.

,

. ,
. .

.

,

,

.
,

,

,.

,,

,
.
,

,

FTO~:(

1 CCIPS
ch.Z,20033
,

, ,

. . .
,

,. ,
'

LAW ENFORCEMENT SENSITIVE. . FOR OFFICIAL USE ONLY .
'

,

.

,

,

"

,

.

b6

, ,

.
-

,

, '

,

'

..
'

,

DA&: 00-12-7008 b7C , CLASSIFIED by 6 0 3 2 2 ~ ~ l p / ~ t ~ / r d a,, ,, bi :: ~ A S ~ N1.4.1~1 : b2 . . f i ~ c ~ n s s x ~ r 08-i2-2033, ON: ..b7E , , , ,
'

.
'

,

,

,

'

,

,

,

of you b o w , some investigators have begun to use . investig'ativctechique referred, n " While the technique is of '. . tbas 'm"lhtemet Pratoc,ol,Address Verifier" aWa a ' indispmble value'i C& n kiids'bf cases, we at seei"g indications thk it is behg used needlessly by . agencies, unneceisdly raising d i m l t legal plrstions (and a,d+ of su~prnsion) without my ., .,, . . . , , countervailing benefit. ' .
As

(w).
, , ,

'.
'

,

, ,

.

, ,

.

.,

.

.

,

,

,

,

.

,

I

I

'

. .. . . , , . . . . . .. . . . . . . I' , ,. , , . ... , , , . .. . . ., .,.. . ,. . ,.. .. ,,:. , . . , ,.,. , ,., . . . . . . . . , . . . . . ,. ., . . . . . . , . , , ..,. . ., . , ., . , . , ; . . . i . . . .. . . . . . . . . . . . . . . ., ,,. , . : . , , ,., , . , . , . , , , . . . . .. . , , , , ,. . , , , ,, :. . ,, . .. . . . .' ,, , ., ,. ., . . , . . . , , ., , , , . ,, , . ., .. , . , . .. ,,,, . ,, , . , , , , . . ,
.
,
'

..

I

,

,

.

' ,

.

.

.. .
,

. : ., n n q : 03-lg-zoos ...
,

,.
8.'

. .
:,

,

I

.

. .,
'

'

,
''

.
' .

'

.
,

'

,

. .......
,
!', ,

I.

. ,

.

, ,
' I

.'

,

,

: : I'.~~ctrss~n'oy: 03'19-2033 ,.; . , :, ' , . , . ... , . . . .,.i . . , ..' .: . ' ........ , .,: , . . ., ,, , . :, ' , ,, . , :;.,; .bl'. . .' .. . .. . .. . . . , . . . . . , , . . . .. , . , , , ., . ., . . . , . , . ' ' ;
I .

. '.' ' F i ~ s ~ ~ ~ ~ m ~ : ' ~ s ~ .0', ',3 z t ~ . sow: 1 . . 4 , ( . ~,,' ' j . , : ,,, .,, ' . ....
,
I

m1 'INFO. ' .

' . . .:. . . . . , . , '.
;

,

.,

,,

,

'

'

. .

...
'

'

.',
,

\.

I:,

.. . . . .
, , '

.".
, : , .
, ' ,

. .

.

,

, ..
,

'.'
,.

.,
,

,

,.

.
,,
,

.

..

,

, , . ~ ,

.

..,
'..

' , ,,

, ,,.,, '

,

i

, ,

.. .. ,

,,

. , . . . . ... . .

,

. :..
,

.
. ,
, ,

,,
. ,
. ,

.
. ... ,

.

.

. ,.

,

.

,

. ,'

.
I I.

.

,

.

',
'

:

, ,
. . I

, ,
, ,

.. .

.,

,

.
.,
'

. ., .
,
,

,.

,

,

, ,

.

. . . . .

.

,

. .

,..

,

,

,

,

. . . . .
.
,

.. ., . I' : , " . '. '. , " , . ,.,, . .:.. . . . I.. .. . . . .. . . , , .. #, . . ., .. . . ,,, , , , , . . . , .. . , , ;. . . . . . . . . . !' .'.^ . , . , . , ,. . . . . . . . ., , , .,, . . , ..,. , , . . . . . ' . :, ,. , . .. , , .,. . . . ., . , , , . .. ' , ,. .. . . ., , . ' , : . .. . .. . . . . . . .,., , . . . .. . . . . . '.' . " . . , . , ., , . ., , :. b i ' , , , , , , , . . . . . . ., , . . ' , 1 ,, , . b6 1 .,. . . ., . . . ..b7C . . . . . . , . , . , ., . . ., , . . . . ., . , . , ,, .;.,, .. , . ' , , : ... ....I ';.. ,. . . . . . . . . . . . . . . . . .. . , , . ,: . .. . , , , , . , ,, . . , .. , ', . ' ..
,

,

;,

. . . . . .
, ' '

. .

., ,

,

.

. . . . ,. : , .
,

,

.

'

.

. . . . ... , . . . . . . . " . , ,. .,, . . . ,, , . . , .. .. . ,, ' . , , . . , , a, . : .. .
, , ,
'
! I " .

,

,

I

'

.

',

.

' , .

,;, ,, .

, , ,.

'

I

,

,

.

,

.. . .'."bl
'

.

, . .

., ,.

.

I : , .

.

1 ; .

I

..'I

'

,

"

, '
.

.

,.I..

I

'

'

. .

. i

;

.

.

.. . ,, .
.,

,

,..

.,,. .

1 : 1 :1
j
!
!

'bl

I

.

,
I .

,

. .,

,

.
'.
8

1

. ,

,

..

:.
,.
,

: I

.

, .

.
,

.
.
,.

,,',
I . I

. ,

. I

. .
, ,

,

. ..
, ,

.
,',

,.

,

,

.

,

.
, , ,
I

, ,
, ,

.
'

,

.,
,

.

,

.,.
,

.
'. , ,

,.
.,
,'

., .
,

,,,

.

,

. ,.

.

.

.,,

.
. .

,

,

,

,

.

.

,

,

,,

.,

. ... . . .. . . ., . . ,.',, . . .
'

'

.

2 . .

.

.

,,

'

,

'

.
,

.

,.

,

.
, ,
,

. .
,
. ,
,

, . .., , ,
,
,

.

,,

,

classified by: , . , Jamts -liPCLICe .. Reason: . ,.., ,, ~eclassifjl on;, . , . ., ..: . ' ., !:;. ': . .'.. : ,., . : , , .. ., . . .. . . .. ,, ,
, , , ,

,, . .

,

. ..

,

,

,
,

.

,

, , . . . ,. . ..

,

,
I

., , ,
"

. :

. : .

. ',;
'

.

. .. ,
,

, .
,

.

,

,
,

.
'

.
i

,

,i

.
.

,.

,

'

;

,

.
,
,I

Poli~v.OlPR . I, . . DOJ' .
. . . . .,

.
' ,

, ,

. ,:.

..

,

.

'I

"

'

,

,

, ,

,

. ,,,

: .
'

,
.

.,

.
I

, .. ,

,.
,

,

.
,.,

,

,

., , .. . . . . , . , . . ., . . . .. . . , : , :
"

., . . . .
,

..
,

,, .
I

'

, ' , . . , , ,.. , , . , . , . , . . . . ., .. , , , . ' . , , . .. ,, _ ' . ' .'. , .. .......... , , , ,,., , . . . . .'. . , , , . , , , . , , ., , , , ,. ,. .!. . ., .. .., .. .. ... . , , , . ,
"'
I.

.,

.. . ,
,

... ,. ,
/

'..'

, ,

.

., ,

. .. ,
..I..

..

., .
,

.
,

,, .

.

. ,

:

.

'

,

I

./.

I

I

, I

;

.

VNCLASSLFIED/FOR O W I C L ~ USE ONLY
CEAU Priprity is: TBD CEAU ID: 20070727T13746 Group I Program: SDG / DEP Grou Supervisor:
'

A ( 1

contact ~umberj-1

E-mail Address:

Universal Fiie.Number: UCFN Serial Number: Record Status: Open Start Date: 27 Jul2007 Due Date: 01 Aug 2007 Request Open For: 5 days, 21 hours,' 22 minutes
Origin of Request: ~~f~riority: Description: ~ a & rall documents that reference 'CIPAV'

as:

Primary Technical 'Lead:
Secondary Technical Lead:

CEAU Staff Involved:

Other Contacts:

** Not Assigned
Legal Information

ALL INFORHRTLOW COKTAImED HEREIN IS rnCLASSTFZED DATE 08-06-2008 BY 603Z2UC/LP/STP/919

UNCLASSIFIEDIFOR OFFICIAL USE O
CEAU Priority is: Green CEAU ID: 200705 16-1 3566 Group I Program: SDG / DEP Group Supervisor:

m

-1-

Contact N u m b w ( 1 - E-mail Address:

w

e File Number: 1964-RQ-1515692

UCFN Serial Number:
Record Status: Inquiry Start Date: 07 May 2007

Due Date: TBD Request Open For: 87 days, 12hours, 49 minutes Origin of Request: Ur~knpwn
TMA

rna nrurm m r r 0 p a w

I
Primary Technical Lead:
Secondary Technical Lead:

b1 b2 b7E

CEAU Staff Involved:

Other Contacts:

Legal Information Record Logs:
05/07/2007, 1:30 PM Spoke with SA 4 s ) - . . ...advi'$gZfrhnt.th).. ,...,,
b6 b7C

Cyber-Forensic Trainingdlliancs (ZYCFTA)who I

bl . b2

IS1

b7E

.,'...,

ALL IBFOWTION. C O ~ ~ A I W E D
H"PBFT1 T S

IINCLASSIRIED EXCEPT

D m 08-15-2008 A : CLASSIFIED BY 60322UCIIP/5TP/gjg

UNCLASSLIVEDLFOR OFFICIAL USE ONLY
CEAU Priority is: TBD CEAU ID: 20070502-12602 Group I Program: DG I DE ,b SuPervisor: Grou ,

I

,

Contact Nurnber~-~

E-mail Address:

UCFN serial em umber:

niversal Case File Number: 288A -pH-100637

Record Sutus; Completed Start Date: 22 M r 2006 a Due Date: TBD Request Open For: 498 days, 1l hours, 48 minutes Origin of Request: U.S. FBI Priorily: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIOH TEC Description: On 3.22.06, S vised that a viotimUs hotmail account,

b6

b7c

[ S ] . , . \.
Primary Technical Lead:
Secondary Technical Lead:

bl
b2 blE

b6 b7c

CEAU Staff Involved:

O h r Contacts: te

Legal Information Submission ~ e t i i : Description: Client #I-

ALL TWmRFIRTION COElTAIMD ZIEREJN IS UNCLASSIFIED EXCEPT WHERE SHOWN UTEZRWISE b2 b7E

A 08-15-2008 CLASSIFIED BY 60322UC/LP/STP/gjg

Status: Closed

Technical Lead: Start date: 03/22/2006 Due Date: TBD Finish Date: 05/04/2007 Wamnt Expiration dak. No Expiration Date ~ e s c r i ~ t i o n : [ l Status: Closed ~echnicnl Lead: Start date: 03/22/2006 Due Date: TBD Finish Date: 05/04/2007 Warrant Expiratioa date: No Expiration D t ae
L

Record Logs:
04/01/2006,8:00 No evidence received

AM-1-1

'

%

UNCLASSIFIED/FOR OFFICIAL USE ONLY

CEAU Prioriiy is: TBD CEAU ID: 20070502-12594

r--V

Group I Program: Grou Su e 'sor: UCFN Serial,Numbek

contact ~umberl-1-

E-mail Address:

h E i Z l T d e File Number: 174C-LV-39242

Record Status: Completed Start Date: 22 Dec 2005 Due Date: TBD Request Open For: 588 days, 1.1 hours, 47 minutes

-,+"

.
..

Origin of Request: U.S. FBI Priority: SUPPORT FEDERAL,STATE,COUNTY,M[INICIPAL, AN&

INTERNATIONALPARTNERS'

b7C

~escription: (U) On 12.21.05, ~ ~ r b i s that ad e casino received a threat.

bl b2 b7E b6 b7C

Primary Technical Lead:

Secondary Technical Lead:

CEAU Staff Involved:
ALL INFOAEIATIOI CONFAINeD H F I Y I5 UNCLASSIFIED EXCEPT E &# WHERE SHOW DTXZRWISE
b6 b7C

Other Contacts:

I

** Not assigned
Legal ~nfokation

DATE: 08-15-2008 CLASSIFIED BY 60322lTC/IP/STP/Uj0. REASON: 1.4 (C) ,DECLASSZFY Om: 08-15-2033

Submission Details: Description: Client #l Status: Open Technical Lead: Start date: 12/22/2005 Due Date: TBD Finish Date: TED Warrant Expiration date: No Expiration Date ~escri~tioni
Statua: Open

I

Technical Lead: Start date: 12/22/2005 Due Date: TBD Finish Date: TBD Warrant Expimtion date: No Expiration Date

Record Logs:
b1

=sent
to begat Moscow.

lead

UNCLASSIFIEDIFOR OFFICIAL USE ONLY
CEAU Priority is: TBD CEAU ID: 20070523-13619 Group / Program:

1Contact ~urnber~-[~-rnail

Address:

Bile'Number: 288A -LV-39208 UCFN Serial Number:
Record Status: Completed Start Date: 02 Dec 2005 DueDate: TBD
Request Open For: 608 days, 11 hours, 47 minutes

Origin o f Request: U.S.

b6 b7C

Primary Technical Lead:

I

Secondary Technical Lead:

CEAU staff Involved:

None Assigned

Other Contacts:

Legal Information

ALL INFDaElATfORT COhTAINED EIERETP IS UNCLASSIFIED EXCEPT m m SAOWRI OrnRWISE

DATE; 08-15-2900

CLASSIFIED BY 60322UC/LP/BTPJgjg
REASOBI: 1.4 I.C .)

