Escolar Documentos
Profissional Documentos
Cultura Documentos
. , , . ,
,. , LAW ENFORCEMENT
.,
SENSITIVE. ' . ,
. .
, . ' . ,FOR OFFICIAL USE ONLY "
, , . . b6
,,
, , . ,
. ,
FTO~:( 1 CCIPS , , . , DA&: 00-12-7008 b7C ,
CLASSIFIED by 6 0 3 2 2 ~ ~ l p / ~ t ~ / r d a,, '
.
'
,
- ' ~ A S ~ N1.4.1~1
: ,, bi :: ,
, ' , f i ~ c ~ n s s xON:
~ r 08-i2-2033, b2 . .
.. ..b7E
ch.Z,20033 , ,
, , ,
,
' ' , ,
, ,
of you b o w , some investigators have begun to use .ninvestig'ativctechique referred,
As
tbas 'm"lhtemet Pratoc,ol,AddressVerifier"
indispmble value'in C&
aWa a ' (w).
" While the technique is of '. .
kiids'bf cases, we at seei"g indications thk it is behg used needlessly by '
'.
, .
,
,
. agencies, unneceisdly raising d i m l t legal plrstions
., (and a,d+ of su~prnsion)without my , ,
, .
.,, . . . ., . . , ,
countervailing benefit. ' . , , ,
I
, . , , , ,
I '
,. . , .,
. , . .. . . , , . . .. . . ,.. . . .. .. . . . . . . : ., n n q : 03-lg-zoos
... 8.' . ,
.' . . :. . . . . ;
' I' , ,. , ,, . ... , , , . . . . . ,. ,
. . . . . ,,:. ,
. . . .. , m1 'INFO. ' .
. '.' , :,
,
. , '. I
,,. ,
. . . . .. ., , , , , ,. . , , ,
, . , ' ,
, . : : I'.~~ctrss~n'oy: 03'19-2033 ,.; . , :,
, , :.
. .. . . .
. , , I. ' . , ' I ,
. . .,.i . . , ..' .: . '
I . ' ,
........
. , . ... , .
.
,,
. , ,. ,. . . . . . . , ,
.,: , . . ., ,, , .
, , ' , , , . , ., :, ' , ,, . :;.,; .bl'. . .' .. . .. . .. . . . , . . . .
. ., .. , .
, , ,
, .
,
, ,
.. . , . .. , . , , . .
, . . , , .
., . .,, . . . , . , .
.......
, , , , , , , ,
' ;
,
. , '
. . . . ... , . . . . .
... ' .', , . . . " . , ,. . ,
. . ' \. , I:, .". .,, . ,
. . ,
.. . . . .
!', , , : ,, '
., . , . . ,
, ..
,.
,
.., ! I " .
, , ' . , '.'
,
.
,, ..
.
, .
, ' , ' , ,, .
,, , . , , ' ' . ,
:
..
..
, ,
.. . .. , a
, .. , , I
, ,
,. , ,
, , . ~ , . ,
. . . . ,. :. ,
' . '
,
i
,
, .. , . , . . . . ... . .
,
', . . .,, ,
. ,
',
. ., ,.
. . , . ,
, ,
. ,.
, . ,
. ,' I.
.
I
.
,
.
' :
;,
. . . . . . .
, ..,
,
. .. . .'."bl
.,
.
, . .
" , . ,.,,
., , , . . , . , , ; . . . . . .. . .. .. . .. . . .. # ! ' . . .. .' .. ^.
,
,,,
, ..
. , . ...
. , , 1 ; .
, ,. , .
. , .
, .,, . . . . . . . ., ,
, . ..,. , . .
, , , ,
. .
. . I
. . ' . :, ,. , .
, ..
. . . ., .
.. , , .,.
. . .. ' , , .. ,, .
, : . .. . .. . . . ..,.,.
, , , , I
, .,
'
'.' . " . . , . . .. .. .. .. . .. . . ..'I
, . , ., , . ., , :. b i ' , , , , , , , . . . . . . ' ,
., , . . ' , ,,1 , . b6 1 .,. "
. . . . . ., .
, . . ..b7C . . . . . . , .
. ., .
,. . . . . .
.
,
, . .
,
., ,
, ,
. .,
,
. . . .. . , . ,
,
, ., .
, '
. ,.I..
.;.,, , , ,
.. , . . i
' ,.. ,
'
: ...';.. ....I
, ,
. . . . . . . . . . . . . . . . .. .,. , , . ,:
I . ' '
. .
,
, , . .. . , , , , . , ,,
,
. . , .. ,
', . ' ..
. . . . .
. ,
; . .
... , , .
., ,
,.. 1 'bl
: 1
.,. ,. :1 ,
I
j . I
. ,
! . .,
, .
!
'.
1
8
. , , ..
:. : I
,.
,
.
,
. . .
, .
. ,
,,',
I . I .I
. ... . . .. . . ., .. . ,.',, . .
,.
. .
. . ,. , , , , ,
,
,
,, ' '
., , , . . .
.
, , , , , ,. ,
. .. . , , ., , . ., . ,. . ..
,
. ,.
,
,',
. . .
, I
, . ,
. .
, ,
, , . .. , , , , ' i
, . , , , ., , ,. ., ,,, , .,, . , . . ,
,.
. ,
. ., , ,, . .
2 . .
,
..
. : . : .
. ',; I " ,
,i . , '
;
.,. . . . . . .. ., . .
. classified by: -liPCLICe
, . , Jamts Poli~v.OlPR
. I,. . . DOJ' . . .. ,
' , ,' ' ' , ,, . .
. ,,
. . .. .. . , ,
. ,
, , ' ' .
.
,.
, Reason: . . ,.., ,, '. , ,
, ,
., , .. ..
,
, ., .
. . .
,
.
' , . . , , .,
,.. , , . , . ,
,
,
...
,. ,
/ '..'
,
,
., ,
. . . ., , "'
..: . ' ., !:;. ':
I.
