Hackers Counter Microsoft COFEE With Some DECAF
An anonymous reader writes "Two developers have created 'Detect and Eliminate Computer Assisted Forensics' (DECAF). The tool tries to stop Microsoft's Computer Online Forensic Evidence Extractor (COFEE), which helps law enforcement officials grab data from password-protected or encrypted sources. After COFEE was leaked to the Web, Microsoft issued takedown notices to sites hosting the software." The article notes that DECAF is not open source, so you aren't really going to know for sure what it will do to your computer.
So it is actually perfectly reasonable that they used autorun given that it runs stuff even when the screen is locked.
Yeah, it does... in Windows 95.
What if someone actually wanted to secure a VM with this app?
I assume a program could detect if it's running in a VM by checking hardware and matching it with known VM configurations?
But anyone who's really serious about security shouldn't be running Windows anyway, even with full-disk encryption. What I'm interested in is seeing how COFEE presumably executes with admin privileges on a locked Windows PC with no user input - the technique could be used to make a "super switchblade," especially if it can run on Vista/7, which aren't as vulnerable to these attacks. I'd imagine COFEE uses some secret backdoor.
"When information is power, privacy is freedom" - Jah-Wren Ryel