Hackers Brew Self-Destruct Code to Counter Police Forensics (wired.com)
35 points by phsr on Dec 14, 2009 | hide | past | favorite | 22 comments



This whole coffee thing seems like a distraction to me. The Microsoft toolkit is very primitive. It doesn't do much more than run standard system utilities that are freely available, and log the results to a USB drive. It is an amateurish tool for people who know little or nothing about computer forensics.

Any law enforcement agency worth its salt is going to have a computer forensics department smart enough to remove the hard drive from the machine in question, and examine it in a non-destructive way. Thus this decaf toolkit is useless.


Every LEO doing "forensics" is basically an EnCase jockey today. It's not like they're shipping these things to Quantico for imaging under a scanning electron microscope.

Regardless, the reason for online tools like Coffee is that you want to preserve an image of the running system. Removing the hard drive defeats that objective.


Sometimes they even leave the EnCase CD behind ;)

http://translate.google.se/translate?js=y&prev=_t&hl... (jar = computer)


A key sentence lurks at the bottom of the article:

"The hackers, however, have not released source code for the program, which would make it easy for anyone to see if the program contains malware that might also harm a computer or allow the attackers to take control of it."

Hmmm.


Personally I think the most secure option would be to set up a system to physically destroy the computer's HDD and therefore any information contained on it.

Perhaps a 1.8" HDD in a 2.5" carrier with the spare space being taken up by Thermite and an ignition system?

Don't enter the correct BIOS password within 30 seconds of a boot attempt? Buh Bye, HDD.


Fireworks do an almost as solid job with a mechanical trigger; though you do risk hurting someone (and the legal consequences therein).

We had a machine a while back with a firework strapped to the underside of the HDD and something like a lighter mechanism attached to the case side (it was a Dell). Must have been hell to put together safely, but when pulled apart the firework lit and went off. Fortunately it dropped off the HDD before exploding properly, so the drive was only partially damaged (the platters were OK).

With a bit more of a solid construction it might have been successful.

A low tech solution anyway :)


Haha, I'm amazed that anyone has actually encountered a machine rigged this way in reality!

Your website says you work as a forensic analyst which I guess at least partly explains your run-in with a booby-trapped computer.

Have any other stories about crazy data protection schemes that you can share?


Not really (sadly). You do find crazy stuff inside computers; various drug caches, underwear etc.

Infrequently though.


Well from your perspective it's probably not too bad a thing that people aren't booby-trapping their machines with novel explosive devices... But life would definitely be more novel if they were!

Underwear? Seriously? "It helps with airflow! Duh!"


Leading to obstruction of justice, tampering with evidence, and related charges (no pun intended)... Also likely to weigh very heavily on a jury when they learn you destroyed your computer rather than allow the "good guys" to check it over.

yeah... have a nice time in prison


Obstruction of justice might be a better charge than the case the police won't be able to make because they don't have enough evidence.

Which of course assumes the police have your computer as the significant evidence. How likely is it that considering they have a warrant for your computer?


I'm well-aware that it's not actually a great idea in practice... Imagine the repercussions if your girlfriend was trying to use your laptop to surf the net and didn't know the password. No more computer, no more girlfriend, hospital bills.


That's why I always have some thermite on hand. It's very cheap too, but you have to be super careful storing it; there's a label on the powdered aluminum saying never get it wet as it'll start reacting.

from the Al powder MSDS: "Dust may form flammable or explosive mixture with air, especially when damp. Reacts violently and/or explosively with water, steam or moisture. May ignite or explode on contact with moist air. May cause eye and skin irritation. May cause respiratory tract irritation. Air sensitive. "

Although I'm pretty sure I'm on some FBI watch list now.

http://www.ecrater.com/search.php?keywords=thermite&x=0&...

As for "Don't enter the correct BIOS password within 30 seconds of a boot attempt? Buh Bye, HDD."

Well that'll just start a fire and you'd be liable for arson. You can't really put out thermite once the reaction starts.


Any real counter-forensics device should be at least as good as the door electromagnet in Cryptonomicon.


I'm fairly certain that won't work. With a field strong enough to erase media in a doorway sized opening, you will feel the effect on objects you are carrying. The keys in your pocket for instance.


Yeah, when I read the book it sounded cool but as I posted it here I wondered why the cops didn't notice in the story.


Doesn't this sort of rely on there being an OS to host it? How can Decaf run if the cops have booted off their USB stick and the onboard HD is just being scanned?


Coffee is supposed to be run before you shut down the PC. To be honest I don't imagine it would see much uptake: too much risk of making evidence inadmissible in court (UK guidelines are quite heavy about that).


Coffee does pretty much the same thing every other LEO forensics toolset does. I don't think it has admissibility problems.


ACPO guidelines get very ratty about working on live machines. Especially if you can't demonstrate technical competence.

In my experience the vast majority of police seizing machines can't do that. It would be a field day for the defence I imagine :-)


The ACPO (Assoc. of UK Police dept's) doesn't ban live recovery, it just says you have to do it with an approved process and an approved tool, which rather validates the basic idea behind Cofee.

Suffice it to say, the US isn't as weird about live recovery. The idea that an untrained LEO should unplug a target computer from the wall is very 1990s-era guidance.


Yeh I know you have an easier time of it in the US.

ACPO guidelines are awkwardly worded at best; CPS asks us to steer clear of live work. This is the crucial line: "In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions." LEOs hate the idea of what exceptional circumstances could mean. And for the most part none of the police seizing machines have the competence to explain what they did and the implications.

Most of the hi-tech crime SOP for law enforcement here (which was co-written originally by my current boss) asks to avoid live acquisitions.

I obviously can't be specific, but very few cases involve live data (of this type) and those that do usually never make it to court or are dismissed fairly quickly.

(The main problem is defence teams with no technical knowledge who hire "specialists"; they will nitpick at every process undertaken if they can't pick at the evidence. This happens a lot, and live evidence would be a field day for them.)
