The misinformation on DECAF being shut down and a hoax is alarming and the quality of reporting on this security topic actually worse than usual. Earlier tonight we noticed this update from @slashdot on Twitter: “DECAF Was Just a Stunt, Now Over”, along with this: “Anti-COFEE tool taken down & d/l’ed copies disabled.”. Ok, fair enough, releasing DECAF was a stunt according to its two creators. But then we saw this train wreck of an article by Nick Eaton, the Microsoft Reporter over at the Seattle PI Blogs. So now we’re going to respond, because the incorrect DECAF as a big hoax story, a tool that supposedly never worked, is propagating through the Intertubes. DECAF was a working tool that can be easily re-enabled, because the shut down appears to only be a call back to decafme.org that is now disabled, but is easily spoofed, and we’ll demonstrate how.
In November, Microsoft’s forensics tool called COFEE (Computer Online Forensic Evidence Extractor) was leaked on torrents for download. The news coverage was much hype about nothing, as many free tools already out there exceed COFEE in features and functionality.
About a month ago, there was much news about the release of COFEE into the torrent wild. I even gave my two cents about the much hyped forensics toolkit which is provided to law enforcement for the purposes of easily capturing volatile data from personal computers during evidence collection. A tool to counter COFEE, aptly [...]