反取证软件DECAF(全名是Detect and Eliminate Computer Assisted Forensics，检测和清除计算机法庭科学证据提取器)。DECAF程序只有181KB，它能删除COFEE的临时文件，杀死其进程，抹掉COFEE 的所有log，禁用USB，为了让COFEE无法追踪它甚至能制造出多种多样的欺骗性的MAC地址。需要提醒的是，DECAF没有提供源代码，所以我们并 不知道它到底对计算机干了什么。DECAF的开发者声称，未来的版本将允许电脑用户通过电子邮件或短消息远程关闭电脑，如果探测到电脑落入执法机关之手的 话。如果情况紧急它还能向同伴发出警告通知。
From decafme.org ：
DECAF is a counter intelligence tool specifically created around the obstruction of the well known Microsoft product COFEE used by law enforcement around the world.
DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.
DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moments notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE's presence by sending the application into a 'Spill the cofee' type mode. Simulation gives the user an opportunity to test his or her configuration before going live.
Future versions will have text message and email triggers so in case the computer needs to enter into lockdown mode the user can do it remotely. It will also have notification services where in the case of an emergency, someone can be notified (private torrent tracker admins). DECAF's next release is going to be available in a more light-weight version and/or a windows service.