Microsoft’s COFEE decaffeinated!
Hackers have declared war on Microsoft’s forensics tool COFEE, which stands for “Computer Online Forensic Evidence Extractor”. The COFEE program has been found on BitTorrent sites and is available for download.
With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.
Hackers have released software, appropriately named “Decaf”, that they say sabotages the suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe.
Apparently, Decaf is a lightweight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police and other law enforcement officials to collect digital evidence at crime scenes. When a USB stick containing the Microsoft software is attached to a protected PC, Decaf automatically executes a variety of countermeasures.
Last month, when COFEE leaked to the internet, Microsoft downplayed concerns that the breach would allow hackers to create countermeasures; Redmond representatives were not immediately available for comment. By the time Microsoft lawyers demanded the removal of COFEE from sites such as Cryptome, the genie was already out of the bottle.
Decaf boasts a huge variety of user-driven countermeasures against COFEE. In addition to nuking temporary files within seconds of detecting files or processes associated with the investigative tool, Decaf can also clear all COFEE logs, disable USB drives, and contaminate or spoof a variety of MAC addresses. Future versions promise to add features that allow users to remotely lock down protected systems.
While the hackers are making the Decaf executable available, they are not releasing the source code for fear, they say, that the signatures it uses will be reverse engineered. The end user license agreement that accompanies the software states: “You will not disassemble, decompile, or reverse engineer it, in whole or in part, except to the extent expressly permitted by law. You will not use DECAF for illegal purposes. You will comply with all export laws. DECAF is licensed, not sold.”
More information is available via a Google search.