. . ~eclassifjlon;, . , . ., . . . , . . . . ., .. , , , .
: . , , . .. ' .
,., . : , , .. ., . . .. . . .. ,,. ,
, ,, ,
. .: ' . . , .......... ,, _ ' . ' .'. , .. '
.
..
"
,
,, .
'I "
, . , ,
,
, . .., , ,
, .
. . ., . . . .. . . ,: :, ,
, ' '
. .,
,I
. . . . .'. , ..I.. I
. ,:. : . , , ,,., ,
. , , ., , , , ,. ,. .!. . ., .., .., .. .. ... . , ,
, , . , , , . ,
.. ,
,. , I
, , ,
. ,
. , ./.
. ,,, ' , I
, , , , , , , , , . I , , ,., , I , I . , ; .
VNCLASSLFIED/FOR O W I C L ~USE ONLY
CEAU Priprity is: TBD '
Origin of Request:
~~f~riority:
Description: ~ a & rall documents that reference 'CIPAV'
Other Contacts:
** Not Assigned
Legal Information
Other Contacts:
Legal Information
Record Logs:
b6
b7C
05/07/2007, 1:30 PM -
4 s ) - . . ...advi'$gZfrhnt.th)..
Spoke
,...,,
with SA Cyber-Forensic Trainingdlliancs (ZYCFTA)who
I
bl
. b2
b7E
IS1 .,'...,
Grou Su ,
CEAU ID: 20070502-12602
Group I Program: DG I DE
I
,b , Pervisor: Contact Nurnber~-~
bl
[ S ] . , . \. b2
blE
b6
Primary Technical Lead: b7c
Other Contacts:
A 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
Status: Closed
Technical Lead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Wamnt Expiration dak. No Expiration Date
~ e s c r i ~ t i o n : [ l
Status: Closed
~echnicnlLead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiratioa date: No Expiration Date
L
Record Logs:
04/01/2006,8:00 AM-1-1
No evidence received
' %
bl
b2
b7E
b6
b7C
Legal ~nfokation
Submission Details:
Description: Client #l
Status: Open
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TED
Warrant Expiration date: No Expiration Date
~escri~tioni
Statua: Open
I
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TBD -
Warrant Expimtion date: No Expiration Date
Record Logs:
b1
=sent lead
to begat Moscow.
UNCLASSIFIEDIFOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070523-13619
Group / Program:
1Contact ~urnber~-[~-rnail Address:
-
Primary Technical Lead:
Other Contacts:
Legal Information
ALL INFDaElATfORT COhTAINED
EIERETP IS UNCLASSIFIED EXCEPT
m m SAOWRI OrnRWISE
DATE; 08-15-2900
CLASSIFIED BY 60322UC/LP/BTPJgjg
REASOBI: 1.4 I.C .)
DECLASSIFY ON: 08-15-2053
UNCLASSIFED/FOR OWFXCIAL USE ONLY
CEAU Priority is: TED
CEAU ID: 20070502-12599
-
Group I Program:
Group Supervisor: Contact Number:l-v-mail Address:
I b6
Primary Technical Lead: ALL INPOREIRTIOB DATE: 09-18-2008 b7C
CLASSIFIED BY 60322 UC/LP/STP/gjg
HFRELI I9 UNCLASSIFIED EXCEPT mA50N:
Secondary Technical Lead: S H O O~ ~ R W I S E
DECLASSIFY ON: 09-18-2033
Other Contacts:
* * Not Assigned
Legal Information
Submission Derails:
Description: Client #I
Status: Closed
Technical Lead
Start date: 10/20/2005
Due Date': TED
Finish Date: 05/04/2007
Warrant Expiration date: No ~ x ~ i r a t i 6Date
n
Description:1-
Stabs; Closed
Technical Lead:
Start date; 10/20/2005
Due Date: TED
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date
UNCLASSZIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TED
CEAU ID: 20070523 13617
*Crou Su erviaor:
e-
DEP
Group I Program: S ~ I G
- contact ~umbwf-1
File Number: 288A -HO-647RO
E-mail Address:
IS 1
(9).
421
I I
Primary Technical Lead:
Smondary ~tchnicrrlLead:
** Not A s s i p d
Legal Information
DATE; 98-&$-1Q08
' CLBSSIFm BY 60333VC/LP!STP/gjg
..
PXA50D? 1.4 tCI
-
-
* Group I Program: SDG / DEP
Grov Su ervkor: I ~ t-
~ o n t a~nrxrhol-1
I sex
&d,
mvidcd to S
wBjs'swsw
1 - - - . .............................. ........................
and is now threatening to from subjcctOs cmuil no
o n , , ~ ~ ~ ~ f i v # . ! ~b2
~ ~
b76
bl
[ S 1 .,'"
Primary Technical Load:
Other Contach:
Legal Information
Record Logs;
PATE1 08-15-3008
CLA33IFTED DY GO32ZUC~fP,'JTP/$'jp
HEASPI: L.4 I C )
D E C L A S S I N DN: 0 8 - 1 5 - 2 0 3 3
ALL INFOMATTON COIITATNED . I
,
UNCLASSEIEDIFOR OFFICIAL USE ONLY
CEAU Priority is: TBD ,
CEAU ID: 20070521-1361 1
Group I P r o ~ a m : 1 Dl9
G~oUD Su~ervisor: 1contact ~ u m b e r rE-mail
l Address: ls 6
b7C
Other Contacts:
** Not Assigned
Legal Information
DAfi: 08-06-2008
CLASSIFIED BY 60322VC/LP/BTP/Vjg
REASON: 1.4 (b,cl
DECLASSTIY ON; 08-06-2033
I I
Primary Technical Lead:
.Secoadary Technical Lead:
Other Contacts:
PATE; 08-15-2008
** Not Assigned CLASSIFIED BY 60322VC/LP/STP/gjg
REASON: 1 . 4 ( C ]
Legal Information DECLAsSIH ON: 08-15-2033
lweb page
.
b2
terminated on 2.20.05 at 1:30pm in compliance with initial d w and no howledge of the b7E
4 new warrant. S@
1 ..........................
