Most people will have heard of Microsoft COFEE (Computer Online Forensics Evidence Extractor), the free forensics tool that has been handed out to law enforcement to aid in investigations. This tool was leaked online a month or so ago, and has been met with varying opinions in the security community.
A couple of hackers released (for a short period of time) a counter tool, DECAF, which apparently provided various countermeasures to detect and impede the use of COFEE.
Decaf boasts a huge variety of user-driven countermeasures against COFEE. In addition to nuking temporary files within seconds of detecting files or processes associated with the investigative tool, Decaf can also clear all COFEE logs, disable USB drives, and contaminate or spoof a variety of MAC addresses.
I personally never saw this tool, and have not done any searching to find a copy, but the developers have now removed the tool.
DECAF wasn't fake. It did what it was set out to do and did it well; we just respect authority and experts in the field and would rather promote a positive move than a negative one.
Some will understand, some will not. We did not remove the tool because of Microsoft. In fact, they did not even release a statement until after the tool was pulled offline. Going after major corporations like Microsoft is no easy task. Just understand we did what we feel is best for the safety and well being of our nation and other governments.
The forums are up, come check us out: www.cruxt.org
This may have been short lived, but it's certainly interesting.