Two developers said they created a tool, called DECAF, that compromises Microsoft's COFEE computer-forensics tool by killing its processes, disabling a computer's connection ports and even conjuring up fake MAC addresses.
It's fake.
After numerous media outlets reported this week that there were delinquent hackers trying to thwart COFEE-assisted cyber-crime investigations, the DECAF developers on Friday revealed their creation as a publicity stunt. They said the COFEE tool Microsoft gives to police is lukewarm.
I watched the YouTube video and listened to the CyberSpeak interview.
Nothing appears to indicate that there was anything fake about DECAF or that it's intended to be fake going forward. The decafme.org web site appears to have changed, and the YouTube video says the same thing as the web site.
So…how is/was DECAF 'fake' exactly?
I'll tend to agree with KeyDet….
- A publicity stunt? Sure.
- An awareness campaign, both on the existence and the thwarting of COFEE? Possibly.
…but… a spoof or a fake software, I don't know if I can go that far.
Were they going to take it offline eventually? Who Knows.
Was there backlash from the forensic community (primarily Micro$oft and LE) that made them change their minds? Who Knows.
From listening to Michael, it looks like DECAF was very much like an anti-virus program: staying resident and, when a COFEE signature was found, going active. Technically, it's very possible that it would have worked and worked well.
Respectfully….
-=Art=-
Not exactly fake, the seattlepi post didn't do homework. Publicity stunt? Yes, they admitted that they wanted to raise eyebrows about forensics, security awareness, and apparently a religious message posted on their site.
However, the tool is not fake, as it was actually written and somewhat works. I say somewhat because the tool was buggy to begin with, but yes, it listened for runner.exe and for a USB device with the COFEE label to be inserted, and yes, it performed actions when detected.
As far as some magic to remotely disable all working copies, this is false; they simply removed a php file with version info from their site, which, if the tool doesn't find it, crashes with dotNet errors. I hosted my own version of this php and used the tool again even after the so-called deactivation.
I'm still surprised that such a big deal was being made over a tool that's not that great to begin with. There are much better tools available to LE (and non-LE alike) that do the job better (I'm speaking more of COFEE than DECAF).
This whole thing seems to be a "Oh look! It came from Microsoft!" sort of thing.
(Mind you, I haven't listened to the CyberSpeak podcast yet.)
Tom
Was there backlash from the forensic community (primarily Micro$oft and LE) that made them change their minds? Who Knows.
Listen to the CyberSpeak Podcast.
Slightly different tack…
Not really sure what the deal was with those guys and the CyberSpeak podcast.
I think the problem lies in the public sector, and with some in the CF community, in that there is a notion of a magic bullet tool to do all the work for an investigation, and therefore an "anti-tool" can be developed to thwart such attempts.
A computer forensic tool's strength lies only in the person wielding it. I often try to impress upon people who ask what I do that I investigate people and their actions as they relate to technology, not the other way around.
Personally, I think that the whole issue is only slightly more newsworthy than the White House gate crashers (and only to us). It appears that this whole issue has been discussed out of proportion to its actual significance, except as an indicator that the National Enquirer might have a market in digital forensics news.
Ditto. I am more concerned about what I will have for dinner than DECAF or COFEE…
If you need COFEE, then you are not doing forensics, and most likely don't have sufficient training to use it properly anyway.