Hackers declare war on international forensics tool

Hackers have released software they say sabotages a suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe. Decaf is a light-weight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police to collect …


This topic is closed for new posts.
  1. ShaggyDoggy


    Don't have any.

    Local cache was invented when we were all on dial-up, to avoid

    delays/costs re-downloading something you already had.

    Now we have broadband, so why bother.

    1. Anonymous Coward

      Now they have done it

      So now the police can't look at pedos' computers. I know exactly what the gov will do now, it goes like this.

      Customer Walks into PC world and says: Hi I'd like to buy a laptop.

      Staff Member: Sure, follow me this way and we'll do the police check for you.

      Customer: What police check?

      Staff: Now now, sir, you don't want us selling a laptop to a pedo, do you, so we are going to assume you are one until we do the check.

      Customer: Is there any way out of this?

      Staff member: Sure, will you be with this laptop for less than two hours per week?

    2. Anonymous Coward


      As my broadband is anything but broad at home (I live in the internet backwater that is GB), I need cache.

      So does my wallet.... It's Christmas, and I'm broke!

    3. The Original Ash


      Sandbox your browser of choice, and securely wipe the sandbox when done. With such atrocious law making in the UK, it's not worth the risk if you mistakenly click a link which is incorrectly described.

    4. Peter Gathercole

      Why bother...

      ... to keep below the download limits your ISP imposes?

      Or do you like your feed being blocked, or being hit with punitive over-limit fees? The cache tends to hold large static data that would be expensive to download again and again.

    5. David Barrett


      Because a load from cache is *still* faster than retrieval over the net? If it's not then you need to get a new hard disk as there is something seriously wrong with yours.

      Why waste even .5 seconds downloading something that you already have?

  2. MonkeyBot

    If hackers have COFFEE...

    ...then surely DECAF is a security suite.

  3. Antony Riley

    Smells like a virus.

    Someone press the publish button on next year's April Fool?

  4. Anonymous Coward

    It was only a matter of time..

    since MS was giving c0ffee away like candy, until someone uploaded it to the net. Besides, if you're worried about LEOs rooting through your PC, use encryption (I know, keys can be subpoenaed, you can be detained until you cough them up, etc.), and/or Linux (at least until they learn how to use a proper OS or hire some geeks who know their arse from their elbow).

  5. Anonymous Coward

    Cache? Torrent Client?

    Does it log into my squid (running inside a VM) or torrent client (running inside a VM) to nuke those? Obtw, those VMs are stored ... places that are unavailable to the USB port...


  6. Evil Auditor

    This is so stereotype

    But I wonder whether COFEE comes with doughnuts?

  7. jake

    "DECAF is licensed, not sold."

    Licensed by whom, to whom, exactly?


    That's what I thought ... The MS tool wasn't a real tool, and DECAF isn't really anything worth reporting ... Dan, PLEASE take a few real security classes. You are embarrassing yourself.

  8. Topsy

    Obvious answer?

    Now I know why I don't run Windows.


  9. Tin Pot

    You will not use DECAF for illegal purposes


    This is exactly the kind of "tool" that should be illegal to use at all. Whilst there are many arguments for legitimate tools, a piece of software designed specifically to disable law enforcement's forensic tools has to be illegal.

    1. Niall 1

      @Tin Pot

      "a piece of software designed specifically to disable law enforcement's forensic tools has to be illegal"

      But the police are not the only ones who have access to these tools.

      1. Tin Pot


        Great, my first comment gets 12 thumbs down to 1 up. :D

        The fact that further criminal activity may steal law enforcement's tools does nothing to change the fact that the developers are admitting they have written it to disable law enforcement activity. Nor does it legitimize my prevention of those tools working should a law enforcement officer deploy them.

        The fact that I know warrant cards can be forged, moreover that I have no idea how they should look, does not mean I can legitimately deny their authority.

