Wilders Security Forums  

  #1  
Old December 15th, 2009, 11:02 AM
snowdrift snowdrift is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 394
Default Hackers Brew Self-Destruct Code to Foil Police Forensics

http://feeds.wired.com/~r/wired/inde...kY/decaf-cofee
  #2  
Old December 15th, 2009, 11:03 AM
snowdrift snowdrift is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 394
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Detect and Eliminate Computer Assisted Forensics (DECAF)

http://www.decafme.org/
  #3  
Old December 15th, 2009, 11:10 AM
snowdrift snowdrift is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 394
Thumbs up Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Three words:

Full. Disk. Encryption.
  #4  
Old December 15th, 2009, 02:12 PM
I no more I no more is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 358
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics



Ho hum. Let's see. Obstruction. Tampering. Contributing to the overall appearance of guilt. And all around pointless.

Let's see. Did I miss anything? Oh yeah. It doesn't even cover the biggest weakness of WDE, which is the memory attack problem.
  #5  
Old December 15th, 2009, 02:49 PM
Searching_ _ _ Searching_ _ _ is offline
Very Frequent Poster
 
Join Date: Jan 2008
Location: iAnywhere
Posts: 1,988
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Which charge would be scarier to face?
1. Obstructing an investigation.
2. Conspiring to commit bank fraud.

If I had to face being charged, I would choose #1 over #2.
There is a 10 or more year difference.

Using such a program as anti-forensic only proves you are paranoid, not criminal.
__________________
Americans are the enemy? Mil. can arrest you?
What the heck is going on?
  #6  
Old December 15th, 2009, 03:01 PM
I no more I no more is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 358
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by Searching_ _ _
Which charge would be scarier to face?
1. Obstructing an investigation.
2. Conspiring to commit bank fraud.

If I had to face being charged, I would choose #1 over #2.
There is a 10 or more year difference.

Using such a program as anti-forensic only proves you are paranoid, not criminal.

If you're that paranoid, then you've already encrypted your disk, thus rendering everything this program can offer redundant and pointless. snowdrift already pointed this out.

Unless you can name something that this can do better than WDE.

Quote:
Contributing to the overall appearance of guilt.

The stated burden of proof in criminal matters in the US is "beyond a reasonable doubt." The real standard is closer to the preponderance of evidence (i.e. which side is more likely correct). When you use a program that's designed specifically to defeat computer forensics, you might as well reserve yourself a jail cell. That's where you're headed. Not only for obstruction and tampering but also for the original charge. You're just adding jail time.
  #7  
Old December 15th, 2009, 03:56 PM
I no more I no more is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 358
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Let me add something else.

Don't put it past law enforcement to create software like this to entrap people "colorful" enough to use it. They know when you go to court with this on your computer, they've got you by the "horns". Don't be a "noodle".


*words in quotations are substitutions for what I really wanted to say
  #8  
Old December 15th, 2009, 07:35 PM
noone_particular noone_particular is offline
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,876
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

A lot of what that software does can be done with batch files. I have several that use the Eraser 5.7 launcher component. The batch files not only overwrite the items I want eliminated, they also overwrite themselves. Users who are concerned about eliminating usage tracks, "evidence", and apps supposedly used for questionable purposes should master the use of command line, scripts and batch files. They can be used to launch and send instructions to most any application or utility and be used to run apps in sequence. The only limits are your imagination.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #9  
Old December 16th, 2009, 10:25 AM
axle00 axle00 is offline
Regular Poster
 
Join Date: Jun 2008
Posts: 92
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by I no more than U


Ho hum. Let's see. Obstruction. Tampering. Contributing to the overall appearance of guilt. And all around pointless.

Let's see. Did I miss anything? Oh yeah. It doesn't even cover the biggest weakness of WDE, which is the memory attack problem.


This is a joke right!??
  #10  
Old December 16th, 2009, 10:44 AM
I no more I no more is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 358
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by axle00
This is a joke right!??

Not at all. But since you didn't specify which part you think is a joke, I guess I'll have to elaborate about all of it.

The program is called "Detect and Eliminate Computer Assisted Forensics". It's designed specifically to thwart police forensic techniques. It doesn't just do a one-time thing when you tell it to. It waits for the police forensic device to be used, it detects it, then it starts destroying "evidence".

If you think that the police are going to knock on your door, examine your computer, then call it quits because DECAF saved your butt, you're in for a surprise. Really. Don't expect the charges to be only limited to obstruction and tampering because this device did such a good job. The jury is going to eat up every word about how the evil hacker thwarted the police with this advanced tool designed specifically to keep them from doing their job.

