AO 106 (Rev. 03/10) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the District of Massachusetts

In the Matter of the Search of
(Briefly describe the property to be searched or identify the person by name and address)

Martin Gottesfeld, who lives at 28 Albion Street, Apartment 1, Somerville, Massachusetts, as described in Attachment A

Case No. [not legible in scan]

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location):

As described in Attachment A,

located in the District of Massachusetts, there is now concealed (identify the person or describe the property to be seized):

Evidence, fruits, and instrumentalities of violations of 18 U.S.C. § 1030(a)(5)(A) (intentionally causing damage to a protected computer) and 18 U.S.C. § 371 (conspiracy), as described in Attachment B.

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
  evidence of a crime;
  contraband, fruits of crime, or other items illegally possessed;
  property designed for use, intended for use, or used in committing a crime;
  a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:

Code Section                  Offense Description
18 U.S.C. § 1030(a)(5)(A)     Intentionally causing damage to a protected computer
18 U.S.C. § 371               Conspiracy

The application is based on these facts:
See attached Affidavit of Michael W. Tunick.

Continued on the attached sheet.

Delayed notice of ___ days (give exact ending date if more than 30 days: ________) is requested under 18 U.S.C. § 3103a, the basis of which is set forth on the attached sheet.

Sworn to before me and signed in my presence.

Date: 09/__/2014 (day not legible in scan)
City and state: Boston, MA
Printed name and title: [not legible in scan]


AFFIDAVIT OF MICHAEL W. TUNICK IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT

I, Michael W. Tunick, state:

INTRODUCTION AND AGENT BACKGROUND

1. I am a Special Agent with the Federal Bureau of Investigation, and have been so employed since 2012. I am currently assigned to the Cyber Crimes Squad of the Boston Field Office of the FBI. As a member of this squad, my responsibilities include investigating criminal offenses including computer intrusions, wire fraud, and conspiracy. Through my training and experience, obtained both prior to and while being employed with the FBI, I am knowledgeable about computer systems, computer networks, networking hardware and software, network security, telecommunication systems, and the means by which individuals use computers, software applications and information networks to commit cyber offenses. During my tenure as a Special Agent, I have participated in the execution of numerous search warrants involving computer equipment, documents, and electronically stored information. Before joining the FBI, I worked in the area of information technology, and computer and network security.

2. I am currently investigating violations of 18 U.S.C. § 1030(a)(5)(A) (intentionally causing damage to a protected computer) and 18 U.S.C. § 371 (conspiracy) relating to attacks against the Boston Children's Hospital computer network and other related network attacks.

3. I submit this affidavit in support of an application for warrants to search the residence and person of Martin S. Gottesfeld, at [address redacted in scan], Massachusetts (the "Premises to be Searched"), as described in Attachment A to each warrant, because there is probable cause to believe that the residence and Gottesfeld's person contain evidence, fruits, and instrumentalities of the crimes listed above, as described in Attachment B.

4. The facts in this affidavit come from my personal observations and review of records, my training and experience, and information obtained from other agents and witnesses. This affidavit is intended to show merely that there is probable cause for the requested search warrant and does not set forth all of my knowledge about this matter.

THE BOSTON CHILDREN'S HOSPITAL DDOS ATTACK

5. Boston Children's Hospital (BCH) is a hospital in Boston, and, with approximately 25,000 inpatient admissions each year, is one of the largest pediatric medical centers in the United States.

6. BCH reported a Distributed Denial of Service (DDOS) attack against its public internet web page www.childrenshospital.org, IP address 134.174.13.5, on April 20, 2014. This attack may have begun a week earlier, continued through at least April 24, 2014, and consisted of large amounts of malicious internet traffic, originating from many IP addresses, directed at the BCH web site.

7. From my training and experience, the attack experienced by BCH is consistent with a sophisticated DDOS attack. The intent of these attacks is to overwhelm the target's computer networking equipment to render it useless and consequently disrupt online services.

