
AO 106 (REV 4/10) Affidavit for Search Warrant

AUSA Andrew J. Dixon, (312) 697-4063

UNITED STATES DISTRICT COURT


NORTHERN DISTRICT OF ILLINOIS, EASTERN DIVISION

UNDER SEAL

In the Matter of the Search of:

The Google accounts bobbycrimo@gmail.com (Subject
Account 1), bobbytdamac@gmail.com (Subject
Account 2), sleepysquadmgmt@gmail.com (Subject
Account 3), memoryregion@gmail.com (Subject
Account 4), sophierosaro@gmail.com (Subject
Account 5) (the “Subject Accounts”), further
described in Attachment A

Case No. 22 M 528
APPLICATION AND AFFIDAVIT FOR A SEARCH WARRANT

I, Barrett J. Rife, a Special Agent of the Federal Bureau of Investigation, request a search warrant and state
under penalty of perjury that I have reason to believe that on the following property or premises:
See Attachment A
located in the Northern District of California, there is now concealed:
See Attachment A, Part III
The basis for the search under Fed. R. Crim. P. 41(c) is evidence and instrumentalities.
The search is related to a violation of:
Code Section: Title 18, United States Code, Section 2332a(a)(2)(A),(D)
Offense Description: Threatening, attempting, or conspiring to use a weapon
of mass destruction without lawful authority against any
person or property within the United States, using the
mail or a facility of interstate commerce in furtherance
of the offense and which threat, attempt, or conspiracy
would have affected interstate commerce.
The application is based on these facts:
See Attached Affidavit,
Continued on the attached sheet.

/s/ Barrett J. Rife (MDW with permission)


Applicant’s Signature

BARRETT J. RIFE, Special Agent


Federal Bureau of Investigation
Printed name and title
Pursuant to Fed. R. Crim. P. 4.1, this Application is presented by reliable electronic means. The above-named agent
provided a sworn statement attesting to the truth of the statements in the Application and Affidavit by telephone.

Date: July 12, 2022


Judge’s signature

City and State: Chicago, Illinois M. DAVID WEISMAN, U.S. Magistrate Judge
Printed name and title
UNITED STATES DISTRICT COURT )
)
NORTHERN DISTRICT OF ILLINOIS )

AFFIDAVIT

I, Barrett J. Rife, being duly sworn, state as follows:

1. I am a Special Agent with the Federal Bureau of Investigation (“FBI”).

I have been in this position since 2018. I am currently assigned to the Chicago Field

Office, West Resident Agency, Squad CT-2. As a part of my duties as an FBI Special

Agent, I investigate criminal violations relating to Domestic Terrorism, including

criminal violations including, but not limited to Title 18, United States Code, Sections

841, 842, 875, 922, 924, 2332a, and Title 26 United States Code, Section 5861. I have

been involved with various electronic surveillance methods, the debriefing of subjects,

informants, and witnesses, as well as others who have knowledge of weapons of mass

destruction investigations and bombing matters. I have participated in multiple

federal search and arrest warrants.

2. This affidavit is made in support of an application for a warrant to

search, pursuant to Title 18, United States Code, Sections 2703(a), 2703(b)(1)(A) and

2703(c)(1)(A), for information associated with certain accounts that are stored at the

premises owned, maintained, controlled, or operated by Google, a free web-based

electronic mail service provider located at 1600 Amphitheatre Parkway, Mountain

View, California, 94043. The accounts to be searched are bobbycrimo@gmail.com

(“Subject Account 1”), bobbytdamac@gmail.com (“Subject Account 2”),

sleepysquadmgmt@gmail.com (“Subject Account 3”), memoryregion@gmail.com


(“Subject Account 4”), and sophierosaro@gmail.com (“Subject Account 5”),

(collectively, the “Subject Accounts”) 1, which are further described in the following

paragraphs and in Part II of Attachment A. As set forth below, there is probable

cause to believe that in the accounts, described in Part II of Attachment A, in the

possession of Google, there exists evidence and instrumentalities of violations of Title

18, United States Code, Section 2332a(a)(2)(A),(D) (the “Subject Offense”).

3. The statements in this affidavit are based on my personal knowledge,

and on information I have received from other law enforcement personnel and from

persons with knowledge regarding relevant facts. Because this affidavit is being

submitted for the limited purpose of securing a search warrant, I have not included

each and every fact known to me concerning this investigation. I have set forth facts

that I believe are sufficient to establish probable cause to believe that evidence and

instrumentalities of violations of Title 18, United States Code, Section

2332a(a)(2)(A),(D), are located in the Subject Accounts.

I. BACKGROUND INFORMATION

A. Google

4. Based on my training and experience and information available from

Google’s website (google.com), I have learned the following information about Google

and Gmail:

1 On or about July 7, 2022, the FBI sent a preservation letter to Google for the aforementioned
Gmail accounts, pursuant to 18 U.S.C. § 2703(f), requesting that Google preserve data
associated with the Subject Accounts.
a. Google offers a collection of Internet-based services, including

email and online data storage, which is owned and controlled by Google. The services

are available at no cost to Internet users, though there are certain options, such as

additional online data storage, that users may elect to pay money to receive.

