[ISN] Microsoft Forensics Tool For Law Enforcement Leaked Online

[InfoSec News]

http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221600872

By Kelly Jackson Higgins
DarkReading
Nov 09, 2009 

A forensics tool built by Microsoft exclusively for law enforcement 
officials worldwide was posted to a file-sharing site, leaving the 
USB-based tool at risk of falling into the wrong hands.

COFEE is a free, USB-based set of tools, which Microsoft offers only to 
law enforcement, that plugs into a computer to gather evidence during an 
investigation. It lets an officer with little or no computer know-how 
use digital forensics tools to gather volatile evidence.

COFEE was posted, and then later removed, from at least one file-sharing 
site, but security experts say the cat is now out of the bag. While many 
forensics tools with similar functionality as Microsoft's Computer 
Online Forensic Evidence Extractor (COFEE) are available, security 
experts still worry the bad guys will use their access to the tool to 
figure out ways to circumvent it.

Chris Wysopal, CTO at Veracode, says the danger is that a detection tool 
will be written for COFEE so that the bad guys can cover their tracks. 
"Someone will build a detector so that machines will wipe themselves or 
give rootkit-like fake answers if this USB is inserted into a computer," 
Wysopal says.

One researcher who got a copy of COFEE online says bad guys could abuse 
the tool by taking one of its DLLs and loading it into a compromised 
machine's memory, where it then dumps stored clear-text passwords to a 
file.

[...]