Sunday, November 08, 2009

Oops! Spilled COFEE, USB flash write/block thoughts, and nice tips


“spilled the goodness” flickr cc image by Fricke_K

In case you haven’t seen it yet…

COFEE stands for the Computer Online Forensic Evidence Extractor which is a forensics tool made by Microsoft and distributed to law-enforcement groups.  As such it seems to have a strange aura about it and sometimes generates discussions along the lines of the MiB.

AFAIK, it is just another tool that builds on WinPE technology and incorporates some automated tools (many of which are reported to be commonly available, free system and forensics utilities).  For most non-law-enforcement folks it is something like “dark magic”.  I suspect for most forensics pros it’s just one of many tools in the toolbox.

Anyway, it seems that it was accidentally leaked onto the Net via one or more torrent sites and is now in the wild.  And it seems to be generating more yawns than MiB snatchings among those who have cared to download it.

So far, only Martin over on his Network Security Blog has posted a thoughtful consideration on the impact, if any, this spill has: » Ethics of spilled COFEE

I’ve not bothered to download it, and probably won’t.  I’ve already got more than enough Windows PE boot systems, Linux Forensic LiveCD distros, and freeware forensics and system utilities that allow me more than enough avenues to take while assessing and analyzing a system; some but not all of which are automated.

In the end, while such tools can greatly aid an investigator sorting through ever-growing drive volumes, discovery and accurate analysis remain the domain not of automated tools but of the skill and understanding of the forensic investigator.  Even the best tools can lead a Windows forensics investigation (and the justice that depends on it) astray if the investigator isn’t fully clued in to what the tool’s output actually represents.

Topic Shift…USB storage write-blocking solutions

Miles over at the wonderfully informative and inspirational TinyApps.Org Blog tipped me off to a forensic USB WriteBlocker.  At around $199 it is quite a nice price point, and it doesn’t require the usual slew of cables and connectors that other write-block devices frequently require.

Miles noted this product in particular not just for the write-block protection it can provide when imaging seized USB storage devices during an investigation or incident response, but as an alternative to an endangered tech species: USB flash drives with write/lock switches.  My work-issued Kangaroo brand drive has a write-block switch on it. Miles has found a few others.  The value of these is that they allow us to attach a USB stick loaded with tools/utilities to a suspect or infected system without fear of cross-contamination of the stick.  It’s a critical feature that is getting harder and harder to find on USB sticks.  Thus this tool might provide an (albeit expensive) solution for that bleak future.

One alternative might be to pick up an SD flash card, as many of these still have write-protect switches on them. Couple that with an SD card reader or USB SD card housing and you might hack-n-stein one together in a pinch.

Update: TinyApps bloggist Miles quickly responded with some valuable experiences and research on the effectiveness (or lack thereof) of the SD write/no-write switch.

Takeaway…yes, SD cards with the write-protect tab set, used through a USB reader, “might” be fairly safe, but with the right software it is demonstrably not a 100% bullet-proof solution.  The reason is that the SD tab is only a mechanical indicator: the card itself does not enforce it, so whether it is honored is up to the reader and the host driver.  So again, an optical-disc-based boot system (Linux LiveCD/WinPE) or a physical write-block device specifically designed for that purpose may still be the only viable solutions.  Looks like this is a subject for more research and investigation!

Thanks Miles!

If anyone else has any linkage to offer on the subject of flash-based write/block effectiveness, please drop your tips in the comments!

I’m wondering (and might request a USB WriteBlocker for review) if it could be coupled with a USB2.0 Adapter For IDE/SATA Device to effectively make an ultra-micro physical write-block tool to use with image-capture of IDE/SATA drives.  Not sure.
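Whatever the device (a switch on a stick, an SD tab in a reader, or a $199 blocker), the effectiveness question above is one you can answer empirically. The script below is an added example written for this post; it is not from the original post, from TinyApps, or from any write-blocker vendor. It reads one sector from the raw device, tries to overwrite it with the bit-flipped bytes, reads it back, and reports whether the write was refused by the OS, silently dropped, or actually landed (in which case it puts the original bytes back). The scratch-file self-check, the `probe_write_block` name and the 512-byte sector size are assumptions of this example.

```python
"""Probe whether a write blocker (or a flash drive's write-protect switch) actually
stops writes at the raw-device level.

Added example, not from the original post or any product's documentation.
WARNING: if the blocker does not work this rewrites one sector; run it only against
an expendable, already-imaged device. The original bytes are written back afterwards.
"""
import hashlib
import os
import sys
import tempfile

SECTOR = 512  # assumed sector size; 4Kn devices need 4096


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def _read_sector(device, offset):
    with open(device, "rb") as f:
        f.seek(offset)
        data = f.read(SECTOR)
    if len(data) != SECTOR:
        raise ValueError(f"short read at offset {offset}: device smaller than expected")
    return data


def _write_sector(device, offset, data):
    # O_SYNC (where the platform has it) pushes the write to the device instead of
    # leaving it in the page cache, so a device-level refusal surfaces here or at fsync.
    flags = os.O_RDWR | getattr(os, "O_SYNC", 0)
    fd = os.open(device, flags)
    try:
        os.lseek(fd, offset, os.SEEK_SET)
        written = os.write(fd, data)
        os.fsync(fd)
    finally:
        os.close(fd)
    if written != len(data):
        raise OSError(f"partial write: {written} of {len(data)} bytes")


def probe_write_block(device, offset=0):
    """Attempt to overwrite one sector of `device` and report what happened.

    Returns a dict: 'blocked' is True when the sector reads back unchanged after the
    attempt, 'error' holds the OS error text if the write was refused outright, and the
    two hashes let you compare against a fresh read taken after re-attaching the device.
    """
    original = _read_sector(device, offset)
    probe = bytes(b ^ 0xFF for b in original)  # differs from the original in every byte
    error = None
    try:
        _write_sector(device, offset, probe)
    except OSError as exc:
        error = f"{type(exc).__name__}: {exc}"
    after = _read_sector(device, offset)
    if after != original:
        # The write landed (at least as far as the kernel can tell): restore the sector.
        _write_sector(device, offset, original)
    return {"device": device, "offset": offset, "blocked": after == original,
            "error": error, "sha256_before": sha256(original), "sha256_after": sha256(after)}


def self_check():
    """Run the probe against a constructed scratch file standing in for an unprotected device."""
    content = bytes(range(256)) * 4  # constructed 1024-byte 'device' image
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(content)
        path = tf.name
    try:
        result = probe_write_block(path, offset=SECTOR)
        with open(path, "rb") as f:
            restored = f.read() == content
    finally:
        os.unlink(path)
    return result, restored


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = probe_write_block(sys.argv[1])  # e.g. /dev/sdb or \\.\PhysicalDrive2
        print("blocked" if res["blocked"] else "WRITE WENT THROUGH (sector restored)", res)
    else:
        res, restored = self_check()
        print(f"scratch file: blocked={res['blocked']} restored={restored}")
```

Run it as root/Administrator against the raw device path sitting behind the blocker. A refused write (an `error` with `blocked` True) is the clean result. A `blocked` True with no error means the device silently discarded the write, which is also fine. The one reading to distrust is `blocked` True on a reader that you have not also checked after unplugging and re-plugging the device: the OS page cache can mask what actually reached the flash, so hash the sector again after re-attaching before calling the switch trustworthy.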

Recent WindowsIR Goodness

Finally, the Windows Incident Response blog has had two great posts of late:

In which Harlan tips us to this gem of an update:

Rifiuti, the tool from Foundstone for parsing Recycle Bin INFO2 files, has a version available for Vista Recycle Bins called rifiuti2. This is actually a rewrite of the original code, according to the Google Code page. And yes, there is a version available for Windows.

Equally informative, Harlan tips us to some developments in RegRipper (I can’t wait to see them, having recently gotten to use it in a live-fire incident response).  Also included were suggestions on just how RegRipper could be used against both images and remote (live) systems.
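For anyone who wants to see what rifiuti2 is actually parsing when it handles a Vista-era Recycle Bin: the record format is small enough to decode by hand. The parser below is an added example written for this post, not code from rifiuti2, Foundstone, or Harlan’s blog. It decodes the per-file `$I` metadata records (both the original Vista/7 layout and the later variable-length one) and includes an encoder used only to construct sample records, so it runs without real evidence. The field layout is the widely documented one; the sample paths, sizes and timestamp are constructed.

```python
"""Parser for Windows Vista-and-later Recycle Bin $I metadata records.

Added example, not code from the original post, rifiuti2 or Harlan's blog.
Layout assumed here (per the widely documented $I format):
  offset  0, 8 bytes : format version (1 = Vista/7/8, 2 = Windows 10 1511 and later)
  offset  8, 8 bytes : original file size, little-endian
  offset 16, 8 bytes : deletion time as a FILETIME (100 ns ticks since 1601-01-01 UTC)
  offset 24          : v1: 520 bytes of UTF-16LE path, NUL padded
                       v2: 4-byte path length in UTF-16 code units (NUL terminator
                           included), followed by the path itself
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # MAX_PATH (260) UTF-16 code units


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Return the fields of one $I record as a dict; raises ValueError on malformed input."""
    if len(data) < 24:
        raise ValueError("record shorter than the 24-byte fixed header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        if len(raw) != V1_PATH_BYTES:
            raise ValueError("v1 record truncated: expected 520 path bytes")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        if len(data) < 28:
            raise ValueError("v2 record truncated: missing path length")
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        if len(raw) != nchars * 2:
            raise ValueError("v2 record truncated: path shorter than declared length")
        # the declared length normally counts the terminating NUL; strip it either way
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_dollar_i(version, size, deleted, path):
    """Encode a $I record; used here only to construct sample input for the parser."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted))
    encoded = path.encode("utf-16-le")
    if version == 1:
        if len(encoded) + 2 > V1_PATH_BYTES:
            raise ValueError("path too long for a v1 record")
        return header + encoded.ljust(V1_PATH_BYTES, b"\x00")
    if version == 2:
        nchars = len(encoded) // 2 + 1  # code units including the NUL terminator
        return header + struct.pack("<I", nchars) + encoded + b"\x00\x00"
    raise ValueError("version must be 1 or 2")


def matching_r_name(i_name):
    """The deleted payload for $IXXXXXX.ext is $RXXXXXX.ext in the same directory."""
    if not i_name.startswith("$I"):
        raise ValueError("not a $I file name")
    return "$R" + i_name[2:]


# Constructed sample records (not real evidence).
DELETED_AT = datetime(2009, 11, 8, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_V1 = build_dollar_i(1, 1337, DELETED_AT, r"C:\Users\claus\Desktop\cofee.zip")
SAMPLE_V2 = build_dollar_i(2, 4096, DELETED_AT, r"D:\cases\notes.txt")

if __name__ == "__main__":
    for sample in (SAMPLE_V1, SAMPLE_V2):
        rec = parse_dollar_i(sample)
        print(f"v{rec['version']} {rec['deleted'].isoformat()} {rec['size']:>8} {rec['path']}")
```

Point it at real files by reading each `$I*` under `$Recycle.Bin\<SID>\` and pairing it with `matching_r_name()` for the content. Note that the v1 path field is fixed at 520 bytes, so a 24+520 = 544-byte `$I` file is the tell-tale for the Vista/7 layout; anything else is either the v2 layout or a damaged record, and the parser refuses rather than guesses.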

Good stuff all the way around.

Now where did I put those handy paper towels?

--Claus V.
