DECAF
Detect and Eliminate Computer Acquired Forensics (DECAF) is a counter-intelligence tool created specifically to obstruct the well-known Microsoft product COFEE (Computer Online Forensic Evidence Extractor), used by law enforcement around the world. However, the tool does not prevent access by other more advanced computer forensics tools, and so computers protected with DECAF can still be examined by non-COFEE tools.

On December 18, 2009, the authors remotely disabled the software, with the aim of convincing security professionals to "band together" to offer better support to government entities. The tool was patched and re-enabled by a group called SOLDIERX on December 23, 2009.

DECAF provides real-time monitoring of COFEE signatures on USB devices and in running applications. When a COFEE signature is detected, DECAF performs numerous user-defined processes. These may include COFEE log clearing, ejecting USB devices, and contamination or spoofing of MAC addresses.
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 