There’s a fair amount of wailing and gnashing of teeth following the leak of Microsoft’s forensic diagnostics package onto the web. But according to our tame computer forensics guy, COFEE is “Just a packaged-up bunch of sysinternals tools. Nothing interesting. It’s for untrained first responders rather than nerdy types.”

So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community. COFEE, if you didn’t know, is Microsoft’s LE-only collection of tools for getting volatile data from a live computer. It stands for ‘Labored Twee Acronym’. It’s not particularly exciting or special or cool, it’s just a handful of tools, all of which are freely available in one form or another, bundled up so that they run nicely from a USB stick. Nothing to see here, please move along.

So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like Slashdot and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool. Whenever the subject’s been raised among colleagues in the LE forensics community, it’s been a source of mild amusement – this torrent of, for the most part, pompous and ill-informed folk riding a wave of their own indignant foamy spit. All this will be lost, like dribble in the rain, now that they know that COFEE is actually a bit crap.

While pondering this it struck me that there’s an observable taxonomy of Internet folk who respond to any news item on the geek sites about computer forensics. For the elucidation of our species, I give you a breakdown.

The Back-Door Men (BDM)
When COFEE is mentioned, these are the ones who gibber about ‘M$’ leaving backdoors in Windows for cops to sneak into. They disapprove of this, but lay some of the blame with the users themselves – any fool knows that you are only safe from The Man if you run Slackjaw Linux, with a custom-rolled kernel that specifically doesn’t load the ‘gubmint_rootkit’ module.

The Man of Few Words (MoFW)
The MoFW will post a comment of no more than 3 words. MoFW has no time for chit-chat, and will post pithy gems like ‘One word: Truecrypt’ or ‘Cops != hackers’. He’s obviously very busy, as he often seems to have read only the first couple of lines of the article and completely misses the point. I like to picture MoFW as the enemy dude from the South Park ‘World of Warcraft’ episode.

The Cops Ain’t Shit (TCAS)
This specimen isn’t anti-police per se, but he does think that any police officer trying to do computer forensics is automatically out of their depth. Regardless of how far through an MSc the officer is, or how many years he’s spent churning out technical reports that meet evidential tests beyond a reasonable doubt, in the eyes of the TCAS he’s just a thick bobby fit for nothing but truncheoning hoodies outside the off licence.

TCAS is an expert on the shortcomings of the Police analyst, and will often impart advice such as ‘Just use Firefox – the cops don’t even think to look for it, as they only know about Internet Explorer’. TCAS knows more than anyone thanks to his position as chief tape-changer and ink-swapper at the local shoe recycling company, and will happily give advice on how the police should have handled the investigation.

The Bitter Paedo (TBP)
An odd one. TBP will often admit to having had trouble with the law, but will never say whether they were charged or convicted. Over the course of a few posts he’ll eventually rant about the indignities of having his house searched by officers from the local paedophile unit, and the unfairness of a system that ‘is itself confused over its attitude to children’.

TBP will leap into the debate like a coked-up goth in a moshpit, flailing at anything that doesn’t duck in time. Favourite targets are CEOP (and Jim Gamble especially), Law Enforcement, lawyers, courts, CPS, that bastard from down the road who did him some unspecified wrong, his ex-wife and the rest of this cruel, unfeeling world. He will often hint at imminent legal actions that will vindicate him and bring the system crashing down, but this never seems to actually happen.

TBP often accuses the police of creating anti-paedophile laws because they don’t have enough people to arrest.

The Amused LE Officer (TALEO)
TALEO seldom appears in the comments threads, preferring to watch and comment amongst their own kind from the relative civilisation of the forensic forums. TALEO generally regards the proceedings with amused aloofness, having seen it all before. When he does appear, it’s usually to deliver a gentle smackdown to TCAS.