        Society works on the basis that its citizens accept the State has the monopoly on violence, in this case against your precious laptop. If you can't accept that I suggest you move to a State that you trust more, or hide out in the mountains. May I suggest that it be a mountain with none too many bears? No? Fine - I know an excellent vendor of bear traps, though they can be disabled by humans - you may want to remove that feature in case a law enforcement officer tries to make a visit.

    2. Cameron Colley

      So, let's start a list of things which should be illegal.

      By that reckoning the following should be illegal:

      Apple OSs

      "clear cache on exit" options on all browsers

      HTTPS for porn or other non-government sites

      Alcohol-Based cleaners


      1. Anonymous Coward

        and don't forget the heinous crimes of...

        emptying your recycle bin!

        Emptying your REAL bin

        Flushing to toilet

        Cleaning your shoes

        Washing your hair/having a shower/bath, cleaning your teeth

        Basically CLEANING or DISPOSAL of ANYTHING should

        (surely indicative of terrorist tendencies, after all - if you have nothing to hide.......) :-)

        One of these days somebody will actually explain the difference between SECRECY and PRIVACY to our sh**ty government - until then they see PRIVACY = SECRECY = TERRORIST/PEDO = ILLEGAL = JAIL

        BIG FAIL

      2. Alan W. Rateliff, II

        @Cameron, @Paul

        Cameron, mate... careful with that Earth/Wind/Fire stuff; next thing you know the powers that be will classify CO2 as a pollutant.

        Paul, IIRC, there was a story a few years back of a pedo using a Commodore 64 for all his work. Stumped the plods at first, meanwhile a lot of us eight-bitters were secretly hoping Sherlock Holmes would show up on our door step begging us to use our classic 1541 to reveal the 170k of secrets obfuscated by obsolete equipment.

        Never happened, sadly.

        Paris, yeah, that never happened, either.

      3. TimeMaster T

        Forgot one


    3. Ejl

      "Illegal software"

      The whole idea of "illegal software" is obviously flawed. Programs are sequences of 0s and 1s that cause computers to shift bits around in their RAM. _Criminals_ do illegal things, not streams of non-conscious data. (at least, I don't *think* that there are hyper-intelligent AIs capable of actively committing crimes yet *adjusts tin-foil hat*)

    4. Pablo

      A case could be made...

      Now that COFEE has been leaked on the net, anyone, not just the cops, could use it to snoop around your PC, and so there's a legitimate need to protect yourself from it.

  10. Paul_Murphy

    I wonder how long before..

    Microsoft finds DECAF is 'full of trojans, and worms, and viruses' (virii?) and shouldn't be used ... please.

    In the meantime all the terrorists and paedos will use Linux, or Solaris, or OSX, or will send letters.


    1. Anonymous Coward

      No, you're right

      It's 'viruses'.

      Having said that, I considered the new millennium to have begun on 1/1/2000. So swings and roundabouts.

  11. Big Al


    Of course, this could all just be a ruse to find out who thinks they have reason to worry about a forensic sweep of their machine in the first place, making it easier for law enforcement types to find the miscreants in question...

    Big Brother IS watching you!

    1. Anonymous Coward


      Yes, just what I was thinking when I downloaded it!

      However, 1: not that I'm planning on using it, any more than COFEE (though I must have one), I just believe that one ought to archive these things for posterity, and

      2: I expect mere possession of it (or a successor) will be considered reason to prosecute before long.

      So, basically, arse biscuits.

    2. TimeMaster T


      I like the way you think.

      It's only paranoia if they aren't out to get you.

  12. Anonymous Coward

    ***ing Amateur Hour.

    It's been dotfuscated, but you can read fairly large chunks using .net Reflector.

    Haven't come across anything sinister, but it's a pretty crude bit of code. Shells out to netstat.exe and devcon.exe; heh, shells out to shutdown.exe rather than using any of the shutdown APIs; hard-coded lists of log and temp file dirs and registry keys to delete; none of them securely overwritten, just unlinked - this thing is going to leave forensic traces everywhere, which is hardly a good idea, given the envisaged usage mode: I don't think the cops are going to come round, break your door down, stick their COFEE usb stick in your PC, then go away again without taking your PC along for a full sector-by-sector dump of your HD at their leisure.

