HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 29 guests online
 
Advertisement

You are here: Home arrow Resourcesarrow News from the Outside Worldarrow DECAF for your COFEE?
EH-Net
May 23, 2013, 02:20:10 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: DECAF for your COFEE?  (Read 5800 times)
0 Members and 1 Guest are viewing this topic.
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« on: December 15, 2009, 09:13:44 AM »
Hackers Take Aim At COFEE With DECAF
Anti-forensics tool promises to inhibit popular law enforcement software

Full Article
DECAF Website

Quote
A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
Logged
sgt_mjc
Sr. Member
****
Offline Offline

Posts: 294


View Profile
« Reply #1 on: December 15, 2009, 09:20:13 AM »
lol and who said crackers don't have a sense of humor. 
Logged
Mike Conway
CISSP
CompTia Security +
C|EH
nightmare44
Newbie
*
Offline Offline

Posts: 10


View Profile
« Reply #2 on: December 15, 2009, 10:43:50 AM »
DECAF much like COFFEE is useless..

I have a script similar to Coffee that is more indepth (geared towards malware) and is a simple batch file. DECAF does not prevent the log generation that includes most of the same commands that COFFEE invokes. It appears that DECAF blocks the COFFEE executable and that’s it. As you know the COFFEE executable is merely a pretty front-end for those afraid of the command line and scripts out commands that can be run from the prompt but adds in a pretty more presentable analysis (read: html)

The commands each profile of Coffee Runs:
"Volatile Data"
ipconfig, nbtstat, net, pslist, whoami, quser, psloggedon, netstat, sclist, showgrps, systeminfo

"Incident Response"
at, autoruns, getmac, handle, hostname, ipconfig, msinfo32, nbtstat, net, netdom, netstat, openfiles, pslist, psloggedon, psservice, pstat, psuptime, quser, route, sc, sclist showgrps, srvcheck, tasklist, whoami

All are readily available free from SysInternals, MS Resource Kits, and the internet.... MS is so gracious enough to include the switch operators for each command though!
Logged
3PIL0GU3
Newbie
*
Offline Offline

Posts: 38


View Profile
« Reply #3 on: December 17, 2009, 01:48:50 AM »
I heard about Anitforensic tools built into the Metasploit Framework a while ago under the name of MAFIA that allowed Timestamps on files to be changed and did various other things is this project still going
Logged
----------------------------
CEH
BillV
Hero Member
*****
Offline Offline

Posts: 1892


View Profile WWW
« Reply #4 on: December 18, 2009, 10:28:48 PM »
And... it's gone.

DECAF Neutralized
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.074 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.