Subscribers obtain an account by registering on the Internet with Google and

providing Google with basic information, including name, gender, zip code, and other

personal/biographical information. Subscribers are given a Google account which

ends in “@gmail.com” which is utilized to access these online services.

b. Google maintains electronic records pertaining to the individuals

and entities who maintain Google online subscriber accounts. These records often

include account access information, email transaction information, account

application information, and in some circumstances billing and payment information.

c. Any email that is sent to a Google online account subscriber is

stored in the subscriber’s “mail box” on Google’s servers until the subscriber deletes

the email or the subscriber’s mailbox exceeds the storage limits preset by Google. If

the message is not deleted by the subscriber, the account is below the maximum

storage limit, and the subscriber accesses the account periodically, that message can

remain on Google’s servers indefinitely.

d. When a subscriber sends an email, it is initiated by the user,

transferred via the Internet to Google’s servers, and then transmitted to its end

destination. Google online account users have the option of saving a copy of the email

sent. Unless the sender of the email specifically deletes the email from the Google

server, the email may remain on the system indefinitely.

e. Google online account subscribers can store files, including but

not limited to emails, documents, and image files, on servers maintained and/or

owned by Google.

f. Google online account subscribers can also utilize a feature

known as “History” that allows a user to track various historical account activity,

including past Google Internet searches performed, information regarding devices

which have been used to login to the Google online account, and physical location

information regarding from where the Google online account was accessed. Based on

publicly available information, I believe Google collects web history unless the user

opts out.

g. Google keeps records that can reveal accounts accessed from the

same electronic device, such as the same computer or mobile phone, including

accounts that are linked by “cookies,” which are small pieces of text sent to the user’s

Internet browser when visiting websites.

5. Among the specific services offered by Google, I have learned the

following information:

a. Contacts: Google provides an address book for Google Accounts

through Google Contacts. Google Contacts stores contacts the user affirmatively adds

to the address book, as well as contacts the user has interacted with in Google

products. Google Contacts can store up to 25,000 contacts. Users can send messages

to more than one contact at a time by manually creating a group within Google

Contacts or communicate with an email distribution list called a Google Group. Users

have the option to sync their Android mobile phone or device address book with their

account so it is stored in Google Contacts. Contacts can be accessed from the same

browser window as other Google products like Gmail and Calendar.

b. Calendar: Google provides an appointment book for Google

Accounts through Google Calendar, which can be accessed through a browser or

mobile application. Users can create events or RSVP to events created by others in

Google Calendar. Google Calendar can be set to generate reminder emails or alarms

about events or tasks, repeat events at specified intervals, track RSVPs, and auto-

schedule appointments to complete periodic goals (like running three times a week).

A single Google Account can set up multiple calendars. An entire calendar can be

shared with other Google Accounts by the user or made public so anyone can access

it. Users have the option to sync their mobile phone or device calendar so it is stored

in Google Calendar. Calendar can be accessed from the same browser window as

other Google products like Gmail and Calendar.

c. Messaging: Google provides several messaging services

including Duo, Messages, Hangouts, Meet, and Chat. These services enable real-time

text, voice, and/or video communications through browsers and mobile applications,

and also allow users to send and receive text messages, videos, photos, locations,

links, and contacts.

d. Google Drive: Google Drive is a cloud storage service

automatically created for each Google Account. Users can store an unlimited number

of documents created by Google productivity applications like Google Docs (Google’s

word processor), Google Sheets (Google’s spreadsheet program), Google Forms

(Google’s web form service), and Google Slides (Google’s presentation program).

Users can also upload files to Google Drive, including photos, videos, PDFs, and text

documents, until they hit the storage limit. Users can set up their personal computer

or mobile phone to automatically back up files to their Google Drive Account. Each

user gets 15 gigabytes of space for free on servers controlled by Google and may

purchase more through a subscription plan called Google One. In addition, Google

Drive allows users to share their stored files and documents with up to 100 people

and grant those with access the ability to edit or comment. Google maintains a record

of who made changes when to documents edited in Google productivity applications.

Documents shared with a user are saved in their Google Drive in a folder called

“Shared with me.”

e. Google Keep: Google Keep is a cloud-based notetaking service

that lets users take notes and share them with other Google users to view, edit, or

comment. Google Keep notes are stored indefinitely unless the user deletes them.

Android device users can also use Google Drive to backup certain data from their

device. Android backups on Google Drive may include mobile application data, device

settings, file downloads, and SMS messages.

f. Photos: Google offers a cloud-based photo and video storage

service called Google Photos. Users can share or receive photos and videos with

others. Google Photos can be trained to recognize individuals, places, and objects in

photos and videos and automatically tag them for easy retrieval via a search bar.

Users have the option to sync their mobile phone or device photos to Google Photos.

g. Maps: Google offers a map service called Google Maps which can

be searched for addresses or points of interest. Google Maps can provide users with

turn-by-turn directions from one location to another using a range of transportation

options (driving, biking, walking, etc.) and real-time traffic updates. Users can share

their real-time location with others through Google Maps by using the Location

Sharing feature. And users can find and plan an itinerary using Google Trips. A

Google Account is not required to use Google Maps, but if users log into their Google

Account while using Google Maps, they can save locations to their account, keep a

history of their Google Maps searches, and create personalized maps using Google

My Maps.

h. Location History: Google collects and retains data about the

location at which Google Account services are accessed from any mobile device, as

well as the periodic location of Android devices while they are in use. This location

data can derive from a range of sources, including GPS data, Wi-Fi access points, cell-

site locations, geolocation of IP addresses, sensor data, user searches, and Bluetooth

beacons within range of the device. According to Google, this location data may be

associated with the Google Account signed-in or registered to the device when

Location Services are activated on the device and the user has enabled certain global

settings for their Google Account, such as Location History or Web & App Activity

tracking. The data retained may be both precision location data, like latitude and

longitude coordinates derived from GPS, and inferential location data, such as the

inference that a Google Account is in New York because it conducts a series of

searches about places to eat in New York and directions from one New York location

to another. Precision location data is typically stored by Google in an account’s