.... 1
b d collection restarted on 2.21.05.SA lidentified a
subiect.fioi.am.~. I
c address assigned t o a customer in 1
~eiecom)which wwar the Q ~ r n i IP b6
b7C
. . execute a Y W on that customer[lr residunc! on
law to obtain and
UNCLASSIFIED~ROFFICIAL USE ONLY
- d-
CEAU Priority is: TBD
CEAU ID: 2007051813601
Group I Program: SDG I D P
Group Supervisor: Contact Numb- - E-mail Address:
I I
Universal Case File Number: 2881 -pH-98358
UCFN Serial Number:
Record Status: Completed
Start Date: .09 Feb 2005
DueDatfx TBD
Request Open For: 904 days, 11 hours, 39 minutes
None Assigned
Other Contacts:
0
. Legal Information
Record Logs:
b6
'b7C
,
I
Group / Program: SDGID P
Group S u u e r v p C o n t y NumberIC E-mi; AddreSS:
Universal cask File Number: 166C-EP-36737
UCFN Serial Number:
Other Contacts:
Not Assigned
Legal Information
DATE; 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/qjg
REasonr: 1.4 (CI
DECLASSIFI ON: 08-L5-2033
WNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CBAIl m: 2007057.1 13608
tern lata S/W &davit to Ewe a ent upon reccipt of omc s u m m q . On 2/18/05, SSA
d spoke with S7
4
- LA, and explained options again. M a t h is a CyberICI
Primary Teahnicnl L w d ~
Secondary Technical Lead:
Other Contacts:
** Not Assigned
Legal Information
DAIE: 08-15-2008
CLASSSFIED BY 60322UC/IP/STP/gjg
REASON; 1.4 (C)
DECLASSIFY ON? 08-15-2033
CONPATNED
ALL ISFOREIILTION
EbZTRT IS UNCLASSIFIED EXCEPT
WWeRE SHOW D m R W I S E
- USE ONLY
UNCLASSIFIEDlFOR OFFICIAL
CEAU Priority b: TED
CEAU ID: 20070518-13595
Group I Program: SDG I DEP
n-
Contact N l u n b e r j y - E-mail Address:
Universal Case File Number: 288A -SE-89989 .
UCFN Serial Number:
Record Status: Completed
Start Date: 01 Sep.2004
Due Dstc: TBD
Request Open For: 1065 days, 12 horn, 33 minutes
I ISearch warrants
renewed in 10-day increments Search warraut renewals enaea d mid-Dee 004.SA
b6
-was advised to download collected data for elsur. b7C
Primary Technical Lead:
Other Contack
Legal information
DATE: oa-~5-200~
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1 . 4 ( C )
D E C L A S S I N ON! 0 8 - 1 5 - 2 0 3 5
DATES 08-12-2008
CLASSIFIED BY 6032tu~lp/l~p/Tds
REASON; 1.4 (el
PECUSSIFI OW; 08-12-2033
bl
. b2
b7E
nil INF~RMATIONC O E T A I ~
HEREIN 15 UNCLASSIFIED EXCEPT
WRERE SHOWN OE-ERWISE
DATE5 '00-L3-2008 Law Enforcement
CLASSIFIED BY 60322ucL0/'rtp)rds
REASON: 1 . 4 ( e ) ., Case Support Standard Operating Procedures (SOF)
DECLASSIFY ON! 08-13-2033
\!
,'
i;
!.
!.
'!
i
,'
i. bl
b2
b7E
1
1.
1
':
!
;
,
Page 2 of 4 Pages
Law Enforcement SensitiveISensitive But
Wnr t3m0i.l HISL n - I ,
~ a 'Enforcement
w
Bor Official Use Only >.<
Sensitive/Sensitive But brnc
I ,
\
\!,
!
i
!
,'
Page 3 of 4 Pages
-
Law Enforcement SeositiveISensitive But
For Official Use Onlv
Law ~ n f ~ r c e ~Sensitive/Senaitive
ent But U
*
hr Official Use Only
Page 4 of 4 Pages
Law ~uiforcementSensitivdSluitive But *nUr
FEDERAL BUREAU OF INVESTIGATION
TO: Cyber
bG
International Operations Attn: uc b7c
Europe Unit
Rome Attn: Legat
ALAT-d
Operati~nalTechnology Attn: CEAU
SS
From: Seattle
Squad Il Cyber -
Contact: D r L e c ~ i v e )
-.I I
Approved BY; , n
Drafted By: -1:nbs
C ~ G CID #: 288A-SE-NEW (pending)
DATE: 09-12-2008
- - - -
CLASBIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (GI
INFORMBTIoN c~~~~~~~ DECLASSIFY OM; 09-12-2033
HERETN IS WCLASSIFLED EXCEPT
To: Cyber From: Seattle
Re: 288A-SE-NEW. 06/07/2007
06/04/2007 - due to
bomb threat email from sender: UNSUB (s) also
advised a computer
which resulted in a DDOS attack totaling over 80,000,000 hits. b6
b7C
-
06/05/2007 Timber1 arion due to
bomb threat email from sender:
-
06/06/2007 Timberline Hiqh School evacuation due to
bomb threat email from sender: 1
-
06/07/2007 Timberline High School received additional
email from UNSUB(6). Details unknown at present time.
LPD and the Washington state Patrol (WSP) continue to
perform school evacuations and bomb sweeps with negative results.
Parents and school district: employees have informed local
television stations and newspapers, which aired the story on June,
6. 2007. LPD has requested investigative assistance from the
Northwest Cybes Crime Task Force.
LPIJ has
student at Timberline High School,
rf,
amears not to be the
, attack,
and teachers from Timberline High School provided a list
s who may be
a self proclaimed
school computer security measures. computer is in LPD
custody and forensic results are pending. Initial interview of
provided negative results.
