New tool deCOFEEnates Windows systems
Hackers have released Decaf, a tool which hinders the work of Microsoft's 'Computer Online Forensic Evidence Extractor' (COFEE). COFEE was developed for use by law enforcement agencies and collects system-wide information about the PC under investigation. It starts an automatic scan after a COFEE-containing USB flash drive is inserted into a USB port and the program generates a report when the scan has finished. The tool, intended exclusively for investigative agencies, entered the public domain in November.
Decaf (Detect and Eliminate Computer Assisted Forensics) attempts to detect when a USB drive containing COFEE is inserted and launch countermeasures. It's reportedly able to disable the USB flash drive and rapidly stop pre-defined processes. In the event of an 'attack', Decaf can, if required, also delete log files, browsing history, cookies and the browser cache and even whole directories. It's also able to automatically delete torrent clients such as Azureus when COFEE activity is detected on a system. Additionally, the tool is reported to be able to spoof the computer's MAC address.
To do all this, Decaf, which is only 181 KB in size, uses Microsoft's devcon.exe, a command line device manager which is not a standard Windows component. It's not clear who's behind Decaf, but it could be the work of developers of other forensic tools, for whom COFEE is a thorn in their side. The developers behind Decaf have told a UK media source that they developed the tool to show law enforcement agencies that it is not a good idea to rely solely on Microsoft tools.
- A first impression of Microsoft's forensic tools that got away, a report from The H.