.

DECAF for your COFEE?

<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1911

Joined: Mon Dec 11, 2006 3:23 pm

Post Tue Dec 15, 2009 10:13 am

DECAF for your COFEE?

Hackers Take Aim At COFEE With DECAF
Anti-forensics tool promises to inhibit popular law enforcement software

Full Article
DECAF Website

A pair of hackers says it has developed a defense for a popular computer forensics tool used by many law enforcement agencies.

The anti-forensics tool, which is called DECAF, is designed to obstruct Computer Online Forensic Evidence Extractor (COFEE), a cybercrime forensics tool that is broadly distributed by Microsoft for use by law enforcement agencies.

"DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications," the hackers say on their Website. "Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
<<

sgt_mjc

Sr. Member
Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Tue Dec 15, 2009 10:20 am

Re: DECAF for your COFEE?

lol and who said crackers don't have a sense of humor. 
Mike Conway
CISSP
CompTia Security +
C|EH
<<

nightmare44

Newbie
Newbie

Posts: 10

Joined: Mon Jul 13, 2009 7:19 am

Location: Maryland

Post Tue Dec 15, 2009 11:43 am

Re: DECAF for your COFEE?

DECAF much like COFFEE is useless..

I have a script similar to Coffee that is more indepth (geared towards malware) and is a simple batch file. DECAF does not prevent the log generation that includes most of the same commands that COFFEE invokes. It appears that DECAF blocks the COFFEE executable and that’s it. As you know the COFFEE executable is merely a pretty front-end for those afraid of the command line and scripts out commands that can be run from the prompt but adds in a pretty more presentable analysis (read: html)

The commands each profile of Coffee Runs:
"Volatile Data"
ipconfig, nbtstat, net, pslist, whoami, quser, psloggedon, netstat, sclist, showgrps, systeminfo

"Incident Response"
at, autoruns, getmac, handle, hostname, ipconfig, msinfo32, nbtstat, net, netdom, netstat, openfiles, pslist, psloggedon, psservice, pstat, psuptime, quser, route, sc, sclist showgrps, srvcheck, tasklist, whoami

All are readily available free from SysInternals, MS Resource Kits, and the internet.... MS is so gracious enough to include the switch operators for each command though!
<<

3PIL0GU3

Newbie
Newbie

Posts: 38

Joined: Tue Aug 18, 2009 7:48 am

Post Thu Dec 17, 2009 2:48 am

Re: DECAF for your COFEE?

I heard about Anitforensic tools built into the Metasploit Framework a while ago under the name of MAFIA that allowed Timestamps on files to be changed and did various other things is this project still going
----------------------------
CEH
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1911

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Dec 18, 2009 11:28 pm

Re: DECAF for your COFEE?

And... it's gone.

DECAF Neutralized

Return to News from the Outside World

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software