Reuter, who spent eight years researching the book, moves from the broken survivors of the childrens' suicide brigades in the Iran-Iraq war of the 1980s, to the war-torn Lebanon of Hezbollah, to Israeli-occupied Palestinian land, and to regions as disparate as Sri Lanka, Chechnya, and Kurdistan. He tells a disturbing story of the modern globalization of suicide bombing--orchestrated, as his own investigations have helped to establish, by the shadowy Al Qaeda network and unintentionally enabled by wrong-headed policies of Western governments. In a final, hopeful chapter, Reuter points to today's postrevolutionary, post-Khomeini Iran, where a new social environment renounces the horrific practice in the very place where it was enthusiastically embraced just decades ago.
Most public discussions of intelligence address operations—the work of spymasters and covert operators. Current times, in the wake of September 11th and the intelligence failure in the runup to the war in Iraq, are different.1 Intelligence analysis has become the subject. The Weapons of Mass Destruction (WMD) Commission was direct, and damning, about intelligence analysis before the Iraq war: “This failure was in large part the result of analytical shortcomings; intelligence analysts were too wedded to their assumptions about Saddam’s intentions.” To be sure, in the Iraq case, what the United States did or did not collect, and how reliable its sources were, were also at issue. And the focus of post mortems on pre-September 11th was, properly, mainly on relations between the Central Intelligence Agency (CIA) and the Federal Bureau of Investigation (FBI) and on the way the FBI did its work. But in both cases, analysis was also central. How do the various agencies perform the tradecraft of intelligence analysis, not just of spying or operations? How is that task different now, in the world of terrorism, especially Islamic Jihadist terrorism, than in the older world of the Cold War and the Soviet Union?
The difference is dramatic and that difference is the theme of this report. The United States Government asked RAND to interview analysts at the agencies of the U.S. Intelligence Community and ask about the current state of analysis. How do those analytic agencies think of their task? In particular, what initiatives are they taking to build capacity, and what are the implicit challenges on which those initiatives are based? Our charter was broad enough to allow us to include speculations about the future of analysis, and this report includes those speculations. This report is a work in progress because many issues—the state of tradecraft and of training and the use of technology and formal methods—cry out for further study. This report was long delayed in the clearance process. It has been updated and remains a useful baseline in assessing progress as the Intelligence Community confronts the enormous challenges
Microsoft has distributed thousands of COFEE devices to police and military intelligence personnel in the United States, and some foreign countries. COFEE was developed mainly to assist the investigation of Internet based crime. But military intelligence operators find it very useful in uncovering enemy plans.
COFEE is a USB drive that allows law enforcement to run more than 150 commands on a live computer system and save the results on the portable drive for later analysis. This preserves valuable information that could be lost if the computer had to be shut down and transported to a lab--files that are stored in active memory would otherwise be lost, for example.
COFEE was developed in 2006 by Ricci Ieong and Anthony Fung, both members of the High Tech Crime Investigators Associate's (HTCIA) Asia South Pacific Chapter. Fung now works for Microsoft's Internet Safety Enforcement team in Hong Kong and used to be on the police force there. Ieong is founder and principal consultant for eWalker Consulting.
COFEE consists of plain text scripts; the data collected from these scripts is routed to a provided USB drive. Although intended for use with a command line, there is also an option for GUI. Raw text captures generate either SH1 or md5 checksums. The results for an acquisition are then presented in either plain text or HTML. Each operation produces its own log file to help investigators.
Although Microsoft would not confirm any specific tools included within COFEE, it did say that all the tools were publicly available. A quick search by CNET revealed several free Windows-based digital forensic tool kits available for download. These include:
- Incident Response Collection Report (IRCR)
- First Responder Evidence Disk (FRED)
- Windows Forensics Toolchest (WFT)
- Forensic Acquisition Utilities
- Windows Forensic Toolkit
- Windows Memory Forensics Toolkit
- The Forensic Toolkit (Windows NT 4.0 SP3)
Several news reports have suggested that Microsoft is also providing law enforcement with new tools to defeat BitLocker in Windows Vista or access to a secret back door within Windows. A Microsoft spokesperson denied this, saying, "COFEE does not circumvent Windows Vista BitLocker encryption or undermine any protections in Windows through secret 'backdoors' or other undocumented means." Microsoft also stressed that COFEE is still in beta.
"The key to COFEE is not new forensic tools," said Tim Cranton, associate general counsel for Microsoft, "but rather the creation of an easy to use, automated forensic tool at the scene. It's the ease of use, speed, and consistency of evidence extraction that is key."
More than 2,000 officials are using it worldwide, according to Microsoft.
Q&A with Tim Cranton, Associate General COunsel for Microsoft at the Law Enforcement Technology 2008 conference: Microsoft Calls on Global Public-Private Partnerships to Help in the Fight Against Cybercrime
Blackbird Data Surveyor/Scavenger
Digital Intelligence FRED-L
High Tech Crime Institute EDAS FOX