
Hackers Brew Self-Destruct Code to Counter Police Forensics - phsr
http://www.wired.com/threatlevel/2009/12/decaf-cofee/
======
teilo
This whole coffee thing seems like a distraction to me. The Microsoft toolkit
is very primitive. It doesn't do much more than run standard system utilities
that are freely available, and log the results to a USB drive. It is an
amateurish tool for people who know little or nothing about computer
forensics.

Any law enforcement agency worth its salt is going to have a computer
forensics department smart enough to _remove the hard drive_ from the
machine in question, and examine it in a non-destructive way. Thus this decaf
toolkit is useless.

~~~
tptacek
Every LEO doing "forensics" is basically an EnCase jockey today. It's not like
they're shipping these things to Quantico for imaging under a scanning
electron microscope.

Regardless, the reason for online tools like Coffee is that you want to
preserve an image of the running system. Removing the hard drive defeats that
objective.

~~~
stse
Sometimes they even leave the EnCase CD behind ;)

[http://translate.google.se/translate?js=y&prev=_t&hl...](http://translate.google.se/translate?js=y&prev=_t&hl=sv&ie=UTF-8&layout=1&eotf=1&u=http%3A%2F%2Fwarpdrive.se%2F34861&sl=sv&tl=en)
(jar = computer)

------
blahedo
A key sentence lurks at the bottom of the article:

"The hackers, however, have not released source code for the program, which
would make it easy for anyone to see if the program contains malware that
might also harm a computer or allow the attackers to take control of it."

Hmmm.

------
aarongough
Personally I think the most secure option would be to setup a system to
physically destroy the computer's HDD and therefore any information contained
on it.

Perhaps a 1.8" HDD in a 2.5" carrier with the spare space being taken up by
Thermite and an ignition system?

Don't enter the correct BIOS password within 30 seconds of a boot attempt? Buh
Bye, HDD.

~~~
Sukotto
Leading to obstruction of justice, tampering with evidence, and related
charges (no pun intended)... Also likely to weigh very heavily on a jury when
they learn you destroyed your computer rather than allow the "good guys" to
check it over.

yeah... have a nice time in prison

~~~
epochwolf
Obstruction of justice might be a better charge than the case the police won't
be able to make because they don't have enough evidence.

Which of course assumes the police have your computer as the significant
evidence. How likely is that, considering they have a warrant for your
computer?

------
jrp
Any real counter-forensics device should be at least as good as the door
electromagnet in Cryptonomicon.

~~~
jws
I'm fairly certain that won't work. With a field strong enough to erase media
in a doorway sized opening, you will feel the effect on objects you are
carrying. The keys in your pocket for instance.

~~~
jrp
Yeah, when I read the book it sounded cool but as I posted it here I wondered
why the cops didn't notice in the story.

------
gaius
Doesn't this sort of rely on there being an OS to host it? How can Decaf run if
the cops have booted off their USB stick and the onboard HD is just being
scanned?

~~~
ErrantX
Coffee is supposed to be run before you shut down the PC. To be honest I don't
imagine it would see much uptake: too much risk of making evidence
inadmissible in court (UK guidelines are quite heavy about that)

~~~
tptacek
Coffee does pretty much the same thing every other LEO forensics toolset does.
I don't think it has admissibility problems.

~~~
ErrantX
ACPO guidelines get very ratty about working on live machines. Especially if
you can't demonstrate technical competence.

In my experience the vast majority of police seizing machines can't do that.
It would be a field day for the defence I imagine :-)

~~~
tptacek
The ACPO (Assoc. of UK Police dept's) doesn't ban live recovery, it just says
you have to do it with an approved process and an approved tool, which rather
validates the basic idea behind Cofee.

Suffice it to say, the US isn't as weird about live recovery. The idea that an
untrained LEO should unplug a target computer from the wall is very 1990's-era
guidance.

~~~
ErrantX
Yeah, I know you have an easier time of it in the US.

ACPO guidelines are awkwardly worded at best; CPS asks us to steer clear of
live work. This is the crucial line: _In exceptional circumstances, where a
person finds it necessary to access original data held on a computer or on
storage media, that person must be competent to do so and be able to give
evidence explaining the relevance and the implications of their actions._
LEOs hate the idea of what exceptional circumstances could mean. And for the
most part none of the police seizing machines have the competence to explain
what they did and the implications.

Most of the hi-tech crime SOP for law enforcement here (which was co-written
originally by my current boss) asks to avoid live acquisitions.

I obviously can't be specific but very few cases involve live data (of this
type) and those that do usually never make it to court or are dismissed fairly
quickly.

(the main problem is defence teams with no technical knowledge who hire
"specialists"; they will nitpick at every process undertaken if they can't
pick at the evidence. This happens a lot and live evidence would be a field
day for them)

