Detect and Eliminate Computer Acquired Forensics (DECAF) is a counter-intelligence tool created specifically to obstruct COFEE, the well-known Microsoft forensics product used by law enforcement around the world.[1] However, the tool does not prevent access by other, more advanced computer forensics tools, so computers protected with DECAF can still be examined with non-COFEE tools.

On December 18, 2009, the authors remotely disabled the software, with the aim of convincing security professionals to "band together" to offer better support to government entities.[2] The tool was patched and re-enabled by a group called SOLDIERX on December 23, 2009.[3][4]

DECAF provides real-time monitoring for COFEE signatures on USB devices and in running applications.[2] When a COFEE signature is detected, DECAF performs a number of user-defined actions, which may include clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses.[5]

  1. Zetter, Kim (14 December 2009). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Retrieved 15 December 2009.
  2. "Game Over". 18 December 2009. Retrieved 18 December 2009. [dead link]
  3. "DECAF hacked and re-enabled by SX". SOLDIERX. 23 December 2009. Retrieved 23 December 2009.
  4. "Reactivating DECAF in Two Minutes". Praetorian Prefect. 18 December 2009. Retrieved 19 December 2009.
  5. Goodin, Dan (14 December 2009). "Hackers declare war on international forensics tool". The Register. Retrieved 15 December 2009.