Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Hackers Take Aim At COFEE With DECAF

Anti-forensics tool promises to inhibit popular law enforcement software

A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

"DECAF is highly configurable, giving the user complete control to on-the-fly scenarios," the Website continues. "In a moment's notice, almost every piece of hardware can be disabled, and predefined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live."

The two hackers plan to enhance DECAF over time, the Website says. "Future versions will have text message and email triggers, so in case the computer needs to enter into lockdown mode, the user can do it remotely," the site says. "It will also have notification services where in the case of an emergency, someone can be notified. DECAF's next release is going to be available in a more lightweight version and/or a Windows service."

One of the hackers attempted to explain the rationale for DECAF. "We want to promote a healthy, unrestricted free flow of Internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding," the hacker told a reporter in an article published by The Register.

Some of the source code for COFEE was reportedly leaked to the Web last month, and experts expressed concern that hackers would reverse-engineer the tool and develop defenses against it.

DECAF is free, but users who want to download it must agree to a license stating they will not use it for illegal purposes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-15
An issue was discovered in Malwarebytes before 4.0 on macOS. A malicious application was able to perform a privileged action within the Malwarebytes launch daemon. The privileged service improperly validated XPC connections by relying on the PID instead of the audit token. An attacker can construct ...
PUBLISHED: 2021-01-15
Docker Desktop Community before on macOS mishandles certificate checking, leading to local privilege escalation.
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, there is a critical vulnerability which can lead to pre-auth remote code execution. AttachmentUploadServlet deserializes untrusted data from the `Attachment-Support` header. This Servlet does not enforce any authentication or a...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, AttachmentUploadServlet also saves user controlled data (`request.getInputStream()`) to a user specified location (`request.getHeader("File-Name")`). This issue may lead to arbitrary file upload which can be used to u...
PUBLISHED: 2021-01-15
OneDev is an all-in-one devops platform. In OneDev before version 4.0.3, the REST UserResource endpoint performs a security check to make sure that only administrators can list user details. However for the `/users/` endpoint there are no security checks enforced so it is possible to retrieve ar...