The Carnivore Process
Now that you know a bit about what Carnivore was, let's take a look at how it worked:
- The FBI has a reasonable suspicion that someone is engaged in criminal activities and requests a court order to view the suspect's online activity.
- A court grants the request for a full content-wiretap of e-mail traffic only and issues an order.
A term used in telephone surveillance, "content-wiretap" means that everything in the packet can be captured and used. The other type of wiretap is a trap-and-trace, which means that the FBI can only capture the destination information, such as the e-mail account of a message being sent out or the Web-site address that the suspect is visiting. A reverse form of trap-and-trace, called pen-register, tracks where e-mail to the suspect is coming from or where visits to a suspect's Web site originate.
- The FBI contacts the suspect's ISP and requests a copy of the back-up files of the suspect's activity.
- The ISP does not maintain customer-activity data as part of its back-up.
- The FBI sets up a Carnivore computer at the ISP to monitor the suspect's activity. The computer consists of:
  - A Pentium III Windows NT/2000 system with 128 megabytes (MB) of RAM
  - A commercial communications software application
  - A custom C++ application that works in conjunction with the commercial program above to provide the packet sniffing and filtering
  - A type of physical lockout system that requires a special passcode to access the computer (This keeps anyone but the FBI from physically accessing the Carnivore system.)
  - A network isolation device that makes the Carnivore system invisible to anything else on the network (This prevents anyone from hacking into the system from another computer.)
  - A 2-gigabyte (GB) Iomega Jaz drive for storing the captured data (The Jaz drive uses 2-GB removable cartridges that can be swapped out as easily as a floppy disk.)
- The FBI configures the Carnivore software with the IP address of the suspect so that Carnivore will only capture packets from this particular location. It ignores all other packets.
- Carnivore copies all of the packets from the suspect's system without impeding the flow of the network traffic.
- Once the copies are made, they go through a filter that only keeps the e-mail packets. The program determines what the packets contain based on the protocol of the packet. For example, all e-mail packets use the Simple Mail Transfer Protocol (SMTP).
- The e-mail packets are saved to the Jaz cartridge.
- Once every day or two, an FBI agent visits the ISP and swaps out the Jaz cartridge. The agent takes the retrieved cartridge and puts it in a container that is dated and sealed. If the seal is broken, the person breaking it must sign, date and reseal it -- otherwise, the cartridge can be considered "compromised."
- The surveillance cannot continue for more than a month without an extension from the court. Once complete, the FBI removes the system from the ISP.
- The captured data is processed using Packeteer and Coolminer.
- If the results provide enough evidence, the FBI can use them as part of a case against the suspect.
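The two-stage filter described in the steps above (keep only packets involving the suspect's address, then keep only the e-mail protocol) and the three wiretap scopes from the content-wiretap note (full content, trap-and-trace, pen-register) can be modelled in a few dozen lines. The following is an added illustration written for this article, not the FBI's C++ application; the packet structure, the sample packets and the assumption that SMTP is recognised by TCP port 25 are all constructed for the example.

```python
"""Toy model of Carnivore-style packet filtering (added example, not FBI code).

Assumptions made for the example:
  - a packet is reduced to addresses, ports and a payload;
  - SMTP is recognised by the well-known TCP port 25;
  - the court-order "mode" decides how much of each matching packet is retained.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SMTP_PORT = 25  # standard SMTP port, used here as the protocol signature


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def is_smtp(pkt: Packet) -> bool:
    """Protocol classification by port (assumption: port 25 on either side = SMTP)."""
    return SMTP_PORT in (pkt.src_port, pkt.dst_port)


def involves_suspect(pkt: Packet, suspect_ip: str) -> bool:
    """Stage 1: drop every packet that is neither to nor from the suspect's address."""
    return suspect_ip in (pkt.src_ip, pkt.dst_ip)


def retain(pkt: Packet, mode: str) -> Dict[str, object]:
    """Stage 3: keep only what the court order authorises.

    'content'        -> the whole packet (full content-wiretap)
    'trap-and-trace' -> destination only (where the suspect's traffic goes)
    'pen-register'   -> source only (where traffic to the suspect comes from)
    """
    if mode == "content":
        return {"src": pkt.src_ip, "dst": pkt.dst_ip, "payload": pkt.payload}
    if mode == "trap-and-trace":
        return {"dst": pkt.dst_ip}
    if mode == "pen-register":
        return {"src": pkt.src_ip}
    raise ValueError(f"unknown wiretap mode: {mode}")


def carnivore_filter(packets: List[Packet], suspect_ip: str, mode: str = "content",
                     protocol_check: Callable[[Packet], bool] = is_smtp) -> List[Dict[str, object]]:
    """Copy every packet, discard those that fail the address or protocol filter,
    and return the records that would be written to the removable cartridge."""
    return [retain(p, mode) for p in packets
            if involves_suspect(p, suspect_ip) and protocol_check(p)]


# Constructed sample traffic: one suspect, one uninvolved user, two protocols.
SUSPECT_IP = "10.0.0.5"
SAMPLE_PACKETS = [
    Packet(SUSPECT_IP, "192.0.2.10", 40001, 25, b"MAIL FROM:<suspect@example.test>\r\n"),  # suspect -> mail server
    Packet("198.51.100.7", SUSPECT_IP, 25, 40002, b"250 OK\r\n"),                           # mail server -> suspect
    Packet(SUSPECT_IP, "203.0.113.4", 40003, 80, b"GET / HTTP/1.0\r\n"),                    # suspect browsing (not SMTP)
    Packet("10.0.0.9", "192.0.2.10", 40004, 25, b"MAIL FROM:<other@example.test>\r\n"),     # another user's e-mail
]

if __name__ == "__main__":
    for mode in ("content", "trap-and-trace", "pen-register"):
        print(mode, carnivore_filter(SAMPLE_PACKETS, SUSPECT_IP, mode=mode))
```

With the sample traffic, the `content` mode keeps exactly the two SMTP packets that involve the suspect; the HTTP packet and the other user's e-mail are discarded, and the trap-and-trace and pen-register modes retain only the corresponding address from each kept packet.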
[Figure not reproduced: an example of how the system identified which packets to store.]