Vulnerabilities / Threats

Hackers Take Aim At COFEE With DECAF

Anti-forensics tool promises to inhibit popular law enforcement software

A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

"DECAF is highly configurable, giving the user complete control to on-the-fly scenarios," the Website continues. "In a moment's notice, almost every piece of hardware can be disabled, and predefined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live."

The two hackers plan to enhance DECAF over time, the Website says. "Future versions will have text message and email triggers, so in case the computer needs to enter into lockdown mode, the user can do it remotely," the site says. "It will also have notification services where in the case of an emergency, someone can be notified. DECAF's next release is going to be available in a more lightweight version and/or a Windows service."

One of the hackers attempted to explain the rationale for DECAF. "We want to promote a healthy, unrestricted free flow of Internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding," the hacker told a reporter in an article published by The Register.

Some of the source code for COFEE was reportedly leaked to the Web last month, and experts expressed concern that hackers would reverse-engineer the tool and develop defenses against it.

DECAF is free, but users who want to download it must agree to a license stating they will not use it for illegal purposes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.