Computer Online Forensic Evidence Extractor

Martin Brinkmann
Apr 29, 2008
Updated • Dec 8, 2014

The Computer Online Forensic Evidence Extractor (Cofee) is a USB thumb-drive developed by Microsoft that was distributed to more than 2000 law-enforcement officers in 15 countries including the United States, Germany, New Zealand and Poland.

Software on the device supports more than 150 commands that eliminate the need to seize the computer from the scene because it can gather the evidence right there.

The commands can be used to decrypt passwords, analyze the Internet activity and data that is stored on the computer. The advantage of this method is that data can be analyzed while the computer is still connected to a network or the Internet which is not be possible if the computer is seized.

Some blogs have gone so far as to assume that Microsoft would give Vista backdoor keys to the police but the original article at the Seattle Times did not mention that at all. The tools on the USB device provide a set of commands that speed up the evidence gathering process and allow that process to be started while the computer is still running in its local environment.

The original Seattle Times article seems to support that by quoting the head of the Special Assault Unit in the King County Prosecuting Attorney's Office.

The 35 individual law-enforcement agencies in King County, for example, don't have the resources to investigate the explosion of digital evidence they seize, said Johnson, who attended the conference.

"They might even choose not to seize it because they don't know what to do with it," she said. "... We've kind of equated it to asking specific law-enforcement agencies to do their own DNA analysis. You can't possibly do that."

I think it is fair to assume that Microsoft is providing the tools and probably even the training, or at least training manuals, so that law-enforcement agents won't face the decision of what to do with the computers.

Update: Cofee leaked in 2009 to various torrent websites and other sites on the Internet where it has been available for download. The download itself is no use however as it requires other tools only available to law enforcement agencies.

Additional information about Cofee can be found on Wikipedia.


Previous Post: «
Next Post: «


  1. TRiAD said on December 26, 2008 at 7:53 am

    COFEE is not only limited to extract evidence to big-time cybercrime commiters but also pirates and filesharers. Anyway, downloading music, movies, articles, and software without paying it is considered a ‘cybercrime’ to copyright holders. I guess the music, movie, and software companies is gonna be excited on how much they can earn in putting people to jail. COFEE can even see that you have copy-pasted your homework from Wikipedia.

  2. sinesurfer said on May 4, 2008 at 5:51 am

    So….. this thing from MS is going to disclose passwords on PCs…. that run Mac OSX or Linux??!??.

    I would be very surprised.

  3. Transcontinental said on May 3, 2008 at 11:30 am

    Why encrypt the OS, for instance ? I mean, one may keep his data only encrypted without bothering to have the whole disk jailed in and out! Unless we refer to COFEE and Associates, of course!

    I think being on the WWW may drive very naturally minds to paranoia. I dot care not being a sucker, but I care even more – should I have to choose – not becoming insane! Problem is, what is insanity ? After all, like Woody Allen stated, “It’s not because I’m paranoid that it means I have no enemy”!

    This is a mad, mad world. Not always! Let us remain cautious in order to avoid being suspicious!

  4. Jerry said on May 2, 2008 at 11:22 pm

    Privacy to me is a very big deal. Where I live, (Not so good area) Mail box thefts and dumpster diving is at all time high here. After being a victim of both of these tactics, I decided to have all checks, bills, and banking statements stopped being mailed to me and went paperless on-line banking and bill pay.

    This is the main reason I use full disk encryption on a removable drive. Also, me owning a laptop computer for business just shouts out the words, “STEAL ME, PERSONAL INFORMATION INSIDE.” WHHAAAHOOOO

    Deciding weather or not to use encryption is up to you. If you only use your computer for gaming and surfing, don’t bother. But if you do banking, taxes, and bill pay where is you download your statements and store on computer, Oh…Yeah, encryption is a must.

    Thats my two-cents worth. (^_^)/

  5. Transcontinental said on May 2, 2008 at 9:58 pm

    Frankly, if the outcome concerns not highly confidential, not to say classified documents (the later having seldom a private status!), then what is really our relation to privacy?

