Hackers declare war on international forensics tool

Hackers have released software they say sabotages a suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe. Decaf is a light-weight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police to collect …

COMMENTS


Cache

Don't have any.

Local cache was invented when we were all on dial-up, to avoid delays/costs re-downloading something you already had.

Now we have broadband, so why bother.

0
1
Joke

Now they have done it

So now the police can't look at pedos' computers. I know exactly what the gov will do now; it goes like this.

Customer Walks into PC world and says: Hi I'd like to buy a laptop.

Staff Member: Sure, follow me this way and we'll do the police check for you.

Customer: What police check?

Staff: Now now, sir, you don't want us selling a laptop to a pedo, do you? So we are going to assume you are one until we do the check.

Customer: Is there any way out of this?

Staff member: Sure, will you be with this laptop for less than two hours per week?

5
0
Joke

cache....

As my broadband is anything but broad at home (I live in the internet backwater that is GB), I need cache.

So does my wallet.... It's Christmas, and I'm broke!

0
0
Black Helicopters

Agreed

Sandbox your browser of choice, and secure wipe the sandbox when done. With such atrocious law making in the UK, it's not worth the risk if you mistakenly click a bit.ly link which is incorrectly described.

1
0
Silver badge
FAIL

Why bother...

... to keep below the download limits your ISP imposes?

Or do you like your feed being blocked, or being hit with punitive over-limit fees? The cache tends to hold large static data that would be expensive to download again and again.

0
0

Really?

Because a load from cache is *still* faster than retrieval over the net? If it's not then you need to get a new hard disk, as there is something seriously wrong with yours.

Why waste even .5 seconds downloading something that you already have?

0
0

If hackers have COFFEE...

...then surely DECAF is a security suite.

0
0
Joke

Smells like a virus.

Someone press the publish button on next years April fool?

0
0
Anonymous Coward

It was only a matter of time..

since MS was giving c0ffee away like candy, until someone uploaded it to the net. Besides, if you're worried about LEOs rooting through your PC, use encryption (I know, keys can be subpoenaed, you can be detained until you cough them up, etc.), and/or Linux (at least until they learn how to use a proper OS or hire some geeks who know their arse from their elbow).

0
0
Happy

Cache? Torrent Client?

Does it log into my squid (running inside a VM) or torrent client (running inside a VM) to nuke those? Oh, btw, those VMs are stored ... places that are unavailable to the USB port...

:)

0
0
Silver badge

This is so stereotypical

But I wonder whether COFEE comes with doughnuts?

0
0
Silver badge

"DECAF is licensed, not sold."

Licensed by whom, to whom, exactly?

::crickets::

That's what I thought ... The MS tool wasn't a real tool, and DECAF isn't really anything worth reporting ... Dan, PLEASE take a few real security classes. You are embarrassing yourself.

0
1
Linux

Obvious answer?

Now I know why I don't run Windows.

Topsy

0
1

You will not use DECAF for illegal purposes

Unreal.

This is exactly the kind of "tool" that should be illegal to use at all. Whilst there are many arguments for legitimate tools, a piece of software designed specifically to disable law enforcement's forensic tools has to be illegal.

1
12

@Tin Pot

"a piece of software designed specifically to disable law enforcement's forensic tools has to be illegal"

But the police are not the only ones who have access to these tools.

1
0
FAIL

So, let's start a list of things which should be illegal.

By that reckoning the following should be illegal:

Linux

Apple OSs

PGP

Bitlocker

Truecrypt

Tor

Skype

"clear cache on exit" options on all browsers

ifconf

HTTPS for porn or other non-government sites

...

Fire

Water

Alcohol-Based cleaners

Gloves

...

3
2
Thumb Up

and don't forget the heinous crimes of...

emptying your recycle bin!

Emptying your REAL bin

Flushing to toilet

Cleaning your shoes

Washing your hair/having a shower/bath, cleaning your teeth

Basically CLEANING or DISPOSAL of ANYTHING should

(surely indicative of terrorist tendencies, after all - if you have nothing to hide.......) :-)

One of these days somebody will actually explain the difference between SECRECY and PRIVACY to our sh**ty government - until then they see PRIVACY = SECRECY = TERRORIST/PEDO = ILLEGAL = JAIL

BIG FAIL

5
0
Paris Hilton

@Cameron, @Paul

Cameron, mate... careful with that Earth/Wind/Fire stuff; next thing you know the powers that be will classify CO2 as a pollutant.

Paul, IIRC, there was a story a few years back of a pedo using a Commodore 64 for all his work. Stumped the plods at first, meanwhile a lot of us eight-bitters were secretly hoping Sherlock Holmes would show up on our door step begging us to use our classic 1541 to reveal the 170k of secrets obfuscated by obsolete equipment.

Never happened, sadly.

Paris, yeah, that never happened, either.

0
0
Ejl

"Illegal software"

The whole idea of "illegal software" is obviously flawed. Programs are sequences of 0s and 1s that cause computers to shift bits around in their RAM. _Criminals_ do illegal things, not streams of non-conscious data. (at least, I don't *think* that there are hyper-intelligent AIs capable of actively committing crimes yet *adjusts tin-foil hat*)

2
1
Silver badge
Thumb Down

A case could be made...

Now that COFEE has been leaked on the net, anyone, not just the cops, could use it to snoop around your PC, and so there's a legitimate need to protect yourself from it.

0
0
Linux

Forgot one

BSD

0
0
Thumb Down

Popularity

Great, my first comment gets 12 thumbs down to 1 up. :D

The fact that further criminal activity may steal law enforcement's tools does nothing to change the fact that the developers are admitting they have written it to disable law enforcement activity. Nor does it legitimize my prevention of those tools working should a law enforcement officer deploy them.

The fact that I know warrant cards can be forged, moreover that I have no idea how they should look, does not mean I can legitimately deny their authority.

Society works on the basis that its citizens accept the State has the monopoly on violence, in this case against your precious laptop. If you can't accept that I suggest you move to a State that you trust more, or hide out in the mountains. May I suggest that it be a mountain with none too many bears? No? Fine - I know an excellent vendor of bear traps, though they can be disabled by humans - you may want to remove that feature in case a law enforcement officer tries to make a visit.

0
0

I wonder how long before..

Microsoft finds DECAF is 'full of trojans, and worms, and viruses' (virii?) and shouldn't be used ... please.

In the meantime all the terrorists and paedos will use Linux, or Solaris, or OSX, or will send letters.

ttfn

0
0
Anonymous Coward

No, you're right

It's 'viruses'.

Having said that, I considered the new millennium to have begun on 1/1/2000. So swings and roundabouts.

0
0
Big Brother

Paranoia

Of course, this could all just be a ruse to find out who thinks they have reason to worry about a forensic sweep of their machine in the first place, making it easier for law enforcement types to find the miscreants in question...

Big Brother IS watching you!

1
0
Anonymous Coward

Ha!

Yes, just what I was thinking when I downloaded it!

However, 1: not that I'm planning on using it, any more than COFEE (though I must have one), I just believe that one ought to archive these things for posterity, and

2: I expect mere possession of it (or a successor) will be considered reason to prosecute before long.

So, basically, arse biscuits.

0
0
Big Brother

nice

I like the way you think.

It's only paranoia if they aren't out to get you.

0
0
Headmaster

***ing Amateur Hour.

It's been dotfuscated, but you can read fairly large chunks using .net Reflector.

Haven't come across anything sinister, but it's a pretty crude bit of code. Shells out to netstat.exe and devcon.exe; heh, shells out to shutdown.exe rather than using any of the shutdown APIs; hard-coded lists of log and temp file dirs and registry keys to delete; none of them securely overwritten, just unlinked - this thing is going to leave forensic traces everywhere, which is hardly a good idea, given the envisaged usage mode: I don't think the cops are going to come round, break your door down, stick their COFEE usb stick in your PC, then go away again without taking your PC along for a full sector-by-sector dump of your HD at their leisure.

Representative line:

info13 = new DirectoryInfo(string.Format(@"C:\Documents and Settings\mjfel529\Application Data\Mozilla\Firefox\Profiles", MyProject.User.Name.Split(new char[] { '\\' })[1]));

Yeah, like that's going to work on anyone except the original author's PC. And even when they fix the bug... well, do you really want it to trash all your profiles entirely, rather than just wipe the sensitive data?

Also, you're screwed if you're using an internationalized version of Windows where directory names like "Documents and Settings" are translated into the local language.

So far, it looks like they want to hide the source code out of embarrassment at their horrible VB.net coding skills rather than because there's anything malicious in it, but I am curious about the repeated code chunks that convert some arbitrary base-64 encoded string into binary and write it to a file on disk.

9
0
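The unlink-versus-overwrite point in the comment above, as an added toy illustration (not the thread's code and not DECAF's): a made-up block-image filesystem where a plain delete only drops the directory entry and frees the blocks, so a signature carver reading the raw image still recovers the record, while an overwriting delete leaves nothing to find. The layout, block geometry and the "HIST:" sample record are constructed for the demonstration.

```python
import re

BLOCK, NBLOCKS = 64, 16   # constructed toy geometry, not a real filesystem


class ToyFS:
    """Minimal block store: directory of name -> block list over one image."""

    def __init__(self):
        self.image = bytearray(BLOCK * NBLOCKS)
        self.free = list(range(NBLOCKS))
        self.dir = {}

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.dir[name] = blocks

    def unlink(self, name):
        # Ordinary delete: forget the entry, release the blocks, and
        # leave the data bytes exactly where they were.
        self.free.extend(self.dir.pop(name))

    def secure_delete(self, name):
        # Overwrite each block with zeros before releasing it.
        for b in self.dir[name]:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.unlink(name)


def carve(image, signature):
    """Signature carving: every printable run that starts with `signature`,
    found in the raw image without consulting the directory at all."""
    pattern = re.escape(signature) + rb"[ -~]*"
    return [m.group(0) for m in re.finditer(pattern, bytes(image))]


# Constructed sample record standing in for a browser-history entry.
RECORD = b"HIST:2009-12-15 http://example.test/some/page"


def demo():
    """Carver results after a plain unlink vs. after an overwrite."""
    fs = ToyFS()
    fs.write("history.dat", RECORD)
    fs.unlink("history.dat")
    after_unlink = carve(fs.image, b"HIST:")
    fs = ToyFS()                     # fresh image for the second scenario
    fs.write("history.dat", RECORD)
    fs.secure_delete("history.dat")
    after_overwrite = carve(fs.image, b"HIST:")
    return after_unlink, after_overwrite
```

Real carvers (and real filesystems) are far more involved, but the asymmetry is the same: `demo()` recovers the full record after the unlink and nothing after the overwrite.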
Silver badge

a sure thing

Having this package obstruct a police enquiry sounds like a guaranteed way to get yourself into trouble - even if you weren't before. However, I'd reckon that most hackers worth their salt are already running BSD or Linux, anyway.

1
0
Go

re.

Don't even joke about that... If that is the case then 'clearing your cache' is illegal, and heaven forbid you use TracksEraser.

This tool is just a harmless track cleaner (and not a particularly good one by the sounds of it). Please don't give the government ideas that would make 'private browsing' illegal.

PS. Use TrueCrypt (with hidden volumes) and have a VMware image in a hidden volume. Browse using THAT image - no need for track erasing. Oh, and use Tor too... :-)

0
0
WTF?

genius

I guess creating a better open source version of a computer forensics tool than MS's was too hard, so instead they create something which could potentially be put to use by fraudsters, terrorists and paedos.

Brilliant. And these numbnuts insist on telling us they're the good guys?

1
0
Boffin

Shouldn't be a concern...

...because the investigators should be following proper forensic procedure by turning off any machines and making bit to bit images before attempting to forensically analyse the machine.

This means, of course, that if a machine does 'deploy countermeasures' they can simply start again on the original image.

2
0
Anonymous Coward

So where did you study "proper forensic procedure"?

Both you and lukewarmdog below have missed the point. Proper forensic procedure is to grab a copy of everything that's live in RAM before you switch the machine off, because otherwise whatever evidence it represents will be irretrievably lost. That's exactly the purpose that COFEE was created for in the first place! Once you've done that, they do the disk imaging thing *as well*. But hell, if you kick someone's door in and get to their computer while it is powered up, they might have passwords entered or encrypted drives mounted or something like that; you'd be crazy to lock yourself immediately out by switching it off and not be able to get back in without having to guess at passwords or attack the crypto.

0
0
WTF?

No...

...seriously.

0
0
Thumb Down

Locked

I'd like to see them try and get anything with a locked computer (as in workstation locked via task manager).

0
0
Badgers

lolwin

Gotta love the fact it has an EULA.

No sympathy for the hapless COFEE user: remove the computer equipment back to a lab and examine it properly. Proper policing should not be a cost saving exercise.

1
0

Cache Pt 2

And can someone tell me: even though I use Firefox for all my surfing needs (I'm assuming IE is used for updates), whenever I clean my cache files the IE temp folder is strangely full of stuff again. 477 files again this morning, 24 MB, nothing dodgy as far as I can tell, and a clean system (I hope). Firefox wouldn't use this as cache, would it?

0
0

Firefox

Firefox uses quite a few bits from Internet Explorer to function. Try using Process Explorer once, and check what threads and modules Firefox.exe actually loads. It even loads your system's sound card drivers a second time instead of accessing the APIs properly. It's no small wonder that browser is full of memory leaks, when it does dubious things like that.

Windows itself also stores various information in the IE cache area, since IE is integrated into the OS. The Windows Search function, etc all stores query information, temporary .dat files, folder thumbnails, etc all in that same cache area. The normal Explorer.exe process also stores temporary data there, such as the icon cache for the system tray.

I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.

0
0
FAIL

No.

>"It even loads your system's sound card drivers a second time instead of accessing the APIs properly."

No it doesn't. That's not even possible if you wanted to do it on purpose. Complete gibberish.

There's not a lot of use patting yourself on the back for being so leet and knowing how to use process explorer if you don't understand what you're seeing. (Hint: it's most likely some shell helper DLL that gets loaded into every process. My firefox instances don't have handles to whatever the hell it is that you think you're referring to, but the injected nvidia desktop dll opens handles to a bunch of nView mutants and sections. I do not call this "loading the graphic drivers a second time". Try killing whatever audio helper applets you have running in your systray?)

0
0
Pirate

Cookies in a Directory?

>I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.

How do you do that? I'm a lazy website developer, and I never figured out how to plant files into specific directories on visitor machines.

0
0
FAIL

About that EULA...

>"The end user license agreement that accompanies the software states:"

Yeh. It also states that "You acknowledge and agree that the entire risk arising out of Your use of the Skype Software remains with You, to the maximum extent permitted by law."

ROFL.

1
0
Headmaster

More about that EULA....

Correct me if I'm wrong but I'm sure I remember being told that in Skype's small print is a statement along the lines of "We reserve the right to record and retain all calls/data and use them how we bloody well see fit"

It must be in there somewhere as that's the reason we don't allow the sales droids to install it!

0
0
Thumb Up

@ ShaggyDoggy

Turn your disk caches off too. Disks are fast, so why bother? It just uses up precious memory.

Also, turn your CPU caches off (L1, L2, etc.) Memory is fast too.

Dial-up may be dead, but we can still recreate the experience today!

0
0
Black Helicopters

Why bother?

Any crim with a grain of intelligence would be using a Linux box or simply disable their USB ports. Plenty of commercial s/w allows the enable/disable of USB ports. Stops your average plod in their tracks...

0
0

Interesting

Although I wouldn't actually class this as hacking; more like countermeasures, or even just basic security that one should have in place on one's machines to start with.

One of the many prerequisites of security should be to stop USB devices from autorunning by default. A step on from that, and a practice enforced by a lot of companies I believe, is to completely disable USB stick function anyway.

Apart from which, there are a whole plethora of freely available tools to scrub your machine of POSSIBLY incriminating evidence IF you were of the persuasion to be a miscreant, AND who didn't know BASIC steps to take to prevent being FOUND OUT.

0
0

@ AC 11:08

Don't be silly - those things are memory stored, not disk stored, so no point switching them off "for privacy and security reasons"

0
0
Black Helicopters

But Seriously

Anyone who has an ounce of sense knows first thing plod does is pull the plug.

Just try and screw with your data when the plug is pulled!

then back to the lab, extract the drive and image....

What you really need is a battery-backed SCSI card with custom FW... now that'll do a better job! But I doubt you could shred the entire drive from a SCSI battery..

What you really need is some kind of Degausser Coil inside the drive case and a nice phat capacitor/battery to power a one shot drive kill... but you'd need to put a 2.5 inch drive into a 3.5 inch case to hide that lot.... Ooops said too much..

0
0
Black Helicopters

Piece of cake

Everything is written using an ephemeral key that dies when the plug is pulled.

0
0
Anonymous Coward

Forensics

I work in computer forensics for the police and no one I know actually uses COFEE

0
0
Thumb Up

perhaps...

..they have it just EnCase (bad pun...sorry...couldn't resist).

2
0
