Last November, the code for Microsoft’s COFEE (Computer Online Forensic Evidence Extractor) forensics tool was leaked to the Internet. COFEE is distributed free to law enforcement agencies all over the world and is used to gather digital evidence from computers seized in connection with criminal activity. Microsoft does not make it available to anyone outside the law enforcement community.
Then in December, several sites reported on the release of software called DECAF that could detect the presence of COFEE, delete its files and kill its processes, and clear its log files. You can read more about DECAF here:
On December 18, that first version was pulled by its makers and labeled a fake. Now a new version, DECAF 2, is out. The new version doesn’t limit itself to COFEE; it also detects other forensics software, including EnCase, Helix, Forensic Toolkit and more. The DECAF developers say the first version did work and was removed because of legal concerns, and that they were trying to raise awareness of the need for “better security and more privacy tools.”