    Representative line:

    info13 = new DirectoryInfo(string.Format(@"C:\Documents and Settings\mjfel529\Application Data\Mozilla\Firefox\Profiles", MyProject.User.Name.Split(new char[] { '\\' })[1]));

    Yeah, like that's going to work on anyone except the original author's PC. And even when they fix the bug... well, do you really want it to trash all your profiles entirely, rather than just wipe the sensitive data?

    Also, you're screwed if you're using an internationalized version of Windows where directory names like "Documents and Settings" are translated into the local language.

    So far, it looks like they want to hide the source code out of embarrassment at their horrible coding skills rather than because there's anything malicious in it, but I am curious about the repeated code chunks that convert some arbitrary base-64 encoded string into binary and write it to a file on disk.

  13. Pete 2

    a sure thing

    Having this package obstruct a police enquiry sounds like a guaranteed way to get yourself into trouble - even if you weren't before. However, I'd reckon that most hackers worth their salt are already running BSD or Linux, anyway.

    1. Anonymous Coward


      Don't even joke about that...If that is the case then 'clearing your cache' is illegal, and heaven forbid you use TracksEraser.

      This tool is just a harmless track cleaner (and not a particularly good one by the sounds of it). Please don't give the government ideas that would make 'private browsing' illegal.

      PS. Use truecrypt (with hidden volumes) and have a vmware image in a hidden volume. Browse using THAT image - no need for track erasing. Oh. and use TOR too..:-)

  14. Anonymous Coward


    I guess creating a better open source version of a computer forensics tool than MS was too hard,

    so instead, they create something which could potentially be put to use by fraudsters, terrorists and paedos.

    Brilliant. And these numbnuts insist on telling us they're the good guys?

  15. Anonymous Coward

    Shouldn't be a concern...

    ...because the investigators should be following proper forensic procedure by turning off any machines and making bit to bit images before attempting to forensically analyse the machine.

    This means, of course, that if a machine does 'deploy countermeasures' they can simply start again on the original image.

    1. Anonymous Coward

      So where did you study "proper forensic procedure"?

      Both you and lukewarmdog below have missed the point. Proper forensic procedure is to grab a copy of everything that's live in RAM before you switch the machine off, because otherwise whatever evidence it represents will be irretrievably lost. That's exactly the purpose that COFEE was created for in the first place! Once you've done that, they do the disk imaging thing *as well*. But hell, if you kick someone's door in and get to their computer while it is powered up, they might have passwords entered or encrypted drives mounted or something like that; you'd be crazy to lock yourself immediately out by switching it off and not be able to get back in without having to guess at passwords or attack the crypto.

      1. Anonymous Coward



      2. Gaz 6


        I'd like to see them try and get anything with a locked computer (as in workstation locked via task manager)

  16. lukewarmdog


    Gotta love the fact it has a EULA.

    No sympathy for the hapless COFFEE user, remove the computer equipment back to a lab and examine it properly, proper policing should not be a cost saving exercise.

  17. Tony Paulazzo

    Cache Pt 2

    And can someone tell me, even though I use Firefox for all my surfing needs (I'm assuming IE is used for updates), whenever I clean my cache files, the IE temp folder is strangely full of stuff again: 477 files this morning, 24 MB, nothing dodgy as far as I can tell, and a clean system (I hope). Firefox wouldn't use this as cache, would it?

    1. thejynxed


      Firefox uses quite a few bits from Internet Explorer to function. Try using Process Explorer once, and check what threads and modules Firefox.exe actually loads. It even loads your system's sound card drivers a second time instead of accessing the APIs properly. It's no small wonder that browser is full of memory leaks, when it does dubious things like that.

      Windows itself also stores various information in the IE cache area, since IE is integrated into the OS. The Windows Search function, etc all stores query information, temporary .dat files, folder thumbnails, etc all in that same cache area. The normal Explorer.exe process also stores temporary data there, such as the icon cache for the system tray.

      I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.

