1.The FBI has a reasonable suspicion that someone is engaged in
criminal activities and requests a court order to view the suspect's online activity.
2.A court grants the request for a full content-wiretap of e-mail traffic only and issues an order. A "content-wiretap"
means that everything in the packet can be captured and used. The other type of wiretap is a trap-and-trace, which means that the FBI can only
capture the destination
information, such as the e-mail account of a message being sent out or the Web-site address that the suspect is
visiting. A reverse form of trap-and-trace, called pen-register, tracks where e-mail to the suspect
is coming from or where visits to a suspect's Web site originate.
3.The FBI contacts the suspect's ISP and
requests a copy of the back-up files of the suspect's activity.
4.The FBI sets up a Carnivore computer
at the ISP to monitor the suspect's activity.
5.The FBI configures the Carnivore
software with the IP Address of the suspect so that Carnivore will only capture packets
from this particular location. It ignores all other packets.
6.Carnivore copies all of the packets
from the suspect's system without impeding the flow of the network traffic.
7.Once the copies are made, they go
through a filter that only keeps the e-mail packets.
8.The surveillance cannot continue for
more than a month without an extension from the court.
9.Once complete, the FBI removes the
system from the ISP.
10.If the results provide enough
evidence, the FBI can use them as part of a case against the suspect.