User Guide For COFEE v1.1.2


User Guide for COFEE v1.1.2

Release Date: September 2009
Copyright Reserved

Table of Contents
Introduction
  What is COFEE?
    Digital Forensics Attributes and Principles
    Volatile Information Collected
  Why Use COFEE?
  Who Should Use COFEE?
  How to Use COFEE
    Tool Generation Phase
    Data Acquisition Phase
    Report Generation Phase
Installation
  Prerequisites
    Investigator Machine
    USB Removable Device
    Target Machine
  Installation Steps
  Installation Troubleshooting
Operation Instructions for Device Generation
  Program Startup
  GUI Interface
  Format Device
  Generating a COFEE Thumb Drive
    Tool Generation
    Case Notes
    USB Generation Steps
  Advanced Operations
    Output USB
    More Options (Advanced)
  USB Generation Troubleshooting
    Format Troubleshooting
    Generation Troubleshooting
Operation Instructions for the COFEE USB Device
  Beginning the COFEE Process
    With Autorun Enabled
    Without Autorun Enabled
  Removing the USB Device
Generating a Report of the Collected Data
  Create a Report from the Collected Data
  Interpretation of Reports
    Menu Navigation
  Report Troubleshooting
Appendix
  NW3C Volatile Data Profile
    Programs & Arguments
  NW3C Incident Response Profile
    Programs & Arguments
  COFEE Version Change Log

This project was supported by Grant No. 2008-CE-CX-0001 awarded by the Bureau of Justice Assistance. The
Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of
Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the
Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent
the official position or policies of the United States Department of Justice.


Introduction

What is COFEE?
COFEE consists of three major components: the GUI interface for the investigator, the command line application to be executed on the target machine, and the individual tools which are managed by COFEE and the command line application.
There are two major types of live forensics investigation tools: Live Information Acquisition tools and Remote Online Acquisition tools. Computer Online Forensic Evidence Extractor (COFEE) is a live information and volatile data forensics acquisition system.
The GUI interface was developed for managing the tool selection, generating scripts, loading programs onto a USB device, and creating a report from the collected data. The command line application was developed for controlling and executing a set of selected tools on the target machine.

Digital Forensics Attributes and Principles
In any digital forensics investigation, digital forensics specialists and legal advisors should ensure the balance between the three main attributes: Reconnaissance, Relevancy and Reliability of the digital evidence. In any digital forensics investigation, the investigator should always attempt to achieve the maximum amount of data acquisition while having a minimal effect on the integrity or accuracy of the data.
When applying Reconnaissance, Relevancy and Reliability to the live forensics investigation environment, it is paramount that any investigative tool used should operate in the least intrusive way. It is also vital that all operations conducted on a target machine be documented to the best extent possible. This aids in the reliability of the collected data, as well as the integrity of the target machine. Great effort was taken to ensure that the COFEE execution process leaves the smallest footprint possible on the target machine.

Volatile Information Collected
The specific information collected by COFEE varies depending upon which profile is selected; however, the type of volatile information collected includes:

- Date and Time
- Open network connections and additional network related information
- User account information (including the currently logged on user)
- Current processes and services
- Open files and registry information

Why Use COFEE?
In COFEE, the GUI interface is used for the preparation of the forensics tools and the assigning of the digital forensics execution order. According to live forensics guidelines, investigators should take into account the order of evidence volatility, while having minimal interaction with the target machine.
COFEE has been designed to provide the investigator the ability to collect evidence from a target system with the minimum of user interaction. After the GUI interface generates a COFEE USB device (copies all scripts and programs), the investigator can take the device and easily insert it into a target machine, and begin the collection process by executing a single program.
While specific programs have been selected as part of the included profiles, COFEE allows a seasoned investigator to add or remove any program they desire, as well as create any profile to meet their specific investigative needs.

Who Should Use COFEE?
COFEE was designed to meet the needs of two distinct classes of users: the forensic examiner and the frontline investigator. The GUI console, which allows the user to create profiles and generate COFEE USB devices, was designed to be operated by a computer forensic examiner. The creation of profiles requires that the user have a firm understanding of the tools to be executed and the reason behind their inclusion within the profile. The command line application, however, requires minimal training because the scripting process has already been designed by a forensic examiner. This allows any frontline investigator to use this tool and collect data. Once the data is collected, the USB device should be returned to the forensic examiner for analysis.

How to Use COFEE
The COFEE execution process is divided into three phases: Tool Generation, Data Acquisition, and Report Generation.

Tool Generation Phase
Digital Forensics Specialists have the ability to select desired tools to run against a target machine based on the individual case requirements. This can be done by either selecting a predefined profile, or by manually creating a profile and selecting which tools (including switches) are to be run against the target machine.

Data Acquisition Phase
After generation of the COFEE device, investigators can take the USB device and insert it into the target machine. Execution of COFEE on the suspect machine will then complete and all collected data will be stored on the USB device.

Report Generation Phase
After the collection of the volatile information from the target machine, investigators can load that information back into the GUI console on the investigator's machine and generate a report based upon the data.

Installation

Prerequisites
Before installing COFEE v1.1.2, please refer to the following hardware and software requirements for the Investigator Machine, USB Removable Device, and the Target Machine.

Investigator Machine
Hardware:
- Pentium 4 or above
- 512 MB RAM
- USB 1.1 or higher
- 50 MB free hard drive space
Software:
- Windows XP or above
- .NET Framework 3.5 or higher

USB Removable Device
Hardware:
- Minimum 1 GB device
- Recommended 2 GB or larger
File System:
- FAT32 file system is recommended

Target Machine
Hardware:
- USB port enabled
Software:
- Windows XP*

*Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported.

Installation Steps

Step 1: Execute the installation program COFEE v1.1.2 Installer.msi.

Step 2: A setup wizard is displayed. Click Next to continue.

Step 3: The COFEE License Agreement is displayed. Read the agreement carefully, select I Agree, and click Next to continue.

Step 4: Select the folder in which to install COFEE. By default, the programs will be installed to C:\Program Files\COFEE v1.1\. The Disk Cost button will display the amount of space the COFEE installation will take up on the investigator's computer based upon the installation folder selected. After selecting the installation folder, click Next to continue.

Step 5: Click Next to continue.

Step 6: Wait for the installation to finish.

Step 7: Installation Complete. Click Close to exit.

COFEE will install a shortcut on the investigator's desktop, as well as create a program group under the Start menu. Either can be used to start COFEE.

Installation Troubleshooting
If, during the installation process, the following screen appears, the system does not currently have the required version of the .NET framework. COFEE v1.1.2 requires .NET 3.5, which can be downloaded from Microsoft.

To upgrade, click Yes. This will require a working Internet connection. Clicking Yes will open a web browser and navigate to a Microsoft web page which contains the installation for the most recent version of the .NET framework. Click the Install button, and follow the installation instructions. Once the .NET framework is installed, try the COFEE installation again.

Operation Instructions for Device Generation

Program Startup
The first step to running COFEE is to connect the USB device to the investigator's machine, and ensure that Windows has properly recognized the drive prior to launching COFEE. After the drive has been recognized, launch COFEE.

GUI Interface

Tool Generation GUI (screenshot)

1. Menu System
   a. File Menu
      i. Format Device: Allows the user to format (and wipe) a USB device as FAT32
      ii. Exit: Closes COFEE
   b. Help Menu
      i. Log: Will display the COFEE log file
      ii. About: Displays the About screen
2. Tab Selection
   i. Tool tab: Used to generate a COFEE thumb drive
   ii. Report tab: Used to create a report from collected data (will be discussed in a different section)
3. Tool Generation: Set the options for device generation
4. Case Notes: Allows the investigator to enter information about the case that will appear in the final report
5. Generate: This button will generate the thumb drive based upon the options selected
6. Message box: This section displays information about current COFEE processes

Format Device
The menu option Format Device will open a new window which will allow the user to format and wipe any attached device. COFEE will format the selected device as FAT32, and will only allow devices 1 GB or larger to be formatted or wiped. If the device is between 1 GB and 2 GB, COFEE will display a message reminding the user that the recommended device size for COFEE is 2 GB or larger.

Step 1: Select the device to format from the drop down box.
Step 2: Check the box "Wipe and Format Drive" to wipe the device as well as format. Skip this step if only a format is desired.

Step 3: Click the button to proceed (the button text will vary depending on whether the user is only formatting or conducting a wipe as well).

Click Format if only a format is required.

Click Format and Wipe to format and wipe the device.

Generating a COFEE Thumb Drive
The primary purpose of COFEE is to generate a thumb drive which runs a predetermined set of programs that collects valuable data from a suspect's machine.
Tool Generation
Below is a listing of the fields in the Tool Generation section of COFEE (see Section 3 of the Tool Generation GUI screenshot):
1. COFEE Source: This section is automatically filled in during the installation process.
2. COFEE USB: This section allows the user to select which device becomes the COFEE device (i.e., select the device to send the COFEE USB files to).
3. Output USB: This is an advanced option which allows the user to select a second device for the storage of the saved data.
   a. This option is not recommended.
4. Mode: The profile used to generate the USB device.
   a. A profile contains a listing of programs and switches that will be copied to the thumb drive, which will then be run against the suspect's machine.
5. More Options (Advanced): An advanced option which allows users to modify or create their own profile(s).
   a. This section requires the user to have a thorough knowledge of the programs and their switches. If any switch or program is added incorrectly, it can severely damage the suspect's machine, as well as the integrity of any evidence collected.
6. USB Label: Allows the user to select the volume label of the generated thumb drive. The default label is COFEE.
7. Checksum Info/Refresh: Whenever a new tool is added to a profile, this button needs to be clicked so that COFEE can obtain a checksum value of that file.
   a. During the generation process, COFEE automatically uses the checksum values to ensure the proper files are copied to the USB device.
Case Notes
This section contains five fields which can be filled in by the investigator (see Section 4 of the Tool Generation GUI screenshot). None of these items are mandatory; however, the contents of these fields (whether filled in or not) will appear in the final report. The user has the option of entering:
1. Case Type
2. Case ID
3. Console Operator
4. USB Operator
5. Case Description

USB Generation Steps
The following are the recommended steps necessary to create a COFEE USB Device, assuming that the user has already connected the desired USB device (and that Windows has finished recognizing it), and has already launched COFEE.
Step 1: (If necessary) Format/Wipe the USB Device
Step 2: Select the USB Device under the COFEE USB drop down box
Step 3: Leave the Output box unchecked
Step 4: Select the desired profile from the Mode drop down box
Step 5: Enter any relevant case note information
Step 6: Click Generate
After all items have been transferred to the USB device, a message which says "Done" will appear. The generation process is then complete.

Advanced Operations
Output USB
The Output USB option allows a user to decouple the location to which the COFEE programs (the programs that are copied when a USB device is generated) and the acquired data are stored. To separate the locations, check the Output USB option and select a different device for the storage of the acquired data. However, it is HIGHLY recommended that the same device be used for both the storage of the COFEE programs, as well as the acquired data.
More Options (Advanced)
The More Options (Advanced) button allows a user to create and/or modify non-default profiles. COFEE comes with two default profiles: NW3C Incident Response and NW3C Volatile Data. To create or modify a profile, follow these steps:
Step 1: Select a profile to use as a base template in the Mode drop down list (see Section 3 of the Tool Generation GUI screenshot)
Step 2: Click the More Options (Advanced) button, and the following screen will appear

The Tool Selection Screen (screenshot)


The tool selection screen consists of two primary lists of files: Applications List and Running Sequence. The Running Sequence is the profile. The applications (with switches) listed here are the programs that will run as part of the profile, and will run in that particular order. The Applications List consists of all applications and switches which have been entered into COFEE (typically as part of a previous profile creation). Each item in the list consists of a combination of one application and its switch(es). A program may also be entered without a switch. A single application may be listed multiple times if each instance uses a different switch (or combination of switches). For example, in the screenshot above, net.exe is listed in the profile five times, but each time with a different switch. Any one item from the Application List can only be added once to the running sequence. If that item already exists in the running sequence, it will be grayed out in the Application List and will not allow it to be copied again.
Applications List Menu
If the user right clicks on an item within the Applications List, the following menu appears:

1. Remove: This will remove the selected item from the Application List
2. Sort By Command: Sorts the items in the Application List
3. No Grouping: Items are displayed by application name
4. Group By Family: Organizes programs by family
5. Group By Selection: Groups by Available or Already Selected (for the current profile)
6. Property: Displays the property screen for that entry

Adding Pre-Defined Program(s) to Running Sequence
Adding a predefined program (including predefined switches) to the Running Sequence is a simple process.
Step 1: Select the desired tool in the Application List
Step 2: Click the single right arrow. This adds the selected item to the Running Sequence

The user can also choose to add all of the available programs into the Running Sequence by clicking on the double right arrow.

Removing Program(s) from Running Sequence
Removing a predefined program from the running sequence is done in the opposite way that a predefined application is added.
Step 1: Select the desired tool in the Running Sequence
Step 2: Click the single left arrow. This removes the selected item from the Running Sequence

The user can also choose to remove all of the programs from the Running Sequence by clicking on the double left arrow.

Adding a New Tool or New Switch to the Application List
Instances will arise when an investigator will wish to use either a tool which was not included with COFEE, or use a switch which did not come predefined by COFEE. The process for either of these options is the same:
Step 1: Click Add Tool (see the Tool Selection Screen screenshot); the following screen appears

Step 2: Enter a description for the tool. This description will show up in the final report and is designed to state the purpose of the application.
Step 3: Select the tool.
Step 3a: If the tool is OS independent, ensure that the "Use the same tool for all OS" option is checked, and then click on the top browse button (in line with XP). A standard file location dialog box will open. Find and select the tool, then click OK. This will populate all three boxes of the tool section.
Step 3b: If the tool isn't OS independent, yet there is a version of the software available for each OS (e.g., netstat.exe), the user has the option of using a separate program for Windows XP, 2000, and 2003. When the programs are run as part of the COFEE process, the program will determine what OS is currently running, and use the appropriate file. To do this, ensure that the "Use the same tool for all OS" option is unchecked, and then load the file for each OS by clicking on its corresponding browse button. If the application is unavailable for any of the listed OSs, uncheck that particular box (XP, 2000, 2003).
Step 4: Enter all of the desired switches for the program. The user can leave this box empty if no arguments are used.
Step 5: Select the family to which this program will belong. The family represents the purpose of the tool, and is used by COFEE to organize the acquired data. For example, the program netstat.exe belongs to the family network, while the program quser.exe belongs to the family users. The family options are: network, process, services, users, password, policy, registry, log, file, memory, opt_tool, and misc.
Step 6: Select the output format extension of the tool. This affects the output format of the tool. For example, the option Text expects the output of the program to be text. The complete list of available output formats is: Text, Image, Directory, and Memory Dump.
Step 7: The information entered in the Vendor Name and Vendor Link fields will be listed in the final report.
Step 8: Enter any additional required files. For example, some programs require specific Dynamic Linked Library (DLL) files to be included for the program to run properly. This section tells COFEE what other programs to put on the USB device other than the selected program.
Step 9: Ensure that "Randomizing Tool Name" is checked. This ensures that the programs copied to the USB device have a unique file name, minimizing any possibility of running a program from the suspect's machine.
Step 10: Click OK

If any new programs are added, ensure that the CheckSum Info Refresh button is clicked when returning to the main COFEE GUI screen. If a new CheckSum isn't created, the process will create an error when trying to generate a USB device.
Saving a Modified Profile
An investigator may want different sets of profiles for different scenarios. After the configuration of a new running sequence, COFEE provides the ability for a user to save the new profile.
Step 1: Click the Save Order button on the main Tool Selection screen (see Tool Selection Screen screenshot) and the following screen appears

Step 2: In the Save As section, type the name of the new profile
Step 3: Click Accept
Loading a Profile to Modify
By default, the More Options window will load whichever profile is selected on the main window. However, the user has the option to load a different profile to work on by clicking the Load Order button and selecting which profile they wish to modify (or view).

USB Generation Troubleshooting
Format Troubleshooting
1. If the following screen appears, this indicates that the drive is under the required size, and will not let the user continue. To correct this problem, use a larger USB device.

2. If the following screen appears, this indicates that the drive is between 1 GB and 2 GB. This warning indicates that the drive is below the recommended size; however, COFEE will allow the user to continue.

3. The following error most often occurs if the user has the device open (e.g., open in Windows Explorer). The drive to be formatted cannot be open, nor can any file on the device be open, for the format to properly occur; ensure that they are all closed, and try again.

4. An error similar to that displayed in item 3 above will occur if the user attempts to format the device prior to Windows completing the driver installation for that device.
Generation Troubleshooting
A message box stating "Interrupted" appears. This indicates that some process, during the generation of the USB device, failed and needs to be remedied. To determine the exact error, look at the text in the white message box (see Section 6 of the Tool Generation GUI screenshot) on the COFEE main screen.
Checksum Mismatch: This most commonly occurs when a new, or updated, program file is added by a user. This problem is easily remedied by clicking on the Checksum Info Refresh button. After this process completes, the user can go through the generation process again. The following example indicates that there was a checksum error with the file ipconfig.exe:
The checksum of following file(s) do(es) not match
C:\Program Files\COFEE v1.1\bin\Win2k\ipconfig.exe
Generation is stopped due to hash mismatch
Please verify or remove above problem file(s)
If validated, click [Refresh Checksum]

Operation Instructions for the COFEE USB Device

Beginning the COFEE Process
Similar to running on the investigator's machine, the first step to running the COFEE USB Device is to connect the USB device to the suspect's machine, and ensure that Windows has properly recognized the drive.
Once the device is connected, there are two possible methods for executing the COFEE process: if autorun is enabled on the suspect machine, or if it isn't. Both methods are described below:
With Autorun Enabled
If autorun is enabled, the following screen will appear after Windows has finished recognizing the USB device:

To begin the COFEE process, ensure the option "Execute runner.exe" is selected and click OK.
Without Autorun Enabled
If the above screen does not appear, then it is likely that Autorun is not enabled on the suspect's machine. To begin the COFEE process, follow the steps below:
Step 1: Open My Computer. This can be done by either opening the icon on the suspect's desktop, or by selecting START and then My Computer.
Step 2: Select and open the COFEE USB Device. The device can easily be identified by both the volume label, as well as the icon associated with the drive. In the following example, the E: drive is the COFEE USB Device.

Step 3: Find and execute the file runner.exe. At this point, the COFEE process has begun.

Removing the USB Device
While the COFEE process is running, a window similar to that below will be displayed. When the window closes, the process has completed.

When the process is complete, follow standard procedures to safely remove the device. At this point all information has been captured, and the USB device can be returned for report generation and analysis.
Note: For individuals who would like further verification that the process has properly completed, the investigator at the scene can view the COFEE.log file which is located in the data storage directory (see "Generating a Report of the Collected Data" for more information concerning the data storage directory). The final item in the log file should be [End].

Generating a Report of the Collected Data

Create a Report from the Collected Data
Once the data has been acquired from the suspect's machine, an HTML based report can be generated of the collected data. To begin the process, click on the Report Tab on COFEE's main screen.

Step 1: Connect the USB drive to the investigator's computer.
Step 2: Select an Input Folder. Click the browse button under Raw Input Folder and select the acquired data's output folder. The standard convention will have the data stored on the USB device under the following folder:
out[ComputerName][YYMMDDHHMMSS]
(e.g., outadministrator2009092110213)
The ComputerName will be the Computer Name of the suspect machine, while the date/time will be when the COFEE process started on the suspect machine.
Step 3: Select an Output Folder. Click the browse button under Output Folder and select the desired folder in which to generate the report (the user can also create a folder in the browse screen).

Step 4: Fill in any Case Notes. These fields are optional and will appear in the final report.
Step 5: Click Generate.
Step 6: When the report is finished generating, COFEE will ask if the user wants to open the target folder. At this point, the report is generated; clicking Yes will direct the user to the folder containing the report. If the user clicks No, the report can still be found in the folder identified in Step 3.

Step 7: Open the index.html file to view the report.

Interpretation of Reports
The COFEE report is generated in an XML format and is displayable in all major web browsers (e.g., Internet Explorer and Firefox). The report is generated in two frames: the left frame contains a navigational menu to view the report, while the right contains the actual report data.

Screenshot of Sample Report

Menu Navigation
Menu Folders
The COFEE navigation frame (left) is divided into 14 sections. There is one folder for each of the 12 families: network, process, services, users, password, policy, registry, log, file, memory, opt_tool, and misc. These folders contain the results of any file that was designated as part of that particular family.
The Main folder contains the COFEE log file, which is generated when the process is run on the suspect machine, and any case notes which were entered (either during the USB device generation or during the report generation).
The Correlation folder contains up to three reports that are generated based upon what programs are run: Lsof, Services_Correlation, and Processes_Correlation.
1. Lsof (List Opened Files with Network Connection): Shows the Process, Port Number, and open files correlation. The information collected comes from the following programs: pslist.exe, openports.exe -netstat, and handle.exe -a. If none of these programs are run, this report will not be displayed; if only a portion of the files are run, this report will be based on only the programs that ran.
2. Services_Correlation (Correlate Different Commands among Services): This report displays the services as reported by different programs. The following programs are used by this report: dumpsec.exe /computer=%COMPUTERNAME% /rpt=services /saveas=tsv /outfile=%Outfile%, psservice.exe, sclist.exe, and sc.exe query. This report will list services which were reported by the programs, with a check mark or an X indicating whether a particular tool reported a specific service. Like the other correlation reports, only those programs which were actually run will show up in this report (of the programs listed above).

Services_Correlation Screenshot

3. Processes_Correlation (Correlate Commands among Processes): Similar to the services correlation report, but correlates running processes versus services. The programs used to generate the report are: pslist.exe, tasklist.exe /svc, cmdline.exe, and pstat.exe.

Processes_Correlation Screenshot
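The correlation reports above are built by extracting the same kind of name (a service, a process) from each tool's saved output and marking which tools saw it. The following Python is an added illustration of the Services_Correlation idea, not COFEE's own code: the three tool outputs are constructed samples that only approximate the real formats of sc query, sclist.exe and psservice.exe (dumpsec's TSV output is not modelled), and the per-tool parsers are this example's assumptions.

```python
"""Services_Correlation-style matrix: one row per service, one column per
tool that actually ran, with a mark showing whether that tool reported it.
Sample outputs are constructed for this example, not captured tool output."""
import re
from typing import Callable, Dict, List, Set

# Constructed sample, loosely modelled on `sc query` output.
SC_QUERY_OUTPUT = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        STATE              : 4  RUNNING

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        STATE              : 4  RUNNING
"""

# Constructed sample, loosely modelled on sclist.exe (state, name, display name).
SCLIST_OUTPUT = """\
running  Dhcp            DHCP Client
running  wuauserv        Automatic Updates
running  ExtraSvc        Example Service
"""

# Constructed sample, loosely modelled on psservice.exe output.
PSSERVICE_OUTPUT = """\
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
"""


def parse_service_name_lines(text: str) -> Set[str]:
    """Names from 'SERVICE_NAME: xxx' lines (sc query / psservice style)."""
    return {m.group(1).lower()
            for m in re.finditer(r"^SERVICE_NAME:\s*(\S+)", text, re.M)}


def parse_sclist(text: str) -> Set[str]:
    """Second whitespace-separated field of each sclist-style line."""
    names: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            names.add(parts[1].lower())
    return names


# Tool name as it appears in the profile -> parser for its saved output.
PARSERS: Dict[str, Callable[[str], Set[str]]] = {
    "sc.exe query": parse_service_name_lines,
    "sclist.exe": parse_sclist,
    "psservice.exe": parse_service_name_lines,
}


def correlate_services(outputs: Dict[str, str]) -> Dict[str, Dict[str, bool]]:
    """Build {service: {tool: reported?}}. Only tools whose output is present
    become columns, mirroring the report's rule that tools not run are omitted."""
    seen = {tool: PARSERS[tool](text)
            for tool, text in outputs.items() if tool in PARSERS}
    all_services: Set[str] = set().union(*seen.values()) if seen else set()
    return {svc: {tool: svc in names for tool, names in seen.items()}
            for svc in sorted(all_services)}


def discrepancies(matrix: Dict[str, Dict[str, bool]]) -> List[str]:
    """Services not reported by every tool that ran: the rows an examiner
    should look at first when reading the correlation report."""
    return [svc for svc, cols in matrix.items() if not all(cols.values())]


def render(matrix: Dict[str, Dict[str, bool]]) -> str:
    """Plain-text version of the check mark / X table."""
    tools = list(next(iter(matrix.values())).keys()) if matrix else []
    lines = ["service".ljust(16) + "".join(t.ljust(16) for t in tools)]
    for svc, cols in matrix.items():
        marks = "".join(("✓" if cols[t] else "X").ljust(16) for t in tools)
        lines.append(svc.ljust(16) + marks)
    return "\n".join(lines)


if __name__ == "__main__":
    m = correlate_services({"sc.exe query": SC_QUERY_OUTPUT,
                            "sclist.exe": SCLIST_OUTPUT,
                            "psservice.exe": PSSERVICE_OUTPUT})
    print(render(m))
    print("reported by only some tools:", discrepancies(m))
```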

Program Reports
Each program run has its own report within the full COFEE report. If the program name is highlighted in blue, then COFEE was able to obtain valid output from that program. If the program name is highlighted in gray, then there was likely an error in collection and there is no collected data for that particular file.

For example, in the listing on the left:
net.exe view: Valid data was collected and is in the report
net.exe session: No data was collected due to an error

Each report has the following sections:
1. Description: Displays a listing of the program run, and the description of that particular program.
2. Hash Matching Result: A hash of all of the stored data is created and compared to the hash which was created when the data was originally collected. This section displays to the reader whether the two hash values matched. If the values do not match, this could indicate that someone has modified that particular output file.
3. Start Time: The time the program started on the suspect machine.
4. End Time: The time the program ended on the suspect machine.
5. Output: This contains the stored output of that program.
If an error occurred, a sixth section will be displayed:
6. Error: Displays what error occurred when the program attempted to run (e.g., Access Denied).
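The Hash Matching Result described here and the Checksum Info/Refresh step described under Tool Generation rest on the same mechanism: record a hash per file, then recompute and compare before trusting the file. The following Python is an added illustration of that check, not COFEE's own code; the algorithm (SHA-256), the manifest layout and the sample output folder are this example's assumptions.

```python
"""Per-file hash manifest: build it at collection time, verify it later.
Illustrates the idea behind COFEE's Hash Matching Result (stored output
re-hashed and compared) and Checksum Info/Refresh (tool files hashed before
generation). SHA-256 and the manifest layout are this example's choices."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large memory dumps are not read at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the files now on disk with the recorded hashes.

    'mismatch': recorded file whose content changed (the report's hash-mismatch case)
    'missing':  recorded file that is no longer present
    'unexpected': file present now that was never recorded
    All three empty means the set is exactly as recorded."""
    current = build_manifest(root)
    return {
        "mismatch": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: record hashes of a collected output folder, then
    alter one output file and drop in a stray file before verifying."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed folder name in the spirit of out[ComputerName][timestamp].
        out = Path(tmp) / "out_EXAMPLEPC_090921102130"
        (out / "network").mkdir(parents=True)
        (out / "network" / "netstat_ao.txt").write_text(
            "TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    1234\n")
        (out / "COFEE.log").write_text("[Start]\n[End]\n")

        # Collection time: record hashes. The manifest lives beside the
        # folder, not inside it, so it is not hashed as part of the evidence.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(out), indent=2))

        # Later: one output file is modified and an unrelated file appears.
        (out / "network" / "netstat_ao.txt").write_text(
            "TCP    0.0.0.0:135    0.0.0.0:0    LISTENING    9999\n")
        (out / "extra.txt").write_text("not part of the collection\n")

        recorded = json.loads(manifest_path.read_text())
        return verify_manifest(out, recorded)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```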


Report Troubleshooting
Often, a JavaScript warning will display when attempting to view the report in Internet Explorer.

To correct this problem:
1. Right Click on the Warning Bar
2. Select Allow Blocked Content
3. Click Yes
4. The report should reload with no problems.


Appendix


NW3C Volatile Data Profile
The NW3C Volatile Data Profile was developed to allow an investigator to collect potentially important volatile data prior to seizing a machine for a full forensic examination. This profile was designed so that none of the programs run causes any direct writes to the suspect's file system.

Programs & Arguments

Application | Argument | Description
ipconfig.exe | /all | List Network Configuration
nbtstat.exe | -n | Lists local NetBIOS names
net.exe | user | Displays users on the computer and/or domain
net.exe | file | Display opened shared files on the server
net.exe | accounts | Adjust account settings. Displays info such as Password age, minimum length, Lockout threshold, etc.
net.exe | share | Local Network Shares
net.exe | use | Connects or disconnects your computer from a shared resource or displays information about your connections
pslist.exe | -t | Displays process tree
pslist.exe | | Process Information Lister
whoami.exe | | Displays the user the system is currently logged in as
quser.exe | | Displays information about users logged on to the system
psloggedon.exe | | Logon Session Displayer
netstat.exe | -ao | Displays protocol statistics and current TCP/IP network connections. Displays all connections and listening ports, and the owning process ID associated with each connection
netstat.exe | -no | Displays protocol statistics and current TCP/IP network connections. Displays addresses and port numbers in numerical form, and the owning process ID associated with each connection
sclist.exe | | Displays service list for local machine
showgrps.exe | | Displays groups that users are members of
systeminfo.exe | | Displays operating system configuration information for a local or remote machine, including service pack levels


NW3C Incident Response Profile
The NW3C Incident Response Profile was designed for Incident Response investigations in which the investigator is not able to perform a forensic analysis on the target machine. This profile was designed to have minimal impact on the suspect's file system.

Programs & Arguments

Program | Arguments | Description
arp.exe | | Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and Physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
at.exe | | Lists scheduled events
autorunsc.exe | | Displays programs scheduled to autorun during boot
getmac.exe | | Displays MAC Address
handle.exe | | Ever wondered which program has a particular file or directory open? Handle is targeted at searching for open file references. Dump information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes.
hostname.exe | | List Host (Computer) Name
ipconfig.exe | /all | Shows detailed IPCONFIG information
msinfo32.exe | /report %OUTFILE% | Will create a report of msinfo32. Essentially system information
nbtstat.exe | -n | Lists Local NETBIOS Names
nbtstat.exe | -A 127.0.0.1 | Lists the remote machine's name table given its IP address (localhost) [NETBIOS over TCP/IP]
nbtstat.exe | | Lists session table with the destination IP [NETBIOS over TCP/IP]
nbtstat.exe | -c | Lists NBT's cache of remote [machine] names and their IPs [NETBIOS over TCP/IP]
net.exe | share | Local Network Shares
net.exe | use | Connects or disconnects your computer from a shared resource or displays information about your connections.
net.exe | file | Display opened shared files on the server.
net.exe | user | Displays users on the computer and/or domain.
net.exe | accounts | Adjust account settings. Displays info such as Password age, minimum length, Lockout threshold, etc.
net.exe | view | Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.
net.exe | start | Start the specified network service. Will List Started Services
net.exe | Session | Display all sessions connected to the computer and deletes them if specified.
net.exe | localgroup administrators /domain | Lists members of administrators group for the domain. Error printed if no domain exists
net.exe | localgroup | Displays list of Group Aliases for System (e.g., Guests, Administrators, Power Users, etc.)
net.exe | localgroup administrators | Lists members of the administrators group
net.exe | group | Add, delete, view, and otherwise manage network workgroups.
netdom.exe | query DC | Only works with a Domain Controller put in the "DC" spot
netstat.exe | -ao | Displays protocol statistics and current TCP/IP network connections. Displays all connections and listening ports, and the owning process ID associated with each connection
netstat.exe | -no | Displays protocol statistics and current TCP/IP network connections. Displays addresses and port numbers in numerical form, and the owning process ID associated with each connection.
openfiles.exe | /query /v | Lists files and folders that have been remotely opened on the system. Must have admin privileges
psfile.exe | | Local and Remote Network File Lister
pslist.exe | | Process Information Lister
pslist.exe | | Displays process tree
psloggedon.exe | | Logon Session Displayer
psservice.exe | | Lists services on a local or remote system
pstat.exe | | Pstat.exe is a Resource Kit utility that provides information about the processes and drivers that are currently running on your computer. For diagnostic purposes, the most useful information is the list of loaded drivers at the end of the output.
psuptime.exe | | Displays the system's current "uptime"
quser.exe | | Displays information about users logged on to the system
route.exe | print | Displays routing information
sc.exe | query | Queries the status for a service, or enumerates the status for types of service
sc.exe | queryex | Queries the extended status for a service, or enumerates the status for types of service
sclist.exe | | Displays service list for local machine
showgrps.exe | | Displays groups that users are members of.
srvcheck | \\127.0.0.1 | Check Server Information
tasklist.exe | /svc | Displays services hosted on each process
whoami.exe | | Displays the user the system is currently logged in as


COFEE Version Change Log

Version 1.1
NW3C Updates to original COFEE (includes removal of FCIV and PIPE, as well as modification of FORMAT/WIPE and the creation of NW3C profiles).
A SHA1 hashing utility created and implemented to replace FCIV.
A Quick FAT32 Format utility created to replace Format/Wipe issues.
Modified COFEE to use Cipher to wipe unallocated area of the thumb drive.

Version 1.1.1
Modified the Wipe portion. Wipe now Formats, then Wipes with SDELETE (with the -c argument), and then Formats again.
Modified source code to remove Cipher and replace with SDelete option to overwrite unallocated area of thumb drive with one pass of zeroes.

Version 1.1.2
Fixed bug which would not allow drives with drive labels to be formatted or wiped.

