Microsoft hits DECAF with DMCA take-down notice
by Steve Ragan - Feb 4 2010, 17:00
DECAF, an application that defends a system from forensic tools such as EnCase and Helix, as well as Microsoft’s COFEE, earned a good bit of attention towards the end of 2009. Apparently, it earned too much attention, because after the initial hype died down, Microsoft finally acted and served the team behind DECAF with a DMCA notice, causing their hosting provider to pull their site.
The Computer Online Forensic Evidence Extractor (COFEE) is a tool created by Microsoft to help law enforcement with forensic investigations. COFEE isn’t the only tool law enforcement can use, as many use EnCase or Helix. DECAF is a tool that will detect, and depending on how it is configured, prevent those forensic tools from working properly.
While DECAF was initially pitched as an anti-COFEE product, revisions of the tool have expanded the scope of what it can do. However, one thing the creator of DECAF, Mike, was adamant about is that it never used COFEE code and “no laws or end user license agreements were broke” in its creation.
Soon after DECAF started gaining massive attention, The Tech Herald asked Mike if Microsoft had contacted him about the new tool. At the time, mid-December, he said that there had been no contact from Redmond about DECAF, and if they did reach out and attempt to force the tool offline, he wasn’t sure what would happen.
Now the world will get to find out. According to James Young, Microsoft’s Internet Investigator, in a DMCA take-down notice, the DECAF project is, “offering unlicensed copies of, or is engaged in other unauthorized activities relating to copyrighted works published by Microsoft,” by providing DECAF to the public.
Mike said that he went back and forth with Microsoft over the notice, which caused him to lose his hosting account for the decafme.org site, and then they stopped talking. He has since asked the EFF to help him, and after a meeting, they agreed.
“If there is no MS code in DECAF then the take down letter was inappropriate. The law gives Mike the option of counter-noticing, at which point his provider should put the non-infringing material back up,” Jennifer Granick, the Civil Liberties Director for the Electronic Frontier Foundation told us.
Since the DMCA notice cost him the use of his initial hosting account, maintained by GoDaddy, Mike said he has moved his domain to another provider who won’t bend as easily to take-down notices.
So what is it that Microsoft finds offending? Anyone who has examined both tools knows that there is no COFEE code in DECAF, so where is the issue?
According to Mike, whom The Tech Herald spoke to in regards to the DMCA notice, DECAF protects users’ privacy through the detection of known anti-privacy tools such as COFEE, Helix, and EnCase. It is broken down into three sections: monitoring, signatures, and activation.
It is during the monitoring mode’s activation that DECAF hooks into the system through the Windows Management Instrumentation (WMI) to listen to USB and CD-ROM activity. Once this happens, the signature mode comes into play.
“The signatures are DECAF's way of identifying known applications. Each application carries a different signature similar to the way anti-Virus software scans a computer...,” Mike explained to us.
“The end user can use the pre-defined list of signatures or create their own list in the case of monitoring other applications. DECAF has a built-in signature platform that allows the user to add and save new signatures through the loading of a file into the signature generator.”
Once a signature is matched, activation mode triggers. “Activation is what DECAF does when it accurately matches a specific application to a signature. The user has the ability to immediately lock the workstation, disable the device (USB/CD-ROM), or execute a pre-defined program.”
Microsoft said that the offending content is not the use of the acronym COFEE but the software itself. At the same time, Microsoft has not said what exactly the software does or is using that violates their Intellectual Property (IP).
In a statement about the DMCA notice, Richard Boscovich, with the Microsoft Digital Crimes Unit said that, “These takedown notices are intended to address technologies we believe to be using Microsoft IP without proper rights for such distribution. If a site owner believes a notice is in error, we are committed to working directly with them on appropriate resolution.”
About the only thing DECAF does that could be considered a violation of IP is a checksum comparison. DECAF comes with a list of known checksums (hashes) for COFEE, EnCase, and Helix.
When DECAF is hooked into the WMI, it generates a checksum the second a USB or CD-ROM process runs. If the 32-bit string just created matches one on the included list, then DECAF is activated. The thing is, doing a one-way hash of even copyrighted code cannot be considered a copyright violation.
If this is what Microsoft is pressing the DMCA notice over (and we’re not completely sure it is), we’ve been unable to locate a successful lawsuit related to checksum usage where IP violations are concerned. You can’t copyright a hash, considering that collision research has proven them easily cloned.
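To make the checksum-comparison mechanism concrete, here is an added example of how a digest-based signature list works in general; it is not DECAF's code and not from the article. The application contents are constructed byte strings, not real COFEE, EnCase or Helix binaries, and the example hashes bytes handed to it directly rather than hooking WMI for USB or CD-ROM events. It shows the two points the passage turns on: the signature list stores only fixed-size one-way digests (an MD5 hex digest is 32 characters, 128 bits), never the application bytes, and an exact-match checksum identifies only the precise build it was taken from, since a single changed byte yields a different digest.

```python
import hashlib

# Constructed sample contents standing in for application binaries.
# These are made-up byte strings, not real COFEE, EnCase or Helix executables.
SAMPLE_APPS = {
    "tool_a.exe": b"MZ constructed sample program A \x00\x01\x02",
    "tool_b.exe": b"MZ constructed sample program B \x00\x03\x04",
}


def digest_bytes(data: bytes, algorithm: str = "md5") -> str:
    """Return the hex digest of data. MD5 gives 32 hex chars (128 bits),
    SHA-256 gives 64. The digest is one-way: it cannot be reversed to the
    original bytes."""
    return hashlib.new(algorithm, data).hexdigest()


def digest_file(path: str, algorithm: str = "md5") -> str:
    """Same as digest_bytes, but streams a file so large binaries are not
    loaded into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_signature_list(apps: dict, algorithm: str = "md5") -> dict:
    """Map digest -> application name. Only digests are stored; none of the
    application content survives in the list."""
    return {digest_bytes(data, algorithm): name for name, data in apps.items()}


def match_signature(data: bytes, signatures: dict, algorithm: str = "md5"):
    """Return the name of the matched known application, or None."""
    return signatures.get(digest_bytes(data, algorithm))


def demo():
    sigs = build_signature_list(SAMPLE_APPS)
    # An unmodified copy of a listed application matches.
    hit = match_signature(SAMPLE_APPS["tool_a.exe"], sigs)
    # A build differing by one byte does not: exact-match checksum
    # signatures cover known builds only.
    patched = SAMPLE_APPS["tool_a.exe"][:-1] + b"\xff"
    miss = match_signature(patched, sigs)
    # The list contains nothing but hex digests.
    digests_only = all(
        len(k) == 32 and all(c in "0123456789abcdef" for c in k) for k in sigs
    )
    return hit, miss, digests_only


if __name__ == "__main__":
    print(demo())
```

Swapping `algorithm` to `"sha256"` changes the digest length but not the logic; the signature list, like DECAF's, still holds only digests of whatever was fed to the generator.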
As mentioned, Microsoft isn’t spelling out what it is that is considered a violation of their IP, only that it is the software. A search for “James Young” using his listed title turns up a few examples of take-down notices that raise a few eyebrows.
We’ll keep up on the progress of the EFF’s efforts and update this story as more information is made available.
