It is all about the COFEE [1] that will keep you awake. In this case, ahead of the game. Microsoft's COFEE (Computer Online Forensics Evidence Extractor) [1] is out and about, making the rounds on the Internet underground (and overground, on “freedom of speech” sites). This is what happens when you try to keep something secret: everyone wants it.

I understand the motives to keep it hush-hush, but from what I hear the tool set is made up of basic programs you can find on a Windows OS and at Microsoft online (the old Sysinternals tool set, now part of Microsoft).

Will anti-forensics kick in and destroy your acquisition? Well, to be honest, if the tools are the ones you find on a Windows OS, then any rootkit installed on the machine will feed them the same false data it feeds every other tool that asks the OS for a process, file or connection list. Nothing new there! Once again this proves that the usual computer forensics (a drive image, and a memory capture analysed offline rather than through the live OS) will still be required to corroborate the information.
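The practical check for the point above is a cross-view comparison: take the process list a live-response tool got from the OS (which a rootkit can filter) and compare it with an independent enumeration taken from a memory image, where process objects are found by scanning rather than by asking the hooked API. The script below is an added example and is not code from the original post or from COFEE. Both listings are constructed sample data: `LIVE_TASKLIST` imitates tasklist.exe output and `MEMORY_PSSCAN` is modelled loosely on a Volatility-style psscan listing (offset, name, PID, PPID, DTB, creation time, optional exit time); the column layout and the `cross_view` classification are this example's own assumptions.

```python
"""Cross-view check: live (API-based) process list vs. memory-image pool scan.

Added example, not part of the original post or of COFEE. All input below is
constructed sample data. A process present in the scan with no exit time but
absent from the live view is a hidden-process candidate; one with an exit time
is most likely just a terminated process whose object was still in memory.
"""
from __future__ import annotations

import re
from typing import NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    name: str


class ScanProc(NamedTuple):
    pid: int
    name: str
    ppid: int
    exited: Optional[str]  # exit timestamp if the object belongs to a terminated process


# Constructed tasklist.exe-style output from the running box (the rootkit-filtered view).
LIVE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0         24 K
System                           4 Services                   0        236 K
smss.exe                       376 Services                   0        328 K
csrss.exe                      584 Services                   0      3,512 K
winlogon.exe                   608 Console                    1      4,112 K
services.exe                   652 Services                   0      3,900 K
lsass.exe                      664 Services                   0      1,404 K
svchost.exe                    832 Services                   0      4,372 K
explorer.exe                  1524 Console                    1     18,604 K
cmd.exe                       1892 Console                    1      1,240 K
"""

# Constructed psscan-style listing from a RAM image (does not go through the hooked APIs).
MEMORY_PSSCAN = """\
Offset(P)          Name                PID   PPID PDB        Time created        Time exited
------------------ ---------------- ------ ------ ---------- ------------------- -------------------
0x0000000002b7c020 System                4      0 0x00319000 2009-11-10 08:11:02
0x0000000002c41da0 smss.exe            376      4 0x0a3c8000 2009-11-10 08:11:05
0x0000000002d0e5a0 csrss.exe           584    376 0x0a5f2000 2009-11-10 08:11:07
0x0000000002d22870 winlogon.exe        608    376 0x0a64a000 2009-11-10 08:11:07
0x0000000002d6a020 services.exe        652    608 0x0a6c2000 2009-11-10 08:11:08
0x0000000002d7f440 lsass.exe           664    608 0x0a702000 2009-11-10 08:11:08
0x0000000002da2da0 svchost.exe         832    652 0x0a81c000 2009-11-10 08:11:10
0x0000000002e51020 explorer.exe       1524   1488 0x0b0a3000 2009-11-10 08:12:01
0x0000000002e9a020 notepad.exe        1700   1524 0x0b2c7000 2009-11-10 08:13:12 2009-11-10 08:14:30
0x0000000002f03da0 cmd.exe            1892   1524 0x0b3e1000 2009-11-10 08:15:44
0x0000000002f8a8b8 svchost.exe        1960    652 0x0b5f9000 2009-11-10 08:16:03
"""

_TASKLIST_RE = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
_PSSCAN_RE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+0x[0-9a-fA-F]+"
    r"\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
    r"(?:\s+(?P<exited>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d))?\s*$"
)


def parse_tasklist(text: str) -> list[Proc]:
    """Parse the data rows of tasklist output; header and separator lines do not match."""
    return [Proc(int(m["pid"]), m["name"].strip())
            for m in (_TASKLIST_RE.match(l) for l in text.splitlines()) if m]


def parse_psscan(text: str) -> list[ScanProc]:
    """Parse the data rows of the psscan-style listing, keeping the optional exit time."""
    return [ScanProc(int(m["pid"]), m["name"], int(m["ppid"]), m["exited"])
            for m in (_PSSCAN_RE.match(l) for l in text.splitlines()) if m]


def cross_view(live: list[Proc], scan: list[ScanProc]) -> dict[str, list]:
    """Classify every difference between the two views instead of just diffing PIDs."""
    live_by_pid = {p.pid: p for p in live}
    scan_by_pid = {p.pid: p for p in scan}
    report: dict[str, list] = {"hidden": [], "terminated": [], "live_only": [], "renamed": []}
    for sp in scan:
        if sp.pid in live_by_pid:
            # psscan reads the 15-char ImageFileName field, so compare on that prefix only.
            if live_by_pid[sp.pid].name[:15].lower() != sp.name[:15].lower():
                report["renamed"].append((sp.pid, live_by_pid[sp.pid].name, sp.name))
        elif sp.exited:
            report["terminated"].append(sp)   # object of an exited process, not hidden
        else:
            report["hidden"].append(sp)       # running in memory, filtered from the live view
    for lp in live:
        if lp.pid not in scan_by_pid and lp.pid != 0:  # PID 0 is the Idle pseudo-process
            report["live_only"].append(lp)    # started after the image, or exited and reused
    return report


if __name__ == "__main__":
    result = cross_view(parse_tasklist(LIVE_TASKLIST), parse_psscan(MEMORY_PSSCAN))
    for kind, items in result.items():
        print(f"{kind:10s} {[tuple(i) for i in items]}")
```

Run on the sample data, the only hidden-process candidate is `svchost.exe` PID 1960, and `notepad.exe` PID 1700 is correctly set aside as terminated rather than hidden. The categories matter in court as much as in triage: a PID that is in the scan only because the process exited is not evidence of a rootkit, and a PID that is in the live view only may simply have started after the capture, so each class needs its own explanation before anyone writes "hidden process" in a report.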

What about the volatile information that this tool set captures and that is lost after a shutdown? That is why it is called volatile (it lives only while the machine is running), and good luck piecing it together from a drive image alone. It will provide valuable information that you would not otherwise have, but how it will be proven in court is another matter altogether. It would not be a hard subject if everything were handed to you in a silver-platter report every time.
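Because volatile output cannot be re-acquired once the box is off, the minimum a practitioner wants from a live-collection run is a contemporaneous integrity record: each tool's output hashed at collection time, with size, tool, host and a UTC timestamp, and a digest over the whole record set so that later edits to any single entry show up. The script below is an added example and is not code from the original post or from COFEE; the `SAMPLE_OUTPUTS` artifacts, the case and host identifiers and the manifest layout are all constructed for illustration.

```python
"""Integrity manifest for live-response output (added example; not part of the post or of COFEE).

The artifacts are constructed sample bytes standing in for what a live-response
tool kit would write to its output directory. Hashes are taken at collection
time; `verify` re-checks both the individual files and the manifest record list.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample tool outputs, keyed by output file name.
SAMPLE_OUTPUTS = {
    "pslist.txt": b"PID  Name\n4    System\n376  smss.exe\n1892 cmd.exe\n",
    "netstat.txt": b"TCP 10.0.0.7:49152 203.0.113.5:443 ESTABLISHED 1960\n",
    "ipconfig.txt": b"IPv4 Address. . . . . : 10.0.0.7\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _records_digest(records: list) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible.
    return sha256_hex(json.dumps(records, sort_keys=True, separators=(",", ":")).encode())


def build_manifest(case_id: str, host: str, artifacts: dict, collected_at: datetime = None) -> dict:
    """Hash every artifact and bind the record list with a digest of its own."""
    collected_at = collected_at or datetime.now(timezone.utc)
    records = [{"file": name, "size": len(artifacts[name]), "sha256": sha256_hex(artifacts[name])}
               for name in sorted(artifacts)]
    return {
        "case": case_id,
        "host": host,
        "collected_utc": collected_at.astimezone(timezone.utc).isoformat(),
        "artifacts": records,
        "manifest_sha256": _records_digest(records),
    }


def verify(manifest: dict, artifacts: dict) -> list:
    """Return a list of problems; an empty list means everything still matches."""
    problems = []
    if _records_digest(manifest["artifacts"]) != manifest["manifest_sha256"]:
        problems.append("manifest: record list altered")
    listed = {r["file"]: r for r in manifest["artifacts"]}
    for name, data in artifacts.items():
        rec = listed.get(name)
        if rec is None:
            problems.append(f"{name}: not in manifest")
        elif rec["sha256"] != sha256_hex(data) or rec["size"] != len(data):
            problems.append(f"{name}: hash mismatch")
    for name in listed:
        if name not in artifacts:
            problems.append(f"{name}: listed but missing")
    return problems


if __name__ == "__main__":
    manifest = build_manifest("CASE-0001", "WKSTN-07", SAMPLE_OUTPUTS)
    print(json.dumps(manifest, indent=2))
    print("verify:", verify(manifest, SAMPLE_OUTPUTS) or "ok")
```

The manifest digest only catches careless or accidental edits; anyone who can rewrite the artifacts can rewrite the manifest too. Its value is that the digest is short enough to be written into the contemporaneous notes (or signed) at the time of collection, which is what an examiner can later point to when asked whether the volatile output in the case file is what the tool produced.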

[1] - http://wikileaks.org/wiki/Microsoft_COFEE_%28Computer_Online_Forensics_Evidence_Extractor%29_tool_and_documentation%2C_Sep_2009