Microsoft's COFEE Computer Forensic Tools Leaked

from the that-can't-be-good dept

Last year, we wrote about Microsoft's COFEE tools, which are a set of computer forensic and auditing tools that Microsoft puts on a USB key and gives to law enforcement to use in trying to extract info from a computer. There was some fear that it was a "back door," but people insisted it was no such thing, but just a collection of basic tools. Still, the fact that the system was promoted as being useful for decrypting passwords and analyzing a computer's data and internet activity seemed troubling. We noted that if Microsoft was giving it out to law enforcement, it seemed likely that others would have access to it as well.

Well, late last week, reports started showing up noting that COFEE itself had been leaked to various file sharing sites. Apparently, the program had been quite sought after at private tracker -- though, after it was leaked there, the admins actually removed the torrent.

Still, you have to imagine that the software is very much out there. So, the question still remains, is this a big deal or not? When we did our original post, many people insisted that there was no big deal in Microsoft COFEE and it was just basic everyday auditing software. Yet, when even is removing the torrent, claiming they "didn't like" what they saw when they examined the software, in terms of "the potential impact on the site and security of our users and staff," it does raise certain questions that are similar to those we originally raised.

So, once again, let's get some feedback from the folks reading here. Is this really a big deal? Or is it just your ordinary tools?

Reader Comments (rss)

(Flattened / Threaded)

  1. identicon
    Adub, Nov 9th, 2009 @ 9:02am


    The fact that the torrent was taken down is very intriguing. I wonder why?

    reply to this | link to this | view in thread ]

  2. icon
    SteelWolf (profile), Nov 9th, 2009 @ 9:15am

    I think the big deal has less to do with the software itself than with how high-profile it is. My guess is that a site like what would rather not give legal guns additional reason to hunt them down for "leaking secret law enforcement software."

    reply to this | link to this | view in thread ]

  3. identicon
    Thought Cancer, Nov 9th, 2009 @ 9:17am


    As an Information Security Assessor, I can tell you that I've played with COFFEE and the functionality it provides is equivalent or inferior to the tools that the "bad guys" use to compromise systems. That is, there's nothing that COFFEE can show you that other freely available tools cannot. That said, COFFEE is still a useful tool for basic digital forensics.

    reply to this | link to this | view in thread ]

  4. icon
    roxanneadams (profile), Nov 9th, 2009 @ 9:21am

    Did anyone see Microsoft's tagline at the bottom of their official COFEE website?

    If it's vital to government, it's mission critical to Microsoft. Pretty funny stuff.

    reply to this | link to this | view in thread ]

  5. icon
    mobiGeek (profile), Nov 9th, 2009 @ 9:26am

    Re: Hmm

    COFEE has only one F. Here is it's homepage.

    reply to this | link to this | view in thread ]

  6. identicon
    Anonymous Coward, Nov 9th, 2009 @ 9:28am


    I thought you could always download it ? ;)

    reply to this | link to this | view in thread ]

  7. identicon
    anonymous, Nov 9th, 2009 @ 9:36am

    actually. for USB Switchblade is MUCH more valuable for this sort of thing, and it is just as free

    reply to this | link to this | view in thread ]

  8. icon
    Free Capitalist (profile), Nov 9th, 2009 @ 9:48am

    Better in the Open

    It is very curious that the admins pulled this torrent. I wonder if there was pressure from some entity, and if so, who? Could this have been DMCA action from MS?

    In my opinion it is better that hacker tools (used for "legitimate reasons", or otherwise) are kept in the open, available for public review. For law enforcement, there should be no confidential method of obtaining evidence... otherwise how can they claim they even have a chain of evidence?

    But to be more salacious, MS has a history of releasing their operating systems with undocumented functions. It would be in the public's best interest to know just how secure they are when they license an operating system.

    But more to the point of security, it is far easier to detect and defend against known threats than against the unknown.

    Either way, whether the code is public or not is kind of a moot point. Real hackers can reverse engineer anything, especially operating systems.

    There was a big "pantiesinabunchcident" about SATAN back in 95 or so, and I think the world is much better off for having had the tool during that period of Internet proliferation.

    reply to this | link to this | view in thread ]

  9. identicon
    Dr Prawn, Nov 9th, 2009 @ 9:58am

    A little research goes a long way

    Before the e-media gets all up in arms about this, maybe they should look into the leak itself. Several hints show that it may possibly be a fake.

