
COFEE - what it is really? - can it be used in court?

18 Posts
9 Users
0 Reactions
1,838 Views
 dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

Hi Chuck,

I have to just explain how I got what I got.

I think this is part of Brett's point. Let's take Harlan's point and click tool RegRipper for example. How deep of an explanation do you need to go into to justify its use?
a) I used RR to take certain keys from the registry and display them in a readable format. Here's a quick description of the registry and the results.
or
b) I used RR to take certain keys from the registry. I'll now explain how it pulled and displayed each entry. Let's start with the User Assist key, which is ROT13 encoded (which means…), and is decoded by this part of the Perl code, the date is found in this eight bytes, etc.

I'm fairly certain that the prosecutors in my area can walk an examiner through A, but not B. I'm also guessing you'd lose the jury's interest at some point in option B.

Most examiners cannot explain the inner workings of FTK, EnCase, ProDiscover, and plenty are not certified at each tool. But, they still use them and can testify about their results. While some explanation is necessary, I think the era of point and click forensics is alive and well. As drive sizes and file system complexity increase, automated tools will evolve to assist in the analysis.


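Option B above walks the jury through what the tool actually does with the UserAssist key: the ROT13-obfuscated value name and the eight-byte timestamp. As an added illustration, not code from this thread or from RegRipper, here is that decoding in Python. It assumes the Windows XP-era 16-byte UserAssist value layout (4-byte session ID, 4-byte run counter that XP starts at 5, 8-byte FILETIME); the value name and bytes below are constructed, not taken from any real registry.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the sample."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name):
    """UserAssist value names are ROT13-obfuscated; ROT13 is its own inverse."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_xp(value_name, value_data):
    """Parse one XP-era UserAssist value (16 bytes, little-endian).

    Layout (assumption: the XP format, not the 72-byte Windows 7+ one):
      bytes 0-3   session ID
      bytes 4-7   run counter, which XP starts at 5 (stored 6 == run once)
      bytes 8-15  FILETIME of the last run (0 when never recorded)
    """
    if len(value_data) != 16:
        raise ValueError(f"expected 16 bytes, got {len(value_data)}")
    session, raw_count, filetime = struct.unpack("<IIQ", value_data)
    return {
        "name": decode_userassist_name(value_name),
        "session": session,
        "raw_count": raw_count,
        "run_count": max(raw_count - 5, 0),
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


# Constructed sample: a calc.exe run path, three runs, last run 15 Nov 2007 10:30 UTC.
SAMPLE_NAME = r"HRZR_EHACNGU:P:\Jvaqbjf\flfgrz32\pnyp.rkr"
SAMPLE_DATA = struct.pack(
    "<IIQ",
    14,  # session ID
    8,   # raw counter: 8 - 5 = 3 runs
    datetime_to_filetime(datetime(2007, 11, 15, 10, 30, tzinfo=timezone.utc)),
)

if __name__ == "__main__":
    entry = parse_userassist_xp(SAMPLE_NAME, SAMPLE_DATA)
    print(entry["name"])
    print("runs:", entry["run_count"], "last run:", entry["last_run"].isoformat())
```

Run as a script it prints the decoded path, the run count and the UTC timestamp. This is the arithmetic an examiner would have to explain under option B; the point of the post is that a court usually only needs option A, but the examiner should still be able to produce B on request.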
azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

I think that perhaps there is a distinction to be made between an evidence collector and an evidence interpreter. The collector need not understand the inner workings of a tool, merely that it should be operated in a certain way e.g. an officer can bag an item ( say clothes ) taken from an offender, but need not necessarily know what forensic relevance it is - that is determined by an expert finding a drop of blood on it, and identifying it as matching the victim. The officer probably won't have a clue about how that is done.

I understand that often computers are encountered by officers without an expert present, something that they can plug in and record on paper - even a paper napkin - could well be more use than an encrypted disk that has had the plug pulled on it …

Even "damaged" evidence is still admissible if ruled that by the court ( in the UK at any rate … ) so just because Mr.Plod happens to overwrite some files in recovering the passwords, doesn't mean that Mr.Culprit can get away with his stash of CP.

I think that the bottom line is that _we_ should know what COFEE _is_ and _does_, but that doesn't make it an obligation for the seizing officer.

( N.B. I do think that training in proper usage would be good though … Just makes life easier later ! )


(@phius)
Eminent Member
Joined: 21 years ago
Posts: 25
 

I think what many of you are missing also (& this is the reason for the development of COFEE) is that computer expertise is spread thinly among most LE Agencies. COFEE (ie the USB drive) is designed to be preconfigured by the experts and passed to a front line officer as a collection tool. The results can be analysed by the 'experts' once the drive is returned to the lab. All the front line officer has to verify is the chain of evidence handling.

Interpretation of results, explanation as to which collection features were utilised and any expert opinion should be provided by the forensic expert.

If used in this way, the tool can and should save many valuable hours of the expert's time and allow them to prioritise work rather than attending every onsite turn-out. I think I am correct in saying that it has never been the intention of the developers to issue this tool to general investigators to use indiscriminately.


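The hand-off phius describes (expert-preconfigured kit, officer runs it, lab verifies the chain of evidence) only works if the lab can show that what came back is exactly what the kit wrote. As an added example that is not part of COFEE or of this thread, the Python below builds a SHA-256 manifest over a collection directory at hand-off time and re-verifies it later, flagging missing or altered files. The output files, officer name and profile name are constructed placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large captures (RAM dumps) do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(collection_dir, collector, tool_profile):
    """Record who collected, with which preconfigured profile, and a hash of every output file."""
    files = []
    for name in sorted(os.listdir(collection_dir)):
        path = os.path.join(collection_dir, name)
        if name != MANIFEST_NAME and os.path.isfile(path):
            files.append({"file": name, "size": os.path.getsize(path), "sha256": sha256_file(path)})
    manifest = {
        "collector": collector,
        "tool_profile": tool_profile,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }
    with open(os.path.join(collection_dir, MANIFEST_NAME), "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_manifest(collection_dir):
    """Return a list of problems; an empty list means every listed file is intact."""
    with open(os.path.join(collection_dir, MANIFEST_NAME), encoding="utf-8") as fh:
        manifest = json.load(fh)
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(collection_dir, entry["file"])
        if not os.path.isfile(path):
            problems.append(f"missing: {entry['file']}")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['file']}")
    return problems


def demo():
    """Constructed walk-through: clean hand-off verifies, a later edit is detected."""
    collection_dir = tempfile.mkdtemp(prefix="collection_demo_")
    # Constructed stand-ins for what a collection profile would write on the seized host.
    samples = {
        "processes.txt": "PID  NAME\n4    System\n612  svchost.exe\n",
        "connections.txt": "TCP 10.0.0.5:49152 -> 203.0.113.7:443 ESTABLISHED\n",
    }
    for name, content in samples.items():
        with open(os.path.join(collection_dir, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    manifest = build_manifest(collection_dir, "Officer A (constructed)", "triage-profile-1 (assumed)")
    clean_result = verify_manifest(collection_dir)
    # Simulate a post-collection modification of one output file.
    with open(os.path.join(collection_dir, "connections.txt"), "a", encoding="utf-8") as fh:
        fh.write("edited later\n")
    tampered_result = verify_manifest(collection_dir)
    return manifest, clean_result, tampered_result


if __name__ == "__main__":
    _, clean, tampered = demo()
    print("clean hand-off problems:", clean)
    print("after modification:", tampered)
```

The manifest itself should travel with the drive and be logged (hash included) on the custody form at hand-off, since a manifest that can be regenerated by whoever modified the files proves nothing; signing it with the lab's key is the usual next step and is outside this example.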
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

And on the other hand, reserving this tool to LE only prevents defendant consultants from examining in detail how the information was gathered, hypothetically depriving the defendant of some of his rights or paradoxically making space for invalidating the reports as they are made through a "secret" method, undocumented or undisclosed, and thus not necessarily acceptable.

I cannot agree with this at all.

MS simply handed out some thumb drives with the available tools on them to LE only. If these tools are used to collect evidence presented in a case, the fact that the thumb drives were handed out to LE only in no way whatsoever prevents defense counsel from examining them and the tools during discovery.

The only people that COFEE is a secret from is those folks who didn't receive a copy. Processes, methodologies and toolkits like this will be included in discovery if a case is ever presented that utilizes COFEE to collect evidence. And this will only happen if the prosecution decides to use the collected evidence against the defendant…if the prosecution feels that the examination of the tool, process, or LE who collected the evidence using COFEE will suffer in any way and pose a threat to the success of their case, they won't use it.

Reading this thread and others, it occurs to me that the real issue here is that someone else got access to something that others think is "secret" and "cool" because it came from MS, and was only given to LE.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
Topic starter  

MS simply handed out some thumb drives with the available tools on them to LE only.

Right. )

If these tools are used to collect evidence presented in a case, the fact that the thumb drives were handed out to LE only in no way whatsoever prevents defense counsel from examining them and the tools during discovery.

Perfect. )

What I was trying to say is that unless someone else (not Microsoft) certifies in some way that the tool or collection of tools works reliably and in a foolproof way, there is a possibility that info gathered with it may be invalidated or be plainly wrong.
And the fact that the intended "audience" are the less skilled/educated in forensics acquisition LE officers does not help.

The only people that COFEE is a secret from is those folks who didn't receive a copy. Processes, methodologies and toolkits like this will be included in discovery if a case is ever presented that utilizes COFEE to collect evidence. And this will only happen if the prosecution decides to use the collected evidence against the defendant…if the prosecution feels that the examination of the tool, process, or LE who collected the evidence using COFEE will suffer in any way and pose a threat to the success of their case, they won't use it.

And, as said previously, if, because of the hypothetical "suffering", some evidence will not be used, it means less evidence in the trial than what would have been possible to produce, which I do not see as a good thing.

Reading this thread and others, it occurs to me that the real issue here is that someone else got access to something that others think is "secret" and "cool" because it came from MS, and was only given to LE.

At least for me, the real issue is just the "secrecy" in itself, or to be even more exact, the reasons behind this secrecy, which I believe are not justified and, again in my personal opinion, could worsen the quality or lessen the quantity of the evidence that will be brought in court.

I mean, if as stated in the MS e-mail cited, COFEE is just

a compilation of publicly available forensics tools

"glued" together by a "smart" engine of some kind, while MS has all the rights to keep every possible secrecy about its proprietary engine, I cannot see the reason why the list of the "publicly available forensic tools" is not disclosed.

If, on the other hand, and again this is just a speculative idea for the sake of discussion, it uses some undocumented code to retrieve something that publicly available utilities cannot retrieve, that would pose a problem, at least until independent third party experts, possibly bound by a very restrictive NDA, somehow "certify" this part of the "suite" and its correct working.

Not being a professional forensic expert, nor an LE officer, the matter is of interest to me only from the "philosophical" point of view. I wouldn't want to see EVER, say, a pedophile or a killer get absolved because the evidence against him was not produced by the prosecutor (being not fully valid) or was invalidated by the defendant consultants, but I wouldn't want to see EVER an innocent being condemned because a "secret" app determined wrongly something against him.

)

Just to give an example from this period, here in Italy there have recently been a couple of terrible homicides, see this
http://dorigo.wordpress.com/2007/09/24/the-killer-of-garlasco-has-a-name/
and this one, which, since the victim was an English girl, made it into the international press
http://www.timesonline.co.uk/tol/news/world/europe/article2821154.ece

From what has been printed on our local newspapers, in both cases the alibi of the suspects should be, at least partially, connected to the use (and in one case access to the Internet) of a PC.

And it also seems that the PCs have been tampered with by local police in such a way that the defendants' solicitors have already, or are trying successfully to, invalidate the evidence brought forward by the prosecution.

Regardless of whether the suspects are actually innocent or guilty, this badly carried-out procedure is an obstacle to the ascertaining of what really happened.

jaclaz


juo_siva
(@juo_siva)
Active Member
Joined: 19 years ago
Posts: 9
 

So, my opinion is that COFEE can be a great thing IF
1) it is "certified" by third-parties and approved by the Law
2) it is used by (at least minimally) trained officers
3) its nature is disclosed to both LE and defendants

jaclaz

couldn't agree more… certification & validation from the relevant authorities can certainly solve this issue… i think it's pretty much the same as how tools like EnCase & FTK are now accepted in the court of law..


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

If, on the other hand, and again this is just a speculative idea for the sake of discussion…

That's the key word…"speculative".

The big secret to all this is simply this…there is no secret.

Not being a professional forensic expert, nor an LE officer, the matter is of interest to me only from the "philosophical" point of view. I wouldn't want to see EVER, say, a pedophile or a killer get absolved because the evidence against him was not produced by the prosecutor (being not fully valid) or was invalidated by the defendant consultants, but I wouldn't want to see EVER an innocent being condemned because a "secret" app determined wrongly something against him.

Your focus is too much on COFEE, apparently for no other reason than b/c it was given to LE only.

What you say that you don't want to ever see happen, in fact, happens all the time.

Not a pedophile or sex offender, but it illustrates the point:
http://www.news.com/2100-7349_3-5092781.html


(@phius)
Eminent Member
Joined: 21 years ago
Posts: 25
 

Once again, to try and clarify things, as you can see from the news article COFEE is not a forensic analysis tool in the traditional sense (EnCase, FTK etc) but is rather an Incident Response tool, so I think some of the posters here are going a bit off track with talk of using it to prosecute child porn offenders. I think I would be correct in saying that its intended purpose would be for malware & intrusion type investigations.

Essentially, in an ideal world, all LE Investigators would be able to develop their own tool kits & be like Harlan & write their own perl scripts - in doing so they could then extract all valuable information about running processes, live network information, RAM etc etc before shutting down a machine and bringing it to a lab for analysis. Is that the case? No, of course not!

What Microsoft have done as a public service is create software which can be run from a USB drive with minimal user intervention. The software can be preconfigured by an expert and passed on a thumbdrive to a field investigator… hence obviating the need for the expert to attend every crime scene! As they are giving it away, it is entirely their right to decide whom they provide it to. As Harlan has said, there are no secrets & there is nothing you can do with COFEE that you couldn't do yourself with a bit of know-how.


Page 2 / 2