Hong Kong police gets Cofee boost

By Vivian Yeo, ZDNet Asia
Friday, September 05, 2008 04:11 PM

A police officer arrives at the scene of a murder, plugs a thumbdrive into a computer that is still running, and executes some 150 evidence-gathering commands within 15 minutes. A scene from CSI? Not necessarily.

The Hong Kong Police Force's technology crime division is one of many law enforcement departments around the world involved in the testing of Computer Online Forensic Evidence Extractor (Cofee), a free tool from Microsoft which can be loaded onto a portable device such as a USB drive.

Cofee, a program that automates some 150 evidence-gathering commands for computers, was released earlier this year in beta version. Available only to law enforcement agencies, the tool was the brainchild of Anthony Fung, Microsoft's senior regional manager for Internet safety and anti-counterfeiting in the Asia-Pacific region.

Paul Jackson, chief inspector, computer forensics and training, Technology Crime Division, Hong Kong Police Force, told ZDNet Asia Thursday that Cofee is "one of many tools" the force uses to investigate a variety of online crimes and to recover digital evidence.

Data recovered from "live", or running, systems at the scene of a crime have proven to be invaluable in analyzing cases, he said in an e-mail interview.

"Before Cofee was available, similar evidence-gathering functions needed to be carried out using a wider variety of tools," noted Jackson. "Cofee neatly packages these capabilities into one tool which can be swiftly and efficiently deployed--even by non-expert investigators."

According to Jackson, 44 officers in the technology crime division, which falls under the Hong Kong Police's Commercial Crime Bureau, use the tool. Initial usage of the beta software has been in "incidence response" situations, he added, but declined to provide further detail on the nature of the cases.

Cofee, however, is designed to extract information from Windows-based systems. For Linux machines, the Hong Kong Police uses several tools or scripts to collect similar data, which have to be executed by a specialist, said Jackson.

And as the application is still in beta, the investigators do not depend solely on Cofee but also use other tools for validation, noted Jackson.

In an interview with ZDNet Asia last week in Singapore, Microsoft's Fung said law enforcement agencies typically faced challenges in handling computers at the crime scenes, largely due to expensive equipment and lack of trained or expert resources. Hong Kong-based Fung was in the island-state to attend the 13th Annual Conference and General Meeting of the International Association of Prosecutors.

With Cofee, an officer with "no or basic training" can preserve the data in about 15 minutes, and maintain its integrity such that it can be brought back to the forensic labs for analysis, said Fung. In the past, it would take a forensic scientist about three hours to manually execute the commands.

Cofee is based on existing extraction tools, he added. Some of the automated commands include recording the login credentials, providing details of the applications and processes executed at that time, and logging system-to-server communication.

Fung, a former police officer specializing in solving computer-related crimes--having spent 13 years with the Hong Kong Police prior to Microsoft--developed the tool based on his experience in law enforcement and in consultation with police officers in the field. The tool was created by both in-house and external coders.

The software, however, is meant to complement existing tools and is not a silver bullet, stressed Fung. "In fact, in the computer forensics industry, there is no one single tool--[whether available] commercially or through open source code--that can solve all the problems."

According to Fung, the beta phase has closed and Microsoft will issue the release edition "once the legal logistics are complete". The official release does not include support for Windows Vista, but a second version, due shortly, will.



Talkback 1 comments

RAPIER
For those people not lucky enough to be on MSFT's special list to actually get their hands on COFEE, let me suggest you check out RAPIER - you can find it in googlecode.
Open source - does the same things as COFEE.
Posted by anonymous on Tuesday, September 30 2008 07:48 AM