    - All of the included "tools" are preinstalled on a Windows OS since Win2K.

    - The few files not included in OS's are not digitally signed by Microsoft.

    - Would MS really release something this major, even only in small circulations with a broken installer?

    - Why would MS use opensource ajax javascript when they have already coded similar scripts for use in their live suite of products?

    - Would MS really include a "Gang Bustaz" mode in their products, let alone something of this stature?

    - None of the accompanying documentation, such as how to use the tools manual contain MS wordmarks, copyright or logos.

    - The loader application does nothing more than run scripts that utilise OS's built in functions and logs them to a .xml, any user can copy files from sys32 to a usb drive and run a batch script to achieve the same effects.

    Unsigned files:

    Inconsistent design (read: designed by a 7 year old with vbasic)

    reply to this | link to this | view in thread ]

  10. icon
    Steven (profile), Nov 9th, 2009 @ 10:21am

    I'm not all that surprised pulled it and I doubt it has anything to do with pressure from any outside organization. is basically an invite only music specific torrent site. They have very strict rules on uploading, sharing ratio, file naming, the works.

    reply to this | link to this | view in thread ]

  11. icon
    Steven (profile), Nov 9th, 2009 @ 10:28am


    Looks like I was a bit off, but here is what they posted:

    Nothing is impossible. Nothing is out of reach. That's the lesson we take away from today, boys and girls (and men and women). Not long after we switched to Gazelle, and instituted the request bounty system, a request popped up for Microsoft COFEE - a forensic tool supplied by Microsoft to law enforcement offices around the world. You can Google it for more details, but the gist is that the tool was developed and distributed solely to law enforcement agencies. Sounds tempting, right?

    And it was. So much so that user after user voted for the request, adding to the ever-increasing bounty. Everyone seemed to have a good laugh with it, figuring that no one would ever get their hands on it and actually upload it. That was the staff consensus, at least. Several imitators were uploaded and removed, users were warned, and the bounty remained.

    Then, today, a user actually did it. They got a copy of COFEE and uploaded it here. The resourcefulness of our users never ceases to amaze us. Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff. And when we did, we didn't like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again.)

    Just to be clear: we were not threatened by Microsoft or any law enforcement agency. We haven't been contacted, nor has our host. This was a decision made by the staff based on our own conversations and feelings about the security impact of having the software here. We know some of you, perhaps the majority of you, won't agree with it. To those that feel that way, we can only offer an apology and the explanation that we removed it for your security, and ours.

    This is not an indication of any policy or rule changes going forward. This is a one-time decision, for a unique situation. This is not something we will do with other torrents or requests. At this point, the software can probably be found elsewhere, for anyone who wants it. We hope you all understand, and will continue searching out those rare items which attract huge request bounties. Feel free to discuss this here, but this decision is final. Thank you, all.

    /The What.CD Staff

    reply to this | link to this | view in thread ]

  12. identicon
    Troller, Nov 9th, 2009 @ 10:43am

    Re: Re: Hmm

    Pretty amusing... jump on the misspelling, but misuse "its" in the process...

    reply to this | link to this | view in thread ]

  13. identicon
    Chad, Nov 9th, 2009 @ 11:19am


    From what I have read in various articles, people who have used it have used such terms as "useless", "disappointing" or "unusable" to describe the program.

    It's not as though people have ripped of a program like Photoshop or Finalcut... I think the use of the tool is far beyond the knowledge of the people who are obtaining it.

    13 year old script kiddies everywhere will jump at the chance to get this software thinking it will give them access to some secret dimension of a computer system only to be disappointed.

    reply to this | link to this | view in thread ]

  14. identicon
    mjpinvestor, Nov 9th, 2009 @ 11:46am

    much hype

    When you keep something very secret like COFEE was, it will become a big deal when it is leaked, regardless of what it actually is. Like many comments, the tool is lacking when compared to forensic frameworks that are freely available. If they had published some of this info, no one would care about the leak and it would be a typical torrent. The intention of the tool was for non-techs to be able to run it.

    reply to this | link to this | view in thread ]

  15. icon
    Overcast (profile), Nov 9th, 2009 @ 11:49am

    If it's just 'ordinary tools' - then what's the issue?

    reply to this | link to this | view in thread ]

  16. identicon
    Yohann, Nov 9th, 2009 @ 12:15pm

    Heh heh.