Location History and is assigned a latitude-longitude coordinate with a meter radius

margin of error. Inferential data is stored with an account’s Web & App Activity.

i. Google Pay: A subsidiary of Google, Google Payment

Corporation, provides Google Accounts an online payment service called Google Pay

(previously Google Wallet), which stores credit cards, bank accounts, and gift cards

for users and allows them to send or receive payments for both online and brick-and-

mortar purchases, including any purchases of Google services.

j. Chrome and My Activity: Google offers a free web browser

service called Google Chrome which facilitates access to the Internet. Chrome retains

a record of a user’s browsing history and allows users to save favorite sites as

bookmarks for easy access. If a user is logged into their Google Account on Chrome

and has the appropriate settings enabled, their browsing history, bookmarks, and

other browser settings may be saved to their Google Account in a record called My

Activity.

k. Google Play: Google Accounts can buy electronic media, like

books, movies, and music, and mobile applications from the Google Play Store. Google

Play records can include records of whether a particular application has been or is

currently installed on a device.

l. Google Voice: Google offers a service called Google Voice

through which a Google Account can be assigned a telephone number that can be

used to make, record, and forward phone calls and send, receive, store, and forward

SMS and MMS messages from a web browser, mobile phone, or landline. Google

Voice also includes a voicemail service.

m. YouTube: Google also offers a video platform called YouTube

that offers Google Accounts the ability to upload videos and share them with others.

Users can create a YouTube channel where they can upload videos, leave comments,

and create playlists available to the public. Users can subscribe to the YouTube

channels of others, search for videos, save favorite videos, like videos, share videos

with others, and save videos to watch later. More than one user can share control of

a YouTube channel. YouTube may keep track of a user’s searches, likes, comments,

and change history to posted videos. YouTube also may keep limited records of the

IP addresses used to access particular videos posted on the service. Users can also

opt into a setting to track their YouTube Watch History.

6. Further, Google typically retains certain transactional information

about the creation and use of each account on their systems. This information can

include the date on which the account was created, the length of service, records of

log-in (i.e., session) times and durations, the types of service used, the status of the

account (including whether the account is inactive or closed), the methods used to

connect to the account (such as logging into the account via Google’s website), and

other log files that reflect usage of the account. In addition, Google often has records

of the IP address used to register the account and the IP addresses associated with

particular logins to the account. Because every device that connects to the Internet

must use an IP address, IP address information can help to identify the computers or

other devices used to access the email account.

7. In addition, Google collects device-specific information, such as a user’s

hardware model, operating system version, unique device identifiers, and mobile

network information including phone number. Google states it also may collect and

process information about a user’s location, based on IP address, GPS, and other

sensors that, for example, may provide Google with information on nearby devices,

Wi-Fi access points and cell towers.

8. Therefore, the computers of Google are likely to contain all the material

just described, including stored electronic communications and information

concerning subscribers and their use of Google, such as account access information,

transaction information, and account application. In order to accomplish the

objective of the search warrant with a minimum of interference with the business

activities of Google, to protect the rights of the subjects of the investigation and to

effectively pursue this investigation, authority is sought to allow Google to make a

digital copy of the entire contents of the information subject to seizure specified in

Section II of Attachment A. That copy will be provided to me or to any authorized

federal agent. The contents will then be analyzed to identify records and information

subject to seizure pursuant to Section III of Attachment A.

II. FACTS SUPPORTING PROBABLE CAUSE TO SEARCH THE SUBJECT ACCOUNTS

The Mass Shooting in Highland Park

9. According to publicly available information and witness interviews, on

July 4, 2022, the City of Highland Park, Illinois, hosted an Independence Day parade

in the downtown Highland Park area. Citizens observing the parade were gathered

along the route lining Central Avenue. The parade began at approximately 10:00

a.m.

10. Based on the investigation to date, including forensic evidence, witness

interviews, and firearm trace information, at approximately 10:10 a.m., an individual

later identified as Robert E. CRIMO III (“CRIMO”), located on the roof of Company

A, a cosmetics shop, located on the 600 block of Central Avenue, Highland Park,

Illinois, opened fire using a semi-automatic rifle on the crowd gathered to watch the

parade. In the span of approximately four minutes, CRIMO shot numerous

paradegoers, resulting in the deaths of at least seven individuals and injuries to

dozens more. CRIMO was observed fleeing the area on foot, was captured on a

surveillance video dropping a rifle out of his bag, and a Smith & Wesson rifle model

M&P 15 purchased by CRIMO was recovered in the vicinity of the attack. CRIMO’s

prints were recovered on the rifle, and his DNA was found on the rifle as well as three

rifle magazines. Law enforcement reviewed the public facing website of Company A

and observed that Company A sells products from a company that manufactures its

products outside of the United States.

11. According to law enforcement reports, at approximately 6:25 p.m.,

CRIMO was arrested by local law enforcement near North Chicago, Illinois, after his

vehicle was spotted in the area. CRIMO was taken to the Highland Park Police

Department, where he was informed of his rights and gave a voluntary statement to

law enforcement in which, among other things, he admitted to responsibility for the

shooting.

