SANS ISC: Anti-forensics, COFEE vs. DECAF - SANS Internet Storm Center SANS ISC InfoSec Forums

Anti-forensics, COFEE vs. DECAF

A reader recently told me about an anti-forensics effort to stymie COFEE, a set of digital forensics tools produced by Microsoft. Computer Online Forensic Evidence Extractor (COFEE) is designed mainly as a first-responder data collection tool for law enforcement to run on a live Windows system. The data collected can be analyzed back at the lab by more technical staff. The system could then be powered off and presumably a disk image taken without all of the volatile forensic data being lost.

Detect and Eliminate Computer Assisted Forensics (DECAF) is specifically designed to delete, deny access to, or obfuscate the evidence that COFEE would try to obtain. Anti-forensics isn't particularly new; in the physical world it has existed since before Sir Conan Doyle's time. In the digital world, where forensics is arguably a much newer and less developed science, the active destruction of evidence and forensic counter-measures are also somewhat new. DECAF monitors for the use or introduction of COFEE, performs predetermined actions, and otherwise obstructs access to digital evidence. Interesting stuff.

At this time illegal copies of COFEE appear to be available for download. DECAF is available from its web site. Both are rather easy to find using your search engine of choice.

I prefer green tea.

Thanks for writing in, Paul!

Adrien de Beaupré Inc.

Adrien de Beaupre

ISC Handler
Dec 14th 2009
Does DECAF deny the output of the underlying programs that COFEE scripts out? Because one could always script everything that COFEE does anyhoo, because it's a glorified batch script..
Nope, just tested it.. I have a script similar to COFEE that is more in-depth (geared towards malware) and is a simple batch file. DECAF does not prevent the log generation that includes most of the same commands that COFEE invokes. DECAF is as useless as COFEE..
Before I retired this May, I was I.T. Director for a city government. I tried several times over a year's time to get a copy of COFEE for our detectives. It was being distributed solely by Interpol, and they required you to jump over so many bureaucratic hurdles to get a legitimate copy that I finally gave up. All this for what appeared to be a collection of readily obtainable OS software with a simplified UI. So much for "Security by obscurity"!

Walt S

Walt, these are the commands each profile of COFEE runs:
"Volatile Data"
ipconfig, nbtstat, net, pslist, whoami, quser, psloggedon, netstat, sclist, showgrps, systeminfo

"Incident Response"
at, autoruns, getmac, handle, hostname, ipconfig, msinfo32, nbtstat, net, netdom, netstat, openfiles, pslist, psloggedon, psservice, pstat, psuptime, quser, route, sc, sclist, showgrps, srvcheck, tasklist, whoami

All are readily available for free from Sysinternals, MS Resource Kits, and the internet.... MS is gracious enough to include the switch operators for each command though!
Walt S
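As an added example (not COFEE's code, and not anything a commenter posted), here is what the "Volatile Data" profile listed above looks like as a PowerShell collection script that also writes a hashed manifest of what it captured, so the collection itself is auditable later. The switches on each command, the case directory layout, and the requirement that the Sysinternals and Resource Kit tools (pslist, psloggedon, sclist, showgrps) be on PATH are assumptions of this example.

```powershell
# Added example: first-responder collection built from the "Volatile Data" profile
# listed in the thread. Assumes pslist, psloggedon, sclist and showgrps are on PATH
# (ideally run from trusted removable media); built-in commands run regardless.
param(
    [string]$CaseDir = (Join-Path $env:TEMP ("case_" + (Get-Date -Format 'yyyyMMdd_HHmmss')))
)
$ErrorActionPreference = 'Continue'
New-Item -ItemType Directory -Path $CaseDir -Force | Out-Null

# Tools from the page's "Volatile Data" profile; the switches are this example's choice.
$VolatileData = @(
    'ipconfig /all', 'nbtstat -n', 'net session',
    'pslist /accepteula -t', 'whoami /all', 'quser',
    'psloggedon /accepteula', 'netstat -ano',
    'sclist', 'showgrps', 'systeminfo'
)

$manifest = Join-Path $CaseDir 'manifest.csv'
'tool,started_utc,finished_utc,exit_code,output_file,sha256' | Set-Content $manifest

foreach ($cmdLine in $VolatileData) {
    $tool    = ($cmdLine -split ' ')[0]
    $outFile = Join-Path $CaseDir "${tool}.txt"
    $started = (Get-Date).ToUniversalTime().ToString('o')
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        # Record the gap rather than skipping silently: what was NOT captured
        # is part of the record of the collection.
        "$tool,$started,,MISSING,," | Add-Content $manifest
        continue
    }
    # cmd /c runs console tools uniformly; stderr is merged so error text
    # stays with the evidence file instead of being lost.
    cmd /c "$cmdLine 2>&1" | Out-File -FilePath $outFile -Encoding utf8
    $exit     = $LASTEXITCODE
    $finished = (Get-Date).ToUniversalTime().ToString('o')
    $hash     = (Get-FileHash -Path $outFile -Algorithm SHA256).Hash
    "$tool,$started,$finished,$exit,$outFile,$hash" | Add-Content $manifest
}

# Hash the manifest itself so later changes to the record are detectable.
(Get-FileHash -Path $manifest -Algorithm SHA256).Hash |
    Set-Content (Join-Path $CaseDir 'manifest.sha256')
```

Running any collector on a live system changes that system (new processes, prefetch entries, memory), so the manifest timestamps are what let an analyst separate the responder's footprint from the suspect's.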
Go get Windows Forensic Toolchest which is a relatively cheaply available super-batch file that runs all the tools from sysinternals, resource kits, and other places and creates an HTML report for you.

Not restricted to law enforcement and very easy to use.

Guys, have you tried AVZ? It's an interesting tool (English version) and the results are easy to read.
