DECAF renders Microsoft’s COFEE Obsolete

In retaliation against Microsoft’s Computer Online Forensic Evidence Extractor (COFEE), which frequently helps law enforcement officials extract data from password-protected or encrypted sources, two talented developers have created what they call “Detect and Eliminate Computer Assisted Forensics” (DECAF), to be used as a counter intelligence tool. It was specifically designed to thwart the Microsoft forensic toolkit. DECAF works by monitoring the computer it’s been installed on for any indications that COFEE may be operating on the machine and does everything in its power- which is quite a bit- to stop COFEE from getting through.

More specifically, the program goes about deleteing COFEE’s temporary files, killing its processes, erasing all COFEE logs, disabling USB drives, and even contaminating or spoofing a variety of MAC addresses in order to muddy its own forensic tracks. DECAF can be directed to disable almost every single piece of hardware on a machine while deleting pre-defined files in the background. The 181KB DECAF program even has a ‘Spill the cofee’ mode, in which it simulates COFEE’s presence, a kind of playing against the computer, to allow the user an opportunity to test his or her configuration before even putting the program to use.

The source code for DECAF has not been made available to the public as of yet, and this is because the authors fear it might be reverse engineered. This leaves it unclear as to  what else the tool might be capable of and whether or not it is completely safe to use. DECAF’s developers say they want future versions of the program to allow computer owners to remotely lock down their machine via text message or e-mail if they ever detect that it has somehow fallen into the hands of law enforcement. It will even be able to send out notifications to other parties in the case of such an emergency. Courtesy of  arstechnica.com