12. Following the shooting, according to CRIMO’s recorded statement,

CRIMO fled on foot to his mother’s house 2 where he got in a vehicle. According to

security video obtained from his father’s residence, CRIMO arrived at his father’s

residence at approximately 10:37 a.m. According to CRIMO’s statement and an

interview with CRIMO’s associate, Individual A, CRIMO then traveled to Individual

A’s residence in Northbrook, Illinois, arriving at approximately 11:00 a.m. According

2 Based on the recorded statement, CRIMO’s parents are separated and live separately from
each other.
to CRIMO’s recorded interview he then traveled to the Madison, Wisconsin, area.

Pursuant to an emergency disclosure request to Verizon, cellular telephone location

data was provided to law enforcement which showed the device associated with

CRIMO in the Madison, Wisconsin area. According to CRIMO’s recorded statement,

CRIMO buried the phone in the Madison, Wisconsin, area before returning to Illinois,

where he was taken into custody.

Search of CRIMO’s Residence and Recovery of Bomb Making Materials

13. According to FBI reports, at approximately 4:00 p.m., on July 4, 2022,

law enforcement arrived at CRIMO’s residence in Highwood, Illinois. CRIMO’s

father was present at the residence and provided law enforcement with consent to

search the premises. 3 Among other things, the search resulted in the recovery from

CRIMO’s living area of indicia of residence for CRIMO, multiple firearms, and bomb-

making materials.

3 CRIMO’s residence consisted of a two-story single-family home with basement, an attached
rear apartment with separate entrances, and two detached sheds on the premises. On July
4, 2022, CRIMO’s uncle, who shared the residence, stated that CRIMO resided on the second
floor of the single-family home. On July 4, 2022, CRIMO’s father stated that CRIMO resided
in the rear apartment but that he (CRIMO’s father) had access to the apartment and could
come and go as he pleased. CRIMO’s father further stated that he (CRIMO’s father) had a
key to the rear apartment, but did not know where it was. On July 7, 2022, CRIMO’s father
stated that both he and CRIMO had complete access to the single-family home, rear
apartment, and detached sheds. CRIMO’s father identified the rear apartment as CRIMO’s
primary residence, though CRIMO maintained access to, and stored personal effects in, the
single-family home and detached sheds. Consent searches of the residence on July 4, 2022,
and July 7, 2022, found personal effects belonging to CRIMO in both the single-family home,
and rear apartment. During his recorded interview, CRIMO stated he resided in the rear
apartment, and kept personal effects on the second floor of the single-family home.

14. According to FBI reports, in CRIMO’s rear apartment, law enforcement

recovered bomb-making materials, such as electronic components, including a remote

initiator, two plastic jugs with ammunition attached to the outside, a funnel, and two

boxes of Tannerite. 4 Pictured below is the remote initiator (top left), containers of

Tannerite (top right), one of the boxes of Tannerite (middle left), and jugs with

attached ammunition (middle right and bottom):

4 CRIMO’s DNA was recovered on the cap of one of the jugs as well as a Tannerite container,
and his prints were found on a Tannerite packaging slip, shipping container, and pamphlet.
15. Further, based on FBI reports, on July 4, 2022, in an upstairs bedroom

of the single-family home to which CRIMO had access and stored personal effects,

law enforcement found additional bomb making components, including electrical

components, an electronic timer, and electric matches. On July 7, 2022, CRIMO’s

father consented to an additional search by the FBI that resulted in the further

recovery from the same bedroom of batteries, electrical wiring, a capacitor, circuit

boxes, a servo, and remote switches.

16. Based on my training, experience, and discussions with Special Agent

Bomb Technicians, I know that the above components are explosive precursors that

can be assembled into an Improvised Explosive Device (“IED”) for use as a weapon of

mass destruction.

17. Based on information provided by FBI explosive experts and publicly

available information, I know that Tannerite is a binary explosive legally marketed

and sold in many states. It consists of a combination of oxidizers (prilled ammonium

nitrate) and fuel (finely powdered aluminum powder). As long as the fuel is not mixed

with the oxidizers there is no hazard; however, if mixed and subject to severe force—

such as an impact from a bullet fired from a rifle—the substance becomes a high

explosive designed to produce a visual and audible display often used in targets for

firearms practice.

18. Based on my training and experience, I know that the components of

Tannerite can be used in constructing an IED. In particular, a binary mixture of

ammonium nitrate and aluminum powder, such as contained in Tannerite, can be

used as an explosive main charge to be initiated with the shock from a blasting cap

or high-velocity bullet strike from a rifle round.

19. According to the company’s website, Tannerite, Inc. is located in Eugene,

Oregon. In the consent search of CRIMO’s residence, the Tannerite was found in its

original shipping packaging. The FedEx packaging labels indicate that there were

two shipments, one on May 3, 2022, and one on June 1, 2022. Both shipments were

sent to CRIMO at CRIMO’s residence. The shipping labels also indicate that the

Tannerite was shipped from Oakridge, Oregon.

20. On or about July 5, 2022, CRIMO signed a Consent to Search Form and

gave written and verbal consent to search his cellular telephone (“Phone 1”). During

the search of Phone 1, law enforcement found two screenshots of invoices from

Tannerite.com. One of the invoices specified a purchase of ten pounds of Tannerite

on June 1, 2022, approximately one month before the attack.

Post-Arrest Interview of CRIMO

21. Based on a recording of a law enforcement interview of CRIMO on July

4, 2022, following his arrest, CRIMO was informed of his rights and gave a voluntary

statement to law enforcement. During the course of that statement—which took

place over two interviews on July 4 and July 5, 2022—CRIMO confessed to the

shooting in Highland Park. 5

22. Based on the recording, during the interview, CRIMO described

purchasing the Tannerite and other IED components consistent with the items

recovered from his residence. He described making explosive devices in the preceding

years and learning how to construct explosive devices containing a mixture of

ammonium and aluminum on the internet. CRIMO was asked if he used devices

other than his cellular telephone to access the internet and he answered in the

negative. CRIMO’s cellular telephone was later recovered by FBI. 6 CRIMO also

stated that he viewed videos of Tannerite explosive devices on YouTube.

