MS unleashes legal attack dogs to lick up COFEE spill

Microsoft unleashed its legal attack dogs to remove its leaked forensics tool from a respected security site, it has emerged.

Cryptome.org was issued with a take-down notice shortly after Microsoft's point-and-click "computer forensics for cops" tool leaked onto the web earlier this month. Redmond's lawyers acted over allegations that Cryptome was offering copies of its COFEE computer forensics utility via its website and days after acknowledging the utility was at least briefly available via BitTorrent.

COFEE (Computer Online Forensic Evidence Extractor) is a package of forensics utilities bundled onto a specially adapted USB stick, and is designed to allow police officers to collect digital evidence from a suspect's PC at a scene of crime or during a raid. The technology can be used to recover internet activity, scan files and obtain a list of processes running on an active computer at the scene of an investigation without interfering with the machine.

Redmond makes the utility (actually a bundle of 150 applications) available at no charge to law enforcement agencies via Interpol. The leak of the tool earlier this month created fears that the software might fall into the hands of miscreants and spur the development of countermeasures.

Microsoft responded to these fears by stressing that the utility was a bundle of commercially available applications and that no secret data was leaked. A statement issued on behalf of Richard Boscovich, senior attorney of Microsoft's Internet Safety Enforcement Team, also acknowledged the software had been made available through BitTorrent, a development that meant anyone might have been able to download the software.

We have confirmed that unauthorised and modified versions of Microsoft’s COFEE tool have been improperly posted to bit torrent networks for public download. We strongly recommend against downloading any technology purporting to be COFEE outside of authorised channels – both because any unauthorised technology may not be what it claims to be and because Microsoft has only granted legal usage rights for our COFEE technology for law enforcement purposes for which the tool was designed. Note that contrary to reports, we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern. COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals; its value is in the way COFEE brings those tools together in a simple and customisable format for law enforcement use in the field.

In cooperation with our partners, we will continue to work to mitigate unauthorised distribution of our technology beyond the means for which it’s been legally provided and, again, would strongly discourage people from downloading unauthorised versions of the tool. As always, law enforcement wishing to use COFEE can safely get the latest released version of the tool free of charge through the established channels with both NW3C and INTERPOL by contacting NW3C at www.nw3c.org or INTERPOL.

Microsoft supplied this statement of 11 November two days before firing off its legal nastygram to Cryptome.org on 13 November. Since COFEE was already available via BitTorrent the legal action might seem slightly overboard, though consistent with Redmond's promise to chase unauthorised distribution of the code.

Security experts we quizzed on this point, however, said Microsoft was well within is rights to ask sites to stop offering copies of the tool for download. In any case, Cryptome.org complied with Microsoft's order. Copies of correspondence pertaining to the COFEE take-down order have been posted by Cryptome here. ®