The for Detect and Eliminate Computer Assisted Forensics (DECAF) counter intelligence tool was specifically created around the obstruction of the well known Microsoft product Computer Online Forensic Evidence Extractor (COFEE) used by law enforcement around the world. From the DECAF About page:
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moments notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
DECAF can perform the following things to effectively complicate the forensics process:
This tool was designed specifically to combat COFEE but could be updated in the future with more advanced features. One thing that I do not believe this tool is able to do, at this time, is alter the MAC times of files. This tool may fool, or at least complicate, the analysis performed by automated tools, but using proven timeline analysis techniques as a starting point should continue to be an effective first step in the forensic analysis process.
The DECAF tool can be found here. I encourage you to download it and see how much it changes your own forensic analysis techniques.