{"id":130223,"date":"2009-12-16T16:48:00","date_gmt":"2009-12-16T20:48:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-7143750009553907461"},"modified":"2009-12-16T16:48:00","modified_gmt":"2009-12-16T20:48:00","slug":"decaf-counter-forensics-tool-that-must-grow","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/130223","title":{"rendered":"DECAF &#8211; Counter Forensics Tool That Must Grow"},"content":{"rendered":"<p><a href=\"http:\/\/1.bp.blogspot.com\/_Hu1rpxRsqcU\/SylOEOBNrkI\/AAAAAAAAAdE\/2bkqIp2pgKs\/s1600-h\/decaf.png\"><img decoding=\"async\" style=\"margin: 0pt 0pt 10px 10px; float: right; cursor: pointer; width: 200px; height: 185px;\" src=\"http:\/\/1.bp.blogspot.com\/_Hu1rpxRsqcU\/SylOEOBNrkI\/AAAAAAAAAdE\/2bkqIp2pgKs\/s200\/decaf.png\" alt=\"\" id=\"BLOGGER_PHOTO_ID_5415945861279362626\" border=\"0\" \/><\/a>After the leak of Microsoft COFFEE into the &#8216;wild&#8217;, a tool has emerged that will supposedly make life very difficult for a forensic investigator using COFFEE.<\/p>\n<p><a href=\"http:\/\/www.decafme.org\/\">The tool is titled DECAF and is freely available, although not open source.<\/a><\/p>\n<p>The tool does not need to be installed, and when configured in &#8216;LockDown Mode&#8217; it offers a set of Counter-Forensics functions upon detecting a COFFEE process running on the computer. 
The following Counter-Forensics functions are available:<\/p>\n<ul>\n<li><span style=\"font-weight: bold;\">Contaminate MAC Addresses<\/span> &#8211; Modify the MAC addresses of network adapters to possibly throw investigators off course in the investigation<\/li>\n<li><span style=\"font-weight: bold;\">Kill Processes<\/span> &#8211; Eliminates<\/li>\n<li><span style=\"font-weight: bold;\">Shutdown Computer<\/span> &#8211; Self-evident if possible evidence is in memory<\/li>\n<li><span style=\"font-weight: bold;\">Disable network adapters<\/span> &#8211; most forensic tools send their evidence to a trusted network share; this will stop all external communication<\/li>\n<li><span style=\"font-weight: bold;\">Disable USB ports<\/span> &#8211; the basic blockade step to prevent COFFEE from working properly<\/li>\n<li><span style=\"font-weight: bold;\">Disable Floppy drive<\/span> &#8211; should you use a floppy for evidence collection or COFFEE execution<\/li>\n<li><span style=\"font-weight: bold;\">Disable CD-ROM<\/span> &#8211; Same as USB and Floppy<\/li>\n<li><span style=\"font-weight: bold;\">Disable Serial\/Printer Ports<\/span> &#8211; Got lost here; unless you have some specific tools or choose to print evidence this is not very useful<\/li>\n<li><span style=\"font-weight: bold;\">Erase Data<\/span> &#8211; Basic Windows delete of folders which you know may incriminate you. 
Won&#8217;t do much good though since it can be<\/li>\n<li><span style=\"font-weight: bold;\">Clear Event Viewer<\/span> &#8211; Remove logs from the Event Log<\/li>\n<li><span style=\"font-weight: bold;\">Remove Torrent Clients<\/span> &#8211; nobody wants these found, especially on their company computer<\/li>\n<li><span style=\"font-weight: bold;\">Clear Cache<\/span> &#8211; Remove cookies, cache, and history from everywhere<\/li>\n<\/ul>\n<p>Since most users don&#8217;t have COFFEE copies to test DECAF with, it includes a simulator that triggers the reaction as if a COFFEE process were active.<\/p>\n<p>According to information from the site, future versions will have text message and email triggers so that, in case the computer needs to enter lock down mode, the user can do it remotely. There is also a suggested possibility to run it as a Windows service.<\/p>\n<p><span style=\"font-weight: bold;\">But DECAF is far from being a magic bullet: In its present form it has a lot of realistic issues that will prevent it from being successful. Here is my top list of issues:<\/span><\/p>\n<ol>\n<li><span style=\"font-weight: bold;\">Related to one product and its current mechanism of operation<\/span> &#8211; DECAF is designed to react to COFFEE, and is built to react to the leaked version of the COFFEE code. In the long run, Microsoft can modify the way COFFEE processes operate, which may render DECAF useless. 
<span style=\"font-weight: bold; font-style: italic;\">DECAF needs to expand into an automated &#8216;evidence eraser&#8217; independent of COFFEE<\/span>.<\/li>\n<li><span style=\"font-weight: bold;\">Needs to be run under administrator context to be most efficient<\/span> &#8211; You can&#8217;t erase the Event Log nor change MAC addresses unless you are the local administrator. So usual corporate employees need to understand that their protection is limited to what their account is permitted to do.<\/li>\n<li><span style=\"font-weight: bold;\">It doesn&#8217;t &#8216;live&#8217; as a service<\/span> &#8211; you need to run the process for it to be active, and any forensic investigator can see the tray icon and the process in Task Manager. While DECAF developers announce that it will run as a service, as it is now it is as visible as a zit in the middle of a teenager&#8217;s nose.<\/li>\n<li><span style=\"font-weight: bold;\">Fails on certain platforms<\/span> &#8211; running it on Windows XP (virtual environment test) produced an error and the application failed. 
While this may not be the case with all Windows XP installations, there is a probability that DECAF will fail on some computers.<\/li>\n<\/ol>\n<p>Talkback and comments are most welcome<\/p>\n<p>Related posts<br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/11\/new-helix3-forensic-cd-welcome.html\">New Helix3 Forensic CD &#8211; Welcome<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/11\/digital-forensics-framework-perspective.html\">Digital Forensics Framework &#8211; A Perspective Forensics Tool<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/tutorial-computer-forensics-process-for.html\">Tutorial &#8211; Computer Forensics Process for Beginners<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2008\/07\/tutorial-computer-forensics-evidence.html\">Tutorial &#8211; Computer Forensics Evidence Collection<\/a><br \/><a href=\"http:\/\/www.shortinfosec.net\/2009\/01\/scalpel-file-carving-from-partially.html\">Scalpel &#8211; File Carving from Partially Wiped Evidence Disk<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>After the leak of Microsoft COFFEE into the &#8216;wild&#8217;, a tool has emerged that will supposedly make life very difficult for a forensic investigator using COFFEE. The tool is titled DECAF and is freely available, although not open source. 
The tool does not need to be installed, and when configured in &#8216;LockDown Mode&#8217; it offers a set of [&hellip;]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-130223","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=130223"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/130223\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=130223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=130223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=130223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}