COFEE Break

First published: 15th December 2009

A month after Microsoft's free, law-enforcement-only live forensics tool, COFEE, was posted to a file-sharing site, Graham Cluley's prediction that someone could write a tool that neutralises it (or wipes sensitive data) when it is used has been fulfilled. DECAF is a lightweight tool, reported to be written in Visual Basic 2005, that waits for COFEE's launcher to be executed, verifies the hash of the launcher and the presence of the COFEE USB, and then performs configurable actions. Possible actions include shutting down the computer, disabling devices, and erasing data, events and caches.

One of the authors of DECAF claimed, "We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding". Reinforcing DECAF's positioning as a demonstration, the End User License Agreement includes, "You will not use DECAF for illegal purposes", though criminals wanting to hide incriminating evidence from the Police are unlikely to obey such restrictions.

Allan Dyer, Yui Kee's Chief Consultant, commented, "the authors of DECAF have a point, the Police should not place too much trust on a single, automated tool. But most Police Forces know that already."

No doubt a new version of COFEE that avoids recognition by DECAF, and that detects it in return, will soon be released.