    More hell for Windows users everywhere.

    If you're a proud Linux user, get yourself Conky and put the script below in the conkyrc file. It will show you the five top incoming connections to your computer so you can see who's knocking at your door.

    ${tcp_portmon 1 32767 rhost 0} ${alignr} ${tcp_portmon 1 32767 lservice 0}
    ${tcp_portmon 1 32767 rhost 1} ${alignr} ${tcp_portmon 1 32767 lservice 1}
    ${tcp_portmon 1 32767 rhost 2} ${alignr} ${tcp_portmon 1 32767 lservice 2}
    ${tcp_portmon 1 32767 rhost 3} ${alignr} ${tcp_portmon 1 32767 lservice 3}
    ${tcp_portmon 1 32767 rhost 4} ${alignr} ${tcp_portmon 1 32767 lservice 4}

    You can do the same for outgoing, too.
    ${tcp_portmon 32768 61000 rhost 0} ${alignr} ${tcp_portmon 32768 61000 rservice 0}
    ${tcp_portmon 32768 61000 rhost 1} ${alignr} ${tcp_portmon 32768 61000 rservice 1}
    ${tcp_portmon 32768 61000 rhost 2} ${alignr} ${tcp_portmon 32768 61000 rservice 2}
    ${tcp_portmon 32768 61000 rhost 3} ${alignr} ${tcp_portmon 32768 61000 rservice 3}
    ${tcp_portmon 32768 61000 rhost 4} ${alignr} ${tcp_portmon 32768 61000 rservice 4}

    Hope this helps.

    reply to this | link to this | view in thread ]

  17. icon
    Eric C (profile), Nov 9th, 2009 @ 12:31pm


    SteelWolf:I think the big deal has less to do with the software itself than with how high-profile it is. My guess is that a site like what would rather not give legal guns additional reason to hunt them down for "leaking secret law enforcement software."

    That was my understanding of it. Steven has posted what they put up on the main page, and though their wording is a bit cryptic, it seems to me that they got rid of it simply because it was so high-profile, and a site like What can exist only as long as it is at least somewhat under the radar. The last thing you want is to have a tool that isn't that interesting, but will still draw lots of negative attention to your site/private tracker.

    reply to this | link to this | view in thread ]

  18. icon
    weneedhelp (profile), Nov 9th, 2009 @ 12:45pm


    I can do what they claim with bartpe, or a live linux cd and freeware. Nothing new there.

    I would like add it to the 236 programs I currently have on my utility CD.

    Ill let you know after I find it.

    reply to this | link to this | view in thread ]

  19. identicon
    anon, Nov 9th, 2009 @ 12:46pm

    Re: Hmm

    It is hard to trust what you are saying when you didn't even spell the software's name correctly...

    reply to this | link to this | view in thread ]

  20. identicon
    Anonymous Coward, Nov 9th, 2009 @ 12:47pm

    Go away

    reply to this | link to this | view in thread ]

  21. icon
    MikeP (profile), Nov 9th, 2009 @ 12:49pm

    hot potato

    From what i understood, the deal was that this was a plug in USB device that your non tech savvy cop could use to pull things off a suspects computer before things could get deleted or destroyed.
    I'm guessing the admins pulled it because they took one look and realized "oh crap, in this climate they're going to decide we're bloody terrorists, kick down the doors, melt the servers into scrap, and shoot us all while attempting to escape."
    Then it became a "let's flush this down the toilet before every LEO imaginable sends in a predator drone on this location0"
    How useful it is isn't at all the question, how useful it's PERCIEVED to be by the relevant authorities on the other hand is.
    The whole idea of a super secret program is moronic in this day and age, granted...but to the beancounter who came up with it, it is sacred and must be defended to the death...yours preferably.

    I mean they've raided data centers and cost people millions for substantially less then this, just a couple of months ago in fact...can't find the link to the story right offhand, but i'm pretty sure i found it here first so most of you likely remember it

    reply to this | link to this | view in thread ]

  22. icon
    Christopher (profile), Nov 9th, 2009 @ 12:54pm

    maybe it's about cohesion? is ostensibly about music... maybe they thought they were squeaking past if they were constrained to music sharing; law enforcement/ investigation tools of this profile on the other hand might have ruined A Good Thing.


    reply to this | link to this | view in thread ]

  23. icon
    Eric C (profile), Nov 9th, 2009 @ 1:00pm

    Re: maybe it's about cohesion?