23. CRIMO described the devices he created, and which were recovered from

his room, as consisting of milk jugs, bullets, duct tape, and Tannerite. In describing

the composition of the IED, CRIMO said that he could have used BBs (ball bearings),

5 This Affidavit contains summaries of certain material covered during the recorded interview
of CRIMO. This Affidavit does not include references to all of the topics covered during the
course of the interview. For some of the material covered in this Affidavit from the interview,
I have interpreted portions of the conversation, which are at times shown below in brackets
based upon (a) the contents and context of the conversations, (b) my experience and training
as a law enforcement officer, (c) the experience and training of other law enforcement officers
involved in this investigation, and (e) the other information gathered during the course of the
investigation.
6 During the interview, CRIMO described having buried his cellular telephone to avoid
detection by law enforcement. CRIMO described the location the telephone was buried,
specified the manufacturer was Samsung, gave his telephone number as 224-477-8741, and
gave the passcode for the device. The telephone was recovered by law enforcement near the
location specified by CRIMO, was a Samsung device with telephone number 224-477-8741,
and the phone had the same passcode as given by CRIMO.
but he already had bullets so he “might as well just tape the bullets together.” Based

on my training and experience, and discussions with Special Agent Bomb

Technicians, I know that ball bearings are common components used in an explosive

device or weapon of mass destruction designed to create shrapnel when explosively

projected from an explosive device. Accordingly, I believe CRIMO intended the

bullets taped to the containers to act as shrapnel.

24. According to the recording, CRIMO further stated in the interview that

he kept the jugs with bullets affixed to them locked in a backpack because he did not

want anyone else in the home to encounter them and hurt themselves. When asked

to describe the jugs, CRIMO said, “They are supposed to be a binary explosive.” When

asked what he was going to use an explosive for, CRIMO responded, “You know,

whatever happens, happens . . . if I were to use it, it would be by chance because, you

know, they are heavy, you can only carry so many things.”

25. CRIMO walked from his residence to the parade on the morning of July

4, 2022. Based on my training and experience, I believe CRIMO was saying that the

explosive devices were too heavy to carry to the parade, but he considered using them

if the opportunity arose. CRIMO also said that he made electrical circuits in the past,

“Of course I had the idea in my mind that it could be used for nefarious reasons.”

26. Later in the interviews, CRIMO was asked about his intent for the IED

components. CRIMO responded, “It could have been used for an incident, it could

have been used but it wasn’t.” CRIMO continued, “It could have been planted if it

worked, in theory it could have been planted . . . somewhere where it could cause

harm.” CRIMO also stated, “If it worked, I might have planted it early, or I might

have just sat down, left the bag there, and walked away.” CRIMO referred to that

statement as a “theory.” CRIMO further elaborated that he had to fit all the

Tannerite in the two jugs and that the IED would weigh about 20 pounds, the weight

of which would be too much because he was also carrying his rifle.

27. As a follow up to whether he would have used the IEDs, CRIMO

explained, “For this one [attack], no, I had just, you know, possibly if the situations

were to line up correctly, maybe.” CRIMO continued, “If everything lined up correctly

then I would use it, but it didn’t.” The interviewer asked CRIMO if CRIMO was

referring to things lining up for the attack that just occurred on the parade and

CRIMO responded in the affirmative. CRIMO described not using the devices

because the plastic milk jugs could have cracked had he thrown them off the roof.

CRIMO said that had he used the devices, they would “explode” and affect “a handful”

of people. He further stated that one pound of ammonium nitrate is equal to a stick

of TNT.

28. Based on the recorded interview, CRIMO stated he did not think long

about using the explosives for this incident and at one point asked if the question was

for a “thought crime[s].” He also stated he probably would not have followed through

because the materials were unstable. Conversely, at another point in the interview,

CRIMO affirmed he wanted the IED to work and so he purchased commercially

available Tannerite rather than using an alternative source of ammonium nitrate.

29. Based on the recorded interview, CRIMO stated he prepared the

components a couple of months ago and kept it locked up so family members would

not get hurt and because it looked nefarious. He continued, “I was either going to rip

it up and throw it away or use it but, it, the situation didn’t arise for it to be used.”

Based on the investigation to date, I understand CRIMO to be referring to the IED

components and/or any IED he assembled.

30. As the examples of the interview above demonstrate, at times, CRIMO

provided law enforcement with conflicting information related to his plans for any

IED and the components. Through my training and experience, I know that subjects

can lie to investigators in order to obfuscate their intentions, mitigate their

culpability, or obstruct investigations.

Identification of the Subject Accounts

31. During the search of Phone 1, law enforcement found a number of Gmail

accounts utilized by CRIMO. In particular, based on my training and experience, and

my consultation with other law enforcement officers with expertise in forensic phone

extractions, when a user types in their Google username and password to log into

their Gmail account via their phone, Gmail creates a token that is then cached on the

phone that associates those specific login credentials with that specific device. Thus,

the user does not have to reenter their login credentials every time they access the

account. Those cached tokens can be identified during a forensic extraction on the

phone, which, in other words, indicates that a given Google account was logged into

using the phone and the username and password saved in the form of a credential

token. In this case, the forensic extraction of Phone 1 led to the identification of the

following accounts as utilized by Phone 1: bobbycrimo@gmail.com (Subject Account

1) 7, bobbytdamac@gmail.com (Subject Account 2), sleepysquadmgmt@gmail.com

(Subject Account 3), memoryregion@gmail.com (Subject Account 4), and

sophierosaro@gmail.com (Subject Account 5).

