Topics: Microsoft, Security, Software, Technology

Hackers Counter Microsoft COFEE With Some DECAF

An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
  • by FunkyRider ( 1128099 ) on Tuesday December 15, 2009 @11:46PM (#30453736)
    Maybe DECAF is a double agent blocking COFEE and collecting its own things in the inventor's interest. It's a trap!
  • by MaximKat ( 1692650 ) on Wednesday December 16, 2009 @01:03AM (#30454130)

    > So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.

    Yeah, it does... in Windows 95.

  • by Anonymous Coward on Wednesday December 16, 2009 @01:09AM (#30454158)

    The point of COFEE is to grab things that would be lost when the computer is shut down (passwords stored in ram, temporary files, etc) before they pull the plug and take it back to headquarters.

    (Pull the plug, not just tell it to shut down, because it may have a shutdown process in place to wipe evidence.)

    And yes, you could use Linux live CDs to remove passwords, but that involves changing what is on the disk, thereby ruining it as evidence. There are strict procedures in place to prevent the evidence from being corrupted (i.e. the drive is duplicated, and then only the copy of the original drive is worked on...).
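The comment above describes the two halves of a live-response collection: grab the state that disappears at power-off, most volatile first, and leave a record of exactly what was taken so the collection itself can be audited. The script below is an added example of that pattern written for this page; it is not COFEE's code and makes no claim about how COFEE is built. The step list (logged-on users, processes, sockets, ARP cache, using only tools that ship with the OS), the output layout and the manifest format are my own assumptions. Run it from the removable medium and point `outdir` there, since writing to the suspect's disk is the evidence-altering step the commenter warns about.

```python
"""Collect volatile host state, most volatile first, and record a SHA-256 manifest.

Added example for this thread (assumed step list and layout), not COFEE code.
"""
import datetime
import hashlib
import json
import pathlib
import platform
import subprocess

# Collection steps, ordered by volatility. Constructed for this example; every
# argv uses a tool that ships with the OS, so nothing is installed on the host.
COMMANDS = {
    "Windows": [
        ("logged_on_users", ["query", "user"]),
        ("processes", ["tasklist", "/v"]),
        ("network", ["netstat", "-ano"]),
        ("arp_cache", ["arp", "-a"]),
    ],
    "Linux": [
        ("logged_on_users", ["who"]),
        ("processes", ["ps", "auxww"]),
        ("network", ["ss", "-tunap"]),
        ("arp_cache", ["ip", "neigh"]),
    ],
}


def manifest_entry(label, argv, data, collected_at):
    """Describe one artefact: what was run, when, how big it is, and its SHA-256."""
    return {
        "label": label,
        "command": argv,
        "collected_at": collected_at,
        "bytes": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def run_step(argv, runner=subprocess.run):
    """Run one command and return its combined output as bytes.

    A missing tool or a hang is recorded in the artefact instead of aborting the
    whole collection, so a partial run still leaves an honest trail.
    """
    try:
        proc = runner(argv, capture_output=True, timeout=60)
        return proc.stdout + proc.stderr
    except (OSError, subprocess.TimeoutExpired) as exc:
        return f"collection failed: {exc!r}".encode()


def collect(outdir, commands, runner=subprocess.run):
    """Run every step in order, write each output next to a manifest.json."""
    outdir = pathlib.Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for label, argv in commands:
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        data = run_step(argv, runner)
        (outdir / f"{label}.txt").write_bytes(data)
        manifest.append(manifest_entry(label, argv, data, stamp))
    (outdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


if __name__ == "__main__":
    steps = COMMANDS.get(platform.system(), COMMANDS["Linux"])
    when = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    for entry in collect(f"volatile_{when}", steps):
        print(entry["label"], entry["bytes"], entry["sha256"])
```

The hashes in the manifest let anyone later verify that the files on the stick are the ones the script wrote, which is what makes the collection defensible; they do nothing for the disk image itself, which is still taken afterwards with a write blocker and hashed separately.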

  • by Anonymous Coward on Wednesday December 16, 2009 @02:23AM (#30454552)

    "they could just post any old source code and claim it was used to generate the executable." ... which is why you read the code, and if you approve of the code, compile it yourself. If your C.S. skills aren't up to that level, then check with someone you trust as competent to do that code analysis/compilation.

    It's essentially the same with every program.

    But yeah, this looks like an exploit opportunity, and I won't run DECAF on any of my boxes (uh, wait... do I *have* any Windows boxes? Oh, yeah, my gaming box!) without first carefully isolating the code and analyzing what it does.

  • by GameboyRMH ( 1153867 ) on Wednesday December 16, 2009 @09:04AM (#30456438)
    What if someone actually wanted to secure a VM with this app?

    I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?

    But anyone who's really serious about security shouldn't be running Windows anyway, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade [hak5.org]," especially if it can run on Vista/7, which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.
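The comment asks whether a program can tell it is inside a VM by "checking hardware and matching it with known VM configurations". That is exactly how the cheap checks work: hypervisors stamp their names into the SMBIOS vendor and product strings and hand out virtual NICs from their own OUI ranges. The script below is an added example of that matching, written for this page; it is not DECAF's code and nothing here says DECAF does this. The signature and OUI tables are my own, and only the Linux sysfs path is read automatically (on Windows the same strings come from `Get-CimInstance Win32_ComputerSystem` and `Win32_BIOS`, which you would feed in by hand).

```python
"""Guess whether the host is a VM from SMBIOS strings and NIC OUIs.

Added example for this thread; the tables below are the author's own and are
not claimed to be what any particular tool checks.
"""
import pathlib
import uuid

# Substrings that common hypervisors leave in SMBIOS vendor/product fields.
# "Microsoft Corporation" on its own is NOT listed: Surface hardware uses it too,
# so Hyper-V is matched on its product name instead.
HYPERVISOR_SIGNATURES = {
    "VMware": ["vmware"],
    "VirtualBox": ["virtualbox", "innotek"],
    "Hyper-V": ["virtual machine"],
    "QEMU/KVM": ["qemu", "kvm", "bochs"],
    "Xen": ["xen"],
    "Parallels": ["parallels"],
}

# OUI prefixes that hypervisors assign to their virtual NICs (lower-case, colon form).
VM_MAC_OUIS = {
    "00:50:56": "VMware", "00:0c:29": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
    "00:16:3e": "Xen",
}


def detect_vm(dmi_strings, mac_addresses):
    """Return (is_vm, evidence): evidence is a list of human-readable matches."""
    evidence = []
    joined = " | ".join(s.lower() for s in dmi_strings if s)
    for name, needles in HYPERVISOR_SIGNATURES.items():
        for needle in needles:
            if needle in joined:
                evidence.append(f"{name}: SMBIOS string contains '{needle}'")
    for mac in mac_addresses:
        oui = mac.lower().replace("-", ":")[:8]   # accept 08-00-27-.. and 08:00:27:..
        if oui in VM_MAC_OUIS:
            evidence.append(f"{VM_MAC_OUIS[oui]}: MAC OUI {oui}")
    return bool(evidence), evidence


def local_dmi_strings():
    """Read SMBIOS strings from Linux sysfs; returns [] on other platforms."""
    root = pathlib.Path("/sys/class/dmi/id")
    found = []
    for name in ("sys_vendor", "product_name", "board_vendor", "bios_vendor", "chassis_vendor"):
        try:
            found.append((root / name).read_text().strip())
        except OSError:
            pass
    return found


def local_mac():
    """Primary MAC as aa:bb:cc:dd:ee:ff. Note uuid.getnode() returns a random
    locally-administered address when no hardware address is found."""
    node = f"{uuid.getnode():012x}"
    return ":".join(node[i:i + 2] for i in range(0, 12, 2))


if __name__ == "__main__":
    is_vm, why = detect_vm(local_dmi_strings(), [local_mac()])
    print("virtual machine" if is_vm else "no hypervisor signature found")
    for line in why:
        print("  -", line)
```

Treat a hit as a strong hint and a miss as no information: VMware can reflect the host's SMBIOS into the guest, a bare-metal NIC could be set to any MAC, and the checks that are harder to spoof (the CPUID hypervisor bit, timing of privileged instructions) need native code rather than string matching.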
