Microsoft slowly seals its lips about its police toolkit

To put a lid on bloggers' speculation about police getting "backdoors" to Windows security, Microsoft is starting to hush up on the subject. In an e-mail to BetaNews on Friday, a spokesperson described COFEE as a "customizable framework."

Despite releasing a few more facts on Friday about a controversial new tool for police officers, Microsoft has now vowed to stay mum on the "exact methods" used by COFEE (Computer Online Forensic Evidence Extractor), as well as about what kinds of passwords -- OS or network, for example -- COFEE might be able to crack.

"Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed," a Microsoft spokesperson wrote, in an e-mail to BetaNews on Friday.

On the other hand, Microsoft's expanded statement to BetaNews on Friday did add some new information to the public pool of knowledge about a tool already distributed to 2,000 police around the globe.

For instance, the spokesperson described COFEE on Friday as a customizable framework, "operating from a USB storage device, that law enforcement can use to leverage publicly available forensic tools and access information on a live Windows system."

Microsoft went on to say, "Microsoft's COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab."

In earlier accounts, COFEE had been variously explained as either a set of software tools or a series of about 150 commands.

As previously reported, COFEE controversy started last week when some bloggers started rumors that Microsoft was handing out "backdoor keys" to Windows security. The blogs got sparked by an article published in the Seattle Times based on an interview with Brad Smith, Microsoft senior VP and general counsel. Last week, Smith gave a talk at a law enforcement conference in Seattle, where he characterized COFEE as a "Swiss army knife for law enforcement officers."

In the Times article, reporter Benjamin J. Romano wrote that COFEE can "decrypt passwords and analyze a computer's Internet activity as data stored in the computer" -- words that soon touched off tirades among several incensed bloggers.

In an update to his article, Romano said a Microsoft spokesperson had later written to him describing COFEE as "a compilation of publicly available forensics tools, such as password security auditing technologies."

Although an initial statement to BetaNews contained no mention of the password tools, a second e-mail from Microsoft provided the information that COFEE does "include password security auditing tools." Subsequently, last Thursday, BetaNews asked Microsoft to identify the kinds of passwords that might be audited or recovered by police using COFEE -- Windows OS passwords, network passwords, or application passwords, for example.

We also asked Microsoft whether the password security auditing tools mentioned by Microsoft are being premiered with COFEE, or whether they are tools which are already readily available elsewhere. Although Microsoft declined to provide more answers to this inquiry specifically, the company's response did shed a little bit more light on what COFEE is, who uses it, and how it was created.


What follows is the full text of Microsoft's final answer on COFEE, as provided to BetaNews on Friday.

I have the following comment to share in regard to your follow-up question. Please note this will be all we have to share about COFEE.

COFEE (Computer Online Forensic Evidence Extractor) is a framework for first responders to customize a set of common forensic tools. It is a framework operating from a USB storage device that law enforcement can use to leverage publically available forensic tools and access information on a live Windows system. COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

COFEE is designed for use by law enforcement only with proper legal authority. It does not contain new forensic tools, but rather is an easy to use, automated forensic tool at the scene. COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret "backdoors" or other undocumented means.

Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed.

History of the Tool:

* Microsoft believes that global public-private sector partnerships are essential to successfully fighting cybercrime in the Web 2.0 environment. Using technology, strategic partnerships, and a foundation of trust, our goal is to turn the positive opportunities which are created by Web 2.0 technologies against the cybercriminals trying to exploit them. COFEE is part of the tools and training that Microsoft provides to law enforcement around the world. It is designed to be used only in circumstances where proper legal authority has been given, such as a court ordered warrant. COFEE is reserved specifically for law enforcement.

* COFEE was first conceived in 2006 by Anthony Fung, formerly of the Hong Kong Cybercrime Police Unit, as a way to simplify the collection of critical volatile evidence at computer crime scenes. With important support from both Microsoft and fellow law enforcement personnel, COFEE achieved a limited release in the summer of 2007 and is now used by forensic examiners in countries the world over."

© 1998-2014 BetaNews, Inc. All Rights Reserved. Privacy Policy.