About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.

“We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,” one of the two hackers behind Decaf told The Register in explaining the objective of the project.

DECAF Details

DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config which contains the application settings (an XML is also created in the user’s profile directory for each user’s specific settings).

When launched, it displays the user license agreement and asks for confirmation. When agreed, it writes the following registry entry:

Key: HKU\SOFTWARE\DECAFme
Value: AcceptedEULA
Data: true

The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response: 1.0.0|http://www.decafme.org/|

If the application does not have a network connection, it will crash upon starting up with the following event:

EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.

Decaf Menu

I produced this initially when I had my virtual host’s network interface disabled.

Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:

SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"

And since the thumb drive has the COFEE label, finding its presence should not be an issue.

Notification finding COFEE

When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1

When clicking Simulate, it mimics what would happen if coffee is found, and the sim field is set to true:

GET /decaf.php?&rip=299.297.141.45&rtime=12142009_051522PM-5&sim=true HTTP/1.1

The Configuration Menu

Lockdown Settings

In the configuration menu, there are checkboxes in the Monitor section to “Monitor USB” and “Monitor COFEE”. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:

• Shutdown the system
• Kill selected processes
• Disable Network, USB, CD-ROM, ports, floppy
• Clear event viewer
• Erase Data

The configuration settings are stored per user in an XML file located in:

%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0>

If the config for the user does not exist, the default in the launch directory is used.

Conclusion

When I first heard of the tool, I assumed it would also include detection of the default OS commands and Sysinternal utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe, however, in its current version this is not the case. An anti-forensics tool which expands into detecting the typical collection tools will affect investigations that use various toolkits (Helix, IRCR, etc), not just COFEE. However, as quoted by The Register, the DECAF brewer’s intentions are not to derail just any collection suite, but for law enforcement to expand beyond using what Microsoft provides them.

This version of decaf is still very bitter and has quite a ways to go in its development. The authors of Decaf are promising a more light-weight version or a windows service in the next release and text message and email triggers to enter lockdown mode remotely in future versions. However, Decaf provides a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.

Updates

The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the following post.

Related Posts:

• iPhone 4 Ordering and Session Switching
• May’s Patch Tuesday
• WinPE 3.0 & Forensics
• March’s Patch Tuesday
• Press F1 for Help, pwned.

My initial advice, after being a little surprised, was that she needed to go down to the bank branch to get this straightened out. She returned telling me that the teller said that it was fraud, that the fraud department was not answering the teller’s calls, and that my friend could call the fraud department directly. She asked me if I thought this could actually be fraud, a transfer made by some bad actor. I replied that I didn’t think a bank would honor any manner of withdraw of nearly a million dollars from an account that can’t cover the amount, and that this is likely not fraud but a clerical error of some kind.

My friend called the fraud department number provided, and connected with an automated message asking her to leave a message with her account number, phone number, and information on the nature of the fraud. By asking for a phone number, the fraud department was leaving the indication that someone would call back. She logged into her online banking account, and showed me the transfer, it was for $888,888.88. The balance was the amount of money she had in the account, minus this bizarre withdraw. I advised her that the money amount looked like a place filler, the kind of data a clerk at a financial institution puts in to fill out a field in an application. As a developer I had watched operations people do this before (usually with all nines) when an application had a required field (you can not move off the screen you are on without putting data in it) but the field is not actually used for anything, just a bad or legacy application problem.

The ATM receipt.

An hour later, no call, and she logged into her online banking account again. The transfer was gone, the account balance was back to normal, and no return call ever came from the fraud department.

So problem solved, but the way it was handled continued to bother me. The people physically at the bank were not empowered to take any action. A bizarre money figure was involved, and a problem was resolved without any further information. As a security professional, incident response is drilled into the collective mind of the industry: making sure people know what to do when emergencies happen, empowering people to respond properly, clearly written policies everyone can access, and ensuring everyone knows what response people to contact and how to reach them. In this case the front line bank professional suggested that the customer was a victim of fraud but there was no opportunity to speak to a person empowered to do any research and the problem was resolved with no further information or explanation.

I decided to see if anyone else had run into this. I started by checking out bankofamerica.com, and searching for the strange money amount $888,888.88. That produced no results. Searching for that money amount on Google exploded with results, some of which are detailed below. Ignoring any vitriol aimed at the institution itself (I have no issue with the bank: one policy or practice does not make an institution and BOA is associated with some key advances in online banking security such as one of the first wide scale mutual authentication implementations), it is clear that placing a negative transfer of this amount is standard operating procedure when fraud is suspected. In my friends case a money transfer came to her account that must have been flagged for some reason initially, and then quickly determined not to be a problem.

This approach has problems. Ostensibly the bank’s goal is to determine if there was fraud and if not to reintegrate the customer, if so get rid of the bad account and perhaps pursue further remedy. For that first case however, the handling of the fraud case that is not fraud will largely determine whether the bank customer remains a customer or not. If a bank appears to be looking out for both your interests as well as their own, the customer can leave with a positive reaction, or at least an understanding one. With this approach, the customer is left agitated.

So some things that might change to make this more palatable:

• A clearly written account alert online and on ATM receipts that indicates the account is in a hold state because of a potential fraud condition.
• Ensuring front line bank personnel, the tellers, can always access fraud personnel to review a case while a customer is in the bank branch.
• Ensuring someone can answer the phone when the fraud department is called, day or night, 24×7.
• Retiring the practice of entering a -$888,888.88 transaction in the account. At some point the bank will be responsible for a heart attack with this practice. More seriously, if the goal is to come to a timely resolution on determining whether fraud has taken place, having the customer start the interaction in a seriously agitated state, the near universal response to seeing that they owe almost a million dollars in their bank account, does not make sense.
• A follow up call if the fraud condition is resolved without the customer present and with a positive outcome (no actual fraud found), letting the customer know why this happened and that such investigations are for the mutual benefit of the bank and the customer.
• Add better information to the web site on what happens when an account is suspected of fraudulent transactions. Not enough where a thief is given a playbook of the bank’s response, but enough so that a customer is not left out in the cold wondering where their money went.

Invariably someone will bring up the cost of fraud is accepted as a cost of doing business, these customers and the associated money they bring in are a rounding error for the bank, and other such specious arguments. This has little to do with the cost of fraud itself, this is the cost of losing customers and potential customers to a strange incident response process. Regarding providing effective support, the fact is that hiring phone personnel or training your existing ones to handle fraud scenarios effectively is not a major expense when balanced against negativity related costs to the brand. If the fraud department of the bank is overwhelmed, more tasks on simple cases must be pushed down to less qualified but more numerous support personnel.

Will this make people happy they can not withdraw money because their account is on a fraud hold? No. It might however avoid losing that customer, and every person that customer talks to as a potential customer. It might make these experiences less life changing for the people involved. Because if the responses below are any indication, people leave this process very upset today. My friend is no exception.

The online responses of other persons:

Related Posts:

• Regular or Decaf? Tool launched to combat COFEE