I I
I
(
On '06/07/2007.~etective WSP, and SA b6
, Seattle Oivis~on,contacted .!USA Katheryn t7c
'Warn, Western Distr!ct of Washirigton, who agreed to pxosecute
captioned matter.
To: Cyber rim: Seattle
Re: 288A-SE-NEW. 06/07/2007
To: .Cyber From: Seattle
Re: 288A-SE-NEW, 06/07/2007
LEAD (s) :
S e t Lead 1; , (Info)
-
CYBER
AT WASHINGTON, DC
For information.
S e t Lead 2: (Info)
I
AT WASHINGTON. DC
For information.
Set Lead 3: (Action)
EQm
AT ROME. ITALY
I
AT OUANFICO. VA
For information.
-
FEDERAL BURRAU O F INVEST1GATION
Precedence : PRIORITY
To: Operational Technology
Cyber
Attn:
Attn;
Date:
l ~ a l ~ s Unit
~ S A
i s ,
03/08/2007
Cryptologic & Electronic
I
b6
b7C
CY
From: Tampa
Squad 8
Contact: SA I
Approved By:
Drafted By:
Case TD 1-
#:
neL- ' (Pending)
Title:
Details:
BACKGROUND
DATE: 05-07-2008
CLASSIFIED BY 60325UC/IP/PLJ/gjg
REASON: 1 . 4 ( C )
DECLASSIFY ON: 05-07-2033
ALL LIFORFIPTTOW CDPITAINED
HEREIN. 15 mCLA551FIED EXCEPT
To: chnology From: Tampa
Re: , 03/08/2007
-
. - - - -
AT WASHINGTON. D.C.
OTD Attn:
ssA
DES/CEAU
n
Attn: C ~ I U - 2
rrr b6
Chicago
Prom: Cincinnati
Squad 13
- :A S
Contact
Approved By:
Drafted By: 1- jk
Case ID #: (Pending)
Title:
b 7A
b7E
b7A
LEAD($) :
Set Lead 1: (Info)
-
FEDERAL BUREILU OF INVESTlGATION
-
Precedence: PRIORITY Date: 12/14/2006
To: Operational Technology Attn: Cryptologic & Electronic
SSA b7C
From: Houston
CT- 3.
Contact: SA 1 (
Approved By:
Drafted By: &w:-
#!'w
Case ID
Title: s 7 (Pending)
,IS1
I
bl
b6
b7C
DATE: 09-22-2008
CLASSIFIED BY 60322VC/LP/STP/q]y
WASON: 1.4 [ C )
PECLASSIFI ON: 09-22-2033
Details:
BACKGROUND
ational Tech ology From: Houston
u la/lr,2oo6
b1
b2
O W From: Houston b7E
12/14/2006 b6
b7C
b7D
b7A
(u) Houston ~ i v i s i o nhas developed a Confidential ,;(El
Witness (CW) who is willins to asaist with this investisation by i
1
'"7
'
TO: Oper Ogy From: Houston
Re: l0lM 12/14/2006
. A T T O L O G I C ~ ~ E C T R O N IANALYSIS
C IT
rur - X bl
Precedence; PRIORITY Date: 12/07/2006
TO: Operational Technology Attn: Cryptologic & Electronic
From: Houston
CT-1.
Contact: SA
Approved By: 1- r ,
Drafted By: y k ~ d b
I I
Case ID #: (S) I I (Pending)
Title:
(UI
--iz----3 -
- ueclassify Uw-#QZ/2031 L
i4Sl
I
i
I
bl
b6
b7C
b7A
DATE: 09-22-2008
CLAssTFTED BY 60322UC/LP/STP/gjg
PEASON: 1 . 4 ( C ) '
DECLASSIFY ddl; 03-22-2033
.IS]!
\:
I
i:
To:
Re: 1operational
w- Technology From: Houston
12/07/2006
OPERATIONAL TECHNOLOGY
I
.. ,
.(Rev. OI-31-2003)
FEDERAL BUREAU OF lNVEgTlGATlON
From: Cincinnati
Squad 13
Contact: SA
' J
Approved By:
1 - 1
Case ID'#: (Pending)
Details:
BACKGROUND
SDG PRODU
updated: June 28, 2006 by
GGAL PROCESS
Consent
criminal, PThT Court
order 60 day
expiration
FISA court order 90
day expirati~n
,,3s)
consent
Criminal Search
warrant 10 day
;
!
j . eipiration
FISA court 'order 90
d,ay expiration
1
b1
I
b2
1 b7E
I
i
Consent
; criminal Search
warrant lo day
expiration
FISA C O u f t order 90
day expiration
DATE: 09-23-2000
CLASSIFIED BY 60322 UC LP/STP
REASON; 1.4 LC)
DECLASSIFY ON: 09-2'1-2033
-
DATE: 09-22-2006 ALL THFOWT
-
day expiration
Consent
Criminal T-IIT court
order typically 90
day expiration
FLSA c o u r t order 90
day expiration
Consent
Criminal T-I11 C O U r t
order typically 90
day expiration b 3.
r FISA c o u r t order 90 b2
day expiration b7E
NA
NA
CEAU Assistance to Seattle Case: ,
UNSUB(s); .
TIMBERLINE SCHOOL DLSTRICT (VICTIM);
-
COMPUTER INTRUSION INTERNETEXTORTION
On June 6,2007, the Seattle Division was contacted by the Lacey Policc Department
(LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Senice
(DDOS) attacks received at the Timberline School District, Lacey, WA. The threats
' began on May 30,2001 and persisted through June 4,2007. The t h a t s necessitated the
daily evacuation of Timberline High School. The LPD and the Washington State Patrol
(WSP) performed school evacuations and bomb sweeps with negative results. Parents
- - . which
and school district employees informed local television stations and newspapers,
aired the story on J& 6,2007. As a result, the LPD requested investigative assistance
from the Northwest Cvber Crime Task Force (NCCTFI. headed by the FBI Seattle
Division. In.turn,the ~eattleField Office reql$sted assistance fmbthe OTDICRAU to
attempt to geo-physically locate the UNSUB(s).
