
3.1.3 FOREIGN INTELLIGENCE SURVEILLANCE ACT

The Foreign Intelligence Surveillance Act (FISA) provides for electronic surveillance of foreign powers and agents of foreign powers in the United States for the purpose of obtaining foreign intelligence information. If no "United States person" likely will be overheard, then no court order is required, only certification by the Attorney General.xvii


If a United States person is involved, however, FISA requires an order issued by a special foreign intelligence surveillance court. A judge of the special court must approve the electronic surveillance if it is found that the requirements of the statute have been satisfied.xviii The order must specify the identity or provide a description of the target of the electronic surveillance, the nature and location of each facility or place at which electronic surveillance will be directed, the type of information sought to be acquired and the type of communications or activities to be subjected to the surveillance, the means by which the electronic surveillance will be effected and whether physical entry will be used to effect the surveillance, the period of time during which the electronic surveillance is approved, and, when more than one surveillance device is used under the order, the authorized coverage of each device and the minimization procedures to be applied.xix


 The order also must direct that the minimization procedures be followed and may direct third parties to furnish law enforcement authorities with necessary information, facilities, or technical assistance necessary to accomplish the electronic surveillance in a manner that will protect its secrecy and interfere minimally with the services of the subject of that order.xx


Applications for FISA orders may be made only with the approval of the Attorney General and upon a certification by the Assistant to the President for National Security Affairs, or other designated national security officials, that the information sought is foreign intelligence information and that such information cannot reasonably be obtained by normal investigative techniques.xxi Finally, foreign intelligence pen trap devices may be installed and used pursuant to orders by the special court or a specially designated United States Magistrate Judge, and require similar findings and directions.xxii


 

3.2 THE ELECTRONIC SURVEILLANCE PROCESS

3.2.1 THE DECISION TO USE CARNIVORE

A decision to use electronic eavesdropping comes only after a criminal investigation has proceeded substantially. This timing of the decision is true for a number of reasons. First, the FBI must demonstrate to the satisfaction of a judge probable cause that a crime has been committed or is about to be committed and that the surveillance is necessary to obtain relevant information. Even to obtain authorization for pen-trap surveillance, the FBI must show the relevance of the information sought. Second, the FBI in the electronic surveillance context must explain why traditional enforcement methods are insufficient to obtain the information desired. Third, in order to obtain a court order authorizing electronic eavesdropping, the FBI must amass significant details. For instance, the FBI must discover the identity of the target's ISP, the target's e-mail address, etc. Fourth, given the typical 4-6 month delay in receiving authorization for an electronic wiretap, FBI investigators are not likely to seek to deploy such means except in large ongoing investigations after substantial material has already been unearthed. Finally, use of electronic surveillance is expensive in terms of resources, making it much more likely that FBI agents will use electronic surveillance as a last resort.

If a case agent in the midst of a national security or criminal investigation determines that electronic surveillance may be needed, the agent contacts the Chief Division Counsel (CDC)xxiii and a Technically Trained Agent (TTA) in the field office for advice. The FBI separates responsibility for administration of technical surveillance from those pursuing leads in a criminal or national security investigation. That separation minimizes the chance that technical surveillance will be used prematurely. TTAs are experienced Special Agents who have been selected for advanced training. CDCs are familiar with the statutory requirements for eavesdropping. The TTA and CDC may counsel the Special Agent about what information might ultimately be necessary should a court order be sought, whether it is information identifying the URL of a web site engaged in money laundering or a target's ISP. After continued consultation with the CDC and TTA, the case agent, with field office supervisory approval, may then determine that electronic surveillance is required. These procedures are formalized in the MIOG,xxiv and evidently have been consistently followed. In the case of electronic wiretapping for content, the case agent must clear the application with superiors within the field office, with FBI Headquarters, and then with the DoJ.xxv This chain of command has been formalized.


 

The procedures to obtain authorization for a pen-trap surveillance are less rigorous. The case agent must justify in writing the need for pen-trap surveillance rather than more conventional investigative techniques. This justification, initialed by a supervisor, is placed in the case file and pen-register control file.xxvi The division counsel may be consulted on application language and the TTA must be consulted regarding availability of equipment.xxvii

The application for a court order in either context is authored by FBI attorneys in conjunction with those at DoJ (or the U.S. Attorney's Office if the objective is a pen-trap) based on information furnished by the case agent. Advice on the language in the application is widely sought and received from each level in the review process.

The court determines in both sets of circumstances (electronic monitoring or pen trap) whether to grant the application ex parte. If satisfied that the Title III requirements have been met, the court typically issues two orders: one authorizing the intercept and the second directing the relevant ISP to cooperate in the venture. The second order usually contains less information than the first, omitting, for example, the purpose of the investigation and sometimes the name of the target.

3.2.2 DEPLOYMENT OF CARNIVORE

In discussions with the ISP, the TTA and Special Agent determine how best to ensure implementation. The ISP may have means available to obtain the target information narrowly and precisely. For instance, if all the information sought can be obtained by setting up a clone e-mail account, most ISPs can comply. Problems, however, may exist if the ISP lacks the technology to narrow sufficiently the information retrieved to comply with the court order, or conversely, if it cannot retrieve sufficient information. (At times, the FBI also is concerned about disclosing too much information to the ISP, as in a sensitive national security investigation.) If the ISP cannot comply fully with the court order, then application of Carnivore represents the first stage of minimization, as described elsewhere. Carnivore limits the information retrieved to that specified in the court order. The TTA engages in discussions with ISP representatives to explain the functionality of Carnivore and assure the integrity of the ISP's network.

If Carnivore is selected as the most appropriate means of complying with the court order, the TTA assumes responsibility for its deployment. Given that use of Carnivore has been limited, highly trained personnel from FBI Headquarters have, so far, played a critical role in the implementation process, although there is no procedural requirement for their participation. The TTAs -- with or without help from headquarters -- then configure the system according to the specifications in the court order.

If the order, for instance, specifies intercepting e-mail to and from adam@mailserve.com, an agent must enter that e-mail address into the appropriate field of the Carnivore input screen. If the order specifies intercepting all traffic between port 25 of a specific Internet server and an IP address assigned to a particular target, the agent must enter the appropriate alphanumeric string into the appropriate field in the input screen for Carnivore to specify the server and port 25; and also enter the appropriate values to specify -- or to allow the hardware and software to determine -- the IP address assigned to the target in a particular session by Dynamic Host Configuration Protocol (DHCP) or RADIUS. The mapping is usually straightforward, although IITRI learned of one case in which the FBI requested the U.S. Attorney to obtain a new Title III order to eliminate ambiguities. The configurations programmed can be retrieved later to ensure compliance with the court order. Nonetheless, the potential for human error cannot be discounted -- agents must program Carnivore to match the potentially ambiguous information in the court order.
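One way to carry out the compliance check mentioned above, retrieving the programmed configuration and comparing it with the order, is sketched here. It is an added example, not code from the report or from the FBI; the rule fields, the `dynamic` marker and the sample addresses are hypothetical and do not reflect Carnivore's actual input screen or storage format.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

DYNAMIC = "dynamic"                 # target address resolved per session (DHCP/RADIUS)
MODE_RANK = {"pen": 0, "full": 1}   # addressing information only < full content


@dataclass(frozen=True)
class Rule:
    """One clause of an order, or one programmed filter (hypothetical schema)."""
    kind: str                       # "email" or "flow"
    mode: str                       # "pen" or "full"
    email: Optional[str] = None     # email rules
    server: Optional[str] = None    # flow rules: address or CIDR
    port: Optional[int] = None      # flow rules: None means any port
    target: Optional[str] = None    # flow rules: address, CIDR, or DYNAMIC


def _norm_email(addr: str) -> str:
    # Assumption: mailbox names are compared case-insensitively.
    return addr.strip().lower()


def excess(authorized: Rule, configured: Rule) -> list:
    """Reasons why `configured` collects more than `authorized` ([] if within scope)."""
    reasons = []
    if MODE_RANK[configured.mode] > MODE_RANK[authorized.mode]:
        reasons.append("collects content; order covers addressing information only")
    if configured.kind == "email":
        if _norm_email(configured.email) != _norm_email(authorized.email):
            reasons.append(f"address {configured.email} is not named in the order")
        return reasons
    # Flow rule: the server range, the port and the target must each be no wider.
    if not ip_network(configured.server).subnet_of(ip_network(authorized.server)):
        reasons.append(f"server {configured.server} is outside {authorized.server}")
    if authorized.port is not None and configured.port != authorized.port:
        shown = "any" if configured.port is None else configured.port
        reasons.append(f"port {shown} instead of {authorized.port}")
    if DYNAMIC in (configured.target, authorized.target):
        # A fixed IP entered for a dynamically addressed subject keeps matching
        # after the lease moves to another customer.
        if configured.target != authorized.target:
            reasons.append("target addressing differs (fixed IP vs per-session)")
    elif not ip_network(configured.target).subnet_of(ip_network(authorized.target)):
        reasons.append(f"target {configured.target} is outside {authorized.target}")
    return reasons


def audit(order: list, config: list) -> dict:
    """Map index of each out-of-scope filter to the reasons it exceeds the order."""
    findings = {}
    for i, rule in enumerate(config):
        candidates = [excess(a, rule) for a in order if a.kind == rule.kind]
        # Judge the filter against the clause it comes closest to satisfying.
        best = min(candidates, key=len, default=[f"order has no {rule.kind} clause"])
        if best:
            findings[i] = best
    return findings


# Constructed sample: the two clauses used as illustrations in the text.
ORDER = [
    Rule("email", "full", email="adam@mailserve.com"),
    Rule("flow", "full", server="192.0.2.25", port=25, target=DYNAMIC),
]
# Constructed sample: what an agent might have programmed.
CONFIG = [
    Rule("email", "full", email="Adam@MailServe.com"),             # matches
    Rule("email", "full", email="adam@mailserver.com"),            # typo in domain
    Rule("flow", "full", server="192.0.2.0/24", target="198.51.100.7"),
    Rule("flow", "full", server="192.0.2.25", port=25, target=DYNAMIC),
]

if __name__ == "__main__":
    for index, reasons in audit(ORDER, CONFIG).items():
        print(f"filter {index}: " + "; ".join(reasons))
```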

The work area at the ISP is secured, and substantial precautions are taken to ensure that no ISP staff members have access to the unit. Precautions are taken so that no one in the area can manipulate the hardware to see the data as it is retrieved. If individuals, despite the precautions, could access the information released by Carnivore, they could reassemble it using readily-available software to reveal its contents. Under FBI practice, the TTA does not receive any of the information retrieved via Carnivore. These procedures again are not formalized, but security is important to ensure that the chain of custody is not broken. Currently, all Carnivore units are maintained at FBI Headquarters and returned there after a session has been completed.

3.2.3 ANALYSIS OF THE INFORMATION RETRIEVED BY CARNIVORE

The information retrieved can be reassembled by the case agent using specially designed software called CoolMiner and Packeteer, collectively known as DragonWare. The case agent can obtain the intercepted information remotely as it is received by Carnivore, or can wait until the information is retrieved on the Jaz disk in the computer.

The case agent then carries out a second round of minimization. On a PC on which DragonWare is installed, the agent determines which information is relevant and which is not. The irrelevant information is deleted immediately and no copies are kept. The relevant information becomes part of the working papers of the investigation. There are no checks of which IITRI is aware to monitor the extent of this second minimization. The original disk (with information not reassembled) is sealed and stored. The disk is not tamper-proof. None of the information in the original disk is entered into a database. Pursuant to Title III, the court at the conclusion of the investigation must notify any target of the electronic search -- and apparently at its discretion any other individual whose communications were frequently intercepted during the Carnivore session -- about the fact of interception. The judge who authorized the interception retains jurisdiction over the intercept and often monitors in a general way the conduct of the surveillance.

Finally, if the information obtained has been encrypted, the case agent must determine whether to apply decryption techniques to the encrypted messages received. Carnivore itself has no power to decrypt. Thus, depending upon the perceived importance of the information, the case agent may contact FBI headquarters for help in decrypting the information retrieved by Carnivore.


3.3 EXTERNAL AND INTERNAL CHECKS ON THE PROCESS

There are innumerable external and internal checks overseeing federal law enforcement authorities' use of Carnivore. Outside the law enforcement agency, both judges and Congress monitor implementation of electronic surveillance. Within the agency, there are checks of intensive training for personnel, structural separation between technical and case agents, and inspections. These checks taken together reduce the possibility that Carnivore will be abused.

3.3.1 EXTERNAL CHECKS

3.3.1.1 JUDICIAL OVERSIGHT

Judges are involved in the Carnivore process throughout. They discharge a critical function at the court-order stage, monitor minimization and duration during the surveillance, exercise oversight of record keeping, and provide notice to targets after the investigation has completed.xxviii

As an initial matter, only Article III judges can authorize Title III and FISA intercepts. This requirement, unlike in the conventional warrant or pen-trap contexts, limits the number of judicial officials who can approve intercept orders. Also, Article III judges are more immune from political pressures because of their job tenure and protection from salary diminution.

Moreover, before law enforcement agencies can obtain authorization for an intercept from the court, they must submit substantial information to the supervising judge. The judge must be satisfied that the FBI has demonstrated probable cause that a crime has been committed, that the information sought cannot be determined in any conventional manner, and that probable cause exists to believe that relevant information will be retrieved by the intercept. The court also ensures that efforts at minimization have taken place. After the interception has started, the court often spot-checks minimization, ensures that the interception does not continue longer than is necessary, and that the information obtained is sealed. At the conclusion of the investigation, the court also determines which parties to notify of the fact of interception. The notification increases the chance that those subject to surveillance will mount a legal challenge to the propriety of the investigation, as mentioned below. Judicial involvement is pervasive, and minimizes the risk that electronic surveillance will be unnecessary, overbroad, or too lengthy.xxix Similar protections exist in the FISA context.

3.3.1.2 CRIMINAL AND CIVIL SANCTIONS

Congress also has exerted significant control over the electronic surveillance process by providing for civil and criminal sanctions. Under Title III, any person whose electronic communication is wrongfully intercepted can recover actual damages, punitive damages (in appropriate cases), and attorney fees.xxx Even if actual damages cannot be shown, statutory damages for the greater of $100 per day or $10,000 can be recovered.xxxi The interceptor can block the suit by showing good faith reliance on a court order or statutory authorization. Criminal penalties are imposed on any individual who intentionally intercepts wire communications without authorization or discloses the contents having reason to know that the information was obtained through an illegal interception under 18 U.S.C. § 2511. Defendants can include law enforcement officials who abuse their authority to intercept electronic communications or divulge their contents. Under FISA, as well, individuals are guilty of an offense if they engage in unauthorized electronic surveillance or disclose information having reason to know that the information was obtained in an unauthorized manner.xxxii A defense is provided if a court order sanctioned the interception or disclosure.xxxiii Finally, anyone knowingly violating the restrictions on pen devices can be fined, imprisoned for not more than one year, or fined and imprisoned.xxxiv In short, Congress provided for deterrence of misconduct by creating a civil remedy in the electronic communication and FISA contexts and criminal sanctions in all three contexts.xxxv

3.3.1.3 APPLICABILITY OF EXCLUSIONARY RULE

FISA provides for suppressing any evidence illegally obtained through either electronic intercepts or pen-trap devices.xxxvi The exclusionary remedy provides a deterrent against overbroad or vindictive surveillance. In contrast, the electronic communications and pen register schemes do not provide for exclusion of evidence in a criminal trial if the procedures of the governing statutes are violated. Although Title III does include an exclusionary rule for interception of wire and oral communication,xxxvii no comparable rule is included for interception of electronic communication.xxxviii Defendants in criminal trials can move to suppress the electronic communication on the ground that they were subject to an unreasonable search or seizure within the meaning of the Fourth Amendment,xxxix but cannot rely on any procedural violation of the statute itself. Note, however, that the availability of an exclusionary rule does not offer direct protection for those not suspected of criminal or foreign intelligence activity who may be caught within the web of surveillance.

3.3.1.4 REPORTING REQUIREMENT

Congress also exercises control by imposing reporting requirements. Under 18 U.S.C. § 2519, the supervising judge of electronic intercepts pursuant to Title III must report to the Administrative Office of the United States the fact and type of intercept order requested and granted or denied. Moreover, the Attorney General must independently report the same information in the aggregate each year to the Administrative Office. Under the pen trap provisions, the Attorney General shall annually report to Congress on the number of pen register orders and trap and trace devices applied for each year.xl Under FISA, the Attorney General must transmit to the Administrative Office each year a report of the total number of applications made for orders and extension of orders and the total numbers of such orders and extensions granted.xli Congress has also required the Attorney General to report to congressional committees, on a semiannual basis, the extent of its electronic surveillance activities under FISA. These extensive reporting requirements give Congress more information with which to assess the efficacy of the surveillance systems. Although to a lesser extent than the criminal and civil sanctions discussed above, the reporting provisions add some deterrence to misconduct.

The FBI's conduct of electronic surveillance is not unchecked. Both courts and Congress exercise significant oversight responsibility, lessening the possibility that law enforcement officials will use Carnivore in an unauthorized or careless manner.

3.3.2 INTERNAL CHECKS

In addition to the external checks, the FBI has itself placed many checks on the conduct of electronic surveillance. These internal checks further minimize the chance for abuse.

3.3.2.1 THE NEED FOR APPROVAL FROM SUPERIORS

Only certain authorized attorneys of the United States can approve a request for an Article III intercept, ensuring a measure of internal scrutiny and deliberation. With respect to electronic communication,xlii only the Attorney General, Deputy Attorney General, Associate Attorney General, any Assistant Attorney General, or several others specially designated by the Attorney General may authorize application for an electronic intercept.xliii With respect to FISA, only the Attorney General can authorize the intercept. This centralized authority prevents widely dispersed law enforcement officials from making the intercept decision on their own volition.xliv

3.3.2.2 TRAINING AND STRUCTURAL SEPARATION OF CASE AGENTS FROM TECHNICAL AGENTS

Electronic surveillance cannot be conducted under FBI procedures without the involvement of Technical Advisors (TAs), TTAs, and the Electronic Surveillance Technology Section (ESTS) of the Laboratory Division.

TAs and TTAs are assigned to field offices. The TA is a TTA assigned to the Special Agent in Charge of a field office to advise on all aspects of electronic surveillance. "The TA must be actively involved in all office management decisions concerning the application of technical investigative techniques."xlv The TA monitors the conduct of the TTAs.

TTAs are experienced agent investigators with a minimum of two years' experience who have applied and been selected for TTA training and certification. TTA candidates complete one year of on-the-job training under the supervision of the TA, followed by formal training at the FBI's Engineering Research Facility on basic electronics, computer and networking technology, basic architecture of telephone networks, switch-based intercepts, and data intercepts. To be designated a TTA, candidates must pass all examinations and practical problems, after which they are assigned as TTAs to a field office.xlvi In order to maintain their certification, TTAs must spend at least 20 percent of their time on technical investigative support matters and attend technical in-service training. TTAs may never be used as monitoring agents of court-ordered intercepts.xlvii

"All technical equipment in the field office is under the care, custody and control of the TA."xlviii "Technical equipment can only be sent from FBI Headquarters to the TA. Technical equipment is never sent to Special Agents who are not TTAs."xlix The TA maintains a control system for equipment accountability. No part or function of any equipment may be altered without specific FBI headquarters authorization.l

The TTA is responsible for ensuring that proper authority has been obtained for technical equipment use and for maintaining a file which contains the documented authority (court orders, SAC, or supervisory approval). TTAs may not permit the use of technical equipment until such court order or other authority has been seen or orally verified from supervisory personnel. Such oral verification must be documented and maintained in the file with the court orders.li In short, both the training and separation of personnel into case and technical groupings minimize the chance that the Carnivore power will be abused.

3.3.2.3 INTERNAL DISCIPLINE

Finally, law enforcement agents sometimes face discipline within their agencies for arbitrary or excessive searches. Many field offices have established internal mechanisms to oversee conduct of case agents. Offices may recognize that illegal searches can be counterproductive and jeopardize the agency's reputation in the public eye. In addition, FBI senior officials from FBI headquarters periodically inspect the practices of each field office. Such inspections commonly focus on the practices and procedures used in electronic surveillance.


3.4 SYSTEM ARCHITECTURE

The Carnivore system architecture comprises: (1) a one-way tap into an Ethernet data stream; (2) a general purpose computer to filter and collect data; (3) additional general purpose computers to control the collection and examine the data; (4) a telephone link to the collection computer; and (5) DragonWare software written by the FBI. DragonWare includes Carnivore software to filter and record IP packets and Packeteer and CoolMiner, two additional programs that reconstruct e-mail and other Internet traffic from the collected packets.

3.4.1 THE ETHERNET TAP

Carnivore is connected to a 10Base-T Ethernet using a Century Tap made by Shomiti Systems. In a typical installation (see Figure 3-1), an existing line is disconnected from a hub or switch and plugged into port A of the tap. A new line is run from port B to the hub/switch. The tap passes the traffic along the line from A to B and from B to A as if it were a standard cable. At the same time, it takes a copy of the transmit data in each direction and feeds it to ports 1 and 2.


Figure 3-1. Pinouts for Century Tap

Additional cables connect ports 1 and 2 to a standard hub. The cable used to connect port 2 to the hub must either be a cross-connect cable, or connect to the uplink port of the hub. This connection ensures that both sides of the communication on the Ethernet appear at the hub, but no data can be sent from the hub. The Carnivore system is then connected to any open port on the hub. This cabling arrangement and the Shomiti tap ensure Carnivore is in a receive-only mode. The transmission lines from the Ethernet adapter are not connected to anything inside the tap. The tap has a latency of only 1 bit time at 100 Mbps, so network performance should not be affected.

The FBI technicians who install Carnivore work with ISP personnel to have Carnivore connected to the smallest bandwidth pipe possible that ensures gathering the traffic of the individual for whom the court order was obtained.

3.4.2 COMPUTERS

Carnivore employs a generic Pentium-class PC, with a generic 100 Mbps Ethernet adapter. The adapter is set to promiscuous mode and acquires all the traffic that comes across the network to which it is connected via a read-only tap. As each packet is acquired, Carnivore software tests it against filter settings selected using graphical user interface (GUI) controls. Packets that pass through the filters are saved to a removable Jazz disk. The data that do not meet the filter criteria are discarded without being saved to any disk.

The Jazz drive is located behind a key-lockable panel on the Carnivore box. While this panel is not tamperproof, it does provide a degree of control over who can remove the Jazz disk from the computer. Only FBI personnel have the keys to the lock. When the Jazz disk is removed, it is placed in a container that is sealed and then taken to the judge that granted the court order permitting the collection.

There is no time synchronization among Carnivore computers. All time stamps are based on the local system clock. Coordination of times relies on the various system clocks having been synchronized prior to the start of collection and operating correctly during collection.

3.4.3 TELEPHONE LINK

The collection computer is installed without a keyboard or monitor and, in operational use, Carnivore might not be physically accessible to case agents. However, each Carnivore computer is equipped with an off-the-shelf 56-kbps modem allowing it to communicate via a standard analog telephone link.

Once Carnivore has been installed at the ISP, it is normally controlled remotely. The Carnivore collection computer modem is connected to a dedicated analog voice line installed especially for the Carnivore deployment. It does not use one of the modems from the ISP's modem pool, nor is it controllable via the Internet. PCAnywhere, a standard commercial product from Symantec Inc., is installed on the collection computer to allow the additional computers to control the collection computer via the telephone link. PCAnywhere is run as a service. If the collection computer loses power and reboots when power is restored, PCAnywhere will start automatically; the FBI does not need to visit the ISP, nor do ISP personnel have to access Carnivore. PCAnywhere is set up to use PCAnywhere Identification and Authentication, with each person using the collection computer having a separate ID and password. PCAnywhere is also set to use symmetric encryption to protect the data transfer. The host PCAnywhere software is set to start all connections with the screen locked.

The telephone line is protected by an electronic key; only a computer with a matching key can connect. The keys are COTS Challenger Security Products (CSP) from Computer Peripheral Systems, Inc., which have demonstrated capability to protect the link from sustained attempts at penetration. IITRI contacted Challenger to determine how many combinations of Lock and Key were possible. Challenger replied that the CSP is a random number generator that expands the base system code, which is different in each secure system. This code, along with other variables, changes with each call. The result is about one billion possible combinations. Each time a CSP lock is called, it issues a different challenge. The corresponding key is expected to accept the challenge and, through one of its many algorithms, use the modified base code and other variables to reply properly. A case agent controlling the Carnivore collection computer from an external computer must know the correct telephone number and have an appropriately-keyed CSP device, PCAnywhere software, a valid user name and password, and the Administrator password for the Carnivore collection box. Once connected, the agent can use Carnivore as if the agent were physically at the Carnivore collection box, starting or stopping collection and downloading collected data. An additional password is required to access the advanced setup features and change the filter settings. Data are downloaded by using the file transfer features of PCAnywhere. Files can also be uploaded to the collection computer using the same features, though there is no operational reason to do so.

3.4.4 CARNIVORE SOFTWARE PROGRAM

Carnivore is the name of the software program running on the collection computer that filters and records IP packets. When the collection computer is started, it automatically logs in as the Administrator. The Carnivore program is in the start-up group for the Administrator, so it also starts automatically. If the Carnivore program was collecting when the system was last shut down, it will begin collecting again automatically. This automatic reboot feature was set up so that data lost because of a power failure would be held to a minimum.

Carnivore has two levels of functionality: a main screen and an advanced screen. When the program is started, the agent sees the main screen (Figure 3-2) with four functions implemented via button selections. One set of buttons starts and stops collection. Another toggles the collection details display. A third forces collection to start using a new file, making the current file available for downloading. The fourth is used to access the advanced screen (filter settings). The program has a separate password for accessing the filter settings. A case agent can access the collection device via remote dial-in to start and stop collection, cause the collection to start into a new file, and download the collected data. However, that agent does not need to know the password that allows the filter settings to be changed.



Figure 3-2. Carnivore Main Screen

IITRI discovered that the password to the advanced screen is compiled into the source code. Apparently, a password is selected and implemented for each Carnivore deployment. There is no mechanism in Carnivore software to change the password. However, IITRI was able to use a Hex Editor to find and change the current advanced password.


Figure 3-3. Carnivore Advanced Menu

The Carnivore advanced menu (Figure 3-3) allows a precise description of the parameters of the data to be collected. Packets can be filtered on IP address, protocol, text strings, port, and e-mail address. IP address filtering can be based on either fixed or dynamically assigned addresses. If IP filtering is not turned on, all packets that pass the other filters are collected regardless of what IP address those packets may have. The advanced menu also allows the operator to save and recall filter settings, to specify the location of the output files, and specify the maximum file size of each output file.
3.4.4.1 FILTERING
3.4.4.1.1 FIXED IP FILTERING
The simplest form of collection is one based on a fixed IP address. If the subject is using a computer that has a fixed IP address, [REDACTED: clause relating to operational methods XXXXXXXXXXXXXXXXXXXXX][in original], this feature can be used. On the advanced menu screen, the agent inputs the IP address, or a range of IP addresses, to be collected. There is no limit to this range; a range of 0.0.0.0 through 255.255.255.255 will be accepted by the program, but this range is the same as not selecting any IP filtering. In actual practice, the agent would select only what is specified by the court order. All packets that pass the IP address filter are kept for further processing. Other filters, as described below, may cause the packet to be discarded before writing to the disk.
3.4.4.1.2 DYNAMIC IP FILTERING
Where fixed IP collection is not possible, Carnivore supports collection of dynamically-allocated IP addresses that are made via either RADIUS or DHCP. For DHCP, the Media Access Control (MAC) address of the machine to be collected must be input, and for RADIUS, the user name must be input. A range of valid IP addresses must also be specified for RADIUS. The menu screen allows inputting a starting IP address, which would be used if the target subject was already logged on when collection is started. This starting IP address is required because the protocol that sets the IP address (either DHCP or RADIUS) is only used once at the start of the session. Carnivore would be unable to collect anything until the next DHCP or RADIUS exchange. If the current IP address of the target cannot be determined, this extra selection allows collection to start immediately. However, although this feature is on the menu screen, it is not supported by the underlying code. It does not matter what values are entered into this field; it is ignored. Dynamic IP filtering does not start until after the first DHCP or RADIUS protocol packets for the input MAC address are read.
3.4.4.1.3 PROTOCOL FILTERING
There are settings to select which protocols to collect. The three options are TCP, UDP, and ICMP. Each of these can be set to full, pen, or none. The full setting collects all packets for the specified IP addresses (see paragraphs 3.4.1.1 and 3.4.1.2) that use the protocol. The pen mode setting only collects address information appropriate for the protocol (e.g., FROM and TO fields of SMTP e-mail or IP address for FTP and HTTP traffic). If address-only information is not available within a given protocol, no packets are collected. In addition to the addresses, Carnivore collects the packets associated with the collected communications, but replaces the actual data with Xs. This data replacement allows CoolMiner to report byte counts for the TCP sessions, even in pen mode. In addition, if the Carnivore raw output is examined using a hexadecimal editor, the byte counts for various fields of a protocol (such as Subject) can be determined. If none is selected, no packets for that protocol are collected. The default setting for each of these protocols is none.
3.4.4.1.4 TEXT FILTERING
Carnivore can be set to check for specific text strings. For example, a setting could be made to collect all TCP packets from a specific IP address that contains the text string "FBI". There is also an option to collect the entire TCP transmission for any packet that contains the given text string. This collection of packets starts with the packet that contains the string and continues for the remainder of that TCP session until the end, whether or not the text string is in each packet. Every packet is checked and then either saved or discarded before checking the next packet. If the search word appears in the next to last packet of a TCP transmission, only the last two packets are collected when this feature is used. Carnivore cannot go back and retrieve the packets that were examined and discarded earlier.
Text filtering capability allows the FBI to capture Internet e-mail such as Hotmail. For example, Carnivore can be set to filter HTTP packets looking for the string "&login=username" where username represents the target of the court order.
3.4.4.1.5 PORT FILTERING
For TCP or UDP filtering, any or all ports can be selected. If only ports 25 (SMTP), 80 (HTTP), and 110 (POP3) are of interest, only those three need be selected. Ports can be selected using a pull-down menu or by typing in the port number or range of port numbers. It is possible to select all ports.
3.4.4.1.6 E-MAIL ADDRESS FILTERING
Carnivore can filter SMTP or POP3 traffic based upon the e-mail address. The proper mode must be selected and the email address to be collected must be entered. If SMTP or POP3 ports are selected (see paragraph 3.4.4.1.5) and no e-mail address is selected, Carnivore collects all packets for those ports.
3.4.4.2 FILTER PRECEDENCE
While it might be intuitive to think that all of the filters are joined by a Boolean AND, they are not. The following describes the interaction of the various filters:

• Fixed IP, DHCP, and RADIUS all work in parallel. Packets that have IP addresses, as selected by any of those three filters, are held for further processing. These packets might eventually be discarded by another filter.
• If fixed IP is chosen along with SMTP or POP collection for a specific e-mail address or POP user, Carnivore collects only packets for that e-mail address or POP user that also have the chosen IP address.
• If RADIUS or DHCP is chosen along with SMTP or POP collection for a specific e-mail address or POP user, Carnivore first checks for the RADIUS or DHCP protocols to determine the IP address. Nothing is collected prior to the IP address being determined. Once determined, Carnivore collects only packets for that e-mail address or POP user that also have the chosen IP address.
• If SMTP or POP collection is specified without providing an IP address (either fixed or dynamic), all e-mail messages that match the user names specified are collected regardless of IP address.
• The text string search is a Boolean AND function with all other filters, except for SMTP and POP. The text string match is ignored if SMTP or POP collection is chosen for a specific e-mail address or user.
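A compact model of the precedence rules above, set beside the plain Boolean AND an operator might assume, so the packets on which the two disagree can be counted. This is an added example, not Carnivore source or code from the IITRI report; the struct fields, function names and sample packets are hypothetical, and it assumes a collection configured for a mail user takes mail packets only.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Simplified filter settings; all field names are hypothetical. */
struct filter_cfg {
    bool fixed_on;              /* fixed IP range configured */
    uint32_t fixed_lo, fixed_hi;
    bool dynamic_on;            /* DHCP or RADIUS tracking configured */
    bool dynamic_known;         /* address already learned from an exchange */
    uint32_t dynamic_ip;
    const char *mail_user;      /* SMTP/POP address or user, NULL if none */
    const char *text;           /* text string filter, NULL if none */
};

/* Constructed packet summary: the fields a real filter parses off the wire. */
struct pkt {
    uint32_t ip;
    const char *mail_user;      /* mailbox the packet belongs to, NULL if not mail */
    const char *payload;
};

static bool in_fixed(const struct filter_cfg *c, const struct pkt *p)
{
    return p->ip >= c->fixed_lo && p->ip <= c->fixed_hi;
}

static bool is_dynamic(const struct filter_cfg *c, const struct pkt *p)
{
    /* Nothing matches until the DHCP/RADIUS exchange has revealed the address. */
    return c->dynamic_known && p->ip == c->dynamic_ip;
}

static bool mail_match(const struct filter_cfg *c, const struct pkt *p)
{
    return p->mail_user != NULL && strcmp(p->mail_user, c->mail_user) == 0;
}

static bool text_match(const struct filter_cfg *c, const struct pkt *p)
{
    return strstr(p->payload, c->text) != NULL;
}

/* Precedence as the report describes it. */
bool collect_as_described(const struct filter_cfg *c, const struct pkt *p)
{
    bool ip_filtering = c->fixed_on || c->dynamic_on;
    /* Fixed IP and DHCP/RADIUS work in parallel: either one selects the packet. */
    bool ip_ok = !ip_filtering
              || (c->fixed_on && in_fixed(c, p))
              || (c->dynamic_on && is_dynamic(c, p));
    if (!ip_ok)
        return false;
    if (c->mail_user != NULL)
        return mail_match(c, p);    /* text string is ignored in this case */
    if (c->text != NULL)
        return text_match(c, p);    /* otherwise text is ANDed with the rest */
    return true;
}

/* What an operator assuming one big Boolean AND would expect. */
bool collect_if_all_anded(const struct filter_cfg *c, const struct pkt *p)
{
    if (c->fixed_on && !in_fixed(c, p)) return false;
    if (c->dynamic_on && !is_dynamic(c, p)) return false;
    if (c->mail_user != NULL && !mail_match(c, p)) return false;
    if (c->text != NULL && !text_match(c, p)) return false;
    return true;
}

/* Constructed samples (documentation address ranges, made-up mailboxes). */
static const struct pkt SAMPLE[4] = {
    { IP4(192, 0, 2, 10),   "target@example.org", "Subject: lunch" },
    { IP4(192, 0, 2, 10),   NULL,                 "GET /?q=keyword" },
    { IP4(198, 51, 100, 7), "target@example.org", "keyword inside" },
    { IP4(198, 51, 100, 7), "other@example.org",  "keyword" },
};
static const struct filter_cfg CFG_IP_MAIL_TEXT = {
    true, IP4(192, 0, 2, 10), IP4(192, 0, 2, 10), false, false, 0,
    "target@example.org", "keyword" };
static const struct filter_cfg CFG_MAIL_ONLY = {
    false, 0, 0, false, false, 0, "target@example.org", NULL };
static const struct filter_cfg CFG_DYNAMIC_PENDING = {
    false, 0, 0, true, false, 0, "target@example.org", NULL };
static const struct filter_cfg CFG_FIXED_AND_DYNAMIC = {
    true, IP4(192, 0, 2, 10), IP4(192, 0, 2, 10), true, true, IP4(198, 51, 100, 7),
    NULL, NULL };

/* Number of sample packets on which the two interpretations disagree. */
int divergences(const struct filter_cfg *c)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        if (collect_as_described(c, &SAMPLE[i]) != collect_if_all_anded(c, &SAMPLE[i]))
            n++;
    return n;
}

int main(void)
{
    printf("ip+mail+text:    %d divergent\n", divergences(&CFG_IP_MAIL_TEXT));
    printf("mail only:       %d divergent\n", divergences(&CFG_MAIL_ONLY));
    printf("dynamic pending: %d divergent\n", divergences(&CFG_DYNAMIC_PENDING));
    printf("fixed+dynamic:   %d divergent\n", divergences(&CFG_FIXED_AND_DYNAMIC));
    return 0;
}
```

Every divergent packet in this model is one the described behaviour collects and the assumed AND would not, which is the direction that matters when checking a configuration against the scope of a court order.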
3.4.4.3 OUTPUT DIRECTORY AND ARCHIVE FILE SIZE
All packets that have passed all the filters are saved to a file. This file is typically stored on a 2-Gbyte Jazz disk. However, there is nothing in the program to prevent collection from being stored on the hard drive. The storage location is a selection made at setup time and is any valid path name for Windows NT. Three files are stored. One is a ".vor" file that contains the actual collected data, along with a short header. Another is a ".output" file that contains a human readable version of the settings used to collect that data in the corresponding ".vor" file. The third is a ".error" file and contains any error messages that may be generated during the collection session.
File names contain the date and time that collection was started, as determined by the system time. The ".vor" files may also have an extension if more than one file was used for collection.
Data is buffered prior to output. Carnivore writes the data to the output buffer, which is flushed to disk when the block size appropriate for the media selected has been reached, when the "next file" button is clicked, or when collection has been stopped. The block size for collection to fixed media is 128 kbytes and for removable media is 64 kbytes.
As a part of the settings, a maximum file size for the collected data can be chosen. When this limit is reached, the collected data file is closed, and a new file is created. This feature is useful for downloading the data (see paragraph 3.4.3) in smaller increments. The input value for the maximum file size must be an integer. If a floating-point number is entered, only the integer part is used. If zero (or a decimal number less than 1) is chosen, then there is no maximum file size (other than what the physical media can hold).
3.4.4.4 ANALYSIS SOFTWARE
DragonWare includes two programs for analysis of packets obtained from Carnivore. These programs are called Packeteer and CoolMiner. The Packeteer program takes the collection of IP packets in ".vor" files, reconstructs the TCP session, and creates a series of files that can be viewed with CoolMiner. The CoolMiner program is used by the case agent to further select which data to view. For example, CoolMiner can be set to show only certain types of packets (e.g., HTTP). The purpose of this setting is not to limit collection, but to make it easier to view, analyze, and minimize the collected data. The agent first might want to look at the HTTP traffic and then later look at the e-mail traffic. By using CoolMiner, the agent does not have to look at everything at one time.
IITRI used Packeteer and CoolMiner to simplify the testing procedures. Although these programs are outside the scope of the evaluation, IITRI did verify their operation by examining the input and output files with a hexadecimal editor. IITRI discovered software bugs in both programs that caused them to fail to display correctly some of the data collected by Carnivore. When notified about the bugs, the FBI corrected some of them. Other bugs are still under investigation as of the date of this report.
3.4.4.5 THROUGHPUT
IITRI attempted to determine the throughput capacity of Carnivore both experimentally and analytically. Experimental attempts failed to drive sufficient traffic across the local area network to make Carnivore drop packets; traffic never reached the point where packets were dropped. From IITRI's analysis and discussion with the FBI, it was determined the true throughput limitation is based on output to the recording device. Limits are discussed in paragraph 4.2.8.

3.5 SOFTWARE ARCHITECTURE
The Carnivore software consists of four components:
1. TapNDIS driver (written in C) derived from sample source code provided with Win32 Network Driver Interface Specification (NDIS) Framework (WinDis 32), a product of Printing Communications Associates, Inc. (PCAUSA, http://www.pcausa.com/) The license for WinDis 32 prevents the FBI from releasing the source code for this driver, and possibly for TapAPI.dll, to the public. The relevant portions of the WinDis 32 license are shown in Appendix D.
2. TapAPI.dll (written in C++) provides the API for accessing the NDIS driver functionality from other applications.
3. Carnivore.dll (written in C++) provides functionality for controlling the intercept of raw data.
4. Carnivore.exe (written in Visual Basic) is the GUI for Carnivore.
3.5.1 TAPNDIS DRIVER
TapNDIS is a kernel-mode driver that captures the Ethernet packets as they are received, applies some filtering to the packet, and copies the packet to a shared memory buffer if the conditions of the filter are satisfied. The contents of the shared memory buffer are available to the Carnivore application through calling TAPgetFrames (entry point to TapAPI.dll). Writing selected packets to a data file is also handled through the driver.
The source code for TapNDIS is contained in 13 files totaling 10,322 noncomment lines of code (13,162 total lines). Nine of the source files, or approximately 40 percent of the code, were apparently borrowed intact, or with only minor changes, from WinDis 32 sample programs as they contain comment blocks asserting PCAUSA's copyright. Only five of these files have comments indicating where minor changes were made for Carnivore. Two small files were generated by Microsoft Developer Studio according to the comment block at the beginning of each file. The remaining two files (tapndis.c and tapndis.h) do not contain any comments to indicate whether they are mostly original code or were borrowed from WinDis 32 sample programs. These files contain all of the logic for the driver-level filters and for writing data to a file. IITRI assumed, therefore, they are the core of the Carnivore implementation. It appears from the contents of tapndis.h that FBI developers intend to move all filtering for Carnivore to TapNDIS, but only the first stages have been implemented in version 1.3.4.
Outline of filtering algorithm
1. If filtering is suspended then ignore the packet
2. If all packets are requested then intercept the packet
3. For 802.3 Ethernet, if the protocol matches a requested protocol, then intercept the packet
4. For Version 2 Ethernet, filter on the following items as requested, in the given order, rejecting immediately on the first failure: protocol, source, and destination Ethernet addresses, protocol within protocol (UDP, TCP, ICMP, etc.) and, for IPV4, source and destination IP addresses; combined IP address and port; combined Ethernet address and port; combined Ethernet address and protocol; and text string search with wildcard.
IITRI discovered that TapAPI calls for steps 1 and 2 are never made from Carnivore.dll. The implication is Carnivore is not intended to: (1) collect all packets or (2) suspend packet collection (e.g., because buffers are full versus stop collection).
Primary packet filtering is confined to a single function. If the packet satisfies the filtering criteria, a function is called to copy the packet to the shared memory buffer. If there is enough room in the buffer, copying succeeds and the status count is incremented by the length of the packet. Otherwise, status counts for frames overflowed and frames missed are both incremented by one. The count of frames missed is requested by Carnivore.dll and reported as packets lost. If the data rate were sufficiently high, it is likely that the driver could miss packets without detecting the miss. Appendix D provides descriptions of the primary TapNDIS functions.
3.5.2 TAPAPI DRIVER
The TapAPI driver provides the API for accessing the functionality of the driver TapNDIS. The source code for TapAPI is contained in six files totaling 4,120 noncomment lines of code (6,889 total lines). TapAPI provides 45 entry points callable from Carnivore.dll. In Carnivore version 1.3.4, only 22 are used to:

• Connect to the driver for packet collection or terminate collection
• Open or close an output file to which raw data will be written
• Set packet filters
• Retrieve packet data and write it to the output file
• Stop and reset collection, including functions to halt collection when a dynamic IP address is no longer valid
• Request status or retrieve error messages
Appendix D provides complete descriptions of the API entry points.
3.5.3 CARNIVORE.DLL
This DLL controls the collection of data by Carnivore in response to a parameter file established by the user interface and commands from the user interface. Nine entry points are provided; 13 classes are used internally. The source code is contained in 41 files totaling 6,278 noncomment lines of code (9,954 total lines). Two of the source code files (mediaSupport.cpp and mediaSupport.h) contain code that is Iomega proprietary, preventing them from being made public. Entry points and classes are defined in Appendix D.
Once started, Carnivore runs an infinite loop. The following algorithm is performed each time through the loop:
1. If collection is not running, do nothing.
2. If shared memory buffer overflow in the TapNDIS driver has been detected and filtering is on for DHCP or RADIUS, reset the filters, flush the buffer, and redownload the filters to the driver to restart collection. Regardless of DHCP or RADIUS filtering, reset the memory buffer overflow flag. (At this point, the program does not call the driver interface to check for an overflow. Instead, it uses a flag that is set by the function GetStatus, which is called by the GUI on a timer running at intervals of approximately 0.25 seconds. This timing interval leaves a small window for problems: if Carnivore processes packets between the time the buffer overflows and the time GetStatus is called, the program never detects the buffer overflow. The only indication that this overflow might have happened would be if the value of nPktsLostUser was nonzero and there were no messages in the output.txt file about the buffer being filled.)
3. If media full has not been detected, attempt to retrieve and process packets. (Again, the program is checking for media full based on a flag set by the function GetStatus.) Apply the remaining filter criteria (not handled by the TapNDIS driver) to each packet. If the packet is rejected by a filter, it is discarded. Otherwise, if Carnivore is being used in pen mode, the packet is truncated as specified in Table 3-1. Then the packet (or truncated packet in pen mode) is passed back to the TapNDIS driver (via a call to TAPputData) to be written to the output file. The remaining filter criteria are applied in the following order:
i. RADIUS
ii. DHCP
iii. SMTP
iv. POP3
v. Telnet
vi. FTP
vii. Text (includes TCP, UDP, and ICMP)

Table 3-1. Pen Mode Packet Information

4. If no packets were available for processing, free some stale nodes from the processing objects and sleep for 1 ms (freeing the CPU for any queued events).

5. If either Start or Stop has been called from the GUI, handle it as described in Appendix D.

6. If NextFile has been called from the GUI, close out the current output data file and start a new file.

7. If PrepareToStop has been called from the GUI, reset the filters in the TapNDIS driver so no more packets are intercepted.

8. If Shutdown has been called from the GUI, set flag to prevent executing the loop again.

9. If collection is running and the agent has pressed the eject button on the removable drive, do the following: close out the current output data file; eject disk and wait for new disk to be available; create directory for output files and open new files (output.txt, error.txt, and data files); write header to new data file; if DHCP or RADIUS filtering is on and shared memory buffer overflow has occurred in the TapNDIS driver (checked by call to driver interface), reset the filters, flush the buffer, and redownload the filters to the driver to restart collection; and check for available space on the removable media.
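The following added example (not Carnivore code) models the driver's copy-or-count behaviour described for TapNDIS and the polled overflow flag from step 2, and shows why a burst can be lost without the flag ever being set. The class and field names, the buffer size, the traffic pattern, and the assumption that the poll samples "buffer full right now" are all constructed for illustration; the `marker` string is a placeholder because the page does not give the wording of the output.txt message.

```python
from collections import deque

FRAME = b"\x00" * 1500  # constructed full-size frame


class TapBuffer:
    """Model of the driver's shared buffer and status counts (names assumed)."""

    def __init__(self, capacity_bytes):
        self.capacity = capacity_bytes
        self.used = 0
        self.queue = deque()
        self.bytes_copied = 0
        self.frames_overflowed = 0
        self.frames_missed = 0

    def copy_packet(self, pkt):
        # Enough room: copy and add the packet length to the status count.
        if self.used + len(pkt) <= self.capacity:
            self.queue.append(pkt)
            self.used += len(pkt)
            self.bytes_copied += len(pkt)
            return True
        # No room: overflowed and missed are both incremented by one.
        self.frames_overflowed += 1
        self.frames_missed += 1
        return False

    def retrieve(self, max_packets):
        out = []
        while self.queue and len(out) < max_packets:
            pkt = self.queue.popleft()
            self.used -= len(pkt)
            out.append(pkt)
        return out

    def is_full(self):
        return self.used + len(FRAME) > self.capacity


def simulate(poll_interval_ms=250, duration_ms=1000):
    """Run the main loop once per ms; poll status every poll_interval_ms."""
    buf = TapBuffer(capacity_bytes=10 * len(FRAME))
    flag_from_poll = False     # assumed: poll samples "buffer is full right now"
    flag_from_counter = False  # alternative: poll compares the missed counter
    last_missed = 0
    for t in range(duration_ms):
        arrivals = 20 if t == 100 else 1  # constructed burst at t = 100 ms
        for _ in range(arrivals):
            buf.copy_packet(FRAME)
        buf.retrieve(max_packets=4)       # main loop drains between polls
        if t % poll_interval_ms == 0:
            flag_from_poll = flag_from_poll or buf.is_full()
            if buf.frames_missed != last_missed:
                flag_from_counter = True
                last_missed = buf.frames_missed
    return {
        "frames_missed": buf.frames_missed,
        "frames_overflowed": buf.frames_overflowed,
        "flag_from_poll": flag_from_poll,
        "flag_from_counter": flag_from_counter,
    }


def overflow_went_unlogged(n_pkts_lost_user, output_txt_lines, marker="buffer full"):
    """Audit check from the text: packets lost but no buffer-filled message logged."""
    logged = any(marker in line.lower() for line in output_txt_lines)
    return n_pkts_lost_user > 0 and not logged


if __name__ == "__main__":
    result = simulate()
    print(result)
    print(overflow_went_unlogged(result["frames_missed"], ["Collection started"]))
```

In this model the burst is drained within a few milliseconds, so the poll at 250 ms sees a healthy buffer; only the lost-frame counter still records the event, which is the indication the report describes.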

Output from Carnivore 1.3.4 is written to three files as follows:

3.5.4 CARNIVORE.EXE

All agent interaction with Carnivore is provided through a GUI written in Visual Basic. The main form (frmMain) is used for starting and stopping collection and for displaying status information. The button labeled "Advanced..." is used to access a second form (frmAdvanced) that is used to set up the collection filters and create the user configuration file for Carnivore. There are six additional forms that are dialog boxes for various user responses. Two other forms included in the program are a splash screen displayed on startup and a full-screen solid background displayed whenever Carnivore is running. There are also 15 classes that are used in the GUI, mostly for storing filter parameters, and a module file that includes a few auxiliary functions, global variables, and declarations for all Win32 API calls used in the GUI and the exported functions from Carnivore.dll. In addition, there are four forms included in the program and nine associated classes that have all code commented out because a decision was made not to implement the features they were to provide (a scheduling capability for collections that were supposed to be limited to certain hours, some more sophisticated filters, and a real-time viewer for viewing data packets in the .vor file), but they have been left in the program. The source directory provided to IITRI also included five form files and two class files that are not used in compiling Carnivore. One of the forms appears to be for a feature (adding case tracking information) that was dropped from the design but may be implemented in the future.

3.5.5 DEVELOPMENT PROCESS

No formal development process was followed for the development of Carnivore through version 1.3.4. The Carnivore program was a quick-reaction capability program developed to meet the needs of the FBI for operational cases. None of the existing network sniffers (such as EtherPeek) could collect the proper amount of data (only what is allowed; nothing more, nothing less). This type of development is appropriate as a "proof of concept" but it is not appropriate for operational systems. Because of this lack of development methodology, important considerations, such as accountability and audit, were missed.

3.6 LABORATORY TESTS

Carnivore was designed to collect target communication authorized by court orders. According to the FBI, not every feature that Carnivore provides has been used in real collection cases. Carnivore is a case tool, not a COTS product. To achieve the purpose of evaluating the entire capability of Carnivore, the test cases are divided into two parts:

1. Test cases one through five examine typical collection cases, i.e., the model scenarios requested in the Statement of Work (SOW).

2. Test cases six through thirteen examine the general capability of Carnivore. Features that may not have been used by the FBI in real collection cases, but are provided by Carnivore, are included in these test cases. The following paragraphs summarize the test cases.

Details, including screen shots of the filter setup, are provided in Appendix C. The information includes the rationale that was used when designing the test cases and the test results. For each of the test cases that did not pass, or partially passed, an explanation of the failure is provided.

3.6.1 TEST 1 NONCONTENT E-MAIL COLLECTION

Description: Collect noncontent fields on e-mail sent to and from a target. This test is for pen mode e-mail collection on SMTP (TCP port 25), and POP3 (port 110). The target's e-mail ID is a required input to the filter for this test.

Objective: Verify that Carnivore does collect the e-mail addresses that were sent from and to a target, and does not collect any of the target's e-mail subject and content.

Expected result: Carnivore will collect only the FROM and TO addresses of the e-mail that was sent from and to a target.

Result: Carnivore did not collect any fields other than TO and FROM, but in some trials failed to collect FROM and TO information. One problem is a known weakness in Carnivore detailed in paragraph 4.2.8. IITRI also observed that in some instances, Packeteer misclassifies the POP3 messages as SMTP and this misclassification causes CoolMiner to display the wrong information. This misclassification is not a Carnivore bug.

IITRI observed that time-stamps for packets collected appeared to be incorrect possibly because of a problem with conversion from Microsoft internal date format to the standard UNIX format (used by CoolMiner), and possibly in the conversion between Greenwich Mean Time (GMT) and local time.

IITRI observed that in pen mode Carnivore replaces e-mail header information with Xs. When the data are viewed in CoolMiner it is easy to determine the length of each field in the header and the length of the entire message.

Retest: The FBI provided a patch for the time-stamp problem and a new version of CoolMiner. A retest shows the time-stamp problem is fixed and is consistent with the system collection time. The Carnivore raw data for SMTP looked correct, however there still are possible problems with information displayed by CoolMiner. For SMTP traffic, the FROM e-mail address (the target's in this test case) is correctly displayed, but the TO address is not shown (the nontarget's in this test case). Packeteer and CoolMiner appear to be looking for the other e-mail addresses in the TO and FROM lines in the e-mail message, which Carnivore has purposely blanked out to avoid collecting information about communication between nontargeted entities. IITRI believes the program should instead be looking for the RCPT-TO lines, which Carnivore properly collects.
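The sketch below is an added example (not Carnivore, Packeteer, or CoolMiner code) of the two observations from Test 1: masking with one X per character leaves field and message lengths readable, and the addresses survive in the envelope commands (MAIL FROM / RCPT TO) even when the From/To header lines are blanked. The session lines are constructed, and the masking rule (everything between DATA and the terminating dot) is an assumption about pen mode; `drop_data` is a hypothetical alternative that leaves no lengths behind.

```python
import re

# Constructed client-side SMTP lines (not captured traffic).
SESSION = [
    "HELO client.example",
    "MAIL FROM:<target@example.org>",
    "RCPT TO:<friend@example.net>",
    "DATA",
    "From: target@example.org",
    "To: friend@example.net",
    "Subject: lunch on friday",
    "",
    "See you at noon.",
    ".",
    "QUIT",
]

ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)
HEADER = re.compile(r"^(From|To):\s*(\S+)", re.IGNORECASE)


def pen_mode_mask(lines, drop_data=False):
    """Mask everything between DATA and the terminating '.' (assumed rule)."""
    out, in_data = [], False
    for line in lines:
        if in_data and line == ".":
            in_data = False
            out.append(line)
        elif in_data:
            if not drop_data:
                out.append("X" * len(line))  # length-preserving, as observed
        else:
            out.append(line)
            in_data = line.upper() == "DATA"
    return out


def envelope_addresses(lines):
    """Addresses taken from the SMTP commands, which pen mode leaves intact."""
    found = {"from": None, "to": []}
    for line in lines:
        m = ENVELOPE.match(line)
        if not m:
            continue
        if m.group(1).upper() == "MAIL FROM":
            found["from"] = m.group(2)
        else:
            found["to"].append(m.group(2))
    return found


def header_addresses(lines):
    """Addresses taken from the From:/To: header lines inside DATA."""
    found = {"from": None, "to": []}
    in_data = False
    for line in lines:
        if not in_data:
            in_data = line.upper() == "DATA"
            continue
        if line in ("", "."):
            break  # end of the header block
        m = HEADER.match(line)
        if m and m.group(1).lower() == "from":
            found["from"] = m.group(2)
        elif m:
            found["to"].append(m.group(2))
    return found


def leaked_lengths(masked):
    """Line lengths an analyst can still read off the masked DATA section."""
    lengths, in_data = [], False
    for line in masked:
        if in_data and line == ".":
            break
        if in_data:
            lengths.append(len(line))
        in_data = in_data or line.upper() == "DATA"
    return lengths


if __name__ == "__main__":
    masked = pen_mode_mask(SESSION)
    print(envelope_addresses(masked), header_addresses(masked), leaked_lengths(masked))
```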

3.6.2 TEST 2 NONCONTENT WEB BROWSING COLLECTION

Description: Collect the source and destination IP addresses for a target's web browsing activities. This test is a pen mode collection on HTTP (TCP port 80).

Objective: Verify that Carnivore does collect the target's HTTP web browsing activity source and destination IP address, does not collect the URL and content of the target's web activities, and does not collect other users' communication.

Result: Passed.

IITRI observed that CoolMiner provides information on how many bytes are transferred between the client and the server. The data sizes can also be counted from the Carnivore raw data.

3.6.3 TEST 3 NONCONTENT FILE TRANSFER ACTIVITY COLLECTION

Description: Collect the source and destination IP addresses for a target's FTP activities. This test is a pen mode collection on FTP (TCP ports 20 and 21).

Objective: Verify that Carnivore does collect the target's file downloading activity source and destination IP address and does not collect the file content and other users' FTP activities.

Result: Passed.

As in tests 1 and 2, the amount of data transferred is captured.

3.6.4 TEST 4 FULL COLLECTION ON A FIXED IP ADDRESS

Description: Collect the contents of communications to and from a target, who has a fixed IP address. This test is a full mode collection.

Objective: Verify that Carnivore does collect the target's communication and that no other users' (i.e., other IP addresses) communications can be collected.

Expected result: Web browsing contents, FTP login session, commands and data, and e-mail contents are all captured from the target fixed IP address.

Result: Passed.

3.6.5 TEST 5 E-MAIL CONTENT COLLECTION

Description: Collect the contents of e-mail communications that were sent from and to a target. This test is a full mode collection on the target's e-mail ID.

Objective: Verify that Carnivore does collect the contents of a target's e-mail, but does not collect other users' communications.

Result: Passed.

3.6.6 TEST 6 ALIAS E-MAIL COLLECTION

Description: E-mail collection of a target who has an alias for outgoing e-mail. This test is an e-mail mode collection on SMTP and POP3 (TCP ports 25 and 110). The target's e-mail user ID is entered into the filter for collection.

Objective: A court order authorizes collecting the full-content e-mail traffic to and from a target, and the ISP determined the target's e-mail address is marydoe@location.org. However, the target made an alias "NOBODY" for her outgoing e-mail address. Verify that Carnivore will not collect the target's e-mail by filtering on her real user ID.

Result: Passed.

3.6.7 TEST 7 FILTERING TEXT STRING ON WEB ACTIVITY COLLECTION

Description: Collect the web browsing contents that contain a specific text string. This test is a full mode collection of a given text string on HTTP (TCP port 80).

Objective: Verify that Carnivore collects the target's web browsing contents that contain a specific text string, and only the web pages that contain the searched string, not other web pages.

Result: Passed.

3.6.8 TEST 8 POWER FAILURE AND RESTORATION

Description: Power failure and restoration test.

Objective: Verify that after the power is restored, Carnivore automatically starts up and continues to collect what it was originally set up to collect. Also, verify that Carnivore recovers all of the data that was collected before the power outage.

Expected result: After the power is restored, Carnivore recovers to the state where it was before the power failure and continues to use the original filter setup to collect traffic.

Result: Carnivore did not recover to a collecting state as it was supposed to. Two errors were noted: (1) during the restart procedure, a TAP interface error in connecting to the Ethernet card occurred; (2) the data collected before the power failure was lost. This lost data is the result of a trade-off between processing speed, having padding in the collected data, or possibly losing some data. Carnivore does not write collected data into a disk until a block size of data is collected, a user activates the "next file" feature, or Carnivore is stopped.

3.6.9 TEST 9 FULL MODE COLLECTION FOR ALL TCP PORTS

Description: Collect all the user's TCP communications with a minimum filter setup.

Objective: By choosing a minimum filtering, i.e., all TCP ports on full collection mode, Carnivore will collect all the user's TCP communication. Verify that when selecting TCP protocol without selecting any ports, the default to Carnivore is collecting all TCP ports.

Expected result: Carnivore collects all TCP traffic from every device that is attached to the sniffing segment.

Result: Passed.

3.6.10 TEST 10 COLLECT FROM A DHCP ASSIGNED IP ADDRESS

Description: Collect the contents of communications to and from a target who has a dynamic (DHCP assigned) IP address.

Objective: Carnivore filter GUI provides three entry fields for DHCP setup, i.e., MAC address, Ports (67 and 68), and Startup IP. In order to collect communication from a specific DHCP-configured device, what data must be entered in the filter? Also, it is assumed that the Startup IP field can be used by Carnivore to immediately start collecting the traffic of a user who has already been assigned an IP address without waiting for the next DHCP-based IP assignment.

Expected result: (1) With a known MAC address but without a Startup IP, collection for that target does not begin until after a DHCP-based IP assignment occurs. (2) With a known MAC address and a Startup IP set to the currently-assigned IP address for the target, collection begins immediately.

Result: (1) Both MAC address and DHCP ports are required data entries for the filter to have Carnivore collect communication from a specific DHCP-configured IP address. (2) Data entered to the Startup IP field was totally ignored by Carnivore. A DHCP exchange was always required for Carnivore to collect from a specific dynamic IP address.

3.6.11 TEST 11 FILTERING ON TEXT STRING FOR E-MAIL COLLECTION

Description: Collect e-mail with a key word.

Objective: When filtering on a given text string and the target's IP address (either fixed or dynamic), verify that Carnivore only collects the target's e-mail messages that contain the given text string.

Result: Carnivore behaves exactly as expected. E-mail that contains the search text string is captured and e-mail that does not contain the search text string is not captured. However, this capture condition is not always clear from CoolMiner analysis. If the text string is in the e-mail header (for instance, part of the Subject), then CoolMiner displays the message properly. If the search text string is only in the body of the message, it does not display the message. This occurs because Carnivore does not start collecting packets until it sees the search text string. If the string is only in the body, the header of the message has already passed without being collected. CoolMiner needs the entire set of e-mail protocol packets in order to display properly. CoolMiner displays the collected packets as TCP packets of an unknown application.

The raw output of Carnivore was examined to verify the results shown by CoolMiner.

3.6.12 TEST 12 FILTERING ON TEXT STRING AND E-MAIL ADDRESS OR E-MAIL USERID FOR E-MAIL COLLECTION

Description: Collect e-mail with a key word and a user name.

Objective: When filtering on a given text string and the target's e-mail ID, verify that Carnivore only collects the target's e-mail containing that given text string.

Result: Because of a performance trade-off, Carnivore filters for the text search string at the driver level. Filtering for a specific e-mail user is done at the application level. After this test was completed, it was learned that the text string search is ignored when filtering for a specific e-mail address.

3.6.13 TEST 13 FILTERING ON TEXT STRING FOR FTP COLLECTION

Description: Collect FTP communication containing a key word.

Objective: When a text string is entered into the filter and FTP ports 20 and 21 are selected, Carnivore should only collect the FTP activities containing that given text string.

Result: Analysis of the raw Carnivore output shows that the correct data was collected. Carnivore either collected the FTP packets that matched the given text strings or collected from the first packet containing the text string to the end of that session (if the Trigger on Full Session check box was checked). In either case, Packeteer failed to assemble all of the packets together for an entire FTP session (because not all packets were collected) and, in turn, CoolMiner could not provide the result of correct collection. The purpose of this test was to determine if Carnivore collects according to its filter setup, not to evaluate the post-processing tools Packeteer or CoolMiner. The Carnivore output was correct.
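The following added example (not Carnivore code) models the two text-string behaviours reported in Tests 11 and 13: collecting only the packets that contain the string, or collecting from the first matching packet to the end of that session. It shows which packets never reach the output and therefore why post-processing cannot reassemble the session. The packet tuples, session labels, and the convention that sequence number 1 carries the message header are constructed for illustration.

```python
from collections import defaultdict

# Constructed packets: (session_id, sequence_number, payload).
PACKETS = [
    ("A", 0, "MAIL FROM:<a@example.org>"),
    ("B", 0, "MAIL FROM:<b@example.org>"),
    ("A", 1, "Subject: quarterly invoice\r\n\r\n"),
    ("B", 1, "Subject: hello\r\n\r\n"),
    ("A", 2, "body part one"),
    ("B", 2, "please see the invoice attached"),
    ("A", 3, "."),
    ("B", 3, "."),
    ("C", 0, "Subject: unrelated\r\n\r\n"),
    ("C", 1, "nothing to see"),
]
HEADER_SEQ = 1  # constructed convention: packet 1 of each session holds the header


def collect(packets, text, trigger_full_session):
    """Return {session_id: [collected sequence numbers]} for a text-string filter."""
    triggered = set()
    kept = defaultdict(list)
    for sid, seq, payload in packets:
        hit = text in payload
        if hit and trigger_full_session:
            triggered.add(sid)  # keep everything in this session from here on
        if hit or sid in triggered:
            kept[sid].append(seq)
    return dict(kept)


def uncollected(packets, kept):
    """Per collected session, the sequence numbers that never reached the output."""
    seen = defaultdict(list)
    for sid, seq, _ in packets:
        seen[sid].append(seq)
    return {sid: [s for s in seen[sid] if s not in seqs] for sid, seqs in kept.items()}


def header_collected(kept, sid):
    """True when the session's header packet is in the output."""
    return HEADER_SEQ in kept.get(sid, [])


if __name__ == "__main__":
    full = collect(PACKETS, "invoice", trigger_full_session=True)
    print(full, uncollected(PACKETS, full))
    print(collect(PACKETS, "invoice", trigger_full_session=False))
```

Session A (string in the Subject line) keeps its header packet, while session B (string only in the body) starts mid-message, matching the difference in what CoolMiner could display.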

Output from Carnivore 1.3.4 is written to three files as follows:

Raw data packets are written to one or more .vor files. In full mode, the complete contents of all packets that are not rejected by one of the filters are written to the files. Table 3-1 shows the information that is written to the files in pen mode for packets that are not rejected.
Operational messages are written to an output.txt file. These messages include descriptions of the filters used for the collection, start and stop indicators, and information about the tracking of FTP and telnet sessions. Details on all possible messages are provided in the description of the class CLogFile in Appendix D.
Error messages for all errors recognized by Carnivore are written to an error.txt file. Details on the possible error messages are provided in the description of the class CLogFile in Appendix D.