April 30, 2008, 10:17 AM — The growing use of encryption software -- like Microsoft's own BitLocker
-- by cyber criminals has led Microsoft to develop a set of tools that law enforcement
agents can use to get around the software, executives at the company said.
Microsoft first released the toolset, called the Computer
Online Forensic Evidence Extractor (COFEE), to law enforcement last June
and it's now being used by about 2,000 agents around the world, said Anthony
Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety
and Anti-Counterfeiting group. Microsoft gives the software to agents for free.
While Microsoft can point to wide usage of COFEE, some experts are skeptical
about using that type of tool to recover data, and even the developer of the
product at Microsoft acknowledges that it's not accepted by some users.
Fung, who initiated the creation of COFEE, spent 12 years as a police officer
in Hong Kong, with the final seven dedicated to fighting cybercrime. When he
joined Microsoft, he sought to devise a way that agents could do better at finding
valuable information on computers used by cyber criminals.
When he was an officer, the protocol for handling computer crime was to remove
a computer from the scene of the crime, taking it back to the lab where computer
scientists would search it for information. In many regions of the world this
is still the standard procedure. "At that time everybody followed that
principle, but they knew that once they unplugged the computer, which was the
guideline, a lot of potential information was lost," Fung said.
That's because data on an encrypted system is accessible to police so long
as the criminal has logged on and the PC remains on. But if police shut the
system down, they need to have the criminal's password to get past the encryption
software when the computer boots back up. The release of Vista has accelerated
the problem because BitLocker, a data encryption feature, comes with Windows
Vista Enterprise and Ultimate versions, Fung said.
"Criminals are taking advantage of these technologies like BitLocker,"
Fung said. "BitLocker was the real driving force because it's becoming
ubiquitous." In addition to BitLocker, other hard disk encryption methods,
like one from PGP, also frustrate agents, he said.
While COFEE doesn't break BitLocker or open a back door, it captures live data
on the computer, which is why it's important for agents not to shut down the
computer first, he said.
COFEE is a set of software tools that can be loaded onto a USB drive. Brad
Smith, general counsel at Microsoft, called it a "Swiss Army knife for
law enforcement officers," because it includes 150 tools. A law enforcement
agent connects the USB drive to a computer at the scene of a crime and it takes
a snapshot of important information on the computer. It can save information
such as what user was logged on and for how long and what files were running
at that time, Fung said. It can be used on a computer using any type of encryption
software, not just BitLocker.
Previously, an officer might spend three or four hours digging up the information
manually, but COFEE lets them do it in about 20 minutes, he said.
Still, COFEE has its foes. Some experts say that running any program causes
memory contamination that affects the data agents are looking for on the computers.
"Any time you're touching a live computer you're changing it in some way,"
said Chris Ridder, a residential fellow at the Stanford Center for Internet
and Society.
One reason some agents prefer to take the computer back to the lab and create
an exact image of it is because they can later compare that image to the actual
computer. "You've got the original computer locked away in an evidence
safe somewhere, so if someone questions the integrity of the image you can verify
it against the original," he said.
Agents can't compare data that they collect on a live machine at a crime scene
with the computer later because the act of powering down the machine changes
it, he said.