8. The incoming traffic resulted in significant disruptions to the BCH website and additional disruption to the network on which BCH and other Harvard University-affiliated hospitals communicate. To prevent greater damage, BCH decided to temporarily shut down several online service portals used by patients, providers and physicians. The loss of these services and the impact on the network impacted the ability of BCH to care for its patients.

9. Based on evidence discussed below, I believe that the attack against BCH is related to an activist effort concerning the custody battle over teenage medical patient Justina Pelletier. This custody battle involved the Commonwealth of Massachusetts's taking custody of Justina Pelletier from her parents due to her serious medical condition. She was in Massachusetts custody for 16 months, much of which she spent at BCH, until her release in June 2014.

10. On March 23, 2014, someone using the name "Shutdown Logan River Academy" posted a YouTube video entitled, "Anonymous #OpJustina Press Release Video." This video claimed to be from the hacking group Anonymous, was a call for action against BCH, and was accompanied by an online posting. The 5 minute and 20 second video is located at the URL http://youtube.com/watch?v=-Chnly_54Jo.

11. The video is narrated by a computer-generated voice, which states, among other things, that Anonymous or others with similar views "will punish all those held accountable and will not relent until Justina is free." In addition, the imagery contained in the video is consistent with the group Anonymous. I know from my training and experience that the group Anonymous is known for numerous hacking attacks, many of which involve DDOS attacks.

12. The video specifically identifies BCH, stating "To the Boston Children's Hospital why do you employ people that clearly do not put patient's first? We demand that you terminate Alice W. Newton from her employment or you to shall feel the full unbridled wrath of Anonymous. Test us and you shall fail."

13. The online posting on the site pastebin.com, referenced in the video and located at http://pastebin.com/tiew3Hn6, lists detailed information about BCH, including:

  Name: Boston Children's Hospital
  Address: 300 Longwood Ave. Boston, MA 02115
  Phone: (617) 355-6000
  Website: www.childrenshospital.org
  IP Address: 134.174.13.5
  Server Type: Microsoft-IIS/7.5

14. This information is enough to implement or coordinate a DDOS attack, and the IP address listed in the posting, 134.174.13.5, is the IP address of BCH's server that was subsequently hit with the DDOS attack.

THE CONNECTION TO GOTTESFELD AND THE PREMISES TO BE SEARCHED

15. I have reviewed BCH webserver logs from the time of the DDOS attack. These logs showed hundreds of IP addresses flooding the BCH network with malicious traffic. The IP addresses sending this malicious traffic resolve to geographically dispersed locations. I know that this is consistent with a sophisticated DDOS attack where the perpetrators are masking their physical location.

16. Records for the account that posted the YouTube video calling for the attack show this account is owned and managed by Martin S. Gottesfeld. Those records also show that the IP address 209.6.193.140 was used to post this video on March 23, 2014 and log in to the account on April 1, 2014.

17. Records for RCN, the cable company that controls that IP address, list Martin S. Gottesfeld as the customer assigned to that IP address from at least March 23 to April 1, 2014. RCN records show that Gottesfeld receives his internet service at [address redacted in scan], Massachusetts (the Premises to be Searched).

18. Based on my training and experience, I know that this means that someone at the Premises to be Searched used a computer, tablet, smartphone, or other internet-enabled device on March 23, 2014 to post the YouTube video.

19. Gottesfeld has [address redacted in scan] listed as his address of record with the Registry of Motor Vehicles.

20. Additionally, surveillance conducted from September 8, 2014 through September 12, 2014, has identified Gottesfeld and his registered vehicle, a 1995 white Honda Civic, license plate [redacted in scan], at the Premises to be Searched.

21. I have reviewed the results of a Pen Register/Trap and Trace court order for Gottesfeld's RCN account for the period from August 6, 2014 until September 15, 2014. These records show the IP addresses for all internet traffic for the Premises to be Searched.

22. These records show internet traffic going to/from the Virtual Private Network service operated by www.riseup.net. This service is described by riseup.net as providing "a service for censorship circumvention, location anonymization and traffic encryption. To make this possible, it sends all your internet traffic through an encrypted connection to riseup.net, where it then goes out onto the public internet."

23. This traffic through riseup.net was observed every day of the coverage period except August 28 to September 1 (Labor Day weekend) and lasted for hours at a time.