    In Amsterdam, an old tradition keeps some people not putting curtains in their home, a way of expressing the idea of having nothing to hide. I wouldn’t go that far, but …

    Now, I don’t know if you feel the same, but what really bothers me is less having my privacy stolen than having it made public. What I mean is that, as long as those who would have sneaked into my life ignore that I’m aware of their curiosity, I believe they will be more likely to shut up about what they may have found.

    The idea is that, if both parties remain silent, after all, who cares? :)

  6. Jesse said on May 2, 2008 at 7:29 pm

    *nix sounds better and better every day.

    But I’m sure some law enforcement somewhere has to let this one slip. I’m curious as to what’s on it.

  7. CrazyD said on May 1, 2008 at 6:11 pm

    Not to be outdone by COFEE, Apple has joined the law enforcement support bandwagon by announcing the release of its own forensic application called the Digital Online Numeric Unscrambler Technology (DONUT).
    No word yet on which agency will get a crack at testing the software first or how many flavors the app will be realeased in, but interest is already high among local forces.
    “COFEE & DONUT” said one high ranking officer who wants to remain anonymous, “will definitely take a bYte out of cyber crimes.” He quipped, noting the play-on-word, then adds, “And it sounds delicious!”

  8. Jerry said on April 30, 2008 at 11:42 pm


    Acronis is another good product. I used it a few times. Encryption is not just for classified use anymore. Bottom line is, a lot of people now use it to protect their data from prying eyes.

    TrueCrypt is what I use for my removable USB drives, and it’s 100% free. PGP makes a good full disk encryption too. But, the bottom line is this, want to defeat all those root kits that snatch your password files off your hard disk in order to bypass your Admin passwords to allow someone to get into your computer, then full disk encryption is the only way.

    Just make sure you do lots of research on what name brand to use for your encryption and make sure that company is fully trusted, meaning they don’t slip backdoors and hidden NSA keys in their software.

    Also. you want at least 256 Bit. anything less is just nonsense. One last thing, if you guys all do video capturing, then fully encrypt the partition windows is in, but do not encrypt other partitions that your video capture dumps will goto. If you dump a real time capture in a partition that is encrypted, you’ll get huge frame drops.

  9. Transcontinental said on April 30, 2008 at 8:11 pm

    I use Acronis True Image Home ver. 10, which backups files. I also have version 11 which has the option of to copy sector by sector, but I prefer ver.10 (quicker, enough for me).

    I understand that backing up a partition is the wisest approach.

    I’m only trying to evaluate. I never take a one-way ticket. Before I go further, I try to understand, and keep the option of reversing. But a disk encryption is a tempting idea, should it be only for the idea (no classified documents here!)

  10. Jerry said on April 30, 2008 at 7:52 pm


    There’s a freeware program called, “Drive Image XML” It allows you to make a full compressed image of your Windows, while at the desktop. The only problem is your data will be unencrypted as a image, and you can only restore if your using a boot CD called, “Bart’s Boot Disk”

    There is another way and that would be to use a linux boot disk called, “PMagic – Partitiong Software” Just copy the whole partition from one hard drive to another. The only deal here is if you have a 500GB SATA drive, it’s going to copy the whole drive.

    When I backup, I just clone all partitions on my first hard disk to second hard disk and call it a day. This way nothing is in the open. Just make sure to make a copy of your boot sector or you wont be able to boot your encrypted hard disk if you ever had to restore a partition.

    Before you take my word 100% here, please run some local tests on your own machine to find that ideal plan that works the best for you.

    Good Luck.

  11. Martin said on April 30, 2008 at 7:18 pm

    Update: Via email, a Microsoft spokeswoman said COFEE is a compilation of publicly available forensics tools, such as “password security auditing technologies” used to access information “on a live Windows system.” She cited rainbow tables as an example of other such tools, and “was NOT confirming that COFEE includes Rainbow Tables.”

    Here is an update on the post

  12. Martin said on April 30, 2008 at 7:15 pm

    Transcontinental yes they do work, the data is still encrypted though.

  13. Transcontinental said on April 30, 2008 at 7:04 pm

    Do Drive Image softwares work on encrypted disks? I guess those which backup sectors rather than files should, but not sure.