Assistance Provided
10 July 2007
Version 0.1
Last Update 10 July 2007
Version Control
10 July 07 0.1
Last Update 10 July 2007
July 2007
Last Update 10 July 2007
Version Conwl
(Rev. 01 -3 1-2003)
Cyber
OBJECTIVE
The objective of this operation was to deploy a CIPAV to
locate the subject issuing bomb threats to the Timberline High
School, Lacy, Washington. The CIPAV was deployed in the usual
way.
SUMMARY OF EVENTS
C
m
-~
oncur ence for the operation was obtained from Case Agent
and Kathryn A. Warn, Assistant United
y , western District of Washington. In addition,
Office of the General Counsel. concurred with the
~ - -
oneration followino
~- - his review of the affidavit and warrant.
b7C
LEAD (s) :
Set Lead 1 : (Action)
SEATTLE
A T SEATTLE. WA'
Lead covered at OTD/ESTS/CEAU. Read and Clear
AT WASHINGTON. DC
Read and Clear..
(Rev. 01-31-2003) H
FEDERAL BUREAU OF INVESTIGATION
-
Electronic Surveillance Technology Section/
Crygtologic and Eleetroni? Ana1,ysis unit
Contact: SSA
Approved By: senrry William 111
Drafted By: 1-
C a ~ oID H : 2 6 8 IIQ-1305912-SW
BACKGROUND
Qn 96/96/2007, the S e a t t l e Division waa contacted by
Leccy Police Department (LPD), Lacey, WA, regarding numerous born
threats and UDUS attacks faCeived at the Timberline School
Bisttict, Lacey, WA. Relow a r e a t i m e - l i n e of events:
05/30/2007 -
hand written bomb threat fiote.
Timnberline nigh School evacuation due to
DATE; 08-14-2000
CLASSIFIED BY bU922UC/LP/STP/wjg
REASON: 1.4 ( C J
DECLASSIFY DO: 08-14-2033
I I
On 06/07/2007, Detective) IWS!?, and SA
I 1, sqattle D i v ~ ~ i o n
contacted
, AUSA Kdtheryn
Warma, wcaternTiatrict of Wsrrhir~gtun,who agreed to prosecute
captioned n l a t t e r .
To: Operational Technology From: Operational Technology
Re: 268-wQ-1305912-SDG, 06/13/2007
STATE OF WASNINGTON
COUNTY OF KING
Pngt I of 17 Pages
(B)(iv) (Computer Intrusion Causing a Threat to Public Safety).
I
1
2 5. ! I submit this affidavit in support of the amlication of the United States for :
a. search warrant. This search warrant pertains to the Government's pIanned use of a
specialized kchnique in a pending criminal investigation. hentially, if a warmnt is
approved, a communication will be Sent to the computer being used to administer '
Page 2 of 17 Page% .
Verifier ("CIPAV*) in conjunction with any camputt* that administers MySpace user
account 'Timberlinebombinfo"
.,
mm ://www.mns~ace.~dm/tl~lberlinebmb~pl,
without prior announcement within ten days from the date this Court authorizes the use
of the CIPAV;
b). that the CIPAV may cause any computer. wherever located - ehat
activates any CIPAV authorized by this Court (an "activating computer" to tond
network level messages4containing the activating computer's IP address a W o r M4C
other environment viriables, and certain repistry-rype informstion' to a
addresl~,~
cornpurer comolled by the FBI;
c). that the FBI may receive and read within ten days from the date
this Court authorizes the use of the CIPAV, at any tinie of day or night, the information
that any CIPAV &uses to be sent to the computer conboUd by the FBI; and
d). that, pursuant to 18 U.S.C.83103a@)(3), b qatisfy the notification
' Such -ge* work in established network pro-Is, dctcrmIniag, for e.urmple, how 9 given
~-.
;ommunication will be sent and received. Everv time a cmuur come~tCdto a lccal aRB MIWOIk
~ ~ ~ - -
[LAN)O Fthe~Internet ~lnn&rsto another computer on thd LAN ot rhe Intrm~t,iibm8dcasB
ReWorL-level w a g e s , including its F address, a d o r media access control.(MAC) address, andlor
~rher" c n v i r o ~ nvariables."
t A MAC addmss is an uniquc numeric addnss of the network intenkc
card in a computer; Envimnment variables rhat may be mmilted include: operaring system rypc and
vemion, browsw type and version, h e language the browser is using, etc. These network-level
mmges also 01% convey network addressing information, includiag origin and desllnaIillion
iffOtma(ion. Networblevel messages are used to make networb opcrace properly, transparendy, and
;onaistently.
C q u t e r s Uldt access, and cotttmunicae on LANs do po via a acework hterfaec card (NIC)
installed in Ulc cornpuler. The N1C is a hardware device and every NIC w n t a k its own uniquc MAC
addnss. Every rime a computer connected lo a LAN c ~ m ~ l n i c a ton e s the LAN,the c m p u e
broadcam iu hiAC address.
' As used hem* "registiytype iufo~alion"refers to infozmtion stored on the internal hud
f i v e of a urmputer that defmes that computer's coufiguration as it relates to a user's profile. This
information includes, for example, the name of the registered owner of the computer and rhe serial
number of t k naprating system sohare installed. Registq information can be provided by a
mmpnter connected to the Interact, for example, when that camputer connects lo the InfPmef tQ teqU1:st
a s o h a m upgrade from im sofwart vendor.
Affidavit of Nann Sanders for CIPAV
USAW 2W7RW791
Page 3 of 17 Pages
requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may M i y
providiq a copy of the search warranf and the receipt for any property taken until no
,
more than thirLy (30) days after such time as the name a d location of the owner or user
of t@ activating computer is positively identified or a latte~date as the court may, for
good cause shown, authorize. h v i s i o n of a copy of the search warrant and receipt
may, in addition to any other methods allowed by law, be effectuated by electronic .
delivery of true an& accurate electronic copies (e.g. Adobe PDF tile) of the fully
exccutd documents.
