Difference between pages "First Responder's Evidence Disk" and "COFEE"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
 +
{{expand}}
 +
 
{{Infobox_Software |
 
{{Infobox_Software |
   name = FRED |
+
   name = COFEE |
   maintainer = Jesse Kornblum |
+
   maintainer = Microsoft |
   os = {{Linux}}, {{Windows}} |
+
   os = {{Windows}} |
 
   genre = {{Incident response}} |
 
   genre = {{Incident response}} |
   license = {{commercial}} |
+
   license = {{GPL}} |
   website = [http://darkparticlelabs.com/projects darkparticlelabs.com/projects] |
+
   website = [http://www.microsoft.com/industry/government/solutions/cofee/default.aspx www.microsoft.com] |
 
}}
 
}}
  
The First Responder's Evidence Disk, or FRED, is a script based [[Incident Response|incident response]] tool. It was designed to capture volatile information from a computer system for later analysis without modifying anything on the victim. It consists of a batch file used to execute a set of known good tools that gather the state of a victim computer system. It was similar to the [[IRCR]] program and has been widely imitated by other tools. Many other incident response tools used names similar to FRED.
+
'''Computer Online Forensic Evidence Extractor (COFEE)'''
 
+
== Usage ==
+
 
+
The program was distributed as a compressed 1.44 MB floppy image. The examiner runs this image on a safe system and writes the FRED program out to a piece of removable media such as a floppy disk or USB device. The examiner then connects this device to the victim machine. When run, the FRED program writes information out to an audit file on the removable device. The examiner takes this audit file back to the safe system for later analysis. The audit file can also be sent to other investigators if desired.
+
 
+
== History ==
+
 
+
FRED was developed by [[Jesse Kornblum]] for the [[Air Force Office of Special Investigations]] starting in the fall of 2000 and was first released in 2001. The tool was publicly unveiled the following year at the [[Digital Forensic Research Workshop|DFRWS Conference]]. Although the component parts of FRED were not released, mostly due to licensing restrictions, Kornblum did present a paper, ''[http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders]'', that included the FRED script.
+
 
+
A version of the FRED script was later incorporated into the [[Helix]] disk.
+
 
+
There was a proposal for a program to process the audit files into [[HTML]], but this never came to fruition.
+
 
+
Since 2004 FRED has been maintained by the [[Air Force Computer Emergency Response Team]]. The current version of FRED (version 4) has been redesigned as a single executable, with remote collection capabilities, and uses Native API functions. The audit file uses PKI for encryption to protect the contents from tampering and disclosure. The publicly available version has the remote functionality as well as the PKI encryption capabilities turned off.
+
  
== Trivia ==
+
COFEE is a piece of Microsoft software designed to all the easy capture of important "live" computer evidence at the scene in cybercrime investigations, without special forensics expertise.
  
The desire for a recursive [[MD5]] program for FRED inspired the development of [[md5deep]].
+
The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation.
 +
To help combat the growing number of ways that criminals use computers and the Internet to commit crimes, Microsoft is working with INTERPOL and the National White Collar Crime Center (NW3C) to provide COFEE at no cost to law enforcement agencies in 187 countries worldwide. INTERPOL and NW3C are also working with Florida State University and University College Dublin to continue the research and development that will help ensure that COFEE serves the needs of law enforcement, even as technology evolves.
  
== See Also ==
+
Law enforcement can get COFEE from NW3C at www.nw3c.org or by contacting INTERPOL at COFEE@interpol.int.
* [[IRCR]]
+
* [[COFEE]]
+
  
 
== External Links ==
 
== External Links ==
* [http://darkparticlelabs.com/projects Project site]
+
* [http://www.microsoft.com/industry/government/solutions/cofee/default.aspx Official web site]

Revision as of 05:36, 18 January 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

COFEE
Maintainer: Microsoft
OS: Windows
Genre: Incident Response
License: GPL
Website: www.microsoft.com

Computer Online Forensic Evidence Extractor (COFEE)

COFEE is a piece of Microsoft software designed to all the easy capture of important "live" computer evidence at the scene in cybercrime investigations, without special forensics expertise.

The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. And the COFEE framework can be tailored to effectively meet the needs of your particular investigation. To help combat the growing number of ways that criminals use computers and the Internet to commit crimes, Microsoft is working with INTERPOL and the National White Collar Crime Center (NW3C) to provide COFEE at no cost to law enforcement agencies in 187 countries worldwide. INTERPOL and NW3C are also working with Florida State University and University College Dublin to continue the research and development that will help ensure that COFEE serves the needs of law enforcement, even as technology evolves.

Law enforcement can get COFEE from NW3C at www.nw3c.org or by contacting INTERPOL at COFEE@interpol.int.

External Links