Cache
Don't have any.
Local cache was invented when we were all on dial-up, to avoid
delays/costs re-downloading something you already had.
Now we have broadband, so why bother.
Hackers have released software they say sabotages a suite of forensics utilities Microsoft provides for free to hundreds of law enforcement agencies across the globe. Decaf is a light-weight application that monitors Windows systems for the presence of COFEE, a bundle of some 150 point-and-click tools used by police to collect …
So now the police can't look at pedos' computers. I know exactly what the gov will do now; it goes like this.
Customer Walks into PC world and says: Hi I'd like to buy a laptop.
Staff Member: Sure, follow me this way and we'll do the police check for you.
Customer: What police check?
Staff: Now now, sir, you don't want us selling a laptop to a pedo, do you? So we are going to assume you are one until we do the check.
Customer: Is there any way out of this?
Staff member: Sure, will you be with this laptop for less than two hours per week?
since MS was giving c0ffee away like candy, until someone uploaded it to the net. Besides, if you're worried about LEOs rooting through your PC, use encryption (I know, keys can be subpoenaed, you can be detained until you cough them up, etc.), and/or Linux (at least until they learn how to use a proper OS or hire some geeks who know their arse from their elbow).
Great, my first comment gets 12 thumbs down to 1 up. :D
The fact that further criminal activity may steal law enforcement's tools does nothing to change the fact that the developers are admitting they have written it to disable law enforcement activity. Nor does it legitimize my prevention of those tools working should a law enforcement officer deploy them.
The fact that I know warrant cards can be forged, moreover that I have no idea how they should look, does not mean I can legitimately deny their authority.
Society works on the basis that its citizens accept the State has the monopoly on violence, in this case against your precious laptop. If you can't accept that I suggest you move to a State that you trust more, or hide out in the mountains. May I suggest that it be a mountain with none too many bears? No? Fine - I know an excellent vendor of bear traps, though they can be disabled by humans - you may want to remove that feature in case a law enforcement officer tries to make a visit.
By that reckoning the following should be illegal:
Linux
Apple OSs
PGP
Bitlocker
Truecrypt
Tor
Skype
"clear cache on exit" options on all browsers
ifconf
HTTPS for porn or other non-government sites
...
Fire
Water
Alcohol-Based cleaners
Gloves
...
emptying your recycle bin!
Emptying your REAL bin
Flushing to toilet
Cleaning your shoes
Washing your hair/having a shower/bath, cleaning your teeth
Basically CLEANING or DISPOSAL of ANYTHING should
(surely indicative of terrorist tendencies, after all - if you have nothing to hide.......) :-)
One of these days somebody will actually explain the difference between SECRECY and PRIVACY to our sh**ty government - until then they see PRIVACY = SECRECY = TERRORIST/PEDO = ILLEGAL = JAIL
BIG FAIL
Cameron, mate... careful with that Earth/Wind/Fire stuff; next thing you know the powers that be will classify CO2 as a pollutant.
Paul, IIRC, there was a story a few years back of a pedo using a Commodore 64 for all his work. Stumped the plods at first, meanwhile a lot of us eight-bitters were secretly hoping Sherlock Holmes would show up on our door step begging us to use our classic 1541 to reveal the 170k of secrets obfuscated by obsolete equipment.
Never happened, sadly.
Paris, yeah, that never happened, either.
The whole idea of "illegal software" is obviously flawed. Programs are sequences of 0s and 1s that cause computers to shift bits around in their RAM. _Criminals_ do illegal things, not streams of non-conscious data. (at least, I don't *think* that there are hyper-intelligent AIs capable of actively committing crimes yet *adjusts tin-foil hat*)
Yes, just what I was thinking when I downloaded it!
However, 1: not that I'm planning on using it, any more than COFEE (though I must have one), I just believe that one ought to archive these things for posterity, and
2: I expect mere possession of it (or a successor) will be considered reason to prosecute before long.
So, basically, arse biscuits.
It's been dotfuscated, but you can read fairly large chunks using .net Reflector.
Haven't come across anything sinister, but it's a pretty crude bit of code. Shells out to netstat.exe and devcon.exe; heh, shells out to shutdown.exe rather than using any of the shutdown APIs; hard-coded lists of log and temp file dirs and registry keys to delete; none of them securely overwritten, just unlinked - this thing is going to leave forensic traces everywhere, which is hardly a good idea, given the envisaged usage mode: I don't think the cops are going to come round, break your door down, stick their COFEE usb stick in your PC, then go away again without taking your PC along for a full sector-by-sector dump of your HD at their leisure.
Representative line:
info13 = new DirectoryInfo(string.Format(@"C:\Documents and Settings\mjfel529\Application Data\Mozilla\Firefox\Profiles", MyProject.User.Name.Split(new char[] { '\\' })[1]));
Yeah, like that's going to work on anyone except the original author's PC. And even when they fix the bug... well, do you really want it to trash all your profiles entirely, rather than just wipe the sensitive data?
Also, you're screwed if you're using an internationalized version of windows where directory names like "Documents and Settings" are translated into the local language.
So far, it looks like they want to hide the source code out of embarrassment at their horrible VB.net coding skills rather than because there's anything malicious in it, but I am curious about the repeated code chunks that convert some arbitrary base-64 encoded string into binary and write it to a file on disk.
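The representative line quoted above has two defects: the format string contains no placeholder, so the username argument is never used and the path stays pinned to the original author's account, and the English "Documents and Settings\...\Application Data" layout is wrong on localized Windows and on Vista and later. The following is an added example, not DECAF's code, of how a track cleaner would locate Firefox profiles portably: it reads profiles.ini from `$env:APPDATA` (which Windows resolves correctly on any language and version) and honours the `IsRelative`/`Path` entries. The function name and the decision to only list the profile contents rather than delete them are assumptions of this example.

```powershell
# Added example (not from DECAF): locate Firefox profile directories without a
# hard-coded user name or an English-only "Documents and Settings" path.
# Assumes a standard Firefox install that keeps profiles.ini under %APPDATA%.

function Get-FirefoxProfilePaths {
    param(
        # profiles.ini location; defaults to the current user's roaming AppData,
        # which the OS resolves correctly on localized and post-XP installs.
        [string]$ProfilesIni = (Join-Path $env:APPDATA 'Mozilla\Firefox\profiles.ini')
    )
    if (-not (Test-Path -LiteralPath $ProfilesIni)) {
        return @()   # no Firefox profile for this user; nothing to look at
    }
    $base       = Split-Path -Parent $ProfilesIni
    $paths      = @()
    $isRelative = $true
    foreach ($line in Get-Content -LiteralPath $ProfilesIni) {
        switch -Regex ($line) {
            '^\[Profile\d+\]$'  { $isRelative = $true }                       # new section: reset default
            '^IsRelative=(\d)$' { $isRelative = ($Matches[1] -eq '1') }
            '^Path=(.+)$' {
                $p = $Matches[1].Trim()
                # Relative entries use forward slashes and are rooted at the
                # directory that holds profiles.ini, not at a fixed drive path.
                if ($isRelative) { $p = Join-Path $base ($p -replace '/', '\') }
                $paths += $p
            }
        }
    }
    return $paths
}

# Usage: enumerate what a cleaner would be touching, per profile, instead of
# deleting the whole Profiles tree as the quoted line would.
Get-FirefoxProfilePaths | ForEach-Object {
    Write-Host "Profile: $_"
    Get-ChildItem -LiteralPath $_ -Force |
        Select-Object Name, Length, LastWriteTime |
        Format-Table -AutoSize
}
```

The point for a practitioner is that none of this helps with the other problem noted above: `Remove-Item` (like the original's deletes) only unlinks the file, so the on-disk content is still there for the lab's sector-by-sector image.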
Don't even joke about that...If that is the case then 'clearing your cache' is illegal, and heaven forbid you use TracksEraser.
This tool is just a harmless track cleaner (and not a particularly good one by the sounds of it). Please don't give the government ideas that would make 'private browsing' illegal.
PS. Use truecrypt (with hidden volumes) and have a vmware image in a hidden volume. Browse using THAT image - no need for track erasing. Oh. and use TOR too..:-)
...because the investigators should be following proper forensic procedure by turning off any machines and making bit to bit images before attempting to forensically analyse the machine.
This means, of course, that if a machine does 'deploy countermeasures' they can simply start again on the original image.
Both you and lukewarmdog below have missed the point. Proper forensic procedure is to grab a copy of everything that's live in RAM before you switch the machine off, because otherwise whatever evidence it represents will be irretrievably lost. That's exactly the purpose that COFEE was created for in the first place! Once you've done that, they do the disk imaging thing *as well*. But hell, if you kick someone's door in and get to their computer while it is powered it up, they might have passwords entered or encrypted drives mounted or something like that; you'd be crazy to lock yourself immediately out by switching it off and not be able to get back in without having to guess at passwords or attack the crypto.
And can someone tell me, even though I use Firefox for all my surfing needs (I'm assuming IE is used for updates), whenever I clean my cache files, the IE temp folder is strangely full of stuff again: 477 files again this morning, 24 MB, nothing dodgy as far as I can tell, and a clean system (I hope). Firefox wouldn't use this as cache, would it?
Firefox uses quite a few bits from Internet Explorer to function. Try using Process Explorer once, and check what threads and modules Firefox.exe actually loads. It even loads your system's sound card drivers a second time instead of accessing the APIs properly. It's no small wonder that browser is full of memory leaks, when it does dubious things like that.
Windows itself also stores various information in the IE cache area, since IE is integrated into the OS. The Windows Search function, etc all stores query information, temporary .dat files, folder thumbnails, etc all in that same cache area. The normal Explorer.exe process also stores temporary data there, such as the icon cache for the system tray.
I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.
>"It even loads your system's sound card drivers a second time instead of accessing the APIs properly."
No it doesn't. That's not even possible if you wanted to do it on purpose. Complete gibberish.
There's not a lot of use patting yourself on the back for being so leet and knowing how to use process explorer if you don't understand what you're seeing. (Hint: it's most likely some shell helper DLL that gets loaded into every process. My firefox instances don't have handles to whatever the hell it is that you think you're referring to, but the injected nvidia desktop dll opens handles to a bunch of nView mutants and sections. I do not call this "loading the graphic drivers a second time". Try killing whatever audio helper applets you have running in your systray?)
>I know some website cookies, etc are hard-coded by lazy website developers to store themselves in that directory, as well, and Firefox does indeed access that area from time to time to read/write data.
How do you do that? I'm a lazy website developer, and I never figured out how to plant files into specific directories on visitor machines.
Correct me if I'm wrong but I'm sure I remember being told that in Skype's small print is a statement along the lines of "We reserve the right to record and retain all calls/data and use them how we bloody well see fit"
It must be in there somewhere as that's the reason we don't allow the sales droids to install it!
Although, I wouldn't actually class this as hacking, more like counter measures, or even just basic security that one should have in place on one's machines to start with.
One of the many pre-requisites of security should be to disable autorun for USB devices by default; a step on from that, and a practice enforced by a lot of companies I believe, is to completely disable USB stick function anyway.
Apart from which, there are a whole plethora of freely available tools to scrub your machine of POSSIBLY incriminating evidence IF you were of the persuasion to be a miscreant, AND who didn't know BASIC steps to take to prevent being FOUND OUT.
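The two settings the comment above alludes to are both plain registry values. As an added example (not something from the thread or from either tool), this script reads back the current state and, when run from an elevated prompt, applies the hardened values: `NoDriveTypeAutoRun = 0xFF` removes every drive type from AutoRun, and `USBSTOR\Start = 4` stops the USB mass-storage driver loading. The function names are assumptions of this example; the key paths and values are the Microsoft-documented ones.

```powershell
# Added example: audit and harden AutoRun / USB storage via the registry.
# Run Set-RemovableMediaPolicy from an elevated PowerShell; Get-* works unprivileged.

$AutoRunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableMediaPolicy {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun; 0xFF
    # excludes all of them. A missing value is the weak default (AutoRun allowed).
    # USBSTOR Start: 3 = load on demand (normal), 4 = disabled.
    $autorun = (Get-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $usbstor = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        NoDriveTypeAutoRun = $autorun
        AutoRunDisabled    = ($autorun -eq 0xFF)
        UsbStorStart       = $usbstor
        UsbStorageDisabled = ($usbstor -eq 4)
    }
}

function Set-RemovableMediaPolicy {
    param(
        # Off by default: only set this on boxes that genuinely never need USB disks.
        [switch]$DisableUsbStorage
    )
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }

    # Weak: value absent (or 0x91, the old default that still lets removable
    # drives AutoRun). Hardened: 0xFF, all drive types excluded.
    Set-ItemProperty -Path $AutoRunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord

    if ($DisableUsbStorage) {
        # Start=4 prevents usbstor.sys from loading for USB disks that are
        # plugged in from now on; already-running instances stop at next reboot.
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    }

    # Read back so the caller sees the effective state, not just the intent.
    Get-RemovableMediaPolicy
}

# Usage:
Get-RemovableMediaPolicy
# Set-RemovableMediaPolicy -DisableUsbStorage
```

Two caveats a practitioner would want: on Windows XP and Server 2003 the `NoDriveTypeAutoRun` bitmask is only honoured for removable drives once the AutoRun update from Microsoft KB967715 is installed, and disabling `USBSTOR` does nothing about a USB device that presents itself as a keyboard or network adapter rather than as storage.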
Anyone who has an ounce of sense knows the first thing plod does is pull the plug.
Just try and screw with your data when the plug is pulled!
then back to the lab, extract the drive and image....
What you really need is a battery-backed SCSI card with custom FW... now that'll do a better job! But I doubt you could shred the entire drive from a SCSI battery..
What you really need is some kind of Degausser Coil inside the drive case and a nice phat capacitor/battery to power a one shot drive kill... but you'd need to put a 2.5 inch drive into a 3.5 inch case to hide that lot.... Ooops said too much..
I know a guy who does forensics. The first thing he does is to carefully make a bitwise copy of all media on the computer WITHOUT booting the computer up. Then he mounts the drive in read-only mode, and has a peek around. At some point they may boot up the original OS, but only on a copy, and only after having examined the contents already.
This kind of thing is required for proper chain of custody for the evidence, apparently.
Your "guy who does forensics" will have a real hard time doing anything on an encrypted volume without the appropriate keys, and that's what COFEE is for. It extracts the keys, pertinent files (memory dump and temporary files) etc from a powered on and booted system at the time of arrest, before the perp has a chance to power off / wipe anything. PC Plod doesn't know jack about computer forensics, but you'd hope he can slot a USB stick into a computer without beating the keyboard with his truncheon.
DECAF detects COFEE running and kills the processes it starts, and deletes the files it looks for.
This has NOTHING to do with forensic analysis at the station / lab.
As far as I can tell this tool doesn't do anything with favourites.... or browsing history. It just dumps running processes, IP address, netstat etc to a text file. I guess it's supposed to show what a computer is doing NOW so it can be switched off and sent back to the lab and examined in detail.
I see much outdated thinking and misinfo here. Clearly people here aren't listening to the Cyberspeak forensics podcast!
Since bitlocker and truecrypt became widespread and various linux distros started offering easy encryption at install time the focus of digital forensics has shifted to "Live Response" i.e. imaging memory.
If they can get to your computer while it's turned on they can image your memory. Mac, Linux, Solaris, anything. USB ports or not. There are commercially available devices that let them power your PC while they unscrew your wall sockets, snip the power cables and then transport the whole kit and caboodle back to HQ where they can image your memory straight from the chips.
If you're up to no good and they get to your PC with the power on it's game over.
As long as le fuzz document exactly what they do and use well documented tools they argue live response does not jeopardize the forensic soundness of the results and the courts seem to agree.
Of course there's umpteen ingenious ways you could booby trap your PC so as to cut the power if you were "raided". That in itself might look pretty suspicious but it may be worth it if you have a lot to hide, or you're just a stubborn bastard!
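Several comments above describe the same "live response" step in different words: COFEE-style collection of what the box is doing now (processes, IP configuration, netstat) before it is powered off, done with documented tools and a record of exactly what was run so the results hold up later. This is an added example of that step, not COFEE's code: it writes each artefact to a fresh directory on the responder's own media, logs every command with a timestamp, and finishes with a SHA-256 manifest for chain of custody. Imaging RAM needs a dedicated tool and is deliberately left out. The function name, the `$OutputRoot` parameter and the particular list of commands are assumptions of this example.

```powershell
# Added example: minimal, documented live-response collection on Windows.
# Point -OutputRoot at the responder's own drive, never at the suspect's disk.

function Invoke-LiveResponse {
    param(
        [Parameter(Mandatory)][string]$OutputRoot,           # e.g. E:\cases on the responder's USB stick
        [string]$CaseId = (Get-Date -Format 'yyyyMMdd-HHmmss')
    )
    $dir = Join-Path $OutputRoot "$env:COMPUTERNAME-$CaseId"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $log = Join-Path $dir 'collection.log'

    # Most volatile first. Each entry: output file name => script block that
    # produces the text we keep. Only built-in commands, so the procedure is
    # reproducible and can be written up exactly as performed.
    $steps = [ordered]@{
        'system.txt'    = { Get-Date -Format o; hostname; whoami /all }
        'uptime.txt'    = { (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
        'processes.txt' = { Get-Process | Sort-Object Id |
                            Format-Table Id, ProcessName, Path, StartTime -AutoSize |
                            Out-String -Width 300 }
        'netstat.txt'   = { netstat -ano }
        'ipconfig.txt'  = { ipconfig /all }
        'arp.txt'       = { arp -a }
        'sessions.txt'  = { query user }
        'drives.txt'    = { Get-PSDrive -PSProvider FileSystem |
                            Format-Table Name, Root, Used, Free -AutoSize | Out-String }
    }

    foreach ($name in $steps.Keys) {
        $started = Get-Date -Format o
        # Errors (e.g. access denied on a process's StartTime) are captured into
        # the artefact rather than lost, so the record shows what did not work.
        $text = (& $steps[$name] 2>&1 | Out-String)
        $text | Out-File -FilePath (Join-Path $dir $name) -Encoding utf8
        "$started  $name  <= $($steps[$name].ToString().Trim())" |
            Out-File -FilePath $log -Append -Encoding utf8
    }

    # Chain of custody: hash every artefact last, so the manifest covers the log.
    $manifest = Join-Path $dir 'SHA256SUMS.txt'
    Get-ChildItem -LiteralPath $dir -File |
        Where-Object { $_.Name -ne 'SHA256SUMS.txt' } |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { "$($_.Hash)  $(Split-Path -Leaf $_.Path)" } |
        Out-File -FilePath $manifest -Encoding utf8

    return $dir
}

# Usage (as an account that can read other users' processes):
# Invoke-LiveResponse -OutputRoot 'E:\cases'
```

Every one of these commands changes the machine a little (a new process, prefetch entries, a PowerShell history file), which is exactly why the log records what ran and when: the argument that live response does not compromise the evidence rests on being able to account for those changes, not on pretending there were none. The disk image still gets taken afterwards, as the earlier comment says.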
There are some who have previously downloaded the COFEE file to their computers, only to find that it has later been mysteriously removed, without anyone having physical access to their machines, which would suggest that there is a third party remote control and probable snoop facility built into the operating system they were using ....... with at least one downloader using Windows XP so "assaulted" .
But what if your main PC is a Linux box with some encrypted partitions, readily-available security software e.g. shred (it's in everything with a GNU userland) and truecrypt ..... and you get yourself on the Sex Offenders' register for taking a leak in an alleyway?
The phrase "most expensive penny you've ever spent" really doesn't cut it.
I like that train of thought, especially as you can now get solid state hard drives which use normal RAM sticks as storage with a backup battery to stop loss of data when the machine is switched off. Such as: http://techreport.com/articles.x/16255
Using this type of drive would mean you could wipe gigabytes of data in a split second - just unplug the power and battery :)
To destroy all evidence when the 'live' computer is leaving the premises, just use a bluetooth proximity detector ( the same system used to block the kb+screen in linux).
If your LIVE computer can't find the BT device (that is embedded in the wall, for example), fire a program that will trash all the information inside it (RAM first), and overwrite all disks with random data. Several times.
If the plod stops the clock of the CPU to stop any program from running, DRAM will be erased, because of lack of refresh.
If your system is powered off, it will be enough to have the sensitive data encrypted. Twice.
Not that I would ever need to do something like this, of course. Just speculating.
AC, just in case.
The point of Coffee is that they use it before they or you turn your PC off.
If they left it powered up, say on a UPS, but hauled it out of wherever it was being kept the BT beacon idea would work. It'd probably be a bit clunky, but it would work. Alternative solutions would be to use a pressure switch being used to hold one or more bits on the parallel port or RS232 port high or using a powerline networking system to determine when the computer's not plugged into your home mains supply.
These all require the computer to be removed or tampered with. To ensure this, simply lock your computer. That's Windows Key - L. No USB drives can operate- and if they can there'll be a registry fix for that floating about online. They'll not ask you to unlock the computer as you could very easily have a security system set up or shut down your PC with barely a moment's keyboard clicking.
They'll then either turn off the PC- removing anything that's "live"- or keep it alive on external power to take away to a lab somewhere that they can read the information (meaning your location-based countermeasures kick in). Your hard drive should have any sensitive information encrypted and hidden from view when it's not "live" so your information is now "safe". ish.
Beyond this you're looking at custom hard drive electronics with an "erase" function and battery back-up... which would be effort reserved only for super-secret ultra-paranoid-government types.
Just use VMs, encrypted partitions, don't leave hidden partitions mounted when not at the machine etc. A live image without a hidden partition mounted isn't going to do any good. If you're dodgy or paranoid then all your "private work" is done from a VM in there (as mentioned above).
Oh, and don't use a crap OS like Windows as you could definitely throw Ballmer and company further than you could trust them.
Simon Prince (Praetorian Prefect web site listed earlier in the comments) has a little analysis of COFEE. As one who knows a bit about Windows internals, this set of "forensic" tools looks fairly lame. And based on what I've read of DECAF, its "hacker" authors are VB noobs. Yes, the COFEE kit will help a moron. And maybe the DECAF kit could defeat a moron, but only if the moron was running DECAF to thwart his immediate usage of COFEE.
If this is the state of the art for forensic software, then the field is wide open for improvement.
As you probably noticed, your copy of DECAF no longer works. We have self destructed every copy of DECAF. We hope that as you realize this was a publicity stunt to raise awareness for security and the need for better forensic tools that you would reconsider cutting corners on corporate security.