24. In addition to the riseup.net traffic, The Onion Router (TOR) traffic was also observed. The TOR network is another tool used to browse the internet anonymously.

25. I have reviewed Twitter records for the Twitter accounts @AnonMercurial and @PacketSignal, both of which tweeted at or about DDOS victims, including BCH, during and after attacks. These records show the account subscribers using both TOR IP addresses as well as IP addresses run by riseup.net to log in to these accounts.

26. I know, from my training and experience, that while anonymizing services such as TOR and riseup.net can be used to hide one's location for privacy reasons, criminals routinely use these services to hide their true IP addresses while committing, discussing or planning crimes, in an effort to evade law enforcement. They will attempt to maintain "operational security" by using these services while doing anything related to the crime but may not use them while doing things related to their non-criminal social or personal life.

Gottesfeld's Connection to Other Related DDOS Attacks

27. Since the attack against BCH in April 2014, the FBI has learned of other DDOS attacks against entities associated with BCH, the Justina Pelletier custody battle, and the troubled teen industry.[1] Additional victims include: NSTAR (which has a relationship with BCH), Wayside Youth and Family Support Network, Judge Rotenberg Educational Center, Greatschools.org, Sorenson's Ranch, and Logan River Academy. These victims all experienced similar service disruptions.

28. Interviews with the additional victims have revealed that Gottesfeld has had direct email contact with two of them, Logan River Academy and Greatschools.org.

29. Gottesfeld sent an email in October 2013 informing the owner of Logan River Academy that a petition had been started on Change.org for Logan River Academy to stop the use of solitary confinement. Logan River Academy experienced a direct DDOS attack in November 2013 and an online service they use for records management, BestNotes.com, was hit with a DDOS attack in March 2014.

30. In addition to the Change.org petition against Logan River Academy, Gottesfeld has been linked to the Facebook (account: shutdownloganriver), Twitter (account: stoploganriver) and YouTube (account: shutdownloganriver) accounts which advocate shutting down Logan River Academy. This is in addition to building and maintaining the website www.shutdownloganriver.com which Gottesfeld has admitted, in online postings, to operating.

31. Gottesfeld sent an email in October 2013 asking that Greatschools.org, a website which lists ratings for various schools, no longer list Logan River Academy on its website. In this e-mail, Gottesfeld threatened that he would add Greatschools.org to his campaign against Logan River Academy and would report the website to certain associations. Greatschools.org experienced a DOS attack in July 2014.

[1] The term "troubled teen industry" is used to describe facilities, hospitals, schools, therapy centers, education centers, etc., that deal with children and teens with physical, emotional or mental disabilities. Many of these are private institutions.

SEIZURE OF COMPUTER EQUIPMENT AND DATA

32. From my training, experience, and information provided to me by other agents, I am aware that individuals commonly store records of the type described in Attachment B in computer hardware (including tablets and smartphones), computer software, and storage media. Some storage media, such as thumb drives, can be smaller than a stick of gum and can therefore be stored almost anywhere.

33. Based on my knowledge, training, experience, and information provided to me by other agents, I know that computer files or remnants of such files can be recovered months or even years after they have been written, downloaded, saved, deleted, or viewed locally or over the Internet. This is true because:

  a. Electronic files that have been downloaded to a storage medium can be stored for years at little or no cost. Furthermore, when users replace their computers, they can easily transfer the data from their old computer to their new computer.

  b. Even after files have been deleted, they can be recovered months or years later using forensic tools. This is so because when a person "deletes" a file on a computer, the data contained in the file does not actually disappear; rather, that data remains on the storage medium until it is overwritten by new data, which might not occur for long periods of time. In addition, a computer's operating system may also keep a record of deleted data in a "swap" or "recovery" file.

  c. Wholly apart from user-generated files, computer storage media, in particular computers' internal hard drives, contain electronic evidence of how the computer has been used, what it has been used for, and who has used it. This evidence can take the form of operating system configurations, artifacts from operating system or application operation, file system data structures, and virtual memory "swap" or paging files. It is technically possible to delete this information, but computer users typically do not erase or delete this evidence because special software is typically required for that task.

  d. Similarly, files that have been viewed over the Internet are sometimes automatically downloaded into a temporary Internet directory or "cache." The browser often maintains a fixed amount of hard drive space devoted to these files, and the files are overwritten only as they are replaced with more recently viewed Internet pages or if a user takes steps to delete them.

