In an earlier post I mentioned COFEE, the computer forensics tool developed by Microsoft, which has since leaked onto the Internet. Now there is already a counter-forensics tool aimed specifically at it; that is quick work indeed.
From decafme.org:
DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes, including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown Mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
