Microsoft's COFEE (Computer Online Forensic Evidence Extractor) tool, which is used on a USB drive by law enforcement to take apart your dirty secrets was leaked on to the net this week. A private music torrent site had a request up for it offering 1.6TB bounty (of ratio) which is a huge amount for that site, and surprisingly to everyone someone leaked it just 18 months after the initial request.

The admins of the site reviewed the code and made the decision not to allow it to be tracked there, but now it's (supposedly) all over the internet. I've heard that the copy on pirate bay is fake.

"Then, today, a user actually did it. They got a copy of COFEE and uploaded it here. The resourcefulness of our users never ceases to amaze us. Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff. And when we did, we didn't like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again.)

Just to be clear: we were not threatened by Microsoft or any law enforcement agency. We haven't been contacted, nor has our host. This was a decision made by the staff based on our own conversations and feelings about the security impact of having the software here. We know some of you, perhaps the majority of you, won't agree with it. To those that feel that way, we can only offer an apology and the explanation that we removed it for your security, and ours.

This is not an indication of any policy or rule changes going forward. This is a one-time decision, for a unique situation.

You can read about it on these links, though there's no mention of the 1.6tb bounty that lead to the leak:

http://www.microsoft.com/industry/government/solutions/cofee/default.aspx

http://gizmodo.com/385476/microsoft-cofee-wont-perk-you-up-but-it-will-instamagically-hack-your-computer)

http://www.crunchgear.com/2009/11/06/siren-gif-microsoft-cofee-law-enforcement-tool-leaks-all-over-the-internet/

The person that leaked it had this to say just 2 hours ago:

ALright, ive been speaking with a few buddies of mine in law enforcement who know about the "leaking" of this, i hope this puts a few people minds at ease a bit. COFEE is not something that isnt allowed for the public, it just was not MADE for the public becasue the public literally has NO use for it, it was made for forensics specialists and investigators to retrieve information from a target computer, like it has been stated before, every single program that COFEE runs within itself can be found for free on the internet, the FBI and Microsoft do NOT care about the "releasing" of this tool, as no harm can come from it, simply put, ppl only wanted it becasue they couldnt have it, dont expect any heat from the FBI as they have much bigger fish to fry. TBH this info puts me at ease as well.

The user guide for the tool has been posted here: http://www.scribd.com/doc/22216754/User-Guide-for-COFEE-v112

Well, I dont see it on Usenet yet. I guess the advantage for black hat types is that having this tool allows them to see if their shit is hidden sufficiently !?

I dont want to give bad people tips but really, only a total fool would attempt to hide stuff on their computer these days.

I wonder how safe other operating systems are? I'm assuming this thing is windows specific but are there similar tools/back doors into ubuntu, osx, etc?

I'm more worried about this part

The GUI interface was developed for managing the tool selection, generating scripts, loading programs onto a USB device, and creating a report from the collected data. 
The command‐line application was developed for controlling and executing a set of selected tools on the target machine. 

Does this mean someone could load up this command line tool in a malicious virus-like program to get it on your computer and then gather all your information remotely over the internet?

I dont want to give bad people tips but really, only a total fool would attempt to hide stuff on their computer these days.

Where would you hide it then? printed out on tractor feed paper hidden inside your walls?

From the looks of the list of files it runs, most come from the sysinternals suite which I use on a regular basis to diagnose my broken boxes/friends computers. ha.

last edited by whoop at 03:05:38 08/Nov/09

Where would you hide it then?

As trog said in the thread about truecrypt - you put all your kiddie porn on a thumb drive and encrypt it.

im pretty sure it would be illegal not to decrypt stuff that the cops want to look at

im pretty sure it would be illegal not to decrypt stuff that the cops want to look at

News.com.au link

A MAN who established a sophisticated network of peepholes and cameras to spy on his flatmates has escaped a jail sentence after police were unable to crack an encryption code on his home computer.

Looking at the screenshots it looks pretty simple, nothing super spy secret about it at all.

theres some UN convetion about self incriminating. they where using it to get out of speed camera fines.

Abstract: In most jurisdictions a suspect has the right to remain silent during criminal proceedings and he cannot be penalised for making false statements. This is loosely known as the ‘ban on self incrimination’ and is regarded as an important factor in due process protection of individuals subject to criminal proceedings. The right to silence applies only to the stage of criminal proceedings, and up to date it has surprisingly not been seriously debated. A criminal may have caused individuals and society major loss, damage or suffering; in principle one would expect that he would be obliged to assist in the clearing-up of the case, particularly if this could ameliorate or repair the negative consequences of the crime. But this is not the way it is looked at. The suspect is under pressure, and must not be faced with the choice of lying or confessing

last edited by mooby at 21:05:54 08/Nov/09

Well, I dont see it on Usenet yet

Ok, so it is on Usenet now.

.torrent > NNTP

.torrent > NNTP

Good. That's exactly how we want it to be.

.torrent > NNTP

If you like spending your time uploading, not always getting things at full speed, waiting for releases and worrying about ratios then maybe :)

If you like spending your time uploading,

Nope. I dont do that. Uploads dont count anyway for me towards my monthly usage so its not like it matters.

not always getting things at full speed,

Almost everything i download comes down at 400KB+/s-800KB/s. Thats by no means slow.

waiting for releases and worrying about ratios then maybe :)

Yeah since there is so few people using torrents ... stuff takes ages to get up right? LOL.