Microsoft’s Computer Online Forensic Evidence Extractor package, commonly known as COFEE and mounted on a USB key, has been countered by a tool released under the name “Decaf.”
COFEE caused a stir when it was released to the web-based piracy world at large, with many sites hosting all kinds of dubious content eventually deciding that they’d be a lot happier if the software wasn’t there. Still, COFEE has been passed around a fair bit by now, so it’s not too surprising to see The Register reporting that COFEE has been cracked, with the release of Decaf effectively negating the tool.
Decaf is a relatively simple tool that users can set to run quietly in the background on any machine they’re using. All it does is sit tight until a USB stick with Microsoft’s COFEE is inserted, at which point it launches “a variety of countermeasures” that nullify the Microsoft forensics tool.
For those who have some reason to be particularly guarded about the contents of their machine, it’ll be welcome news, though many will question just why anyone would need such a device for any legal reason.
Still, the brains behind Decaf seem to consider it a point of principle, saying of the tool, “We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding.”
Surely the most curious thing about the whole affair is that the tool comes from Microsoft itself, and that seems to be what the folks behind Decaf take issue with. If nothing else, we’ll be curious to see how long it takes before we hear that there’s a new version of COFEE in use that negates Decaf… it could be the beginning of a bit of a forensics/counter-forensics arms race.