6. I ak rhoroughly familiar with the information contained in this Affidavit,
which I Pave learned through investigation conducted with other law enfmement
officers, review of documents, and discussions with computer experts. Because this an
application for-a search warrant and pen register, not every fact known about the
investigation is set forth, but only &se that are pertinent to the application. As a result
of the investigation, 1 submit there Is probable cause to believe the MySpace
"Timberlinebombinfo" account, e-mail account udouebri~es123&3~maitCom";
e-mail
account =mail.~nl"; e-mail account "dou~bbriees234~rnnail.com";
email
account "thisisfromidalv&email.com"; and e-mal account
" have been used to trausmit interstate communicafions
'tirnberlin_e.suc~mail,co~
containing thteats to injure, and involve computer intnrsion causing a threat to public
safety in violation of Title 18, United States Code, Sections875(c) and 1030(a)(S)(A)(i)
and (B)(iv). I further submit that there is probable c a w to believe that using a CIPAV
in conjunction with the target MySpace account (Timberlinebombinfo) will assist in
identifying the individual(6) using the activating computer to commit the= violations of
the United States Code.
7. In general, a CPAV utilizes standard Internet cornpurer bmmands
commonly used commercially over local area networks (LANs) and the Internet to
request that an activating computer respond to the ClPAV by sending network level
Pagc 4 of 17 Pages
messages, andlor other variables, a a o r regisfry Wonnation, over the Intent7 to a
computer coatrolled by the FBI. The exact nature of these commands, processes,
capabilities, and their confiration is classified as a law enforcm?nt sensitive
investigative technique, the disclosure of which would likely jeopardize other on-going
hvestigatious andlor future use of the t d d q u e . As such,.the property to be sccessed
by the CIPAV request is the portion of the activating computer that contains
environmental variables andtor certain registry-type' information; such as the
computer's true assigned IP address, MAC address, open communication potts, list of
runniug p w s , operating system (type, version, and serial hnmber), internet
browser and version, language encoding, registered computer name,registered
company name, -ent logged-ln user Mme, and Uaifoml ~ S O U Locator
~ C ~ (UU)
Pam 5 Of 17 Pages
that computer broadcasw its IP ad&w along with oh& environment variables.
~ is communicating in, gllows the
Environment variables, such as what language t h user
web site to mmmunicate back ;nd display information in a f o m i that the comp&r
atcessing the web site can understand. These enviconment variables, including but not
limited to, the IP address and the language used by the computer', may assist in locating
the camputer, as well as provide infarmation that may help identify the user sf the
computer.
10. The hard drives of some computers contain regisw-rype information. A
regisay contains, among other things, information about what operating system
software and version is installed, the product serial numby of that software, and.h e
name of the registered user ofthe cqmputer. Sometimes when a computer accesses the
Intenet and connects to a software vendor's web site for the purpose of obtaining a.
software upgrade, the web site remieves the computer's registry information stored on
its internal hard drive. The regisby iafomation assists the software vendor in
..
determining if that computer is running, among other information, a legitimate copy of
,. because'the registry infonuation coniains the sofhnrare's product
their sohare
regismtion number. Regisq itlformatioo. such as the serial 'rmmber of fie hcperatiug
rystem software and the computer's registered owner, may assist in locating the
:omputer. and identifying its user(s).
Page 6 or 17 Pages
2W7. There are 4 bombs throu@wt timberline high school. One in the'math
hall, library hall, &ah office a$ one portable. The bombs will go off in 5 miwte
intervals at 9:15 AM," fn addition, the UNSUB(~)stated, 'The email server of your
iistrict will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-of-
Sqice (Dm)'
attack on the Lamy School Disaicr computer nmork, which caused
3ver 2~,000.000hits on the system within a 24 hour period. School administrators
xdered an evacuation of the school on June 4,2007.
b). On June 5; 2007, the UNSUB(s) sent an e-mail l?Wr~
,
d w p b r 1 g staring the following: .
< <Read This ASAP > >
Now that the schoo! is scared from yemdays fake pomb e t it's
now t i to get senous. One in a gym locker. the guls. It's m a
locker Mden under a pile of clothes. The other four I W!I only '
say the eneral location. One in the Language Hall, One m the
b&. Oqe ~lndcmertha portable raped wlth sm
Thy bomb wlll o off if any vibrations are felt. And e kist one
H YLducbpe
Is m a locker. t i s enclosed in a sound roof package, and h a d y
as.A
undetectable. I have used a vatye of emicals to make the
bombs. . They are all dierent
They will all o off at 10: ISAM. Through remote detonation.
B
.Good Luck. And i that fails. a failsafeof 5 mlnutes later.
The UNSUB(s) goes on m s u e : .
Oh and for the lice officersand technology idots the dislrict
at.
ofice tryb to track
give you a &t.
t K email yesfirrays emnd7slrntme I
The email was sent over a newly made gmil ., :
.Uxouut,from overs* in a foreign country. The gmail ~ccount was
created there and h s ernail and ycsarrdays was sent from there. So
good luck taljun with Ital about getting the identify of @e person
who owns the l h ~ b id&ated
t server
I
A DOS actnek is an Internet based computer attack in which a compromised system auacka a
iingle largel, thereby causing I denial of service for vriers of &e l e e t c d computer s y s m The fldod
>fincoming messages to the rarget sysfern essentially forces it to shut down. thereby deny& service to
he system to legitiinate users. The DOS attack is generally targeted at a particular ne-k service,
~uchas e-mail or web a-.
detonate between 10:45-11:15 AM, and adds1 Seriously, you are not
oing to catch me. Sa just give u Maybe you should hire Bill
hater to tell you that it is coming& Italy. HAHAHA Oh wait 1
alreadv told vou chat. So stm ~ r e t e n d hto~be "trache it" because I
II
have already-toldyii it's c o & ~ f i o mTdy. That is where t r a , ~
will stop so 'ust stop trying. Oh and this ernail will be behind a
4 proxy b e d tho Italy server.
d). School admhktators ordered an e v a c u a of ~ the who01 on June
emaifae~'unithathas
.
r
already been deleted of all information b the time you read his
email. Get your.asson a plane to Italy i you want it to stop.
g). School admiuisaators ordered an evacuation of the school on
I& 6,2007.
