
Microsoft on COFEE - the full statement

Here are our questions to Microsoft about COFEE and the full, unedited response from Microsoft to those questions.

Office Watch likes to present facts not supposition – and in the case of the COFEE tool there’s far too much guesswork going on. That fact and our specific interest in Microsoft Office issues had us pose a series of questions to Microsoft. Here are the questions and then the full response from Microsoft.

When you read ‘facts’ about COFEE you might find it useful to compare it with the exact words used by Microsoft plus what questions they choose to answer (or not).

Office Watch questions to Microsoft:



  1. Does COFEE allow access to password protected documents (Word / Excel / PowerPoint) – this applies to ‘old’ .doc formats as well as the OOXML/Office 2007 formats.

  2. Does COFEE allow access to Access password protected files in any format?

  3. Does COFEE allow access to password protected Outlook data stores?

  4. What measures or assurances has Microsoft to ensure that COFEE is used (by the law enforcement agencies they’ve issued them to) in manners that are entirely legal and proper?

  5. What measures has Microsoft put in place to ensure that COFEE isn’t distributed to non-approved persons or bodies for illegal, improper or at least unintended use?

  6. Microsoft has spent a lot of time and money developing privacy features into Office and Windows (password protected access to files, NTFS file/folder encryption, BitLocker and beyond). What does the company say to customers who feel those features are now worthless with Microsoft giving away a tool to circumvent those privacy protections?

Here’s the full Microsoft response to the above questions:

COFEE (Computer Online Forensic Evidence Extractor) is a framework for first-responders to customize a set of common forensic tools. It is a framework operating from a USB storage device that law enforcement can use to leverage publically available forensic tools and access information on a live Windows system. COFEE works by being plugged into a running system where a user has already logged on. It enables law enforcement to expedite the evidence gathering process by automating over one hundred different commands that would otherwise have to be typed by hand. COFEE saves the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.

COFEE is designed for use by law enforcement only with proper legal authority. It does not contain new forensic tools, but rather is an easy to use, automated forensic tool at the scene. COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret “backdoors” or other undocumented means.

Because COFEE is designed to be used by law enforcement officials in investigations that deal with highly sensitive evidence and information, the exact methods by which the COFEE tool works cannot be disclosed.

History of the tool:

• Microsoft believes that global public-private sector partnerships are essential to successfully fighting cybercrime in the Web 2.0 environment. Using technology, strategic partnerships, and a foundation of trust, our goal is to turn the positive opportunities which are created by Web 2.0 technologies against the cybercriminals trying to exploit them. COFEE is part of the tools and training that Microsoft provides to law enforcement around the world. It is designed to be used only in circumstances where proper legal authority has been given, such as a court ordered warrant. COFEE is reserved specifically for law enforcement.

• COFEE was first conceived in 2006 by Anthony Fung, formerly of the Hong Kong Cybercrime Police Unit, as a way to simplify the collection of critical volatile evidence at computer crime scenes. With important support from both Microsoft and fellow law enforcement personnel, COFEE achieved a limited release in the summer of 2007 and is now used by forensic examiners in countries the world over.
