TorrentFreak

The place where breaking news, BitTorrent and copyright collide

COFEE Forensic Tool Leaks To What.cd, Admins Ban It

Microsoft’s much sought-after COFEE law-enforcement forensic tool has leaked onto the Internet. One user uploaded it to private tracker What.cd to collect a huge 1.6tb bounty. However, in a sensible move, the admins of the site took action to remove the link and ban further sharing of the tool via the site.

“Law enforcement agencies around the world face a common challenge in their fight against cybercrime, child pornography, online fraud, and other computer-facilitated crimes,” says the marketing blurb on Microsoft’s site.

“They must capture important evidence on a computer at the scene of an investigation before it is powered down and removed for later analysis. ‘Live’ evidence, such as active system processes and network data, is volatile and may be lost in the process of turning off a computer. How does an officer on the scene effectively do this if he or she is not a trained computer forensics expert?”

Using COFEE, of course.

The Computer Online Forensic Evidence Extractor (COFEE) is a piece of software designed for the use of law enforcement agencies, and provided to them free of charge by Microsoft. Largely because of its mystique, it has been a much sought-after piece of code.

Indeed, on the private tracker What.cd, users had offered a huge bounty (a reward for finding and sharing something) of 1.6 terabytes.

During the last day or so, a user – who had only been a member for a matter of weeks – uploaded COFEE.

However, What.cd then took the unusual step of removing the torrent. Not just an unusual step but, in my opinion, a very sensible step indeed.

“Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff,” said What.cd management in a statement.

“And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again),” they added.

According to the site’s staff, neither they nor their host was threatened by Microsoft or law enforcement. The decision was taken purely on the issue of site and member security.

Of course, the tool is now widely available from other sources and while some are saying that the tool is useless to regular Internet users, there are others who disagree. It certainly won’t take long for a detailed analysis to appear.

There will doubtless be lots of finger-wagging and complaints that this tool has become available in this way, but as with unexpected leaks of anything from software, to movies, to music, rarely is the finger pointed at the initial supplier of the material. That is usually way too embarrassing to reveal.


  • Comeoncomcast (aka Andrew)

    It’s on Torrentz lol but that version is a tiny 15MB =S

  • Anonymous

    Also on Piratebay… as usual

  • Comeoncomcast (aka Andrew)

    Sorry Misread ‘To Collect bounty of 1.6tb’ my bad.

    It might be Google Cache huh.

  • Al Ammar

    he he downloading now….

  • lol

    I found 5 copies of this torrent.

    happy sharing fools.

  • Mister Toast

    Won’t be long before DECAF is released, which will block attempts to use COFEE on your machine, I’m sure.

  • Paul London UK

    ok so now i need to either disable my external usb ports or grab a utility that runs a ‘delete dodgy stuff’ or a ‘restart in 5 seconds’ or a ‘immediately format usb stick’ script, every time an unsigned usb mem stick is inserted. Thanks for the heads up

  • Comeoncomcast (aka Andrew)

    Now I know why Cofee tastes so bad.

    @6

    I want Sugar in my Decaf. please? (:

  • Mark

    @6 DECAF LOL

    Good point though, some people will test this and find ways to stop it.

  • diarRIAA

    Everyone knows…once it’s out there, it’s out there.

    The genie is out, compressed, archived and torrented all around the world.

    Microsoft is trying to fight “computer related crimes” and yet their OS is used every day to commit crimes. Ridiculous…they are hypocrites and a nicely written ToU and EULA is supposed to make them completely free of being complicit in all computer crimes.

    Nonsense. As if criminals read that crap.

  • Paul London UK

    ..besides all the good stuff is on my secret hidden linux nas server buried behind a false wall under the stairs that i connect to with wifi, runs with a ups and ive rigged a trip power switch once my little secret area is discovered. the drives in my server have hidden truecrypt drives within them. lol

  • Anonymous

    “Decaf” nice word :)

  • Anonymous

    @11
    You bad boy.

  • California

    Pretty anticlimactic, Microsoft is probably having a good laugh about it right now.

    @11 paranoid much? one wonders what you’re doing to need all that security for :/

  • jon7272

    yes the more security you have the more it tracks attention to yourself lol

  • Giwrgos

    @11
    Don’t forget the dead man’s portable emp killswitch that has to be pushed every 30 minutes :)

  • xen

    @14 I think he’s just holding on to the last bit of privacy he got in the UK.

  • MissedMemories

    @14, he just needs to be sure he isn’t caught…. Standard procedure.

    @6: and then, there will be someone that makes something to avoid Decaf..

    @post: Omg.. Hope they don’t run it over here.

  • pod333

    One wonders how long it will be before the tools used in COFEE are re-engineered for black-hat hacking? Still, yet another reason for avoiding Windows if you have anything of ANY value. I am thinking here of personal data, company information, etc, and not just copyrighted stuff.

  • anagor

    So, the best defense, after seeing the tool and its source code, is …
    to run Linux :)
    This cofee, will work only on win2k and later windows.
    However, in US, the fact that you run Linux is incriminating enough for some over zealous detectives.

  • Zush

    Milk and sugar, please.

  • barista

    That’s my favourite kind of software.

  • pod333

    I guess one burning question is if the tool has any “back door” capabilities, and not just relying on the officer at the scene being able to run it with admin rights. If so, there will be some interesting issues for MS security model to answer for.

  • pod333

    Before anyone else adds to this, remember that even LINUX can be attacked with a lock tool if you have a firewire port:

    http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation

    But that is a hardware issue, and not one that is (easily) addressed by OS changes. Via USB it seems you need the OS’s “cooperation” on the matter.

  • Sendaii

    @20: Don’t you think that they will have forensics tools for Linux and OS X too?

  • nope

    it was banned because it isn’t music you moron

    damn TF, you shouldn’t even get to speak what’s name in front of these public barbarians.

  • T.H.E. S.W.A.R.M.

    nice addition to our collection

    thanks to the uploader :D

  • Removed

    Post moderated

  • anagor

    @25
    I’m talking about this specific tool, which only works on windows.

    Maybe they have similar tools for OS X and Linux, maybe they don’t.
    However, on Linux, there isn’t that much you can do without admin password. And preventing firewire modules from using DMA will render that hack that @24 posted useless also. :)

    BTW: I commented mostly as a joke.
    I do run Linux as my only OS and this fact alone leaves police “computer experts” baffled, as I’ve seen first hand. :)

  • Removed

    Post Moderated

  • Removed

    Post Moderated

  • info_hash: 6448DBC2A0AE2EF2F074BB893E53D78A26711143

    “THIS IS A WHAT.CD EXCLUSIVE RELEASE! IF CAUGHT UPLOADING THIS ANYWHERE ELSE, YOU WILL BE DISABLED!!”

    Why? Elitist pricks.

  • M

    @26, banned because it wasn’t music? They have an Applications category you know.

  • Jemas

    What has no such rule of keeping things exclusive. If that was written, whoever wrote that is a tool.

  • Jemas

    They don’t allow cracking/hacking apps, I believe, but they made an exception to allow cofeee to remain in the request section, perhaps as a joke since it was hard to find. And when it was finally uploaded, staff acted like pus sies.

  • Anonymous

    @32 That comment was not approved by What.CD staff. It was the uploader who wrote that comment.

    @26 What.CD has application and comics sections.

  • Lol

    You can do more damage with Backtrack3/4 than with COFEE. Seriously it doesn’t grab much of value whatsoever aside from one or two items. It really was just a way for an officer who doesn’t know how to do anything computer related to get a bit of info.

    Also, the 15MB torrent is real, it was never any bigger. Can’t comment on all those “FIXED” torrents, but the fix just involves using an MSI extractor on the .msi file.

  • pod333

    @29 Yes, disabling the firewire modules will stop all of that, but that is not really an option if you actually need those ports for normal use (e.g. if you have a DV camera or HDD, etc).

  • Removed

    Post Moderated

  • Jasper van Weerd

    Just wondering… what if it is uploaded by microsoft and tracked around the world?

    *paranoid mode…*

  • Anonymous

    I’m a ICEDTEA user myself.

    Sorry, couldn’t resist. :)

  • Latecia Huff

    or does the app require to be cracked @39-30

  • #YLS#

    A very interesting turn of events indeed…

    In all fairness tho, I think these tools aren’t really that big a threat to the average techie, if you don’t want to be caught with something you’ll know what you’re doing, even with something like Windows.

  • Anonymous

    Yes, there’s not just music on what.cd, there’s apps, comics, ebooks, e-learning videos.

    And yes, there are a lot of ‘hacking’ tools already available.

    The reason people are angry that it was deleted was because before this no other torrent had been removed (at least ones that hadn’t broken the rules), this was an application that people really wanted, and for a long time.

    People had put in lots of their own upload credit and that was what became the 1.6tb bounty.

    Then it was removed when it went up.

    Thankfully people uploaded it to public trackers afterwards.

  • MeAgain

    does anyone know of a utility that when i right click on highlighted text i would get an option to ‘google this’. i seem to spend a lot of time selecting text, copying, opening browser, pasting, searching?????

  • pod333

    @44 Use Opera as your web browser, it has that feature, as well as a “go to web address” if you have highlighted a URL that is not a hyperlink, and an option to translate text by right-click.

  • MeAgainAgain

    long live firefox

  • Charlie Brown

    @33:
    disabled… Lolz. Like a mild limp or something more serious like birth defects??

  • Ben

    @44
    Yes, it’s called Google Chrome

  • Anonymous Coward

    @24

    Just use a computer with an IOMMU and enable its memory protection, with it enabled correctly no device can do DMA to where it should not.

  • http://www.torrentfreak.com enigmax

    Please stop posting links to the software in question.

    If anyone wants to find or research it, please use Google.

    Many thanks

  • Trelew

    My thinking is with corporates running around crying foul, how long would it take them to get the government to have the police use a tool like this to snoop out copyrighted material to be passed to Big Business for them to make a profit in the courts?

  • CoolMate

    Hi Enigmax,

    Sorry mate, Internet is said to be about freedom and you have to allow links or for the matter of fact anything related to software. You can’t say MPAA/RIAA are bullshits (though they are) on the one hand and then put some restrictions here. If u r right in ur sense then so are MPAA. You have to maintain neutrality


  • Anon

    @52

    Are you referencing Neutrality here, or Net neutrality?

    If you’re referencing neutrality, then what TF is doing is nearly the textbook definition, they are neither for nor against you accessing that information. Providing direct links to it on their site would constitute being “for” you obtaining it, censoring that it exists would be “against” you having it. They don’t allow direct links while telling you where you can look at it…neutral.

    And I’m sure you’re not talking about net neutrality since TF isn’t an ISP and can’t discriminate against the data you send across the internet.

    In summation, your post is nonsense, their website is their baby, they can say what happens on it, just as I can tell you what you can or can not do in my home. What they can NOT do is tell you what you can or can not do outside of their site. That’s what the **AA’s do.

  • Anonymous

    Amusing how most of the commenters here are crackheads on this. It’s a tool for the cops to do basic searches for cops that have no IT knowledge. That’s it. Get over it …

  • Redeemer

    @52 this is not the place to post crap.

    Anyone crazy for this stuff can find it using google.

  • Anonymous

    @11:
    Professionals rig the whole building with explosives. Just in case.

  • Jay

    @54

    I don’t know much about this, but it seems to me that the significance of the software leak is that once the public knows the methods used by law enforcement then those with questionable material on their computers can protect themselves from it somehow.

    I’m willing to bet that lots of people in this country are incriminated through the use of this kind of software — potentially disrupting this is a major blow to law enforcement.

    Say, for instance, that “hackers” come out with a program that scrambles or fakes the information that law enforcement routinely extracts for evidence — that evidence can no longer be used in a court case due to contamination.

    I don’t know how these things work (obviously), but people a lot smarter than me could probably figure it out.

  • Anon

    Wow… just a box of win here.

  • duek

    @37
    backtrack may be more effective, but it’s not user friendly.
    This USB thing is made for cops that aren’t geeks, that makes me think that this is also fast at what it does, if it’s easy to replicate then it may be useful.

  • LarrySDonald

    Huh? Anticlimactic doesn’t describe it. Basically all it does is pre-run stuff from a USB drive. Most of *what* it runs are things that are installed on a default windows box anyway, the rest have freeware alternatives everywhere. I’m sure it’s good if you need an idiot to run a brief system summary without messing up, but keeping this super-secret is absurd – any exploit or system diagnose/repair site will have equiv tools legally.

  • Hom3r

    and yet another reason why private sites suck

  • mustangx

    downloaded it out of curiosity and it’s nothing special in any way shape or form, only a noob or a cop would get excited over it. SIW and many other free tools give as much information and more. It’s just this particular app has been closely guarded and kept out of the hands of the public for nearly 2 years, it has developed some “hype” is all.

  • ultraleetj

    from the user guide:
    “Great effort was taken to ensure that the COFEE execution process leaves the smallest footprint possible on the target machine.” … funny how with the microsoft operating systems this is I’m afraid not possible. Especially with unconfigured machines microsoft keeps that inside the .dat files on the user folder (registry), the MRU lists, the temp files, ETC. Let’s keep reading:
    “The specific information collected by COFEE varies depending upon which profile is selected, however” . another flaw–this means that with some tweaking into a guest account and the mpaa cops this tool might just.. not work at all, this is the intro, let’s keep going. Looking at the requirements we, the wanted targets also must have a USB port enabled, as if these people weren’t smart enough to put that into other mediums. What happens when the USB is gone? and what if people have switched to windows 7? that’s another flaw on their wonderful marketing skills package. They should offer a huge prize tag for this… its hard to believe cops would fall for this sort of thing. There’s a complete system encryption already offered w/ other programs so I don’t understand why this tool’s so great either. I have autoplay for my removable drives off as a security precaution and if I wanted I could allow just my USB devices to be put inside this machine. Additionally, I could delete the my computer entries from appearing and switch all system fonts to braille, which many people disregard and don’t know one or 2 things about. There are some more ways to counteract this tool and keeping your stuff on encrypted external hard drives is one of them. Anyway.. they can access the registry dat (I’m sure this is a replacement for regedit since the cops can’t b smart enough to use the standard babysitting tool) … but whatever. There must be better things out there

  • Fry

    @26

    You’re an idiot. There is plenty of content on what.cd that isn’t music. Get your facts straight before running your mouth.

  • ltr

    but did he get the bounty or not?

  • Burt Renynolds

    “does anyone know of a utility that when i right click on highlighted text i would get an option to ‘google this’. i seem to spend a lot of time selecting text, copying, opening browser, pasting, searching?????”

    http://www.mediafire.com/file/wtgjiwtiy4m/Right Click Google.zip

  • late

    anyone that’s getting errors, there’s a pre-extracted version on Gu1337

  • bored

    This is news? This tool has been on the interenets for an age……

  • Nick

    I’m sure this is debatable, but I think it would have been a nice courtesy to avoid outing the name of the site. I mean, it’s even in the headline. Clearly, TF doesn’t mind exposing private communities. Is that good for people that are a part of them? Probably not.

  • Rabbit80

    @66 Burt

    I know I’m gonna get flamed – but use IE8 + Google accelerator…

  • PirateWill

    I laugh at the fools that what.cd admins are.

    They ALL knew about this huge bounty for at least a year and now they don’t allow the app to be on the site? Even after it is in the wild anyway?

    I hope they didn’t cheat the uploader out of his bounty, but knowing what.cd wouldn’t be too shocked if they did.

    The uploader did the right thing, in a free society people need to know how the police gathers their evidence.

    This incident also shows that it is good to have a site like TPB where the admins aren’t little girls that break under pressure.

    Shame on you what.cd!

  • Anonymous

    I just downloaded COFEE and I am going to collect evidence against Vivendi Universal and Ruper Murder.


  • Hom3r

    And yeah I downloaded it – It’s nothing special.
    In fact the info it collects is pretty basic and probably wouldn’t even do any good in a court case. There are many free utilities out there that will collect much more detailed info than this

  • Rboy

    Next tool to be banned MS knife which pops out and whacks off an offending member off when someone is doing a certain something in front of a computer screen.

    I think admins were just a little paranoid of the attention the app might bring to the site. They did not do it out of some social conscience bs.

    I am certain there are plenty of forensic apps out there that are much better but are mostly useless to the average user

  • Anonymous

    @72, I believe the admins still pay the server costs. If you want to do your free speech thing (which is good), do it elsewhere.
    Just a little extra quote from the announcement;
    ‘(…) So much so that user after user voted for the request, adding to the ever-increasing bounty. Everyone seemed to have a good laugh with it, figuring that no one would ever get their hands on it and actually upload it. That was the staff consensus, at least. Several imitators were uploaded and removed, users were warned, and the bounty remained. (…)’

    I can also note to you that this user did not get the bounty taken from him/her.


  • Anonymous

    @72
    The uploader kept the bounty. The admins never expected for anyone to upload COFEE, which is why they left the request up there for more than a year.

  • PirateWill

    @76: If the admins pay for the server, why are they asking for donations? ;)

    Let’s face it, the what.cd admins are not that stupid, they knew that this request would be filled sooner or later. But once it got filled they got scared and acted like fools to try to cover it up or make it go away.

    When I saw that request on what.cd over a year ago I knew that it would make headlines once it got filled. And it was obvious that it would bring a lot of attention to what.cd, too.

  • RIAAtarded

    A lot of private sites have declined to upload this. Proper forensic tools are available if you just google them. They are free and 1000 times better than this windows based crap. Plus they work cross platform. You just need to learn linux.

    As for pulling it I’m not sure it should have been allowed in the first place but that is what.cd call they should award the bounty though if it is true that they did not.

  • audri

    @69 “This is news? This tool has been on the interenets for an age……”

    lol whatever. if that’s the case, then why couldn’t anyone find it until now? multiple blog posts about a leak don’t happen to shit that’s been floating around for ages. And I guarantee that a 1.6TB(!) bounty wouldn’t have stood for so long if it was available.

  • DigChrono

    @20 Really!? Thats pretty f*cked up…

  • lol

    People don’t be tards for once TF has got it right banning links to this program. This is not a cool thing to be using. To the guy who talked about reverse engineering this tool for black hats, I have seen many people talking about using this as a major rootkit tool. Yeah it is available all over public sites but don’t you think that the authorities are going to be watching it closely. But hey its cool coz you use a vpn lol

  • Tub Brumber

    @70

    Google “COFEE” + “What.cd” and take a look at the half a dozen forums that ‘broke’ this news before Torrentfreak before you criticise them for revealing anything

  • ahaha

    cannot see the hype here. its nothing that special. Scan processes running, files, etc. generate checksum to prove no data tampering/alteration has taken place.

    There are already similar programs out there that do the same already…

    :/

  • Verthik

    @44

    Best plugin for Firefox that adds a highlighted text search feature is Hyperwords https://addons.mozilla.org/en-US/firefox/addon/1941

  • Playboyman

    Got it. Might use it. hehe


  • Anon

    Paranoia is caution without reason. Clearly, there is enough reason.

    I use Deep Freeze and everything I download or do not only is deleted when I reboot but all settings are reverted and everything I download is added to TrueCrypt containers and the original is “erased” with schneiers 7 pass + 1 pseudo random pass.

    I have an “emergency dismount and wipe cache then shut down” script. It forces dismount of open containers and forces Windows to immediately shut down instead of asking nicely.

    Plus, I use an offshore VPN service and I wear a fake beard when I’m on the internet.

  • villain accelerate

    what is the best VPN service out there these days??

  • some guy

    Useless tool. Utterly useless, see for yourself if you don’t believe me.


  • Tard

    @32
    ” “THIS IS A WHAT.CD EXCLUSIVE RELEASE! IF CAUGHT UPLOADING THIS ANYWHERE ELSE, YOU WILL BE DISABLED!!”

    Why? Elitist pricks.”

    It was a joke u freakin’ tool

  • public

    @PirateWill
    for some reason you seem like a complete twat. they did the right thing and just about every member on what.cd agrees with their decision – it is not worth risking the entire index of the site for one stupid torrent.

    and im sure you totally had a vision of this headline coming a year ago mr visionary man. once again…i just think you’re a twat for some reason.

  • Jimmy

    I guess the people that run What.cd are total pussies, along with whoever keeps censoring LINKs from these comments.

    Are they such gelded cowards that even a LINK gets removed? Maybe they’ve been watching too much 24 and think Jack Bauer is going to kick in their door… you know, because this here police software is ‘serious business’. Wow, just wow.

    What a pack of boot-licking pussies. My respect for this site has dropped from like 0.01 to 0.001.

  • n3td3v

    hmmm..let’s see…some minimal tools doing jobs done better even by sysinternals suite. No FE worth his/her salt will be using this for any examination.

    As for this being dropped from a private tracker, of course they don’t want to danger the gravy train. a tracker with 50000 members take in 5-10K$ in donations every month

  • Soundwave (Have A Cigar)

    That’s nice Jimmy, now hopefully you won’t post again.


  • Soundwave (Have A Cigar)

    If it’s really as weak as you guys say, then I think that the COFEE leak was intentional.

    With Windows 7 here, they obviously have a newer one – probably a more powerful one that can discover more information.

    Just a thought.

  • prawncommander

    The most interesting part of the COFEE fake/real mystery is that if you are in fact able to run the installer (a small minority only) it connects to a specific IP owned by Cambridge university. However, no further connection is made when running the application, nor on uninstallation.

  • Anon

    So I’m guessing they deleted it because it’s a tool used by the **AA and other anti-piracy groups for investigations, so having it on the site would pose a “security risk” somehow.

    Doesn’t it ever occur to them that if what.cd (or any private tracker) has been infiltrated, the people responsible would almost certainly already have this tool, and certainly wouldn’t be downloading from the very tracker they’re targeting? Knee-jerk reaction if ever I saw one.

  • Jeff

    @ #83:

    It is only a matter of time before that happens, and COFEE gets used by cybercriminals in a malicious manner.

    Combine it with a banking trojan like Zeus, and you can imagine the amount of damage they could do with it.

  • Goblin of Openbytes

    Not wanting to spoil the fun here but it should be considered that there’s a lot of excitement about nothing. All this COFEE system does is snapshot a live rig and has the ability to produce a report. There’s nothing magical or secret here and the tools on offer (or similar) can be found legally on the net (and mostly FOSS)

    Presumably MS have included some handshaking code when its plugged into a Windows based system, but it does beg the question how it would handle a Linux rig.

    At the end of the day a simple Linux LiveCD and memory stick combo would certainly scupper any collection of evidence (with COFEE)…again, this is not secret , its basics and it begs the question: why on earth is this considered by some as such a great leak?

    Goblin.
    http://www.openbytes.wordpress.com

  • DarKnight

    I haven’t downloaded this program or seen what it is but from all the comments and reading of the article, it appears to be roughly the same thing as the more widely used EnCase and Sleuth kit (which is open source)

    or is it different? someone care to clear it up for me.

  • amma

    HijackThis can do 90% of this tool’s job, and it’s wildly used to help examine operating system errors.
    So basically This tool is only to help cover the idiocy of the investigators and it will help them not to make any further false accusations.
    this tool gained its fame from its flashy name to many ******.

  • Dummy Cakes

    Ok so I downloaded this SHIT! You people are so retarded. Did you even look in the archive to see what it contains? It contains all of the simple command line tools that come with windows, and thats it. Anyone can type the names of these tools in a CMD prompt, and get the same result. This is homemade it is not even real. Much less could it do any real forensic stuff.

    LOL LOL LOL LOL with a fake pdf file to boot, clearly hand made by someone. The EXE isn’t even digitally signed by microsoft. Which, if it was real, it would be. You all just got PWNT!

  • LOL CAKES

    I know the guy who posted it on pirate bay in the first place. He found it on a microsoft server. Yep, Microsoft sure stuffed up big time.

  • the seashore

    I’m with Soundwave, sounds a bit fishy to me. Its either the obsoleted version or its cheese for the trap!

    And if what you say is true there Cup Cakes, you might be the one that is PWNT!

    Who’s that knocking on your door?

  • Tub Brumber

    @93 Jimmy

    Since when has this NEWS site ever allowed links to warez? They write about them, not help to spread them you imbecile


  • DJ Sketch@133X.org

    Why offer a big 1.6TB bounty and then remove the offending torrent?

    Does What.cd think they are going to stop the distro of this?

    Don’t make much sense to me, its just information in my opinion.

    There are many tools available for free that do a better job than Cofee.

  • Tea

    #1 The real version is only around 15 mb as well. And it was confirmed to be true at what.cd


  • Kickass_Sid

    Isn’t this software kind of a breach of privacy?

    Hope the decaf will be online soon

  • Genieguy

    @108

    What.cd didn’t offer anything – the users did by voting.

  • UNF

    well said by Jimmy @93

    Enigmax, why exactly are you deleting links to torrents of this piggie spytool?

    Are you trying to train your readers on this chicken ranch that links to links = guilt by association and thus liability?

    Is it due to the precious copyright or is your real name just CensorMax GutlessWonder PreEmptor BootLick?

    Also, your ‘reportage’ and this ad-click vehicle site sum to less-than-worthless shit.

    AdBlockPlus is my silver bullet for your lazy, parasitical and cowardly scheme.

  • Tom

    Way to go TorrentFreak for sharing with the world the original source where this program was uploaded to!

    Do you guys know nothing?

    Remove it.

  • JMK

    Yes, TF. Why in the world would you name the torrent site? Couldn’t you simply refer to it as “a popular music sharing tracker” or some other anonymous name?

    DOH!

  • technomage

    Does it run on my linux box?

  • Rob

    Just another piece of software “leaked on to the net” – how I wonder? and who does it ms employees?

    Rob
    http://www.webworth.info

  • Prefect

    There really isn’t much new to the COFEE tool. Here is a full analysis of what it does:

    http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/

  • Anonymous

    I was really afraid of COFEE.. :(

    I actually installed two small blocks of thermite over the ram and hard drive of my computer. The trigger was attached to a track phone that charged off the computers power pack and could last 2 days after shutdown…

    If the cops came all I had to do was hit speed dial #1…

    This makes me sad…

    Well.. on the bright side at least I won’t have to replace 2 stories of floor boards that the thermite would have burned a hole through.

  • Anonymous

    was originally emailed to the uploader by the good people at http://www.nw3c.org/

    Just a lil piece of trivia for ya

  • Anonymous

    @81

    ohh look it was on the internets @July 31, 2008. So surprise surprise you are wrong. Now stfu

    http://209.85.229.132/search?q=cache:np48qVEGLtQJ:www.filefactory.com/file/1f752b/n/COFEE_7z+COFEE.7z&cd=1&hl=en&ct=clnk&gl=uk

  • what?

    The uploader was banned from what…..

  • Fisherman

    Blimey, it’s not rocket science, is it? It was taken down because the site didn’t want the attention that the tool would bring rather than what the absolute pile of crap software can or can’t do. Good decision. Shame about that text file though eh?

  • Anonymous

    @45

    If you want to highlight text and right click and select Google Search, use Google Chrome browser. It has that, amongst hundreds of other useful functions.

  • TimeLord

    Get HELIX from e-fense.com or FTK from accessdata.com and you’ll have a better Windows volatile forensic tool than COFEE from M$.

  • Anonymous

    Here’s what COFEE does by default in case anyone is interested. Very underwhelming to say the least. Interesting that this version only performs around 45 operations…the full version was reputed to have 150+ tools. I smell a planned leak of a crippled tool. I’ll bet the real one can exploit the vulnerabilities that M$ obviously left in Windows.

    Here goes:

    arp.exe -a
    at.exe
    autorunsc.exe
    getmac.exe
    handle.exe -a
    hostname.exe
    ipconfig.exe /all
    msinfo32.exe /report %OUTFILE%
    nbtstat.exe -n
    nbtstat.exe -A 127.0.0.1
    nbtstat.exe -S
    nbtstat.exe -c
    net.exe share
    net.exe use
    net.exe file
    net.exe user
    net.exe accounts
    net.exe view
    net.exe start
    net.exe Session
    net.exe localgroup administrators /domain
    net.exe localgroup
    net.exe localgroup administrators
    net.exe group
    netdom.exe query DC
    netstat.exe -ao
    netstat.exe -no
    openfiles.exe /query/v
    psfile.exe
    pslist.exe
    pslist.exe -t
    psloggedon.exe
    psservice.exe
    pstat.exe
    psuptime.exe
    quser.exe
    route.exe print
    sc.exe query
    sc.exe queryex
    sclist.exe
    showgrps.exe
    srvcheck \\127.0.0.1
    tasklist.exe /svc
    whoami.exe
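
Added example (not part of the comment above and not COFEE's own code): a command set like the one listed shows up in process-creation logs as a short burst of many distinct enumeration binaries on a single host. The Python below flags such bursts; the log format, host names, time window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Image names from the command list in the comment above (".exe" stripped).
TOOLS = {
    "arp", "at", "autorunsc", "getmac", "handle", "hostname", "ipconfig",
    "msinfo32", "nbtstat", "net", "netdom", "netstat", "openfiles", "psfile",
    "pslist", "psloggedon", "psservice", "pstat", "psuptime", "quser",
    "route", "sc", "sclist", "showgrps", "srvcheck", "tasklist", "whoami",
}

def parse(line):
    """Split a constructed '<ISO time> <host> <command line>' record."""
    ts, host, cmd = line.split(None, 2)
    image = cmd.split()[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if image.endswith(".exe"):
        image = image[:-4]
    return datetime.fromisoformat(ts), host, image

def flag_collection_bursts(lines, window=timedelta(minutes=5), min_distinct=8):
    """Return {host: peak count of distinct listed tools inside one window}."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, image = parse(line)
        if image in TOOLS:
            per_host[host].append((ts, image))
    flagged = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({img for _, img in events[start:end + 1]})
            if distinct >= min_distinct:
                flagged[host] = max(flagged.get(host, 0), distinct)
    return flagged

# Constructed sample: WS-01 runs ten listed tools in ten seconds from removable
# media; WS-02 shows ordinary, scattered use of two of the same binaries.
SAMPLE = [f"2009-11-08T10:00:{i:02d} WS-01 E:\\run\\{cmd}" for i, cmd in enumerate([
    "arp.exe -a", "getmac.exe", "hostname.exe", "ipconfig.exe /all",
    "nbtstat.exe -n", "net.exe share", "netstat.exe -ao", "pslist.exe",
    "tasklist.exe /svc", "whoami.exe"])]
SAMPLE += [
    "2009-11-08T09:12:00 WS-02 C:\\Windows\\System32\\ipconfig.exe /all",
    "2009-11-08T14:40:00 WS-02 C:\\Windows\\System32\\whoami.exe",
    "2009-11-08T14:41:00 WS-02 C:\\Windows\\notepad.exe notes.txt",
]
```

Administrative inventory scripts and other live-response kits produce the same pattern, so a hit is a triage signal, and `min_distinct` needs tuning to the environment.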

  • Chris S.

    Doesn’t What.CD have rules against uploading random apps that have nothing to do with anything? They’re pretty strict about what can and can’t be uploaded, it’s not surprising they took this down. The same thing would happen if you uploaded a movie.

  • Impersonation

    This http://torrentfreak.com/cofee-forensic-tool-leaks-to-what-cd-admins-ban-it-091108/#comment-614187 person is not n3td3v, it’s someone using n3td3v’s name. I want the moderator to remove the person using n3td3v’s name to post comments on this blog.

  • Wayne

    This is hilarious. It only is of danger to those poor bastards running Windows. Once again, Microsoft screws their customers.

  • Dummy Cakes

    @TimeLord

    FTK doesn’t do anything more than the Sysinternals suite of applications does, + Sysinternals is free.

  • bullsballs

    With Linux, I can work cross OS without any need for passwords, as passwords usually are not used with encryption of data on an average user’s drive.
    I just add the suspect drive and read it as standard data. What is funny, I can’t do that with Windows trying to read a Linux drive, but Linux reads Windows, no added software needed!
    I have saved much data on a drive that the Windows OS has failed by doing this! Also found some fun stuff too! Makes people pay for my services quicker!
    Encryption usually falls fast using a dictionary password generator… Especially using vulgar words first!

  • Starbucks

    Why are people freaking out about cofee being used on them by cops? It could be a good thing for criminals. Decaf? I prefer the name “Cofee Creamer”. Break down the code, write a program to detect cofee attempting to be run. Cofee creamer blocks cofee and brings up a fake cofee interface and shows the 20 minute data copy dump. While cofee creamer is faking the stuff, it’s instead shredding files in the background. 20 minutes later, “thanks for destroying all the incriminating evidence for me”.

  • blahrg

    I hope they ban you, you faggot.
