
Coffee Forensic Tool

COFEE is a computer forensics tool that allows investigators to easily capture live system evidence from suspect computers without needing specialized training. It uses scripts to automate the collection of volatile system data using various existing forensics programs. The programs and scripts are stored on a USB drive that is inserted into the target machine. COFEE then automatically runs the appropriate programs based on the detected operating system and redirects the output to the USB drive. This allows investigators to quickly acquire evidence with just a couple button clicks.
Copyright
© Attribution Non-Commercial (BY-NC)

Computer Online Forensic Evidence Extractor (COFEE)

Easily capture important "live" computer evidence at the scene in cybercrime investigations, without special forensics expertise.

In 2006, inspired by WFT, Ricci Ieong started the development of the Computer Online Forensic Evidence Extractor (COFEE) (Ieong 2006). COFEE uses a batch script to manage a list of existing incident response tools and IT security tools, making it a volatile data forensic acquisition system similar to WFT, IRCR and FRED. However, all of the scripts and programs are stored on a USB storage device before data acquisition. Instead of asking the user to key in an output directory, COFEE automatically redirects the output to the inserted USB storage device. With automatic OS version detection and a storage assignment scheme, operating-system-dependent programs are selected automatically once the version has been detected. The investigator only needs to insert the USB storage device into the target machine and click one or two buttons to start the data acquisition process.

Another difference between COFEE and other live forensics toolkits is the separation of the data acquisition procedures from the data examination procedures. In WFT, the report generation processes are executed immediately after the data acquisition process on the target machine. However, performing report generation on the target machine may also alter the memory content of the target machine. Because report generation does not need to be executed on the target machine, COFEE executes only the data acquisition programs there. All program selection, data examination and analysis processes are performed on the investigator's machine. In addition, COFEE supports more forensics programs, such as screen capture and password capture tools.
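As an added illustration (not COFEE's own script, which this page does not reproduce), the batch file below follows the design described above: it detects the OS version, selects version-specific tools, redirects all output to the USB device it was started from, and does no report generation on the target. The `tools\<version>` and `evidence\` folders and the choice of commands are assumptions made for the example.

```batch
@echo off
setlocal EnableExtensions
rem Added illustration of the design described above; not COFEE's own code.
rem Assumptions: this file runs from the USB device, so %~d0 is the evidence
rem volume; the tools\<version> and evidence\ folders are a hypothetical layout.
set "USB=%~d0"
set "OUT=%USB%\evidence\%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

rem OS version detection: VER prints e.g. "Microsoft Windows [Version 10.0.19045.3803]".
set "OSMAJOR=0"
set "OSVER=unknown"
for /f "tokens=2 delims=[]" %%V in ('ver') do set "VERSTR=%%V"
for /f "tokens=2,3 delims=. " %%A in ("%VERSTR%") do (
    set "OSMAJOR=%%A"
    set "OSVER=%%A.%%B"
)

rem OS-dependent program selection: prefer binaries carried on the USB device
rem for this version; the target's own copies are used only as a fallback.
set "PATH=%USB%\tools\%OSVER%;%PATH%"

echo %DATE% %TIME% start host=%COMPUTERNAME% os=%OSVER% >> "%OUT%\acquisition.log"

rem Acquisition only, most volatile data first. No parsing or report
rem generation happens here; that is done later on the investigator machine.
call :collect netstat  "netstat -ano"
call :collect arp      "arp -a"
call :collect tasklist "tasklist /v"
call :collect ipconfig "ipconfig /all"
if %OSMAJOR% GEQ 6 (
    call :collect firewall "netsh advfirewall show allprofiles"
) else (
    call :collect firewall "netsh firewall show state"
)

echo %DATE% %TIME% done >> "%OUT%\acquisition.log"
endlocal
exit /b 0

:collect
rem %1 = output file name, %2 = quoted command line to run.
echo %DATE% %TIME% %~2 >> "%OUT%\acquisition.log"
%~2 > "%OUT%\%~1.txt" 2>&1
exit /b 0
```

The timestamped `acquisition.log` records every command that was run on the target, which lets the examiner account for the toolkit's own footprint during later analysis.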
