A reader recently wrote in about an anti-forensics effort to stymie a Microsoft-produced digital forensics toolset called COFEE. Computer Online Forensic Evidence Extractor (COFEE) is designed mainly as a first-responder data collection tool for law enforcement to run on a live Windows system. The data collected can be analyzed back at the lab by more technical staff. The system can then be powered off and, presumably, a disk image taken without all of the volatile forensic data having been lost.

Detect and Eliminate Computer Assisted Forensics (DECAF) is specifically designed to delete, deny access to, or obfuscate the evidence that COFEE would try to obtain. Anti-forensics isn't particularly new. In the physical world it has existed since before Sir Arthur Conan Doyle's time. In the digital world, where forensics is arguably a much newer and less developed science, the active destruction of evidence and other forensic counter-measures are also somewhat new. DECAF monitors for the use or introduction of COFEE, performs predetermined actions, and otherwise obstructs access to digital evidence. Interesting stuff.

At this time, illegal copies of COFEE appear to be available for download. DECAF is available from its web site. Both are rather easy to find using your search engine of choice. I prefer green tea.

Thanks for writing in, Paul! Cheers,
Adrien de Beaupre, ISC Handler, Dec 14th 2009
Does DECAF deny the output of the underlying programs that COFEE scripts out? Because one could always script everything that COFEE does anyway, since it's a glorified batch script.
Anonymous, Dec 14th 2009
Nope, just tested it. I have a script similar to COFEE that is more in-depth (geared towards malware) and is a simple batch file. DECAF does not prevent the log generation that includes most of the same commands that COFEE invokes. DECAF is as useless as COFEE.
Anonymous, Dec 14th 2009
Interesting.
Before I retired this May, I was I.T. Director for a city government. I tried several times over a year's time to get a copy of COFEE for our detectives. It was being distributed solely by Interpol, and they required you to jump over so many bureaucratic hurdles to get a legitimate copy that I finally gave up. All this for what appeared to be a collection of readily obtainable OS software with a simplified UI. So much for "security by obscurity"!
Walt
Walt S, Dec 15th 2009
Walt, these are the commands each profile of COFEE runs:
"Volatile Data": ipconfig, nbtstat, net, pslist, whoami, quser, psloggedon, netstat, sclist, showgrps, systeminfo
"Incident Response": at, autoruns, getmac, handle, hostname, ipconfig, msinfo32, nbtstat, net, netdom, netstat, openfiles, pslist, psloggedon, psservice, pstat, psuptime, quser, route, sc, sclist, showgrps, srvcheck, tasklist, whoami
All are readily available free from Sysinternals, MS Resource Kits, and the internet... MS is gracious enough to include the switch operators for each command, though!
Walt S, Dec 15th 2009
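Since the thread's point is that COFEE's "Volatile Data" profile is just a wrapper around freely available tools, here is an added example of what such a wrapper looks like when written with a responder's needs in mind. This is not COFEE's, DECAF's, or any commenter's code. It assumes Windows PowerShell 4 or later (for Get-FileHash), an elevated prompt, and that the script and the Sysinternals binaries it calls (pslist.exe, psloggedon.exe) sit together on a removable drive; the tool list, argument choices and file names are the example's own.

```powershell
# Added example, not COFEE's or DECAF's own code: a minimal live-response
# collector in the spirit of the "Volatile Data" profile listed in the thread.
# Assumptions: Windows PowerShell 4 or later (for Get-FileHash), run from an
# elevated prompt, with this script and the Sysinternals binaries (pslist.exe,
# psloggedon.exe) on a removable drive; everything is written next to the
# script, not to the suspect's disk.

param(
    [string]$OutRoot = (Join-Path $PSScriptRoot 'output')
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path $OutRoot ("{0}-{1}" -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Ordered roughly by volatility: network state and sessions change fastest,
# so they are captured first. Sysinternals tools are taken from the script
# folder; OS-native tools fall back to PATH.
$tools = @(
    @{ Name = 'netstat';     Exe = 'netstat.exe';    Args = @('-anob') },
    @{ Name = 'nbtstat';     Exe = 'nbtstat.exe';    Args = @('-n') },
    @{ Name = 'ipconfig';    Exe = 'ipconfig.exe';   Args = @('/all') },
    @{ Name = 'quser';       Exe = 'quser.exe';      Args = @() },
    @{ Name = 'psloggedon';  Exe = 'psloggedon.exe'; Args = @('-accepteula') },
    @{ Name = 'pslist';      Exe = 'pslist.exe';     Args = @('-accepteula', '-t') },
    @{ Name = 'whoami';      Exe = 'whoami.exe';     Args = @('/all') },
    @{ Name = 'net_session'; Exe = 'net.exe';        Args = @('session') },
    @{ Name = 'net_use';     Exe = 'net.exe';        Args = @('use') },
    @{ Name = 'systeminfo';  Exe = 'systeminfo.exe'; Args = @() }
)

$log = Join-Path $outDir 'collection.log'
"Collection started {0:o} on {1} as {2}" -f (Get-Date), $env:COMPUTERNAME, $env:USERNAME |
    Out-File -FilePath $log -Encoding utf8

foreach ($t in $tools) {
    $outFile = Join-Path $outDir ($t.Name + '.txt')
    $exe = Join-Path $PSScriptRoot $t.Exe
    if (-not (Test-Path -LiteralPath $exe)) { $exe = $t.Exe }
    $start = Get-Date
    $rc = -1
    try {
        # 2>&1 keeps the tool's stderr in the same file as its stdout.
        & $exe $t.Args 2>&1 | Out-File -FilePath $outFile -Encoding utf8
        $rc = $LASTEXITCODE
    } catch {
        "ERROR: $($_.Exception.Message)" | Out-File -FilePath $outFile -Encoding utf8
    }
    # The log records tool, arguments, exit code and timing. A tool that an
    # anti-forensics hook kills or replaces shows up here as a bad exit code
    # or an empty output file instead of silently going missing.
    "{0} | {1} {2} | rc={3} | {4:o} -> {5:o}" -f $t.Name, $exe, ($t.Args -join ' '), $rc, $start, (Get-Date) |
        Out-File -FilePath $log -Append -Encoding utf8
}

# Hash every artefact so the lab can verify nothing changed in transit.
# Hashes are computed before the sums file is opened, so it is not hashed itself.
$hashes = Get-ChildItem -LiteralPath $outDir -File | Get-FileHash -Algorithm SHA256
$hashes | ForEach-Object { "{0}  {1}" -f $_.Hash.ToLower(), (Split-Path -Leaf $_.Path) } |
    Out-File -FilePath (Join-Path $outDir 'SHA256SUMS.txt') -Encoding ascii
```

Run it from an elevated PowerShell prompt on the live system (an execution policy that allows the script is assumed). Two caveats a responder would want: anything you run on a live box changes it (a new process, prefetch entries, page-file churn), so the collection log with its timestamps and exit codes is what lets the lab separate your footprint from the suspect's; and, as the thread notes, a tool that only watches for COFEE by name has no reason to notice a script like this one, which is exactly why the second commenter's home-grown batch file kept working.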
Go get Windows Forensic Toolchest, which is a relatively cheaply available super-batch file that runs all the tools from Sysinternals, resource kits, and other places and creates an HTML report for you.
Not restricted to law enforcement and very easy to use.
Jasey, Dec 15th 2009
Guys, have you tried AVZ? It's an interesting tool (English version) and the results are easy to read.
Jasey, Dec 16th 2009