Crackers decaffeinate COFEE

Posted by Nigel Constantine

A group of crackers have released software designed to break a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive.

Dubbed DECAF, the software is designed to counteract the Computer Online Forensic Evidence Extractor, or COFEE. Microsoft developed the suite of more than 150 off-the-shelf forensic tools that run from a single script.

The idea was that police could use the software in the field before they bring a computer back to their forensic lab. All they had to do was plug in a USB stick; the tools would then scan files and gather information about activities performed on the machine.

DECAF, which is written by two unknown hackers, monitors a computer for any signs that COFEE is operating on the machine. It then deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.

Later releases of DECAF allow computer owners to remotely lock down their machine once they detect that it has fallen into law enforcement paws.

But the effectiveness of COFEE has been called into question by police forensic experts, including TG Daily's Tom Shellbag, who describes it as 'Just a packaged-up bunch of sysinternals tools'.

See Also
COFEE spillage no big deal