Microsoft Security Software Technology

Hackers Counter Microsoft COFEE With Some DECAF

Posted by kdawson
from the please-mister-moto dept.
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
  • The Site... (Score:5, Informative)

    by JBG667 (690404) on Tuesday December 15, 2009 @10:48PM (#30453750)
  • by OverlordQ (264228) on Tuesday December 15, 2009 @10:51PM (#30453770) Journal

    AFAIK, if your computer is locked, COFEE relies on autorun to work, so disabling autorun and locking your computer will pretty much thwart COFEE, since it would somehow require bypassing MS's supplied GINA DLL, which, given it's Microsoft, they might know how to do, but I would find that highly unlikely.

  • by Bios_Hakr (68586) on Tuesday December 15, 2009 @11:05PM (#30453842) Homepage

    So, set up a VM and then port it through WireShark. It shouldn't be too hard to figure out if it's communicating with some central server.

  • by Anonymous Coward on Wednesday December 16, 2009 @01:27AM (#30454570)

    I'm sure more competent forensics people don't pull the plug. Instead they would keep the machine up and running and capture it in that state, using clips to keep it fed the voltage as it gets loaded onto a vehicle and until it gets to the forensics area. There, you use a PCI or IEEE 1394 card to dump the box's RAM.

    Then, the hard disk gets imaged via a hardware write blocker (very important), the decryption keys in RAM used to decrypt the image of the HDD, and the search for whatever stuff (after ACTA, any music files that don't have DRM most likely because of the guilty until proven innocent provisions) begins.

  • by Rysc (136391) on Wednesday December 16, 2009 @07:20AM (#30456156) Homepage Journal

    Note that the GP didn't say it will put disproportionately fewer innocent people - only that there will be fewer innocent people.

    Fixed it for you. You and the OP made the same mistake. It's like nails on a chalk board, honestly!

    You can have fewer innocent people or you can have less innocent people, but it means different things. Less innocent people are not as innocent, fewer innocent people are of a smaller number.

  • by Anonymous Coward on Wednesday December 16, 2009 @08:27AM (#30456632)
    You are basically right.

    COFEE was not created for forensics people at all but instead for LEA guys. It was created to be used by ordinary police officers who might encounter a suspicious PC in a live situation. It would be dramatically better if that officer used that COFEE stick on a live PC before he pulled the plug, instead of just pulling the plug and carrying the PC away without saving any volatile information.

    Imaging RAM through FireWire is pretty uncommon, although possible. Usually, an ordinary Linux CD/DVD is used by forensics people, together with "dd" and "nc" to acquire the RAM image and stream it over the network. That way you have the least impact on the live system. FireWire is really cool when you encounter a locked Windows PC, forensically speaking, because that way you can copy the RAM without having to unlock the PC, but I doubt that this is actually done often, if ever.

    Disclaimer: posting as AC so as not to undo my moderation.
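The "dd" plus "nc" acquisition the comment above describes, as an added example that is not part of the thread: a POSIX sh pipeline that streams a source with dd, hashes the bytes in flight so the examiner can later prove the received image matches what left the live box, and hands the stream to a transport command. The transport is a parameter (`DEST_CMD`) so the same pipeline can be exercised locally with `cat` on constructed data; the `nc` invocation and collector address in the comments are hypothetical. One caveat the thread predates: reading RAM through /dev/mem is largely blocked on modern kernels (CONFIG_STRICT_DEVMEM), so today the source would usually be a disk device or a dump produced by a dedicated memory-acquisition module, but the hashing and transport steps are the same.

```shell
#!/bin/sh
# Added example, not from the Slashdot thread: live acquisition with dd,
# an in-flight SHA-256, and a pluggable transport standing in for "nc".
set -eu

# acquire_image SOURCE DEST_CMD HASHFILE
#   SOURCE   : device or file to image (disk device, or a memory dump file;
#              /dev/mem itself is mostly unreadable on current kernels).
#   DEST_CMD : shell command consuming the stream on stdin, i.e. the "nc"
#              side. Hypothetical real use: "nc -q 0 10.0.0.5 9999".
#   HASHFILE : file that receives the hex SHA-256 computed on the acquiring
#              host, over exactly the bytes handed to the transport.
acquire_image() {
    src=$1; dest_cmd=$2; hashfile=$3
    # A FIFO lets sha256sum see the same bytes tee sends to the transport
    # without bash-only process substitution, keeping this POSIX sh.
    workdir=$(mktemp -d)
    fifo=$workdir/stream
    mkfifo "$fifo"
    sha256sum < "$fifo" | awk '{print $1}' > "$hashfile" &
    hash_pid=$!
    # bs=1M keeps syscall overhead (and impact on the live system) low.
    # Deliberately no conv=sync: padding would change the bytes and break
    # the hash comparison. dd's own statistics go to stderr and are dropped.
    dd if="$src" bs=1M 2>/dev/null | tee "$fifo" | sh -c "$dest_cmd"
    wait "$hash_pid"
    rm -rf "$workdir"
}

# verify_image HASHFILE IMAGE
#   Recompute SHA-256 over the received image on the collector and compare
#   it with the acquisition-side value. Exit status 0 on match, 1 otherwise.
verify_image() {
    expected=$(cat "$1")
    actual=$(sha256sum < "$2" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}
```

On the collector the receiving side would be the listening half of the same tool (for example `nc -l -p 9999 > suspect.img`), after which `verify_image` run against the transferred hash file and `suspect.img` gives a pass/fail the examiner can record in the acquisition log; the hash file itself travels out of band, not in the image stream.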

  • by b4dc0d3r (1268512) on Wednesday December 16, 2009 @05:00PM (#30464824)

    It's .NET and they ran Dotfuscator over it, so you're going to have to graduate past bovine intelligence on this one.
