A portable toolbox for network admins, software developers, and IT road warriors

over 750 free power-tools in an organized structure you can customize, extend, and carry in your pocket!

Flash Demo - T.E.A. - The Examiner's Application ( WMV media player version )

Microsoft offers a product called 'COFEE', 'for law enforcement use only' ( FBI, Interpol, etc ). "Law enforcement can get COFEE from NW3C at www.nw3c.org or by contacting INTERPOL at COFEE@interpol.int.", they say on their public website. You can read more about it at http://www.microsoft.com/industry/government/solutions/cofee/default.aspx . I do not have the program 'COFEE', and I do not know where to get it other than asking Microsoft, or the email addresses I just offered above. So don't ask, I won't reply if you do.

They call it COFEE, "Computer Online Forensic Evidence Extractor". There's actually nothing 'online' about it, that I know of. It has ZERO 'online' functionality at all ( unless they built some kind of 'phone home' stealth functionality into it - I don't know if they did or did not ). I DO know I don't do things like that ! You won't EVER find ANYTHING like that in my programs !

As I understand COFEE from reading about it on the Web, when they released it, COFEE was rumored to be some kind of 'Super Duper Gary Cooper' Top Secret Spy stuff.

There was apparently quite a bit of hysteria on the part of Microsoft when the product quickly leaked to the Web, via WikiLeaks and other sources. Even the User's Guide ( yes, the PDF instruction manual 'Microsofts Global Criminal Compliance Handbook.pdf' ) was declared 'Verboten'. The lawyers quickly kicked into gear, according to reports at TheRegister and many other websites, issuing takedown notices under the DMCA, getting entire domains shut down and disconnected via DNS, etc. They even forced WIKILEAKS to pull the file ( and THAT ain't easy to do ! ) !!! They managed to have BitTorrents on various sites taken down, too ! That is some SERIOUS legal muscle !!!! http://www.theregister.co.uk/2009/11/24/ms_forensic_tool_take_down/

So, what's the big deal ? What does this Magic Mystery Tool do ? Here's what I understand about it ( in somewhat superficial non-technical terms ) :

It lets you format a USB thumb drive. Wow.

Then it strings together a bunch of basic common DOS-type commands ( IPCONFIG, NETSTAT, NET, NBTSTAT, etc ) to run in a sequence, with command switches, as you would normally do in a *.BAT file, and uses >> to 'pipe' (redirect) the output to disk.

It copies these programs to the USB drive ( why ? Most of these are already present on any Windows computer ? ) I understand that a few of them, like PSFILE.EXE ( freely available from Microsoft at http://technet.microsoft.com/en-us/sysinternals/bb897552.aspx ) are not part of normal Windows distros ( and thus need copying to the USB drive ), but why copy DOS utilities ?? Anyway, that's what they do.

It creates a little EXE called 'Runner.exe', and an autorun.inf file ( so that idiots who leave auto-run enabled on their computers save the LEO officer the trouble of having to open the USB drive in My Computer and click 'runner.exe' ).

It collects the output of the sequence of commands in a disk file on the USB drive ( whoopedy do ! ). It has a 'Report' feature that can show that file in various formats ( TXT, HTML, etc )
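To make the mechanism described above concrete, here is an added example of the kind of batch file that does the same job: a volatile-data collection script run by hand from a USB drive. It is written for this page, not taken from COFEE or from the T.E.A. option, and it assumes a Windows host where the built-in command-line tools are present; the output folder name, the command list and the hashing step at the end are this example's own choices.

```batch
@echo off
REM Added example of a COFEE-style triage script (not COFEE's own script).
REM Assumptions: run manually from a USB drive on a Windows host; all tools
REM used are built in. Output lands in a per-host folder next to this file.

setlocal
set "OUTDIR=%~dp0collect_%COMPUTERNAME%_%RANDOM%"
mkdir "%OUTDIR%"
set "LOG=%OUTDIR%\triage.txt"

REM Record when, where and as whom the collection ran, so the output can be
REM tied back to a host and a time window later.
echo ==== Collection started %DATE% %TIME% on %COMPUTERNAME% as %USERNAME% ==== > "%LOG%"

REM Most volatile data first (network state, sessions, processes), then the
REM slower static inventory. ">>" appends to the log instead of overwriting it.
call :run "ipconfig /all"
call :run "arp -a"
call :run "netstat -ano"
call :run "nbtstat -n"
call :run "net session"
call :run "net user"
call :run "tasklist /v"
call :run "systeminfo"

echo ==== Collection finished %DATE% %TIME% ==== >> "%LOG%"

REM Hash the finished log so later modification of the file can be detected.
certutil -hashfile "%LOG%" SHA256 > "%OUTDIR%\triage.sha256"
echo Output written to "%OUTDIR%"
endlocal
exit /b 0

:run
REM Write a header with the command and a timestamp, then run the command
REM with its switches, capturing both stdout and stderr (2>&1) in the log.
echo. >> "%LOG%"
echo ---- %~1 (%TIME%) ---- >> "%LOG%"
%~1 >> "%LOG%" 2>&1
exit /b 0
```

Two things worth noticing for anyone writing their own: the script is started by hand rather than by autorun.inf, so it does not depend on the autorun setting the page criticises, and commands that need elevation (net session, for example) simply log their error message instead of aborting the run, which keeps one failed command from losing the rest of the collection.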

In summary - it does what any computer-literate admin, programmer, or forensic examiner could do ( and they do it every day ), but puts it all under one button, on a USB stick, so 'Joe Cop On The Beat' can get a 5 minute training session ( plus a three hour doughnut break ): "This is a USB flash drive. Stick it in the computer. Run the program that's on it. Bring it back here and give it to us." OK, I fully understand the benefit of that. I 'get it'. Very cool. But why such a secret ? Is opening a command window and typing in 'IPCONFIG /ALL' a National Security issue ? How about if you put it in a *.BAT file, and add " >MyFile.txt" to it to pipe the output to disk ? I mean, this has only been around since DOS 1.0. Secret ? Give me a break. I think Bill Gates was still enrolled at Harvard when he wrote THAT one !

Well, some of us prefer T.E.A. ! ( disclaimer - I'm a big coffee drinker, although I drink tea, too ). So, I added an option called T.E.A. ( The Examiner's Application ) to my program PMToolindex. It does everything COFEE can do, and then some ! Rather a lot of 'and then some', actually. And it's not 'secret', it's free, and it's everything you ever dreamed of in a refreshing hot beverage!

***************************************************************************************************************************************

LINKS ( as provided by the Google search http://www.google.com/search?hl=en&q=microsoft+cofee ) Also, selecting 'Images' on that same Google search will show various screen shots of the COFEE program, etc.

http://tech.slashdot.org/story/09/11/08/1340208/Microsoft-COFEE-Leaked?from=rss says "reviews have ranged from 'disappointing' to 'useless'." - I tend to agree, 100 %. It's pretty much mundane, and Soooo 'yesterday' ! COFEE is 'basic machine examination for dummies 101'. Most admins, programmers, and other computer specialists have probably written MANY scripts, batch files, etc, over the years that do basically the same thing as COFEE.

http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?blogid=150&entry_id=51360 says "COFEE was so sought after in the computer underground that an enormous bounty of 1.6 terabytes of capacity was offered to the first one who would upload the software." ( what a waste of media ! ) and "Richard Boscovich, a member of Microsoft's internet safety team said, 'Its value for law enforcement is not in secret functionality unknown to cybercriminals. Its value is in the way Cofee brings those tools together in a simple and customisable format for law enforcement use in the field.'" ( I agree with him completely ).

http://arstechnica.com/microsoft/news/2009/11/pirates-get-to-taste-microsoft-cofee.ars says "a Microsoft spokesperson told Ars. 'COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customisable format for law enforcement use in the field.'" - I again agree 100 %. Opening a command window and running commands like 'NET', 'ARP' etc, and piping the output to disk is not exactly ground breaking news.

http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/ talks about some supposed 'counter-COFEE' tool creatively named 'DECAF' that 'protects against COFEE' or something. I'm guessing ( I haven't looked into it, and I don't intend to ) it does silly little mundane things like erasing cookies, browser caches, stored passwords, logs, etc. WOW I'm impressed ( not ! ). What a joke. Just as the 'Super Dooper Gary Cooper' Top Secret characterization of COFEE that seems to have become popular folklore of the day is a joke.