I
s June 7, 2007..
i). School administrators ordered an evacuation of the school on
lo
9
Iphortly
The adwhiskator from theolympian.com" removed the threatening e-mail postings.,
thereafter, the UNSUB(s) re-posted the threatening e-mails. Eventually, the
adminiseator of 'rhmlympian.camw disabled the *comments'" section.
12 .I
, ~ 3 I k On June 7,2007, Detective Jeremy Knight, Lamy Police
14
19
Ihm://bambe&ls.hvoert)ha. corn on her myspace.com webpage. The UNSTJB(s)
advisd her that failure to comply would result in her name being associated with fume
threats. Similarly, Knight received a phone call from a parent alleging that her
&
1I
23 webpages. Subsequent interviews performed by Kaight yielded limited information.
la
I
accepted the invitation fr~m'~~imberlinebombinfo''received an America Wine
Message (AIM)
IInstant
and
an iqdividual utilizing AHM screen name
from
09." Communication ceased with "Alexspi3rinp_O9"after VW
iaformaion related to the bomb threats. VW believed screen name
associated to ALEX SPIERING. a student at Timberline High.
-09" and "Timberlinebombinfo"used to have the
gtaphic on their Myspace webpage. "Timbe~linebombinfo"r e d y changed
from a picture of guns to a of a bomb.
"I
I2 n). On J p e 8, 2007. Comcast Internet. Thorofiire. New Jersey.
13 b o r t e d that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515
14
I
:IS
received Comcast Internet services for the following subscriber:
Sam Spiering
6133 W i w o o d Loop SE, Lacey, WA 98513
17 Telephdne (360) 455-0569
"1
19
Dynamically Assigned Active Account
Account Number: 8498380070269681
"1
21
- - 0). On June 8. 2007, Thurston County School District received two
P additional bomb lhreat e-mails h
,.
ail.cam." which resulied in
m "Timhe~Iine.Suck@~m
u the evacuation of the Timberline High School.
24
Page I I of 17 Page$
Postal Code: 985003
Region: Western Australia
Email'Address:' tirnberljne.sucksB~mai1
.corn
User Name: timberlinebambinfo
Sign up IP Address: 80.76.80.103
Sign up Date: Juae 7,2007 7:49PM
Delete Date: NIA
Login Date June 7,20077:49:32:247 PM IP Address 80.76.80.103
10
11
I o). FBI Seattle Division contacted FBI: Legate Attache Rome,Italy and
an official request was providcd to the Italian ~ a t i o hPolice
l requesting assistance h
12 contacting Sonic SRL and locating the cornpromisad kmputer utilizing IP Address
13 80.76.80.103.
14 d). m,June7, 2007, the S y s m Administrator for the
1 v m ~ i a n . kadvised the posting of the bomb threat ehails originated porn . ' ,
Page 12 of 17 Pages
compromised computer(s) without authorization. It is common for individuals
aged in illegal activity to access and control coinpromised computer(s) to perfom
icious acb in order to conceal their origktiug IP addresses.
14. Based on mining, experience, and the investigation described herein, 1
concluded that wing a CIPAV on the target MySpace 'Timberlinebombinfo"
t the PBf to determine the identities of the individual($) using tbe
ring computer. A CIPAV7s'aetivationwill Muse the activating computer to send
level messages, including tbe activating computer's originating IP address and
ss, other variables. and certain registry-type information. This information
in identifying the individual($)using the activating computers.
15. , The C P A V wiU k deployed through an electronic messaging program
conaolled by ;he FBI. The computers sendink and receiving the
be machines controlled by the FBI. The electtonic message deploying
nly be directed to the administrator(s) of the "Timberlinebambinfo"
Page 13 of 17 Pages
e). The pen register will recod PB address, dates, m d times of the
electronic comwnicatiom, but not the aoutents of such
ccmmunieatioas or the contents contained on the computer, and
U'mard the address data to a computer cantroned by byhe
FBI,Pw r p d o d of (60) days.
CQNCLUSIOM
16. Ikrsed upon my review of the evidence, my training and experience, and
iformation I have gathered from various computer experts, I have probable cause to
,
elieve that deploying a ClPAV in an electronic message directed to the administrator(s)
f the MySpace 'Timberlinebombinfo" account will assist in identifying a computer and
idividual(s) using the computer m transmit bomb mats and related wmmunications in
iolation of Title 18,United States Code Swtions 875(c) and 1030(a)(S)(A)(i) and
3)(iv).
17. Becawe notice as required by Federal Rule of drimid Procedure
l(Q(3) would jeopardize the success of the investigation, and because the hvestigation
as not identified &I appropriate person to whom such notice can be given, I hereby
quest aumorizatioo to delay suoh notice until an appropriate person b identifA.
h e r , assuming providing notice wollld still jeopardize the iuv&tigatioion after rur
~ropriateperson to receive notice is identified. I request~permissionto ask this Court
1 authorize an additional delay in notification. In any event, the Unitwl States
Dvcrnment will notify thii Court when it identifies an appropriateperson to whom to
ive notice, sa that this Court m i y determine whether notice shall be given at that h e .
18. Because there are legitimate law enforcem~ntinterests that justify an
nanuounced use of the CIPAV and rev$w of the messages generared by the aciivathg ,
computer(#)to evade revealing its true IP address, other variables, and certain
e infDrmation - thereby defeating the ClPAV's purpose.