      1. Anonymous Coward


        >"It even loads your system's sound card drivers a second time instead of accessing the APIs properly."

        No it doesn't. That's not even possible if you wanted to do it on purpose. Complete gibberish.

        There's not a lot of use patting yourself on the back for being so leet and knowing how to use process explorer if you don't understand what you're seeing. (Hint: it's most likely some shell helper DLL that gets loaded into every process. My firefox instances don't have handles to whatever the hell it is that you think you're referring to, but the injected nvidia desktop dll opens handles to a bunch of nView mutants and sections. I do not call this "loading the graphic drivers a second time". Try killing whatever audio helper applets you have running in your systray?)

      2. Anonymous Coward

        Cookies in a Directory?

        >I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.

        How do you do that? I'm a lazy website developer, and I never figured out how to plant files into specific directories on visitor machines.

  18. Anonymous Coward

    About that EULA...

    >"The end user license agreement that accompanies the software states:"

    Yeh. It also states that "You acknowledge and agree that the entire risk arising out of Your use of the Skype Software remains with You, to the maximum extent permitted by law."


    1. Adam Salisbury

      More about that EULA....

      Correct me if I'm wrong but I'm sure I remember being told that in Skype's small print is a statement along the lines of "We reserve the right to record and retain all calls/data and use them how we bloody well see fit"

      It must be in there somewhere as that's the reason we don't allow the sales droids to install it!

  19. Anonymous Coward

    @ ShaggyDoggy

    Turn your disk caches off too. Disks are fast, so why bother? It just uses up precious memory.

    Also, turn your CPU caches off (L1, L2, etc.) Memory is fast too.

    Dial-up may be dead, but we can still recreate the experience today!

  20. Anonymous Coward

    Why bother?

    Any crim with a grain of intelligence would be using a Linux box or simply disable their USB ports. Plenty of commercial s/w which allows the enable/disable of USB ports. Stops your average plod in their tracks...

  21. Neal 5


    Although, I wouldn't actually class this as hacking, more like counter measures, or even just basic security that one should have in place on one's machines to start with.

    One of the many pre-requisites of security should be to disable autorun for USB devices by default; a step on from that, and a practice enforced by a lot of companies I believe, is to completely disable USB stick function anyway.

    Apart from which, there are a whole plethora of freely available tools to scrub your machine of POSSIBLY incriminating evidence IF you were of the persuasion to be a miscreant, AND who didn't know BASIC steps to take to prevent being FOUND OUT.

  22. ShaggyDoggy

    @ AC 11:08

    Don't be silly - those things are memory stored, not disk stored, so no point switching them off "for privacy and security reasons"

  23. Anonymous Coward

    But Seriously

    Anyone who has an ounce of sense knows first thing plod does is pull the plug.

    Just try and screw with your data when the plug is pulled!

    then back to the lab, extract the drive and image....

    What you really need is a battery backed up SCSI card with custom FW... now that'll do a better job! But I doubt you could shred the entire drive from a SCSI battery..

    What you really need is some kind of degausser coil inside the drive case and a nice phat capacitor/battery to power a one-shot drive kill... but you'd need to put a 2.5 inch drive into a 3.5 inch case to hide that lot.... Ooops, said too much..

    1. sqlrob

      Piece of cake

      Everything is written using an ephemeral key that dies when the plug is pulled.

  24. Anonymous Coward


    I work in computer forensics for the police and no one I know actually uses COFEE

    1. Anonymous Coward


      ..they have it just EnCase (bad pun...sorry...couldn't resist).

  25. Elmer Phud

    Security Advice Tool?

    Use COFFEE to find out what is relatively easy to get at on your machine and then apply protective measures?

    An anti-hacking advisory app?

    Should be available to all, not just the fuzz.

  26. John Ridley 1

    Only works if the forensics guy isn't doing it right

    I know a guy who does forensics. The first thing he does is to carefully make a bitwise copy of all media on the computer WITHOUT booting the computer up. Then he mounts the drive in read-only mode, and has a peek around. At some point they may boot up the original OS, but only on a copy, and only after having examined the contents already.