DECLASSIFY ON: 08-15-2053

UNCLASSIFED/FOR OWFXCIAL USE ONLY
CEAU Priority is: TED CEAU ID: 20070502-12599 Group I Program: Group Supervisor:

Contact Number:l-v-mail

Address:

'Universal Case !ile Number: 279~-EP-36918 UCFN Serial Number: Record Status: Completed Start Date: 20 Oct 2005 Due Date: TED bque'st Open For: 65 1 days, 12 hours, 46 minutes

Origin of Request: U.S. FBI Priority: PROTECT THE UNITED STATES FROM TERRORIST ATTACK Description: On 10.19.2005,~4-ladvised that he is wing to locate the specific computer(s) b e d a by subject of WMD (bomb & anthrax) . , w t subiect via e ih Hormail~&~& show

b6 b7C
bZ b7E

m.

I

Primary Technical Lead:

ALL INPOREIRTIOB
HFRELI I9 UNCLASSIFIED EXCEPT S H OO~RWISE ~

Secondary Technical Lead:

I b6 DATE: 09-18-2008 b7C CLASSIFIED BY 60322 UC/LP/STP/gjg mA50N:
DECLASSIFY ON: 09-18-2033

CEAU Staff Involved:

Other Contacts:

* * Not Assigned
Legal Information
Submission Derails: Description: Client #I Status: Closed

Technical Lead Start date: 10/20/2005 Due Date': TED Finish Date: 05/04/2007 Warrant Expiration date: No ~ x ~ i r a t i 6 n Date
Description: Stabs; Closed

1-

Technical Lead: Start date; 10/20/2005 Due Date: TED Finish Date: 05/04/2007 Warrant Expiration date: No Expiration Date

UNCLASSZIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TED

e -

*
Dut Date: TDD

CEAU ID: 20070523 13617 Group I Program: S ~ I G DEP Crou Su erviaor:

- contact ~umbwf-1

E-mail Address:

File Number: 288A -HO-647RO

UCPN Serial Number:
Rf~corrl Status: Compl~tcd
Start Date: 15 Aug 2005

fiequest Open For: 717 days, 12 hours. 45 minutes
Origin of Request: U.S. FBI Priority: PROTECT THE L N T E D STATES A F A W S T CYBER-BASED ATTACKS AND HIGH TECHNOLOOY CRIMES On 4,29 05, SA T b d v i ~ e that a hacker deleted a database and d D-criptira:

IS 1
(9).

421
I
Primary Technical Lead: Smondary ~tchnicrrl Lead:
I

CEAU Staff Involved:

** Not A s s i p d

Legal Information
'

DATE; 98-&$-1Q08 CLBSSIFm BY 60333VC/LP!STP/gjg PXA50D? 1.4 tCI .. UECLAS$LEY ON? 08-15-2033

S

~

.

T

ALL INFORITATTON CbETATNED F E E I N IS UNCLASSIFIED EXCEPT

UNCLASSIFlEDlFOR OFFICIAL USE ONLY

* -

CEAU Priority is: TED CEAU ID: 30070523 13616 Group I Program: SDG / DEP Grov Su ervkor:
Universal Cage File Nurnher: UCFN Serial Number:

b6 I E-mail Address: ~ o n t a~nrxrhol-1 ~ tb7C

Record Status: Complctcd Start Date: 09 Au8 2005 Duc Date: TBD Request Open For: 723 days, 12hours,44 minutes
Origin df Request: U.S. FBI Priority: SUPPORT FEDERAS. STATE, COlJNTY,MUNICIPAL. AND , INTERNATIONAL PARTNERS that an IM subject met teenage girl for Description! x n n 7.6.05, S from subjcctOs cmuil no sex and is now threatening to 1 - - - . .............................. ........................
b6

b7C

I

&d,

[ S 1 .,'"

mvidcd to S

wBjs'swsw

bl

o n , , ~ ~ ~ ~ f i v # . ! ~b2 ~ b76 ~

Primary Technical Load:
Seoondary Technical Lead:

CEAU Staff Involved:
None Assigned

Other Contach:

Legal Information

Record Logs;

PATE1 08-15-3008 CLA33IFTED DY GO32ZUC~fP,'JTP/$'jp HEASPI: L.4 I C )
D E C L A S S I N DN: 0 8 - 1 5 - 2 0 3 3 ALL INFOMATTON COIITATNED

.

I

,
UNCLASSEIEDIFOR OFFICIAL USE ONLY
CEAU Priority is: TBD

,
1 Dl9

CEAU ID: 20070521-1361 1
Group I P r o ~ a m : G~oUD Su~ervisor:

1contact ~

u m b e r rE-mail Address: l

ls 6 b7C

F i e Number: 288A -BP-38289 .UCFN Serial Number: Record Status: Completed Start Date: 06 Apr 2005 Due Date: TED Request Open For: 848 days, 12 hour$, 43 minutes

Origin of Request: US. FBI Priorihr: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS "ANI~ HIGH TECHNOLOW CRIMES Description: ( ) Identify ttue IP address of subje U harass people online. Subject is using email aecoun executed on said account. Logs indicate subject is

I
w affidavit received.a.n.3..

05 and provided to A

G

C SW signed on 4.6.05 and ~

lnd
bl

.

.

Primary Technical Lead:
Secondary Technical Lead:

CEAU Staff Involved:
None Assigned

Other Contacts:

** Not Assigned
Legal Information
DAfi: 08-06-2008 CLASSIFIED BY 60322VC/LP/BTP/Vjg

REASON: 1.4 (b,cl
DECLASSTIY ON; 08-06-2033

ALL INFOFIWATION CONTAINED HERETI 15 VQCtA54IFZED EXCEPT WHeRe SHOW OTTERWISE

UNCLASSIFIEDAWR OFFICIAL USE ONLY

CEAU Priority is: TBD CEAU I D 20070518-13603 Group 1 Program: SDG I DEP lor:

1 -

Contact ~ u m b e r jE-mail Address: l

File Number; 9A-IS-94729 UCFN Serial Number:

Record Status: Completed Start Date:. 14 Feb 2005 Due Date: TED Request Open For: 899 days, 1 1 hours, 41 minutes
Origin of Request: U.S.

I

I

Primary Technical Lead:
.Secoadary Technical Lead:

CEAU Staff Involved:
None Assigned

Other Contacts:

** Not Assigned
Legal Information

PATE; 08-15-2008
CLASSIFIED BY 60322VC/LP/STP/gjg
REASON: 1 . 4 ( C ] DECLAsSIH ON: 08-15-2033

ALL

IIFDREULTION

CO~AIIWED

IZERFIB IS UNCLASZIFIED EXCEPT

Record Logs:
b7C

lweb page

4

advised that he obtained a new W o n 2.1 7.05. Collection was terminated on 2.20.05 at 1:30pm in compliance with initial d w and no howledge of the new warrant. S@ lidentified a 1 ..........................subiect.fioi.am.~. b d collection restarted on 2.21.05.SA .... I ~eiecom) which wwar the Q ~ r n i IP address assigned t o a customer in 1 c law to obtain and execute a Y W on that customer[lr residunc! on ..

.

b2 b7E

1

b6
b7C

UNCLASSIFIED~R OFFICIAL USE ONLY

I

- dCEAU Priority is: TBD CEAU ID: 2007051813601 Group I Program: SDG I D P Group Supervisor:
I

Contact Numb-

- E-mail Address:

Universal Case File Number: 2881 -pH-98358 UCFN Serial Number:

Record Status: Completed Start Date: .09 Feb 2005 DueDatfx TBD Request Open For: 904 days, 11 hours, 39 minutes
Origin of Request: U.S.

MBAT MAJOR WHITE-COLLAR CRLME stealing identities froma sensitive database and established email account 1 I Subject using ............... ~.::for..an~nymizers~..Pl~g on a or . n . a s ; . s ~ 2. ............................. 8 Z9. to get slw S/W obtained on 5) Qe F * i7 9,Tqqm p*T"fiff"'r'
I

Primary Technical Lead: Secondary Technical Lead:

:

CEAU S a fIevolved: tf
None Assigned

,

Other Contacts:

0
.
Legal Information

Record Logs:
b6
'b7C

Is)

...........................

( ]

s

Wpz~,.was,. reviewed signed S/W
..............................

b1
b2 b7E

"

'

DATE: 08-15-2008

CLASSIFIED BY 6032ZUC/IP/STP/qjg
I L L INFOPEiTION COXTATNED B R E I N 19 WCLASSIFTED EXCEPT

-----

-"> .

.

REASON; 1 . 4 [C) .DECLASSIFY ON: 08-15-2033

,
I

CEAU Pkiority is: TBD CEAU ID: 200705 18-13590 Group / Program: SDGID P
Group S u u e r v p

C o n t y NumberIC

E-mi; AddreSS:

Universal cask File Number: 166C-EP-36737 UCFN Serial Number:

Record Status: On-Hold Start Date: 07 Feb 2005
Due Date: TBD Request Open For: 906 days, 11 hours, 37 minutes

O i i of Beq,uest: U.S. rgn

FBI priority: COMBAT SIGNIFICANTVIOLENT CRTME

Primary Technical Lead:
Secondary Technical Lead:

CEAU Staff Involved:
None Assigned

Other Contacts:
Not Assigned

Legal Information

ALL IWOREVITIO?J CONTATbED
MREIRI IS UWCLASSIFIED EXCEPT WZIERE 5H04rm DTHERWTlE

DATE; 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/qjg REasonr: 1.4 (CI DECLASSIFI ON: 08-L5-2033

WNCLASSIFIED/FOR OFFICIAL USE ONLY
CBAIl m: 2007057.1 13608

CEAU Priority is: TBD

contact ~lunber]-i

E-mail ~ddress: '

b6

h7C

UCFN Scrial Numbcr:
Record Status: Completed StnW Date: 19 Jan 2005 Due Date: TBD Requent Open For: 925 days, 11 haw, 36 miautes

Origin o f Requesr: U.S. FBI Priority: PROTECT THE UNITED STATES AaAlNST CYRER-BASED ATTACKS IIIGII ECI-INOLOGY CRIMES

d

tern lata S/W &davit to Ewe a ent upon reccipt of omc s u m m q . On 2/18/05, SSA spoke with S4 7 LA, and explained options again. M a t h is a CyberICI

Primary Teahnicnl L w d ~
Secondary Technical Lead:

CEAU staff Involved:

Other Contacts:

DATE: 08-15-2008
CLASSIFIED BY
6032211!TJC/T.P/5W/~jg

** Not Assinned

REASON; 1.4 ( c l

I L TIFOmTIOW COmAINED L
E R E I N IS UNCLASSTFLED EXCEPT

Legal Information

-

UNCLASSIFIEDIFOR OFFICIAL USE ONLY

CEAU Priority is: TBD

A yFile Number: nwersal Case
UCFN Serial Number:

CEAU ID: 200705 18-1 3596 Group / Program: SDG / DEP Gron Su ervkar: 1 -

contact ~umberi-1

E-mail Address:

288A -CE121918

Record Status: Completed Start Dote: 09 Nov 2004 Due Date: TED Request Open For: 996 days, 1 1 hours, 35 minutes
Origin of Request: U.S. ,FBIPriority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TECHNOLOGY CRIMES

'Primary Technical Lead:

Secondary Technical Lead:

CEAU Staff Involved:
None Assigned

Other Contacts:

** Not Assigned
Legal Information
DAIE: 08-15-2008 CLASSSFIED BY 60322UC/IP/STP/gjg REASON; 1.4 (C) DECLASSIFY ON? 08-15-2033

ALL ISFOREIILTION

CONPATNED

EbZTRT IS UNCLASSIFIED EXCEPT WWeRE SHOW D m R W I S E

UNCLASSIFIEDlFOR OFFICIAL USE ONLY CEAU Priority b: TED CEAU ID: 20070518-13595 Group I Program: SDG I DEP

n N l u n b e r j y - E-mail Address: Contact .

Universal Case File Number: 288A -SE-89989 UCFN Serial Number:

Record Status: Completed Start Date: 01 Sep.2004 Due Dstc: TBD Request Open For: 1065 days, 12 horn, 33 minutes Origin of Request: UU. FBI Prioritv PROTECT THE UNITED STATES AGAINST CYEER-BASED . .
4

I

e d as victim in Major Case 216. ISearch warrants renewed in 10-day increments Search warraut renewals enaea d mid-Dee 004.SA b6 -was advised to download collected data for elsur. b7C
MS w

9

IS .-

,

Primary Technical Lead:
Secondary Technical Lead:

CEAU Staff Invohed.
None Assigned

Other Contack

Legal information
DATE:
oa-~5-200~

CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1 . 4 ( C ) D E C L A S S I N ON! 0 8 - 1 5 - 2 0 3 5

ALL INFOPJUTION CONTAINED HERETN 15 UNCLA5SITIED EXCEPT

-

7 f 22 am

Notes: Completed changes suggested at working groupoorporated "

DATES 08-12-2008 CLASSIFIED BY 6032tu~lp/l~p/Tds REASON; 1.4 (el
PECUSSIFI OW; 08-12-2033

bl . b2 b7E

nil INF~RMATIONC O E T A I ~ HEREIN 15 UNCLASSIFIED EXCEPT WRERE SHOWN OE-ERWISE

Law Enforcement DATE5 '00-L3-2008 CLASSIFIED BY 60322ucL0/'rtp)rds
REASON: 1 . 4 ( e )

.,

DECLASSIFY ON! 08-13-2033

Case Support Standard Operating Procedures (SOF)

ALL INFOBMATION COWAINED HERETN IS WCLASSTFIED EXCEPT WHERE SHOWN OTFIERWTSE

-L

E o r Official I J ROnlv ~

Law Enforcement SensihnlSen~ltive ~ H f i e c I But For Omcial Use Only

-

-

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU)

.

.

.

,---.

',[S) i
i.

i,
!,

',
i;

\

!

\
'\
' !

\!

,'

i;

!.
!.
' !

i i.

,' 1

bl b2 b7E

1.
1
' :

!
; ,

Page 2 of 4 Pages Law Enforcement SensitiveISensitive But
Wnr t3m0i.l HISL n - I ,

~ a 'Enforcement Sensitive/Sensitive But brnc w

Bor Official Use Only

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU)

>.<

ifled
!

\Is)
I ,

\
\!,
!
i
!

