<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Praetorian Prefect &#187; cofee</title>
	<atom:link href="http://praetorianprefect.com/archives/tag/cofee/feed/" rel="self" type="application/rss+xml" />
	<link>http://praetorianprefect.com</link>
	<description>Information security, a little slower...a little deeper</description>
	<lastBuildDate>Thu, 29 Jul 2010 16:38:31 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Reactivating DECAF in Two Minutes</title>
		<link>http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/#comments</comments>
		<pubDate>Sat, 19 Dec 2009 02:51:33 +0000</pubDate>
		<dc:creator>Prefect</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2574</guid>
		<description><![CDATA[The misinformation on DECAF being shut down and a hoax is alarming and the quality of reporting on this security topic actually worse than usual. Earlier tonight we noticed <a href="http://twitter.com/slashdot/status/6805917206">this update</a> from @slashdot on Twitter: "DECAF Was Just a Stunt, Now Over", along with this: "Anti-COFEE tool taken down &#38; d/l'ed copies disabled.". Ok, fair enough, releasing DECAF was a stunt according to its two creators. But then we saw <a href="http://blog.seattlepi.com/microsoft/archives/188706.asp">this train wreck of an article by Nick Eaton</a>, the Microsoft Reporter over at the Seattle PI Blogs. So now we're going to respond, because the incorrect DECAF as a big hoax story, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shut down appears to only be a call back to decafme.org that is now disabled, but is easily spoofed, and we'll demonstrate how.]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.321.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.321-150x150.gif" alt="ScreenHunter_07-Dec.-14-16.32" title="ScreenHunter_07-Dec.-14-16.32" width="150" height="150" class="alignnone size-thumbnail wp-image-2575" /></a></p>

<p>The misinformation on DECAF being shut down and a hoax is alarming, and the quality of reporting on this security topic is actually worse than usual. Earlier tonight we noticed <a href="http://twitter.com/slashdot/status/6805917206">this update</a> from @slashdot on Twitter: &#8220;DECAF Was Just a Stunt, Now Over&#8221;, along with this: &#8220;Anti-COFEE tool taken down &amp; d/l&#8217;ed copies disabled.&#8221; Ok, fair enough, releasing DECAF was a stunt according to its two creators. We listened to this <a href="http://cyberspeak.libsyn.com/index.php?post_id=561335">bizarre podcast</a> where the developer was asked to take DECAF down. Finally we saw <a href="http://blog.seattlepi.com/microsoft/archives/188706.asp">this train wreck of an article by Nick Eaton</a>, the Microsoft Reporter over at the Seattle PI Blogs. So now we&#8217;re going to respond, because the incorrect story of DECAF as a big hoax, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can easily be re-enabled: the shutdown appears to be nothing more than a call back to decafme.org that is now disabled, and that call-back is easily spoofed, as we&#8217;ll demonstrate.</p>

<p>The story is this: users visiting <a href="http://www.decafme.org/">http://www.decafme.org/</a> were treated to the screenshot shown below stating that DECAF &#8220;no longer works&#8221; because the release &#8220;was a stunt to raise awareness for&#8230;the need for better forensic tools&#8221;. The thought process isn&#8217;t terrible: DECAF is a simple, clearly quickly written, and unsophisticated Visual Basic 2005 application designed to show the simplicity of thwarting the COFEE forensics tool. You can also see where Microsoft and others have a problem with the application. It is designed to detect the presence of the Microsoft-released forensic tool (largely a wrapper around known utilities) called COFEE and then execute certain actions as specified by the user.</p>

<p>We&#8217;ve covered both topics in full, and aside from being good security theater, both the COFEE leak and DECAF release are much ado about nothing:</p>

<ul>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">More COFEE Please, on Second Thought…</a></li>
</ul>

<h3>Repent, and you shall be Saved</h3>

<p>So things started out ok, a proof of concept tool to combat unreasonable hype, until crazy came to town. Users visiting the site are presented with this bizarre message about Jesus:</p>

<div id="attachment_2576" class="wp-caption alignnone" style="width: 710px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/decafme_message.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/decafme_message.jpg" alt="A message of peace." title="decafme_message" width="700" height="321" class="size-full wp-image-2576" /></a><p class="wp-caption-text">A message of peace.</p></div>

<h3>How to Reactivate DECAF in Two Minutes</h3>

<p><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Remember that DECAF calls home</a> via HTTP to 208.68.237.165 when launched.</p>

<p>If it doesn&#8217;t receive this response, it crashes.</p>

<pre><code>1.0.0|http://www.decafme.org/|
</code></pre>

<p>The crash returns this error:</p>

<pre><code>EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.
</code></pre>

<p>So not serving this page appears to be &#8220;the deactivation&#8221;: the URL does not return the right response, and the application crashes. To counter this we:</p>

<p>Set up a virtual host in Apache:</p>

<pre><code>&lt;VirtualHost *:80&gt;
ServerName decafme.org
ServerAlias www.decafme.org
RewriteEngine On
RewriteRule ^.*$ /index.php [L]
DocumentRoot "/var/www/decafeme/"
&lt;Directory "/var/www/decafeme/"&gt;
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
&lt;/Directory&gt;
&lt;IfModule mpm_peruser_module&gt;
ServerEnvironment apache apache
&lt;/IfModule&gt;
&lt;/VirtualHost&gt;
</code></pre>

<p>Add this php file as &#8216;index.php&#8217;:</p>

<pre><code>&lt;?php
echo("1.0.0|http://www.decafme.org/|");
?&gt;
</code></pre>

<p>Modify your hosts file by adding this entry (swapping out the IP for wherever you put the virtual host):</p>

<pre><code>127.0.0.1 www.decafme.org
</code></pre>

<p>And we&#8217;re back to kicking off a set of processes when COFEE is detected on a system such as:</p>

<ul>
<li>Shutdown the system</li>
<li>Kill selected processes</li>
<li>Disable Network, USB, CD-ROM, ports, floppy</li>
<li>Clear event viewer</li>
<li>Erase Data</li>
</ul>

<p>We verified this by performing all the steps above, re-running DECAF, and doing a system shutdown upon detection of COFEE.</p>

<div id="attachment_2584" class="wp-caption alignnone" style="width: 417px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode1.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode1.png" alt="Lockdown Settings" title="lockdown_mode" width="407" height="342" class="size-full wp-image-2584" /></a><p class="wp-caption-text">Lockdown Settings</p></div>

<h3>Reporting that is an Epic Fail</h3>

<p>Looking at the sites that were misreporting, such as <a href="http://www.crunchgear.com/2009/12/18/decaf-the-anti-microsoft-cofee-pulled-it-was-a-stunt-designed-to-rally-yall/">CrunchGear</a> and <a href="http://tech.slashdot.org/story/09/12/18/1810250/DECAF-Was-Just-a-Stunt-Now-Over">Slashdot</a>, the story seems to all flow back to this <a href="http://blog.seattlepi.com/microsoft/archives/188706.asp">Seattle PI Blogs article by Nick Eaton</a>. Nick reports that DECAF &#8220;is fake&#8221;, that numerous media outlets were &#8220;duped&#8221; and that we were all manipulated. Except that, whatever the two developers&#8217; reasons were for creating DECAF, publicity stunt or tool release followed by threat of legal action and quick pull-back, DECAF was released as a working tool that still works.</p>

<p>Nick goes on:</p>

<p><i>There was something suspicious about the DECAF Web site before it switched to spoof mode Friday morning. The developers posted an explanatory video, highlighted DECAF&#8217;s supposed features, promised pie-in-the-sky updates (such as the ability to send DECAF a text message to trigger &#8220;Lockdown Mode&#8221;) and appealed to expert developers for help in making better forensics tools. It all seemed a little too legitimate and focused for an anti-policing tool.</i></p>

<p>Then there is this <a href="http://cyberspeak.libsyn.com/index.php?post_id=561335">podcast</a>, devoid of actual information about COFEE and DECAF but that fills in the blanks with nonsense about child molesters and terrorists. In their defense, we&#8217;re told this show is usually pretty good, so we&#8217;ll call this a bad night.</p>

<p>So never let the facts get in the way of a good story.</p>

<h3>DECAF vs. COFEE debate from the Developer (Video)</h3>

<p>We couldn&#8217;t get through the whole thing, but here it is:</p>

<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/lF-g1Pb1tGM&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowScriptAccess" value="always"></param><embed src="http://www.youtube.com/v/lF-g1Pb1tGM&#038;color1=0xb1b1b1&#038;color2=0xcfcfcf&#038;hl=en_US&#038;feature=player_embedded&#038;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"></embed></object></p>

<h3>Finally</h3>

<p>DECAF is not the most sophisticated piece of software, but it did work, and still works. COFEE is not used by legitimate forensic investigators. <i>&#8220;But pedophiles will use DECAF to thwart law enforcement!&#8221;</i> We can all only hope that they do, because the time they spend trying to get DECAF to work properly will be time spent away from committing felonies, and hopefully it will give them a false sense of confidence such that they do not use more effective methods to hide their crimes, like encryption. That would actually benefit investigators, as in <i>&#8220;hey, this moron thought that having DECAF installed was going to stop us from being able to find out what he was up to&#8221;</i>. The fact is that <a href="http://cyberspeak.libsyn.com/index.php?post_id=561335">bringing up wild child molester, pedophile, and terrorist scenarios</a> is a cheap, dramatic tactic, designed to rile people up emotionally and prevent us from having a dispassionate discussion about the facts of the situation.</p>

<p>If you have a serious computer crime to deal with, get a serious computer forensics investigator, who uses sets of real computer forensics tools based on the situation he or she is faced with.</p>

<p><i>But Microsoft may never build another COFEE, and transparency will stop!</i> Be serious. Part of the unnecessary nonsense generated around the leak of COFEE and all that followed was the inappropriate way it was originally released and marketed as &#8220;only for law enforcement&#8221;. Forensics tools must be well known, analyzed by experts, and their effects on target systems well documented. Thus releasing a closed-source tool to a small community meant that COFEE could never be used seriously to present evidence in court. That is, if it did anything novel, which it doesn&#8217;t: COFEE allows the user <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">to run existing tools, system utilities</a>, from a USB stick.</p>

<p>The promise of COFEE, how it was marketed, has sold a number of people on why it&#8217;s so important that it was leaked and subverted. Standardization of incident response tools (as in only a couple are used) would be a nice idea, but would be an effort faced with serious challenges because homogeneous, non-complex IT environments are a thing of the distant past. Having less skilled people &#8220;run a tool&#8221; that allows them to perform data capture is a nice idea, albeit a little more dubious. What lawyer could not get evidence thrown out that was collected from a computer by someone who doesn&#8217;t understand a computer? The reason why it would be a positive is clear: forensic data would not be lost even if an investigator lacks computer forensics skills, and frankly there are not that many good computer forensic investigators to go around.</p>

<p>But COFEE does not deliver on either of these aspirations, as much as some might wish it did. And it was easily countered, meaning any bad actor could have done it. And tools aren&#8217;t evil, the people who use them are.</p>

<p>Now if you have time, have a read of an article about the evolving state of <a href="http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/">real forensics tools</a>.</p>

<h3>Update</h3>

<h4>12/23/2009 &#8211; SoldierX</h4>

<p>The guys over at Soldierx.com have taken <a href="http://www.soldierx.com/news/DECAF-hacked-and-re-enabled-SX">the next logical step and removed the phone home component</a> (that now crashes) from the DECAF program and re-released it.</p>

<p>Note also, per our original analysis, that when COFEE is found, DECAF sends a request back to decafme.org as follows (our IP address has been changed):</p>

<pre><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_050704PM-5&amp;sim=false HTTP/1.1
</code></pre>

<p>It appears to be basically a tracking mechanism; however, the SoldierX guys didn&#8217;t like that it was doing that from a privacy perspective, and removed that piece also.</p>

<p>DECAF developers have also posted new messages, including the newest one indicating that a version 2 is now on the way:</p>

<h4>12/23/2009 &#8211; DECAFme.org</h4>

<p><i>Well, with Christmas right around the corner we felt it was an opportunity for DECAF to bring an application back on the scene. DECAF v2 is in the kitchen cookin&#8217; as we speak. As you know, DECAF v1 did do what it said it would do even though some people seemed to report it didn&#8217;t. Some might not use V2, some might. We really don&#8217;t care either way. If you are scared to use V2, that&#8217;s ok; run it through a VM.</i></p>

<p><i>Now that we let the cat out the bag, be sure to keep checking back and look for V2 within the next few days. This is the start of something big&#8230;</i></p>

<h4>12/21/2009</h4>

<p><i>DECAF was not a spoof, it was a &#8220;stunt&#8221;. We have got an amazing amount of positive feedback. We have had MANY requests for the source code of DECAF but do not feel its release would promote a positive move.</i></p>

<p><i>We have not been able to settle with our buyer for DECAF and DECAFme.org. If there is anyone seriously interested in purchasing, send an email to mike@DECAFme.org. Serious inquiries only.</i></p>

<h4>12/19/2009</h4>

<p><i>With all the recent buzz about DECAF lately, there have been many requests for the visibility of DECAF source code. These have been from the early days of its release to the current &#8220;stunt&#8221; news. My purpose of DECAF is over. There are many out there who think we are feds <em>cough</em> John Young <em>cough</em> and some who think we are lunatic, religious nuts <em>cough</em> John Young <em>cough</em>. But then again we still have 95% of the other readers who encourage and compliment us. Oh ya.. and we finally heard that Microsoft seems to have finally broken the silence about the hype. I am not quite sure where they stand as I was expecting to hear from Richard Boscovich myself but didn&#8217;t. Anyhow, on to my point&#8230;</i></p>

<p><i>We have heard from both sides of the argument regarding DECAF source code being released.</i></p>

<p><i>We have reason to believe DECAF source code and domain will be purchased this week by an unnamed buyer. We can&#8217;t be sure of the plans or really make sense of their motive but we are considering it. If this does happen, we will not be able to release the source to the community. Feel free to stay tuned as these next 48 hours pan out.</i></p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/">Forensics: Beverages Aside, A Look at Incident Response Tools</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">Regular or Decaf? Tool launched to combat COFEE</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/taxonomy-of-forensics-geeks/">Taxonomy of Forensics Geeks</a></li>
<li><a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">More COFEE Please, on Second Thought&hellip;</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
		<item>
		<title>Forensics: Beverages Aside, A Look at Incident Response Tools</title>
		<link>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 00:57:57 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>
		<category><![CDATA[FTK]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2333</guid>
		<description><![CDATA[In November, Microsoft's forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">much hype about nothing</a>, as many free tools already out there exceed COFEE in features and functionality.]]></description>
			<content:encoded><![CDATA[<h3>There Was COFEE</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/cofee_pod.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/cofee_pod-191x300.gif" alt="cofee_pod" title="cofee_pod" width="85" height="150" class="alignright size-medium wp-image-2336" /></a>
In November, Microsoft&#8217;s forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">much hype about nothing</a>, as many free tools already out there exceed COFEE in features and functionality. However, that did not stop statements such as &#8220;now that COFEE has leaked, hackers can reverse engineer to see what it does.&#8221; Well, I can save them time and tell them it launches OS commands and sysinternals tools to collect information, using a simple method that law enforcement can easily launch from a thumb drive. &lt;end rant&gt; I also hesitate to call it Microsoft&#8217;s tool, as I believe it has more development coming from The National White Collar Crime Center (NW3C.org) than from Microsoft. Ok, let&#8217;s move on to DECAF.</p>

<h3>Then There Was DECAF</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/brushed.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/brushed-150x150.png" alt="brushed" title="brushed" width="75" height="75" class="alignleft size-thumbnail wp-image-2339" /></a>
Just recently, with the COFEE hype behind us, a tool <a href="http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/">called Decaf was released</a> to combat the use of COFEE. It is a VB.Net application that detects the use of COFEE and then reacts in ways configurable by the user, such as shutting down the system, clearing event logs, or disabling the network, USB, CDROM, and more. The authors of Decaf shared my distaste for COFEE and its hype, and though the press coined them hackers, they informed me that they are developers who have a passion for security, forensics, privacy, and the free flow of information online.</p>

<h3>Let&#8217;s Talk Tools</h3>

<p>I want to put aside the media hoopla of COFEE and DECAF and discuss some great forensic analysis tools out there that are worth knowing. I want to try to focus on volatile data collection (grabbing important information from a live, running system), but many of the tools mentioned can be used in offline analysis as well. If you are familiar with digital forensics, you most likely have used these tools in many cases, and if you are new to this area I hope this provides some groundwork for you to try some of these tools out.</p>

<h4>The List</h4>

<p>Before getting into it, I want to share <a href="http://praetorianprefect.com/wp-content/uploads/2009/12/tools.zip">this Excel spreadsheet</a> that contains a good number of tools that can be used in the forensic analysis process. Any prices listed have either been found online or are estimates from VARs, but please check with the specific vendors for exact pricing. The tools discussed throughout the article are in this spreadsheet along with links to their respective websites. Also note this is Windows focused and by no means a complete list, but I feel it&#8217;s a good start for anyone interested in forensic analysis.</p>

<blockquote>
  <p>Don&#8217;t use a Sledgehammer to Hang a Picture &#8211; Use this <a href="http://praetorianprefect.com/wp-content/uploads/2009/12/tools.zip">comprehensive list of tools</a> for reference</p>
</blockquote>

<p>One last note before discussing the tools: it is important to know your situation and choose the right tool for the task at hand. You may grab the <a href="https://www.e-fense.com/store/index.php?_a=viewProd&amp;productId=11">Helix CD</a>, test it, and become so familiar with it that it becomes your tool of choice; but know that it may not be suitable for all situations, and you should have as many options as possible and be familiar with all that is available so you can be prepared with the right instruments. For instance, inserting the Helix CD may autorun the GUI menu system, and then clicking through the menus to run acquisition tools generates many changes to the contents of memory, whereas a method that immediately runs a memory acquisition tool would have less of an impact.</p>

<h3>Frameworks</h3>

<p>Let&#8217;s start by talking about what I refer to as forensics frameworks. These are programs or scripts that are wrappers to commands used to collect data. They organize a collection of common tools, handle the output of the tools, verify the tools are trusted, and provide some basic reporting. The Helix collection from e-fense includes several frameworks to choose from, including The Incident Response Collection Report (IRCR) by John McLeod, <a href="http://www.foolmoon.net/security/wft/">Windows Forensics Toolchest</a> (WFT) by Foolmoon Software and more. Another popular framework is by Harlan Carvey, author of Windows Forensic Analysis (Syngress Publishing) and the <a href="http://windowsir.blogspot.com/">Windows IR blog</a>, called the Forensic Server Project (FSP) which uses a client (FRUC) that runs the collection of tools and sends the output to a listening server (FSU).</p>

<p>I&#8217;ve also written a framework based on collating various features from the tool sets mentioned above as well as including some of my own ideas. The common theme in these, as in COFEE, is that they collect data using a suite of tools including commands available with the OS (such as netstat, net, systeminfo), Sysinternal utilities (such as pslist, listdlls, handle), and well-known utilities available freely (such as fport, autorunsc, pmdump, etc).</p>
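The framework behaviour described above (run a fixed suite of tools, verify each binary is trusted before executing it, capture the output, and report on it) is easy to sketch. The block below is an added example written for this article, not code from COFEE, IRCR, WFT, FSP or the author's own framework; the manifest format is my own, and the demo manifest substitutes the Python interpreter for the netstat/pslist/autorunsc binaries you would really carry on response media, with one entry's hash deliberately wrong to show the trust check refusing to run a swapped binary.

```python
"""Minimal volatile-data collection framework (added example; not COFEE, WFT, IRCR or FSP code)."""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_tool(entry, timeout=60):
    """Run one manifest entry and return an evidence record for it.

    entry = {"name": ..., "argv": [...], "sha256": expected hash of argv[0]}.
    The expected hash comes from a manifest built on a trusted system, so a
    swapped or trojaned binary on the target is skipped rather than executed.
    """
    record = {"tool": entry["name"], "argv": entry["argv"],
              "started": datetime.now(timezone.utc).isoformat()}
    actual = sha256_file(entry["argv"][0])
    if actual != entry["sha256"]:
        record["status"] = "skipped: binary hash mismatch"
        record["actual_sha256"] = actual
        return record
    try:
        proc = subprocess.run(entry["argv"], capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        record["status"] = f"timeout after {timeout}s"
        return record
    record["finished"] = datetime.now(timezone.utc).isoformat()
    record["status"] = "ok" if proc.returncode == 0 else f"exit {proc.returncode}"
    record["output"] = proc.stdout.decode("utf-8", errors="replace")
    record["output_sha256"] = hashlib.sha256(proc.stdout).hexdigest()  # hash the raw bytes
    record["stderr"] = proc.stderr.decode("utf-8", errors="replace")
    return record


def collect(manifest):
    """Run every tool in manifest order (most volatile data first) and return the records."""
    return [run_tool(entry) for entry in manifest]


def write_report(records, path):
    """Write the JSON report and return its SHA-256 for the chain-of-custody notes."""
    data = json.dumps(records, indent=2).encode("utf-8")
    with open(path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()


def demo_manifest():
    """Constructed manifest: the Python interpreter stands in for the tool suite.

    In a real kit the argv entries would point at the tool binaries on your
    response media and the hashes would have been recorded ahead of time.
    """
    good = sha256_file(sys.executable)
    return [
        {"name": "hostname", "sha256": good,
         "argv": [sys.executable, "-c", "import socket; print(socket.gethostname())"]},
        {"name": "tampered-tool", "sha256": "0" * 64,  # deliberately wrong: must be skipped
         "argv": [sys.executable, "-c", "print('should never run')"]},
    ]


if __name__ == "__main__":
    records = collect(demo_manifest())
    for r in records:
        print(f"{r['tool']}: {r['status']}")
    print("report sha256:", write_report(records, "collection_report.json"))
```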

<h3>Dealing with Memory</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/compfor.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/compfor-150x150.jpg" alt="compfor" title="compfor" width="110" height="110" class="alignright size-thumbnail wp-image-2362" /></a>
Any actions on a system generated by the operating system or the user constantly change the contents of memory. Thus if the first thing you do on a live system is run tools, you will be significantly modifying the memory contents. A good detailed primer on physical memory analysis by Mariusz Burdach can be <a href="http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Burdach.pdf">found here</a>. An important fact to note is that hardware methods exist to collect the contents of memory without interacting with the operating system. The tools I list in the spreadsheet for this purpose are software based, thus their execution and their changes to memory will be in the image that is captured.</p>

<h4>Acquisition</h4>

<p>To acquire an image containing the contents of memory, start by looking at the following two tools: <a href="http://www.shakacon.org/talks/NFI-Shakacon-win32dd0.3.pdf">WinDD by Matthieu Suiche</a> and <a href="http://www.mantech.com/MSMA/mdd.asp">MDD by ManTech International</a>. Both provide a CLI tool that can be incorporated into your preferred framework which can be used to create an image of the contents of physical memory prior to running additional tools. WinDD will create a raw dump or a crash dump file which can be analyzed with standard debugging tools like WinDbg from Microsoft. A commercial tool with a nice price point from HBGary called FastDump Pro acquires memory and includes probing features for malware analysis. The folks at HBGary state that <a href="https://www.hbgary.com/products-services/memory-forensics/fastdump/">Fastdump</a> has a lighter footprint than other tools and acquires the contents of <em>all</em> physical memory (a community version is available which works on 32-bit systems only).</p>

<h4>Analysis</h4>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_02-Dec.-15-19.54.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_02-Dec.-15-19.54.gif" alt="ScreenHunter_02 Dec. 15 19.54" title="ScreenHunter_02 Dec. 15 19.54" width="107" height="106" class="alignleft size-full wp-image-2371" /></a>Memory analysis has come a long way since running &#8220;strings&#8221; against an image created from a memory dump. <a href="http://www.certconf.org/presentations/2006/files/RB3.pdf">This presentation</a> notes how strings can produce 50 to 80 megabytes of unusable text from a 512MB memory dump. One exciting project, founded by <a href="https://www.volatilesystems.com/default/management">Aaron Walters</a>, is The Volatility Framework, an amazing collection of tools written in Python and used for analyzing memory dumps. With it, you can extract very specific data from the memory dump files obtained using the tools mentioned earlier (MDD, WinDD, etc). The screenshot shows how Volatility pulls the process list from a memory dump called mal.dmp. Notice the last process on the list is actually MDD.</p>

<div id="attachment_2375" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_03-Dec.-16-14.43.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_03-Dec.-16-14.43-300x241.gif" alt="Volatility Example" title="ScreenHunter_03 Dec. 16 14.43" width="300" height="241" class="size-medium wp-image-2375" /></a><p class="wp-caption-text">Volatility Example</p></div>

<p>Volatility can extract the following information:</p>

<ul>
<li>Image date and time</li>
<li>Running processes</li>
<li>Open network sockets</li>
<li>Open network connections</li>
<li>DLLs loaded for each process</li>
<li>Open files for each process</li>
<li>Open registry handles for each process</li>
<li>A process&#8217; addressable memory</li>
<li>OS kernel modules</li>
<li>Mapping physical offsets to virtual addresses (strings to process)</li>
<li>Virtual Address Descriptor information</li>
<li>Scanning examples: processes, threads, sockets, connections, modules</li>
<li>Extract executables from memory samples</li>
</ul>

<p>The framework is open source, fully written in python, and also modular in the use of plugins. <a href="http://mnin.blogspot.com/2009/12/new-and-updated-volatility-plug-ins.html">Michael Hale Ligh has produced some great plugins</a> including malfind2 which helps detect hidden/injected code in usermode processes. Here are some <a href="http://www.cc.gatech.edu/~brendan/volatility/">more plugins</a>, and <a href="http://jessekornblum.livejournal.com/246616.html">here is a plugin</a> that can help find TrueCrypt passphrases and suspicious processes.</p>

<h3>Registry</h3>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_04-Dec.-16-15.58.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_04-Dec.-16-15.58-150x150.gif" alt="ScreenHunter_04 Dec. 16 15.58" title="ScreenHunter_04 Dec. 16 15.58" width="75" height="75" class="alignleft size-thumbnail wp-image-2381" /></a>You wouldn&#8217;t spend time poking around in the registry during live analysis (many CLI tools, such as autorunsc.exe, will pull pertinent information automatically from the registry), but I wanted to include this section to talk about another great tool out there. This one is also by Harlan Carvey and is called <a href="http://regripper.net/">RegRipper</a>. RegRipper is intended for use against offline registry hive files to extract information from the registry helpful to your analysis. For example, you can extract data from the registry to determine USB disks previously used on the system or wireless networks joined. The examples are numerous and the use of plugins to extract particular keys and values for information make the tool very extensible. Harlan and many others have written various plugins for RegRipper.</p>

<h3>F-Response</h3>

<p><div id="attachment_2359" class="wp-caption alignleft" style="width: 74px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_01-Dec.-15-17.37.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_01-Dec.-15-17.37.gif" alt="F-Response" title="ScreenHunter_01 Dec. 15 17.37" width="64" height="58" class="size-full wp-image-2359" /></a><p class="wp-caption-text">F-Response</p></div>
F-Response gets a section of its own. It comes in several flavors (Enterprise, Consultant, Field Kit, and Tactical Editions). In a nutshell, F-Response provides a client executable to be launched on the target machine, which you then connect to with Microsoft&#8217;s iSCSI Initiator; the result is read-only access to the target&#8217;s physical drives across the network. On 32-bit Windows systems, physical memory can be presented the same way. The benefit is that you can run any tool that analyzes data on the hard drive remotely and in read-only mode, without installing your toolkit on the target. <a href="http://forensicir.blogspot.com/2008/04/ripping-registry-live.html">This video</a> demonstrates a target being inspected using F-Response and RegRipper.</p>

<h3>Disk Imaging</h3>

<p>There are many options for disk imaging, both live and offline. Here are some of the popular commercial suites:
<a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Picture1.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Picture1.jpg" alt="Picture1" title="Picture1" width="148" height="113" class="alignright size-full wp-image-2400" /></a></p>

<ul>
<li><a href="http://www.accessdata.com/forensictoolkit.html">FTK</a></li>
<li><a href="http://www.guidancesoftware.com/encase-portable.htm">EnCase</a></li>
<li><a href="http://www.techpathways.com/prodiscoverdft.htm">ProDiscover</a></li>
<li><a href="http://www.x-ways.net/forensics/">X-Ways Forensics</a></li>
<li>and more&#8230;</li>
</ul>

<p>Choose the platform that suits you, as each package has its benefits. Here, however, I will go over a method that uses the freely available dd.exe together with netcat. It is free, but it will not suit every situation, such as imaging a large disk within a fixed time window, and netcat provides neither encryption nor authentication on the wire, so run it over an isolated or trusted network segment.</p>

<p>You need a computer which will have netcat listening and retrieve the disk image. On this machine, run netcat with the following options:</p>

<p><code>nc.exe -l -p 8888 -w 5 &gt; diskimage.dd</code></p>

<p>The <code>-l</code> puts netcat in listen mode, <code>-p</code> specifies the port number (8888 in the example) and <code>-w</code> specifies the timeout, in seconds, for connects and final network reads. Be sure that if this host has a firewall enabled, the port you specify is open for incoming connections. Once the transfer finishes, compare the size of diskimage.dd against the size of the source drive before trusting the image; a dropped connection leaves a truncated file with no error at the listener.</p>

<p>On the workstation which you are taking a disk image from, you need to have dd.exe and nc.exe, which can be stored on a CD (such as Helix) or a USB thumb drive for use. If you are imaging an entire disk, you need the physical drive number for the dd command. In this example, we are imaging the OS drive, which is physical drive 0, and sending to a listening netcat instance created in the previous step, which has an IP address of 192.168.100.25:</p>

<p><code>dd if=\\.\PHYSICALDRIVE0 conv=noerror bs=1024 | nc.exe 192.168.100.25 8888</code></p>

<p>The <code>if</code> parameter specifies the input file to be imaged, in this case PHYSICALDRIVE0. <code>conv=noerror</code> tells dd to continue after read errors, and <code>bs=1024</code> sets the block size to 1024 bytes (1 KiB), not 1 megabyte; a larger block size (for example <code>bs=1048576</code>) makes the copy noticeably faster. Note that <code>noerror</code> on its own simply drops any block that fails to read, so every byte after it lands at the wrong offset in the image; adding <code>sync</code> (<code>conv=noerror,sync</code>) pads an unreadable block with zeros and keeps the offsets intact. Since no output file (<code>of</code>) is specified, the data goes to standard output, which we pipe into netcat to send to the listener at 192.168.100.25 on port 8888.</p>
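<p>The difference between <code>conv=noerror</code> and <code>conv=noerror,sync</code> is easier to see than to describe, so here is an added example (not code from the original post or from any dd port) that reproduces the two behaviours in Python. <code>FlakyDevice</code> is a constructed in-memory stand-in for a raw disk that fails on one block; the class and function names are mine, and a real acquisition would read <code>\\.\PHYSICALDRIVE0</code> (or <code>/dev/sda</code>) in its place.</p>

```python
import io


class FlakyDevice:
    """Constructed stand-in for a raw disk: serves `data` in order but raises
    an I/O error for any read that starts inside one of `bad_blocks`. Like a
    real drive it still moves past the bad sectors, so that data is lost."""

    def __init__(self, data, bad_blocks, bs):
        self._data = data
        self._bad = set(bad_blocks)
        self._bs = bs
        self._pos = 0

    def read(self, n):
        block_no = self._pos // self._bs
        if block_no in self._bad:
            self._pos += self._bs
            raise OSError(5, "Input/output error")
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        return chunk


def image_device(dev, out, bs=1024, sync=False):
    """Copy dev to out in bs-byte blocks, the way dd does.

    sync=False behaves like 'conv=noerror': an unreadable block is dropped and
    everything after it lands bs bytes earlier in the image than on the disk.
    sync=True behaves like 'conv=noerror,sync': the unreadable block is written
    as zeros so later offsets in the image still match the device.
    Returns (bytes_written, list_of_bad_block_numbers)."""
    block_no, written, bad = 0, 0, []
    while True:
        try:
            chunk = dev.read(bs)
        except OSError:
            bad.append(block_no)
            if sync:
                out.write(b"\x00" * bs)
                written += bs
            block_no += 1
            continue
        if not chunk:
            break
        out.write(chunk)
        written += len(chunk)
        block_no += 1
    return written, bad


BS = 16
# Constructed 8-block "disk": block 0 is all 'A', block 1 all 'B', ... block 7 all 'H'.
DISK = b"".join(bytes([ord("A") + i]) * BS for i in range(8))


def acquire(sync):
    """Image the constructed disk with block 3 ('D') unreadable.
    Returns (bytes_written, bad_blocks, image_bytes)."""
    out = io.BytesIO()
    written, bad = image_device(FlakyDevice(DISK, bad_blocks=[3], bs=BS), out, bs=BS, sync=sync)
    return written, bad, out.getvalue()


if __name__ == "__main__":
    for sync in (False, True):
        written, bad, image = acquire(sync)
        mode = "conv=noerror,sync" if sync else "conv=noerror"
        print(f"{mode}: {written} bytes written, bad blocks {bad}, "
              f"image block 4 starts with {image[4 * BS:4 * BS + 1]!r} (disk block 4 is b'E')")
```

<p>Without <code>sync</code> the image is 16 bytes short and block 4 of the image holds what was block 5 on disk, so any offset-based artifact (partition table entries, MFT record numbers, carved file locations) would point at the wrong place; with <code>sync</code> the image is full size, the bad block is zeros, and every other offset is preserved.</p>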

<h3>Evidence Handling</h3>

<p>A <a href="http://gcn.com/articles/2004/08/16/justice-issues-guidelines-for-handling-digital-evidence.aspx">Government Computer News article</a> on the Department of Justice&#8217;s digital evidence guidelines notes that because digital data is easily altered and it is difficult to distinguish between original data and copies, extracting, securing and documenting digital evidence requires special attention. The guidelines lay out the following general principles for handling digital evidence:</p>

<ol>
<li>The process of collecting digital evidence should not alter it or raise questions about its integrity.</li>
<li>Examination of digital evidence should be done by trained personnel.</li>
<li>All actions in processing the evidence should be documented and preserved for review.</li>
<li>Examination should be conducted on a copy of the original evidence. The original should be preserved intact.</li>
</ol>

<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/Mission-Statement-Image.jpg"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/Mission-Statement-Image-150x150.jpg" alt="Mission Statement Image" title="Mission Statement Image" width="150" height="150" class="alignleft size-thumbnail wp-image-2405" /></a></p>

<p>The numbering above is not meant to signify priority; it is just for discussing each point. Starting with number one, I&#8217;ve been a part of many discussions about which tools are admissible in a court of law, and the answer is that evidence collected in a reliable manner and obtained legally is admissible. The reliable manner is where the tool becomes important. For example, if you are a hobbyist developer and wrote a tool in Visual Studio to list processes, you can be challenged on the accuracy of the process list you collected. If you used pslist.exe from Sysinternals, verified the MD5 hash of the executable before running it, and properly tagged, timestamped, labeled, and handled its output, you would have a much better case in proving your process list is accurate and reliable.</p>

<p>Point number two specifies that trained personnel should be responsible for evidence examination. The point here is that being a systems administrator, or having related expertise in the operating system, is not equivalent to being &#8220;trained in forensic examinations&#8221;. Additionally, such internal IT resources may have difficulty being questioned and cross-examined in a court of law. Someone experienced specifically in digital forensics is better able to handle evidence and participate in the litigation.</p>

<p>Points three and four are related and involve documentation, and the processing and handling of the evidence. Every step taken in the analysis must be meticulously documented and timestamped, and you should have a standard, repeatable process for this. QCC, a UK-based firm, offers an editor-style <a href="http://www.qccis.com/?section=casenotes">application</a> called Forensic CaseNotes to assist in documenting and tracking your case notes. In addition to careful documentation, examination and analysis should be performed on duplicates. It is not a dramatic step to take the original hard disk, plus one additional hard disk containing an untouched block-by-block copy, and seal them in evidence bags marked with the time, date, who collected the drives, and identification numbers. A third hard disk with a block-by-block copy can then be used for the examination itself.</p>

<p>Proof of preservation is maintained with cryptographic hashing. In the exercise where we acquired an image of the hard disk, we can compute a hash of the image file as soon as it is created and log it in our case notes, then recompute it before each examination. If the image is altered, the hash changes and its integrity can be challenged. Output logs from the various tools run during an analysis should be hashed as well. MD5 is what most tools and case-note templates expect, but practical MD5 collision attacks have been public for years, so record a SHA-1 or SHA-256 digest alongside it rather than relying on MD5 alone.</p>
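<p>As an added example (my code, not part of the original post and not any vendor&#8217;s tool), the following Python builds a hash manifest for an acquired image and the tool output logs and later verifies it, reporting which files are unchanged, modified, or missing. The evidence files are constructed in a temporary directory; the file names, the <code>examiner</code> label and the manifest layout are my own choices.</p>

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 keeps compatibility with older case notes; SHA-256 is recorded alongside
# it because MD5 collisions are practical and a hash you cannot defend is no proof.
ALGORITHMS = ("md5", "sha256")


def hash_file(path, bs=1024 * 1024):
    """Stream the file once and return {algorithm: hexdigest} for every algorithm."""
    hashes = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(bs), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def build_manifest(paths, examiner):
    """Record who hashed what and when (UTC), plus size and digests per file."""
    return {
        "examiner": examiner,
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "files": {
            os.path.basename(p): dict(hash_file(p), size=os.path.getsize(p))
            for p in paths
        },
    }


def verify_manifest(manifest, directory):
    """Re-hash every file named in the manifest.
    Returns {filename: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for name, recorded in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        current = hash_file(path)
        results[name] = ("ok" if all(current[a] == recorded[a] for a in ALGORITHMS)
                         else "modified")
    return results


def demo():
    """Constructed evidence set: a tiny stand-in for diskimage.dd and one tool
    output log. A manifest is written and verified, then the log is edited and
    verified again. Returns (results_before_edit, results_after_edit)."""
    with tempfile.TemporaryDirectory() as case_dir:
        image = os.path.join(case_dir, "diskimage.dd")
        log = os.path.join(case_dir, "pslist-output.txt")
        with open(image, "wb") as fh:
            fh.write(b"\x00" * 4096)                 # constructed; not a real image
        with open(log, "w") as fh:
            fh.write("Name    Pid\nsmss    368\n")   # constructed tool output
        manifest = build_manifest([image, log], examiner="examiner-1")
        with open(os.path.join(case_dir, "manifest.json"), "w") as fh:
            json.dump(manifest, fh, indent=2)
        before = verify_manifest(manifest, case_dir)
        with open(log, "a") as fh:
            fh.write("notepad 1234\n")               # tampering after acquisition
        after = verify_manifest(manifest, case_dir)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before edit:", before)
    print("after edit: ", after)
```

<p>The manifest itself should be printed or copied into the case notes at acquisition time; a manifest that only ever lived on the analysis workstation can be edited along with the evidence and proves nothing.</p>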

<h3>Conclusion</h3>

<p>There is no conclusion to learning about digital forensics, as the world of analysis techniques evolves and continuously changes. New operating system releases (Windows 7 and 2008 R2), progress in anti-forensics technologies, and the growing sophistication of malware and rootkits continue to challenge forensic investigators. My purpose for this primer is to take some of the sensationalism out of the release of COFEE, and of DECAF to counter it, and instead look at some great forensic tools that are already out there and continue to grow.</p>

<h3>Updates</h3>

<p>The intention of this article was to reflect on some of the great tools that have been around and growing since long before any word of COFEE. I feel it&#8217;s important to understand what is available and how it works, but one thing I did not touch on is that the tools are just a subset of the overall <em><strong>process</strong></em>, and it is the process you use in your investigation that is critical to your analysis. Harlan provides some good examples of this in his latest <a href="http://windowsir.blogspot.com/2009/12/when-tool-is-just-tool-pt-i.html">blog entry</a>.</p>

<h3>References</h3>

<ul>
<li><a href="http://www.forensicfocus.com/">Forensic Focus</a></li>
<li><a href="https://www.volatilesystems.com/">Volatile Systems</a></li>
<li><a href="http://windowsir.blogspot.com/">Windows IR Blog</a></li>
<li><a href="http://www.forensicswiki.org/wiki/Main_Page">Forensics Wiki</a></li>
</ul>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/">The &#8220;Aurora&#8221; IE Exploit Used Against Google in Action</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/scareware-purveyors-spammers-and-crooks-take-advantage-of-haiti-earthquake/">Scareware Purveyors, Spammers, and Crooks Take Advantage of Haiti Earthquake</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/baidu-com-the-latest-victim-of-iranian-cyberarmy/">Baidu.com the Latest Victim of Iranian CyberArmy</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/01/junos-juniper-flaw-exposes-core-routers-to-kernal-crash/">JUNOS (Juniper) Flaw Exposes Core Routers to Kernel Crash</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/forensics-beverages-aside-a-look-at-incident-response-tools/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Regular or Decaf? Tool launched to combat COFEE</title>
		<link>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/</link>
		<comments>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 01:21:34 +0000</pubDate>
		<dc:creator>Simon Price</dc:creator>
				<category><![CDATA[Forensics]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Tools]]></category>
		<category><![CDATA[windows]]></category>
		<category><![CDATA[anti-forensics]]></category>
		<category><![CDATA[cofee]]></category>
		<category><![CDATA[decaf]]></category>
		<category><![CDATA[Microsoft]]></category>

		<guid isPermaLink="false">http://praetorianprefect.com/?p=2250</guid>
		<description><![CDATA[

About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_07-Dec.-14-16.32.gif" alt="ScreenHunter_07 Dec. 14 16.32" title="ScreenHunter_07 Dec. 14 16.32" width="150"  class="alignleft size-full wp-image-2265" /></a></p>

<p>About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave <a href="http://praetorianprefect.com/archives/2009/11/more-cofee-please-on-second-thought/">my two cents</a> about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly named DECAF, has been released as an anti-forensics tool to prevent the use of COFEE for data collection.</p>

<p>&#8220;We want to promote a healthy unrestricted free flow of internet traffic and show why law enforcement should not solely rely on Microsoft to automate their intelligent evidence finding,&#8221; one of the two hackers behind Decaf <a href="http://www.theregister.co.uk/2009/12/14/microsoft_cofee_vs_decaf">told The Register</a> in explaining the objective of the project.</p>

<h3>DECAF Details</h3>

<p>DECAF is written in Visual Basic 2005 and consists of a single executable and an XML configuration file called decaf.exe.config, which contains the application settings (a second XML file is also created in each user&#8217;s profile directory for that user&#8217;s specific settings).</p>

<p>When launched, it displays the user license agreement and asks for confirmation. Once accepted, it writes the following registry entry:</p>

<p>Key: <code>HKU\SOFTWARE\DECAFme</code><br />
Value: <code>AcceptedEULA</code><br />
Data: <code>true</code></p>

<p>The program then connects via HTTP to 208.68.237.165 to check the current version number and receives the following response:
<code>1.0.0|http://www.decafme.org/|</code></p>

<p>If the application does not have a network connection, it will crash upon starting up with the following event:</p>

<pre><code>EventType clr20r3, P1 decaf.exe, P2 1.0.2.0, P3 4b2679b7, P4 decaf,
 P5 1.0.2.0, P6 4b2679b7, P7 115, P8 14d, P9 
system.invalidoperationexception, P10 NIL.
</code></pre>

<div id="attachment_2277" class="wp-caption alignright" style="width: 130px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_11-Dec.-14-18.34.gif" alt="Decaf Menu" title="ScreenHunter_11 Dec. 14 18.34" width="120" height="148" class="size-full wp-image-2277" /></a><p class="wp-caption-text">Decaf Menu</p></div>

<p>I produced this initially when I had my virtual host&#8217;s network interface disabled.</p>

<p>Starting the monitor puts the application in detection mode, looking for the presence of COFEE. It waits for the launch of runner.exe, the launcher in COFEE, and will perform an action based on the configuration settings. It appears the tool checks the MD5 hash of runner.exe (ab9e68c7e71ebb2d6a5b8d17e9bd6b33). In addition to detecting the launch of runner.exe, the tool performs a WMI query to detect the COFEE USB thumb drive. The WMI query used for this type of action is:</p>

<p><code>SELECT * FROM __InstanceOperationEvent WITHIN 10 WHERE TargetInstance ISA "Win32_DiskDrive"</code></p>

<p>And since the thumb drive has the COFEE label, finding its presence should not be an issue.</p>

<div id="attachment_2302" class="wp-caption aligncenter" style="width: 510px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/ScreenHunter_12-Dec.-14-18.43.gif" alt="Notification finding COFEE" title="ScreenHunter_12 Dec. 14 18.43" width="500" class="size-full wp-image-2302" /></a><p class="wp-caption-text">Notification finding COFEE</p></div>

<p>When COFEE is found, a notification is sent over to decafme.org (note I changed the rip field to invalid IP addresses):</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_050704PM-5&amp;sim=false HTTP/1.1</code></p>

<p>When clicking Simulate, it mimics what <em>would</em> happen if COFEE were found, and the sim field is set to true:</p>

<p><code>GET /decaf.php?&amp;rip=299.297.141.45&amp;rtime=12142009_051522PM-5&amp;sim=true HTTP/1.1</code></p>
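<p>From the investigator&#8217;s side, the version check and the notification beacon are the two network artifacts that give DECAF away. Here is an added example (my code, not part of the original post and nothing DECAF ships) that picks both out of web-proxy logs and decodes the notification fields. The log lines are constructed; the version-check path is not given in the post, so that request is matched on the host alone; and the layout of <code>rtime</code> (MMDDYYYY_HHMMSS, AM/PM, then the UTC offset in hours) is my reading of the captured value and is an assumption.</p>

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# From the post: the version check goes to this address, the notification to decafme.org.
DECAF_VERSION_HOST = "208.68.237.165"
DECAF_NOTIFY_DOMAIN = "decafme.org"
NOTIFY_PATH = "/decaf.php"
VERSION_REPLY_RE = re.compile(r"^(\d+\.\d+\.\d+)\|(https?://[^|]+)\|$")
# Assumed rtime layout: MMDDYYYY_HHMMSS, AM/PM, UTC offset in hours.
RTIME_RE = re.compile(r"(\d{8})_(\d{6})(AM|PM)([+-]\d{1,2})")
# Constructed proxy log format: client - - [timestamp] "METHOD URL HTTP/x" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version_reply(body):
    """'1.0.0|http://www.decafme.org/|' -> {'version': '1.0.0', 'url': ...}, else None."""
    m = VERSION_REPLY_RE.match(body.strip())
    return {"version": m.group(1), "url": m.group(2)} if m else None


def parse_rtime(value):
    """'12142009_050704PM-5' -> aware datetime 2009-12-14 17:07:04-05:00 (assumed layout)."""
    m = RTIME_RE.fullmatch(value)
    if not m:
        return None
    local = datetime.strptime(m.group(1) + m.group(2) + m.group(3), "%m%d%Y%I%M%S%p")
    return local.replace(tzinfo=timezone(timedelta(hours=int(m.group(4)))))


def classify_request(url):
    """Describe a DECAF request, or return None for unrelated traffic."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    notify_host = host in (DECAF_VERSION_HOST, DECAF_NOTIFY_DOMAIN) or host.endswith("." + DECAF_NOTIFY_DOMAIN)
    if parts.path == NOTIFY_PATH and notify_host:
        q = parse_qs(parts.query)  # the leading '?&' yields an empty field, which parse_qs drops
        sim = q.get("sim", [""])[0].lower() == "true"
        return {
            "kind": "simulation" if sim else "cofee_detected",
            "reported_ip": q.get("rip", [None])[0],
            "reported_time": parse_rtime(q.get("rtime", [""])[0]),
        }
    if host == DECAF_VERSION_HOST:
        return {"kind": "version_check"}
    return None


def scan_log(text):
    """Return one record per DECAF request found in the proxy log text."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url, _status = m.groups()
        info = classify_request(url)
        if info:
            hits.append(dict(info, client=client))
    return hits


# Constructed sample log: one version check, one unrelated request, one real
# detection and one simulated one, all from the same workstation.
SAMPLE_LOG = """\
10.0.0.7 - - [14/Dec/2009:17:05:10 -0500] "GET http://208.68.237.165/ HTTP/1.1" 200
10.0.0.7 - - [14/Dec/2009:17:06:01 -0500] "GET http://www.microsoft.com/ HTTP/1.1" 200
10.0.0.7 - - [14/Dec/2009:17:07:05 -0500] "GET http://www.decafme.org/decaf.php?&rip=299.297.141.45&rtime=12142009_050704PM-5&sim=false HTTP/1.1" 200
10.0.0.7 - - [14/Dec/2009:17:15:23 -0500] "GET http://www.decafme.org/decaf.php?&rip=299.297.141.45&rtime=12142009_051522PM-5&sim=true HTTP/1.1" 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

<p>A <code>cofee_detected</code> record is the interesting one: its <code>reported_time</code> tells you when the machine believed COFEE was plugged in, which is the moment its lockdown actions (network disabled, processes killed, event logs cleared) would have started, so it is the point from which any gap in the host&#8217;s own logs should be explained.</p>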

<h3>The Configuration Menu</h3>

<div id="attachment_2312" class="wp-caption alignright" style="width: 310px"><a href="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode.png"><img src="http://praetorianprefect.com/wp-content/uploads/2009/12/lockdown_mode-300x252.png" alt="Lockdown Settings" title="lockdown_mode" width="300" height="252" class="size-medium wp-image-2312" /></a><p class="wp-caption-text">Lockdown Settings</p></div>

<p>In the configuration menu, there are checkboxes in the Monitor section to &#8220;Monitor USB&#8221; and &#8220;Monitor COFEE&#8221;. As discussed, these options enable checking for runner.exe and detection of the USB thumb drive. The Notification section contains options for notifying the user when detection occurs. The Actions section is the interesting part, especially editing the Lockdown Mode. Here, you can set what happens when detection occurs. Some of the options are:</p>

<ul>
<li>Shutdown the system</li>
<li>Kill selected processes</li>
<li>Disable Network, USB, CD-ROM, ports, floppy</li>
<li>Clear event viewer</li>
<li>Erase Data</li>
</ul>


<p>The per-user configuration settings are stored in an XML file under the user&#8217;s local application data directory (the path below is from Windows XP; Vista and later expose the same location as <code>%LOCALAPPDATA%</code>):</p>

<p><code>%USERPROFILE%\local settings\application data\DECAFme.org\Decaf.exe_Url_5fokqfogt1qso5vyeabunvhsigozqvpo\1.0.2.0</code></p>

<p>If the config for the user does not exist, the default in the launch directory is used.</p>

<h3>Conclusion</h3>

<p>When I first heard of the tool, I assumed it would also detect the default OS commands and Sysinternals utilities that COFEE typically runs, such as pslist.exe or tcpvcon.exe; however, in its current version this is not the case. An anti-forensics tool that expands into detecting the typical collection tools would affect investigations that use any of the common toolkits (Helix, IRCR, etc.), not just COFEE. However, as quoted by The Register, the DECAF brewers&#8217; intention is not to derail every collection suite, but to push law enforcement to expand beyond what Microsoft provides them.</p>

<p>This version of DECAF is still very bitter and has quite a way to go in its development. The authors are promising a more lightweight version or a Windows service in the next release, and text message and email triggers to enter lockdown mode remotely in future versions. Even so, DECAF is a good example of how anti-forensic tools continue to evolve and can become serious roadblocks for digital forensic investigators.</p>

<h3>Updates</h3>

<p>The authors of Decaf have shut down the project and have said they are starting a forum for those interested in further discussing related matters. Considered a spoof, stunt, hoax, and many other names in the media, we have discussed the matter in the <a href="http://praetorianprefect.com/archives/2009/12/reactivating-decaf-in-two-minutes/">following post</a>.</p>

<p><strong>Related Posts:</strong></p>
<ul>
<li><a href="http://praetorianprefect.com/archives/2010/06/iphone-4-ordering-and-session-switching/">iPhone 4 Ordering and Session Switching</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/05/mays-patch-tuesday/">May&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/04/winpe-3-0-forensics/">WinPE 3.0 &#038; Forensics</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/3473/">March&#8217;s Patch Tuesday</a></li>
<li><a href="http://praetorianprefect.com/archives/2010/03/press-f1-for-help-pwned/">Press F1 for Help, pwned.</a></li>
</ul><br />
]]></content:encoded>
			<wfw:commentRss>http://praetorianprefect.com/archives/2009/12/regular-or-decaf-tool-launched-to-combat-cofee/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
	</channel>
</rss>
