It looks like a free tool Microsoft is providing to forensics investigators in approximately 190 markets worldwide has found its match. The antidote for Computer Online Forensic Evidence Extractor (COFEE) has been released to web and is currently available for download under the moniker DECAF, an acronym for Detect and Eliminate Computer Assisted Forensics. DECAF comes on the heels of a COFEE leak, after the free forensics tool from the Redmond company made its way into the wild. At the time of this article, the leaked version of COFEE continues to be offered for download on BitTorrent trackers and warez websites. DECAF can be grabbed from a website set up for it by a developer, which for obvious reasons wishes to remain anonymous.
When it first confirmed the COFEE leakage, Microsoft noted that it did not foresee a mitigation being created. “we do not anticipate the possible availability of COFEE for cybercriminals to download and find ways to ‘build around’ to be a significant concern. COFEE was designed and provided for use by law enforcement with proper legal authority, but is essentially a collection of digital forensic tools already commonly used around the world. Its value for law enforcement is not in secret functionality unknown to cybercriminals, its value is in the way COFEE brings those tools together in a simple and customizable format for law enforcement use in the field,” stated Richard Boscovich, senior attorney, Internet Safety at Microsoft Corporation, on November 10th, 2009.
Obviously, the Redmond company was wrong. COFEE is supplied to authorities in the United States via the National White Collar Crime Center (NW3C) distributor, and worldwide through the International Criminal Police Organization (Interpol). The official Computer Online Forensic Evidence Extractor label is designed to describe nothing more than a data collection tool for live Windows systems. COFEE was created so that even non-technical members of Law Enforcement can be trained in a matter of minutes, to use it and extract precious information that is lost in the eventuality of s system restart or power off, namely volatile data. The tool is preloaded on a USB which needs only be connected to the Windows machine from which it extracts a disk image.
DECAF is, in this context, the anti-COFEE. “DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world," reads the official description of the tool. “DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.”
DECAF will obfuscate all the information COFEE is attempting to harvest and transform into evidence, but per the official description, will also delete data and block access to hardware components. For the time being the anti-COFEE provides end users with the possibility to customize the tool, and even to simulate a situation in which COFEE is attempting to extract data from their machine. In the future, DECAF will evolve with additional triggers, such as SMS or emails, for remote connectivity and control.
DECAF Lockdown Mode features:
- Contaminate MAC Addresses: Spoof MAC addresses of network adapters,
- Kill Processes: Quick shutdown of running processes,
- Shutdown Computer: On the fly machine power down,
- Disable network adapters,
- Disable USB ports,
- Disable Floppy drive,
- Disable CD-ROM,
- Disable Serial/Printer Ports,
- Erase Data: Quick file/folder removal (Basic Windows delete),
- Clear Event Viewer: Remove logs from the Event Viewer,
- Remove Torrent Clients: Removes Azureus and BitTorrent clients,
- Clear Cache: Remove cookies, cache, and history.