After the leak of Microsoft COFFEE into the 'wild' a tool emerges that will supposedly make life very difficult for a forensic investigator using COFFEE.
The tool is titled DECAF and is freely available, although not open source.
The tool does not to be installed, and when configured in 'LockDown Mode' offers a set of Counter-Forensics functions upon detecting a COFFEE process running on the computer. The following options Counter-Forensics functions are available:
- Contaminate MAC Addresses - Modify MAC addresses of network adapters to possibly throw investigators off course in the investigation
- Kill Processes - Eliminates
- Shutdown Computer - Self evident if possible evidence are in memory
- Disable network adapters - most forensic tools send their evidence onto a trusted network share - this will stop all external communication
- Disable USB ports - the basic blockade step to prevent COFFEE from working properly
- Disable Floppy drive - should you use floppy for evidence collection or COFFEE execution
- Disable CD-ROM - Same as USB and Floppy
- Disable Serial/Printer Ports - Got lost here, unless you have some specific tools or choose to print evidence this is not very useful
- Erase Data - Basic Windows delete of folders which you know may incriminate you. Won't do much good though since it can be
- Clear Event Viewer - Remove logs from the Event Log
- Remove Torrent Clients - nobody wants these found, especially on their company computer
- Clear Cache - Remove cookies, cache, and history from everywhere
According to information from the site, future versions will have text message and email triggers so in case the computer needs to enter into lock down mode the user can do it remotely. Also there is a suggested possibility to run as a windows service.
But DECAF is far from being a magic bullet: In it's present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues
- Related to one product and it's current mechanism of operation - DECAF is designed to react to COFFEE, and is built to react to the leaked version of the COFFEE code. In the long run, Microsoft can modify the way COFFEE processes operate which may render DECAF useless. DECAF needs to expand into an automated 'evidence eraser' independent of COFFEE.
- Needs to be run under administrator context to be most efficient - You can't erase Event Log not change MAC address unless you are the local administrator. So usual corporate employees need to understand that their protection is limited to what their account is permitted to do.
- It doesn't 'live' as a service - you need to run the process for it to be active. And any forensic investigator can see the tray icon and the process in task manager. While DECAF developers announce that it will run as service, as it is now it is as visible as a zit in the middle of a teenagers nose.
- Fails on certain platforms - running it on Windows XP (virtual environment test) produced an error and failed the application. While this may not be the case with all WinXP, there is a probability that DECAF will fail on some computers.
Talkback and comments are most welcome
New Helix3 Forensic CD - Welcome
Digital Forensics Framework - A Perspective Forensics Tool
Tutorial - Computer Forensics Process for Begginners
Tutorial - Computer Forensics Evidence Collection
Scalpel - File Carving from Partially Wiped Evidence Disk