| Q. | What is COFEE? |
| A. | COFEE (Computer Online Forensic Evidence Extractor) is a tool that helps simplify the very complex problem of gathering “live” computer evidence of cybercrime. It utilizes common forensics tools to aid officers at the scene in gathering important live evidence with a single USB device. It also provides reports in a simple format for later interpretation by computer experts, or as supportive evidence for computer investigations. This means that first-responder officers on the scene of a crime don’t have to be computer forensic experts to capture live data for later analysis and that this critical information does not have to be lost once a computer is shut down to be taken for a traditional offline forensic analysis. |
| Q. | Who are the intended users of COFEE? |
| A. | COFEE is currently designed exclusively for use by law enforcement officials and is provided at no cost. Law enforcement can find more information about COFEE on our Microsoft Law Enforcement Portal (and associated newsletter). |
| Q. | What benefit does COFEE provide to law enforcement? |
| A. | A common challenge of cybercrime investigations is the need to conduct forensic analysis on a computer before it is powered down and restarted. Important “live” evidence, such as active system processes and network data, is volatile and can be lost in the process of turning off a computer. This means that when gathering evidence, law enforcement must either send trained computer forensics examiners to the crime scene to gather live data or risk losing evidence by having untrained officers gather evidence or remove the computer from the crime scene. COFEE does not provide new forensic tools, but is rather an easy-to-use, automated tool for first responders. Its ease of use, speed, and consistency of evidence extraction are key. The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab. |
| Q. | Who are you working with for distribution and law enforcement training on COFEE? |
| A. | In April 2009, Microsoft and INTERPOL announced that INTERPOL would serve as the principal global distributor for COFEE, given its leading position among worldwide law enforcement agencies and its existing infrastructure both to distribute the tool efficiently and to understand the unique requirements and technical needs of its diverse affiliated regional agencies. While Microsoft is still working to announce a distributor within the United States, with the INTERPOL announcement COFEE is available today at no charge to law enforcement in 187 countries worldwide. For training, Microsoft and INTERPOL are working with the School of Computer Science and Informatics at the University College Dublin, which houses the university’s Cybercrime Center. The center’s staff has experience training law enforcement in computer forensics, and is in the process of expanding its curriculum in this area. In fact, the Cyber Crime Center actively engages with INTERPOL, and other law enforcement agencies, to develop training modules that cover all aspects of computer forensics. UCD’s experience in the field makes it a perfect fit for developing training modules on COFEE that can be delivered efficiently to law enforcement agencies worldwide. Moreover, given the university’s expertise in the forensics field, INTERPOL will have a knowledgeable partner to help configure the tool to meet the individual needs and requirements of all of INTERPOL’s affiliated regional agencies. |
| Q. | What languages is COFEE developed in? |
| A. | COFEE is currently available in six languages: English, French, German, Chinese, Russian and Spanish. |
| Q. | What is the LE Portal (Law Enforcement Portal)? |
| A. | The Microsoft Law Enforcement Portal, launched in September 2006, is a web “portal” that provides law enforcement with secure online access to a centralized resource containing Internet crime-related information as well as tools, training, and technical support to assist in cyber crime investigations. We believe technological solutions like these that facilitate the sharing of resources can be a powerful weapon in the fight against cybercriminals. |
| Q. | Who is the audience for the LE Portal? |
| A. | The LE Portal is designed to be a resource for law enforcement officials focused on cyber crime investigations. The fundamental idea is to give cyber crime focused law enforcement officials a designated contact point for Microsoft in order to support their efforts. The LE Portal is not designed to replace enterprise support arrangements, but rather to be a resource for those customers/partners who do not have a designated support contact at Microsoft. |
| Q. | What kind of information can law enforcement expect to find on the LE Portal? |
| A. | The LE Portal offers targeted technical and investigative support resources, information on specific threats, information on Microsoft enforcement programs and contact information for various Microsoft teams. The Portal also includes online training modules, as well as a calendar of upcoming training sessions, conferences and LE collaborations. |
| Q. | Who maintains and updates the LE Portal? How frequently is it updated? |
| A. | The Microsoft Internet Safety Enforcement team manages the LE Portal with contributions from several groups across Microsoft. It is updated constantly as new information becomes available. |
| Q. | How do law enforcement officials get access to the LE Portal? |
| A. | Since the LE Portal is a Microsoft Extranet application, all users need a Microsoft Partners Account. For access, law enforcement should e-mail leportal@microsoft.com. |
| Q. | Why is Microsoft investing in tools, technologies and training for law enforcement? |
| A. | These programs are just the latest example of Microsoft’s ongoing commitment to helping to create a safer, more trusted Internet experience for everyone, not just Microsoft’s customers. As a company, we believe that public-private partnerships are essential to address the increasing complexities of cybercrime; no one can do it alone. One of the things we hear from government and law enforcement officials is that they need access to the latest training and they need better tools that can aid in sharing information between different agencies. Microsoft provides law enforcement with resources, expertise and information to help them to prosecute cybercrime, not only because it is the right thing to do, but because it also helps keep the Internet safer. |