So COFEE has finally been leaked onto the Internet. It was inevitable and it’s a wonder that it wasn’t released sooner, but nevertheless it marks a sad day for the Law Enforcement computer forensics community. COFEE, if you didn’t know, is Microsoft’s LE-only collection of tools for getting volatile data from a live computer. It stands for ‘Laboured Twee Acronym’. It’s not particularly exciting or special or cool, it’s just a handful of tools, all of which are freely available in one form or another, bundled up so that they run nicely from a USB stick. Nothing to see here, please move along.
So why the long face, as the horse said to the Easter Island monolith? It’s the lolz. It’s all about the lolz, and a decrease thereof. Every so often COFEE is mentioned on a geek-news site like The Register or Slashdot, and whenever this happens, the comments come alive with a thousand angry, confused, wounded monkeys, all in an uproar about the existence of this pernicious tool. Whenever the subject’s been raised among colleagues in the LE forensics community, it’s been a source of mild amusement – this torrent of, for the most part, pompous and ill-informed folk riding a wave of their own indignant foamy spit. All this will be lost, like dribble in the rain, now that they know that COFEE is actually a bit crap.
While pondering this it struck me that there’s an observable taxonomy of Internet folk who respond to any news item on the geek sites about computer forensics. For the elucidation of our species, I give you a breakdown.
The Back-Door Men (BDM)
When COFEE is mentioned, these are the ones who gibber about ‘M$’ leaving backdoors in Windows for cops to sneak into. They disapprove of this, but lay some of the blame with the users themselves – any fool knows that you are only safe from The Man if you run Slackjaw Linux, with a custom-rolled kernel that specifically doesn’t load the ‘gubmint_rootkit’ module.
The Man of Few Words (MoFW)
The MoFW will post a comment of no more than 3 words. MoFW has no time for chit-chat, and will post pithy gems like ‘One word: Truecrypt’ or ‘Cops != hackers’. He’s obviously very busy, as he often seems to have read only the first couple of lines of the article and completely misses the point. I like to picture MoFW as the enemy dude from the South Park ‘World of Warcraft’ episode.
The Cops Ain’t Shit (TCAS)
This specimen isn’t anti-police per se, but he does think that any police officer trying to do computer forensics is automatically out of their depth. Regardless of how far through an MSc the officer is, or how many years he’s spent churning out technical reports that meet evidential tests beyond a reasonable doubt, in the eyes of the TCAS he’s just a thick bobby fit for nothing but truncheoning hoodies outside the off licence.
TCAS is an expert on the shortcomings of the Police analyst, and will often impart advice such as ‘Just use Firefox – the cops don’t even think to look for it, as they only know about Internet Explorer’. TCAS knows more than anyone thanks to his position as chief tape-changer and ink-swapper at the local shoe recycling company, and will happily give advice on how the police should have handled the investigation.
The Bitter Paedo (TBP)
An odd one. TBP will often admit to having had trouble with the law, but will never say whether they were charged or convicted. Over the course of a few posts he’ll eventually rant about the indignities of having his house searched by officers from the local paedophile unit, and the unfairness of a system that ‘is itself confused over its attitude to children’.
TBP will leap into the debate like a coked-up goth in a moshpit, flailing at anything that doesn’t duck in time. Favourite targets are CEOP (and Jim Gamble especially), Law Enforcement, lawyers, courts, CPS, that bastard from down the road who did him some unspecified wrong, his ex-wife and the rest of this cruel, unfeeling world. He will often hint at imminent legal actions that will vindicate him and bring the system crashing down, but this never seems to actually happen.
TBP often accuses the police of creating anti-paedophile laws because they don’t have enough people to arrest.
The Amused LE Officer (TALEO)
TALEO seldom appears in the comments threads, preferring to watch and comment amongst their own kind from the relative civilisation of the forensic forums. TALEO generally regards the proceedings with amused aloofness, having seen it all before. When he does appear, it’s usually to deliver a gentle smackdown to TCAS.
Any more? Stick ’em in the comments!
Synical Sid
November 11, 2009
Interesting but you have (somehow) missed out the LiL’s
They all have a bunch of strange letters after their surname (so long as they don’t follow sequentially like ABC or JKL, no-one minds). They don’t actually know each other, but they somehow electronically ‘shake’ hands with each other as if they were the best of pals.
Within the LiL there are a LOT of them!
When I first came across them I was astonished to discover that there were literally hundreds of them. How wrong. There are THOUSANDS and they are all joined together by the hip.
They are … The Linked-In Lot: http://www.linkedin.com/
They all join each other’s groups, spreading & manifesting quicker than the W32.MyDoom@mm worm.
Before they know it, they have propagated themselves into every Linked In group with the words ‘forensic’ and ‘computers’.
Those seeking to make a fortune will tick a box called ‘available for employment’ and stupidly enough leave a real contact number.
Then along comes a new worm … W32.MyDoom@employment_agency, which has covertly seen the job adverts on Forensic Focus, and BANG … you’re infected daily.
Beware of the LiL
happyasamonkey
November 12, 2009
Good shout. I often think that Linked In is actually the Illuminatii, who decided to use ‘linkedin.com’ because someone had already got illuminatii.com. Damn domain squatters.
Jason
November 13, 2009
After spending 3 days at a forensics conference this week and hanging out with the law enforcement types there, this post cracked me up. COFEE was only mentioned in a single presentation in which a forensics guy from MS was cracking jokes about it. The collective reaction was, “Yawn…” Great classifications.
For the record, I’m a network security guy and am not LE, though I’m in agreement with TALEO.
happyasamonkey
November 13, 2009
That wasn’t the F3 conference, was it? I’d been really eager to get to that, but my name wasn’t drawn from the hat this year. I’m glad you liked the post anyway – I’ll try to keep ’em coming.
Deon
November 20, 2009
Just like to say great post, had a good cackle. I know a number of LEs and you’ve got them spot on.
ivy
May 25, 2010
Nice Post
John
July 28, 2011
Nice post monkey.
I admit to having a titter at the commentards; obviously reading El Reg has given them the necessary technical and legal nous to be able to comment on the finer points of forensic analysis. I’m always tempted to put my 2p in (all I can afford after added pension contributions) but don’t fancy the almighty shitstorm that starts when someone with actual knowledge dares to correct one of these mighty internet warriors.
But don’t these people know? COFEE is sooo yesterday! We’ve moved onto TEA (Total Electronic Analysis) which lets us exploit all the backdoors in Windows, Linux and Truecrypt to get at all those juicy secrets.
@Synical Sid – funny that about LinkedIn, joined it a little while ago as it was getting pimped around my MSc course – I found it wasn’t quite as good as people were making out. Shameless pimp for my own blog: http://www.jhannon.co.uk/?p=94
happyasamonkey
July 28, 2011
Someone (a certain recently retired Grandmaster of LE forensics, I suspect) started picking apart one of the wannabees on a comments thread once, think it was on El Reg – took him to task on basic technical stuff. It was kinda funny 🙂
TEA? Sooooooo 10 minutes ago! All the smart kids are using the Secret Backdoor Rootkit CD now – I accidentally left one on show a while ago https://happyasamonkey.files.wordpress.com/2010/04/grab-bag-contents.jpg