, '

Page 3 of 4 Pages
Law Enforcement SeositiveISensitive But For Official Use Onlv

-

Law ~ n f ~ r c e ~Sensitive/Senaitive But U ent * h Official Use Only r

Page 4 of 4 Pages

Law ~uiforcement SensitivdSluitive But *r n U

FEDERAL BUREAU OF INVESTIGATION

Precedence:

PRIORITY

Date:

06/07/2007

TO:

Cyber

International Operations

Attn: Attn: Attn:

uc
Europe Unit
Legat ALAT-d
CEAU

bG b7c

Rome
Operati~nalTechnology

SS

From:

Seattle

Cyber Squad Il Contact: D r L e c ~ i v e )
-.I

-

Approved BY; Drafted By:

,

n
-: b 1n s
(pending)

I

C ~ G C #: 288A-SE-NEW ID Title:

UNSUB (s) F TIMBERLINE SCHOOL DISTRICT (VICTIM); C O M W T E R INTRUSION - INTERNET EXTORTION
t-n

Synopsis: Requast
'~dministrative:

open captioned investigation.

Reference the following cOrMtlUnicdtions:

06/07/2007 t e l c a l befwsen ~etective) ivision Cybes Task Force, and ROmE A L A T ~

I

1
b6

L7C

06/07/2007 cwlckl between Eeilttle Division, and 3 5 ~
betails:

SAY
7 CACU. 1

On 06/06/2007, S~?at.I-.l nivi xion was castacted by Lacey F! P r i l i c e Department (LPD), Lacey, WA, regarding numerou3 bomb

threats and D D O S attacks received at the Timberline Sbhoal District, Laery, WA. Below are s time-line of events:

05/30/2007 - Timberline nigh school evacuation due to hand written bomb threat nuLu.
DATE: 09-12-2008 - - - CLASBIFIED BY 60322UC/LP/STP/gjg

REASON: 1.4 (GI
INFORMBTIoN c~~~~~~~ DECLASSIFY OM; 09-12-2033 HERETN IS WCLASSIFLED EXCEPT

Re:

To: Cyber From: Seattle 288A-SE-NEW. 06/07/2007

due to 06/04/2007 bomb threat email from sender: UNSUB (s) also advised a computer which resulted in a DDOS attack totaling over 80,000,000 hits. b6
06/05/2007 Timber1 bomb threat email from sender:

-

b7C

arion due to

06/06/2007 Timberline Hiqh School evacuation due to bomb threat email from sender: 1 06/07/2007 Timberline High School received additional email from UNSUB(6). Details unknown at present time.

-

LPD and the Washington state Patrol (WSP) continue to perform school evacuations and bomb sweeps with negative results. Parents and school district: employees have informed local television stations and newspapers, which aired the story on June, 6. 2007. LPD has requested investigative assistance from the Northwest Cybes Crime Task Force.
LPIJ has student at Timberline High School, amears not to be the and teachers from Timberline High School provided a list s who may be attack,

,
I

rf,

b7C

advising "Keep your head up." a self proclaimed school computer security measures. custody and forensic results are pending. provided negative results.

computer is in LPD Initial interview of

I

I

On '06/07/2007.~etective (

'Warn, Western Dsrc it!t
captioned matter.

, Seattle Oivis~on, contacted . ! U S A

WSP, and SA

b6

Katheryn of Washirigton, who agreed to pxosecute

t7c

To: Re:

Cyber rim: Seattle 288A-SE-NEW. 06/07/2007

To:

Re:

.Cyber From: Seattle 288A-SE-NEW, 06/07/2007

LEAD (s) :
S e t Lead 1;
,

(Info)

CYBER AT WASHINGTON, DC

For information.
S e t Lead 2:
I

(Info)

AT WASHINGTON. DC
For information.

Set Lead 3:

(Action)

E m Q
AT ROME. ITALY
I

Set Lead 4:

(Info)

OPERATIONAL TECHNOLOGY

AT OUANFICO. VA
For information.

Precedence : PRIORITY
To:

Operational Technology

Cyber

From: Tampa

Approved By: Drafted By:

Case

TD

#:

Title:

Synopsis: Request the deployment of a Computer Verifier (CIPAV)

Details:

Attn:

FEDERAL BURRAU O F INVEST1GATION
Date:

03/08/2007

Cryptologic & Electronic l ~ a l ~ s Unit i s
I

,

b6 b7C

Attn;

~ S A CY

Squad 8

Contact:

SA

1-

neL-

'

(Pending)

.

&

IF Address

,

BACKGROUND

DATE: 05-07-2008

CLASSIFIED BY 60325UC/IP/PLJ/gjg
REASON: 1 . 4 ( C ) DECLASSIFY ON: 05-07-2033 ALL LIFORFIPTTOW CDPITAINED HEREIN. 15 mCLA551FIED EXCEPT

To: Re:
.

chnology From: , 03/08/2007
-

Tampa

-

Tampa is currently drafting the search warrant necessary to obtain the requested CXPAV, which Tampa hopes to denloy on or around 03/15/2007.

TO:

Re:

chnoiogy From: 03/08/2007

Tampa

Set Lead 1:

(Action)

OPERATIONAL TECHNOLOGY

AT OUANTICO. VIRGINIA
The Cryptologic & Electronic Analysis Unit is requested to facilitate the deployment of a CIPAV to support captioned Group I1 UCO.
Set Lead 2:
.

(Info)

AT WASHINGTON. D.C.

For information, read and clear.

,

(Rcv. 01-31-2003)

.
FEDEmL BUREAU OF INVESTIGATION

Precedence: ROUTINE

Date: 02/23/2007

TO:

Cyber

Attn: C ~ I U - 2
ssA

OTD
Chicago

Attn:

DES/CEAU
rrr

n
b6

Prom: Cincinnati
Squad 13

Contact : S - A
Approved By:

Drafted By: Case ID #: Title:

1-

jk

(Pending)

Synopsis: CIPAV operations have ended. Reference:

Details: Cincinnati has employed a Computer and Internet Protocol Address Identifier ("CIPAV")to gather evidence concerning
b 7A

b7E

b7A

DATE: 09-22-2006
CLASSIFIED BY 60322PC/LP/STPlq$g

ALL INFOFXATIOB COWTALNED HEREIN 13 UNCLASSIFIED EXCEPT
",**rrnF evnrnr n-nn*.a

To: Re:

1

Cvber

From:

Cincinnati

1

02/23/2007

TO: Cyber
Re:

From:

Cincimati

1 02/23/2007

LEAD($) :
Set Lead 1:

(Info)

Read and clear.
Set Lead 2:

(Action)

End CIPAV operations i n support of t h i s e a s e and $end evidence to Cincinnati.

Set ~ e a d 3:

(Action)

CHTCAGO

with this

Discontinue supper t of url$drcovar accounts associated Cldse and send bill for services to Cincinnati.

,

(Rev. 01-31-2003)

FEDERAL BUREILU OF INVESTlGATION

Precedence:

PRIORITY

To:

Operational Technology

From: Houston CT- 3. Contact: SA Approved By:

Drafted
Case ID Title:

By:

&: w-

#!'w
s

7
(Pending)

Attn:
SSA

Date:

12/14/2006

Cryptologic & Electronic
b7C

1 (

Full Investigation Initiated: 01/11/2005 (USPER).
~eferenco!"~

[ I

,IS1
I

bl b6 b7C

DATE: 09-22-2008 CLASSIFIED BY 60322VC/LP/STP/q]y WASON: 1.4 [ C ) PECLASSIFI ON: 09-22-2033

ALL INFOPJUTION COEiTAINED

ogy

From; Houston 12/14/2006

Details:

BACKGROUND

u

ational Tech ology

From:

Houston

la/lr,2oo6

O W

From: Houston 12/14/2006

b1 b2 b7E
b6 b7C

b7D b7A

Witness

(u) Houston ~ i v i s i o nhas developed a Confidential
(CW)

,;(El
i

who is willins to asaist with this investisation by

1

TO:

Re: l l 0 M

Oper

'

'"7
Ogy

From: Houston 12/14/2006

Set Lead 1:

(Action)

OPERATIONAL TECHNOLOGy

.

ATTOLOGIC ~~ECTRONIC ANALYSIS

rur -

X

IT
bl

Precedence; PRIORITY

Date:

12/07/2006
&

TO:

Operational Technology

Attn: Cryptologic

Electronic

From: Houston
CT-1. Contact:

SA
,

Approved By:

1- r
y
I

Drafted By: Case ID #: (S) Title:

k

~
I

d

b

I

I

(Pending)

Full Investigation Initiated: 01/11/2005 (USPER).
Reference: (S)

(UI
--iz----3
ueclassify Uw-#QZ/2031

-

L

i4Sl

i
I

I
bl b6 b7C
b7A

DATE: 09-22-2008 CLAssTFTED BY 60322UC/LP/STP/gjg PEASON: 1 . 4 ( C ) ' DECLASSIFY ddl; 03-22-2033
ALZ TIFORFIATIOV COliTAIliTD

KERFTI 1 5 WCLA551FIED EXCEPT

From:
12/07/2006

Houston

To: Opera
Re:

'

Tec

gy

From: Houston 12/07/2006

b7A b2

ogy

From: Houston 12/07/1006

(U) Houston Division has developed a Confidential Witness (CW) who is willinq to assist with thia investisation by

.IS]!
\:

I

i:

To:
Re:

operational Technology 1 w -

From: Houston 12/07/2006

Set Lead 1:

(Action)

OPERATIONAL TECHNOLOGY
AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT
'

I

.(Rev. OI-31-2003)
FEDERAL BUREAU OF lNVEgTlGATlON

..

,

Precedence:
To:

IMMEDIATE

Date: 10/25/2006
~ t t n : Cryptologic
&

Operational Technology

Electronic

From:

Cincinnati
Squad 13 Contact: SA
' J

Approved By:

Drafted By: Case ID'#:1 1 -

I

laow

(Pending)

Synopsis: To request the ass Electronic Analysis Unit in

as part of a

Details:

BACKGROUND

SDG PRODU
updated:

June 28, 2006 by

GGAL PROCESS

Consent criminal, PThT Court order 60 day expiration FISA court order 90 day expirati~n

,,3s)
;
1 j

!

.

consent Criminal Search warrant 10 day eipiration FISA court 'order 90 d,ay expiration
b1 b2 b7E

i
Consent

I

1

I

;

criminal Search warrant lo day expiration FISA C O u f t order 90 day expiration
ALL IWFORMATION COTXXNED , EREIN IS UNCLA331F:ED MCEPT W E IAOW OTHERUIEE R

DATE: 09-23-2000 CLASSIFIED BY 60322 UC LP/STP REASON; 1.4 LC) DECLASSIFY ON: 09-2'1-2033

-

DATE: 09-22-2006

ALL THFOWT

day expiration Consent Criminal T-IIT court order typically 90 day expiration FLSA c o u r t order 90 day expiration Consent Criminal T-I11 C O U r t order typically 90 day expiration b 3. FISA c o u r t order 90 b2 day expiration b7E

r
NA

NA

CEAU Assistance to Seattle Case:

,

TIMBERLINE SCHOOL DLSTRICT (VICTIM);
COMPUTER INTRUSION INTERNETEXTORTION

UNSUB(s);

.

-

On June 6,2007, the Seattle Division was contacted by the Lacey Policc Department (LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Senice (DDOS) attacks received at the Timberline School District, Lacey, WA. The threats ' began on May 30,2001 and persisted through June 4,2007. The t h a t s necessitated the daily evacuation of Timberline High School. The LPD and the Washington State Patrol
(WSP) performed school evacuations and bomb sweeps with negative results. Parents and school district employees informed local television stations and newspapers, which -- . aired the story on J& 6,2007. As a result, the LPD requested investigative assistance from the Northwest Cvber Crime Task Force (NCCTFI. headed by the FBI Seattle Division. In.turn,the ~eattle Field Office reql$sted assistance fmbthe OTDICRAU to attempt to geo-physically locate the UNSUB(s). Assistance Provided CEAU deployed a Cornput& Intemet Protocol Address Verifier (CIPAV) to a MySpace account identified as possibly belonging to the WNSUB. The CIPAV returned several I' F - addresses, one of whikh resolved back to Comcast Cable in Seattle, Washiapton. Subscriber informarion obtained from Comcast led to the issuine of a search and arrest -ant. A 15 year old male student h m Timberline High ~ c h i owas taken into custody l without incident at his home at approximately 2 A.M. June 14,2007. The minor het, ee confessed to issuing the bomb threats. Future bomb t r a s dated June 14,2007, w r found oe the minor's cornam. The minor's computer equipment warr seized and the arrest was made without kcident. Following an &tervi& with the minor, the LPD was able t solve mother threat case. as the minar confessed to issuinn teleohone death o ^ threats to teachers and others, inh"'&nling pawits, earlier in 20G. his

Last Update 10 July 2007

Draft CEAU Combined Capabilities

(Former SDC;, Pilaster, and SPU)
10 July 2007

Version 0.1

Last Update 10 July 2007

Version Control
Changed By
10 July 07
Version # 0.1

Changes Draft Baseline

kTC6-

Last Update 10 July 2007

CEAU Combined Capabilities

(Former SDG, Pilaster, and SPU)
July 2007

Last Update 10 July 2007
Version Conwl

(Rev. 0 -3 1-2003) 1

FEDERAL BUREAU OF INVESTIQILTION

Precedsaca:

ROUTINE

Date; 07/05/2007
Attn:
SA

To:

Seattle Cyber

From:

Operational Technology Division/ Electrnni r S ~ ~ r vl\l i e ante Technology Section/ Cryptologic and Electronic Analysis Unit DiClemente Anthony P 3earcy William 1x1

Approved By:

Drafted By:

1-

kld

Case ID 8: 2b8-HQ-1305912
Title;

- SM? 298~-SE-93709

(Pendina)
(Pending)

CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU) ASSISTANCE TO THE SEATTLE FIELD OFFICE
UNSUB(S); TIMBERLINE SCHOOL DISTRICT (VIC'l'lM) ; COMPUTER INTRUSTON - IBT~RNETEXTORTION

Syrlopsis: ALteJ! A c t i o n Report for efLcctuating remote delivery of a Computer Internet protocol ~ddrensV ~ r i f i c r (CIPAV) to geophysically i ~ c a k o subject who ha^ ~ E E U C ~ a multiple bomb threats against a, local high s c h u u l .

