Decaf loses sting in Cofee attack

Software that supposedly blocks Microsoft's cyber-forensics tool has been disabled, but owners insist it works. Redmond says Cofee still "great value" to police.
Written by Vivian Yeo, Contributor on

A controversial tool that claims to render useless a cyber-forensics program used by law enforcement agencies remains a hot topic on the Internet even after it has been removed by its owners.

A pair of hackers reportedly developed Detect and Eliminate Computer Assisted Forensics (Decaf), touting it as able to detect Microsoft's Computer Online Forensic Evidence Extractor (Cofee) and obstruct the program by, among other activities, locking down a machine, according to an article on the Dark Reading Web site on Dec. 14.

Distributed by Interpol, Cofee is used by law enforcement agencies worldwide, including the Hong Kong Police Force. The software was officially made available last October and, according to various reports, its code was leaked on the Internet in November.

Decaf since removed
Since the public announcement of Decaf, its developers have professed the move was a publicity stunt to "raise awareness for security and the need for better forensics tools". The software download on its Web site was also removed.

In a YouTube video posted on Dec. 16, a spokesperson for the Decaf creators maintained they were "not hackers". The duo simply wanted to put a stop to Cofee, as other "pretty good" forensics tools were overlooked.

"We saw Microsoft release Cofee and it got leaked, and we checked it out just like any kid's first day at the fair, where you walk up and you see that cotton candy machine," he said. "And it smells so good and you see it's all fluffed up…you get up there and you bite into it--there's nothing in your mouth. That's the same thing we did with Cofee."

An update released Dec. 22 on the Decaf Web site further asserted that Decaf does indeed exist. "It did what it was set out to do and did it well," said the creators, adding that they "did not remove the tool because of Microsoft".

Richard Boscovich of the Microsoft Digital Crimes Unit noted in an e-mail interview with ZDNet Asia that, despite the emergence of Decaf, Cofee is still relevant to forensics work.

"Not only do we believe the current Cofee technology still holds great value for law enforcement use in the field, we will of course also continue to work with our industry and academic partners to evolve and update tools like Cofee, to meet the needs of law enforcement over time," Boscovich said.

Pointing out "there are far more effective and responsible ways of advancing forensics", he added: "Feedback and constructive criticism are the cornerstones of any development process, and we remain committed to working with experts in this area in the responsible manner required to effectively address digital crime."