34. Based on my knowledge and training and the experience of other agents with whom I have spoken, I am aware that in order to completely and accurately retrieve data maintained in computer hardware, computer software or storage media, to ensure the accuracy and completeness of such data, and to prevent the loss of the data either from accidental or programmed destruction, it is often necessary that computer hardware, computer software, and storage media ("computer equipment") be seized and subsequently processed by a qualified computer specialist in a laboratory setting rather than in the location where it is seized. This is true because of:

  a. The volume of evidence: storage media such as hard disks, flash drives, CD-ROMs, and DVD-ROMs can store the equivalent of thousands or, in some instances, millions of pages of information. Additionally, a user may seek to conceal evidence by storing it in random order or with deceptive file names. Searching authorities may need to examine all the stored data to determine which particular files are evidence, fruits, or instrumentalities of criminal activity. This process can take weeks or months, depending on the volume of data stored, and it would be impractical to attempt this analysis on-site.

  b. Technical requirements: analyzing computer hardware, computer software or storage media for criminal evidence is a highly technical process requiring expertise and a properly controlled environment. The vast array of computer hardware and software available requires even computer experts to specialize in some systems and applications. Thus, it is difficult to know, before the search, which expert possesses sufficient specialized skill to best analyze the system and its data. Furthermore, data analysis protocols are exacting procedures, designed to protect the integrity of the evidence and to recover even "hidden," deleted, compressed, password-protected, or encrypted files. Many commercial computer software programs also save data in unique formats that are not conducive to standard data searches. Additionally, computer evidence is extremely vulnerable to tampering or destruction, both from external sources and destructive code imbedded in the system as a "booby trap." Consequently, law enforcement agents may either copy the data at the premises to be searched or seize the computer equipment for subsequent processing elsewhere.

35. The premises may contain computer equipment whose use in the crime(s) or storage of the things described in this warrant is impractical to determine at the scene. Computer equipment and data can be disguised, mislabeled, or used without the owner's knowledge. In addition, technical, time, safety, or other constraints can prevent definitive determination of their ownership at the premises during the execution of this warrant. If the things described in Attachment B are of the type that might be found on any of the computer equipment, this application seeks permission to search and seize them on-site or off-site in order to determine their true use or contents, regardless of how their contents or ownership appear or are described by others at the scene of the search.

36. Because the owners of smartphones and portable storage devices (such as thumb drives) often carry them in their pockets, it will be necessary to search Gottesfeld to ensure that agents are able to seize these items.

CONCLUSION

37. Based on the information described above, I have probable cause to believe that the DDOS attacks on BCH, as well as the related network attacks, constitute violations of 18 U.S.C. § 1030(a)(5)(A) (intentionally causing damage to a protected computer) and 18 U.S.C. § 371 (conspiracy).

38. I also have probable cause to believe that evidence, fruits, and instrumentalities of these crimes, as described in Attachment B, are contained in the Premises to be Searched, as described in Attachment A to the Premises warrant, and on the person of Gottesfeld, as described in Attachment A to the Gottesfeld warrant.

Sworn to under the pains and penalties of perjury,

Michael W. Tunick
Special Agent, FBI

Subscribed and sworn to before me on September ___ [date not legible in scan].


ATTACHMENT A

MARTIN GOTTESFELD

Martin Gottesfeld is an individual living at [address redacted in scan], Massachusetts. He is 30 years old, approximately 5'7" tall, with brown hair and brown eyes, according to Registry of Motor Vehicles records.


