How Carnivore Worked

Carnivore was the third generation of online-detection software used by the FBI. While information about the first version has never been disclosed, many believe that it was actually a readily available commercial program called Etherpeek.

In 1997, the FBI deployed the second generation program, Omnivore. According to information released by the FBI, Omnivore was designed to look through e-mail traffic travelling over a specific Internet service provider (ISP) and capture the e-mail from a targeted source, saving it to a tape-backup drive or printing it in real-time. Omnivore was retired in late 1999 in favor of a more comprehensive system, the DragonWare Suite, which allowed the FBI to reconstruct e-mail messages, downloaded files or even Web pages.

DragonWare contained three parts:

­ As you can see, officials never released much information about the DragonWare Suite, nothing about Packeteer and Coolminer and very little detailed information about Carnivore. But we do know that Carnivore was basically a packet sniffer, a technology that is quite common and has been around for a while.

Computer network administrators have used packet sniffers for years to monitor their networks and perform diagnostic tests or troubleshoot problems. Essentially, a packet sniffer is a program that can see all of the information passing over the network it is connected to. As data streams back and forth on the network, the program looks at, or "sniffs," each packet.

Normally, a computer only looks at packets addressed to it and ignores the rest of the traffic on the network. When a packet sniffer is set up on a computer, the sniffer's network interface is set to promiscuous mode. This means that it is looking at everything that comes through. The amount of traffic largely depends on the location of the computer in the network. A client system out on an isolated branch of the network sees only a small segment of the network traffic, while the main domain server sees almost all of it.

A packet sniffer can usually be set up in one of two ways:

­ Packets that contain targeted data are copied as they pass through. The program stores the copies in memory or on a hard drive, depending on the program's configuration. These copies can then be analyzed carefully for specific information or patterns.

When you connect to the Internet, you are joining a network maintained by your ISP. The ISP's network communicates with other networks maintained by other ISPs to form the foundation of the Internet. A packet sniffer located at one of the servers of your ISP would potentially be able to monitor all of your online activities, such as:

In fact, many ISPs use packet sniffers as diagnostic tools. Also, a lot of ISPs maintain copies of data, such as e-mail, as part of their back-up systems. Carnivore and its sister programs were a controversial step forward for the FBI, but they were not new technology.

Now that you know a bit about what Carnivore was, let's take a look at how it worked:

The FBI has a reasonable suspicion that someone is engaged in criminal activities and requests a court order to view the suspect's online activity. A court grants the request for a full content-wiretap of e-mail traffic only and issues an order.

A term used in telephone surveillance, "content-wiretap" means that everything in the packet can be captured and used. The other type of wiretap is a trap-and-trace, which means that the FBI can only capture the destination information, such as the e-mail account of a message being sent out or the Web-site address that the suspect is visiting. A reverse form of trap-and-trace, called pen-register, tracks where e-mail to the suspect is coming from or where visits to a suspect's Web site originate.

The FBI contacts the suspect's ISP and requests a copy of the back-up files of the suspect's activity. The FBI sets up a Carnivore computer at the ISP to monitor the suspect's activity. The computer consists of:

The FBI configures the Carnivore software with the IP address of the suspect so that Carnivore will only capture packets from this particular location. It ignores all other packets. Carnivore copies all of the packets from the suspect's system without impeding the flow of the network traffic. Once the copies are made, they go through a filter that only keeps the e-mail packets. The program determines what the packets contain based on the protocol of the packet. For example, all e-mail packets use the Simple Mail Transfer Protocol (SMTP). The e-mail packets are saved to the Jaz cartridge. Once every day or two, an FBI agent visits the ISP and swaps out the Jaz cartridge. The agent takes the retrieved cartridge and puts it in a container that is dated and sealed. If the seal is broken, the person breaking it must sign, date and reseal it -- otherwise, the cartridge can be considered "compromised." The surveillance cannot continue for more than a month without an extension from the court. Once complete, the FBI removes the system from the ISP. The captured data is processed using Packeteer and Coolminer. If the results provide enough evidence, the FBI can use them as part of a case against the suspect.

The ISP does not maintain customer-activity data as part of its back-up.

The example above shows how the system identified which packets to store.

The FBI planned to use Carnivore for specific reasons. Particularly, the agency would request a court order to use Carnivore when a person was suspected of:

There are some key issues that caused a great deal of concern from various sources:

­ All of these concerns made the implementation of Carnivore an uphill battle for the FBI. The FBI refused to disclose the source code and certain other pieces of technical information about Carnivore, which only added to people's concerns. But, as long as it was used within the constraints and guidelines of ECPA, Carnivore had the potential to be a useful weapon in the war on crime.