  14. Jerry said on April 30, 2008 at 6:31 pm


    Yes you are correct, but in most cases I would think all left over data would be flushed from RAM. My concern is having a hard drive in the open that would allow the Cofee USB thumb-drive to locate the PWL files and decrypt them.

    Even if you did manage to get the Windows passwords in RAM, the problem is you don’t have the the dual passwords to boot the encrypted drive that uses its own boot sector software before windows is allowed to boot.

    When your computer is running, you are open to all kinds of attacks, but turned off and power removed, thats another story.

  15. Martin said on April 30, 2008 at 6:16 pm

    Jerry yes full hard drive encryption is the way to go but you still have to be careful. A running computer can still be attacked and even if you did turn off the computer it might be possible to extract information from the RAM.

    Depends how fast they are to cool it. Whoever they are ;)

  16. Jerry said on April 30, 2008 at 6:13 pm

    The only way to defeat this sort of thing would be to use full hard drive encryption, like DriveCrypt Plus, where is the whole drive bit for bit is encrypted and not leaving any files exposed.

    Don’t even bother using WIndows build in encryption as it only encrypts at the file level, still allowing anyone using Linux to view the file contents.

    I’ve been using drivecrypt plus now for a few years and never once had to worry about my data being in the open.

    There are Pros and Cons in using fulll drive encryption. The Pros: The whole hard drive is encrypted, OS and all leaving nothing in the open, and you never worry about sending in a hard drive for repair or exchange and someone looking at the contents (^_^)

    The Cons, you have to enter 2 sets of passwords at bootup, and there is a very small decrease in windows speed, and if you windows crashes and you need to get into the drive to fix a few files, you can’t because whole drive is encrypted.

    My only advice would be to just dump windows all together and go Linux. (:P)

    P.S. even the boot sector is fully encrypted too. If you plan on using this sort of protection, make sure you turn off the computer when you leave the house or when the feds are breaking down your door. Once that OS is turned off, they’re S O L.

  17. Transcontinental said on April 30, 2008 at 4:56 pm

    Microsoft rootkits ? :)

  18. Randy said on April 30, 2008 at 4:33 pm

    This sounds very similar in concept to the USB Hacksaw by Hak5:

    I’m sure the commands aren’t that difficult to determine. Much of this approach is already used by various “security” tools readily available on the internet today. The one thing I find interesting is that it claims to decrypt passwords. I can certainly see that it could quickly and easily dump the locally stored password hash. I expect the password cracking is done later using Rainbow Tables to speed the process.

  19. Dante said on April 30, 2008 at 4:06 pm

    There are already other tools out there that does this kind of thing on the “security” market. That’s why for real sensitive installations, I have high gauss electro-magnets mounted in the PC’s. The wrong sequence of activation will activate the magnet – poof! no more data.

  20. HAL999 said on April 30, 2008 at 2:21 pm

    Hello Martin,

    Would one not then infer that there are either prestored keys or some sort of built in back door into all MS OSes that the vendor ‘provides’ as a ‘service’, to support LEOs ???, i.e., forget the mythical ‘NSA’ key, MS themselves will provide it to you? More validation for MS being the OS of choice for security and trusted applications. Goody goody. HAL999

  21. Beecher Bowers said on April 30, 2008 at 1:45 am

    Hi Martin,
    While the news release doesn’t say they get the keys to the OS, it does say that the tools decrypt the passwords.

    If the tools do indeed decrypt passwords, one would *have* to assume it decrypts them quicker than standard brute force methods to make it any easier on officials and make it unnecessary to move the system.

    This would indicate a backdoor method of access.

    Beecher Bowers

  22. skykid said on April 30, 2008 at 12:30 am

    I wonder when this Cofee will leak in the scene. I would love to play around with it. Most Law Enforcement Agencies are using EnCase now – and I doubt that the tool of Microsoft is better than it.

  23. darkkosmos said on April 30, 2008 at 12:29 am

    When the police are on me I’d probably just pull out the hard drive and send it to north Korea. Let’s see the key work now :D

    1. Joe said on May 6, 2010 at 7:47 pm

      The only real good thing is to just stick a strong magnet on to your HDD then you wont have to worry about anything.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.