I ask you again to look at the title and look at the description and think about what an ignorant (they all are) jury is going to think. This forum and the real world are two very different places.
  #11  
Old December 16th, 2009, 01:06 PM
snowdrift snowdrift is offline
Frequent Poster
 
Join Date: Sep 2007
Posts: 394
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.

http://tech.slashdot.org/story/09/12...ith-Some-DECAF
  #12  
Old December 16th, 2009, 05:51 PM
Nebulus Nebulus is offline
Frequent Poster
 
Join Date: Jan 2007
Posts: 803
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Reality check, people. If the police use COFEE on your computer, they won't just come to you, ask you to let them run a little program from their USB stick and then say goodbye. After they collect all LIVE forensic data, they will probably turn off your computer and take it with them to make an EnCase image of your HDD. When they analyze that image, they will find DECAF, and at this moment, I have to agree with "I no more than U": you are toast.
  #13  
Old December 18th, 2009, 03:37 AM
lordraiden lordraiden is offline
Very Frequent Poster
 
Join Date: Jan 2006
Posts: 2,195
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

http://www.decafme.org/

Join now xD
__________________
Comodo Internet Security (No AV)
ZeroVulnerabilityLabs ExploitShield | Trusteer Rapport | TrueCrypt | EMET | Secunia PSI
Firefox: Addon security and privacy collection: https://addons.mozilla.org/en-us/fir...den/favorites/
  #14  
Old December 18th, 2009, 11:52 AM
axle00 axle00 is offline
Regular Poster
 
Join Date: Jun 2008
Posts: 92
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by I no more than U
Not at all. But since you didn't specify which part you think is a joke, I guess I'll have to elaborate about all of it.

The program is called "Detect and Eliminate Computer Assisted Forensics". It's designed specifically to thwart police forensic techniques. It doesn't just do a one-time thing when you tell it to. It waits for the police forensic device to be used, it detects it, then it starts destroying "evidence".

If you think that the police are going to knock on your door, examine your computer, then call it quits because DECAF saved your butt, you're in for a surprise. Really. Don't expect the charges to be only limited to obstruction and tampering because this device did such a good job. The jury is going to eat up every word about how the evil hacker thwarted the police with this advanced tool designed specifically to keep them from doing their job.

I ask you again to look at the title and look at the description and think about what an ignorant (they all are) jury is going to think. This forum and the real world are two very different places.

I thought you were referring to the post immediately above yours which said "full disk encryption".
  #15  
Old December 18th, 2009, 01:54 PM
I no more I no more is offline
Frequent Poster
 
Join Date: Sep 2009
Posts: 358
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by axle00
I thought you were referring to the post immediately above yours which said "full disk encryption".

Yeah, that makes sense. I should have quoted.
  #16  
Old December 20th, 2009, 11:05 AM
stap0510 stap0510 is offline
Regular Poster
 
Join Date: Aug 2008
Posts: 104
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by snowdrift
Three words:

Full. Disk. Encryption.

Yep, it beats every kind of computer forensics, rendering it useless.
Also given that the FDE software you use doesn't have an end-user and a master password.
McAfee FDE enterprise solution has this, for example.
  #17  
Old December 20th, 2009, 11:11 AM
stap0510 stap0510 is offline
Regular Poster
 
Join Date: Aug 2008
Posts: 104
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Also, it only addresses COFEE, while most LEA forensic specialists that I know personally use FTK.
And besides FTK, another big brand that has existed for at least a decade is also being used by LEA, whose name I've forgotten.
  #18  
Old December 21st, 2009, 04:08 AM
hierophant hierophant is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 854
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

OK, he thinks, "what's FTK?". OK, he sees that it's from AccessData Corp. And then he reads about Enterprise 3.0, "[t]he industry’s first enterprise investigations platform to enable the remote search of memory on computers across the network" <http://www.accessdata.com/downloads/media/ad_enterprise_3-0.pdf>.

FMHBJ! I wonder WTF it's gotta install on targets to do that.
  #19  
Old December 21st, 2009, 10:47 AM
Meriadoc Meriadoc is offline
Very Frequent Poster
 
Join Date: Mar 2006
Location: Cymru
Posts: 2,642
Default Re: Hackers Brew Self-Destruct Code to Foil Police Forensics

Quote:
Originally Posted by snowdrift
Three words:

Full. Disk. Encryption.

Quote:
FTK
I've had the pleasure of using FTK (version 3) and it is a very nice tool; it really simplifies the output in respect of categorizing views. The best place to have a look at FTK is the AccessDataCorp YouTube videos.
__________________
Who controls the past controls the future
Who controls the present controls the past

vmworld
 
