

A look at decaf antiforensics anti-cofee tool - mjpinvestor
http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/

======
test
COFEE is just an epic failure as a computer forensics tool simply because when
it comes to forensics the accepted medium is to switch off the machine, remove
the hard disk and then mirror the contents of the hard disk into a secure
read-only medium such as LibEWF or Expert Witness Format.

Unfortunately, when a tool like COFEE is inserted into the machine on USB
whilst it's running, cracking the password as it's inserted, it would access
the RAM on the machine when it got inserted. This can be construed as data
tampering, as it would have to read and write data from the hard disk!

By reading and writing to the suspect's computer via a USB device it opens up
the possibility of a rogue application spreading via the USB. How can anyone
determine the effects of COFEE if it is closed source and is distributed in the
marvelous self *.exe'cuting binary Win32 format?

In forensics, you read and reconstruct the data from a disk image of the HDD,
or in the case of a USB device you would extract the data from Thumbs.db, which
is a hidden file on any FAT16-formatted USB pen. The only accepted norm is that
you do not tamper with the data in any way by allowing your machine to write to it!

------
tptacek
This problem is isomorphic to the antivirus problem. You can't even trust the
memory controller to tell you the truth about live memory contents. When you
compare Decaf to, say, a modern rootkit, it's apparent how superficial this
forensics conflict really is.

~~~
BearOfNH
Agreed, it's just a scratch on the surface. But if the authors were to
open-source it and develop a plugin scheme they might find a lot of
contributors, a la Firefox or the iPhone app store. Maybe not as many, but with
similar enthusiasm.

Not sure I approve of antiforensics, because I suspect COFEE could help convict
a lot of criminals. On the other hand it seems an invasion of privacy and of
the US 5th Amendment, IMO.