32. Law enforcement also observed a Google Drive application on Phone 1.

As noted above, Google Drive is an application that allows users to store, access, and

share data as well as back up and access files from mobile devices. On the Google

Drive within Phone 1, law enforcement observed a number of documents as well as

several thumbnail images and videos of an individual who appears to be CRIMO

holding firearms in various poses. As the device was not logged into the Google Drive,

the videos could not be played.

33. Additionally, during the search of Phone 1, law enforcement observed

the internet browser Google Chrome. As mentioned above, CRIMO informed law

enforcement that he viewed internet videos about Tannerite IEDs, made purchases

via the internet, and conducted his online activity on his mobile telephone.

7 Data recovered from the phone indicates the Tannerite was purchased using Subject
Account 1.
34. Further, law enforcement observed the Google Maps application on

Phone 1. During the search of Phone 1, law enforcement recovered turn-by-turn voice

prompts for driving directions on the day of the shooting, July 4, 2022. Based on my

training and experience, I know that Google may retain additional information

related to the Maps application that is not stored on the phone. Additionally, during

the recorded interview, CRIMO said that in the years preceding the attack, CRIMO

traveled throughout the United States to meet and stay with associates he met

through an online forum. This travel to out of state acquaintances has been

corroborated by law enforcement interviews with associates outside of the state of

Illinois. However, additional location information associated with CRIMO’s

movements may assist law enforcement in identifying additional individuals CRIMO

met with or received assistance from, in the months and years leading up to the

attack.

35. I believe evidence and instrumentalities of the Subject Offense are

contained in the Subject Accounts. For example, based on my training and

experience:

a. I know that individuals who commit or attempt to commit mass

acts of violence with weapons of mass destruction take photographs and videos of

themselves planning, preparing, rehearsing, and conducting reconnaissance for their

plans or actions. Indeed, based on a witness interview, law enforcement believes that

CRIMO visited Company A on or about June 26, 2022, in order to conduct

reconnaissance in advance of the July 4, 2022, attack. Additionally, CRIMO stated

during the recorded interview that he had been planning to commit the attack for

years. As previously noted, Google provides Cloud-based storage for photos and

videos and, based on a search of Phone 1, it is clear that CRIMO utilized Google’s

Cloud-based services (such as Google Drive) to store at least images. Accordingly, I

believe the Subject Accounts are likely to contain such information.

b. I know that individuals who commit or attempt to commit mass

acts of violence with weapons of mass destruction write documents containing a

manifesto, supplies, notes, schematics for the design of destructive devices, and

instructions for combining explosive precursors. These written documents may

include information about the motivation beyond the plans to commit violence,

including malice toward a particular person or group of people. They may also include

information about other planned attacks which either were not, or not yet, completed.

As previously noted, Google’s cloud services (which CRIMO utilized), such as Google

Drive and Google Keep allow users to save notes and documents to Google’s servers.

Accordingly, I believe the Subject Accounts are likely to contain such information.

c. I know that individuals who commit or attempt to commit, mass

acts of violence with weapons of mass destruction perform research online to learn

about how best to conduct the attack, including how to assemble and operate

explosive devices. Indeed, during his recorded interview, CRIMO told law

enforcement that he conducted online research on IEDs online and, in particular,

viewed YouTube videos on Tannerite IEDs. As previously noted, unless a user opts

out, Google will record users’ historical browsing history, including search history,

and may also record a users’ YouTube watch history. Accordingly, I believe the

Subject Accounts are likely to contain such information.

d. I know that individuals who commit, or attempt to commit, mass

acts of violence with weapons of mass destruction may communicate with others,

including via email, about their plans and preparations and to seek assistance or

encouragement. As CRIMO appears to have utilized multiple Google email accounts,

I believe it is likely that to the extent CRIMO communicated with others about his

planned attack via email, those communications are likely contained in the Subject

Accounts.

e. I know that individuals who commit, or attempt to commit, mass

acts of violence with weapons of mass destruction may communicate with others, may

also conduct travel in furtherance of the attack, such as to meet with coconspirators,

gather supplies, and conduct reconnaissance. Indeed, as previously noted, during his

recorded interview, CRIMO told law enforcement that in the years preceding the

attack, he travelled the country and stayed with various individuals he had met on

an online forum. As previously noted, Google collects and retains data about the

location at which Google Account services are accessed from any mobile device.

Google Maps—which CRIMO utilized at least on the day of the attack—also collects

and retains certain location data about Google users. Accordingly, I believe the

Subject Accounts are likely to contain such information.

III. SEARCH PROCEDURE

36. In order to facilitate seizure by law enforcement of the records and

information described in Attachment A, this affidavit and application for search

warrant seek authorization, pursuant to 18 U.S.C. §§ 2703(a), 2703(b)(1)(A) and

2703(c)(1)(A), to permit employees of Google to assist agents in the execution of this

warrant. In executing this warrant, the following procedures will be implemented:

a. The search warrant will be presented to Google personnel who

will be directed to the information described in Section II of Attachment A;

b. In order to minimize any disruption of computer service to

innocent third parties, Google employees and/or law enforcement personnel trained

in the operation of computers will create an exact duplicate of the computer accounts

and files described in Section II of Attachment A, including an exact duplicate of all

information stored in the computer accounts and files described therein;

37. Google employees will provide the exact duplicate in electronic form of

the information described in Section II of the Attachment A and all information stored

in those accounts and files to the agent who serves this search warrant; and

38. Following the protocol set out in the Addendum to Attachment A, law

enforcement personnel will thereafter review all information and records received

from Google employees to locate the information to be seized by law enforcement

personnel pursuant to Section III of Attachment A.


