today I wanna point out this interesting tool, called DECAF. It’s an anti Microsoft Computer Online Forensic Evidence Extractor (COFEE).
As many of you probably remember ….
Computer Online Forensic Evidence Extractor (COFEE), designed exclusively for use by law enforcement agencies. COFEE brings together a number of common digital forensics capabilities into a fast, easy-to-use, automated tool for first responders. And COFEE is being provided—at no charge—to law enforcement around the world.
With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.
DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moments notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF’s next release is going to be available in a more light-weight version and/or a windows service.
This is the main screen about the “Lock Down” option.
Well, people who don’t want “be investigate” need to install this “tiny” and “dirty” DECAF-software, BUT they must be aware that exist plenty other ways to investigate into their Windows machine.