COFEE loses some of its impact thanks to DECAF (Update 2)

The Computer Online Forensic Evidence Extractor (COFEE) is a tool created by Microsoft to help law enforcement with forensic investigations. It has caused its share of privacy fear, and when it was leaked to the web, Microsoft wasn’t too worried. However, for those who have the shakes over COFEE, there is a tool to help, DECAF.

COFEE has been available to law enforcement agencies since 2007. Microsoft describes it as a USB-based tool that provides investigators with a means to extract live data from a suspect’s computer at the point of seizure, before turning it off.

“Prior to COFEE the equivalent work would require a computer forensics expert to enter 150 complex commands manually through a process that could take three to four hours. With COFEE, you simply plug into a running computer to extract the data with the click of one button completing the work in about 20 minutes,” Microsoft explained at the time.

The tools inside COFEE aren’t something Microsoft created from scratch. They packaged some 150 existing tools, wrote a launcher script that lets the investigator run them with ease, and then handed the bundle out to law enforcement agencies.

In November, COFEE ended up leaking to the web, and one of the sites hosting it was issued a takedown notice. In the end, the notice was pointless, as Wikileaks is now hosting downloads of COFEE, so if you want a copy head here. It is a useful tool, but in our opinion BackTrack is the tool of choice.

Thanks to a new tool, as first mentioned by Dan Goodin over at The Register, there is a bit of protection for those worried about the use of COFEE.

The tool is called DECAF, and according to the site hosting it, DECAF is a “counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.”

“DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.”

Also, at a moment’s notice, “almost every piece of hardware can be disabled and pre-defined files can be deleted in the background,” the site explains. There is even an option that allows users to test their DECAF settings by simulating the presence of COFEE on the system.
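The monitoring the site describes is signature matching: look for known files on a newly attached volume and known process names in the process list, then fire user-defined responses. The following is an added illustration of that pattern and is not DECAF’s code; the signature values, the tool bytes, the volume listing and the process list are all constructed here (no real COFEE file names or hashes appear on this page), and the response actions are placeholders where a real tool would eject the device or clear logs.

```python
"""Signature-based detector in the spirit of DECAF's COFEE check.

Added example, not DECAF's or Microsoft's code. Every signature, file and
process name below is constructed for illustration.
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class SignatureSet:
    """What we look for: content hashes, file names and process names."""
    file_sha256: Set[str]
    file_names: Set[str]      # lower-case base names
    process_names: Set[str]   # lower-case image names


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical tool binary; stands in for a launcher that would be on the USB stick.
CONSTRUCTED_TOOL_BYTES = b"MZ\x90\x00constructed-forensic-launcher"

# Hypothetical signature set. A content hash survives a rename; a name
# signature survives a rebuild of the binary. Both are kept for that reason.
SIGS = SignatureSet(
    file_sha256={sha256_bytes(CONSTRUCTED_TOOL_BYTES)},
    file_names={"launcher.exe"},
    process_names={"launcher.exe"},
)


def scan_volume(files: Dict[str, bytes], sigs: SignatureSet) -> List[str]:
    """Scan a volume given as {relative path: contents}; return tagged hits.

    A real monitor would walk the mount point of the device that just appeared;
    here the listing is passed in so the check runs offline.
    """
    hits: List[str] = []
    for path, data in files.items():
        if sha256_bytes(data) in sigs.file_sha256:
            hits.append(f"hash:{path}")          # renamed but byte-identical
        elif Path(path).name.lower() in sigs.file_names:
            hits.append(f"name:{path}")          # known name, unknown build
    return hits


def scan_processes(names: Iterable[str], sigs: SignatureSet) -> List[str]:
    """Return running image names that match the process signatures."""
    return [n for n in names if n.lower() in sigs.process_names]


def respond(hits: List[str], actions: List[Callable[[], str]]) -> List[str]:
    """Run the user-defined actions only when something matched."""
    if not hits:
        return []
    return [action() for action in actions]


def simulate(sigs: SignatureSet) -> List[str]:
    """Test mode: feed a synthetic process list containing a signature name,
    the way a 'simulate COFEE present' switch would exercise the responses."""
    planted = next(iter(sigs.process_names))
    return scan_processes(["explorer.exe", planted], sigs)


# Constructed volume: one renamed copy of the tool, one lookalike name.
SAMPLE_VOLUME = {
    "readme.txt": b"nothing to see",
    "tools/renamed.bin": CONSTRUCTED_TOOL_BYTES,
    "launcher.exe": b"different build, same name",
}

if __name__ == "__main__":
    hits = scan_volume(SAMPLE_VOLUME, SIGS) + scan_processes(["explorer.exe"], SIGS)
    ran = respond(hits, [lambda: "eject-usb", lambda: "clear-logs"])
    print(hits, ran)
```

The two signature kinds fail in complementary ways: a hash check misses a recompiled or repacked launcher, and a name check misses a renamed one, so a detector that relies on either alone is easy to evade. That is also the practical caveat for anyone counting on this kind of tool: the collector only has to change, and the signature set goes stale.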

The team behind the tool explain that future versions will contain remote functionality, as well as email and text messaging alerts.

You can download DECAF here.

Update 2:

The DECAF project is planning an expansion. The details for those plans, as well as a brief explanation were provided today in a video message by one of the project founders.

“We weren’t out to obstruct the collection of evidence,” the video message explains, offering insight into the thought process behind DECAF’s creation. The point of the project is to push for better forensic tool development, the unnamed member added.

In addition to some background, the video also explains that the DECAF project is expanding and they are looking for help from the community at large. However, there is a catch with the project’s planned expansion, “We’re not looking for hackers. We’re looking for professionals.”


We emailed the crew behind DECAF, and asked a few questions to dig a little bit into the project. The first question we asked was whether or not Microsoft has contacted them about DECAF. As a follow-up, we asked what would happen if they did contact them, and attempted to force the tool offline.

“We have not received any word from Microsoft or anyone representing Microsoft. We do not currently know how it will be dealt with if they do send such a request. The Internet allows for greater communication and information flow than ever before; if we allow companies like Microsoft to restrict us from our freedom, then the free flow of information is at jeopardy,” the DECAF team said in an email.

After that we asked about the project. Did the development of DECAF come about because COFEE leaked to the web?

“It’s safe to assume that the release of COFEE directly led to the development of DECAF; however, no laws or end user license agreements were broken,” we were told.

We asked about testing and the release cycle for the DECAF project, and learned that the testing period was rather short, with the majority of it going towards the tool’s features. At the same time, “We had a flawless success rate at finding COFEE's presence,” they report.

As for new releases, “New versions will be released as we receive feedback, suggestions, and bug reports from users. Version 1.0.2 has just been released.”

If you were wondering about the crew behind DECAF itself, there are two people. They both work on development, and say that for now they will remain anonymous. The code for DECAF, at least for now, is closed. However, “We are considering opening up the DECAF source code to the public through an online forum currently being developed.”
