Hackers Counter Microsoft COFEE With Some DECAF
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
The Site... (Score:5, Informative)
http://www.decafme.org/
Disable autorun, lock your computer (Score:5, Informative)
AFAIK, if your computer is locked, COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA DLL, which, given it's Microsoft, they might know how to do, but I would find it highly unlikely.
Re:So let me get this straight... (Score:4, Informative)
So, set up a VM and then port it through Wireshark. It shouldn't be too hard to figure out if it's communicating with some central server.
Re:You're missing the point of COFEE (Score:1, Informative)
I'm sure more competent forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.
Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM are used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, any music files that don't have DRM most likely, because of the guilty-until-proven-innocent provisions) begins.
Re:DECAF: A welcoming news (Score:3, Informative)
Note that the GP didn't say it will put disproportionately fewer innocent people - only that there will be fewer innocent people.
Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!
You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.
Re:You're missing the point of COFEE (Score:1, Informative)
COFEE was not created for forensics people at all but instead for LEA guys. It was created to be used by ordinary police officers who might encounter a suspicious PC in a live situation. It would be dramatically better if that officer used that COFEE stick on a live PC, before he pulled the plug, instead of just pulling the plug and carrying the PC away without saving any volatile information.
Imaging RAM through FireWire is pretty uncommon, although possible. Usually, an ordinary Linux CD/DVD is used by forensics people, together with "dd" and "nc" to acquire the RAM image and stream it over the network. That way you have the least impact on the live system. FireWire is really cool when you encounter a locked Windows PC, forensically speaking, because that way you can copy the RAM without having to unlock the PC, but I doubt that this is actually done often, if ever.
Disclaimer: posting as AC as to not undo my moderation.
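The acquisition workflow the two comments above describe (stream the volatile source with dd, keep impact on the live box minimal, then verify the stored image before anyone trusts it) as an added worked example. This is not code from the article, from COFEE or from DECAF; it is a POSIX sh script written for this page. Because it has to run offline, the "volatile source" is a constructed random file rather than /dev/mem, and the network hop is replaced by a local pipe; the nc command lines in the comments show how the same pipeline is split across acquisition host and collector in the field (netcat flag syntax differs between implementations, so treat them as illustrative). The function names (hash_stream, acquire, verify, demo) are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): dd-based acquisition with end-to-end hash verification.
#
# Field form, acquisition host (Linux live CD):   dd if=/dev/mem bs=1M conv=noerror,sync | nc COLLECTOR 9999
# Field form, collector:                          nc -l -p 9999 | tee memory.img | sha256sum
# The hash computed on the collector must match a hash computed from the same stream on the
# acquisition host; otherwise the image is not trustworthy as evidence. For disk imaging the
# source must additionally sit behind a hardware write blocker: dd never writes to "if=", but
# software alone cannot prove nothing else on the box did.
set -eu

# SHA-256 of stdin. coreutils sha256sum on Linux, shasum on BSD/macOS.
hash_stream() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Constructed stand-in for the volatile source (assumption: NOT a real memory dump): 2 MiB of random bytes.
make_sample() {
    dd if=/dev/urandom of="$1" bs=1M count=2 2>/dev/null
}

# Stream SRC with dd into DEST while hashing the very bytes that go over the "wire".
# conv=noerror,sync keeps dd running past unreadable blocks (bad pages, bad sectors) and
# pads them with zeros, so a single read error does not abort the whole acquisition.
# The stream hash is recorded beside the image as DEST.sha256.
acquire() {
    src="$1"; dest="$2"
    dd if="$src" bs=1M conv=noerror,sync 2>/dev/null | tee "$dest" | hash_stream > "$dest.sha256"
}

# Re-hash the stored image and compare with the hash recorded at acquisition time.
# Exit status 0 only when both hashes exist and match.
verify() {
    dest="$1"
    expected=$(cat "$dest.sha256")
    actual=$(hash_stream < "$dest")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# End-to-end run: acquire a constructed source, verify it, then corrupt the image by one byte
# and confirm verification now fails. Returns 0 when both outcomes are as expected.
demo() {
    work=$(mktemp -d)
    make_sample "$work/volatile.bin"
    acquire "$work/volatile.bin" "$work/memory.img"
    verify "$work/memory.img" || { rm -rf "$work"; return 1; }
    printf 'x' >> "$work/memory.img"          # simulate tampering / truncation after the fact
    if verify "$work/memory.img"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}
```

Run it as `sh acquire.sh && demo` after sourcing, or append `demo` to the file; the important design point is that the hash is taken from the stream itself (via tee), not from the file after the fact, so a collector that silently truncated or rewrote the image cannot produce a matching digest.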
Re:Perfect trojan horse (Score:4, Informative)
It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.