Uetails; On 06/06/2007, the Seattle n i v i s i o n was contacted by tho Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb threats a i D i u L r - i b u b e d D e r i i a l of Sesvlce (DDOS) attacks received rd at tne 'rimberlifleSchool District, Lacey, WA. The threats began on 05/?,0/21ln7a n d persisted through 06/04/2007. The threat= neccocitatcd the daily evacuation of Timberline nigh S c l ~ u o l .The LPD and L h a wa~hingtonState Patrol (WSP) perfomea school evacuations andbomb sweegs with negative results. P a r e n t s and schonl. d i f i t - r i ~ t amplnyees informed lqcal folevision statione and newspapera, which aired the story on June 6, 2007. Ab: a result, ~llo LPD requested investigative assistance from the Nbrthwest Cyber Crime Task Force (NCCTF) headed by the Seattle Division. In turn, the S n a t k l - FIe7d n f f i c e requested assistance from the CEAU w i t h locating the WNSUB,

ALL TEJFORWATION CONTAINED

ZIGWIM IS U'NCLAS5IFIED DATE D9-19-2008 BY 60322UC/LP/STP/uju

To: Seattle From: Operational Technology Division/ Re: 268-BQ-1305912 - SDG, 07/05/2007

OBJECTIVE
The objective of this operation was to deploy a CIPAV to locate the subject issuing bomb threats to the Timberline High School, Lacy, Washington. The CIPAV was deployed in the usual way.
SUMMARY OF

EVENTS

C m -~
~

oncur ence for the operation was obtained from Case Agent and Kathryn A. Warn, Assistant United y , western District of Washington. In addition, Office of the General Counsel. concurred with the b7C oneration followino his review of the affidavit and warrant. signed by ~ a m e i i . Donobue, United States Magistrate Judge,' United States District Court,,Western District of Washington, dated 6/12/2007.
- ~-

CONCLUSION
CEAU deployed a CLPAV to a MySpaee account identified as possibly belonging to the UNSUB. The CIPAV returned several IP Addresses, one resolving back to Comcast Cable in Seattle, Washington. Subscriber information obtained from Comcast confirmed the suspicions of Law Enforcement and led to the issuing of a search warrant and arrest warrant. A 15 year old male student from Timberline High School'was taken into custody without incident at his home at approximately 2 A.M. on 6/14/2007. The minor confessed to issuing the bomb threats. Bomb threats dated 6/14/2007,were found on the minor's computer. The minor's computer equipment was seized and the arrest was made without incident. Following an interview with the minor, the LPD was able to clear another threat case, as the minor confessed to issuing telephone death threats to teachers and others, including his parents, earlier this year.

'

To: Seattle From: Operational Technology Division/ R e : 268-HQ-1305912 SDG, 07/05/2007

-

LEAD (s) :

Set Lead 1 :

(Action)

SEATTLE A T SEATTLE. WA'
Lead covered at OTD/ESTS/CEAU. Read and Clear
Set Lead 2:

(Action)

AT WASHINGTON. DC

Read and Clear..

(Rev. 01-31-2003)

H
FEDERAL BUREAU OF INVESTIGATION
ROUTINE
Date:

Precedence:

06/13/2007

From: Operational Technology D i ' v i~iu11
Electronic Surveillance Technology Section/ Crygtologic and Eleetroni? Ana1,ysis unit

Contact: SSA Approved By: Drafted By:
C a ~ oID H :

1-

senrry

William 111

2 6 8 IIQ-1305912-SW

Iitle:

CRYPTQLOGIC ELECTRONIC ANALYSTS TNTT (CEAU) ASSISTANCE TO THE SEATTLE FIELD OFFICE

Synopsls! operations Order to assist the Seattle ~ i s l d Office with effectuating remote delivery bf a C ~ w u t s rInternet Protocol Addrefis Verificr (CIFAV) to geophysically locate a subjecl who has issued multiple bulrb threat against a local high school.
Details: The Seattle Field O f f i c e has requested aofiiotancc from the CEAU with gcophynically locating a subject engaged in issuing b u n b Lllreats via the Internet to Timberline High SChdol, Lacey, Washxnaton. The objective of the operation i n t.o remotely deploy a C f P A v tn geophysically locate tho subjaof.

BACKGROUND
Qn 96/96/2007, the S e a t t l e Division waa contacted by Leccy Police Department (LPD), Lacey, WA, regarding numerous born threats and UDUS attacks faCeived at the Timberline School Bisttict, Lacey, WA. Relow a r e a t i m e - l i n e of events:

05/30/2007

hand written bomb threat fiote.
06/04/2007 Timber1 b o d threat 'entail f r u ~ nsender! aLiurl due to a6 UNSUB (l) also b7C

-

Timnberline nigh School evacuation due to

DATE; 08-14-2000
CLASSIFIED BY bU922UC/LP/STP/wjg 1.4 ( C J DECLASSIFY DO: 08-14-2033

REASON:

ALL IWFOWATIOfl CbWT&IWED H E W I N IS UNCLASSIFIED EXCEPT

To: Operational Technology From: Operational Technology Re: 268-HQ-1305912-SDG, 06/13/2007

advised a cnmprlt&r attack will hit thc Lacey School D i s l r i c t , which resulted in a DDOS attack totaling o v e r 80,000,000 hits.
06/05/2007 Timberli bomb threat email from sender: 06/06/2007 - Timber1
bomb threat email from sander:

-

nh Schnol

nvar

ation due to

06/07/2007 ~imberlineHigh School received additional m a l l from UNSUB(s). Details unknown a r present time.

LPD and the washington S t a t e .Pacrbl ( w ~ P ) continue t o perform sclluul evacuations and bomb sweeps with negative results. Parents and school district emplnyees have informed local t e l e v i n i n q stations and nswsgapero, which aired the story on June 6, 2007. LFD has requested ir~vcrtigaEive assistance from the Northwest Cyber Crime Task Force. k6
b7C

p w
\

LPP has conducted numerous tholrouulr ir~terviewsof a atudent at Tirnlrarlirle nigh school, appears not to be the subrect respLnslble tnr bonh threats! and teachers from Timberline High School provided a liut s who m y ba re6p011siLLe POT

received a t e x t messa e from
e r d up."

""'

advising uKeep your

- D

Qn

is described by teachers as

06/03/3007,

a self proclaimed computer hacker L h a t routinely bypaSlbs the schoul computer security measufbs. 1 computer is in LpD forensic rmsults are pendipg. Initial interview of ovided negative reeulta.

I

On 06/07/2007, Detective) IWS!?, and SA 1, sqattle D i v ~ ~ i o n , contacted AUSA Kdtheryn I Warma, wcaternTiatrict of Wsrrhir~gtun,who agreed to prosecute
captioned n l a t t e r .

I

To:

Re:

Operational Technology From: Operational Technology 268-wQ-1305912-SDG, 06/13/2007

CONCEPT OF THE OPERATION
Deployment npqrations Personnel (DOC) will deploy a CIeAV to geophysically locate the subject issuing bomb threats to the Timberline High SclluoL, Lacy, Washington. The CIPAV w i l l be deployed v i a a Uniform kesource Locator (URL) address posted to the subject's private chat room on WySpace.com (S'popular social networking web~itc)

.

ALL

INEO~TI~N comts~

FERELN IS ,UNCLASSIFIED DATE 03-18-2008 BY 609221p/pl¶/rtla

STATE OF WASNINGTON
COUNTY OF KING
Norman B. Sanders Jr., Wig duly sworn on oarh,'deposes and says:

I am a Spaid Agent for the Federal Bureau of Investigation ("PBII*), and have been such for the past five years. Prior t becoming a Special Agent. I was o
.

.

1.'

employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I

sm currently assigned to fhe Seattle Office's Cybet Crime Squad, which investigates.
various computer, and Internet-related federal crimes.
2.

My experience as an m Agent has included the investigation of cases 1

involvhg ~omputer~ntruions. Extortion, Internet Fraud; Identity Theft, Crimes

ahst st Children, htellechlal Property Rights, and other federal violations involving
computers and the Internet. I Pave also received specialized training and gained experience in interviewing and interrogation tedmiques, arrest procedures, search warrant applications. the execution of searches and seizures, cyber crimes computer evidence identification, computer evidence seizure and forensic processhg, and various

other criminal laws and procedures. I have personally participated in the execution of mest warrants and search warrants involving the search and seizure of computers and
electronic evidence, as well as paper documents z personal belongings. h
3.

I am an investigative or law enforcement officer of the united States

within the meaning of Section 2510(7) of Title 18, united States Code, in hat I am enipowered by law m conduct investigations and to make arrests for federal felony offenses.

. Relative t this investigation, my duties include the investigation of o offeqes including violations of Title 18, United States Cade, Sections 87S(c) aterstate Transmission of Communication containing Threat to Injure), and 1030(a)(S)(A)(ij and
4.
Affidavit of Norm Sanders for ClPAV USAW 2W7R00791

Pngt I of 17 Pages

1
2

I

(B)(iv) (Computer Intrusion Causing a Threat to Public Safety).
5.
!

I submit this affidavit in support of the amlication of the United States for :
This search warrant pertains to the Government's pIanned use of a

a. search warrant.

specialized kchnique in a pending criminal investigation. hentially, if a warmnt is
approved, a communication will be Sent to the computer being used to administer www.mvspace.m'iu ' ("Myspace") user account 'Timberlinebombinfo".
,
'

Thecommunication to be sent i s designed to cause rhe above referenced

computer to transmit data, in response, that will identify,the computer andlor the
user(s) of the computer.2. In this aanner, the FBI m y be able t identify the computer o
and/or user .of the computer that are involved in committing criminal violations of
'

United States Code specifically. Title 18, United States Code, Sections 875(c)
(hmtate Transmission of Communicarion Containing Threat

.

4Injure). and

1030(a)(S)[A)(i) and (B)(iv) (Computer Intrusion causing a Threat to Public Safety).

More specScaIly, the U i e States is applying for a search warraut authorizing: ntd
a).
I

the use of a Computer & Internet Protocol Address3 ("IP address")

.
Myspace is a international free setvim that u ss the Internet for online communicalion through uc an interacavc social network of photos, videos, weblogb, user pmfdes, blogs, e-mail, instant messaging. web f r m ,and groups, as well as other medi* formats. MySpace users an capable of ous customizing their user webpage and profile. Users arc also capable of searching or browsing olhcr Myspace webfmges an4 adding other users 8s 'friends*. If mE person identified approves your %end" requeat, he or she will be added t your list of friends. Uscrs are capable of sending Myspace o
'

mesqes and posting commnls on olhEt user's MySpacc webpages.

ln submining thin request, the Gmemment regpeethrlly d m not eoncsdc!that a reasonable expectation of privacy exists in the internet protocol address &signed by a network service provider. or

orher provider t a specif% User and used ro address aud route c1ecrioi.i~ o cocommicati011~ and kom to that'uscr. Nor do= the government c o n d e rhat a reasanable expcctabn of privacy is abridged by UIC Use Of this convnunication technique, M Cat the use of lhis mchniiue to collect a ~omputeT'8TP addtcu, MAC address or other variablea that nre.broadcast by the computer whenever it is c o m t e d to Ute Internet, ~0nstitUks search or wizure. a Concepprsuy. IP addresses arc similar a telephone numbers, in that lhey are used to identify compufen rhat exchange information over the Internet. An I address is a unique numeric address F ~ S e d dircct information over tho Inrrrnet and is a series of four nuinkem, each in the range 0-255. to separated by periods (e.g., 121.56.97.178). In general, informarion sent over the lutemet must
3

cwtain qn Originating IP address and a destination IP addnss. which identify the w m p ~sending s and ncelving the information. Section 216 of (hc USA Patriot Act (P.L. 107-56) amended 18 U.S.C. 503121 et scq to sp~iflcally authorize rht recovery of "addressing" and 'routing" infomtion of Affidavit of Norm Sanders for CIPAV USAO# 2 0 0 7 W 9 1
Page 2 of 17 Page%

.

Verifier ("CIPAV*) in conjunction w t any camputt* that administers MySpace user ih account 'Timberlinebombinfo"
of the CIPAV;

., mm ://www.mns~ace.~dm/tl~lberlinebmb~pl,

without prior announcement within ten days from the date this Court authorizes the use that the CIPAV may cause any computer. wherever located - ehat

b. )

activates any CIPAV authorized by this Court (an "activating computer" t tond o network level messages4containing the activating computer's IP address a W o r M4C
addresl~,~ environment viriables, and certain repistry-rype informstion' to a other cornpurer comolled by the FBI;
c).
that the FBI may receive and read within ten days from the date

this Court authorizes the use of the CIPAV, at any tinie of day or night, the information
that any CIPAV &uses to be sent to the computer conboUd by the FBI; and

d).

that, pursuant to 18 U.S.C.83103a@)(3), b qatisfy the notification

?lutronicAs used here, a network-level message refers to an exchange of technical i n b m t i o n b t w n wmpurers. communications by a pen regisrer/trap & uace order.

'

Such -ge* work in established network pro-Is, dctcrmIniag, for e.urmple, how 9 given ;ommunication will be sent and received. Everv time a cmuur come~tCdo a lccal aRB MIWOIk t [LAN)O Fthe Internet ~lnn&rsto another computer on thd LAN ot rhe Intrm~t,iibm8dcasB ~ ReWorL-level w a g e s , including its F address, a d o r media access control.(MAC) address, andlor ~rher c n v i r o ~ nvariables." A MAC addmss is an uniquc numeric addnss o the network intenkc " t f card in a computer; Envimnment variables rhat may be mmilted include: operaring system rypc and vemion, browsw type and version, h e language the browser is using, etc. These network-level mmges also 0% convey network addressing information, includiag origin and desllnaIillion 1 iffOtma(ion. Networblevel messages are used to make networb opcrace properly, transparendy, and ;onaistently.

~-.
~ ~

~

-

-

C q u t e r s Uldt access, and cotttmunicae on LANs do po via a acework hterfaec card (NIC) installed in Ulc cornpuler. The N1C is a hardware device and every NIC w n t a k its own uniquc MAC addnss. Every rime a computer connected lo a LAN c ~ m ~ l n i c a tons the LAN,the c m p u e e broadcam iu hiAC address.

