After the leak of Microsoft COFFEE into the 'wild' a tool emerges that will supposedly make life very difficult for a forensic investigator using COFFEE.
But DECAF is far from being a magic bullet In it's present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues
1. Related to one product and it's current mechanism of operation - DECAF is designed to react to COFFEE, and is built to react to the leaked version of the COFFEE code. In the long run, Microsoft can modify the way COFFEE processes operate which may render DECAF useless. DECAF needs to expand into an automated 'evidence eraser' independent of COFFEE.
2. Needs to be run under administrator context to be most efficient - You can't erase Event Log not change MAC address unless you are the local administrator. So usual corporate employees need to understand that their protection is limited to what their account is permitted to do.
3. It doesn't 'live' as a service - you need to run the process for it to be active. And any forensic investigator can see the tray icon and the process in task manager. While DECAF developers announce that it will run as service, as it is now it is as visible as a zit in the middle of a teenagers nose.
4. Fails on certain platforms - running it on Windows XP (virtual environment test) produced an error and failed the application. While this may not be the case with all WinXP, there is a probability that DECAF will fail on some computers.
Best regards
Bozidar Spirovski
http//
Not having chance to use COFFEE myself its a little difficult to comment however I woulg definately agree that the DECAF tool, in its current state, is little or no use at all.
One main thing I would say is that anyone who genuinely wants to hide something or at least attempt to remove certain items/obstruct the COFFEE tool loses their 'plausable deniability' as soon as a copy of DECAF is found on on their system.
Software such as Truecrypt provides the user with the ability to create hidden volumes, which as I understand it, if are installed correctly are virtually impossible to detect.
I will be interesting to see how this tool develops and whether any source code is released……..you can make your own mind up why this has been held back.
One main thing I would say is that anyone who genuinely wants to hide something or at least attempt to remove certain items/obstruct the COFFEE tool loses their 'plausable deniability' as soon as a copy of DECAF is found on on their system.
Software such as Truecrypt provides the user with the ability to create hidden volumes, which as I understand it, if are installed correctly are virtually impossible to detect.
To be truly plausibly deniable no trace of the software can be left on the system. There is a good article written by Bruce Schneier called "TrueCrypt's Deniable File System."
Features and screenshots of DECAF http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=5052
Maybe we are looking at this in the wrong way….
Possibly the question 'What benifit does DECAF have to someone who wants to disrupt/obstruct the examination of a Windows OS?' is a better area of discussion??