COFEE & DECAF

There have been some very odd things going on in computer forensics over the last few weeks.

First, Microsoft’s COFEE incident response tool leaked onto the internet. COFEE had previously only been available to law enforcement organisations, so having it leak to the public kicked up a bit of a storm, with people trying to work out just exactly what it is capable of doing. The answer turned out to be “not very much”. Rather than being the ultimate secret backdoor that some early media reports made it out to be, COFEE is more like a glorified shell script that pulls down volatile memory to a USB stick.

Inevitably, someone released a tool aiming to disrupt COFEE’s execution. DECAF was released earlier this week, but a couple of things about it seemed a little strange. Its website offered the tool for download, but as a binary-only distribution. Perhaps it’s just me, but I find it quite hard to trust security tools that don’t release their source code. Another quirk was that the DECAF website contained an EULA for the software prohibiting reverse engineering or disassembly (which also contained references to Skype, of all things!). It all seemed to go against the ethos of full disclosure in computer security.

I downloaded a copy, and planned to play with it over this weekend (I’ve just handed in my final piece of MSc coursework for the semester today!), but there’s another twist:

The DECAF website has been updated to remove any links to the software and instead shows an odd message claiming that all copies of DECAF have been disabled, ending with a passage from the Bible!

As I’ve been writing this I’ve been listening to an interview with DECAF’s developer on the Cyberspeak podcast, which seems to have been recorded before the tool was taken down. It’s interesting, but it doesn’t really make things any clearer with regard to the developer’s motivations or the manner in which the tool was released.