    This kind of thing is required for proper chain of custody for the evidence, apparently.

    1. The Original Ash

      Reply: Comprehension fail.

      Your "guy who does forensics" will have a real hard time doing anything on an encrypted volume without the appropriate keys, and that's what COFEE is for. It extracts the keys, pertinent files (memory dump and temporary files) etc from a powered on and booted system at the time of arrest, before the perp has a chance to power off / wipe anything. PC Plod doesn't know jack about computer forensics, but you'd hope he can slot a USB stick into a computer without beating the keyboard with his truncheon.

      DECAF detects COFEE running and kills the processes it starts, and deletes the files it looks for.

      This has NOTHING to do with forensic analysis at the station / lab.

  27. Chris Pollard


    As far as I can tell this tool doesn't do anything with favourites.... or browsing history. It just dumps running processes, IP address, netstat etc to a text file. I guess it's supposed to show what a computer is doing NOW so it can be switched off and sent back to the lab and examined in detail.

  28. Roger Heathcote 1

    Live response

    I see much outdated thinking and misinfo here. Clearly people here aren't listening to the Cyberspeak forensics podcast!

    Since bitlocker and truecrypt became widespread and various linux distros started offering easy encryption at install time the focus of digital forensics has shifted to "Live Response" i.e. imaging memory.

    If they can get to your computer while it's turned on they can image your memory. Mac, Linux, Solaris, anything. USB ports or not. There are commercially available devices that let them power your PC while they unscrew your wall sockets, snip the power cables and then transport the whole kit and kaboodle back to HQ where they can image your memory straight from the chips.

    If you're up to no good and they get to your PC with the power on it's game over.

    As long as le fuzz document exactly what they do and use well documented tools they argue live response does not jeopardize the forensic soundness of the results and the courts seem to agree.

    Of course there's umpteen ingenious ways you could booby trap your PC so as to cut the power if you were "raided". That in itself might look pretty suspicious but it may be worth it if you have a lot to hide, or you're just a stubborn bastard!

  29. amanfromMars 1

    And there y'all were, bleating about Phorm whenever Trojans are a covert OS default?

    There are some who have previously downloaded the COFEE file to their computers, only to find that it has later been mysteriously removed, without anyone having physical access to their machines, which would suggest that there is a third party remote control and probable snoop facility built into the operating system they were using ....... with at least one downloader using Windows XP so "assaulted" .

  30. Anonymous Coward

    Forget DECAF...

    anti-forensics tools have been around for years (just look up MAFIA - )

    And it is very easy to hide things from COFEE and even EnCase (if you wanted to).

  31. Bill Cumming

    In 3...2...1...

    Microsoft logs 'decaf' as a virus in their anti-virus software, closely followed by other AV makers.

  32. The Light of the Silvery Moon

    I used Coffee....

    ... on my machine and it completely f***ed it up! Something to do with hot liquid and electrical components they say.....

  33. A J Stiles

    But what if

    But what if your main PC is a Linux box with some encrypted partitions, readily-available security software e.g. shred (it's in everything with a GNU userland) and truecrypt ..... and you get yourself on the Sex Offenders' register for taking a leak in an alleyway?

    The phrase "most expensive penny you've ever spent" really doesn't cut it.

  34. Anonymous Coward

    Bot Me, PLEASE!

    OK, self-described "hackers" have created a blind executable for use by people who probably won't call the authorities if they notice their machine waking up in the middle of the night...


  35. pctechxp

    Doughnuts is....

    The code name for Service Pack 1 of COFEE

  36. Anonymous Coward

    use ramdrives ...

    Simply run everything from a ramdrive. Very quick to nuke that: simply write a checkerboard pattern over it. Gigabytes can be destroyed in a sub-second timeframe. Throw a powercycle on top of that and it's game over...

