Microsoft’s forensic thumb drive not as evil as first thought
Redmond (WA) – The initial uproar over news of Microsoft’s forensic USB thumb drive appears to be misplaced. Microsoft has confirmed that the drive is just a compilation of publicly available tools and adds that the USB-based toolkit does not “backdoor” or bypass any of Windows’ security features.
Seattle Times reporter Benjamin Romano wrote about Microsoft’s COFEE (Computer Online Forensic Evidence Extractor) device yesterday. Microsoft’s General Counsel Brad Smith described the small USB thumb drive to more than 350 law enforcement officers at a company conference on Monday. Approximately 2000 officers are currently using COFEE, which Microsoft gives away for free.
COFEE helps authorities copy sensitive data and contains 150 commands and tools that can analyze data and help decrypt passwords. Smith said police no longer need to physically seize a computer with this device – they can simply pluck the data off the running machine and leave.
As expected, there was some backlash from the public. Some computer users feared the device could bypass all encryption, which would imply that Microsoft had inserted a backdoor into the operating system. Others worried that the device could fall into the wrong hands.
Microsoft’s Smith and Associate General Counsel Tim Cranton followed up with the Seattle Times and described the device as basically a collection of publicly available tools, much like live security distributions such as Remote Exploit’s BackTrack CD (a great CD, by the way). Cranton added that the device doesn’t contain any new tools, but is rather just an easy-to-use forensic toolkit. A Microsoft spokeswoman also told Romano that it does not circumvent any operating system protections such as Vista’s BitLocker.
So there you have it – Microsoft basically created a USB thumb drive with a bunch of pre-existing security tools and probably dressed it up with a dialog box interface (Visual Basic, anyone?). Not really a big deal from a security viewpoint, but police departments are always strapped for cash and greatly appreciate any free tools they can get.
However, there is a big problem. There’s no mention of the COFEE device having faced any discovery challenges in court. Many of the commercial forensic tools (like EnCase and AccessData) have been used thousands of times in local, state and federal court and have survived numerous hearings and objections. It will be interesting to see how well this device holds up.