The growing use of encryption software– like Microsoft’s own BitLocker– by cyber criminals has led Microsoft to develop a set of tools that law enforcement agents can use to get around the software, executives at the company said.
Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE), to law enforcement last June and it’s now being used by about 2,000 agents around the world, said Anthony Fung, senior regional manager for Asia Pacific in Microsoft’s Internet Safety and Anti-Counterfeiting group. Microsoft gives the software to agents for free.
While Microsoft can point to wide usage of COFEE, some experts are skeptical about using that type of tool to recover data, and even the developer of the product at Microsoft acknowledges that it’s not accepted by some users.
Fung, who initiated the creation of COFEE, spent 12 years as a police officer in Hong Kong, with the final seven dedicated to fighting cybercrime. When he joined Microsoft, he sought to devise a way that agents could do better at finding valuable information on computers used by cyber criminals.
While COFEE doesn’t break BitLocker or open a back door, it captures live data on the computer, which is why it’s important for agents not to shut down the computer first, he said.
COFEE is a set of software tools that can be loaded onto a USB drive. Brad Smith, general counsel at Microsoft, called it a “Swiss Army knife for law enforcement officers,” because it includes 150 tools. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung said. It can be used on a computer using any type of encryption software, not just BitLocker.