The Carnivore Process

Now that you know a bit about what Carnivore was, let's take a look at how it worked:

The FBI has a reasonable suspicion that someone is engaged in criminal activities and requests a court order to view the suspect's online activity. A court grants the request for a full content-wiretap of e-mail traffic only and issues an order.

A term used in telephone surveillance, "content-wiretap" means that everything in the packet can be captured and used. The other type of wiretap is a trap-and-trace, which means that the FBI can only capture the destination information, such as the e-mail account of a message being sent out or the Web-site address that the suspect is visiting. A reverse form of trap-and-trace, called pen-register, tracks where e-mail to the suspect is coming from or where visits to a suspect's Web site originate.

The FBI contacts the suspect's ISP and requests a copy of the back-up files of the suspect's activity. The FBI sets up a Carnivore computer at the ISP to monitor the suspect's activity. The computer consists of:

  • A Pentium III Windows NT/2000 system with 128 megabytes (MB) of RAM
  • A commercial communications software application
  • A custom C++ application that works in conjunction with the commercial program above to provide the packet sniffing and filtering
  • A type of physical lockout system that requires a special passcode to access the computer (This keeps anyone but the FBI from physically accessing the Carnivore system.)
  • A network isolation device that makes the Carnivore system invisible to anything else on the network (This prevents anyone from hacking into the system from another computer.)
  • A 2-gigabyte (GB) Iomega Jaz drive for storing the captured data (The Jaz drive uses 2-GB removable cartridges that can be swapped out as easily as a floppy disk.)

The FBI configures the Carnivore software with the IP address of the suspect so that Carnivore will only capture packets from this particular location. It ignores all other packets. Carnivore copies all of the packets from the suspect's system without impeding the flow of the network traffic. Once the copies are made, they go through a filter that only keeps the e-mail packets. The program determines what the packets contain based on the protocol of the packet. For example, all e-mail packets use the Simple Mail Transfer Protocol (SMTP). The e-mail packets are saved to the Jaz cartridge. Once every day or two, an FBI agent visits the ISP and swaps out the Jaz cartridge. The agent takes the retrieved cartridge and puts it in a container that is dated and sealed. If the seal is broken, the person breaking it must sign, date and reseal it -- otherwise, the cartridge can be considered "compromised." The surveillance cannot continue for more than a month without an extension from the court. Once complete, the FBI removes the system from the ISP. The captured data is processed using Packeteer and Coolminer. If the results provide enough evidence, the FBI can use them as part of a case against the suspect.

The ISP does not maintain customer-activity data as part of its back-up.

The example above shows how the system identified which packets to store.