HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 57 guests and 3 members online
EH-Net News Feeds
Latest Additions
 
Advertisement

You are here: Home arrow Forum arrow Resourcesarrow News from the Outside Worldarrow DECAF for your COFEE?
EH-Net
February 09, 2012, 07:48:29 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Advertise on EH-Net!! - Reasonable Rates, Highly Targeted Audience.
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: DECAF for your COFEE?  (Read 4676 times)
0 Members and 1 Guest are viewing this topic.
BillV
Hero Member
*****
Offline Offline

Posts: 1790


View Profile WWW
« on: December 15, 2009, 09:13:44 AM »
Hackers Take Aim At COFEE With DECAF
Anti-forensics tool promises to inhibit popular law enforcement software

Full Article
DECAF Website

Quote
A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
Logged
sgt_mjc
Sr. Member
****
Offline Offline

Posts: 294


View Profile
« Reply #1 on: December 15, 2009, 09:20:13 AM »
lol and who said crackers don't have a sense of humor. 
Logged
Mike Conway
CISSP
CompTia Security +
C|EH
nightmare44
Newbie
*
Offline Offline

Posts: 10


View Profile
« Reply #2 on: December 15, 2009, 10:43:50 AM »
DECAF much like COFFEE is useless..

I have a script similar to Coffee that is more indepth (geared towards malware) and is a simple batch file. DECAF does not prevent the log generation that includes most of the same commands that COFFEE invokes. It appears that DECAF blocks the COFFEE executable and that’s it. As you know the COFFEE executable is merely a pretty front-end for those afraid of the command line and scripts out commands that can be run from the prompt but adds in a pretty more presentable analysis (read: html)

The commands each profile of Coffee Runs:
"Volatile Data"
ipconfig, nbtstat, net, pslist, whoami, quser, psloggedon, netstat, sclist, showgrps, systeminfo

"Incident Response"
at, autoruns, getmac, handle, hostname, ipconfig, msinfo32, nbtstat, net, netdom, netstat, openfiles, pslist, psloggedon, psservice, pstat, psuptime, quser, route, sc, sclist showgrps, srvcheck, tasklist, whoami

All are readily available free from SysInternals, MS Resource Kits, and the internet.... MS is so gracious enough to include the switch operators for each command though!
Logged
3PIL0GU3
Newbie
*
Offline Offline

Posts: 38


View Profile
« Reply #3 on: December 17, 2009, 01:48:50 AM »
I heard about Anitforensic tools built into the Metasploit Framework a while ago under the name of MAFIA that allowed Timestamps on files to be changed and did various other things is this project still going
Logged
----------------------------
CEH
BillV
Hero Member
*****
Offline Offline

Posts: 1790


View Profile WWW
« Reply #4 on: December 18, 2009, 10:28:48 PM »
And... it's gone.

DECAF Neutralized
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.16 | SMF © 2011, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.274 seconds with 23 queries.
 

gk_static-ad_feb2012.jpg
Global Knowledge Training: Build Security Skills to Protect and Defend

offsec_130x200-2_jan-feb2012.png
Offensive Security
AWE Live in the Caribbean!
March 5 - 9, 2012

SANS Deals 4 EH-Netters
$150 OFF Any SANS Course in Any Format!
Coupon Code: Refer_EHN
Including SANS Phoenix 2012, SANS 2012
Recent Forum Topics

cbtnuggets_logo_125.jpg
Try CBT Nuggets Free!

Vote For EH-Net

Add to Technorati Favorites
technorati fave

 
         
Advertisement

© 2012 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.