Computer forensic and auditing tool is used by law enforcement agency to gather and extract information, traces and usage evidences from a computer. One such tool is COFEE (Computer Online Forensic Evidence Extractor), a USB key flash drive-based application which is provided for free by Microsoft to police and investigators around the world.

However, there may be chance that hackers and people with malicious intents uses the COFEE computer forensic tool as a backdoor to access and track private or sensitive data, temporary files, online activity traces, browsing histories and decrypted passwords. Most anti-virus, anti-spyware or anti-malware probably won’t detect and show the forensic utility as a threat.

For users who want to be informed when such a forensic tool is been used or applied on the computer, DECAF is a light-weight application anti-COFEE tool that can detect and sabotage the COFEE suite of forensic utilities, which bundles more than 150 point-and-click tools to college digital evidence at crime scenes.

DECAF works by comparing against signature of COFEE application files or processes. When a USB stick or USB flash drive running COFEE is inserted or plugged into the computer’s USB port, DECAF can detect the presence of COFEE, and automatically execute a series of pre-configured countermeasures. The actions that can be taken include nuke and remove temporary files created by COFEE, clear all COFEE logs, disable USB drives, contaminate or spoof a variety of MAC addresses. Features that currently developers working on include ability to remotely lock down protected system on detection of COFEE.

DECAF can be downloaded from, and click on Download link.