'

As used hem* "registiytype iufo~alion" refers t infozmtion stored on the internal hud o f i v e of a urmputer that defmes that computer's coufiguration as it relates t a user's profile. This o information includes, for example, the name of the registered owner of the computer and rhe serial number of t naprating system sohare installed. Registq information can be provided by a k mmpnter connected t the Interact, for example, when that camputer connects lo the InfPmef tQ teqU1:st o a s o h a m upgrade from im sofwart vendor.
Affidavit of Nann Sanders for CIPAV USAW 2W7RW791

Page 3 of 17 Pages

requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may M i y providiq a copy of the search warranf and the receipt for any property taken until no
,

more than thirLy (30) days after such time as the name a d location of the owner or user of t@ activating computer is positively identified or a latte~ as the court may, for date
.

good cause shown, authorize. h v i s i o n of a copy of the search warrant and receipt

may, in addition to any other methods allowed by law, be effectuated by electronic
delivery of true an& accurate electronic copies (e.g. Adobe PDF tile) of the fully
exccutd documents.

6.

I a rhoroughly familiar with the information contained in this Affidavit, k

which I Pave learned through investigation conducted with other law enfmement officers, review of documents, and discussions with computer experts. Because this an
application for-a search warrant and pen register, not every fact known about the investigation is set forth, but only &se that are pertinent to the application. As a result
of the investigation, 1 submit there Is probable cause to believe the MySpace

"Timberlinebombinfo" account, e-mail account udouebri~es123&3~maitCom"; e-mail account =mail.~nl";

e-mail account "dou~bbriees234~rnnail.com"; email

account "thisisfromidalv&email.com"; and e-mal account
'tirnberlin_e.suc~mail,co~ " have been used to trausmit interstate communicafions

containing thteats to injure, and involve computer intnrsion causing a threat to public

safety in violation of Title 18, U i e States Code, Sections875(c) and 1030(a)(S)(A)(i) ntd
and (B)(iv). I further submit that there is probable c a w to believe that using a CIPAV

in conjunction with the target MySpace account (Timberlinebombinfo) will assist in
identifying the individual(6) using the activating computer to commit the= violations of

the United States Code.
7.

In general, a CPAV u i i e standard Internet cornpurer bmmands tlzs

commonly used commercially over local area networks (LANs) and the Internet to
request that an activating computer respond to the ClPAV by sending network level
Rffldavit of Nonn Sandcn for CIPAV
USAW 2W7R00791

Pagc 4 of 17 Pages

messages, andlor other variables, a a o r regisfry Wonnation, over the Intent7 t a o computer coatrolled by the FBI. The exact nature of these commands, processes, capabilities, and their confiration is classified as a law enforcm?nt sensitive investigative technique, the disclosure of which would likely jeopardize other on-going hvestigatious andlor future use of the t d d q u e . As such,.the property to be sccessed
by the CIPAV request is the portion of the activating computer that contains

environmental variables andtor certain registry-type' information; such as the computer's true assigned IP address, MAC address, open communication potts, list of
runniug p w s , operating system (type, version, and serial hnmber), internet

browser and version, language encoding, registered computer name,registered company name, -ent
,8.

logged-ln user Mme, and Uaifoml ~

S O U Locator ( U ~ C ~ U )

tbat the target'computer was previously connected KO.
An Internet Service Provider QSP) innally conkols a ratige of several

(or even thousands) of IP addresses, whicb it use6 to identify its customers' Computers.

P addresses are usually ass-

"dynabhllyW: rime the user each

connects to the Internet, the customer's computer is randomly -assignedone of the

avaiIable I addresses contrc~lled the ISP. The customer's computer retains lhar IP P by
address until the user disconnects, and the I address cannot be assigned to another P

user during that period. Once Te user disco~ects, h however, mat IP address becomes
available to other customers who connect thereafter. ISP business customers will

commonly have a permanent, 2dhour Internet coanection.to which a "sratic" (i.e., fixed) IP address is assigned. Practices for assigning IP addresses to Internst uskrs I

wt many providers assigning semi-persistent numbers that may be allocated to a ih single,userfor a period of days or weeks.
vary,

9.
1

Every time a computer accesses the Internet and connects to a web site,

'Ihe "lnternec"is a global computer network, which ektronically connect~ computers and allows comrmaicatio~ d unnsfero of data and information across scar and national boundaries. To a !Pin access m the Internet, an individual utilizes an Internet Service Prwidm (ISP). Tbrsc ISP's are available worldwide.

Pam 5 Of 17 Pages

that computer broadcasw its IP ad&w along with oh& environment variables.

Environment variables, such as what language t h user is communicating in, gllows the ~
web site to mmmunicate back ;nd display information in a f o m i that the comp&r

atcessing the web site can understand. These enviconment variables, including but not
limited to, the I address and the language used by the computer', may assist in locating P

the camputer, as well as provide infarmation that may help identify the user sf the computer.
10.

The hard drives of some computers contain regisw-rype information. A

regisay contains, among other things, information about what operating system software and version i installed, the product serial numby of that software, s

and.h e

name of the registered user ofthe cqmputer. Sometimes when a computer accesses the

Intenet and connects to a software vendor's web site for the purpose of obtaining a. software upgrade, the web site remieves the computer's registry information stored on

.. determining if that computer is running, among other information, a legitimate copy of
their sohare because'the registry infonuation coniains the sofhnrare's product ,.
regismtion number. Regisq itlformatioo. such as the serial 'rmmber of fie hcperatiug

its internal hard drive. The regisby iafomation assists the software vendor i n

rystem software and the computer's registered owner, may assist in locating the :omputer. and identifying its user(s).

11.

On M y 30.2007, a handwritten note was discovered on the premises of a

fie Timber1ine H g School in Lacey,,Washington. Subsequently, school ih idminiitrators ordered an evacuation of rhe students based on the handwritten.bomb
fueat note.
,

,

a). On June 4,2007, Timberlime High School received a bomb threat :-mail from sender: 'douabrie~s1238mail.~om",The Uplinown Subject(s)

IUNSUB) stated in the e-mail "I will be blowing up your school Monday. June 4,
,

.

Affidavit of Norm Sanders for CIPAV USAOi9 2007RW3791

Page 6 or 17 Pages

2 7 T e e are 4 bombs W . hr

throu@wt timberline high school. One in the'math

hall, library hall, &ah office a one portable. The bombs will go off i 5 miwte $ n

intervals at 9:15 AM," fn addition, the UNSUB(~)stated, 'The email server of your iistrict will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-ofSqice (Dm)' attack on the Lamy School Disaicr computer nmork, which caused
3ver 2~,000.000hits on the system within a 24 hour period. School administrators

xdered an evacuation of the school on June 4,2007.

On June 5; 2007, the UNSUB(s) sent an e-mail l?Wr~ b. ) , w p b r 1 g staring the following: . d

< <Read This ASAP > > Now that the schoo! is scared from yemdays fake pomb e t it's now t i t get senous. One in a gym locker. the guls. It's m a o locker Mden under a pile of clothes. The other four I W only ' ! I say the eneral location. One in the Language Hall, One m the b. Oqe ~lndcmerth portable raped wlth s & a m Thy bomb wlll o off if any vibrations are felt. And e kist one Is m a locker. t i s enclosed in a sound roof package, and h a d y undetectable. I have used a vatye of emicals to make the

H

bombs. . They are all dierent

a. sA

YLducbpe

They wl al o off at 10: ISAM. Through remote detonation. il l .Good Luck. And i that fails. a failsafeof 5 mlnutes later.

B

The UNSUB(s) goes on m s u e :
Oh and for the ofice t y t track rb o

.
at.
.,

give you a &t. .Uxouut, from overs* in a foreign country. The gmail ~ccount was created there and h s ernail and ycsarrdays was sent from there. So good luck taljun with Ital about getting the identify of @e person who owns the l h ~ b id&ated server t
c.
3,

officers the t licewas sentyesfirrays emnd7slrntme dislrict K email and technology idotsgmil I The email over a newly made

:

In another e-mail from sender *d0~ebriees234~ail,com

fie UNSUB(s) states the following:
Hello Again: Seeing as how ou're too stu id to trace the email back lets get serious." phe mentions bombs s to . a

UNSU$S)

i

I

A DOS actnek is an Internet based computer attack in which a compromised system auacka a iingle largel, thereby causing I denial of service for vriers of &e l e e t c d computer s y s m The fldod >fincoming messages to the rarget sysfern essentially forces it t shut down. thereby deny& service to o he system t legitiinate users. The DOS attack is generally targeted at a particular ne-k o service, ~uch e-mail o web a as r .

4

I I
u I 1
Y

detonate between 10:45-11:15 AM, and adds1 Seriously, you are not Bill oing to catch me. Sa just give u Maybe you should hire wait 1 hater to tell you t a it is coming& Italy. HAHAHA Oh ht t to alreadv told vou chat. So sm ~ r e t e n d h ~be "trache it" because I where t r a , ~ have already-toldyii it's c o & ~ f i o m Tdy. That is will stop so 'ust stop trying. Oh and this ernail will be behind a proxy b e d tho Italy server. ~ d). School admhktators ordered an e v a c u a of the who01 on June
e).

7

On JUIE 6,2007, Principle Dave Lehnis of Timberline High

8 9

School received an e-mail fromsender: "douebri~vs9~1Amnail.~0m~.e-mail The

contained the following text: 'BNJOY YOUR LIFE ENDING".

lo

ID another email f o B rm UNSUB(s) states the following,
f).

e

d

l l @ m n a i l . c e the

emaifae~'unithat has already been deleted of all information b the time you read his email. Get your.asson a plane to Italy i you want it t stop. o

r

.

g).
I& 6,2007.

School admiuisaators ordered an evacuation of the school on

h). On June 7,2007.Timberline High School recived an e-kid from I sender "rh'isishmiralv@Pmajl.com." The UNSUB(s) states:
Affidavit of Norm Srnden for CIPAV USAW 2007R00791

'There are 3 bombs lanted in the school and they're all dierent kinds. I have rema e these weeks in advance and tested the timp to make sure ey work to exact millisecond. Locking the doors is a good plan, but too late."

2, B

i). s June 7, 2007..

I

School administrators ordered an evacuation of the school on

On June.7,2007, UNSUB(s) posted Wee of the threatening the j). s lie-mails in the comments section of the onlinenews publication service, 'theOlympian".
7
9
lo

I

theolympian.com" IThe adwhiskator fromUNSUB(s) re-postedremoved the threatening e-mail postings., phortly thereafter, the the threatening e-mails. Eventually, the adminiseator of 'rhmlympian.camw disabled the *comments'" section.

12

, ~ 3

14

1s which had rewaled a complaint f k i a person identifed as 40. AG Stated tbat she
14
17

I

I

.I
k
On June 7,2007, Detective Jeremy Knight, Lamy Police

D e p m n t (LPD). received information from the Thurston County Sheriffs O f c , fie

18
19

I
1 I

invitation through myspace.com from the Myspaceprofile of 'tTimberliwbombinfan wanting her to post a URL link t o . . hm://bambe&ls.hvoert)ha. corn on her myspace.com webpage. The UNSTJB(s) advisd her that failure t comply would result in her name being associated with fume o threats. Similarly, Knight received a phone call from a parent alleging that her the same request from the UNSUB(s). According to Knight, 33 students
received
&

u beceived a request from h e UNSUB(S) to post the link on their respective myspace.com 23 webpages. Subsequent interviews performed by Kaight yielded limited information.
25
26
7

On June 7, 2007, V W and BP received Myspace private invitations 1). from an individual utiliiing the MySpace moniker 'Timberlinebombinfo". V W .
and IInstant
from

accepted the invitation an I Message (AIM) fr~m'~~imberlinebombinfo''receivednameAmerica Wine la an iqdividual utilizing AHM screen

09." Communication ceased with "Alexspi3rinp_O9"after VW iaformaion related to the bomb threats. VW believed screen name associated to ALEX SPIERING. a student at Timberline High.

-09" and "Timberlinebombinfo"used to have the
gtaphic on their Myspace webpage. "Timbe~linebombinfo" e d y changed r
from a picture of guns t a o
of a bomb.

m). On June 7,2007, Thurston County School District reported ALEX 9 QSPIERING resides at 6133 Winnwood Loop SE,Olympia, WA, 98513, teleph,one (360) 10 p 5 9 of birth- 6 date 0 . 19I.

:IS

19

"1
21

"I I "1
I2
14

n). On J p e 8, 2007. Comcast Internet. Thorofiire. New Jersey. 13 b o r t e d that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515
received Comcast Internet services for the following subscriber:

Sam Spiering 6133 W i w o o d Loop SE, Lacey, WA 98513 Telephdne (360) 455-0569
Dynamically Assigned Active Account Account Number: 8498380070269681
0). On June 8. 2007, Thurston County School District received two

17

-

-

P additional bomb lhreat e-mails h

,. m "Timhe~Iine.Suck@~m ail.cam." which resulied i n

u the evacuation of the Timberline High School.
24

25
26
27

On June 4.2007. Cioogle provided subscriber, registration. and IF Address log history for e-mail address "douebriggS11236email.corn"with the following results:
Status:
*

12.

E a l d (user deleted account) nbe

28

Setvims: Talk, Search History, Gmail
AMdavit of Nom S d e for CIPAV adn

USAW 2007R00791

Name: Doug Briggs 'SecondaryErnail: created & 03-~un:2007
Lang: en

P : 80.76.80.103 P LOGS:.All times are'displayed in UTCJGMT
gpugtvicasl23~~mail.com
DatelTime

IP

063~-2007 05:47:29,am

81.27.207:243 80.76.80.103
80.76.80.103

04-Sun-2007 05:43: 14 am '
03-Sun-2007 1944 am 06:

On June 6,2007,a SmartWbIs lookup of IP Address 80.76.80.103 a). !solved t Sonic S.R.L.Via S.Rocco 1, 240@, Grumello Del Monte, Italy. o

horn: +39035M91296, E-mail:Staffmsonic.it. Your affiant connected t o
@://sonic.ita which dispiayed an Italian busin& webpage for sonic SRL Inremet.

%-vice Provider.

