DECAF

Detect and Eliminate Computer Acquired Forensics (DECAF) is a counterintelligence tool created specifically to obstruct the well-known Microsoft product COFEE, used by law enforcement around the world.[1] The tool does not, however, prevent access by other, more advanced computer forensics tools, so computers protected with DECAF can still be examined with non-COFEE tools.

On December 18, 2009, the authors remotely disabled the software, with the aim of convincing security professionals to "band together" to offer better support to government entities.[2] The tool was patched and re-enabled by a group called SOLDIERX on December 23, 2009.[3][4]

DECAF provides real-time monitoring for COFEE signatures on USB devices and in running applications.[2] When a COFEE signature is detected, DECAF executes a set of user-defined actions. These may include clearing COFEE logs, ejecting USB devices, and contaminating or spoofing MAC addresses.[5]
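The behaviour just described, a forensic tool signature followed within seconds by log clearing, USB ejection and a MAC address change, is also a detectable pattern from the examiner's side. The following is an added example of such detection logic and is not code from the DECAF project or from COFEE. It assumes a simplified, constructed telemetry format (`<epoch_seconds> <event_type> <detail>`), a hypothetical forensic tool process name (`forensic-collector.exe`, standing in for any real signature), and invented event type names; none of these are taken from the article.

```python
"""Detect a DECAF-style anti-forensics burst in host telemetry.

Added example for illustration; not part of DECAF or COFEE.
Assumed event format: "<epoch_seconds> <event_type> <detail>".
"""
from dataclasses import dataclass, field
from typing import List

# Constructed sample telemetry (not real log data). The burst at
# 1260792006..1260792009 mirrors the reaction sequence the article describes.
SAMPLE_TELEMETRY = """\
1260792000 PROCESS_START explorer.exe
1260792005 USB_INSERT vid=1234 pid=5678
1260792006 PROCESS_START forensic-collector.exe
1260792007 LOG_CLEARED Security
1260792008 USB_EJECT vid=1234 pid=5678
1260792009 MAC_CHANGED 00:11:22:33:44:55 -> de:ad:be:ef:00:01
1260792500 PROCESS_START notepad.exe
1260792510 LOG_CLEARED Application
"""

# Hypothetical process name standing in for a forensic toolkit binary
# (assumption: this is not COFEE's real signature).
FORENSIC_TOOL_NAMES = {"forensic-collector.exe"}

# The three reactions the article attributes to DECAF, as assumed event names.
REACTION_TYPES = {"LOG_CLEARED", "USB_EJECT", "MAC_CHANGED"}

# How long after the trigger we still attribute reactions to it (assumed).
WINDOW_SECONDS = 30


@dataclass
class Event:
    ts: int
    kind: str
    detail: str


@dataclass
class Burst:
    trigger: Event
    reactions: List[Event] = field(default_factory=list)


def parse_events(text: str) -> List[Event]:
    """Parse the assumed telemetry format; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, kind, detail = line.split(" ", 2)
        events.append(Event(int(ts), kind, detail))
    return events


def is_forensic_tool_start(ev: Event) -> bool:
    """True if the event is the launch of a known forensic tool binary."""
    return ev.kind == "PROCESS_START" and ev.detail.lower() in FORENSIC_TOOL_NAMES


def find_anti_forensics_bursts(events: List[Event],
                               window: int = WINDOW_SECONDS,
                               min_reactions: int = 2) -> List[Burst]:
    """Flag a forensic tool start followed within `window` seconds by at
    least `min_reactions` reaction events (log clear, USB eject, MAC change)."""
    ordered = sorted(events, key=lambda e: e.ts)
    bursts = []
    for i, ev in enumerate(ordered):
        if not is_forensic_tool_start(ev):
            continue
        reactions = [r for r in ordered[i + 1:]
                     if r.ts - ev.ts <= window and r.kind in REACTION_TYPES]
        if len(reactions) >= min_reactions:
            bursts.append(Burst(ev, reactions))
    return bursts


def log_clear_events(events: List[Event]) -> List[Event]:
    """Every audit-log clear, with or without a trigger nearby: clearing an
    event log rarely has a benign cause and merits its own alert."""
    return [e for e in events if e.kind == "LOG_CLEARED"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TELEMETRY)
    for b in find_anti_forensics_bursts(evs):
        kinds = ", ".join(r.kind for r in b.reactions)
        print(f"anti-forensics burst after {b.trigger.detail} at {b.trigger.ts}: {kinds}")
    for e in log_clear_events(evs):
        print(f"log cleared at {e.ts}: {e.detail}")
```

On the constructed sample the burst rule reports one burst (the three reactions following `forensic-collector.exe`), and the standalone log-clear rule additionally surfaces the later `Application` log clear that has no trigger in its window. The window and threshold are tuning knobs; a real deployment would feed the same logic from an EDR or event-log pipeline rather than from a string.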

References

  1. Zetter, Kim (14 December 2009). "Hackers Brew Self-Destruct Code to Counter Police Forensics". Wired.com. Retrieved 15 December 2009.
  2. "Game Over". decafme.org. 18 December 2009. Retrieved 18 December 2009.
  3. "DECAF hacked and re-enabled by SX". SOLDIERX. 23 December 2009. Retrieved 23 December 2009.
  4. "Reactivating DECAF in Two Minutes". Praetorian Prefect. 18 December 2009. Retrieved 19 December 2009.
  5. Goodin, Dan (14 December 2009). "Hackers declare war on international forensics tool". The Register. Retrieved 15 December 2009.