User Guide For COFEE v1.1.2

Release Date: September 2009
Copyright Reserved
Table of Contents

Introduction ........ 1
  What is COFEE? ........ 2
    Digital Forensics Attributes and Principles ........ 2
    Volatile Information Collected ........ 2
  Why Use COFEE? ........ 3
  Who Should Use COFEE? ........ 3
  How to Use COFEE ........ 3
    Tool Generation Phase ........ 4
    Data Acquisition Phase ........ 4
    Report Generation Phase ........ 5
Installation ........ 6
  Prerequisites ........ 7
    Investigator Machine ........ 7
    USB Removable Device ........ 7
    Target Machine ........ 7
  Installation Steps ........ 8
  Installation Troubleshooting ........ 14
Operation Instructions for Device Generation ........ 15
  Program Startup ........ 16
  GUI Interface ........ 16
  Format Device ........ 17
  Generating a COFEE Thumb Drive ........ 18
    Tool Generation ........ 18
    Case Notes ........ 19
    USB Generation Steps ........ 19
  Advanced Operations ........ 20
    Output USB ........ 20
    More Options (Advanced) ........ 20
  USB Generation Troubleshooting ........ 25
    Format Troubleshooting ........ 25
    Generation Troubleshooting ........ 26
Operation Instructions for the COFEE USB Device ........ 27
  Beginning the COFEE Process ........ 28
    With Autorun Enabled ........ 28
    Without Autorun Enabled ........ 28
  Removing the USB Device ........ 30
Generating a Report of the Collected Data ........ 31
  Create a Report from the Collected Data ........ 32
  Interpretation of Reports ........ 34
    Menu Navigation ........ 35
  Report Troubleshooting ........ 38
Appendix ........ 39
  NW3C Volatile Data Profile ........ 40
    Programs & Arguments ........ 40
  NW3C Incident Response Profile ........ 41
    Programs & Arguments ........ 41
  COFEE Version Change Log ........ 43
This project was supported by Grant No. 2008-CE-CX-0001 awarded by the Bureau of Justice Assistance. The
Bureau of Justice Assistance is a component of the Office of Justice Programs, which also includes the Bureau of
Justice Statistics, the National Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, and the
Office for Victims of Crime. Points of view or opinions in this document are those of the author and do not represent
the official position or policies of the United States Department of Justice.
Introduction

What is COFEE?

COFEE consists of three major components: the GUI interface for the investigator, the command line application to be executed on the target machine, and the individual tools which are managed by COFEE and the command line application.

There are two major types of live forensics investigation tools: Live Information Acquisition tools and Remote Online Acquisition tools. Computer Online Forensic Evidence Extractor (COFEE) is a live information and volatile data forensics acquisition system.

The GUI interface was developed for managing the tool selection, generating scripts, loading programs onto a USB device, and creating a report from the collected data. The command line application was developed for controlling and executing a set of selected tools on the target machine.
Digital Forensics Attributes and Principles

In any digital forensics investigation, digital forensics specialists and legal advisors should ensure the balance between the three main attributes: Reconnaissance, Relevancy and Reliability of the digital evidence. In any digital forensics investigation, the investigator should always attempt to achieve the maximum amount of data acquisition while having a minimal effect on the integrity or accuracy of the data.

When applying Reconnaissance, Relevancy and Reliability to the live forensics investigation environment, it is paramount that any investigative tool used should operate in the least intrusive way. It is also vital that all operations conducted on a target machine be documented to the best extent possible. This aids in the reliability of the collected data, as well as the integrity of the target machine.

Great effort was taken to ensure that the COFEE execution process leaves the smallest footprint possible on the target machine.
Volatile Information Collected

The specific information collected by COFEE varies depending upon which profile is selected; however, the type of volatile information collected includes:

- Date and Time
- Open network connections and additional network related information
- User account information (including the currently logged on user)
- Current processes and services
- Open files and registry information
Why Use COFEE?

In COFEE, the GUI interface is used for the preparation of the forensics tools and the assigning of the digital forensics execution order. According to live forensics guidelines, investigators should take into account the order of evidence volatility, while having minimal interaction with the target machine.

COFEE has been designed to provide the investigator the ability to collect evidence from a target system with the minimum of user interaction. After the GUI interface generates a COFEE USB device (copies all scripts and programs), the investigator can take the device and easily insert it into a target machine, and begin the collection process by executing a single program.

While specific programs have been selected as part of the included profiles, COFEE allows a seasoned investigator to add or remove any program they desire, as well as create any profile to meet their specific investigative needs.
Who Should Use COFEE?

COFEE was designed to meet the needs of two distinct classes of users: the forensic examiner and the frontline investigator. The GUI console, which allows the user to create profiles and generate COFEE USB devices, was designed to be operated by a computer forensic examiner. The creation of profiles requires that the user have a firm understanding of the tools to be executed and the reason behind their inclusion within the profile. The command line application, however, requires minimal training because the scripting process has already been designed by a forensic examiner. This allows any frontline investigator to use this tool and collect data. Once the data is collected, the USB device should be returned to the forensic examiner for analysis.
How to Use COFEE

The COFEE execution process is divided into three phases: Tool Generation, Data Acquisition, and Report Generation.

Tool Generation Phase

Digital Forensics Specialists have the ability to select desired tools to run against a target machine based on the individual case requirements. This can be done by either selecting a predefined profile, or by manually creating a profile and selecting which tools (including switches) are to be run against the target machine.

Data Acquisition Phase

After generation of the COFEE device, investigators can take the USB device and insert it into the target machine. Execution of COFEE on the suspect machine will then complete and all collected data will be stored on the USB device.

Report Generation Phase

After the collection of the volatile information from the target machine, investigators can load that information back into the GUI console on the investigator's machine and generate a report based upon the data.
Installation

Prerequisites

Before installing COFEE v1.1.2, please refer to the following hardware and software requirements for the Investigator Machine, USB Removable Device, and the Target Machine.

Investigator Machine

Hardware:
- Pentium 4 or above
- 512 MB RAM
- USB 1.1 or higher
- 50 MB free hard drive space

Software:
- Windows XP or above
- .NET Framework 3.5 or higher

USB Removable Device

Hardware:
- Minimum 1 GB device
- Recommended 2 GB or larger

File System:
- FAT32 file system is recommended

Target Machine

Hardware:
- USB port enabled

Software:
- Windows XP*

*Windows XP is currently the only supported operating system. It is possible that COFEE will work on additional operating systems, but these operating systems have not been tested, and are not supported.
Installation Steps

Step 1: Execute the installation program COFEE v1.1.2 Installer.msi.

Step 2: A setup wizard is displayed. Click Next to continue.

Step 3: The COFEE License Agreement is displayed. Read the agreement carefully, select I Agree, and click Next to continue.

Step 4: Select the folder in which to install COFEE. By default, the programs will be installed to C:\Program Files\COFEE v1.1\. The Disk Cost button will display the amount of space the COFEE installation will take up on the investigator's computer based upon the installation folder selected. After selecting the installation folder, click Next to continue.

Step 5: Click Next to continue.

Step 6: Wait for the installation to finish.

Step 7: Installation Complete. Click Close to exit.

COFEE will install a shortcut on the investigator's desktop, as well as create a program group under the Start menu. Either can be used to start COFEE.
Installation Troubleshooting

If during the installation process the following screen appears, the system does not currently have the required version of the .NET framework. COFEE v1.1.2 requires .NET 3.5, which can be downloaded from Microsoft.

To upgrade, click Yes. This will require a working Internet connection. Clicking Yes will open a web browser and navigate to a Microsoft web page which contains the installation for the most recent version of the .NET framework. Click the Install button, and follow the installation instructions. Once the .NET framework is installed, try the COFEE installation again.
Operation Instructions for Device Generation
Program Startup

The first step to running COFEE is to connect the USB device into the investigator's machine, and ensure that Windows has properly recognized the drive prior to launching COFEE. After the drive has been recognized, launch COFEE.

GUI Interface

Tool Generation GUI

1. Menu System
   a. File Menu
      i. Format Device: Allows the user to format (and wipe) a USB device as FAT32
      ii. Exit: Closes COFEE
   b. Help Menu
      i. Log: Will display the COFEE log file
      ii. About: Displays the About screen
2. Tab Selection
   i. Tool tab: Used to generate a COFEE thumb drive
   ii. Report tab: Used to create a report from collected data (will be discussed in a different section)
3. Tool Generation: Set the options for device generation
4. Case Notes: Allows the investigator to enter information about the case that will appear in the final report
5. Generate: This button will generate the thumb drive based upon the options selected
6. Message box: This section displays information about current COFEE processes
Format Device

The menu option Format Device will open a new window which will allow the user to format and wipe any attached device. COFEE will format the selected device as FAT32, and will only allow devices 1 GB or larger to be formatted or wiped. If the device is between 1 GB and 2 GB, COFEE will display a message reminding the user that the recommended device size for COFEE is 2 GB or larger.

Step 1: Select the device to format from the drop down box.

Step 2: Check the box Wipe and Format Drive to wipe the device as well as format. Skip this step if only a format is desired.

Step 3: Click the button to proceed (the button text will vary depending on whether the user is only formatting or conducting a wipe as well).
- Click Format if only a format is required
- Click Format and Wipe to format and wipe the device
Generating a COFEE Thumb Drive

The primary purpose of COFEE is to generate a thumb drive which runs a predetermined set of programs that collects valuable data from a suspect's machine.

Tool Generation

Below is a listing of the fields in the Tool Generation section of COFEE (see Section 3 of the Tool Generation GUI screenshot):

1. COFEE Source: This section is automatically filled in during the installation process.
2. COFEE USB: This section allows the user to select which device becomes the COFEE device (i.e., select the device to send the COFEE USB files to).
3. Output USB: This is an advanced option which allows the user to select a second device for the storage of the saved data.
   a. This option is not recommended
4. Mode: The profile used to generate the USB device.
   a. A profile contains a listing of programs and switches that will be copied to the thumb drive, which will then be run against the suspect's machine.
5. More Options (Advanced): An advanced option which allows users to modify or create their own profile(s).
   a. This section requires the user to have a thorough knowledge of the programs and their switches. If any switch or program is added incorrectly, it can severely damage the suspect's machine, as well as the integrity of any evidence collected.
6. USB Label: Allows the user to select the volume label of the generated thumb drive. The default label is COFEE.
7. Checksum Info/Refresh: Whenever a new tool is added to a profile, this button needs to be clicked so that COFEE can obtain a checksum value of that file.
   a. During the generation process, COFEE automatically uses the checksum values to ensure the proper files are copied to the USB device.
Case Notes

This section contains five fields which can be filled in by the investigator (see Section 4 of the Tool Generation GUI screenshot). None of these items are mandatory; however, the contents of these fields (whether filled in or not) will appear in the final report. The user has the option of entering:

1. Case Type
2. Case ID
3. Console Operator
4. USB Operator
5. Case Description
USB Generation Steps

The following are the recommended steps necessary to create a COFEE USB device, assuming that the user has already connected the desired USB device (and that Windows has finished recognizing it), and has already launched COFEE.

Step 1: (If necessary) Format/Wipe the USB device
Step 2: Select the USB device under the COFEE USB drop down box
Step 3: Leave the Output box unchecked
Step 4: Select the desired profile from the Mode drop down box
Step 5: Enter any relevant case note information
Step 6: Click Generate

After all items have been transferred to the USB device, a message which says Done will appear. The generation process is then complete.
Advanced Operations

Output USB

The Output USB option allows a user to decouple the locations to which the COFEE programs (the programs that are copied when a USB device is generated) and the acquired data are stored. To separate the locations, check the Output USB option and select a different device for the storage of the acquired data. However, it is HIGHLY recommended that the same device be used for both the storage of the COFEE programs, as well as the acquired data.

More Options (Advanced)

The More Options (Advanced) button allows a user to create and/or modify non-default profiles. COFEE comes with two default profiles: NW3C Incident Response and NW3C Volatile Data. To create or modify a profile, follow these steps:

Step 1: Select a profile to use as a base template in the Mode drop down list (see Section 3 of the Tool Generation GUI screenshot)

Step 2: Click the More Options (Advanced) button, and the following screen will appear

The Tool Selection Screen
The tool selection screen consists of two primary lists of files: Applications List and Running Sequence. The Running Sequence is the profile. The applications (with switches) listed here are the programs that will run as part of the profile, and will run in that particular order. The Applications List consists of all applications and switches which have been entered into COFEE (typically as part of a previous profile creation). Each item in the list consists of a combination of one application and its switch(es). A program may also be entered without a switch. A single application may be listed multiple times if each instance uses a different switch (or combination of switches). For example, in the screenshot above, net.exe is listed in the profile five times, but each time with a different switch. Any one item from the Application List can only be added once to the running sequence. If that item already exists in the running sequence, it will be grayed out in the Application List and will not be allowed to be copied again.

Applications List Menu

If the user right clicks on an item within the Applications List, the following menu appears:

1. Remove: This will remove the selected item from the Application List
2. Sort By Command: Sorts the items in the Application List
3. No Grouping: Items are displayed by application name
4. Group By Family: Organizes programs by family
5. Group By Selection: Groups by Available or Already Selected (for the current profile)
6. Property: Displays the property screen for that entry
Adding Pre-Defined Program(s) to Running Sequence

Adding a predefined program (including predefined switches) to the Running Sequence is a simple process.

Step 1: Select the desired tool in the Application List

Step 2: Click the single right arrow. This adds the selected item to the Running Sequence

The user can also choose to add all of the available programs into the Running Sequence by clicking on the double right arrow.

Removing Program(s) from Running Sequence

Removing a predefined program from the running sequence is done in the opposite way that a predefined application is added.

Step 1: Select the desired tool in the Running Sequence

Step 2: Click the single left arrow. This removes the selected item from the Running Sequence

The user can also choose to remove all of the programs from the Running Sequence by clicking on the double left arrow.
Adding a New Tool or New Switch to the Application List

Instances will arise when an investigator will wish to use either a tool which was not included with COFEE, or a switch which did not come predefined by COFEE. The process for either of these options is the same:

Step 1: Click Add Tool (see the Tool Selection Screen screenshot); the following screen appears

Step 2: Enter a description for the tool. This description will show up in the final report and is designed to state the purpose of the application.

Step 3: Select the tool.

Step 3a: If the tool is OS independent, ensure that the Use the same tool for all OS option is checked, and then click on the top browse button (in line with XP). A standard file location dialog box will open. Find and select the tool, then click OK. This will populate all three boxes of the tool section.

Step 3b: If the tool isn't OS independent, yet there is a version of the software available for each OS (e.g., netstat.exe), the user has the option of using a separate program for Windows XP, 2000, and 2003. When the programs are run as part of the COFEE process, the program will determine what OS is currently running, and use the appropriate file. To do this, ensure that the Use the same tool for all OS option is unchecked, and then load the file for each OS by clicking on its corresponding browse button. If the application is unavailable for any of the listed OSs, uncheck that particular box (XP, 2000, 2003).

Step 4: Enter all of the desired switches for the program. The user can leave this box empty if no arguments are used.

Step 5: Select the family to which this program will belong. The family represents the purpose of the tool, and is used by COFEE to organize the acquired data. For example, the program netstat.exe belongs to the family network, while the program quser.exe belongs to the family users. The family options are: network, process, services, users, password, policy, registry, log, file, memory, opt_tool, and misc.

Step 6: Select the output format extension of the tool. This affects the output format of the tool. For example, the option Text expects the output of the program to be text. The complete list of available output formats is: Text, Image, Directory, and Memory Dump.

Step 7: The information entered in the Vendor Name and Vendor Link fields will be listed in the final report.

Step 8: Enter any additional required files. For example, some programs require specific Dynamic Linked Library (DLL) files to be included for the program to run properly. This section tells COFEE what other files to put on the USB device in addition to the selected program.

Step 9: Ensure that Randomizing Tool Name is checked. This ensures that the programs copied to the USB device have a unique file name, minimizing any possibility of running a program from the suspect's machine instead of the tool on the USB device.

Step 10: Click OK

If any new programs are added, ensure that the CheckSum Info Refresh button is clicked when returning to the main COFEE GUI screen. If a new CheckSum isn't created, the process will produce an error when trying to generate a USB device.
Saving a Modified Profile

An investigator may want different sets of profiles for different scenarios. After the configuration of a new running sequence, COFEE provides the ability for a user to save the new profile.

Step 1: Click the Save Order button on the main Tool Selection screen (see Tool Selection Screen screenshot) and the following screen appears

Step 2: In the Save As section, type the name of the new profile

Step 3: Click Accept

Loading a Profile to Modify

By default, the More Options window will load whichever profile is selected on the main window. However, the user has the option to load a different profile to work on by clicking the Load Order button and selecting which profile they wish to modify (or view).
USB Generation Troubleshooting

Format Troubleshooting

1. If the following screen appears, this indicates that the drive is under the required size, and COFEE will not let the user continue. To correct this problem, use a larger USB device.
2. If the following screen appears, this indicates that the drive is between 1 GB and 2 GB. This warning indicates that the drive is below the recommended size; however, COFEE will allow the user to continue.
3. The following error most often occurs if the user has the device open (e.g., open in Windows Explorer). The drive to be formatted cannot be open, nor can any file on the device be open, for the format to properly occur; ensure that they are all closed, and try again.
4. An error similar to that displayed in item 3 above will occur if the user attempts to format the device prior to Windows completing the driver installation for that device.

Generation Troubleshooting

A message box stating Interrupted appears. This indicates that some process, during the generation of the USB device, failed and needs to be remedied. To determine the exact error, look at the text in the white message box (see Section 6 of the Tool Generation GUI screenshot) on the COFEE main screen.

Checksum Mismatch: This most commonly occurs when a new, or updated, program file is added by a user. This problem is easily remedied by clicking on the Checksum Info Refresh button. After this process completes, the user can go through the generation process again. The following example indicates that there was a checksum error with the file ipconfig.exe:
The checksum of following file(s) do(es) not match
C:\Program Files\COFEE v1.1\bin\Win2k\ipconfig.exe
Generation is stopped due to hash mismatch
Please verify or remove above problem file(s)
If validated, click [Refresh Checksum]
Operation Instructions for the COFEE USB Device
Beginning the COFEE Process

Similar to running on the investigator's machine, the first step to running the COFEE USB device is to connect the USB device into the suspect's machine, and ensure that Windows has properly recognized the drive.

Once the device is connected, there are two possible methods for executing the COFEE process: if autorun is enabled on the suspect machine, or if it isn't. Both methods are described below:

With Autorun Enabled

If autorun is enabled, the following screen will appear after Windows has finished recognizing the USB device:

To begin the COFEE process, ensure the option Execute runner.exe is selected and click OK.

Without Autorun Enabled

If the above screen does not appear, then it is likely that Autorun is not enabled on the suspect's machine. To begin the COFEE process, follow the steps below:

Step 1: Open My Computer. This can be done by either opening the icon on the suspect's desktop, or by selecting START and then My Computer.

Step 2: Select and open the COFEE USB device. The device can easily be identified by both the volume label, as well as the icon associated with the drive. In the following example, the E: drive is the COFEE USB device.

Step 3: Find and execute the file runner.exe. At this point, the COFEE process has begun.

Removing the USB Device

While the COFEE process is running, a window similar to that below will be displayed. When the window closes, the process has completed.

When the process is complete, follow standard procedures to safely remove the device. At this point all information has been captured, and the USB device can be returned for report generation and analysis.

Note: For individuals who would like further verification that the process has properly completed, the investigator at the scene can view the COFEE.log file which is located in the data storage directory (see Generating a Report of the Collected Data for more information concerning the data storage directory). The final item in the log file should be [End].
Generating a Report of the Collected Data
Create a Report from the Collected Data

Once the data has been acquired from the suspect's machine, an HTML based report can be generated of the collected data. To begin the process, click on the Report tab on COFEE's main screen.

Step 1: Connect the USB drive to the investigator's computer.

Step 2: Select an Input Folder. Click the browse button under Raw Input Folder and select the acquired data's output folder. The standard convention will have the data stored on the USB device under the following folder:

out[ComputerName][YYMMDDHHMMSS]
(e.g., outadministrator2009092110213)

The ComputerName will be the computer name of the suspect machine, while the date/time will be when the COFEE process started on the suspect machine.

Step 3: Select an Output Folder. Click the browse button under Output Folder and select the desired folder in which to generate the report (the user can also create a folder in the browse screen).

Step 4: Fill in any Case Notes. These fields are optional and will appear in the final report.

Step 5: Click Generate.

Step 6: When the report is finished generating, COFEE will ask if the user wants to open the target folder. At this point, the report is generated; clicking Yes will direct the user to the folder containing the report. If the user clicks No, the report can still be found in the folder identified in Step 3.

Step 7: Open the index.html file to view the report.
Interpretation of Reports

The COFEE report is generated in an XML format and is displayable in all major web browsers (e.g., Internet Explorer and Firefox). The report is generated in two frames: the left frame contains a navigational menu to view the report, while the right contains the actual report data.

Screenshot of Sample Report
Menu Navigation

Menu Folders

The COFEE navigation frame (left) is divided into 14 sections. There is one folder for each of the 12 families: network, process, services, users, password, policy, registry, log, file, memory, opt_tool, and misc. These folders contain the results of any file that was designated as part of that particular family.

The Main folder contains the COFEE log file which is generated when the process is run on the suspect machine and any case notes which were entered (either during the USB device generation or during the report generation).

The Correlation folder contains up to three reports that are generated based upon what programs are run: Lsof, Services_Correlation, and Processes_Correlation.

1. Lsof (List Opened Files with Network Connection): Shows the Process, Port Number, and open files correlation. The information collected comes from the following programs: pslist.exe, openports.exe, netstat, and handle.exe -a. If none of these programs are run, this report will not be displayed; if only a portion of the files are run, this report will be based on only the programs that ran.

2. Services_Correlation (Correlate Different Commands among Services): This report displays the services as reported by different programs. The following programs are used by this report: dumpsec.exe /computer=%COMPUTERNAME% /rpt=services /saveas=tsv /outfile=%Outfile%, psservice.exe, sclist.exe, and sc.exe query. This report will list services which were reported by the programs, with a check mark or an X indicating whether a particular tool reported a specific service. Like the other correlation reports, only those programs which were actually run will show up in this report (of the programs listed above).

Services_Correlation Screenshot

3. Processes_Correlation (Correlate Commands among Processes): Similar to the services correlation report, but correlates running processes versus services. The programs used to generate the report are: pslist.exe, tasklist.exe /svc, cmdline.exe, and pstat.exe.

Processes_Correlation Screenshot

Program Reports

Each program run has its own report within the full COFEE report. If the program name is highlighted in blue, then COFEE was able to obtain valid output from that program. If the program name is highlighted in gray, then there was likely an error in collection and there is no collected data for that particular file. For example, in the listing on the left:

- net.exe view: Valid data was collected and is in the report
- net.exe session: No data was collected due to an error
Each report has the following sections:

1. Description: Displays a listing of the program run, and the description of that particular program.
2. Hash Matching Result: A hash of all of the stored data is created and compared to the hash which was created when the data was originally collected. This section displays to the reader whether the two hash values matched. If the values do not match, this could indicate that someone has modified that particular output file.
3. Start Time: The time the program started on the suspect machine.
4. End Time: The time the program ended on the suspect machine.
5. Output: This contains the stored output of that program.

If an error occurred, a sixth section will be displayed:

6. Error: Displays what error occurred when the program attempted to run (e.g., Access Denied).
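The two completion and integrity checks this guide describes (the [End] marker that must close COFEE.log, and the Hash Matching Result that recomputes the hash of each stored output and compares it with the value recorded at collection time), as an added example that is not part of COFEE or this guide: a small verifier an examiner could run over an acquired output folder before generating the report. COFEE does not document where it keeps the collection-time hashes, so the sidecar manifest hashes.txt, its line format, and the sample files built by build_sample_dir are assumptions constructed here for illustration.

```python
"""Verify an acquired COFEE-style output folder before report generation.

Checks (both taken from the user guide):
  1. COFEE.log must end with the literal line "[End]" (the run completed).
  2. Each stored program output must hash to the value recorded when it was
     collected; a mismatch means the file may have been altered afterwards.
ASSUMPTION: the collection-time hashes live in a sidecar file hashes.txt with
one "<sha256-hex>  <filename>" entry per line. COFEE's real storage format is
not documented in the guide, so this layout is made up for the example.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

LOG_NAME = "COFEE.log"        # named in the guide
MANIFEST_NAME = "hashes.txt"  # assumed sidecar file, not a documented COFEE file


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large memory dumps do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def log_completed(out_dir: str) -> bool:
    """True only if the last non-blank line of COFEE.log is exactly [End]."""
    try:
        with open(os.path.join(out_dir, LOG_NAME), encoding="utf-8", errors="replace") as fh:
            lines = [ln.strip() for ln in fh if ln.strip()]
    except FileNotFoundError:
        return False          # no log at all: treat as an incomplete run
    return bool(lines) and lines[-1] == "[End]"


def read_manifest(out_dir: str) -> Dict[str, str]:
    """Parse the assumed manifest into {filename: expected_sha256}."""
    expected: Dict[str, str] = {}
    with open(os.path.join(out_dir, MANIFEST_NAME), encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            digest, name = line.split(None, 1)
            expected[name] = digest.lower()
    return expected


def verify_output_dir(out_dir: str) -> Dict[str, object]:
    """Return findings; 'ok' is True only when every check passes."""
    matched: List[str] = []
    mismatched: List[str] = []
    missing: List[str] = []
    for name, digest in read_manifest(out_dir).items():
        path = os.path.join(out_dir, name)
        if not os.path.isfile(path):
            missing.append(name)        # listed at collection time, gone now
        elif sha256_of(path) == digest:
            matched.append(name)
        else:
            mismatched.append(name)     # content changed after acquisition
    log_ok = log_completed(out_dir)
    return {
        "log_complete": log_ok,
        "matched": matched,
        "mismatched": mismatched,
        "missing": missing,
        "ok": log_ok and not mismatched and not missing,
    }


def build_sample_dir(tamper: bool = False) -> str:
    """Construct a sample output folder; every value here is made up.

    With tamper=True the run is cut short (no [End]) and one output file is
    edited after its hash was recorded, so both checks should fail.
    """
    d = tempfile.mkdtemp(prefix="out_SAMPLE_")
    outputs = {
        "ipconfig_all.txt": b"Windows IP Configuration\r\n",
        "pslist.txt": b"Name   Pid\r\nSystem 4\r\n",
    }
    with open(os.path.join(d, MANIFEST_NAME), "w", encoding="utf-8") as mf:
        for name, data in outputs.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
            mf.write(f"{hashlib.sha256(data).hexdigest()}  {name}\n")
    with open(os.path.join(d, LOG_NAME), "w", encoding="utf-8") as lf:
        lf.write("[Start]\nipconfig_all.txt\npslist.txt\n")
        if not tamper:
            lf.write("[End]\n")
    if tamper:
        with open(os.path.join(d, "pslist.txt"), "ab") as fh:
            fh.write(b"edited after collection\r\n")
    return d


if __name__ == "__main__":
    for tamper in (False, True):
        print("tampered" if tamper else "clean", verify_output_dir(build_sample_dir(tamper)))
```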
Report Troubleshooting

Often, a JavaScript warning will display when attempting to view the report in Internet Explorer. To correct this problem:

1. Right click on the Warning Bar
2. Select Allow Blocked Content
3. Click Yes
4. The report should reload with no problems.

Appendix
NW3C Volatile Data Profile

The NW3C Volatile Data Profile was developed to allow an investigator to collect potentially important volatile data prior to seizing a machine for a full forensic examination. This profile was designed so that none of the programs run causes any direct writes to the suspect's file system.
Programs & Arguments

Application      Argument   Description
ipconfig.exe     /all       Lists network configuration
nbtstat.exe      -n         Lists local NetBIOS names
net.exe          user       Displays users on the computer and/or domain
net.exe          file       Displays opened shared files on the server
net.exe          accounts   Adjusts account settings. Displays info such as password age, minimum length, lockout threshold, etc.
net.exe          share      Local network shares
net.exe          use        Connects or disconnects your computer from a shared resource or displays information about your connections
pslist.exe       -t         Displays process tree
pslist.exe                  Process Information Lister
whoami.exe                  Displays the user the current session is logged in as
quser.exe                   Displays information about users logged onto the system
psloggedon.exe              Logon Session Displayer
netstat.exe      -ao        Displays protocol statistics and current TCP/IP network connections. Displays all connections and listening ports, and the owning process ID associated with each connection
netstat.exe      -no        Displays protocol statistics and current TCP/IP network connections. Displays addresses and port numbers in numerical form, and the owning process ID associated with each connection
sclist.exe                  Displays service list for local machine
showgrps.exe                Displays groups that users are members of
systeminfo.exe              Displays operating system configuration information for a local or remote machine, including service pack levels
NW3C Incident Response Profile
The NW3C Incident Response Profile was designed for incident response investigations in which the investigator is not able to perform a forensic analysis on the target machine. This profile was designed to have minimal impact on the suspect's file system.
Programs & Arguments

Program          Arguments                          Description
arp.exe                                             Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
at.exe                                              Lists scheduled events
autorunsc.exe                                       Displays programs scheduled to autorun during boot
getmac.exe                                          Displays MAC address
handle.exe                                          Ever wondered which program has a particular file or directory open? Handle is targeted at searching for open file references. Dumps information about all types of handles, not just those that refer to files. Other types include ports, Registry keys, synchronization primitives, threads, and processes.
hostname.exe                                        Lists host (computer) name
ipconfig.exe     /all                               Shows detailed IPCONFIG information
msinfo32.exe     /report %OUTFILE%                  Will create a report of msinfo32. Essentially system information
nbtstat.exe      -n                                 Lists local NetBIOS names
nbtstat.exe      -A 127.0.0.1                       Lists the remote machine's name table given its IP address (localhost) [NetBIOS over TCP/IP]
nbtstat.exe                                         Lists session table with the destination IP [NetBIOS over TCP/IP]
nbtstat.exe      -c                                 Lists NBT's cache of remote [machine] names and their IPs [NetBIOS over TCP/IP]
net.exe          share                              Local network shares
net.exe          use                                Connects or disconnects your computer from a shared resource or displays information about your connections.
net.exe          file                               Displays opened shared files on the server.
net.exe          user                               Displays users on the computer and/or domain.
net.exe          accounts                           Adjusts account settings. Displays info such as password age, minimum length, lockout threshold, etc.
net.exe          view                               Displays a list of computers in a specified workgroup or the shared resources available on a specified computer.
net.exe          start                              Starts the specified network service. With no service name, lists started services
net.exe          session                            Displays all sessions connected to the computer and deletes them if specified.
net.exe          localgroup administrators /domain  Lists members of the Administrators group for the domain. Error printed if no domain exists
net.exe          localgroup                         Displays list of group aliases for the system (e.g., Guests, Administrators, Power Users, etc.)
net.exe          localgroup administrators          Lists members of the local Administrators group
net.exe          group                              Adds, deletes, displays and otherwise manages global groups on a domain.
netdom.exe       query DC                           Only works with a Domain Controller put in the "DC" spot
netstat.exe      -ao                                Displays protocol statistics and current TCP/IP network connections. Displays all connections and listening ports, and the owning process ID associated with each connection
netstat.exe      -no                                Displays protocol statistics and current TCP/IP network connections. Displays addresses and port numbers in numerical form, and the owning process ID associated with each connection.
openfiles.exe    /query /v                          Lists files and folders that have been remotely opened on the system. Must have admin privileges
psfile.exe                                          Local and Remote Network File Lister
pslist.exe                                          Process Information Lister
pslist.exe       -t                                 Displays process tree
psloggedon.exe                                      Logon Session Displayer
psservice.exe                                       Lists services on a local or remote system
pstat.exe                                           Pstat.exe is a Resource Kit utility that provides information about the processes and drivers that are currently running on your computer. For diagnostic purposes, the most useful information is the list of loaded drivers at the end of the output.
psuptime.exe                                        Displays the system's current "uptime"
quser.exe                                           Displays information about users logged onto the system
route.exe                                           Displays routing information
sc.exe           query                              Queries the status for a service, or enumerates the status for types of service
sc.exe           queryex                            Queries the extended status for a service, or enumerates the status for types of service
sclist.exe                                          Displays service list for local machine
showgrps.exe                                        Displays groups that users are members of.
srvcheck         \\127.0.0.1                        Checks server information
tasklist.exe     /svc                               Displays services hosted in each process
whoami.exe                                          Displays the user the current session is logged in as
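Both profiles above are, operationally, a list of (program, arguments) pairs to run from the tool drive with every result captured onto the evidence drive. The following is an added example of such a runner, written for this page and not COFEE's own code: it runs each pair, stores stdout in one file per program, and records the start and end time, the SHA-1 of the stored output (the reference value for the report's Hash Matching Result) and any error text (the report's Error section). It assumes the programs are launched from `tool_dir`, that all files go under `out_dir`, and a record layout (`index.json` beside the output files) that is my own choice. The NW3C Volatile Data Profile is transcribed from the appendix table; the portable `demo_profile()` is a constructed stand-in so the script also runs somewhere other than a Windows suspect machine.

```python
"""Run a COFEE-style program profile and store each tool's output, start and
end time, SHA-1 and error text on the evidence drive.

Added example; this is not COFEE's own code. The record layout is an
assumption of this example, not COFEE's format.
"""
import hashlib
import json
import re
import subprocess
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# The NW3C Volatile Data Profile as listed in this appendix (program, arguments).
NW3C_VOLATILE_PROFILE = [
    ("ipconfig.exe", ["/all"]), ("nbtstat.exe", ["-n"]), ("net.exe", ["user"]),
    ("net.exe", ["file"]), ("net.exe", ["accounts"]), ("net.exe", ["share"]),
    ("net.exe", ["use"]), ("pslist.exe", ["-t"]), ("pslist.exe", []),
    ("whoami.exe", []), ("quser.exe", []), ("psloggedon.exe", []),
    ("netstat.exe", ["-ao"]), ("netstat.exe", ["-no"]), ("sclist.exe", []),
    ("showgrps.exe", []), ("systeminfo.exe", []),
]

def stamp():
    # Taken from the machine's own clock, exactly as the report's Start/End times are.
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def output_name(exe, args):
    """Evidence file name derived from program and arguments, e.g. netstat_ao.txt."""
    raw = Path(exe).stem + "_" + ("_".join(args) if args else "noargs")
    return re.sub(r"[^A-Za-z0-9.]+", "_", raw).strip("_")[:80] + ".txt"

def run_program(exe, args, out_dir, tool_dir=None, timeout=120):
    """Run one program and return the fields a per-program report shows."""
    out_dir = Path(out_dir)
    cmd = [str(Path(tool_dir) / exe) if tool_dir else exe, *args]
    record = {"program": exe, "args": list(args), "output_file": output_name(exe, args),
              "start": stamp(), "end": None, "sha1": None, "error": None}
    try:
        # cwd is the evidence drive, so a tool writing relative files does not touch the suspect disk.
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout, cwd=out_dir)
        data = proc.stdout
        if proc.returncode != 0 or proc.stderr:
            record["error"] = (proc.stderr.decode(errors="replace").strip()
                               or f"exit status {proc.returncode}")
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        data = b""
        record["error"] = f"{type(exc).__name__}: {exc}"
    record["end"] = stamp()
    (out_dir / record["output_file"]).write_bytes(data)
    record["sha1"] = hashlib.sha1(data).hexdigest()   # reference hash for Hash Matching Result
    return record

def run_profile(profile, out_dir, tool_dir=None):
    """Run every (program, args) pair and write index.json beside the outputs."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    records = [run_program(exe, args, out_dir, tool_dir) for exe, args in profile]
    (out_dir / "index.json").write_text(json.dumps(records, indent=2))
    return records

def demo_profile():
    """Constructed, portable stand-in for a profile: a program that succeeds, one
    that fails with an access-denied style message, and one that is missing."""
    py = sys.executable
    return [
        (py, ["-c", "print('hello from the suspect machine')"]),
        (py, ["-c", "import sys; sys.stderr.write('Access is denied.'); sys.exit(5)"]),
        ("no-such-tool.exe", []),
    ]

def demo():
    """Run the stand-in profile into a scratch directory and return the records."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_profile(demo_profile(), tmp)

if __name__ == "__main__":
    profile = NW3C_VOLATILE_PROFILE if sys.platform == "win32" else demo_profile()
    target = sys.argv[1] if len(sys.argv) > 1 else "evidence"
    for rec in run_profile(profile, target):
        print(f"{rec['program']} {' '.join(rec['args'])}: {rec['error'] or 'OK'} sha1={rec['sha1']}")
```

On a real run, `tool_dir` points at the tool thumb drive and `out_dir` at the evidence drive, with the two kept apart so the hashed outputs never share a volume with the binaries that produced them. An entry whose error text is "Access is denied" corresponds to the gray program names in the report listing.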
COFEE Version Change Log

Version 1.1
NW3C updates to the original COFEE (includes removal of FCIV and PIPE, as well as modification of FORMAT/WIPE and the creation of NW3C profiles).
A SHA-1 hashing utility created and implemented to replace FCIV.
A quick FAT32 format utility created to replace Format/Wipe issues.
Modified COFEE to use Cipher to wipe the unallocated area of the thumb drive.

Version 1.1.1
Modified the Wipe portion. Wipe now formats, then wipes with SDELETE (with the -c argument), and then formats again.
Modified source code to remove Cipher and replace it with the SDelete option to overwrite the unallocated area of the thumb drive with one pass of zeroes.

Version 1.1.2
Fixed bug which would not allow drives with drive labels to be formatted or wiped.