Skip to content

Does COFEE intrude on Office?

Microsoft has a new tool to peek into computers and intended for law enforcement agencies. But what can it do with Microsoft Office documents and data?

Microsoft is now talking about COFEE, a tool they have released to some law enforcement agencies to let them take a look at Windows computer in a faster, less intrusive way that’s easy to use.

COFEE stands for “Computer Online Forensic Evidence Extractor” and details about what it can do are thin on the ground. That’s understandable from a law enforcement perspective but when you combine a lack of hard facts to a distrust of Microsoft and some government agencies you get plenty of rumor, guesswork and outright paranoia all across the Internet.

Benjamin J Romano at the Seattle Times has good overall coverage of the story quoting facts not supposition and guesswork.

Microsoft says the tools come on a USB ‘stick’ which can be inserted into any running Windows computer – a series of scripts can gather information about what’s on the machine and save it directly to the hard drive. It’s said the tool is useful because it can be used to gather information while the machine is powered on-site and before it’s turned off and removed.

Of course that also means that COFEE could be used on a covert basis to quickly ‘peek’ into a computer and gather information without the owner knowing.  Great for corporate spying on rival companies.

Microsoft says that COFEE is meant for use “by law enforcement only with proper legal authority” but they can’t be so naïve as to believe the tools won’t spread to other people and be used without legal approval. After all, Microsoft hasn’t been able to control piracy of their other products.

It may be that COFEE simply gives easy access to information that a computer professional can already gather.  However it’s that ease of access that makes COFEE a concern to some people – it increases the availability of private information to people with less computer skills but the interest (legal or not) in what’s on someone else’s computer.  The speed benefit alleged with COFEE makes it more useful for secret spying on a computer compared with traditional tools.

For a long time there have been rumors that Microsoft includes a ‘backdoor’ in many of their products – that means a secret method of bypassing password and encryption features to allow unfettered access to a Windows computer. There has never been any proof that Microsoft backdoors exist and the claims seem to have more to do with suspicion of government and Microsoft by the proponents than any hard facts.

Microsoft has said that COFEE doesn’t include any ‘backdoor’ methods of bypassing the encryption systems included in Windows – for example the Bitlocker hard drive encryption in Windows Vista. However there are other password protection features in Windows, Office and other Microsoft applications.

All the web talk about COFEE is focused on web browsing investigation, perhaps because the weight that Microsoft seems to put on the tool being used against child abusers. But there seems to be nothing in COFEE tools that limits their use to just that narrow, but important, part of law enforcement.  The claims about the use of the tool against child abusers and before computers are removed seem calculated to divert attention from the broader use and possibly abuse of COFEE.

Every tool that agencies have is capable of both proper and improper use.  That applies to wiretaps, intercepting mail and many other investigative methods – the difference with COFEE is that computer users don’t really know what could grabbed from their computer.  If the tools are simply a distillation of things that are publicly available then there’s no reason for secrecy.  Microsoft owes it to their customers to make it clear what is and isn’t accessible by COFEE.


COFEE and Microsoft Office

At Office Watch our particular interest, as always, is how COFEE might affect Microsoft Office users. So we’ve asked Microsoft for comment on how COFEE can be used to open password protected files generated by MS Office applications – that includes the older Office 2003 document formats, Office 2007 OOXML document plus less obvious things like password protected Outlook data stores and Access databases.

We’ve asked Microsoft about this but they have declined our invitation to let their Microsoft Office customers know about any changes to the accessibility of documents made with their software.

In short: Microsoft isn’t even saying if they’ve released a tool which can spy on password protected data made with Office applications.  They’ve excluded breaking Vista’s Bitlocker encryption from COFEE’s abilities but is otherwise silent.

There are already commercial products that can unlock password locked documents, files and even computers so it’s never been true that encrypted files are fully safe from snooping. 

Microsoft says there’s no ability “undermine any protections in Windows through secret “backdoors” or other undocumented means”.  Microsoft statements are always carefully worded so look again at that phrase.  It only refers to Windows – no mention of MS Office or any other Microsoft program (what about ‘Internet Explorer’, ‘Outlook Express’ or other program bundled with Windows?).  The words ‘undocumented means’ opens the door for COFEE to break password protections in ways already available in commerical products but made easy and more acessible with Microsoft’s tool.

COFEE and Microsoft’s carefully worded statement leaves open the possibility that there’s now a free, Microsoft developed & sanctioned tool to de-crypt your Office documents.

EXTRA: You can read our questions to Microsoft and Microsoft’s full statement on COFEE on our web site.


What this means for Microsoft’s customers

So where does this leave Microsoft’s paying customers – for Windows or Office?

COFEE is a concern to anyone interested in maintaining some level of privacy in their personal and professional lives.  Microsoft may have done this with the best of intentions but it’s hard to judge when they won’t openly disclose what they have made available.


Your view

Office Watch reader COFEE questions and comments to date seem to depend on the level of trust each person has in their government, law enforcement bodies and Microsoft itself. 

We’d like to know what you think — email us at [email protected] – we’ll publish a selection in a future article.  As always, all reader emails are kept anonymous – no names are published.

About this author