Free COFEE opens Microsoft BitLocker

Microsoft has released a tool to law enforcement that helps get around the encryption provided by the company’s own BitLocker software, distributed in Windows Vista. PC World has an extensive article about Microsoft's COFEE (Computer Online Forensic Evidence Extractor), which some 2,000 law enforcement officers have been using since last June.

COFEE was created by Anthony Fung, a former Hong Kong cop and now a regional manager in Microsoft's Internet Safety and Anti-Counterfeiting group. COFEE changes the basic police protocols for dealing with suspects' machines. The old protocol was to unplug the machine and take it back to headquarters. That meant a lot of valuable information was lost since police couldn't log in as the suspect when the machine was rebooted. COFEE's solution: plug in a USB drive containing the software and record.

While COFEE doesn't break BitLocker or open a back door, it captures live data on the computer, which is why it's important for agents not to shut down the computer first, Fung said. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung said. It can be used on a computer using any type of encryption software, not just BitLocker. Previously, an officer might spend three or four hours digging up the information manually, but COFEE lets them do it in about 20 minutes, he said.

One critic of the approach is Chris Ridder, a residential fellow at the Stanford Center for Internet and Society, who says COFEE's approach alters the computer. "Any time you're touching a live computer you're changing it in some way," he said. The advantage of taking the computer off and making a complete image of it is integrity, he added. "You've got the original computer locked away in an evidence safe somewhere, so if someone questions the integrity of the image you can verify it against the original," he said. It is, of course, ironic that Microsoft has developed a workaround for its own product – proof, perhaps, that BitLocker isn't all that secure. "Maybe Microsoft should spend its efforts making BitLocker more secure," Ridder said.
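The two positions above (capture volatile state from the live machine before it is powered off, versus image the disk so the copy can later be verified against the original) are not mutually exclusive if the live collection itself is hashed at the moment it is taken. The following is an added example written for this page, not COFEE and not code from Microsoft or PC World: a small Python live-response collector that snapshots the kinds of facts Fung mentions (who is logged on, how long the machine has been up, what is running) and writes a SHA-256 manifest, so an examiner can later show that the collected artifacts were not altered after collection. The `/proc` layout it reads is a Linux assumption; on other platforms the process list and uptime fields are simply absent rather than fabricated.

```python
"""Added example (not part of the original article or of Microsoft's COFEE):
a minimal live-response collector with a hash manifest for later verification."""
import getpass
import hashlib
import json
import os
import platform
import socket
import time
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 of one artifact: the value recorded in the manifest and re-checked later."""
    return hashlib.sha256(data).hexdigest()


def list_processes() -> List[dict]:
    """Running processes read from /proc (Linux assumption); empty list elsewhere."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm", encoding="utf-8", errors="replace") as fh:
                procs.append({"pid": int(pid), "name": fh.read().strip()})
        except OSError:
            continue  # process exited between listdir() and open(); not an error
    return procs


def read_uptime_seconds() -> Optional[float]:
    """Seconds since boot from /proc/uptime (Linux assumption), None if unavailable."""
    try:
        with open("/proc/uptime", encoding="utf-8") as fh:
            return float(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def current_user() -> str:
    """Logged-on account; falls back to the numeric uid in minimal containers."""
    try:
        return getpass.getuser()
    except Exception:
        return str(os.getuid()) if hasattr(os, "getuid") else "unknown"


def collect_volatile() -> Dict[str, bytes]:
    """Snapshot volatile facts and serialise each artifact to bytes so it can be hashed.
    Keys are the file names the artifacts would be written under."""
    artifacts = {
        "system.json": {
            "hostname": socket.gethostname(),
            "platform": platform.platform(),
            "uptime_seconds": read_uptime_seconds(),
        },
        "session.json": {"user": current_user(), "collected_at_epoch": time.time()},
        "processes.json": list_processes(),
    }
    return {name: json.dumps(value, sort_keys=True).encode("utf-8")
            for name, value in artifacts.items()}


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Map each artifact name to its SHA-256, in a stable order."""
    return {name: sha256_hex(data) for name, data in sorted(artifacts.items())}


def verify_manifest(manifest: Dict[str, str], artifacts: Dict[str, bytes]) -> Dict[str, bool]:
    """Per artifact: True when the bytes still match the digest recorded at collection time.
    A missing artifact verifies as False rather than being skipped."""
    return {name: (name in artifacts and sha256_hex(artifacts[name]) == digest)
            for name, digest in manifest.items()}


def write_collection(outdir: str) -> str:
    """Write the artifacts plus manifest.json to outdir; returns the manifest path."""
    os.makedirs(outdir, exist_ok=True)
    artifacts = collect_volatile()
    for name, data in artifacts.items():
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)
    manifest_path = os.path.join(outdir, "manifest.json")
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(build_manifest(artifacts), fh, indent=2)
    return manifest_path


if __name__ == "__main__":
    print("manifest written to", write_collection("live_collection"))
```

The manifest is what answers Ridder's objection in a live-collection setting: the live machine cannot be locked away unchanged, but the collected artifacts can be hashed at acquisition and any later modification shows up as a `False` in `verify_manifest`. In practice the manifest would itself be signed or copied to write-once media; that step is omitted here.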