Windows 7 Protect yourself from COFEE with some DECAF (Updated)

whoosh

Cooler King
Staff member
Premium Supporter
http://arstechnica.com/microsoft/news/2009/12/protect-yourself-from-cofee-with-some-decaf-1.ars

Two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources.
In response to Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it's running on for any signs that COFEE is operating on the machine and does everything it can to stop it.
More specifically, the program deletes COFEE's temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a 'Spill the cofee' mode in which it simulates COFEE's presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.
DECAF's developers say future versions of the program will allow computer owners to remotely lock down their machine via text message and e-mail once they detect that it has fallen into law enforcement hands and even send out notifications to other parties in the case of an emergency. The plan is to make DECAF's next release more light-weight, possibly having it run in the form of a Windows service.
COFEE, a suite of 150 bundled off-the-shelf forensic tools that run from a script, was created by Microsoft to help law enforcement officials gather volatile evidence that would otherwise be lost in traditional, offline forensic analysis. Officers can run the script in the field from a USB stick, before the computer is brought back to the lab, letting them grab data from password-protected or encrypted sources. The forensics tool works best with Windows XP, but Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7.
Microsoft first revealed the 15MB tool back in April 2008, and in April 2009, the company announced that it will aid global law enforcement in fighting cybercrime by providing COFEE free of charge to 187 countries, distributing it through Interpol. Microsoft managed to keep the existence of it quiet until November 2009, when pirates decided it was time to leak the tool so that people other than just government crime-fighters could use it. Weeks later, Microsoft started issuing takedown notices to multiple websites that hosted the tool. It's unclear whether Microsoft will react to the fact that there's now software that aims to render COFEE useless.
Update

Apparently, it was all just a stunt. All copies of DECAF have been disabled. The official site, DECAFme has more information.
 
Back
Top