Microsoft's COFEE

  • xor
    replied
    Re: Microsoft's COFEE

    Originally posted by astcell View Post
    Users ought to defend themselves by Taking Evasive Action (TEA).
    Is this what you are referring to, Astell? :-)



    Ravager taking evasive action

    xor



  • xor
    replied
    Re: Microsoft's COFEE

    So what they are basically saying is that if you are doing something illegal you should use an encrypting (preferably custom/home-grown) file system/boot partition, and make sure you don't leave your computer on all the time, and/or pull the plug and/or have some sort of power-down tripwire set up in case of unauthorized entry.

    So I guess this invalidates the FBI play book of cut the power during a stand off.

    You are better off coming in covertly over the wire when available, securing said system from further tampering, and then busting in.

    xor



  • DaKahuna
    replied
    Re: Microsoft's COFEE

    Originally posted by the_wodon View Post
    Although a nice little tool which I am sure they will find helpful, there are already a plethora of commercial and open source products which do pretty much the same thing.

    COFEE only deals with live, logged on machines that you have not only physical access to but can also interact with. It is a preconfigured set of batch files which run lots of already available tools.
    Helix can do pretty much the same thing and is open source, alternatively there is the Encase FIM.

    So very, very true. I understand the secret sauce in COFEE is that (1) it requires administrative privileges and (2) it automates over 150 different commands.

    Some of those already available products are listed here:


    http://www.news.com/8301-10789_3-9932600-57.html



  • astcell
    replied
    Re: Microsoft's COFEE

    Users ought to defend themselves by Taking Evasive Action (TEA).



  • the_wodon
    replied
    Re: Microsoft's COFEE

    Although a nice little tool which I am sure they will find helpful, there are already a plethora of commercial and open source products which do pretty much the same thing.

    COFEE only deals with live, logged on machines that you have not only physical access to but can also interact with. It is a preconfigured set of batch files which run lots of already available tools.
    Helix can do pretty much the same thing and is open source, alternatively there is the Encase FIM.

    The bit regarding getting around encryption refers to the fact that you use this on a running system with its drives already decrypted, not a LEO back door as some think.

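To make the_wodon's description concrete, here is an added example (not from the thread and not Microsoft's tool): a small Python live-response collector that does what a preconfigured set of batch files does, runs a fixed list of already available commands on a live, logged-on machine and hashes every captured output into a manifest so an analyst can later show what was collected and when. The command list and the `is_admin` helper are assumptions for illustration; the point is that such a collector only sees what the running system already exposes, including drives that are mounted and decrypted.

```python
import hashlib
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path

# Constructed list of volatile-data commands (assumption, not COFEE's own set).
DEFAULT_COMMANDS = {
    "processes": ["tasklist"] if os.name == "nt" else ["ps", "aux"],
    "sockets": ["netstat", "-an"],
}


def is_admin():
    """Return True when running with administrative privileges (the tool needs them too)."""
    if os.name == "nt":
        import ctypes
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    return os.geteuid() == 0


def collect(commands, outdir, timeout=60):
    """Run each command, store its raw stdout, and write a SHA-256 manifest for chain of custody."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"started": datetime.now(timezone.utc).isoformat(),
                "admin": is_admin(), "items": []}
    for name, argv in commands.items():
        entry = {"name": name, "argv": argv}
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
            data, entry["returncode"] = proc.stdout, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data = b""
            entry["error"] = repr(exc)  # record the failure, keep collecting the rest
        path = out / f"{name}.txt"
        path.write_bytes(data)
        entry.update(file=str(path), bytes=len(data),
                     sha256=hashlib.sha256(data).hexdigest())
        manifest["items"].append(entry)
    manifest["finished"] = datetime.now(timezone.utc).isoformat()
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "live_response_out"
    report = collect(DEFAULT_COMMANDS, target)
    print(f"collected {len(report['items'])} items into {target}")
```

Outputs are written unmodified and hashed immediately; a missing tool or a timeout is logged in the manifest rather than aborting the run.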


  • astcell
    replied
    Re: Microsoft's COFEE

    Someone will be passing around a CD/DVD at Defcon with the tools on it I am sure.



  • streaker69
    replied
    Re: Microsoft's COFEE

    I'm waiting to hear if Deviant has had the latex glove analysis.

    The /.'ers were all upset over this yesterday. I don't see any problem with it. Once they have physical possession of the machine, there isn't much that can be done to stop them from reading everything on it.

    Unless of course, you're using full drive encryption, and only a terrorist would use that ;)



  • Thorn
    started a topic Microsoft's COFEE

    Microsoft's COFEE

    This sounds rather neat. According to an MS spokesman in one of the stories, it is a compilation of publicly available forensics tools. It would be interesting to learn which tools the people at MS like for this work.

    http://seattletimes.nwsource.com/htm...msftlaw29.html

    http://blog.seattletimes.nwsource.co...ee_device.html

    http://www.dbtechno.com/computers/20...ty-in-windows/

    http://gizmodo.com/385476/microsoft-...-your-computer

    As an aside, I loved Gizmodo's opening line. It reads like Deviant is in trouble.
    You know how in cop shows they seize deviants' computers and bring them back to the lab for some good ol' latex gloved analysis ...