Microsoft Forensic Analysis Tool for Police

Microsoft Has Developed Windows Forensic Analysis Tool for Police

The COFEE, which stands for Computer Online Forensic Evidence Extractor, is a USB “thumb drive” that was quietly distributed to a handful of law-enforcement agencies last June. Microsoft General Counsel Brad Smith described its use to the 350 law-enforcement experts attending a company conference Monday.

The device contains 150 commands that can dramatically cut the time it takes to gather digital evidence, which is becoming more important in real-world crime, as well as cybercrime. It can decrypt passwords and analyze a computer’s Internet activity, as well as data stored in the computer.

It also eliminates the need to seize a computer itself, which typically involves disconnecting from a network, turning off the power and potentially losing data. Instead, the investigator can scan for evidence on site.

Microsoft did not develop the tools:

COFEE, according to forensic folk who have used it, is simply a suite of 150 bundled off-the-shelf forensic tools that run from a script. None of the tools are new or were created by Microsoft. Microsoft simply combined existing programs into a portable tool that can be used in the field before agents bring a computer back to their forensic lab. Microsoft wouldn’t disclose which tools are in the suite other than that they’re all publicly available, but a forensic expert told me that when he tested the product last year it included standard forensic products like Windows Forensic Toolchest (WFT) and RootkitRevealer.

With COFEE, a forensic agent can select, through the interface, which of the 150 investigative tools he wants to run on a targeted machine. COFEE creates a script and copies it to the USB device which is then plugged into the targeted machine. The advantage is that instead of having to run each tool separately, a forensic investigator can run them all through the script much more quickly and can also grab information (such as data temporarily stored in RAM or network connection information) that might otherwise be lost if he had to disconnect a machine and drag it to a forensics lab before he could examine it.
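As an added illustration of the scripted live-response collection described above (not COFEE’s or Microsoft’s code), here is a small Python collector that runs a volatility-ordered list of commands and writes a manifest with a SHA-256 of each tool’s output, so that the evidence gathered on site can be checked for integrity later. The tool names in the plan are constructed placeholders, and the smoke-test plan exists only so the collector can be exercised before it goes on the USB stick.

```python
import base64
import datetime
import hashlib
import subprocess
import sys

# Constructed collection plan, most volatile evidence first (RAM and network
# state before disk artefacts). Tool names are placeholders for a real kit.
DEFAULT_PLAN = [
    ("network_connections", ["netstat", "-an"]),
    ("running_processes", ["tasklist"]),
    ("logged_on_users", ["query", "user"]),
]

# Smoke-test plan with no forensic value: exercises the collector on any machine
# with this interpreter, including the path where a tool is missing.
SMOKE_PLAN = [
    ("interpreter_check", [sys.executable, "-c",
                           "import sys; sys.stdout.buffer.write(b'hello')"]),
    ("missing_tool", ["no-such-forensic-tool-xyz"]),
]

def run_step(name, argv, timeout=60):
    """Run one collection command and return an evidence record.
    Raw output is hashed the moment it is captured, so later tampering with the
    stored copy is detectable; a missing or hung tool is recorded, not fatal."""
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        output, rc, err = proc.stdout, proc.returncode, None
    except (OSError, subprocess.TimeoutExpired) as exc:
        output, rc, err = b"", None, repr(exc)
    return {
        "step": name, "argv": argv, "started_utc": started,
        "returncode": rc, "error": err,
        "sha256": hashlib.sha256(output).hexdigest(),
        "output_b64": base64.b64encode(output).decode("ascii"),
    }

def collect(plan=DEFAULT_PLAN):
    """Run every step in plan order; a failing step never stops the run."""
    return {"steps": [run_step(name, argv) for name, argv in plan]}

def verify(manifest):
    """Return names of steps whose stored output no longer matches its hash."""
    return [rec["step"] for rec in manifest["steps"]
            if hashlib.sha256(base64.b64decode(rec["output_b64"])).hexdigest()
            != rec["sha256"]]
```

Running `collect(SMOKE_PLAN)` shows both the normal path and the recorded-but-not-fatal failure of a missing tool; `verify` flags any step whose stored output was altered after collection.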

But given that a U.S. Federal court has ruled that U.S. border guards can search laptop computers without cause, this tool might see wider use than Microsoft anticipated.

Chinese Spies in the U.S.A.

Chinese Use Front Companies, Students, Tourists, & Businessmen to Spy

Men with ‘highly sensitive’ cameras arrested at airport

Two men attempting to board a plane to China with nearly a dozen sensitive infrared cameras in their luggage were arrested on Saturday, a federal official said.

Yong Guo Zhi, a Chinese national, and Tah Wei Chao, a naturalized U.S. citizen, were arrested for investigation of trying to take thermal imaging cameras with potential military use to China without the proper export licenses, Weir said.

Chinese Spies Steal US Passport Smart Chip

The US authorities demand that everybody entering their country have a passport and identity documents compliant with their security standards, but when it comes to their own passports, they have a much lower security standard than they demand of other countries.

Outsourcing passports ‘profound liability’

The blank passports travel to Europe where a microchip is inserted in the back cover and then onto Thailand where they are fitted with a radio antenna. The Netherlands company that makes the covers for the passport said in October that China stole the technology for the microchips, the Times said.

Outsourced passports netting govt. profits, risking national security

The Government Printing Office’s decision to export the work has proved lucrative, allowing the agency to book more than $100 million in recent profits by charging the State Department more money for blank passports than it actually costs to make them, according to interviews with federal officials and documents obtained by The Times.

Travelling with Electronic Devices

When I travel for work, I undertake what some people consider extreme measures to protect proprietary client data from theft by officials at international borders. These officials do not need warrants to seize or examine anything in your possession when crossing a border and that makes border officials excellent spies. This issue arose recently regarding the actions of the US border officials:

In Canada, one law firm has instructed its lawyers to travel to the United States with “blank laptops” whose hard drives contain no data. “We just access our information through the Internet,” said Lou Brzezinski, a partner at Blaney McMurtry, a major Toronto law firm. That approach also holds risks, but “those are hacking risks as opposed to search risks,” he said.

Creating a “blank laptop” entails more than just hitting the delete key or even using a utility to overwrite existing data. The hacking risk is also greater than most people realize, especially with wireless connections. Even with secure end-to-end encryption, traffic analysis can yield very useful intelligence.

If you didn’t steal it or get it by secret means, it’s not intelligence

From the Sources And Methods Blog

One of Australia’s oldest and largest newspapers, The Age, recently published a lengthy article (Thanks, Chris!) on the potential value of open source information to the Australian intelligence community and bemoaning the fact that open source isn’t used as much as it should be. Sounds familiar…

Unfortunately, too many people who should know better don’t understand that it is the analysis that matters, not the source of the data.

Dangers of Outsourced Software Development

Nigel Stanley of Bloor Research has written an article entitled Ounce Labs weighs into rogue code about the dangers of outsourcing software development. The most interesting part of the article follows:

Industrial espionage, or good old fashioned spying, is as alive and well today as it has ever been. In fact, a lot of time and effort from the security agencies is tied up in dealing with this issue, and contacts have assured me it is worse now than it has ever been as developing countries try to steal a march (maybe even literally) against the developed world. Spying between developed nations is also a problem, with some larger European countries having a dreadful reputation for trying to obtain industrial secrets from so called allies. Software development is an obvious target…

The downside of this approach is that decision makers get seduced by green lights whilst their developers look for even more creative ways of inserting malicious code. No sensible person will ever declare that a product such as Ounce 5 will guarantee that your code is 100% secure…

The Problem With Intelligence

In 300 B.C. Chinese princes were told that to rule they must turn the empire into their eyes and ears. “Though he may live in the deepest retreat of his palace, at the end of tortuous corridors, nothing escapes him, nothing is hidden from him, nothing can escape his vigilant watch.” (Levi, Le grand empereur, p. 187).

Such a system relies not only on the honour of the eyes and ears, but also on that of his subordinates, whose capacity for deception and treachery is unbounded.

The weakness of any such intelligence system is the quality of the human resources employed. The problem still exists today, even with technical collection, due to the hypocritical analysts and scheming bureaucrats between the data and the decision-maker.

Botched Background Investigation – Part II

A few weeks ago I wrote about a botched background investigation of a former FBI and CIA Intelligence Analyst who entered into a sham marriage to gain citizenship. It turns out that she had ties to Hezbollah.

Now a US Marine Captain has pleaded guilty to helping the potential Hezbollah operative gain citizenship in the same way she herself did. Read Hezbollah: Signs of a Sophisticated Intelligence Apparatus to see how an incompetent background investigation can have far-reaching implications.

“…the cases demonstrate that the FBI, CIA and Marine Corps all failed to detect this web of sham marriages when they conducted background investigations on the women in question, especially since the marriages were within the seven-year investigative window required for Prouty’s FBI clearance and Spinelli’s enlistment in the Marine Corps. A full field background investigation should have been able to determine the nature of the sham marriages, given that the women never lived with their purported husbands.”

China uses cover company to spy on NSA

China’s intelligence service gained access to a secret National Security Agency listening post in Hawaii through a Chinese-language translation service, according to U.S. intelligence officials.

According to officials who spoke on the condition of anonymity, China’s Ministry of State Security, the main civilian spy service, carried out the operations by setting up a Chinese translation service in Hawaii that represented itself as a U.S.-origin company.

Open Source Intelligence

Open Source Intelligence (OSINT) has been around for a very long time, but in recent years its importance has grown. For example, the USA has the Foreign Broadcast Information Service (FBIS), established in 1941, which transcribes and translates foreign broadcasts. It absorbed the Defense Department’s Joint Publications Research Service, which performed a similar function with foreign printed materials, including newspapers, magazines, and technical journals. In November 2005, it was announced that FBIS would become part of the newly formed Open Source Center, tasked with the collection and analysis of freely available intelligence.

In Open Source Intelligence by Richard S. Friedman, Ambassador Johnstone’s story about using CNN to gather needed information shows how OSINT often goes unrecognised as a valuable resource. However, that is changing if these are any measure: Pentagon’s “Best Source of Intel”: TV and The Enemy is Me.

In the private sector, we now have companies with experienced handlers using foreign language specialists who read hundreds of newspapers, listen to radio broadcasts, and watch foreign TV news to produce intelligence reports.

A Spy in Your Pocket

An article entitled Stalked by a cell phone: Who’s spying on you? warns of the danger of downloading software to your cell phone, connecting to the Internet from a mobile phone, and the dangers of letting it get out of your sight.


Botched Background Investigation

An ex-FBI & CIA agent with a brother-in-law linked to Hezbollah pleads guilty to database searches, raising questions about the security of top secret files in the war on terror.

The case raises questions about hiring practices and background checks by two of the nation’s most security-sensitive and secretive agencies… “It’s hard to imagine a greater threat than the situation where a foreign national uses fraud to attain citizenship and then, based on that fraud, insinuates herself into a sensitive position in the U.S. government.”

It seems she got somebody to marry her so she could become a citizen. The background investigation did not uncover this, nor did the polygraph examination that the US government places so much trust in.

Since this news broke it seems she held some very responsible positions, and “her brother, along with Prouty’s sister and others, was charged in 2006 by the U.S. attorney in Detroit with tax evasion in connection with a scheme to conceal more than $20 million in cash… and to route funds to persons in Lebanon with links to Hezbollah.” The sister is currently serving 18 months in a federal prison.

Inter-agency Cooperation Will Save US

Inter-agency cooperation and intelligence sharing seems to need some improvement in the US…

Driven to desperation by restrictive information sharing rules, and concerned about the terrorist threat to their homes and loved ones, at least five American intelligence officers established a domestic espionage ring. The target of their actions: the federal government. The beneficiary of their actions: Los Angeles. How has it come to this, that otherwise patriotic and loyal citizens feel compelled to work against their government in order to serve and protect their communities?

One member of the ring works in the Los Angeles Sheriff’s Department and the other in the LAPD. Maziarz, then an intelligence analyst at Camp Pendleton, was invaluable to the ring because of his ability to regularly access national intelligence databases and pass a steady stream of information to his accomplices on terrorism suspects in the LA area.

For the full story go to ThreatsWatch

Evidence of Chinese Nuclear Sub Found

Blogger and analyst for the Federation of American Scientists (FAS), Hans M. Kristensen, recently discovered a photo of a second and possibly a third Jin-class nuclear-powered submarine at Bohai Shipyard in northeast China. He discovered the image using Google Earth, an online mapping service provided by Internet search engine giant Google, and posted his discovery on his blog on October 4.

The use of Google Earth for this creates some interesting challenges for both governments and private industry. In the private sector, security officials now must consider the loss of proprietary and competitive data through satellite imagery. An example of this might be the construction of new production facilities. In the past, overflights of such facilities have given rise to lawsuits. Now that the data already exists and is searchable, how does one protect against a loss of critical information in this manner?

I predict the creative use of camouflage will become normal practice over the next couple of decades.