Wednesday, December 30, 2009

DECAF is Back


Hey folks, today I want to report on the DECAF history:

We originally pulled the app because of legal pressure. Since DECAF v1 originally set out to restrict forensic extractions made by Microsoft COFEE, it raised major concerns about its ethical nature and its potential to disrupt criminal investigations. By disabling the application, we freed ourselves from any damage that might have happened in the event DECAF v1 was used to block forensic examiners from extracting data. We used the words "publicity stunt" because when we pulled DECAF v1 offline and disabled the applications, we had a lot of media attention. We decided to use that channel to raise awareness for better security and more privacy tools.

After the interview with Cyberspeak, we had a nice long phone conversation. During that time, they informed me of my hazardous circumstances and gave me excellent advice: take DECAF down. Of course, if you know anything about them over at Cyberspeak, you would know they are very intelligent about more than just forensics. They are pretty well versed in federal statutes. It would be silly of me to think that I knew more than them, so I followed their advice and pulled the app.

As you know, this caused major conflict in the underground scene. We started getting denial-of-serviced, flamed on forums, and SoldierX even did a pretty good job re-activating DECAF v1. We are definitely not mad at SoldierX for that; can you blame them? Everyone wants privacy. Not to mention DECAF v2 was already cookin' in the kitchen, so it was only a bit of time before it would be released.

Now I want to address the phone home feature in DECAF v1. As you know, we were going to tailor the app towards the p2p private tracking scene. We were going to use the phone home feature to notify private tracker admins of a seeder/node who had COFEE run on his/her machine. This feature was not complete before release, but we did have it semi-working, hence the COFEE usage reporting. Some saw this as a privacy issue, and from that perspective I can see why. We decided v2 will not report usage back. We also do not perform automated version checking.

The disabling of v1 was NOT a hook in the application. It was bad coding. I did not use a try/catch on the version checking, so if it failed, the app failed. Of course the app was only coded in a 1-2 day timeframe, so can you blame me? Bad practice I guess. Anyhow, when I adjusted the version check on the server side, it caused the application to return a null string, causing an unhandled exception.

Version 2 is finished. We are now monitoring Microsoft COFEE, Helix, EnCase, Passware, Elcomsoft, FTK Imager Port, Forensic Toolkit, ISOBuster, and ophcrack. We also give the user the ability to add their own custom signatures. We have also added CD-Rom monitoring. We no longer execute a "self destructive lock-down mode" but rather give the user the ability to execute files, to disable the device where the signatures were found, and start-up in monitor mode.
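The statement above explains how v1 died: a remote version check with no exception handling, so a null reply from the server became an unhandled exception and the whole application went down. That is a general lesson for any client that phones a server on start-up, since an unprotected remote check is a single point of failure (and, for whoever controls the server, a remote kill switch). The following is an added example, not DECAF code, showing the fail-safe pattern: the network call and the parsing are contained in one function that never raises into the caller, an empty or malformed reply yields "unknown" instead of a crash, and the application keeps running on its local version. The fetch callback, the dotted version format and the sample replies are assumptions made for illustration.

```python
"""Fail-safe handling of a remote version check (illustrative, not DECAF's code)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed wire format: a plain dotted version such as "2.0" or "1.0.3".
VERSION_RE = re.compile(r"^\d+(\.\d+){0,2}$")


@dataclass
class VersionStatus:
    outcome: str            # "current", "outdated" or "unknown"
    local: str              # the version the running application ships with
    remote: Optional[str]   # cleaned server reply, or None if unusable
    reason: str = ""        # why the outcome is "unknown", for the log


def parse_version(text: Optional[str]):
    """Return a 3-tuple of ints, or None if text is not a plain dotted version.

    None, "", whitespace, HTML error pages and anything else that is not
    digits-and-dots all come back as None rather than raising.
    """
    if text is None:
        return None
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))   # pad so "2" == "2.0.0"


def check_version(local: str, fetch: Callable[[], Optional[str]]) -> VersionStatus:
    """Compare the local version with whatever fetch() returns from the server.

    fetch() performs the network request; every failure mode (exception,
    null reply, garbage reply) is contained here so the caller always gets
    a VersionStatus and decides policy on "unknown" itself.
    """
    try:
        raw = fetch()
    except Exception as exc:  # network down, timeout, TLS error, ...
        return VersionStatus("unknown", local, None,
                             f"fetch failed: {exc.__class__.__name__}")
    remote = parse_version(raw)
    if remote is None:
        return VersionStatus("unknown", local, None, f"unparseable reply: {raw!r}")
    mine = parse_version(local)
    if mine is None:
        return VersionStatus("unknown", local, raw.strip(), "local version malformed")
    outcome = "outdated" if remote > mine else "current"
    return VersionStatus(outcome, local, raw.strip(), "")


def failing_fetch() -> Optional[str]:
    """Constructed stand-in for a server that refuses the connection."""
    raise ConnectionError("connection refused")


if __name__ == "__main__":
    # Constructed replies standing in for the server; none of them crash the client.
    for label, fetch in [("null reply", lambda: None),
                         ("empty reply", lambda: ""),
                         ("error page", lambda: "<html>500</html>"),
                         ("refused", failing_fetch),
                         ("newer", lambda: "2.0\n")]:
        print(label, "->", check_version("1.0", fetch))
```

The policy decision stays with the caller: a client that cannot reach its update server should log the reason and carry on, which is exactly the behaviour the v1 code lacked.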

Thank you, DECAF team, for your amazing job; I really appreciate your effort. Now, may I ask you a question: what about the source code? Is it available?

Here is the direct link (no ads) to DECAF

1 comment:

Anonymous said...

I honestly do not understand why you would want to monitor IsoBuster? IsoBuster is your life saver in many cases ... so why block it out?