Over the last few weeks there has been a lot of chatter about a tool we provide in a Beta version to Law Enforcement called COFEE: Computer Online Forensic Evidence Extractor.
Let me give you some information on COFEE and put it into the proper context.
I am personally convinced that every company has an obligation to work towards making the Internet a safer place. Amongst other things, this means a close collaboration with Law Enforcement.
Let's face it: Most of security is about crime prevention!
Now, Microsoft has a team internally working with Law Enforcement running different programs:
Let's come back to COFEE: During LE Tech, a conference in Redmond we organized for Law Enforcement organizations from around the world, we invited a few journalists to some of the sessions. As a result, a story appeared in The Seattle Times called "Microsoft device helps police pluck evidence from cyberscene of crime". In my opinion, there was a very good quote, attributed to Brad Smith (Microsoft Senior Vice President and General Counsel), on the programs above: "These are things that we invest substantial resources in, but not from the perspective of selling to make money," Smith said in an interview. "We're doing this to help ensure that the Internet stays safe."
The target audience for COFEE is a forensic investigator with very limited knowledge of IT forensics. There are many standard forensic tools that law enforcement officers routinely use to capture information from a computer for analysis. In most investigation scenarios these tools have to be used to extract information at the scene of an investigation, as powering down the computer could lead to loss of data and potential evidence.
The COFEE tool automates many of these existing tools and delivers them via a thumb drive, making it quick and easy to use in an investigation scenario – as stated above – for the investigator with very limited knowledge of IT forensics.
I have seen and heard a lot of inaccurate information about what COFEE is and does, so I wanted to spend some time addressing these misconceptions:
The tool allows law enforcement to run over 150 commands on a live computer system and save the results for later analysis, preserving information that could be lost if the computer had to be shut down and transported to a lab.
So I hope I have been able to show that Microsoft is committed to helping address cybercrime and that our collaboration with law enforcement organisations is an important element of that.