather than attending every onsite turn-out. I think I am correct in saying that it has never been the intention of the developers to issue this tool to general investigators to use indiscriminately.

Posted : 05/05/2008 8:17 am
keydet89
(@keydet89)
Community Legend

And on the other hand, reserving this tool to LE only prevents defendant consultants from examining in detail how the information was gathered, depriving hypothetically the defendant of some of his rights or paradoxically make space for invalidating the reports as they are made through a "secret" method, undocumented or undisclosed, and thus not necessarily acceptable.

I cannot agree with this at all.

MS simply handed out some thumb drives with the available tools on them to LE only. If these tools are used to collect evidence presented in a case, the fact that the thumb drives were handed out to LE only in no way whatsoever prevents defense counsel from examining them and the tools during discovery.

The only people that COFEE is a secret from is those folks who didn't receive a copy. Processes, methodologies and toolkits like this will be included in discovery if a case is ever presented that utilizes COFEE to collect evidence. And this will only happen if the prosecution decides to use the collected evidence against the defendant…if the prosecution feels that the examination of the tool, process, or LE who collected the evidence using COFEE will suffer in any way and pose a threat to the success of their case, they won't use it.

Reading this thread and others, it occurs to me that the real issue here is that someone else got access to something that others think is "secret" and "cool" because it came from MS, and was only given to LE.

Posted : 05/05/2008 4:07 pm
jaclaz
(@jaclaz)
Community Legend

MS simply handed out some thumb drives with the available tools on them to LE only.

Right. :)

If these tools are used to collect evidence presented in the a case, the fact that the thumb drives were handed out to LE only in no way whatsoever prevents defense counsel from examining them and the tools during discovery.

Perfect. :)

What I was trying to say is that unless someone else (not Microsoft) certifies in some way that the tool or collection of tools works reliably and in a foolproof way, there is a possibility that info gathered with it may be invalidated or be plainly wrong.
And the fact that the intended "audience" is the LE officers less skilled/educated in forensic acquisition does not help.

The only people that COFEE is a secret from is those folks who didn't receive a copy. Processes, methodologies and toolkits like this will be included in discovery if a case is ever presented that utilizes COFEE to collect evidence. And this will only happen if the prosecution decides to use the collected evidence against the defendant…if the prosecution feels that the examination of the tool, process, or LE who collected the evidence using COFEE will suffer in any way and pose a threat to the success of their case, they won't use it.

And, as said previously, if, because of the hypothetical "suffering", some evidence will not be used, it means less evidence in the trial than what would have been possible to produce, which I do not see as a good thing.

Reading this thread and others, it occurs to me that the real issue here is that someone else got access to something that others think is "secret" and "cool" because it came from MS, and was only given to LE.

At least for me, the real issue is just the "secrecy" in itself, or to be even more exact, the reasons behind this secrecy, which I believe are not justified and, again in my personal opinion, could worsen the quality or lessen the quantity of the evidence that will be brought to court.

I mean, if as stated in the MS e-mail cited, COFEE is just

a compilation of publicly available forensics tools

"glued" together by a "smart" engine of some kind, while MS has every right to keep every possible secrecy about its proprietary engine, I cannot see the reason why the list of the "publicly available forensic tools" is not disclosed.

If, on the other hand, and again this is just a speculative idea for the sake of discussion, it uses some undocumented code to retrieve something that publicly available utilities cannot retrieve, that would pose a problem, at least until independent third party experts, possibly bound by a very restrictive NDA, somehow "certify" this part of the "suite" and its correct working.

Not being a professional forensic expert, nor a LE officer, the matter is of interest to me only from the "philosophical" point of view. I wouldn't want to see EVER, say, a pedophile or a killer get absolved because the evidence against him was not produced by the prosecutor (being not fully valid) or was invalidated by the defendant consultants, but I wouldn't want to see EVER an innocent be condemned because a "secret" app determined wrongly something against him.

:)

Just to make an example of this period, here in Italy there have recently been a couple of terrible homicides, see this:
http://dorigo.wordpress.com/2007/09/24/the-killer-of-garlasco-has-a-name/
and this, which, since the victim was an English girl, made it to the international press:
http://www.timesonline.co.uk/tol/news/world/europe/article2821154.ece

From what has been printed on our local newspapers, in both cases the alibi of the suspects should be, at least partially, connected to the use (and in one case access to the Internet) of a PC.

And it also seems that the PCs have been tampered with by local police in such a way that the defendants' solicitors have already, or are trying successfully to, invalidate the evidence brought forward by the prosecution.

Regardless of whether the suspects are actually innocent or guilty, this badly carried procedure is an obstacle to the ascertaining of what really happened.

jaclaz

Posted : 05/05/2008 6:01 pm