IV. CONCLUSION

39. Based on the above information, I respectfully submit that there is

probable cause to believe that evidence and instrumentalities of violations of Title

18, United States Code, Section 2332a(a)(2)(A),(D) are located within one or more

computers and/or servers found at Google, headquartered at 1600 Amphitheatre

Parkway, Mountain View, California, 94043. By this affidavit and application, I

request that the Court issue a search warrant directed to Google allowing agents to

seize the electronic evidence and other information stored on the Google servers

following the search procedure described in Attachment A and the Addendum to

Attachment A.

FURTHER AFFIANT SAYETH NOT.

____________________________
/s/ Barrett J. Rife (MDW with permission)
Barrett J. Rife
Special Agent
Federal Bureau of Investigation

Sworn to and affirmed by telephone 12th day of July, 2022

Honorable M. David Weisman


United States Magistrate Judge

ATTACHMENT A

I. SEARCH PROCEDURE

1. The search warrant will be presented to Google personnel, who will be

directed to isolate those accounts and files described in Section II below.

2. In order to minimize any disruption of computer service to innocent

third parties, company employees and/or law enforcement personnel trained in the

operation of computers will create an exact duplicate of the computer accounts and

files described in Section II below, including an exact duplicate of all information

stored in the computer accounts and files described therein.

3. Google employees will provide the exact duplicate in electronic form of

the accounts and files described in Section II below and all information stored in those

accounts and files to the agent who serves the search warrant.

4. Following the protocol set out in the Addendum to this Attachment, law

enforcement personnel will thereafter review information and records received from

company employees to locate the information to be seized by law enforcement

personnel specified in Section III below.

II. FILES AND ACCOUNTS TO BE COPIED BY EMPLOYEES OF GOOGLE

To the extent that the information described below in Section III is within the

possession, custody, or control of Google, which are stored at premises owned,

maintained, controlled, or operated by Google, headquartered at 1600 Amphitheatre

Parkway, Mountain View, California, 94043, Google is required to disclose the

following information to the government for the following accounts:


• bobbycrimo@gmail.com (“Subject Account 1”)

• bobbytdamac@gmail.com (“Subject Account 2”)

• sleepysquadmgmt@gmail.com (“Subject Account 3”)

• memoryregion@gmail.com (“Subject Account 4”)

• sophierosaro@gmail.com (“Subject Account 5”) (collectively, the


“Subject Accounts”)

a. All available account contents from inception of account to

present, including e-mails, attachments thereto, drafts, contact lists, address books,

calendars, and search history, stored and presently contained in, or maintained

pursuant to law enforcement request to preserve.

b. The contents of all text, audio, and video messages associated

with the Subject Accounts, including Chat, Duo, Hangouts, Meet, and Messages

(including SMS, MMS, and RCS), in any format and however initially transmitted,

including, but not limited to: stored, deleted, and draft messages, including

attachments and links; the source and destination addresses associated with each

communication, including IP addresses; the size, length, and timestamp of each

communication; user settings; and all associated logs, including access logs and

change history.

c. The contents of all records associated with the Subject Accounts

in Google Drive (including Docs, Sheets, Forms, and Slides) and Google Keep,

including: files, folders, media, notes and note titles, lists.

d. All Internet search and browsing history, and application usage

history, including Web & App Activity, Voice & Audio History, Google Assistant, and

Google Home, including: search queries and clicks, including transcribed or recorded

voice queries and Google Assistant responses; browsing history, including application

usage; bookmarks; passwords; autofill information; alerts, subscriptions, and other

automated searches, including associated notifications and creation dates; user

settings; and all associated logs and change history.

e. All Google Voice records associated with the Subject Accounts,

including: forwarding and other associated telephone numbers, connection records;

call detail records; SMS and MMS messages, including draft and deleted messages;

voicemails, including deleted voicemails; user settings; and all associated logs,

including access logs, IP addresses, location data, timestamps, and change history.

f. A record of the account’s YouTube Watch History, including:

accessed URLs and their associated duration, privacy settings, edits, comments,

likes, chats, and other interactions, including associated URLs; search history;

channels; subscriptions; subscribers, friends, and other contacts; IP addresses,

change history, location information, and uploading account or identifier; the logs for

each access by the account, including IP address, location, timestamp, and device

identifier; and change history.

g. All activity relating to Google Play, including: downloaded,

installed, purchased, used, and deleted applications.

h. All existing printouts from original storage of all the electronic

mail described above.

i. All transactional information of all activity of the electronic mail

addresses and/or individual accounts described above, including log files, dates,

times, methods of connecting, ports, dial-ups, and/or locations.

j. All business records and subscriber information, in any form kept,

pertaining to the electronic mail addresses and/or individual accounts described

above, including applications, subscribers’ full names, all screen names associated

with the subscribers and/or accounts, all account names associated with the

subscribers, methods of payment, telephone numbers, addresses, and detailed billing

and payment records.

k. All records indicating the services available to subscribers of the

electronic mail addresses and/or individual accounts described above.

