Comments on: COFEE Forensic Tool Leaks To What.cd, Admins Ban It

By: blahrg

blahrg — Fri, 20 Nov 2009 16:15:22 +0000

I hope they ban you, you faggot.

By: Starbucks

Starbucks — Fri, 20 Nov 2009 10:47:47 +0000

Why are people freaking out about cofee being used on them by cops? It could be a good thing for criminals. Decaf?, I prefer the name “Cofee Creamer”. Break down the code, write a program to detect cofee attempting to be ran. Cofee creamer blocks cofee and brings up a fake cofee interface and shows the 20 minute data copy dump. While cofee creamer is faking the stuff, it’s instead shredding files in the background. 20 minutes later, “thanks for destroying all the incriminating evidence for me”.

By: Hot Penny Stocks Otc Stock Picks » Blog Archive » Brief: Point-and-click forensics tool leaks to Net

Mon, 16 Nov 2009 22:20:48 +0000

[...] Several security researchers reported that they had been able to download a program from sources on the Internet that claimed to be the forensics software. The program first appeared on what.cd, according to news reports. [...]

By: Russ, wait here! I’ll get help! » Blog Archive » COFFEE leaked

Russ, wait here! I’ll get help! » Blog Archive » COFFEE leaked — Mon, 16 Nov 2009 21:26:02 +0000

[...] http://torrentfreak.com/cofee-forensic-tool-leaks-to-what-cd-admins-ban-it-091108/ http://www.geek.com/articles/news/mysterious-forensics-software-designed-by-microsoft-for-law-officers-hits-bittorrent-sites-20091114/ [...]

By: bullsballs

bullsballs — Thu, 12 Nov 2009 23:17:41 +0000

With Linux, I can work cross OS without any need for passwords, as passwords usually are not used with encryption of data on an average users drive.
I just add the suspect drive and read it as standard data. What is funny, I can’t do that with windows trying to read a Linux drive, but Linux reads windows, no added software needed!
I have saved much data on a drive that the windows OS has failed by doing this! Also found some fun stuff too! Makes people pay for my services quicker!
Encryption usually falls fast using a dictionary password generator… Especially using a vulgar words first!

By: Dummy Cakes

Dummy Cakes — Thu, 12 Nov 2009 04:23:23 +0000

@TimeLord

FTK doesn’t do anything more than the Sysinternals suite of applications does, + Sysinternals is free.

By: Wayne

Wayne — Thu, 12 Nov 2009 00:11:03 +0000

This is hilarious. It only is of danger to those poor bastards running Windows. Once again, Microsoft screws their customers.

By: Impersonation

Impersonation — Wed, 11 Nov 2009 22:31:04 +0000

This http://torrentfreak.com/cofee-forensic-tool-leaks-to-what-cd-admins-ban-it-091108/#comment-614187 person is not n3td3v, its someone using n3td3v’s name. I want the moderator to remove the person using n3td3v’s name to post comments on this blog.

By: Chris S.

Chris S. — Wed, 11 Nov 2009 15:05:49 +0000

Doesn’t What.CD have rules against uploading random apps that have nothing to do with anything? They’re pretty strict about what can and can’t be uploaded, it’s not surprising they took this down. The same thing would happen if you uploaded a movie.

By: Anonymous

Anonymous — Wed, 11 Nov 2009 04:45:12 +0000

Here’s what COFEE does by default in case anyone is interested. Very underwhelming to say the least. Interesting that this version only performs around 45 operations…the full version was reputed to have 150+ tools. I smell a planned leak of a crippled tool. I’ll bet the real one can exploit the vulnerabilities that M$ obviously left in Windows.