On June 7,2007, a request to MySpace for subscriber and IP ddress l&s for Myspace user "Timberlinebombinfo"provided the foilowing results:
b. )
User I : D
199219316

Fs Name: it r
last Name: ,
Gender;

Doug
Briggs

Male
14

.

Dt of B r h ae i t :
"

12110J1992

Age;
couq:

US
Law

City:

rffiddvil of Nonn Smdera for ClPAV JSAOC 2W7ROM91

Page I I of 17 Page$

Postal Code: Region:

985003

Western Australia
tirnberljne.sucksB~mai1 .corn

Email'Address:'
User Name:

timberlinebambinfo
80.76.80.103
Juae 7,2007 7:49PM

Sign up I Address: P
Sign up Date:
Delete Date: Login Date
10
11

NIA
June 7,20077:49:32:247 PM I Address 80.76.80.103 P

I

o).

FBI Seattle Division contacted FBI: Legate Attache Rome,Italy and

an official request was providcd t the Italian ~ a t i o hPolice requesting assistance h o l contacting Sonic SRL and locating the cornpromisad kmputer utilizing IP Address
80.76.80.103. d). m,June7, 2007, the S y s m Administrator for the 1vm~ian.k advised the posting of the bomb threat ehails originated porn
192.135.29.30. A Smartwhois lookup resolved 192.135.29.30to 'The
.

12
13

14

'

,

titute of Nuclear Physics (INFN).

-

Labratori Naziatdi di hgnaro,

Based on my B a W , expMence, aud the investigation described hereiq!,1 owing among other things: a). that network level messages, including the originating TP address
'

ess, other variables, and ce,&h regism-ripe infomation of a computer

sist in identifying the individual@)using that comptw; and

b: )

the kidividual(3) using the aforementioned activated computer

sed computers to conceal their true originating fP address and thereby

iting the individual(s)' identification. ,Compromised comp.ukrsare
w t computer viruses, trojans, or other malevolent programs. which ih
ability to conirol computet(s) on the Internet or particular selvic~s
A f f i v i t of N m Sandera Eor ClPAV o
USAO# zMnROW9 1

Page 12 of 17 Pages

compromised computer(s) without authorization. It is common for individuals

aged in illegal activity to access and control coinpromised computer(s) to p ro ef m icious acb in order to conceal their origktiug IP addresses.
14.

Based on mining, experience, and the investigation described herein, 1 t the PBf t determine the identities of the individual($) using tbe o

concluded that wing a CIPAV on the target MySpace 'Timberlinebombinfo" ring computer. A CIPAV7s'aetivationwill Muse the activating computer t send o

P level messages, including tbe activating computer's originating I address and
ss, other variables. and certain registry-type information. This information
in identifying the individual($)using the activating computers.
15.
,

The C P A V wiU k deployed through an electronic messaging program

conaolled by ;he FBI. The computers sendink and receiving the be machines controlled by the FBI. The electtonic message deploying
nly be directed to the administrator(s) of the "Timberlinebambinfo"

a).

Electronic messaging accouuts commonly require a unique user
same and password.

b. )

Once the CIPAV is successfully deployed, it will conduct a onetime search of the activat'ing computer and capture the information
desctibed in paragraph seven.

c).
,

The captured information will be forwarded to a computer
conmlled by the FBI located within the Eastern Disuicc of

d).

Virginia. After the onetime search, the CIPAV will function asa pen register device anxl record the muting and destination addressing information

for electronic communications originating f o the activahg rm
computer.
Affmvit of Norm Sadeta for CIPAV USAW'lW7R00791

Page 13 of 17 Pages

e).

The pen register will recod PB address, dates, m d times of the

electronic comwnicatiom, but not the aoutents of such
ccmmunieatioas or the contents contained on the computer, and

U'mard the

address data to a computer cantroned by bh ye

FBI,P r p d o d of (60) days. w
CQNCLUSIOM
16.

Ikrsed upon my review of the evidence, my training and experience, and
,

iformation I have gathered from various computer experts, I have probable cause to
elieve that deploying a ClPAV in an electronic message directed to the administrator(s)

f the MySpace 'Timberlinebombinfo" account will assist in identifying a computer and

idividual(s) using the computer m transmit bomb mats and related wmmunications in iolation of Title 18,United States Code Swtions 875(c) and 1030(a)(S)(A)(i) and

3)(iv).
17.

Becawe notice as required by Federal Rule of drimid Procedure

l(Q(3) would jeopardize the success of the investigation, and because the hvestigation

a not identified & appropriate person to whom such notice can be given, I hereby s I
quest aumorizatioo to delay suoh notice until an appropriate person b identifA.

h e r , assuming providing notice wollld still jeopardize the iuv&tigatioion after rur
~ropriate person to receive notice is identified. I request~permission ask this Court to
1 authorize an additional delay

in notification. In any event, the Unitwl States

Dvcrnment will notify thii Court when it identifies an appropriateperson to whom to
ive notice, sa that this Court m i y determine whether notice shall be given at that h e .

Because there are legitimate law enforcem~nt interests that justify an nanuounced use of the CIPAV and rev$w of the messages generared by the aciivathg
18.

,

4Wdavit of Nom ~adcn' CIPAV for

JSAW 2007RMn91

.ter in this case: I ask this ~ o u rto authorize the proposed use of a CPAV t
t the prior announcement of its use. One of these legitimam law enforcement

is that announcing the use of the CIPAV would assist a person conaolling the

,

computer(#)to evade revealing its true IP address, other variables, and certain e infDrmation - thereby defeating the ClPAV's purpose. 19. Rule 41(eX2) requires that (A) the warrant command the PBI ''to execute
'within a specified time no. longer thsn 10 days" and (B) "execute the .

the d a y w e unlesa the judge for good cause expressly authorizes

r time.. ." In order to comply with Rule 41, the Government will
between the hours of 6:00 a.m. and 10:OO p.m. (PST)during an

. However, the Government seeks permission to d any messages
"ahg computer as a result of a CTPAVat any dme of day or night
period. T i is because the individuals using the activating hs

and e CIPAV after 10:OO p.m. or before 6:00 a.m., law
read the h e m t i o n it receives as soon as-it is aware of the

emergent nature of this investigation. If the C

W is not

O-day period, the Government wl seek further authorization il

n sent to the computer controlled by the FBI as a from the date the Court authorizes the use of the
20.

Because the FBI tannot predict whether any particular fom111ationof a

s) mnkolling the activating computer40 activate rize the FBI to continue using additional
ySpace accwnt (for up to 10 days after this been activated by the activating &puter.

Aff~davilof Nom Sandm for CIPAV USAW2mm791

Page I5 d 17 Pages

dl.

Accordingly, it is respectfully requested that thiscourt issue a search

a m t authorizing the following:
the use of multiple CIPAVs until one CIPAV is activated by the a). tivating computer in o~njunctioa. the target kIyspace *TimbedinebombiafoW with
,

, &ithour prior,annou~lcernent, within 10 days from the date this Court authorizes

the CIPAV may cause an activathg computer - wherever located b. ) etwark level messages containing the activating computer's 1P address, andlor

s, andlar orher variables. a m o r certain regisay.*lpe information to a
led by the FBI and located within the Eastern Di~Uict f Virginia; O c).
that the FBI may receive and read, at any time of day or night,

'

m the date the Court authorizes of use of h e CIVAV, the information
ses to be sent to the computer controlled by the FBI;

d). that once the FBI bas received an initial ClPAV response from the ivating computer consisting of network level messages contawg the activating

rs IP address, andlot MAC address, and/or olher variables, andlor c m i n ' information, the FBI will thereafter only be collecting the Q ~ s of
routing information that can be collected pwmnt t a pw register o
.

.

e).

that. pursuant to 18 U.S.C. 63103a(b)(3). to satisfy the notification

Pederal M e of ~ r & l Y e w 41(f)(3), the FBI may delay md
y of the search warrant and the receipt for any property talcen until no
(30) days after such time as the name and location of the individual(s)
ug computer is positively identifd or a latter date as the court may,

n, authorize. Provision of a copy of the search warrant and receipt
ny ocher methods allowed by law, be effectuated by electconic

curare electronic copies (e.g. Adobe PDF file)of the fully
Affidavit ot Norm Spndcrs for CIPAV USAW urwRWl91

.

Page 16 of 17 Pages

?

22.

It is fuaher requested that this Application and the related documZnt6 be

filed under seal. The information to be obtained is relevant to an on-going invesqgation.

Remature disclosure of this Application and related documents may jeopardize the
iucces8 of

the above-described investigation.

WHEREFORE,Affiant respectWly requests that a warrant be issued authorizing
b FBI ro utilizt: a CIPAV and receive the attendant information according to the terms
st fonh in this Affidavit.

TIXIS APPEPCATTORI DQES NOT SEEK AUTRQHPPZATIQN TO O B P 1 iBE ~ O N l % N T ANY ELECTROMC COi+vfMDMCAmONS,AND 'FWE OF WARRANT WlLL SO SECU'Y.

me &is

iworn t an subscribed before . o day of June. 2007

. n#

~fidldavitof h r m S d e r s for CIPAV

USAW 2CO7R00791

Page 17 of I f b e ¶

SECRET

(3

caea: Atd-GIanu

4.37 ~

4 - 7

-

UA

1

IS)

DIIIL: 08-14-2008 CIIISSInH) BY 60322UElp1Sq /L& A50Q: 1.4 I s )

CLAS4TFI MT: 08-14-2033

ALL TWPOPEATZ31 COXTkZNED

SECRET

tlERt7U T9 ETCtA357tTE0 EXCEPT SHOGW OIEERUISE

Precedence:

ROUTINE

Date:

09/05/2007
b6
b7c

TO :

Records ~anagement Attn: ~ ~ ~ S / w ~ ~ / ~ i n c h e s t2, GR N23 Site e r
Office Special Technology Special Technolosies and Applications Office
Contact:

From:

1

approved -By:

I
-:w,~~
(Pending)
~

..

Drafted By:

' ~ a a e #: ID

130-HQ-C1547903
~ ~

/w d
ALL INFORMATTON ~ 0 i m ~ 1 m ~
HEREIN IS UI$CLA5SIFIED DATE 03-19-2008 BY 603221p/plj/rds
.
,

Title:

FREEDOM OF INFORMATION ACT REQUEST FROM WIRED NEWS
----------

ELECTIjllNIC FRONTIER,AND C~ET ,NETWORKS-

.

,

Synopsis: To advise Records ~anagementof results of the Special Technologies'and Applications Office (STAO) search for responsive documents pertai.ningmto the Computer and Internet Protocol Address Verifier ,($IPAV)tool pursuant to captioned Freedom of Information Act. (F6IA)p request. . .

.:
,i
:,.

Reference:

190-~~-d1547903 Serial 49

Enclosure(s): Enclosed under separate cover for Records Management are: one (1) compact disk containing an electronic copy of "Magic Quadrant for Information Access Technology." aqd, ,,(I) packetof all STAO IAU held CIPAV tool materials.

!'

Detaile : !Pureuant to Records Management request detailed in referenced communication, STAO canvassed all unit personnel for any and all documentarion, correspondence, and materiala concerning the CIPAV tool. The response w a s negative for all STAO entities with the exception of the Investigative Analysis Unit (IAU). IAU has provided copies of all unit resident information concerning the CIPAV tool. The requested information has been forwarded under separate cover to Records Management. Inasmuch as the Records Management request for a search for any and all CIPAV materials was conducted, with t h resultant te materials forwarded to OTD, STAO considers the matter satisfied and the lead covered.

,

To:
Re:

??

Prom:

,,. , .?

,

,

,

,

,

Office sp&cial Technology
09/05/200d7

190-HQ-C1547903,

LEZ+D(a):

Set Lead 1:

(Info)

RECORDS MANAGEMENT
AT RIDS/~PU/WINCI-~ESTERSITE 2 , GR ~ 2 3

Read and C l e a r .

(Rev. 01-3 1.2003)

Precedence: To:

ROUTINE

Cyber

Cincinnati
Indianapolis Evansville RA

; r j \
I SSA )
i jjb
ALL INPORNATLON CONTAINED b6 H R I T IS UNCLASSIFIED E ER b7C DATE 03-19-2006 BY 603221p/pljlrds

Las Vegas

From: OFFICE SPECIAL TECHNOLOGY
STAO/STOU
Cootaot :

Approved By:

Drafted By:

G

Case,ID
Title:

#

:

l

I

(Pending)

cTPAv nPPT,nYMrNT '

Synopsis:

To f o r w a r d results

of analysis a n d to cover lead.

r:
Enelesura(s):

F i n a l report of f i n d i n g s dated May 23, 2001.

Details: he r e f e r e n c e d analyze 1

1

irequested that STAO

Previous analvsis of CIPAV data resulted in the
b2
b7E b7A

To:
Re :

ICE SPECIAL TECHNOLOGY 05/25/2007

Enclosed is a final report of findings. This report supercedes any preliminary reports that were provided electronically/telephonically prior to the publication of the final report. Please note that the final page of the report includes a customer satisfaction survey and.that, time permitting, STAO/STOU would appreciate candid feedback in order t o ensure the satisfaction of its customers.
STOU considers this Lead covered.

SPECIAL TECHNOLOGY

05/25/2007

LEAD ( a ) :
Sea Lead 1:

(Info)

CYBER
A'ILR#SH.I.NGTON.

DC.

Read and Clcar.

sat uILd 2 ;

(Action)

CTNrTN,ty$TI

AT CINCINNATI. 0 1 0 11
Read and C l e a r .
S b t laad 3!

(Info)

LAS VEGAS
AT LAS VEGAS. NEVADA

Road and Clear.

set wad

4 ~ :

(Info)

INDIANAPOLIS
A'I' E V A N S U E
INDIANA

Read and Clear,

August 28,2007

RMS Request Number:
I D :0116159

Performance Xndlcator :Technical exprtlr Opened : 11/17/2006 3:41:39PM

Stntus :Closed

Closed :5/14/2007 9:43:57AM
b6

Requestor Name
Phone

I[: -

I-:

office : HOUSMN
Offlcs t o d m :3290-0000

b7C

-

I

Case Clasrifiratlon Number :315A Investigative Pmgrsm : NRP-lT Assigned t Name o Figned TO fmup : CEAU
Program Manager

b6 b7C

I -:

.