l. All payment and transaction data associated with the Subject

Accounts, such as Google Pay and Google Wallet, including: records of purchases,

money transfers, and all other transactions; address books; stored credit; gift and

loyalty cards; associated payment cards, including any credit card or bank account

number, PIN, associated bank, and other numbers; and all associated access and

transaction logs, including IP address, time stamp, location data, and change history.

m. The contents of all media associated with the Subject Accounts

in Google Photos, including: photos, GIFs, videos, animations, collages, icons, or other

data uploaded, created, stored, or shared with the account, including drafts and

deleted records; accounts with access to or which previously accessed each record; any

location, device, or third-party application data associated with each record; and all

associated logs of each record, including the creation and change history, access logs,

and IP addresses.

n. All account contents previously preserved by Google, in electronic

or printed form, including all e-mail, including attachments thereto, and Google Drive

stored electronic files for the Subject Accounts described above.

o. All subscriber records for any Google account associated by

cookies, recovery email address, or telephone number to the Subject Accounts

described above.

p. All Google Maps data including commute routes, commute

settings, and labeled places;

q. All Google Location History / Google Timeline data for any devices

associated with the Subject Accounts described above, including the GPS

coordinates and the dates and times of all location recordings.

Pursuant to 18 U.S.C. § 2703(d), the service provider is hereby ordered to

disclose the above information to the government within 10 days of the signing of this

warrant.

III. Information to be Seized by Law Enforcement Personnel

All information described above in Section II that constitutes evidence and

instrumentalities concerning violations of Title 18, United States Code, Section

2332a(a)(2)(A),(D) (the “Subject Offense”), as follows:

1. Items related to the identity of the user or users of the Subject


Accounts.

2. Items indicating the state of mind of the user of the Subject Accounts,
e.g., intent, absence of mistake, or evidence indicating preparation or planning,
related to the criminal activity under investigation;

3. Items concerning how and when the Account was accessed or used, to
determine the geographic and chronological context of account access, use, and events
relating to the crime under investigation and to the Account user;

4. Items related to the motivation for the use of a weapon of mass


destruction, including malice toward any individual or group of individuals.

5. Items relating to the identification of persons who either (i) collaborated,


conspired, or assisted (knowingly or unknowingly) the commission of the Subject
Offense; or (ii) communicated about matters relating to the Subject Offense,
including records that help reveal their whereabouts;

6. Items relating to the city of Highland Park, Illinois including information


related to mass public gatherings, including any maps or diagrams of the city or its
parade route, or presence at Highland Park, Illinois on or around July 4, 2022,
including any planning, preparation, or travel;

7. Items relating to materials, devices, tools, plans, or strategies to


assemble a weapon or destructive device designed or intended to cause death or
serious injury;

8. Items relating to the use of communication devices or encrypted “apps”;

9. Items relating to any conspiracy, planning, or preparation to commit the


Subject Offense, or efforts to conceal evidence of the Subject Offense from law
enforcement, or to flee prosecution for the Subject Offense;

10. Items related to the receipt or possession of explosive devices, including
materials, components, and tools used to make explosive devices, including but not
limited to explosive precursors, accelerants, incendiary materials, electronic
components, fused and initiating materials, shrapnel, and containers, and any other
chemicals or compounds which alone or in combination with other materials can be
used to form a destructive device;

11. Items relating to the use of destructive devices;

12. Items related to the physical location of the users of the Subject
Account;

13. Items related to the identities and contact information of participants in


or witnesses to the Subject Offenses;

14. All of the non-content records described above in Section II.

ADDENDUM TO ATTACHMENT A

Pursuant to Rule 41(e)(2)(B) of the Federal Rules of Criminal Procedure, this


warrant requires the recipient of the warrant to copy and produce the contents of an
electronic account so that they may be reviewed in a secure environment for
information consistent with the warrant.

The account provider shall provide the government only data that fall within
the criteria as described in Attachment A(I), which may either be the entire contents
of an account or only a subset of an account.

The government’s review of the data shall be conducted pursuant to the


following protocol:

The government must make reasonable efforts to use methods and procedures
that will locate only those categories of data, files, documents, or other electronically
stored information that are identified in the warrant, while minimizing exposure or
examination of categories that will not reveal the items to be seized in Attachment
A(III).

The review of electronically stored information contained in the account


described in Attachment A may include the below techniques. These techniques are
a non-exclusive list, and the government may use other procedures that minimize the
review of information not within the list of items to be seized as set forth in
Attachment A(III):

a. examination of categories of data contained in the account to determine


whether that data falls within the items to be seized as set forth in Attachment A(III);

b. searching for and attempting to recover any deleted, hidden, or encrypted


data to determine whether that data falls within the list of items to be seized as set
forth in Attachment A(III);

c. surveying various file directories and folders to determine whether they


include data falling within the list of items to be seized as set forth in Attachment
A(III);

d. opening or reading portions of files, and performing key word or concept


searches of files, in order to determine whether their contents fall within the items to
be seized as set forth in Attachment A(III); and

e. using forensic tools to locate data falling within the list of items to be seized
as set forth in Attachment A(III).

Law enforcement personnel are not authorized to conduct additional searches


for any information beyond the scope of the items to be seized by this warrant as set
forth in Attachment A(III). To the extent that materials produced by the account
provider pursuant to this search warrant contain evidence of crimes not within the
scope of this warrant appears in plain view during the government’s review, the
government shall submit a new search warrant application seeking authority to
expand the scope of the search prior to searching portions of that data or other item
that is not within the scope of the warrant. However, the government may continue
its search of that same data or other item if it also contains evidence of crimes within
the scope of this warrant.