Here goes:

arp.exe ?a
at.exe
autorunsc.exe
getmac.exe
handle.exe ?a
hostname.exe
ipconfig.exe /all
msinfo32.exe /report %OUTFILE%
nbtstat.exe ?n
nbtstat.exe ?A 127.0.0.1
nbtstat.exe ?S
nbtstat.exe ?c
net.exe share
net.exe use
net.exe file
net.exe user
net.exe accounts
net.exe view
net.exe start
net.exe Session
net.exe localgroup administrators /domain
net.exe localgroup
net.exe localgroup administrators
net.exe group
netdom.exe query DC
netstat.exe ?ao
netstat.exe ?no
openfiles.exe /query/v
psfile.exe
pslist.exe
pslist.exe ?t
psloggedon.exe
psservice.exe
pstat.exe
psuptime.exe
quser.exe
route.exe print
sc.exe query
sc.exe queryex
sclist.exe
showgrps.exe
srvcheck \127.0.0.1
tasklist.exe /svc
whoami.exe

By: Network Security Blog » Network Security Podcast, Episode 173

Network Security Blog » Network Security Podcast, Episode 173 — Tue, 10 Nov 2009 23:07:14 +0000

[...] COFEE Forensic tool leaked to What.cd, admins ban it – It’s an interesting toy, but the open source community can do better. [...]

By: Network Security Podcast » Blog Archive » Network Security Podcast, Episode 173

Tue, 10 Nov 2009 23:06:21 +0000

[...] COFEE Forensic tool leaked to What.cd, admins ban it – It’s an interesting toy, but the open source community can do better. [...]

By: TimeLord

TimeLord — Tue, 10 Nov 2009 18:03:11 +0000

get HELIX from e-fense.com or FTK from accessdata.com and you’ll have better Windows volatile forensic tool than COFEE from M$.

By: Anonymous

Anonymous — Tue, 10 Nov 2009 17:51:21 +0000

@45

If you want to hilight text and right click and select Google Search, use Google Chrome browser. It has that, amongst hundredths of other useful functions.

By: Fisherman

Fisherman — Tue, 10 Nov 2009 14:53:21 +0000

Blimey, its not rocket science is it? It was taken down because the site didn’t want the attention that the tool would bring rather than what the absolute pile of crap software can or cant do. Good decision. Shame about that text file though eh?

By: what?

what? — Tue, 10 Nov 2009 13:35:23 +0000

The uploader was banned from what…..

By: Anonymous

Anonymous — Tue, 10 Nov 2009 12:31:11 +0000

@81

ohh look it was on the internets @July 31, 2008. So surprise surprise you are wrong. Now stfu

http://209.85.229.132/search?q=cache:np48qVEGLtQJ:www.filefactory.com/file/1f752b/n/COFEE_7z+COFEE.7z&cd=1&hl=en&ct=clnk&gl=uk

By: Anonymous

Anonymous — Tue, 10 Nov 2009 08:02:32 +0000

was originally emailed to the uploader by the good people at http://www.nw3c.org/

Just a lil piece of trivia for ya

By: Anonymous

Anonymous — Tue, 10 Nov 2009 04:03:03 +0000

I was really afraid of COFEE.. :(

I actually installed two small blocks of thermite over the ram and hard drive of my computer. The trigger was attached to a track phone that charged off the computers power pack and could last 2 days after shutdown…

If the cops came all i had to do was hit speed dial #1…

This makes me sad…

Well.. on the bright side at least i wont have replace 2 stories of floor boards that the thermite would have burned a hole through.

By: Prefect

Prefect — Tue, 10 Nov 2009 00:41:32 +0000

There really isn’t much new to this the COFEE tool. Here is a full analysis of what it does:

http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/

By: Rob

Rob — Mon, 09 Nov 2009 23:21:13 +0000

Just another piece of software “leaked on to the net” – how I wonder? and who does it ms employees?

Rob
http://www.webworth.info

By: technomage

technomage — Mon, 09 Nov 2009 19:20:49 +0000

Does it run on my linux box?

By: JMK

JMK — Mon, 09 Nov 2009 17:42:55 +0000

Yes, TF. Why in the world would you name the torrent site? Couldn’t you simply refer to it as “a popular music sharing tracker” or some other anonymous name?

DOH!

By: Tom

Tom — Mon, 09 Nov 2009 16:30:39 +0000

Way to go TorrentFreak for sharing with the world the original source where this program was uploaded to!

Do you guys know nothing?

Remove it.

By: UNF

UNF — Mon, 09 Nov 2009 14:53:08 +0000

well said by Jimmy @93

Enigmax, why exactly are you deleting links to torrents of this piggie spytool?

Are you trying to train your readers on this chicken ranch that links to links = guilt by association and thus liability?

