Hackers Counter Microsoft COFEE With Some DECAF
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
No source? It's a trap! (Score:1, Interesting)
Re:Disable autorun, lock your computer (Score:2, Interesting)
So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.
Yeah, it does... in Windows 95.
You're missing the point of COFEE (Score:1, Interesting)
The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.
(Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.)
And yes, you could use Linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from being corrupted. (i.e., the drive is duplicated, and then only the copy of the original drive is worked on...)
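The "duplicate first, work only on the copy" procedure the comment above describes, as an added example that is not part of the original thread: the source is hashed before imaging, the working copy is hashed after, and both hashes are kept so that later analysis on the copy can be shown not to have touched the original. The on-disk data here is a constructed stand-in, not real evidence.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for a seized disk image (not real evidence data).
SAMPLE_DISK = b"FAKEFS\x00" + b"user: alice\nnote: placeholder\n" * 100

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source_path, image_path):
    """Copy the source to a working image and record the hashes of both."""
    src_hash = sha256_file(source_path)           # hash of the original before any copying
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    img_hash = sha256_file(image_path)            # hash of the working copy
    return {"source": src_hash, "image": img_hash, "verified": src_hash == img_hash}

def verify_untouched(path, recorded_hash):
    """True if the file still matches the hash recorded at acquisition time."""
    return sha256_file(path) == recorded_hash

def demo():
    """Image a constructed source, modify only the copy, then re-check both."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "original.dd")
        img = os.path.join(d, "working_copy.dd")
        with open(src, "wb") as f:
            f.write(SAMPLE_DISK)
        record = acquire_image(src, img)
        # The analyst works on the copy; here we simulate that by overwriting bytes in it.
        with open(img, "r+b") as f:
            f.seek(7)
            f.write(b"MODIFIED")
        return (record["verified"],
                verify_untouched(src, record["source"]),   # original still intact
                verify_untouched(img, record["image"]))    # copy no longer matches

if __name__ == "__main__":
    print(demo())  # (True, True, False)
```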
Re:Perfect trojan horse (Score:1, Interesting)
"they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.
It's essentially the same with every program.
But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming box!) without first carefully isolating the code and analyzing what it does.
Re:So let me get this straight... (Score:3, Interesting)
I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?
But anyone who's really serious about security shouldn't be running Windows anyway, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade [hak5.org]," especially if it can run on Vista/7, which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.