COFEE and DECAF: forensics and countermeasure
Date: January 06, 2010
This article presents a Microsoft investigative tool named COFEE and the hackers' counter-attack against it, named DECAF.
The COFEE tool
COFEE (Computer Online Forensic Evidence Extractor) is an investigative tool available since June 2008, which Microsoft had provided only to the law enforcement agencies of the 187 Interpol member countries.
The tool bundles a suite of nearly 150 programs, installed and configured on a USB device, whose execution is automated.
It has been designed to help police officers who are not computer experts conduct a quick and complete inspection of computers suspected of containing digital evidence of criminal activity.
Once connected to a computer, this USB device can bypass all the Windows system protections (including the BitLocker encryption introduced in Windows Vista) and generate a report on:
- open communication ports,
- passwords in use,
- visited web sites,
- software and services in use,
- the legality of the software licenses in use,
- configured Wi-Fi keys,
- …
Microsoft provides this tool for free via Interpol and the NW3C (National White Collar Crime Center) in order to maintain a secure Internet.
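The defining feature of COFEE, as described above, is not any single program but the automation: a fixed list of collection tools is run in order on the live machine and their output is gathered into one report. The following is an added illustration of that collect-and-report pattern as an incident responder might write it; it is not COFEE's code (which this article does not show) and it runs ordinary operating-system utilities rather than COFEE's 150 bundled programs. Each collector's output is hashed and the whole result set is hashed again, so that the report can later be checked for tampering. The collector lists, names and the `verify_report` helper are this example's own choices.

```python
"""Minimal automated live-response collector (illustrative, not COFEE's code).

Runs a fixed list of read-only collection commands in order, captures each
command's output, hashes it, and emits a single report whose own hash can be
recorded separately for chain-of-custody purposes.
"""
import datetime
import hashlib
import json
import platform
import subprocess
import sys

# Constructed collector list: (name, argv). Commands differ per platform.
# These are stock OS utilities chosen for this example, not COFEE's tools.
if sys.platform.startswith("win"):
    DEFAULT_COLLECTORS = [
        ("open_ports", ["netstat", "-ano"]),
        ("processes", ["tasklist", "/v"]),
        ("services", ["sc", "query"]),
        ("wifi_profiles", ["netsh", "wlan", "show", "profiles"]),
    ]
else:
    DEFAULT_COLLECTORS = [
        ("open_ports", ["ss", "-tulpn"]),
        ("processes", ["ps", "aux"]),
        ("logged_in_users", ["who"]),
    ]


def sha256_hex(data):
    """SHA-256 of a byte string as a hex digest."""
    return hashlib.sha256(data).hexdigest()


def run_collector(name, argv, timeout=30):
    """Run one collector and return a record containing its hashed output.

    Failures (missing binary, timeout) are recorded in the result instead of
    aborting the run, so one broken tool does not cost the remaining evidence.
    """
    started = datetime.datetime.now(datetime.timezone.utc).isoformat()
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        stdout, stderr, rc = b"", str(exc).encode("utf-8"), None
    return {
        "name": name,
        "argv": argv,
        "started_utc": started,
        "returncode": rc,
        "stdout_sha256": sha256_hex(stdout),
        "stdout": stdout.decode("utf-8", errors="replace"),
        "stderr": stderr.decode("utf-8", errors="replace"),
    }


def build_report(collectors=None):
    """Run every collector in order and wrap the results in a hashed report."""
    if collectors is None:
        collectors = DEFAULT_COLLECTORS
    results = [run_collector(name, argv) for name, argv in collectors]
    body = json.dumps(results, sort_keys=True)
    return {
        "host": platform.node(),
        "generated_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "results": results,
        # Hash of the serialized results. Record it outside the report (for
        # example in the examiner's notes) so later edits are detectable.
        "results_sha256": sha256_hex(body.encode("utf-8")),
    }


def verify_report(report):
    """Recompute the results hash; True only if the result set is unchanged."""
    body = json.dumps(report["results"], sort_keys=True)
    return sha256_hex(body.encode("utf-8")) == report["results_sha256"]


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2))
```

Run on the live system, the script prints the JSON report; the `results_sha256` value is the one to note down at collection time, since `verify_report` can only detect changes relative to a hash the examiner trusts.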
The leak
But in early November, this tool, designed exclusively for use by law enforcement agencies, was made available on various BitTorrent websites.
This pirated version, which has been widely disseminated, is limited to Windows XP. Many users have been able to obtain it, but its use remains illegal.
Microsoft plays down the threat of malicious individuals using the tool, pointing out that it is a collection of software already known to and used by cybercriminals. The value of COFEE, according to Microsoft, lies in consolidating these programs and making them easy to use.
The DECAF tool
The main threat posed by this leak is that it allows cybercriminals to analyze COFEE and design a countermeasure tool.
That is what happened. One month after the leaked release of COFEE, hackers posted on the Internet an anti-COFEE program called DECAF (Detect and Eliminate Computer Assisted Forensics).
This application is designed for advanced users. It looks for the COFEE signature on any USB key inserted into the computer and, if it detects it, launches a series of countermeasures (deleting files, ejecting USB drives, automatically locking the PC, ...) to destroy digital evidence or block access to it.
What's next?
It seems that new COFEE versions are under development at Microsoft. The expected versions for Windows Vista and Windows 7 are to be distributed to law enforcement during 2010. It is highly probable that these versions will try to defeat DECAF's countermeasures, until the latter are reinforced in return. Version 2 of DECAF is said to target other well-known forensic suites (Helix, EnCase, Forensic Toolkit, etc.). It is probably another never-ending game.
For more information
- SANS diary: http://isc.sans.org/diary.html?storyid=7741
- Microsoft presentation: http://www.microsoft.com/industry/government/solutions/cofee/default.aspx
- Wikipedia article: http://en.wikipedia.org/wiki/Computer_Online_Forensic_Evidence_Extractor