DECAF

Detect and Eliminate Computer Acquired Forensics (DECAF) is a counter-intelligence tool created specifically to obstruct COFEE, the well-known Microsoft product used by law enforcement around the world.[1] However, the tool does not prevent access by other, more advanced computer forensics tools, so computers protected with DECAF can still be examined with non-COFEE tools.

On December 18, 2009, the authors remotely disabled the software, with the aim of convincing security professionals to "band together" to offer better support to government entities.[2] The tool was patched and re-enabled by a group called SOLDIERX on December 23, 2009.[3][4]

DECAF monitors in real time for COFEE signatures on USB devices and in running applications.[2] When a COFEE signature is detected, DECAF performs numerous user-defined processes. These may include clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses.[5]

References

  1. Zetter, Kim (14 December 2009). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Wired.com. http://www.wired.com/threatlevel/2009/12/decaf-cofee/. Retrieved 15 December 2009.
  2. "Game Over". decafme.org. 18 December 2009. http://decafme.org/. Retrieved 18 December 2009. [dead link]
  3. "DECAF hacked and re-enabled by SX". SOLDIERX. 23 December 2009. http://www.soldierx.com/news/DECAF-hacked-and-re-enabled-SX. Retrieved 23 December 2009.
  4. "Reactivating DECAF in Two Minutes". Praetorian Prefect. 18 December 2009. http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/. Retrieved 19 December 2009.
  5. Goodin, Dan (14 December 2009). "Hackers declare war on international forensics tool". The Register. http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf/. Retrieved 15 December 2009.