Is it due to the precious copyright or is your real name just CensorMax GutlessWonder PreEmptor BootLick?

Also, your ‘reportage’ and this ad-click vehicle site sum to less-than-worthless shit.

AdBlockPlus is my silver bullet for your lazy, parasitical and cowardly scheme.

By: Genieguy

Genieguy — Mon, 09 Nov 2009 13:57:37 +0000

@108

What.cd didn’t offer anything – the users did by voting.

By: Kickass_Sid

Kickass_Sid — Mon, 09 Nov 2009 13:51:31 +0000

Isn’t this software kind of a breach of privacy?

Hope the dacaf will be online soon

By: Se filtra COFEE, la aplicación usada por agencias forenses para pelear contra los delitos en internet

Mon, 09 Nov 2009 13:03:11 +0000

[...] pocos días COFEE se filtró y se subió a What.cd, uno de los trackers de BitTorrent más famosos del mundo por un usuario que se había [...]

By: Tea

Tea — Mon, 09 Nov 2009 11:03:14 +0000

#1 The real version is only around 15 mb aswell.And it was confirmed to be true at what.cd

By: DJ Sketch@133X.org

DJ Sketch@133X.org — Mon, 09 Nov 2009 11:01:07 +0000

Why offer a big 1.6TB bounty and then remove the offending torrent?

Does What.cd think they are going to stop the distro if this?

Dont make much sense to me, its just information in my opinion.

There are many tools available for free that do a better job than Cofee.

By: MS forensic tool leaked-TorrentFreak « FACT – Freedom Against Censorship Thailand

Mon, 09 Nov 2009 09:47:37 +0000

[...] http://torrentfreak.com/cofee-forensic-tool-leaks-to-what-cd-admins-ban-it-091108/ [...]

By: Microsoft's COFEE forensics tool leaks online - Digiex

Microsoft's COFEE forensics tool leaks online - Digiex — Mon, 09 Nov 2009 09:43:53 +0000

[...] [...]

By: DrWeird

DrWeird — Mon, 09 Nov 2009 08:31:27 +0000

its real.

http://i34.tinypic.com/2rh5mxf.png

By: Bannato il Cofee tanto desiderato

Bannato il Cofee tanto desiderato — Mon, 09 Nov 2009 08:05:34 +0000

[...] Torrent Freak Condividi articolo con i tuoi amici [...]

By: Tub Brumber

Tub Brumber — Mon, 09 Nov 2009 07:45:36 +0000

@93 Jimmy

Since when has this NEWS site ever allowed links to warez? They write about them, not help to spread them you imbecile

By: the seashore

the seashore — Mon, 09 Nov 2009 06:44:34 +0000

I’m with Soundwave, sounds a bit fishy to me. Its either the obsoleted version or its cheese for the trap!

And if what you say is true there Cup Cakes, you might be the one that is PWNT!

Who’s that knocking on your door?

By: LOL CAKES

LOL CAKES — Mon, 09 Nov 2009 05:46:05 +0000

I know the guy who posted it on pirate bay in the first place. He found it on a microsoft server. Yep, Microsoft sure stuffed up big time.

By: Dummy Cakes

Dummy Cakes — Mon, 09 Nov 2009 03:52:06 +0000

Ok so I downloaded this SHIT! You people are so retarded. Did you even look in the archive to see what it contains? It contains all of the simple command line tools that come with windows, and thats it. Anyone can type the names of these tools in a CMD prompt, and get the same result. This is homemade it is not even real. Much less could it do any real forensic stuff.

LOL LOL LOL LOL with a fake pdf file to boot, clearly hand made by someone. The EXE isn’t even digitally signed by microsoft. Which, if it was real, it would be. You all just got PWNT!

By: amma

amma — Mon, 09 Nov 2009 02:29:25 +0000

HijackThis can do 90% of this tool’s job, and it’s wildly used to help examine operating system errors.
So basically This tool is only to help cover the idiocy of the investigators and it will help them not to make any further false accusations.
this tool gained it fame from it’s flashy name to many ******.

