Hackers Take Aim At COFEE With DECAF

Anti-forensics tool promises to inhibit popular law enforcement software

Tim Wilson, Editor in Chief, Dark Reading, Contributor

December 14, 2009

2 Min Read
Dark Reading logo in a gray background | Dark Reading

A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

"DECAF is highly configurable, giving the user complete control to on-the-fly scenarios," the Website continues. "In a moment's notice, almost every piece of hardware can be disabled, and predefined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live."

The two hackers plan to enhance DECAF over time, the Website says. "Future versions will have text message and email triggers, so in case the computer needs to enter into lockdown mode, the user can do it remotely," the site says. "It will also have notification services where in the case of an emergency, someone can be notified. DECAF's next release is going to be available in a more lightweight version and/or a Windows service."

One of the hackers attempted to explain the rationale for DECAF. "We want to promote a healthy, unrestricted free flow of Internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding," the hacker told a reporter in an article published by The Register.

Some of the source code for COFEE was reportedly leaked to the Web last month, and experts expressed concern that hackers would reverse-engineer the tool and develop defenses against it.

DECAF is free, but users who want to download it must agree to a license stating they will not use it for illegal purposes.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights