April 30, 2008
Microsoft Has a New Forensic Device for Windows Computers
Microsoft is working with law enforcement by creating a USB jump drive that can extract forensic evidence from a computer at the scene of a crime. It's called COFEE, or Computer Online Forensic Evidence Extractor. The device was distributed to selected law enforcement agencies last June. It offers the examiner 150 commands, including ones that can decrypt passwords, analyze hard drives and list Internet activity. More details are in the Seattle Post-Intelligencer. An update to some capabilities is here.
Not much is known about the technical capability of the device in terms of evidence gathering. One of the reasons computers are seized is not only to preserve evidence but also to establish a chain of custody that guards against spoliation. Every time a computer starts, some basic files change during initialization; automatic processes create or edit log files, for example. Any cursory examination of a hard drive likewise has the potential to change its contents, whether in the Internet cache or elsewhere. That's why rigorous forensic processes duplicate a hard drive and examine the copy, leaving the original's contents untouched. How Microsoft's device approaches this problem is not reported.
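To make the preservation point concrete, here is an added example (not Microsoft's code and not anything COFEE does) that simulates the two workflows described above. It stands in for a disk with a constructed byte string, records a SHA-256 hash at acquisition, examines a bit-for-bit copy read-only, and then shows that running a tool on the live machine, which appends a log entry, breaks the hash match that a chain of custody relies on.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample "disk" contents; not a real image, just a byte string
# with a fake boot area and a fake log file so the effects are visible.
SAMPLE_DISK = (
    b"BOOT" * 16
    + b"\n"
    + b"LOGFILE: system start 2008-04-30\n"
    + b"\x00" * 64
)


def sha256_hex(data: bytes) -> str:
    """Acquisition/verification hash used throughout the chain of custody."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> Tuple[bytes, str]:
    """Make a bit-for-bit copy of the source and record its hash at acquisition."""
    image = bytes(source)  # the copy that examiners work on
    return image, sha256_hex(image)


def examine_read_only(image: bytes) -> List[str]:
    """Analysis that only reads the image: extract log-file lines."""
    return [
        line.decode("ascii", errors="replace")
        for line in image.split(b"\n")
        if line.startswith(b"LOGFILE:")
    ]


def live_examination(disk: bytearray) -> bytearray:
    """Models a tool run on the live machine: the operating system writes a
    new log entry, so the original evidence is no longer byte-identical."""
    disk += b"LOGFILE: examiner session started\n"
    return disk


def verify_unchanged(image: bytes, acquisition_hash: str) -> bool:
    """Chain-of-custody check: the data still hashes to the recorded value."""
    return sha256_hex(image) == acquisition_hash


def run_demo() -> Dict[str, object]:
    """Compare both workflows and report whether each preserved the evidence."""
    # Workflow 1: image first, analyze the copy, re-verify the copy afterwards.
    image, acq_hash = acquire_image(SAMPLE_DISK)
    log_lines = examine_read_only(image)
    image_ok = verify_unchanged(image, acq_hash)

    # Workflow 2: examine the live disk; the hash of the original drifts.
    original_hash = sha256_hex(SAMPLE_DISK)
    live_disk = live_examination(bytearray(SAMPLE_DISK))
    live_ok = verify_unchanged(bytes(live_disk), original_hash)

    return {
        "acquisition_hash": acq_hash,
        "log_lines_found": log_lines,
        "image_unchanged": image_ok,       # True: read-only analysis of a copy
        "live_disk_unchanged": live_ok,    # False: the live system wrote to it
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash recorded at acquisition is the value an examiner would later have to reproduce on the stand; any tool that writes to the original, even just a log entry, makes that reproduction impossible, which is exactly the question the post raises about a device run on a live machine.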
Microsoft's General Counsel, Brad Smith, says Microsoft's motivation is to make the Internet safe and not to make money. Laudable, but will it stand up in court? More details will likely come out when the first prosecution based on the device's evidence collection goes to appeal.