By: DarKnight

DarKnight — Mon, 09 Nov 2009 02:28:23 +0000

I havnt downloaded this program or seen what it is but from all the comments and reading of the article, it appears to be roughly the same thing as the more widely used EnCase and Sleuth kit (which is open source)

or is it different? someone care to clear it up for me.

By: Goblin of Openbytes

Goblin of Openbytes — Mon, 09 Nov 2009 01:30:47 +0000

Not wanting to spoil the fun here but it should be considered thats theres alot of excitement about nothing. All this COFEE system does is snapshot a live rig and has the ability to produce a report. Theres nothing magical or secret here and the tools on offer (or similar) can be found legally on the net (and mostly FOSS)

Presumably MS have included some handshaking code when its plugged into a Windows based system, but it does beg the question how it would handle a Linux rig.

At the end of the day a simple Linux LiveCD and memory stick combo would certainly scupper any collection of evidence (with COFEE)…again, this is not secret , its basics and it begs the question: why on earth is this considered by some as such a great leak?

Goblin.
http://www.openbytes.wordpress.com

By: Jeff

Jeff — Mon, 09 Nov 2009 01:01:10 +0000

@ #83:

It is only a matter of time before that happens, and COFEE gets used by cybercriminals in a malicious manner.

Combine it with a banking trojan like Zeus, and you can image the amount of damage they could do with it.

By: Anon

Anon — Mon, 09 Nov 2009 01:00:23 +0000

So I’m guessing they deleted it because it’s a tool used by the **AA and other anti-piracy groups for investigations, so having it on the site would pose a “security risk” somehow.

Doesn’t it ever occur to them that if what.cd (or any private tracker) has been infiltrated, the people responsible would almost certainly already have this tool, and vertainly wouldn’t be downloading from the very tracker they’re targetting? Knee-jerk reaction if ever I saw one.

By: prawncommander

prawncommander — Mon, 09 Nov 2009 00:53:57 +0000

The most interesting part of the COFEE fake/real mystery is that if you are in fact able to run the installer (a small minority only) it connects to a specific IP owned by Cambridge university. However, no further connection is made when running the application, nor on uninstallation.

By: Soundwave (Have A Cigar)

Soundwave (Have A Cigar) — Mon, 09 Nov 2009 00:47:16 +0000

If it’s really as weak as you guys say, then I think that the COFEE leak was intentional.

With Windows 7 here, they obviously have a newer one – probably a more powerful one that can discover more information.

Just a thought.

By: Microsoft COFEE law enforcement tool leaked « AFKnews

Microsoft COFEE law enforcement tool leaked « AFKnews — Mon, 09 Nov 2009 00:26:05 +0000

[...] http://torrentfreak.com/cofee-forensic-tool-leaks-to-what-cd-admins-ban-it-091108/ November 8th, 2009 | Tags: cofee, leak, leaked | Category: Tech [...]

By: Soundwave (Have A Cigar)

Soundwave (Have A Cigar) — Sun, 08 Nov 2009 23:55:29 +0000

That’s nice Jimmy, now hopefully you won’t post again.

By: n3td3v

n3td3v — Sun, 08 Nov 2009 23:52:59 +0000

hmmm..let’s see…some minimal tools doing jobs done better even by sysinternals suite. No FE worth his/her salt will be using this for any examination.

As for this being dropped from a private tracker, of course they don’t want to danger the gravy train. a tracker with 50000 members take in 5-10K$ in donations every month

By: Jimmy

Jimmy — Sun, 08 Nov 2009 23:48:19 +0000

I guess the people that run What.cd are total pussies, along with whoever keeps censoring LINKs from these comments.

Are they such gelded cowards that even a LINK gets removed? Maybe they’ve been watching too much 24 and think Jack Bauer is going to kick in their door… you know, because this here police software is ‘serious business’. Wow, just wow.

What a pack of boot-licking pussies. My respect for this site has dropped from like 0.01 to 0.001.

By: public

public — Sun, 08 Nov 2009 23:30:28 +0000

@PirateWill
for some reason you seem like a complete twat. they did the right thing and just about every member on what.cd agrees with their decision – it is not worth risking the entire index of the site for one stupid torrent.

and im sure you totally had a vision of this headline coming a year ago mr visionary man. once again…i just think your a twat for some reason.