DECAF – Detect Computer Forensic and Auditing Tool (Anti-COFEE)

Microsoft developed COFEE (Computer Online Forensic Evidence Extractor), a USB flash drive-based computer forensic and auditing tool that is available to law enforcement agencies. The software is free to police forces around the world and helps them access details about crimes such as identity theft, online fraud, child pornography and illegal file sharing before criminals can wipe the information.

However, a few months back Microsoft admitted that COFEE had been leaked on the internet and was available for download by anyone. This is serious, as hackers and people with malicious intent may use COFEE to track and access private data, temporary files, online activity traces, browsing histories and decrypted passwords.

DECAF is an anti-COFEE application that works by comparing files and processes against signatures of the COFEE application. When a USB flash drive running COFEE is plugged into the computer’s USB port, DECAF can detect COFEE. DECAF will then nuke and remove temporary files created by COFEE, clear all log files created, disable USB drives, and contaminate or spoof a variety of MAC addresses.

You can download DECAF from Just click on the DOWNLOADS link and download the file. After downloading, extract and run DECAFv2.exe and load signatures.dat.

Disclaimer: This article is meant for educational purposes only.

