
SANS ISC InfoSec Handlers Diary Blog



Anti-forensics, COFEE vs. DECAF

Published: 2009-12-14
Last Updated: 2011-02-08 23:48:46 UTC
by Adrien de Beaupre (Version: 1)
6 comment(s)

I was recently told by a reader about anti-forensics efforts to stymie a Microsoft-produced set of digital forensics tools called COFEE. Computer Online Forensic Evidence Extractor (COFEE) is designed mainly as a first-responder data collection tool for law enforcement to run on a live Windows system. The data collected can then be analyzed back at the lab by more technical staff. The system could then be powered off and presumably a disk image taken, without all of the volatile forensic data being lost.

Detect and Eliminate Computer Assisted Forensics (DECAF) is specifically designed to delete, deny access to, or obfuscate the evidence that COFEE would try to obtain. Anti-forensics isn't particularly new. In the physical world it has existed since before Sir Conan Doyle's time. In the digital world, where forensics is arguably a much newer and less developed science, the active destruction of evidence and forensic counter-measures are also somewhat new. DECAF monitors for the use or introduction of COFEE, performs predetermined actions, and otherwise obstructs access to digital evidence. Interesting stuff. At this time illegal copies of COFEE appear to be available for download. DECAF is available from its web site. Both are rather easy to find using your search engine of choice.

I prefer green tea.

Thanks for writing in Paul!

Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
