Wednesday, December 30, 2009

DECAF 2 Launched, Takes on More Than Just COFEE


DECAF has returned, and COFEE is no longer the only forensic toolset it will monitor. The first version of DECAF was pulled on December 18 with a notice that the whole thing had been a “stunt,” and anyone who downloaded the software found that it no longer worked. Now it is back, with new features and an explanation of why it was really pulled: legal fears.

The removal caused issues, the statement noted, including a DoS attack on the site. After that, another researcher and programmer (SoldierX) reactivated DECAF and enabled it for use. There was also talk about a phone home feature, which wasn’t at all malicious as originally speculated.

“We were going to use the phone home feature to notify private tracker admins of a seeder/node who had COFEE ran on his/her machine. This feature was not complete before release but we did have it semi-working, hence the COFEE usage reporting…We decided v2 will not report usage back. We also do not perform automated version checking,” the statement said.

The new version of DECAF will monitor for the use of Microsoft COFEE. It will also watch for Helix, EnCase, Passware, ElcomSoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. In addition, users can add their own custom signatures, and the tool offers CD-ROM monitoring, the ability to execute files, an option to disable the device on which a signature was found, and start-up in monitor mode.

Tools like DECAF can be used by criminals, but so can tools like TrueCrypt. Does that mean TrueCrypt is something to be shunned? If not, then why shun DECAF? A tool is just a tool; the person using it determines its risk. The automation of evidence collection with tools is nice, but most experts will tell you that those tools are only one part of the process.
