Carnivore

Carnivore, also referred to as the Carnivore Diagnostic Tool or the Carnivore Electronic Communication Collection System, is the name of a series of suites of software developed by the Federal Bureau of Investigation (FBI) for authorized collection of electronic data for law enforcement purposes. It is an example of packet-sniffing software. Carnivore was designed by the FBI to intercept and copy data packets to and from suspects at the site of an Internet service provider (ISP) with the cooperation of the ISP. The term “Carnivore” is also commonly used to describe the successors to that series of software, even though the FBI dropped the name Carnivore in 2001 to adopt the more neutral name of DCS1000 to describe the intercept suite. Unlike furtively employed and developed tools, Carnivore has been openly discussed by the FBI on its website and by other U.S. government institutions. For example, it has been subject to congressional review, and there was even an appraisal of the software under the auspices of the Department of Justice carried out by the Illinois Institute of Technology Research Institute.
With the advent of widespread public use of the Internet as a communications network, it became clear to the FBI that for law enforcement purposes agents would have to use tools to intercept network data traffic in much the same way that phone taps are used to gather evidence of criminal activity. This need for data-intercept tools led to the development of Carnivore’s predecessors during the 1990s.
The FBI is reputed to have developed its first packet capture system in the mid-1990s, but little is publicly known about this first system. The second incarnation, Omnivore, was developed in 1997 for the Solaris x86 platform at a cost of around $900,000. It was designed to give government agencies the ability to capture Internet traffic based on users’ identities and to print captured electronic mail in real time. In addition, Omnivore was configured to save the captured e-mail to an 8 mm tape backup. Through a project named Phiple Troenix, the FBI developed Carnivore to replace Omnivore. This redevelopment was driven by the need for a more modern system that could be run on personal computers, and this project led to the development of the Carnivore suite at a cost of $800,000 to run on the Microsoft Windows NT operating system.
From Omnivore to DCS1000, the Carnivore-type systems seem to have operated in fundamentally the same way. A system is installed in the machine room of an ISP under the administration of an FBI agent. All the Transmission Control Protocol/Internet Protocol (TCP/IP) data (the way in which information is coded and packaged to communicate on the Internet) traveling past the Carnivore insertion point are captured as a copy of the data stream. There is not an interruption of the data; rather, the data are merely mirrored as they flow past. As the TCP/IP data are captured, they are written to a buffer in order to temporarily store the copies of the packet data, typically to a shared memory area of the system. As the memory area begins to fill, the Carnivore software sifts through the information collected, applying user-defined filters to the buffered packet data. Thus, if Carnivore were configured to collect all e-mails to mperry@uwo.ca, all the packet data to that address would be written from the buffer to a more permanent storage medium (such as a Zip drive or hard drive), while all other data would be flushed from the buffer. In essence the system replicates all the traffic passing the insertion point but discards anything that does not meet the search criteria. However, Carnivore is more configurable than simply being able to search for an e-mail address, for it can be set to capture sets of data based on fixed or dynamic Internet Protocol (IP) addresses, and can collect all the packets to and from a particular address, or, in “pen-mode,” only the to/from header information. Thus, not only e-mails but also the web pages browsed, File Transfer Protocol (FTP) transfers, or indeed any transfers from a particular computer or suspect can be captured by the system.
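The buffer-and-sift step described above, reduced to a small model that makes the retention difference between full collection and pen mode visible. This is an added example, not FBI or Carnivore code; `Packet`, `FilterRule`, `sift` and every address in the sample buffer are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                 # simplified stand-in for one buffered unit of traffic
    src_ip: str
    dst_ip: str
    mail_from: str            # empty string when the traffic is not e-mail
    rcpt_to: str
    payload: str

@dataclass(frozen=True)
class FilterRule:             # hypothetical filter: a recipient address and/or an IP
    rcpt_to: str = ""
    ip: str = ""
    pen_mode: bool = False    # True: keep to/from header fields only

def matches(rule, pkt):
    if rule.rcpt_to and pkt.rcpt_to.lower() == rule.rcpt_to.lower():
        return True
    return bool(rule.ip) and rule.ip in (pkt.src_ip, pkt.dst_ip)

def sift(buffer, rule):
    """Return (retained records, number flushed) and empty the buffer."""
    retained, flushed = [], 0
    for pkt in buffer:
        if not matches(rule, pkt):
            flushed += 1      # non-matching traffic is never written to storage
            continue
        record = {"src_ip": pkt.src_ip, "dst_ip": pkt.dst_ip,
                  "mail_from": pkt.mail_from, "rcpt_to": pkt.rcpt_to}
        if not rule.pen_mode:
            record["payload"] = pkt.payload   # content kept only in full mode
        retained.append(record)
    buffer.clear()            # everything leaves the temporary buffer
    return retained, flushed

def make_sample_buffer():
    # Constructed traffic using documentation-range IPs and example domains.
    return [
        Packet("198.51.100.7", "203.0.113.25", "alice@example.com",
               "target@example.org", "Subject: lunch"),
        Packet("192.0.2.10", "203.0.113.80", "", "", "GET /index.html"),
        Packet("198.51.100.9", "203.0.113.25", "bob@example.net",
               "Target@Example.org", "Subject: report"),
        Packet("198.51.100.7", "203.0.113.25", "alice@example.com",
               "other@example.org", "Subject: unrelated"),
    ]

if __name__ == "__main__":
    for pen in (False, True):
        kept, dropped = sift(make_sample_buffer(),
                             FilterRule(rcpt_to="target@example.org", pen_mode=pen))
        print("pen" if pen else "full", kept, "flushed:", dropped)
```
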
In recent years, the FBI seems to have begun to move away from using its own software to using commercially available software. Taking into account the ongoing support and development costs of a home-grown system in a rapidly developing environment, it may be that using a commercial system that can be tailored for a particular enforcement purpose is more effective. The FBI’s Carnivore/DCS1000 report to Congress at the end of 2003 states that during that year the agency deployed surveillance software eight times but did not deploy Carnivore or DCS1000 at all.
There are a number of commercial packet analysis packages available, such as EtherPeek, Ethertest, and Ethereal. These are often employed by network technicians in order to detect network problems and determine network performance. They can also be used in the same way as Carnivore to capture packet data information, and other law enforcement agencies have used EtherPeek. The main weakness with this type of software is that the use of a simple encryption package can defeat content collection, and this has led to the development of keystroke logging software such as Magic Lantern. By inserting a key logging program onto the computer of a suspect, such as by the use of a Trojan horse, which is a surreptitiously installed computer program, enforcement agencies can record the keys typed by the computer user. However, the use of IP masking, IP spoofing, anonymizing proxy servers, and other security techniques, which are all perfectly legal and have legitimate uses, can prevent the easy identification of the target suspect. As with many other areas of computer security, it is essentially an “arms race” between those who wish to obfuscate their data, for legitimate or illicit reasons, and those who seek to use code to uncover the data transmissions and content of others, which may also be legal or illegal.
The history of Carnivore and its successors illustrates that legitimately deployed law enforcement tools that copy targeted digital transmissions have a useful role to play in the law enforcement environment, and they will continue to be used, whether developed by enforcement agencies themselves or by private companies that offer off-the-shelf packages that allow government entities to tailor programs to meet their objectives.