By Kelly Jackson Higgins
DarkReading
Nov 09, 2009
A forensics tool built by Microsoft exclusively for law enforcement officials worldwide was posted to a file-sharing site, leaving the USB-based tool at risk of falling into the wrong hands.
COFEE is a free, USB-based set of tools, which Microsoft offers only to law enforcement, that plugs into a computer to gather evidence during an investigation. It lets an officer with little or no computer know-how use digital forensics tools to gather volatile evidence.
COFEE was posted, and then later removed, from at least one file-sharing site, but security experts say the cat is now out of the bag. While many forensics tools with similar functionality as Microsoft's Computer Online Forensic Evidence Extractor (COFEE) are available, security experts still worry the bad guys will use their access to the tool to figure out ways to circumvent it.
Chris Wysopal, CTO at Veracode, says the danger is that a detection tool will be written for COFEE so that the bad guys can cover their tracks.
"Someone will build a detector so that machines will wipe themselves or give rootkit-like fake answers if this USB is inserted into a computer,"
Wysopal says.
One researcher who got a copy of COFEE online says bad guys could abuse the tool by taking one of its DLLs and loading it into a compromised machine's memory, where it then dumps stored clear-text passwords to a file.
[...]