TechScrawl.com

COFEE Leaked? It looks like the COFEE utility (Computer Online Forensic Evidence Extractor) that I blogged about in April might have finally been leaked. Recall this tool is a Microsoft developed suite of pre-existing utilities designed for computer forensics and analyzation, meant for the law enforcement community. The files can be found here. I downloaded it and ran it against a Server 2008 virtual machine and it seems to be pretty comprehensive in the data it gathers. It’s worth noting that this might not actually be COFEE, when the program starts this text is displayed: “W.O.L.F. Incident Response Toolkit”. W.O.L.F apparently stands for Windows Online Forensics, which I found a small number of search results for, dating back to 2005. Looks like it could be a Microsoft pre-cursor to COFEE. Either way, seems like a decent toolset to work with until the real COFEE is leaked.

NTFS Alternate Data Streams. In my years in IT and working with Windows systems I had never heard of alternate data streams (ADS) until I saw this blog. ADS, or hidden streams, is a functionality of the NTFS file system that allows a file to be attached to another file, in essence hiding the existence of the attached file. The attached file can be executable, even if the original is not. Just imagine hiding Malware.exe in GroceryList.txt. From what I’ve read, certain virus scanners don’t always pick up these threats. The potentials for malicious use are numerous; thankfully Microsoft has helped decrease that potential in Vista & Server 2008 by making ADS files easier to find and not allowing those files to be executable. Click the link above for the entire blog post with all the details.

Full DNS Vuln Notes – Kaminsky Presentation. Now that the details of the DNS vulnerability found by Dan Kaminsky have been released, you can find a good summary of it in this blog post on his site; the Power Point slides from his presentation are a must read for a good understanding of the associated implications.