COFEE, DECAF and all that crap

Posted on December 21, 2009

Apologies for the semi-serious post. There’ll be a funny Christmas one along soon.

First there was COFEE. I wrote about COFEE in my first blog on here, but it was mostly as a way of introducing a piss-taking article about the different groups who comment on computer forensics in the online geek press.

In case you don’t know, COFEE is a bundle of freely available, mundane volatile-data collection tools released by Microsoft to LE only. It isn’t exciting, but the fact that it was shrouded in mystery at Microsoft’s behest made for some hugely entertaining speculative column inches on t’internet.

Then a few weeks ago, COFEE was leaked onto said t’internet and merriment ensued. At first the frenziedly self-polluting masses whooped with joy at the release of this pernicious tool – it was Darth Vader’s helmet, the eye of Sauron, Freddy’s claws, Silas’s cilice, the evil Nazi’s monocle – and it was IN THEIR GRASP! This’d really stick it to the man! Yeah! Then they paused for a bit (while other people who actually knew what they were doing had a look at COFEE and reported back), and they realised that it was a bit crap really.

The mob by this time were in a witch-burning mood, and they weren’t going to be thwarted by the fact that their bride of Satan was revealed to be just some unpopular bint with a hook nose. So they created an effigy, and this effigy was given a none-too-subtle placard reading ‘Law Enforcement Computer Forensics Practitioners’. ‘Look!’, they howled, ‘this thumbdrive of Sysinternals apps is the SUM TOTAL OF POLICE KNOWLEDGE! This is the only forensic tool that the police have ever used, ever, in their lives, ever! Ever! They go swanning into houses, plug in this thing and send people to prison…with this crap!’

And lo, the LE forensics folk said ‘LOL’. And most of the private sector folk had already realised that they’d never actually been called on to look at evidence gathered with COFEE by the police, and they weren’t too bothered either, particularly when they attended a mixed-class live forensics course (such as the excellent ones run by Nick Furneaux) and realised that everyone was using the same tools anyway.

And then there was DECAF. This was released as an antidote to COFEE, a set of tools that would detect when some jackbooted minion of the state plugged COFEE into a computer, and drive a stake through its cold, black heart. The ignorant masses rejoiced again, for they had found a witchfinder general who would stop the evil minions of The Man from erm… using their lawful powers to catch criminals. Whatever. Comments threads in news articles were positively dripping with the froth expelled by these people, as they did their utmost to imitate the taxonomy I’d set out in my first post (don’t believe me?)

In the latest instalment of this saga, the authors of DECAF have revealed that their toolkit was a stunt (along with what surely wins the prize for ‘most incongruously placed proselytizing’). It’s not a hoax as such – the tools work, if you can be bothered to reactivate them – but they seem to have released their set of mundane, push-button tools to make a point about governments relying on mundane, push-button tools to do their work for them. DECAF, like COFEE, is a bit crap. As this excellent article at Praetorian Prefect points out, the time that paedos spend trying to get it to work is time away from their offending – and if it gives them a false sense of security, all the better. I can just imagine them howling with rage as their computers are taken out in black bin bags: “You didn’t use COFEE! Go on, plug COFEE in and see what happens! Not fair! Some tape-changer on Slashdot said that you all use COFEE.”

DECAF’s purpose is very noble, and it’s hard to argue with the sentiment…except that as far as I can see, we haven’t been “relying on a tool to automate the process of forensics”, not in the way that the DECAF authors meant anyway. I work in the UK, and I’ve never heard of anyone using COFEE in anger. Just because MS released it to LE, doesn’t mean we use it. It’s one of the options out there, but there are toolkits that do more, do it better, and do it with tools that have been widely tested and that don’t rely on secrecy to protect them (from what? I don’t know, MS never said). Automating’s fine, and no one working in LE has the luxury of approaching every job with nothing but a hex editor and DD in their hand any more, but you’ve also got to be able to understand and validate your findings. That’s the message that they should have been trying to get across.

COFEE was never a tool for forensics people, it was a tool for untrained first responders, probation officers, sex offender units etc. The argument about whether these people should be touching a suspect’s computer is one for another day (and probably another blog), but my feeling is that if the circumstances dictate, the powers to search are there and it’s the difference between getting some vital evidence on an offender and not getting it, then the evidence should be got and the technical provenance can be discussed reasonably by the experts before court.
