The growing use of encryption by cyber criminals has led Microsoft to develop a set of tools, used recently in one New Zealand case, that allow police to access and extract computer-based evidence, executives at the company say.
Microsoft first released the toolset, called the Computer Online Forensic Evidence Extractor (COFEE), to law enforcement last June and it's now being used by about 2,000 agents around the world, says Anthony Fung, senior regional manager for Asia Pacific in Microsoft's Internet Safety and Anti-Counterfeiting group. The software is given to agents for free.
Agents in 15 countries including Poland, the Philippines, New Zealand and the US are now using it, Microsoft says. In New Zealand, a forensics examiner recently used COFEE to find evidence that led to the arrest of an individual involved in trading child pornography, Brad Smith, general counsel at Microsoft, says.
While Microsoft can point to wide usage of COFEE, some experts are sceptical about using that type of tool to recover data, and even the developer of the product at Microsoft acknowledges that it's not accepted by some users.
Fung, who initiated the creation of COFEE, spent 12 years as a police officer in Hong Kong, with the final seven dedicated to fighting cybercrime. When he joined Microsoft, he sought to devise a way that agents could do better at finding valuable information on computers.
When he was an officer, the protocol for handling computer crime was to remove a computer from the scene of the crime, taking it back to the lab where computer scientists would search it for information. In many regions of the world this is still the standard procedure. "At that time everybody followed that principle, but they knew that once they unplugged the computer, which was the guideline, a lot of potential information was lost," Fung says.
That's because data on an encrypted system is accessible to police only as long as the criminal has logged on and the PC remains on. If police shut the system down, they need to have the criminal's password to get past the encryption software when the computer boots back up. The release of Vista has exacerbated the problem because BitLocker, a data encryption feature, comes with Windows Vista Enterprise and Ultimate versions, Fung says.
"Criminals are taking advantage of these technologies like BitLocker," Fung says. "BitLocker was the real driving force because it's becoming ubiquitous." In addition to BitLocker, other hard disk encryption methods, such as the one from PGP, also frustrate agents, he says.
While COFEE doesn't break BitLocker or open a back door, it captures live data on the computer, which is why it's important for agents not to shut down the computer first, he says.
COFEE is a set of software tools that can be loaded onto a USB drive. Smith calls it a "Swiss Army knife for law enforcement officers", because it includes 150 tools. A law enforcement agent connects the USB drive to a computer at the scene of a crime and it takes a snapshot of important information on the computer. It can save information such as what user was logged on and for how long and what files were running at that time, Fung says. It can be used on a computer using any type of encryption software, not just BitLocker.
Previously, an officer might spend three or four hours digging up the information manually, but COFEE lets them do it in about 20 minutes, he says.
Still, COFEE has its foes. Some experts say that running any program causes memory contamination that affects the data agents are looking for on the computers. "Any time you're touching a live computer you're changing it in some way," said Chris Ridder, a residential fellow at the Stanford Center for Internet and Society.
One reason some agents prefer to take the computer back to the lab and create an exact image of it is because they can later compare that image to the actual computer. "You've got the original computer locked away in an evidence safe somewhere, so if someone questions the integrity of the image you can verify it against the original," he says.
Agents can't compare data that they collect on a live machine at a crime scene with the computer later because the act of powering down the machine changes it, he says.
Ridder, who was not familiar with COFEE specifically, also worries that any forensic software is vulnerable to hacking. "A forensic software maker needs to be very careful to make their software as resistant to tampering as possible," he says. Ridder wrote a paper last year about vulnerabilities in forensic software.
Rather than take the risk of tainting evidence by using products such as COFEE, authorities have alternatives. They can get court orders permitting them to hack into a password-protected file or they may be able to convince a defendant to disclose the password, Ridder says.
Microsoft's Fung says the use of software like COFEE depends on the laws and regulations of countries that may forbid its use. "It's based on their principles and what is required from the court," he says.
Ridder finds it ironic that Microsoft built BitLocker and is now providing law enforcement agents with ways to get around it. "Maybe Microsoft should spend its efforts making BitLocker more secure," he says.
For example, maybe users should have the option of requiring a password that allows access to a USB drive. While some users might find that onerous, others might like to have the option, he says.
He also suggests that BitLocker and other encryption products probably aren't as widely used as Fung says — by cyber criminals or honest computer users. Many people are reluctant to use them because they can slow down a computer or because they worry they might forget their passwords.
"My sense is it's not nearly as big a threat as they would suggest," he says.
— Robert McMillan in San Francisco contributed to this report