Saturday, December 19, 2009

DECAF and COFEE, and a brush


I’ve been pondering for some time what to say regarding the COFEE / DECAF events of the past month or so.

Stick with me and I’ll get back to the personal touchstone shown above.  It’s all related.

First let’s pour a cup of COFEE

Back in early November the Computer Online Forensic Evidence Extractor, a forensics tool made by Microsoft and distributed to law-enforcement groups, was released (accidentally or otherwise) and like so many photos of celebrities on a binge, quickly made its way across the Net in a firestorm.

Microsoft scurried to damage-control while others who weren’t privy to the law-enforcement (LE) only tool salivated at the chance to break it down.   Curiously, when details on building the Windows Forensic Edition (FE) version of Windows PE (which, by some reports, seemed to also include a COFEE package) made their way onto the web, nary an eye was raised or key typed regarding this “release” of forensic tool information.

Maybe it was because the COFEE spill came during a slow news cycle.  Or maybe, because it was USB-based and largely auto-executing, it was “relatable” and something the masses could quickly digest.   Compare that to the heavy lifting of understanding and executing the build of a custom Win PE disk, with registry tweaking and bundling of George M. Garner Jr.’s Forensic Acquisition Utilities, all of which are CLI-based.  Nothing at all sexy here.

And yet I would argue that this Win FE tool, in the hands of a skilled investigator, is loads more threatening to the underworld than COFEE could hope to be.

Anyway, I digress.  Some folks cheered the release as proof that M$ was in cahoots with the goberment suits, enforcers, and MiB.  Others moaned that this was a body-blow to computer forensics and that criminals would now run amok coming up with anti-COFEE techniques.  Pandora’s box was opening.

Sure enough: New tool deCOFEEnates Windows systems - The H Security: News and Features  (one of many).

DECAF swept the Net blog-o-sphere like wildfire.  But just what really was going on with both?

As far as I can tell, COFEE just manually or auto-executes a slew of publicly available system administration and “forensic-type” utilities and saves their results as log files back to the USB stick containing COFEE.  It’s pretty much “plug-n-play.”  No in-depth analysis.  No sirens going off or “look what I found, Mr. Policeman.”  Just raw and dirty data collection and logging.  Someone still has to sift through it all.

Simon Price outlines its features simply in his More COFEE Please, on Second Thought… post
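To make the “just a runner for existing tools” point concrete, here is an added example of the shape of such a collector. It is not COFEE’s code (which is closed) and not Simon’s; everything in it is an assumption for illustration. The command list is constructed so the demo runs anywhere (it uses the Python interpreter instead of real tools like ipconfig or netstat, which the example names only in a comment), and the output directory name is hypothetical. The part worth noticing is not the execution loop but the manifest: per-tool timestamps, exit codes and SHA-256 hashes of what was actually captured, including a record of tools that were missing, because that is what you need when the collection is later questioned.

```python
"""
Minimal live-response "runner" in the spirit of what the post says COFEE does:
execute a list of ordinary system utilities and save their output, plus a
manifest with timestamps and SHA-256 hashes, to a directory on the collection
media. Added example; not COFEE's code. All names here are illustrative.
"""
import hashlib
import json
import subprocess
import sys
import time
from pathlib import Path

# Constructed, portable command list. On a real Windows collection this would
# hold entries like ["ipconfig", "/all"], ["netstat", "-ano"], ["tasklist", "/v"];
# those are not guaranteed to exist wherever this example runs, so the demo uses
# the Python interpreter to produce deterministic output, plus one deliberately
# missing tool to show how a failed step is recorded rather than silently lost.
DEMO_COMMANDS = {
    "hello": [sys.executable, "-c", "import sys; sys.stdout.buffer.write(b'hello\\n')"],
    "missing_tool": ["this-tool-does-not-exist-xyz"],
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_one(name, argv, outdir: Path, timeout=60):
    """Run one utility, store stdout+stderr in <outdir>/<name>.txt, return its manifest entry."""
    entry = {"name": name, "argv": argv, "started": time.time()}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout)
        output = proc.stdout + proc.stderr
        entry["exit_code"] = proc.returncode
    except FileNotFoundError as exc:
        # A missing tool is itself evidence of what the collection did not capture.
        output = f"ERROR: {exc}".encode()
        entry["exit_code"] = None
    except subprocess.TimeoutExpired:
        output = b"ERROR: timeout"
        entry["exit_code"] = None
    entry["finished"] = time.time()
    outfile = outdir / f"{name}.txt"
    outfile.write_bytes(output)
    entry["output_file"] = outfile.name
    entry["output_bytes"] = len(output)
    entry["output_sha256"] = sha256_bytes(output)
    return entry


def run_collection(commands, outdir, timeout=60):
    """Run every command, write manifest.json beside the outputs, return the manifest dict."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    manifest = {"collected_at": time.time(), "results": []}
    for name, argv in commands.items():
        manifest["results"].append(run_one(name, argv, outdir, timeout))
    manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
    (outdir / "manifest.json").write_bytes(manifest_bytes)
    # The hash of the manifest itself is the one value you would copy into the case notes by hand.
    manifest["manifest_sha256"] = sha256_bytes(manifest_bytes)
    return manifest


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "collection_demo"  # hypothetical output dir
    result = run_collection(DEMO_COMMANDS, target)
    for r in result["results"]:
        print(f"{r['name']:14} exit={r['exit_code']!s:5} sha256={r['output_sha256'][:16]}...")
    print("manifest sha256:", result["manifest_sha256"])
```

Run it with the path of the collection media as the only argument. Note what this does not do: it does not interpret anything, it alters the live system (every process you spawn changes volatile state), and its results are only as defensible as the documented behaviour of each tool it calls, which is Simon’s point below.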

Make yours DECAF?

The thought was that some baddie could install this program and let it sit there monitoring the system, ready to thwart the door-busting entry team and their COFEE-laden USB dongles the moment they plugged in.

Simon then actually took the time to break down exactly what it did on his Praetorian Prefect blog: Regular or Decaf? Tool launched to combat COFEE.  Really?  Not much.  It is an interesting read.  Thank you, Simon, for the time it took to share this.  I appreciated it.

Despite the few folks who were trying to assess the real merit and worth of DECAF, many still bought into the hype and excitement of DECAF.

Fortunately or unfortunately, it all came crashing down this week: DECAF Was Just a Stunt, Now Over – Slashdot.

It may never be clear what the true motive and direction those responsible for DECAF had in mind.  Needless to say, the site closed up shop in a somewhat bizarre rant, and a few sour-grapes from those who got taken.

Perspectives That Matter

Simon Price (again) spent some time tossing up a post showing that DECAF really wasn’t “disabled” but was merely rendered non-functional because it calls home when launched.  No response from the mother-ship?  No workie!  Simon also showed how it can be made to run anyway…not that anyone really would care to do so.

In Simon’s post, he offers a number of valuable points from this whole COFEE/DECAF drama:

If you have a serious computer crime to deal with, get a serious computer forensics investigator, who uses sets of real computer forensics tools based on the situation he or she is faced with.


part of the unnecessary nonsense generated around the leak of COFEE and all that followed was the inappropriate way it was originally released and marketed as “only for law enforcement”. Forensics tools must be well known, analyzed by experts, and their effects on target systems well documented. Thus releasing a closed source tool to a small community meant that COFEE could never be used seriously to present evidence in court. That is, if it did anything novel; but it doesn’t. COFEE allows the user to run existing tools, system utilities, from a USB stick.

The promise of COFEE, how it was marketed, has sold a number of people on why it’s so important that it was leaked and subverted. Standardization of incident response tools (as in only a couple are used) would be a nice idea, but would be an effort faced with serious challenges because heterogeneous non-complex IT environments are a thing of the distant past. Having less skilled people “run a tool” that allows them to perform data capture is a nice idea, albeit even a little more dubious. What lawyer could not get evidence from a computer thrown out that’s collected by someone who doesn’t understand a computer? The reasons why it would be a positive are clear: forensic data would not be lost even if an investigator lacks computer forensics skills, and frankly there are not that many good computer forensic investigators to go around.

But COFEE does not deliver on either of these aspirations, as much as some might wish it does. And it was easily countered, meaning any bad actor could have done it. And tools aren’t evil, the people who use them are.

Well said, Simon.

Windows forensic author and guru, Harlan Carvey has been rather silent on the whole thing until now. Gotta respect his patience and wisdom.  That’s a mark of a pro.  He’s probably been hanging out with the other real computer forensics experts, watching from his porch the COFEE/DECAF train-wreck litter his lawn with spilled beans.  He also has shared his thoughts:

It's long been known that subversive tools and techniques, colloquially referred to as "anti-forensics" tools, haven't been directed at subverting other tools; tools such as timestomp aren't meant to subvert EnCase or even NTFS. What's being targeted here is the analyst and their training.


When you really think about it, DECAF is meant for one thing...subvert the use of COFEE. If the responder is a one-trick pony, and ALL they have is that COFEE...over, and DECAF, wait...I wasn't gonna say "done its job". No, what I was gonna say was that DECAF has demonstrated the shortcomings inherent to types of responders that rely solely on the use of one tool, such as COFEE.

And for more Keydet89 thoughts, continue reading his DF and Disclosure post.

[One of the authors of DECAF's] primary issue with COFEE throughout the interview seemed to be that it could be fingerprinted...that there were automatic means by which someone could determine that COFEE was being run on a system. Okay...but isn't that true for just about ANY software? I don't know the inner workings of DECAF, but couldn't the same thing be said for other responder tools? According to an article in The Tech Herald, it appears that COFEE's primary purpose is to automate the use of 150 (wait...150?!?) tools, some of which include tools available from the MS/SysInternals site.

How many other responders use these tools?

How many other toolkits could possibly be affected by tools such as DECAF?

Consider this...why COFEE? Why not Helix? Why not WFT? Why target a tool released by MS, and not one, say, endorsed by SANS? I'm not going to speculate on those...those are for tool authors themselves to consider.

That’s exactly the same point I made earlier regarding Win FE: it bundles the same kind of widely used utilities, yet nobody rushed to write an anti-Win FE tool.

So what does all this have to do with the makeup brush in the photo at the top of this post?


See, that little brush is the personal fingerprinting brush my Hoover-era FBI agent grandfather carried.  It might look brand new, but a close inspection finds specks of dust embedded between the brush hairs.  The gloss has been worn away from the center of the brush handle where it had been spun in his fingers.  Yes, it does look like just another tool, one of many makeup brushes like Alvis or Lavie have on their bathroom counters.  Yet it is different.

In his skilled and trained hands, he could lift prints which would be manually compared against many, many, many held in catalog files.  No CSI-eye-candy computer databases back then.  And Grandpa and his colleagues faced “anti-forensics” in their time too.  Crooks wore gloves, wore masks, may have burned their shoes or clothes, tossed the iron into the river.  Some even went hard-core and used chemicals or other methods to try to remove their own fingerprints from their fingertips.

Yet with patience, common tools used by common men, with uncommon training and discipline, that “makeup brush” would often lead them directly to their collar.  Same goes for all these system administration tools, utilities, and other specialized “forensics” software applications.  Just tools.  Inert, and (sometimes) worse than useless, unless wielded by a skilled investigator.

Guys like Simon Price and Harlan Carvey get it.  There are many other hard-working forensics women and men who don’t have blogs or books or other stuff who also get it, and get the bad-folks.  They understand that the real threat the bad-folks face and fear isn’t the tools, or programs, or utilities; it’s the knowledge and skills of those who are behind them.

In the end, I believe it never really is about the tools/software. Really.  It all boils down to the skill and knowledge of those that use them. Period.  Everything else is just means to an end.

There will always be specialized tools to help aid LE and forensic/incident responders.  And there will always be others who seek to subvert, disable, or fuzz those tools.  It’s just another arms-race of sorts.  What matters is what we are doing to train and maintain the knowledgebase of those who stand in that thin-gray line, and recruit others to join their ranks in the future.

And with that, I’m raising my cup of decaffeinated coffee, and a simple brush, to dear grandpa.

And yes, that is him in the photo directly underneath the brush…about the time of his retirement from the F.B.I. That man had the strongest and firmest hands I have ever known.  And they almost always had a tool in them…always practicing, always busy.

--Claus V.

More COFEE/DECAF linkage for those who still care...


Troy Larson said...


Thanks for the kind words about Windows FE.


Claus said...

@ Troy - Least I could do. It's very cool and useful!

If I had more time I'd really like to attempt a custom Win FE port like I do for my Win PE 3.0 building that might make it a bit more "sexy" like the Linux LiveCD forensic builds out there (DEFT/RAPTOR/CAINE/HELIX...) but keep the foundation of the Win FE non-auto disk mounting/writing intact.

Are you aware of any builds where someone has attempted to do so?

I think by the very nature of how they boot/access the drive, all of these particular off-line forensic examination tools in that class (offline examination of the physical disk / system) just don't lend themselves well to the flair and attention that DECAF and COFEE seemed to generate, particularly with the "anti-forensics" slant.

Because it was a live system to begin with, it was fairly easy to conceptualize and execute some kind of proactive defense against it. Much harder to do with a forensic examiner looking internally at a "dead" system with clean "external-run" OS tools (PE/Linux). Not much defense against that except maybe WDE and refusing to give up your passphrase...and even then there is a chance it might be breached with the right resources/tools.

Real forensics work/tools aren't quite so sexy and attention-getting indeed. ;-) But darn, they can be effective!

Haven't seen any defenses against physical write/block device usage either to prevent a forensic specialist from examining a drive. Wouldn't that be the cat's meow for a perp? Some kind of smart-drive/firmware that detected if a write-block was attached and then really did scramble/erase the platter data/sectors as it fed garbage back to capture-source. You wouldn't know you were hosed until you looked at the image hours later...and by then the damage was done.

Good thing indeed....

Except maybe the MiB in Area 51 might just have that capability...

Oh noes!

--Claus V.

DK said...

That was a good read, thank you.

- Guys from Praetorian Prefect.

Claus said...

@ DK - It was my pleasure to write it!

Your analysis was great and what was really needed in the debate and news-flurries.

Only by deconstructing something like that can the hard-data be seen. This hopefully leads to a more reasonable response and reaction.

Dialog is generally a good thing and I hope some positives came out of it.

Keep up the great work! It was an easy call to add your blog to my RSS feeder! Can't wait to see what's next!


--Claus V.

Anonymous said...

This was a very good reading.

Sole DECAF Developer