PmQram/Type :Remote Computer Trace

I

catee~:cEAu
Ibm: Internet Tracer

Derived from: OTHER

DATE: 04-11-2008 CLASSIFIEP BY 60322UCltP/PLJ/gjg REASON: 1.4 ( C )
DECLASSIFY ON: 04-11-2033

ALL 'INFOPJL4TION COETATNED HEPJTRI I5 UNCLASSIFIED EXCEPT
WHERE SHDWN OTHERWISE

August 28,2007

RMS Request Numtrer:
Request I D :0092259
PeMrmance Indicator :~echnical expertise
Opand :9/27/2004 2:28:13PM

1 Status :Closed
Raquestor Name

C l d : 1/13/2005 1:39:50PM

Phone

: n

: n
: n
m

I I

I

Office :'OMAHA

Case Classffleation Number :

lnvertigative Pmgram :
Assigned to Name
- 0 ~

Program Mana er :

~saigned ~ m u : o TO p
:D m

(S)

-ram/-

Item: Internet/ISP intercept

4 S ]1

IffT',I
b2

b 7 ~
-I

27120W 2:28:13 PM
ssigned/forwarded request t

-

o

r

1

u
9/27/2004 2:28:13 P P f y assignedlbnrvarded request b

DATE: 08-14-2006 CLASSIFIED BY 60322UC/LP/STP/gjg
REASOB: 1.4 ( C ) DECLASSIFY ON: 08-14-2033

o h a s Raasslgned or Forwarded th 10/21/2004 1:20:40 PM

ALL f A 1 F O ~ T I O NCOXTATNED
HEREIN TS UDTELA591FIED EXCEPT

WE E fR

mom

OTHERWTSE

Request ID :0096936

Petformane Indlwtor :

IStatus :Completed

d e

Opened :2/1/2005 7:34:18PM

'

Closed :3/25/2005 9:47:31AM

I

I

I'

Case MassifiGstSah : I Imcstlgatlve ~ m iNumberIXZZZ a r nM :

Pmgram Manager

I ( :

;vC

Assigned To Group ; EP CEAU
Categoy :CEAU

Pmgram/Type :DataPole Irrtercept with EnctypWon

Itern: Encryption Technologies

I
1,
n
I

pfrields has Reassigned or Forwarded this
b 3.

3/25/2005 9 4 2 3 1 AM

b2 b7E

Jw Reassigned or Forwarded this 'wue?

I

as Reassigned or Forwanled this request m
DATE: 08-18-2008 CLASSIFIED BY 60322UC/LPISTP/gjg REASON: 1.4 (E) DECLUSIRI ON: 08-11-2033
ALL IlFORElATIOlV COhTAIlED HEWIN IS UNCLASSIFIED EXCEPT
W2 SF t .

2

I

SiIOW$ OWRTJTSE

Page 1 of 1

August 28,2007

RMS Request Number:
Request I D :0097973
Parformanee Indieator :
Opened : 3/8/2005 12:35:09PM
Closed :3/18/2005 2:34:41PM

status :a m p l a

I

RequestDr Name

Phone

: n
I-:

I- :

Ornw :CyDfIINI
Offlw Code : 1813-0000

Cats Classiflcablon Number :315A
r n v w g a t i w Program :NRP-IT
b6 f 1 b7C

Assigned b Name

~rnghm Manager Program/-

Assigned To Group : CEAU
Categoy :CEAU rtem: Internet: Tracer

:Remote Computer Trace

DATE: 08-14-2008

CLASSIFSED BY 60322VC/LP/STP/g>g
REASON: 1.4 ( c ) DECLASSIFY OM: 08-14-2033

ALL INFORFlATION COUTAIIdED HEREIP I5 UNCLA55IFIED EXCEPT n P E SBOWN VTtERWISE

Page 1of 1

August 28,2007

Request I D :0099200

Performance Indicator : Opened :4/25/2005 10:32:21AM
Closed :4/27/2005 8:43:llAM

Status : Completed
Requestor Name Phone

1-

1-1

~ffica BUFFALO :
m c e code : 3110-0000

b6
b7C

Case Classification Number :315A

rnvestigative Progmm : NRP-lT
Assigned to Name

4

1

Program Manager

n

06

b7C

Assigned To Gmup : CEAU
Categoy :CEAU

Prograrnlqpa :Remote Computer Trace

Item: Internet Tracer

.

l~equeaed Support :Buffalo request asslsbnoe wlth UPAV

11 Ilworklog :4/27/2005 8:43:11 AM
I
1

IS) J
bl
b2

b7E
b6 b7C

DATE: 08-L4-2008 CLASSIFIED BY 60322UC/IP/STP/gjg REASOW: 1 . 4 (C) DECLA35Im 08: 08-14-2033

ALL INFOREIATLON CONTAINED
HERETl T5 UNCLASSIFIED EXCEPT WWRE SHOWN OTHERWISE

UN~JASFED
Page 1 of 1

Request 10 :0099477
Status :C o m p l M

Performance Indicator :
Opened : 5/6/2005 9:03:10AM

Closed :5/6/2005 9:04:llAM
Ofiice : PHILADELPHIA

Requestor Name : Phone : I(

n

OFRce Code : 1813-0000

b6 b7C

Case ClassMcalion Number :315A

Investigative Pmgram :NFIP-TT
Assigned to Name h i g n e d To Gmup : CEAU
Category :CEAU

1-4

Program Manager

: n b7C
u6

Program/Typ :Remote Computer Trace

mm: Internet Tracer

DATE: 08-14-2008

CLASSIFIED BY 60322UC/tP/8TP/~j~ REASON: 1.4 ( C 1 DECLASSIFY ON: 08-19-2033

ALL TUFDPWTTON CDETAINED
tiERETN TS UNCLASSIFIED EXCEPT WHERX SHOWN O m R W T S E

SECRET

L

UC ND

Page 1 of 1

RMS Request Number:,
Request I D :0100740

Pertormanee Sndlcator :

1 ststus ! ~

o m p l ~ Opened :6/23/2005 10:33:56AM

Closed :6/23/2005 10:34:25AM
0ffim :NMT ORLEANS

.
b6

Requestor Name : Phone : ICare ClarrMcaDian Number :315A Investigative Program :NRP-TT
I

W k e Code : 1813-0000

b7C

Awigned ta Name

: n

~ & i a m Manager :

n

%6

b7C

-

AWigntd TO Gmup : CEAU

hQr;lm/Type :Remote Computer Trace

Cakgory :CEAU mm: Internet Tracer
..

bC 7-

~ u p p o r l ~ ~ n w a nto t s : sendl to a cyber extortion subject. b1
b2

1 Worklog :6/23/2005 10:34:25 AM
11
&=ant
l T
amplate sw a amdavit to S A n a n d ~ On n 5.23.05, ~ ~ n a d v i s that he b still ed get a warrant to use the technique. On 6.23.05 dvised that case is being closed. COMPLFED

b7E

ALL TWFORELTTOI COMAImED -IN 19 URTCLASSIFIED DATE 09-16-2008 BY 60322UC/LP/STP/gjg

Page 1 of 1

August 28,2007

RMS Request Number:
Request ID :0102202

Perlbrrnanfe Indicator :
Opened :8/12/2005 3:52:28PM

Status :Completed
Requestor Name : Phone

claeed :9/28/2005

12:39:43PM
b6 b7C

: n

7

1

0ma :CLEVELAND omoe Code :3170-woo

Case C l a d f i e o n Number :315A
Investigative Program ;NRP-lT

f
Arsigned To Group : CWU

l
Pmgram/Type :Remote Computer Trace

b7C 6-

I
I

I t n u Internet Tracer

communicating wlth fugithre via Email
b7E
b6

ALL IWFORFUTIORI COliTLTWED HEPEW 3 1 UNCLASSfPIED DATE 09-16-2008 BY 60322UC/LP/STP/gjg

Page 1of 1

August 28,2007

RMS Request Number:
Request I D :0102303

PerPDrrnance Indicabr :
Opened : 8/17/2005 1:10:54PM

Ststus ? Completed

C l o d : 8/17/2005 1:11:12PM

Requestor Name

Phone Cam ClassCReation Numlrer :315A Imastlgatlve Pmgrarn :NFLP-TT
igned Q Name : O

I[: -

: n

m m :C H A R L r n
ORia Code : 1813-0000

migned To Group : CEAU

.

Prmram Manager Pmgram/fypc !'~mI0te Computer Traa

: nb7c
06

Category :CEAU Item: Internet Tracer

DATE: 09-16-2008 CLAssTFIED BY 60322 V C / L P / S T P / ~ ~ ~ EASORT; 1 . 4 ( c l
DECLASSIFJI ON: 09-16-2033 ALL INFOaEIATION CONTATldED HEEIRT I S UNCLASSIFIED EXCEPT WERE SHOWN OTPERWIIE

1 -

1 /

.

Page I I of

RMS Request Number:
Request ID : 0102306
PerPormance Indicator : Opened :8/17/2005 1:26:50PM C l o d :8/17/2005 1:27:02PM

m u :Complekl ts
Requestor Name
Phone :

I: [

OR :LOS ANGELES f m Miice Code : 1813-00W
b6

Case Classification Number :315A
Tnwstigatlve Program : N R P r r Adgnedto Name

b7C

I(:

Pmgram Manager

f -4

i**signed To Group : CEAU

Pmgam/Type :Remote Computer Trace

mtegoy :CEAU

Item: Internet Tracer

ALL IWFOQJWTIDI CONTAINED F I N IS UXCLASSXFfED EXCEPT W W S B O m OTERWISE

Page 1 of 1

August 28,2007

RMS Request Number:
Status :Gornpleted
O m ;10/18/2W5 2:22:16PM

C I U :1W1812005 2:22:32PM

Offiw Code :1813-0000
Case Classification Number :315A

Asslgned To Group : CEAll

~ m g r a m / V l k Remote Computer Race :

m m : Internet Tracer

b6
b7C

ALL INFORHATTflN COBjTAWb mRgm 25 UNCLASSIFIED
D A 09-16-zooa ~

nr

SO~Z~UC/LY/~'~P/W~~

RMS Request Number:
Requert ID :0106847
Status :Cmnpleted
Opanetl: i1/28/2005 i1:02:43AM

Performance Indlcatxlr :
Closed :12/21/2005 2:08:31PM
b6 b7C

I

Requestor Name : IDENVER I MAce phone : Mnw Code :3210-OW0 C m ClassffiUtion Number :315A a Investigative Program :NRP-TT

1-

nssigned TO GWUp : CEAU Category : CEAU
Itsrn: Remote Computer Search/Surveillance

ProgramIType :Computer Exploitation

I
Requested Support :Re hlcall t o 0 1 1 / 2 3 & 2812005. Denver requests use of the CIPAV technique. A draf of an affldavR has been e r n a i l e d a o n 13/28/2005. Additional information wlll follow re method used to deliver the
technique. Questions, please call)

og :12/21/20052;08:31 PM

DATE: 09-16-2UU8 CLASSIFIED BY 60522UClLP/STP/gjg REASON: 1 . 4 ( o ) DECLASSIFY Om? 09-16-2033

ALL IMFORMRTIUll C W I E O AN D E R E I N IS UNCLASSIFTED EXCEPT TiEZFE Si m DTTERWISE I O

Page 1of l

August 28,2007

Seatus :Completed
Requestor Name

Opened : 12/6/2005 4:19:10PM

Closed : 12/6/2005 5:08:04PM

Phone

: n
Number :315A

I: -

DA :PHOENIX f m

I

Miice C d e :3630-0000

Caaa ~la&cati&

InvestigativeProgram :NFIP-TT migned to Name:
'

Assigned To Group : C U m Caregoy :CEAU Itrm: Remote Cornpuhr Search/Surveillance

PmgramlType : Computer ExploitaSon

t S ' I

I

bttempts to get status of intere from land I T A l "]metwlh negatlve m u b o a numzr of mssions. COMPLITE.

I

DATE: 08-14-2008 CLAlSIFSED BY 60322UC/LP/STP/gjg REASON: 1.4 (C]

DECLASSIFY 0 1 : 08-14-2033
ALL INFOREIATION COlK4INED HEREIN I S UNCLASSIFIED EXCEPT WIEW SWOWN VTKCRWISE

Page 1 of 1

August 28,2007

RMS Request Number:
Request I D :0107347
Status :Completed
~eqiestor Name

0107347
Pwlbrmance Indkatur :

Opened : 12/14/2005 5:04:36PM

Closed :2/9/2006 9:32:16AM
O ~ :WASHINGTON K
M R C ~ C O U :3920-0000 ~

: n

I - :

b6 b7C

Cam Classifieatlon Number :315A ~ ~ g a t i Program ;NRP-lT v e

.

Assigned to NameI: Asdgned To Gmup : CEAU Category :CEAU m m : Remote Computer Search/Sutveillanoe

Program Manager :7 1 PmgtamlType :Computer mplohtlon

o6

b7C

Warldog :2/9/2006 9 3 : 6 AM :21 sslms

-

ALL I N W m T I O I COrnAINED
HEREIN I9 ETCLASSIFXED

PATE 04-15-8006

BY 603ZZVC/LP/PLJ/gjg

Page 1 of 1

I

August 28,2007

Request I D :0107566

~eiformaice Indimtor :
Opened :12/21/2005 2 : 1 5 : 1 5 ~ ~Closed : 1/5/2006 4:55:44PM

Status :Completed
~cquegtor Name

I
b6
b7C

I-:

(Iffice :W V G A s
Mnee Code :33806000

p h 0 n e : I l
Case Claslficatlon Number :315A

Investigative Program :NRP-TT
~mgram Manager : Ib7c

Asslgned To Group : CEAU eabegoy :CEAU Itam: Internet Tnwr

DATE: 08-14-ZOO8

CLassIFIED BY GO322UC/LP/STP/gjg REASON: 1 . 4 ( C )
DECLASSIFY ON: 08-14-2033

ALL JRTFOPJUTIDN COmAINED =REIN TS UNCLASSTFIED EXCEPT WIIERF SEOWN OTHERWlSE

Page 1 of 1

RMS Request Number:
Request I D :'0111114

Perfbrmance f ndleator :
Opened : 4/27/2006 10:43:58AM C l d :4/27/2006 10:44:16AM
OflCe :PrrrSBURGH

Status :Completed
R~uastM Name :

I

I

.