    1. Anonymous Coward

      Re: Ramdrives

      I like that train of thought, especially as you can now get solid state hard drives which use normal RAM sticks as storage with a backup battery to stop loss of data when the machine is switched off. Such as:

      Using this type of drive would mean you could wipe gigabytes of data in a split second - just unplug the power and battery :)

  37. Anonymous Coward

    Live removal of the computer from your premises

    To destroy all evidence when the 'live' computer is leaving the premises, just use a bluetooth proximity detector ( the same system used to block the kb+screen in linux).

    If your LIVE computer can't find the BT device (that is embedded in the wall, for example), fire a program that will trash all the information inside it (RAM first), and overwrite all disks with random data. Several times.

    If the plod stops the clock of the CPU to stop any program from running, DRAM will be erased, because of lack of refresh.

    If your system is powered off, it will be enough to have the sensitive data encrypted. Twice.

    Not that I would ever need to do something like this, of course. Just speculating.

    AC, just in case.

    1. TimeMaster T

      good idea

      Except the first thing an IT plod is going to do is image the hard disks before powering it on.

      1. Anonymous Coward

        How bout

        Write your own encryption algo. Use two passwords. One password gets you in, the other you give to the cops and will trigger a self-destruct that erases unwanted stuff but leaves everything in place. Just like nothing happened ;)

      2. Anonymous Coward

        @TimeMaster T, you're wrong

        The point of COFEE is that they use it before they or you turn your PC off.

        If they left it powered up, say on a UPS, but hauled it out of wherever it was being kept, the BT beacon idea would work. It'd probably be a bit clunky, but it would work. Alternative solutions would be to use a pressure switch to hold one or more bits on the parallel port or RS232 port high, or using a powerline networking system to determine when the computer's not plugged into your home mains supply.

        These all require the computer to be removed or tampered with. To ensure this, simply lock your computer. That's Windows Key - L. No USB drives can operate- and if they can there'll be a registry fix for that floating about online. They'll not ask you to unlock the computer as you could very easily have a security system set up or shut down your PC with barely a moment's keyboard clicking.

        They'll then either turn off the PC- removing anything that's "live"- or keep it alive on external power to take away to a lab somewhere that they can read the information (meaning your location-based countermeasures kick in). Your hard drive should have any sensitive information encrypted and hidden from view when it's not "live" so your information is now "safe". ish.

        Beyond this you're looking at custom hard drive electronics with an "erase" function and battery back-up... which would be effort reserved only for super-secret ultra-paranoid-government types.

  38. Mark 65


    Just use VMs, encrypted partitions, don't leave hidden partitions mounted when not at the machine etc. A live image without a hidden partition mounted isn't going to do any good. If you're dodgy or paranoid then all your "private work" is done from a VM in there (as mentioned above).

    Oh, and don't use a crap OS like Windows as you could definitely throw Ballmer and company further than you could trust them.

  39. Anonymous Coward

    More Details on the Tool

    Declare war, very dramatic. Some more details of what decaf does found here:

  40. Bill Cumming


    ...what most of you's are suggesting is to use a linux ''LiveCD'' as your main OS?

  41. Brian Miller

    Anybody bother to read analysis of COFEE?

    Simon Prince (Praetorian Prefect web site listed earlier in the comments) has a little analysis of COFEE. As one who knows a bit about Windows internals, this set of "forensic" tools looks fairly lame. And based on what I've read of DECAF, its "hacker" authors are VB noobs. Yes, the COFEE kit will help a moron. And maybe the DECAF kit could defeat a moron, but only if the moron was running DECAF to thwart his immediate usage of COFEE.

    If this is the state of the art for forensic software, then the field is wide open for improvement.

  42. Anonymous Coward


    Just put your evil anti-government thoughts on a wireless connected hard drive in the ceiling, which only powers up when you turn on the useless spotlight which points at a picture you don't have on the wall.

  43. ludicrous


    As you probably noticed, your copy of DECAF no longer works. We have self destructed every copy of DECAF. We hope that as you realize this was a publicity stunt to raise awareness for security and the need for better forensic tools that you would reconsider cutting corners on corporate security.

  44. Anonymous Coward

    DECAF hacked and re-enabled by SX

    DECAF has been hacked and re-enabled. It no longer phones home. Thanks!