ATTACHMENT B

ITEMS TO BE SEIZED

I. All records, in whatever form, and tangible objects that constitute evidence, fruits, or instrumentalities of violations of 18 U.S.C. § 1030(a)(5)(A) (intentionally causing damage to a protected computer) and 18 U.S.C. § 371 (conspiracy), including those related to:

  A. The following people, entities, physical addresses, telephone numbers, bank accounts, websites, e-mail addresses, IP addresses:
    1. IP address 209.6.193.140
    2. IP address 134.174.13.5
    3. Boston Children's Hospital
    4. Justina Pelletier
    5. Logan River Academy
    6. Greatschools.org
    7. NSTAR
    8. Wayside Youth and Family Support Network
    9. Judge Rotenberg Educational Center
    10. Sorenson's Ranch
    11. Twitter accounts @AnonMercurial, @AnonMercurial2 or @PacketSignal

  B. The following topics:
    1. DDOS and other computer network attacks
    2. The group Anonymous
    3. #OpJustina and #OpLiberation
    4. Tools and techniques related to hiding online identity, including TOR and Riseup.net
    5. Troubled teen industry, treatment centers and associated entities

  C. The identity, location, and travel of any co-conspirators, as well as any co-conspirators' acts taken in furtherance of the crimes listed above;

  D. For any computer hardware (including smartphones and tablets), computer software, or storage media called for by this warrant or that might contain things otherwise called for by this warrant ("the computer equipment"):
    1. evidence of who used, owned, or controlled the computer equipment;
    2. evidence of malicious computer software that would allow others to control the computer equipment; evidence of the lack of such malicious software; and evidence of the presence or absence of security software designed to detect malicious software;
    3. evidence of the attachment of other computer hardware or storage media;
    4. evidence of counter-forensic programs and associated data that are designed to eliminate data;
    5. evidence of the times the computer equipment was used;
    6. passwords, encryption keys, and other access devices that may be necessary to access the computer equipment;
    7. records and tangible objects pertaining to accounts held with companies providing Internet access or remote storage of either data or storage media; and

  E. Records and tangible objects relating to the ownership, occupancy, or use of the premises to be searched (such as utility bills, phone bills, rent payments, mortgage payments, photographs, insurance documentation, receipts and check registers).

II. All computer hardware (including smartphones and tablets), computer software, and storage media. Off-site searching of these items shall be limited to searching for the items described in paragraph I.

DEFINITIONS

For the purpose of this warrant:

  A. "Computer equipment" means any computer hardware, computer software, computer-related documentation, storage media, and data.

  B. "Computer hardware" means any electronic device capable of data processing (such as a computer, personal digital assistant, cellular telephone, or wireless communication device); any peripheral input/output device (such as a keyboard, printer, scanner, monitor, and drive intended for removable storage media); any related communication device (such as a router, wireless card, modem, cable, and any connections), and any security device (such as electronic data security hardware and physical locks and keys).

  C. "Computer software" means any program, program code, information or data stored in any form (such as an operating system, application, utility, communication and data security software; a log, history or backup file; an encryption code; a user name; or a password), whether stored deliberately, inadvertently, or automatically.

  D. "Computer-related documentation" means any material that explains or illustrates the configuration or use of any seized computer hardware, software, or related items.

  E. "Storage media" means any media capable of collecting, storing, retrieving, or transmitting data (such as a hard drive, CD, DVD, USB or thumb drive, or memory card).

  F. "Data" means all information stored on storage media of any form in any storage format and for any purpose.

  G. "A record" is any communication, representation, information or data. A "record" may be comprised of letters, numbers, pictures, sounds or symbols.

RETURN OF SEIZED COMPUTER EQUIPMENT

If, after inspecting seized computer equipment, the government determines that the equipment does not contain contraband or the passwords, account information, or personally-identifying information of victims, and the original is no longer necessary to preserve as evidence, fruits or instrumentalities of a crime, the equipment will be returned within a reasonable time, if the party seeking return will stipulate to a forensic copy's authenticity (but not necessarily relevancy or admissibility) for evidentiary purposes.

If computer equipment cannot be returned, agents will make available to the computer system's owner, within a reasonable time period after the execution of the warrant, copies of files that do not contain or constitute contraband; passwords, account information, personally-identifying information of victims; or the fruits or instrumentalities of crime.