    Actually, What allows apps, as long as they follow certain guidelines. This program technically did, hence the lengthy explanation to their users of why they were taking it down.

    reply to this | link to this | view in thread ]

  24. icon
    senshikaze (profile), Nov 9th, 2009 @ 1:26pm

    I just use a few different Linux live cds that can do all this and more.
    Not sure what is so special about it.

    reply to this | link to this | view in thread ]

  25. identicon
    Vic, Nov 9th, 2009 @ 1:44pm

    Re: Re:

    One-time my A$$...

    reply to this | link to this | view in thread ]

  26. identicon
    Vic, Nov 9th, 2009 @ 1:54pm

    Just a collection of underperforming utilities/tools?

    But then again, there could be two or more flavors of COFEE... And lets say the unusual, never before seen one has been uploaded to

    "Safety of our user"? whoa! that's rich!

    I doubt though, that it's going to be a "one-time decision for a unique situation" to remove the torrent. If they did it once - they'll do it again to something else.

    reply to this | link to this | view in thread ]

  27. icon
    Eric C (profile), Nov 9th, 2009 @ 2:13pm

    Re: Just a collection of underperforming utilities/tools?

    While I wouldn't say that the safety of their users trumps their own safety, the fact is that if they decide to go after What, everyone involved loses. When Oink was shut down, most of their equipment was seized, including information on usernames, e-mail addresses, and of course, since it's a BT tracker, IP addresses. That's a hell of a lot of information for the authorities to have on you, and I would think many users of What would appreciate that sort of diligence toward keeping them away from that situation.

    Also, AFAIK, What has been around for a little over two years, and this is the first time that they have done something like this. I'm sure if they were put into a similar situation they'd do it again, and it may be a little bit disingenuous to downplay that, but considering how tight their requirements are for uploads, I doubt they'll NEED to do this very often.

    reply to this | link to this | view in thread ]

  28. identicon
    anom, Nov 9th, 2009 @ 2:15pm

    So, if you use total disk encryption, of most any flavor, this pretty much poses no threat to your comp, right?

    reply to this | link to this | view in thread ]

  29. identicon
    Jesse, Nov 9th, 2009 @ 2:46pm

    Not so impressive

    I've played around with the leaked COFEE a bit, and, well, it's not much to get excited about. It just automatically runs a large set of windows informational utilities (all of which are publicly available) and then generates a pretty report with the results from all of them.

    That said, COFEE is extensible - you can easily add tasks that it should perform (and record the results of) on each machine, so a computer forensicist could easily add utilities to dump passwords or copy over certain files, and indeed, the manual's recommendation that 2GB of storage be available on the device it will log to suggests that they intend for COFEE to record more than the leaked version does (it only records about 600kb of info). Other things, like the presence of a reporting category called "Passwords", strongly suggest that MS intended (and perhaps implemented) functionality that is not included in the leaked version.

    That said, the included validation documents from the National White Collar Crime Center only discuss the utilities included in the leak. Of course, those documents could have been modified, or there could be additional validation documents covering additional utilities not included in the torrent.

    reply to this | link to this | view in thread ]

  30. icon
    Prefect (profile), Nov 9th, 2009 @ 4:42pm

    Much ado about nothing?

    Echoing some of the comments above, there does not seem to be much new to the COFEE tool. A full analysis can be found here:

    reply to this | link to this | view in thread ]

  31. identicon
    Anonymous Coward, Nov 9th, 2009 @ 7:08pm

    If have nothing to hide, you may have an unexpected friend find you, usually at an untimely time.

    reply to this | link to this | view in thread ]

  32. icon
    mobiGeek (profile), Nov 11th, 2009 @ 10:41am

    Re: Re: Re: Hmm


    reply to this | link to this | view in thread ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>
Follow Techdirt
Insider Shop - Show Your Support!

Hide this ad »
Essential Reading
Techdirt Deals
Techdirt Insider Chat
Hide this ad »
Recent Stories
Hide this ad »


Email This

This feature is only available to registered users. Register or sign in to use it.