Saturday, May 10, 2008

COFFEE anyone?

According to IDG News, Microsoft has developed and distributed a program called COFEE to help cops get around certain encryption software. The program, called the Computer Online Forensic Evidence Extractor (COFEE), was sent to law enforcement last June and is now being used by about 2,000 agents around the world, free of charge.

The creator of the program is a former LEO himself. Anthony Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety and Anti-Counterfeiting group, spent 12 years as a police officer in Hong Kong, with the final seven dedicated to fighting cybercrime. According to IDG, "When he joined Microsoft, he sought to devise a way that agents could do better at finding valuable information on computers used by cyber criminals."

COFEE was spawned by the advent of encryption software such as BitLocker, which requires a password to gain access to a computer's encrypted data. Most law enforcement agencies use a procedure that calls for the computer to be turned off and taken back to a lab. Security experts will tell you this is the last thing to do when dealing with an encrypted system: once the machine is powered off, the examiner is left facing the encrypted volume without the key, and whatever was accessible while it was running is gone. The courts have now allowed for the examination and imaging of computers on-scene, so officers and technicians can conduct a proper search.

Encryption software such as BitLocker or TrueCrypt uses very strong encryption algorithms, so strong that it would take a supercomputer countless years to decrypt the data without the key. Depending on the size of the drive and the level of encryption, it would take a significant leap in computer technology for most law enforcement agencies even to begin decrypting it.

The article explains that COFEE is actually a set of software tools that can be loaded onto a USB drive.

Brad Smith, general counsel at Microsoft, called it a "Swiss Army knife for law enforcement officers" because it includes 150 tools. A law enforcement agent connects the USB drive to a computer at the scene of a crime, and it takes a snapshot of important information on the computer. It can save information such as which user was logged on and for how long, and which files were running at that time, Fung said. It can be used on a computer running any type of encryption software, not just BitLocker.

Previously, an officer might spend three or four hours digging up the information manually, but COFEE lets them do it in about 20 minutes, he said.

Taking the computer back to the lab is not a bad practice. It has some advantages, such as evidence integrity: you always have a copy of the original drive. You may not have the time in the field to make such an image.

COFEE may or may not be tamper resistant, and that causes some concern. Rather than depend on programs such as COFEE, law enforcement can, and in some circumstances should, use standard evidence collection procedures along with some good old-fashioned police work. It should be noted that agents in 15 countries, including Poland, the Philippines, New Zealand and the U.S., are using COFEE, Microsoft said. In New Zealand, a forensics examiner recently used COFEE to find evidence that led to the arrest of an individual involved in trading child pornography, said Smith.
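The tamper-resistance worry above is really a question of whether the kit's output can be shown to be unaltered after collection. As an added example (not part of this post, and not COFEE's own code), here is one way a live-response kit can make its snapshot tamper-evident: hash every collected artifact, chain the hashes in a fixed order, and let an examiner later verify both individual items and the whole set. The artifact contents are constructed sample data.

```python
import hashlib
import json

# Constructed sample output of an on-scene collection run (not real data):
# the kind of volatile state the article says COFEE snapshots.
SAMPLE_ARTIFACTS = {
    "logon.txt": b"user=jdoe logon=2008-05-10T09:12:00 session=console\n",
    "processes.txt": b"pid=412 name=lsass.exe\npid=1884 name=truecrypt.exe\n",
    "uptime.txt": b"boot=2008-05-09T22:41:17 uptime_seconds=37843\n",
}

MANIFEST_SEED = b"live-response-manifest-v1"  # hypothetical version tag


def build_manifest(artifacts):
    """Hash every collected artifact and chain the hashes in sorted order,
    so editing, dropping or reordering any item changes the final digest.
    In practice the final digest would be signed or written to a separate
    custody record at collection time, since the manifest alone can be edited."""
    chain = hashlib.sha256(MANIFEST_SEED).hexdigest()
    entries = []
    for name in sorted(artifacts):
        digest = hashlib.sha256(artifacts[name]).hexdigest()
        chain = hashlib.sha256(f"{chain}|{name}|{digest}".encode()).hexdigest()
        entries.append({"name": name, "sha256": digest})
    return {"entries": entries, "final": chain}


def verify_manifest(artifacts, manifest):
    """Return the sorted names of artifacts that were altered, removed or
    added since the manifest was written (an empty list means intact)."""
    expected = {e["name"]: e["sha256"] for e in manifest["entries"]}
    problems = set()
    for name, digest in expected.items():
        if name not in artifacts or hashlib.sha256(artifacts[name]).hexdigest() != digest:
            problems.add(name)
    problems.update(name for name in artifacts if name not in expected)
    return sorted(problems)


def chain_intact(artifacts, manifest):
    """True only if recomputing the whole chain reproduces the recorded final digest."""
    return build_manifest(artifacts)["final"] == manifest["final"]


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    print(json.dumps(manifest, indent=2))
    # Simulate a process list edited after collection and show it is caught.
    altered = {**SAMPLE_ARTIFACTS, "processes.txt": b"pid=412 name=lsass.exe\n"}
    print("tampered:", verify_manifest(altered, manifest), chain_intact(altered, manifest))
```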

Smith and others spoke on Monday at the start of a three-day conference Microsoft is hosting for law enforcement officials at its Redmond, Washington headquarters, to which it invited U.S. and international police, prosecutors and representatives from agencies like the Federal Bureau of Investigation. Microsoft has been hosting the conferences, which invite feedback from law enforcement agents, since 2006, Smith said.