Phone :

1-

0mce code :3650-0000

b6 b7C

Case Claasifiation Number :315A
Inveetlgatlve Program :NnP-rT
Assigned to Name
category :CE4U
m m : Internat Tmcer

I(:

~rograrn Manager 4 1-

~6 b7C

Assigned To Group : CEAU

Program/Type :Remote Cornpuber Trace

b6
b7C

ALL IWFOREhTION COEJTAIXTD HEREIN IS UNCLASSIFIED

PATE 04-15-2008 BY 60322UC/LP/PLJ/gjg

Page 1 of 1

August 28,2007

RMS Request Number:
Requesl I D : 0111145

Performance Indicator :
Opened :4/28/2006 9:45:21AM

Status ;Completed
Requastor Name

Closed :4/28/2006 9:45:44AM

Phone

I- :

Office : ( :DM-CRYVrOLOGIC B ELECIR ANALY I
Omce Code ; 1813-OW0

I

CaPe Classlfldon Number : ' 3 1 5 ~
fnwetlgatlve Program :NFIP-lT
Assigned Name :

I
I

1-

Prqjram Manager

4

)

Assigned To Group : CEAU category :

PmgramlTypsl: Remote Computer Trace

mu.

Item: Internet Tracer I
Reauested Support :& 8.31.05. SA) On i

DATE; 04-15-2008

CLASSIFIED BY 60322UC/LP/PLJ/dU REASON; 1.4 (Cl DECLASSIN ON: 04-15-2033

ALL I ~ F O r n T I O NCOrnATNED WEREIN IS UNCLASSIFIED EXCEPT mE 5 n m OrnRWISE R

Page 1. of 1

August 28,2007

RMS Request Number:
Request I D :0115736 Status :Closed
Opened : 11/2/2006 5:14:29PM

Performance Indieator :Technical expertise
Clmed :3/7/2007 10:28:16AM
OW~B :

Rtque~br Name $ 7 Phone

1-1

~rLOUIS

b6
b7C

Office Code :3730-0000

Case ClassHization Number :315A

InvePligative Program :NFIP-TT

-Asslgnd to Name : n
Assigned t o Gmup : CEAU SL
Cetegvy :CEAU

Pmgram Manager : I-

6b7c

Programlfvpe :Computer Exploibtion

-

Item: Remote Computer Search/Surveillance
1

has Reassigned or Fornarcled this q,tCt to
bl

DATE; 09-16-2008 ALL IMFORMATIOM COMTAIUED CLASSIPTED BY 60322UC/LPt3TP/qjg WEREIN IS UNCLASSIFIED EXCEPT PEASON: 1.4 ( c ) WHERe SHOWN O'lEERUISE DECLASSIN CQJ: 09-16-2033

Page .l of

1

August 28,2007

Request ID :0117037 Status :Closed
Opened :1/9/2007 4:16:55PM

Pei'Fannance Inditatar :Technical expemse
C l a d : 5/14/2007 10:04:28AM

I
I

Requestor Name : Phone

: n

n

flee :fl LOUIS

'

b6 b7C

Miice Code :37300000

Cam Clasification Number :315A

ZnwslrgaUve Pragram : NRP-lT

Assigned tm Name j Assigned To Group : CEAU SL Wtegov :CE4U

l
b1

Program Manager 4 Pmgam/Type : Computer Ewpbltation
b2 b7E

b6 -b7C

-

Item Remote Computer Seareh/Surveillance

l l l U Z W 7 8:37;25 AM
j

Ihas Reassigned or Forwarded thibT$uest

b6

to

DATE: 08-14-2008

CLISSLFIED BY bD322UC/IP/STP/gjg

REASON: 1.4 [Cl
DECLASSIPY 01: 08-64-2033

ALL INFDREtATION CONTAINED MREIN IS UNCLA33TFIED EXCEPT m SN0W OTHERWISE R E

smw
DATE: 03-38-2005 CLASSTFIED BY 6 0 3 2 2 1 ~ i v l J l r d a =SO% 1.4 I s ) DECLii5SIA:.0 03-18-20.33
Care Number

Caru: At-A-G~uuc~

ALL IPIOPJNTIOH COrn&IiIEb HmW 19 CWCLASSITIED e I

I

I

2

I
,
, ,, ,,.,'

b7A

3

r
..."

1

J
I

,.,'

IIProgmm Sensitive

bl b2
b7E blA

1

Page 1 of 26

09/14/2006 1722 hrs.

IlPrognm Sensitive

Page 2 N26

Cases; At-A-Glrnee
\

tsj
i !

Pending
I

Csle Nulnber

\

,

b7A

bl

I

b2 b7E
b7A

(5)

09/14/2006 1R22 hrs.

//IPiqram Sensitive

Page 3 of 26

Casa: At-A-GIaace

(s)

09/14/2006 17:22 hro.

IIProgmm Sensitive

Page 4 of 26

SECRET

1
IS)
$1 b2

YE

~ Y A

I s1
5)
(s)

-

09/34/2006 17:22 hrs.

IRrogrnrn Se~sltlve

pate 7 oil6

I
9

UNKNOWN

4s)

t

I

bl

bl b7E
blA

10

1

L,,, ,,

I I2
I3

09/14/2006 17?22hra.

Page 8 of 26

09/14/2006 17:22 hn.

//Program Sensitive

w

-

(5)

1

t
Es1
bl b2 blE

-

:s)

""

( S]
-

W1412006 17:22 hrs.

IIPmgram Sensitive

Page 11 of 26

09/14/2W617:ZZ 1rm.

IIPrognm Sensitive

b~

b2 b7E

Page 12 d 2 6

b6 b7C

Page 17 of 26
bl

b%
blE

1 .

?I - 1

31 s ~ ~ a 5 4 3 a r

ISl

.,'

,,.,. ,..,..

.,...

..,.' . "

...,....

, .,.

.

,,,.,,.

Is

,

-09/14/2006 17:22 hrs.

.,...., ,
,,...."'

....

.,.,..I.'

//Program SenalUve

Page 18 of 26

Page 19 of 26

CMS6D

I

(s)
IS
bl b2 blE
CLOSED
288A.RH-52644

-

-5s)
.,,

I

I

I

I

I

I

Page 20 of 26

IIProgram Sensitive

Page 21 of26

C481i At-A-GIaUCe

CLOSED

174C-LV-39242
I

1 kn .

A

2BBD-W2329M

.'P

msao
bl

31sB.IP.
94772

a)

b2 b7E
CLOSED
~"7-Ti?777

L

C s1
Is
CWSED
Unknown
\,I

-CS)

J
//Program SsnslUve

315N-SF-012606

Page 22 of 26

page 26 of 26

,

DATE: 09-13-2008 CLASSIFIED BY 6032Zuclp/stp/rds
PEAsON: 1.4 ( C ) DECLASSIFY ON: 08-13-2033

ST &

ALL IPFOmTION CONTAINED =IN 1I.UNCLAIBIFIED EXCEPT

suom gmmLs~

Last update 5 June 2007

DATE: 08-13-2006 - ' CLASSIPIEP BY 6032Zuclp/stp/rds
RERSOWI

1.4 (el DECLASSIFY 08: 08-13-2033

ALL INFORMATION C D h T A I m liERGIB 15 UNCLASSIFIED MCEPT WERE SHOWN OITERWISE

Swsitive but U

Version Control
Date

x
I
ChangedBy
Version #

Last Update 5 June 2007

Changes

01 .

Draft Baseline

Sensitive but

%

Last Update 5 June 2007

Law Enforcement SensltivelSeuitive But For Official Use Only ASSSFIED BY 60322uoLp/aw/~d3 Case Support Standard Operating Procedures (SOP) ,A~ON; 1.4 L C ) :CLASISSJN O ~ - L ~ - Z O ~ S OH; Crv~toaraohic Electronic Analysis Unit (CEAU) and
TE: 08-i3-2006

.d '

.*

u~W
\

Law Enforcement ~e;sitlvel~ensltlve But

-

----r-n

nian nnlv

Law Enforcement SensitivelSensitlve But LJDC

For Ofilcial Use Only

Case Suppoe Sbndard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Somare Development Group (5DG) Deployment Operamns Center (DOC)

1 \

4. Case Remote Install

-d , T

Page 2 of 2 Pages Law Enforcement Sensitlve/Sessitive But - -.-E-A..,

Law Enforcement SensitiveISensitlve But Unc DATE: 08-13-2000 CLASSIFIED BY 60322uoLp/stp/rds For Official Use Only REl3rJN: 1.4 ( o ) DECLASSIFY 01: 0~-13-2033 Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)

smm
-. -

Y/=/-Q
bl
b2 b 7 ~

7

,

-

*

.

I--,.,

-

El'

1
I

I

I

I

1

ALL INFOFXATTON CONTAINED

Page 1 of 10 Pages HEREIN IS UNCLASSXFIED EXCEPT WAERE SHOWN OTHERWISE Law Enforcement Sensitive/Senaltive But =P&T Rnr nftirinl ITse Onlv

Law Enforcement SensitivelSensitive But

For Official Use Only

b2 b7E

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Somare Development Group (SDG) Deployment Operations Center (DOC)

2= =I

Page 2 of 10 Pages
d

t a w Enforcement SensitivelSensitive But: Unc e w

'

SEW
'

Law Enforcement Sen1ItiveIS~n6itive U~ But
For Official Use Only

Case Suppo.rt Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Somare Development Group (SDG) Deployment Operations Center (DOC)

bI b2 b7E
,

Ii
j

j
I

I
j
!

1

!

i

j

1 i j i

I

I

I

i

j

j
j

j

1

I

M T

Page 3 of 10 Pages L a w Enlomnent SensitlvdSeasitive But* U
w-"
r.#*"&.I
11"# %.. .I.

Law Enforcement SendivdSensifive But ~k)jas$$ecl
For Official Use Only
Case SuppoR Standard Opeating Procedures (SOP) Cryptographlc and Electronic Analysis Unit (CEAU)

bl b2

b7E

(DOC)

Page 4 of 10 Pages

Law iEi~hnrment knsiLive/Sensitive But* U
Per ChFiini.1

l l r . ~nnlv

Law Enlommmt Sensitive,Sensitive But ~ x f i e d
For Official Use Only
bl

Case Support Standard Operating Procedures (SOP) Cryptographic and Eleamnic Analysis Unit (CEAU), Software Development Group (SDG) Deployment Operatlons Center (DOC)

E:E

Page 5 of 10 Pages Law Enforcement SasEt6ve/Sensitive But U$?p$$l

Law Enforcement Sensitlve/Sensitive But

For Official Use Only
Case Support Standard Operating procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Gmup (SDG] Deployment Operations Center (DOC)
h

Page 6 of 10 Pages Law Enforcement SensitlvelSensltlve But Unc

Law Enforcement Seositive/Sensltive But For Oficial Use Only
Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU)' yrnent Operations Center (DOC)

Page 7 of 10 Pages

Law Bnforcement SwidveISensitive ~ b ~ tn ? y @ $ d

Law Enforcement SeuitiveISensitive But ~ * d ne For O1Ticial Use Only
Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) & h a r e Development Group (SDG)..Peplovrnent Operations Center (DOC)

i

i

1

!

i

Page 8 of 10 Pages

Law Enforcement Sensitive/Sensitive But
For Off~cial Qnlv Use

S T H

Law E~forcement SensitivdSensitive But Unc ified Bar Official Use Only Case Support Standard Operating. Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU)
loyment Operations Center (DOC)

x

Page 9 of 10 Pages Law Enforcement SensitlvelSensitive But

For Official Use Onlv

3

Law Enforcement Iensitive/SeosMve But U *
For Official Use Only

Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)
-

b1

Page 10 of 10 Pages
Law Enforcement SensitivdSeositive But ~ n h m d

Pittrlburgb II Investigation @merent case then original ongoing one)

. .
*

01/04/2007 SPU referred case to OTD/CEAU 01/31/2007 ITOS requests OTDJCEAUif remate computer attack can be conducted against target 02/07/2007 SPU contacted CEAU to offer assistance regarding case. CEAU advised %2 it may quire a 1which falls in SPVs a & . If so,CEAU wiU c o o ~ t C b 7 ~ w t SPU for the task. ih Present Per Case Agent, CEAU advised Pittsburgh that they could assist w t a wireless ih hack t obtain a frle tree, but not the hard drive content. SPU has not heard anything h m o OTD rcgardjng this. ,.

-

Cincinnati ~nvestigation
Acting Unit Chief, Special Technologies 0 erations Unit (STOU) was contacted w the evening of F e b v r y IJ.2001by 6psi.I Agerd[L1(~quad if C i n c i i t i Division) reqksting urgent support . ~ a a d v i s e that he w s working on a cage d a (288A-CI-76037-WB) which &needed immediate assistance h m STOU in analytitlg data obtained h m a Computer and I~temet Protocpl Address Identifier ("CIPAV") inserted in five d i f f e r e n t t Acording to the Cincinnati's EC, "The CIPAV was previous1 &posed to hackem from 01130/2007 to 02/09/2007 but no information was gathered because
I
DL

1-

b2 b7E b7D

I

I

"During the period o the current search wmranb the ~ & u b f hacker(. r r c c e i s e d n 02/13/2007 a 12:23:08 Eastern Standard Time t I"ESTr9. The Unaubfs) then ~ r o c e e d e j visit the site 29 more timer. I n these instunces, the t~ b ~ ~ dnot deti&iilsrp&bad becrrurc o system incompatibiliry. On 02/15/2007 at i d f

5:29:21 EDT, the s s e w s able to deliver a CIPAV and the CIPAV tetumed data" ytm a

~ ~ a r e ~ u e sSTOU immediately begin analyzing all data recovered by the CIPAV t e d and continue to perform analysis on an ongoing basis until the termination of CPAV operations
.

b2 b7E

b7Q

STOU engineers immediately engaged in the case and began providing data back to SA

0 t h very next day. STOU contiaued to provide daily support until the analysis was
complete.

Sign up to vote on this title
UsefulNot useful