
COFEE. And You Thought You Were Secure?



If you thought you were secure because you have password protected or encrypted your files, think again!

Ignore what is said about "DECAF" and take note of what it says about COFEE.

More on COFEE here: http://en.wikipedia.org/wiki/Computer_Onli...dence_Extractor

 

http://arstechnica.com/microsoft/news/2009...ome-decaf-1.ars

 

"Protect yourself from COFEE with some DECAF (Updated)

Two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources.

By Emil Protalinski | Last updated December 15, 2009 7:00 PM


In response to Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources, two developers have created "Detect and Eliminate Computer Assisted Forensics" (DECAF), a counter intelligence tool designed to thwart the Microsoft forensic toolkit. DECAF monitors the computer it's running on for any signs that COFEE is operating on the machine and does everything it can to stop it.

More specifically, the program deletes COFEE's temporary files, kills its processes, erases all COFEE logs, disables USB drives, and even contaminates or spoofs a variety of MAC addresses to muddy forensic tracks. It can be told to disable almost every piece of hardware on a machine and delete pre-defined files in the background. The 181KB DECAF program even has a 'Spill the cofee' mode in which it simulates COFEE's presence to give the user an opportunity to test his or her configuration before actually using it. Source code for DECAF has not been made available, since the authors fear it will be reverse engineered, making it unclear what else the tool might be doing and whether or not it is completely safe to use.

DECAF's developers say future versions of the program will allow computer owners to remotely lock down their machine via text message and e-mail once they detect that it has fallen into law enforcement hands and even send out notifications to other parties in the case of an emergency. The plan is to make DECAF's next release more light-weight, possibly having it run in the form of a Windows service.

COFEE, a suite of 150 bundled off-the-shelf forensic tools that run from a script, was created by Microsoft to help law enforcement officials gather volatile evidence that would otherwise be lost in traditional, offline forensic analysis. Officers can run the script in the field from a USB stick, before the computer is brought back to the lab, letting them grab data from password-protected or encrypted sources. The forensics tool works best with Windows XP, but Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7.

Microsoft first revealed the 15MB tool back in April 2008, and in April 2009, the company announced that it will aid global law enforcement in fighting cybercrime by providing COFEE free of charge to 187 countries, distributing it through Interpol. Microsoft managed to keep the existence of it quiet until November 2009, when pirates decided it was time to leak the tool so that people other than just government crime-fighters could use it. Weeks later, Microsoft started issuing takedown notices to multiple websites that hosted the tool. It's unclear whether Microsoft will react to the fact that there's now software that aims to render COFEE useless.

Update

Apparently, it was all just a stunt. All copies of DECAF have been disabled. The official site, DECAFme has more information."


Mostly BS. Cofee is used by forensic experts when they come to your home with a warrant to grab your computer. Before they unplug it and walk away with it, they can plug in Cofee and try to get evidence against you and find some of your stash of kiddie pr0n. Then they take it back to THEIR office to work on it.

 

Cofee is not some mysterious roam-the-Internet program, it is a disk-based client "program" (collection of tools with one interface, actually) used to search computer hard drives. It has to be literally and physically plugged in to the machine it is working on.

 

If you are in that deep that the authorities are at your door with a copy of Cofee on their USB drive to plug into your computer, Decaf isn't going to help you half as much as a multi-million dollar lawyer. If you are so deep into it that the authorities are at your door with a search warrant, get a phuocking THERMITE GRENADE for your disk, not some diddly little Decaf software.

 

Otherwise, a tinfoil hat will protect you even better than Decaf, and take up fewer CPU cycles doing it.

 

.


It is just amazing that there is absolutely nothing in this universe, and, perhaps, beyond, of which you are not knowledgeable and, in turn, able to enlighten us mere mortals with such authoritative insight. :D


Joe is completely accurate in regards to Cofee.

 

Hiding files and such has been discussed on these threads many times.

 

Fact: It does not matter what you do to 'hide' your files. Change names, move to other folders, etc.. 'Shredder/delete' programs will not erase them. If they examine your computer with Cofee or a like program they will find it.

  joekicker said:
Mostly BS. Cofee is used by forensic experts when they come to your home with a warrant to grab your computer. Before they unplug it and walk away with it, they can plug in Cofee and try to get evidence against you and find some of your stash of kiddie pr0n. Then they take it back to THEIR office to work on it.

 

Cofee is not some mysterious roam-the-Internet program, it is a disk-based client "program" (collection of tools with one interface, actually) used to search computer hard drives. It has to be literally and physically plugged in to the machine it is working on.

 

If you are in that deep that the authorities are at your door with a copy of Cofee on their USB drive to plug into your computer, Decaf isn't going to help you half as much as a multi-million dollar lawyer. If you are so deep into it that the authorities are at your door with a search warrant, get a phuocking THERMITE GRENADE for your disk, not some diddly little Decaf software.

 

Otherwise, a tinfoil hat will protect you even better than Decaf, and take up fewer CPU cycles doing it.

 

.


 

are you the smartest man in the world...wow!

  BigusDicus said:
....Fact: It does not matter what you do to 'hide' your files. Change names, move to other folders, etc.. 'Shredder/delete' programs will not erase them. If they examine your computer with Cofee or a like program they will find it.

Not quite correct.

There are programs that will "scrub" the disk. It is a matter of how many times it "writes" over the previously used space. After enough passes (about seven should do it), it is impossible to read what may have once been written to each sector.

If your files are encrypted and they are not "open" when someone tries to run COFEE, they will not have access to those files. There are several encryption methods available that would take a modern mainframe about 128 years to crack, if then. Now, law enforcement might try to force you to give up the password, but I guess that is a decision one would have to make if they ever found themselves in that position.

As baht_miser has suggested, don't put anything on your hard drive that could cause you trouble.

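The overwrite-before-delete approach the post above describes, as an added Python example; it is not code from the post or from any tool named in this thread. The number of passes is a parameter (the post suggests about seven), each pass writes fresh random bytes over the whole file and fsyncs before the next, and the file is renamed to a random name before it is unlinked so the original name does not remain in the directory entry. The file it scrubs is a constructed sample in a temporary directory. One caveat a practitioner would want: this only overwrites the blocks the filesystem currently maps to the file; on SSDs with wear levelling, on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, older copies of the data can survive the passes.

```python
"""Multi-pass overwrite of a single file before deletion (added example).

Assumptions (not from the original post): ``passes`` defaults to the
post's "about seven"; each pass writes fresh random bytes over the full
length of the file and fsyncs before the next pass.  This only reaches
the blocks the filesystem maps to this file: journaling, copy-on-write
filesystems, SSD wear-levelling and snapshots can keep older copies.
"""
import os
import tempfile


def scrub_file(path: str, passes: int = 7) -> dict:
    """Overwrite ``path`` ``passes`` times with random data, then unlink it.

    Returns a small report so callers (and tests) can check what happened.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    written = 0
    # O_WRONLY without O_TRUNC: truncating first would just release the
    # old blocks instead of overwriting them in place.
    fd = os.open(path, os.O_WRONLY)
    try:
        for _ in range(passes):
            os.lseek(fd, 0, os.SEEK_SET)
            remaining = size
            while remaining:
                chunk = os.urandom(min(remaining, 1 << 16))
                n = os.write(fd, chunk)  # may write fewer bytes than asked
                written += n
                remaining -= n
            os.fsync(fd)  # push this pass to the device before the next one
    finally:
        os.close(fd)
    # Rename to a random name first so the original file name does not
    # linger in the directory entry, then unlink.
    scrubbed_name = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.rename(path, scrubbed_name)
    os.unlink(scrubbed_name)
    return {
        "size": size,
        "passes": passes,
        "bytes_written": written,
        "removed": not os.path.exists(path),
    }


def demo() -> dict:
    """Create a constructed sample file in a temp dir, scrub it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "secret_notes.txt")
        with open(sample, "wb") as fh:
            fh.write(b"constructed sample content\n" * 1000)  # 27,000 bytes
        return scrub_file(sample, passes=3)


if __name__ == "__main__":
    print(demo())
```

Run it as a script to see the report for the constructed 27,000-byte file: three passes, 81,000 bytes written, file removed. The report exists so the caller can confirm that every pass covered the whole file rather than trusting that it did.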
  Quote
Cofee is not some mysterious roam-the-Internet program, it is a disk-based client "program" (collection of tools with one interface, actually) used to search computer hard drives. It has to be literally and physically plugged in to the machine it is working on.

 

Almost on this one Joe.

 

It IS a piece of software that just happens to be on a USB drive. It is usable on any PC, disk, CD, etc. if you have a copy of the software. It does not need to be plugged in to work, per se... only executed from any location (disk, internet, etc.).

 

  Quote
There are several encryption methods available that would take a modern mainframe about 128 years to crack, if then.

 

Incorrect.

 

That is true if you are talking about a private party trying to crack your files... but every single "retail" encryption system on the market uses a very small number of algorithms based on a private key. The FBI (and likely other law enforcement agencies) have these private keys and can use them to bypass your encryption systems in a matter of seconds. All legitimate security software makers assist the FBI when asked, and most companies use a single private key per product, and that key is usually used across most if not all versions of a particular product, so that once the FBI gets the private key, it's good forever in cracking encryption created by that software. There are exceptions, but few.

 

If it was me and I needed to hide something, I would use a multi-part RAR archive password protected in a "solid" archive. Doing it that way will prevent most scanners from detecting file names from within the archive, which means most detection software will never even know about the files in the first place, so the actual encryption will never be tested. Keep the file size to less than 5mb if possible, even if that means you need to have several hundred of the multi-part files. Large files raise flags.

 

As was already pointed out... if they are at your door with a warrant in the first place, you are likely fucked no matter what you have or don't have on your computer.

 

Frosty

  frostfire said:
That is true if you are talking about a private party trying to crack your files... but every single "retail" encryption system on the market uses a very small number of algorithms based on a private key. The FBI (and likely other law enforcement agencies) have these private keys and can use them to

 

???? Why would you be using a US retail encryption system for your kiddie pr0n business?

 

There are encryption methods and encryption software that are essentially UNcrackable, as several US court cases have shown, not that I buy this neat "128 years on a mainframe" marketing horsepuckey. I do agree that using an off-the-shelf US-retailed program for your secrecy is like, well, NOT using encryption, but "smart" criminals would do no such thing, surely? Not when non-off-the-shelf non-US-approved programs are so easily available?

 

But there are also means and methods whereby if the government wants to know what is in YOUR files, you will simply hand it over to them with a grim smile, unless you truly like living alone with one hour per week in the exercise yard. You will not keep your files secret AND keep your freedom if the government wants your files.

 

The way you keep your stuff secret from the government is not to get the government at all interested in you. This is why, at the very bottom line, the whole Cofee/Decaf business is total, irrelevant BS. If the gummint is thinking about using Cofee against you, you're phuocked, they ALREADY have evidence.

 

.

  frostfire said:
....That is true if you are talking about a private party trying to crack your files... but every single "retail" encryption system on the market uses a very small number of algorithms based on a private key. The FBI (and likely other law enforcement agencies) have these private keys and can use them to bypass your encryption systems in a matter of seconds. All legitimate security software makers assist the FBI when asked, and most companies use a single private key per product, and that key is usually used across most if not all versions of a particular product, so that once the FBI gets the private key, its good forever in cracking encryption created by that software. There are exceptions, but few.....

Look up an Open Source package called "TrueCrypt."

  Samsonite said:
Look up an Open Source package called "TrueCrypt."

 

I don't think your criminal enterprise is going to make it Samsonite. This is a terrific package for business/industry and personal privacy but if the FBI or No Such Agency wants it, you're just finished -- and that was what you started the thread on, when the US government comes after us.

 

Truecrypt is convenient to use, although I like public keys. But if I were a criminal I'd use nothing but one-time pads, which are quite easy to generate these days, so close to true-random that it doesn't matter -- and thus truly unbreakable until you are beaten so badly with so many broken bones that you hand over the key, or you are so stupid that "they" can steal it.

 

.

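Two points from the thread together, as an added example in my own Python (not code from any poster, and not RAR or TrueCrypt): frostfire's observation that keeping member names out of a scanner's view is what stops the encryption from ever being tested, and joekicker's remark that one-time pads are easy to generate from a good random source. The archive format here is ZIP rather than the RAR frostfire describes; ZIP stores member names in cleartext in its local and central directory headers, so a plain byte scanner lists them without touching the payload. Sealing the whole container under a pad of random bytes from os.urandom hides everything, names included, and XORing again with the same pad restores the archive. The member files are constructed sample data, and the pad helper refuses a pad shorter than the data, since stretching or reusing a pad is exactly what turns a one-time pad into something breakable.

```python
"""Hiding archive member names from a byte scanner with a one-time pad
(added example).

The ZIP format and the XOR pad helper are assumptions for this demo, not
anything from the original posts.  A real archive tool with header
encryption does the name-hiding inside the format; this shows the general
principle with the standard library only.
"""
import io
import os
import zipfile

MEMBERS = {  # constructed sample files, not real data
    "ledger_2009.txt": b"constructed ledger line\n" * 20,
    "contacts.csv": b"name,number\nalice,555-0100\n",
}


def build_zip(members: dict) -> bytes:
    """Return a ZIP archive (bytes) containing ``members``."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def names_visible(blob: bytes, names) -> list:
    """Which member names a naive byte scanner would find in ``blob``.

    ZIP keeps names in cleartext headers, so for a plain archive this
    returns all of them without decompressing anything.
    """
    return [n for n in names if n.encode() in blob]


def make_pad(length: int) -> bytes:
    """Fresh random pad. Must be at least as long as the data and never reused."""
    return os.urandom(length)


def otp(data: bytes, pad: bytes) -> bytes:
    """XOR ``data`` with ``pad``; calling it again with the same pad decrypts.

    Refuses a pad shorter than the data: wrapping or reusing pad bytes is
    what makes a "one-time pad" breakable.
    """
    if len(pad) < len(data):
        raise ValueError("pad shorter than data: this would no longer be a one-time pad")
    return bytes(a ^ b for a, b in zip(data, pad))


def demo() -> dict:
    """Build the archive, seal it, unseal it, and report what a scanner sees."""
    archive = build_zip(MEMBERS)
    pad = make_pad(len(archive))
    sealed = otp(archive, pad)
    restored = otp(sealed, pad)
    with zipfile.ZipFile(io.BytesIO(restored)) as zf:
        roundtrip = {n: zf.read(n) for n in zf.namelist()}
    return {
        "names_in_zip": names_visible(archive, MEMBERS),
        "names_in_sealed": names_visible(sealed, MEMBERS),
        "roundtrip_ok": roundtrip == MEMBERS,
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script: the plain archive reveals both member names to the scanner, the sealed container reveals none, and the round trip reproduces the original members byte for byte. The pad has to be stored somewhere the scanner cannot reach and is as large as the archive itself, which is the usual price of a one-time pad.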