19. Rule 41(eX2) requires that (A) the warrant command the PBI ''to execute
. . longer thsn 10 days" and (B) "execute the
'within a specified time no
the d a y w e unlesa the judge for good cause expressly authorizes
r time.. ." In order to comply with Rule 41, the Government will
between the hours of 6:00 a.m. and 10:OO p.m. (PST)during an
. However, the Government seeks permission to d any messages
"ahg computer as a result of a CTPAVat any dme of day or night
period. This is because the individuals using the activating
e CIPAV after 10:OO p.m. or before 6:00 a.m.,and law
read the h e m t i o n it receives as soon as-it is aware of the
emergent nature of this investigation. If the C W is not
O-day period, the Government will seek further authorization
n sent to the computer controlled by the FBI as a
from the date the Court authorizes the use of the
20. Because the FBI tannot predict whether any particular fom111ationof a
s) mnkolling the activating computer40 activate
rize the FBI to continue using additional
ySpace accwnt (for up to 10 days after this
been activated by the activating &puter.
Page I5 d 17 Pages
dl. Accordingly, it is respectfully requested that thiscourt issue a search
a m t authorizing the following:
, a). the use of multiple CIPAVs until one CIPAV is activated by the
tivating computer in o~njunctioa.with the target kIyspace *TimbedinebombiafoW
, &ithour prior,annou~lcernent,within 10 days from the date this Court authorizes
led by the FBI and located within the Eastern Di~UictOf Virginia;
c). that the FBI may receive and read, at any time of day or night,
m the date the Court authorizes of use of h e CIVAV, the information
ses to be sent to the computer controlled by the FBI;
d). that once the FBI bas received an initial ClPAV response from the
ivating computer consisting of network level messages contawg the activating
r's IP address, andlot MAC address, and/or olher variables, andlor c m i n
information, the FBI will thereafter only be collecting the Q ~ s of
routing information that can be collected pwmnt to a pw register
. .
. Page 16 of 17 Pages
?
22. It is fuaher requested that this Application and the related documZnt6 be
filed under seal. The information to be obtained is relevant to an on-going invesqgation.
Remature disclosure of this Application and related documents may jeopardize the
iucces8 of the above-described investigation.
WHEREFORE,Affiant respectWly requests that a warrant be issued authorizing
b FBI ro utilizt: a CIPAV and receive the attendant information according to the terms
st fonh in this Affidavit.
UA
IS)
DIIIL: 08-14-2008
CIIISSInH) BY 60322UElp1Sq /L&
A50Q: 1.4 I s )
CLAS4TFI MT: 08-14-2033 ALL TWPOPEATZ31 COXTkZNED
tlERt7U T9 ETCtA357tTE0 EXCEPT
SECRET SHOGW OIEERUISE
Precedence: ROUTINE Date: 09/05/2007
b6
TO : Records ~anagement Attn: b7c
~ ~ ~ S / w ~ ~ / ~ i n c hSite e rGR N23
e s t2,
From: Office Special Technology
Special Technolosies and Applications Office
Contact: 1
approved -By:
Drafted By:
I
-:w,~~
..
ID #:
'~aae 130-HQ-C1547903 (Pending) /w d
Title: FREEDOM OF INFORMATION ACT
~ ~ ------- ~ ----
LEZ+D(a):
Set Lead 1: (Info)
RECORDS MANAGEMENT
AT RIDS/~PU/WINCI-~ESTERSITE 2 , GR ~ 2 3
Read and C l e a r .
(Rev. 01-3 1.2003)
Precedence: ROUTINE
To: Cyber
Cincinnati
Indianapolis Evansville RA
; r j \
Las Vegas
From: OFFICE SPECIAL TECHNOLOGY
STAO/STOU
Cootaot : I SSA )
Approved By:
ALL INPORNATLON CONTAINED b6
HEREIRT IS UNCLASSIFIED b7C
DATE 03-19-2006 BY 603221p/pljlrds
Drafted By: G i jjb
Case,ID # : l I (Pending)
LEAD ( a ) :
Sea Lead 1: (Info)
CYBER
A'ILR#SH.I.NGTON. DC.
Read and Clcar.
CTNrTN,ty$TI
AT CINCINNATI. 01110
Read and C l e a r .
S b t laad 3! (Info)
LAS VEGAS
AT LAS VEGAS. NEVADA
Road and Clear.
set wad 4 ~ : (Info)
INDIANAPOLIS
A'I' E V A N S U E INDIANA
office : HOUSMN
b6
b7C
-
PhoneI-[: Offlcs t o d m :3290-0000
Case Clasrifiratlon Number :315A b6
b7C
Investigative Pmgrsm : NRP-lT
Assigned to Name
Figned TO fmup : CEAU
Program Manager I -:
PmQram/Type :Remote Computer Trace
. I
catee~:cEAu
Ibm: Internet Tracer
DATE: 04-11-2008
CLASSIFIEP BY 60322UCltP/PLJ/gjg
REASON: 1.4 ( C )
DECLASSIFY ON: 04-11-2033
Office :'OMAHA
I
Phone :n
Case Classffleation Number :
lnvertigative Pmgram :
I
Assigned to Name :n Program Mana er :
~saignedTO ~ m u :p o
- 0 ~ :D m
Item: Internet/ISP intercept
m
4 S ]1
(S) -ram/-
IffT',I b2
b 7 ~
-
27120W 2:28:13 PM
-I
ssigned/forwarded request t o r 1
u
9/27/2004 2:28:13 P P f y
assignedlbnrvarded request b
DATE: 08-14-2006
CLASSIFIED BY 60322UC/LP/STP/gjg o h a s Raasslgned or Forwarded th
REASOB: 1.4 ( C ) 10/21/2004 1:20:40 PM
DECLASSIFY ON: 08-14-2033
ALL f A 1 F O ~ T I O NCOXTATNED
HEREIN TS UDTELA591FIED EXCEPT
WfERE mom OTHERWTSE
Request ID :0096936 Petformane Indlwtor : I
IStatus :Completed de
Opened :2/1/2005 7:34:18PM ' Closed :3/25/2005 9:47:31AM I
I Imcstlgatlve
Case MassifiGstSah Number :ZZZ
I ( :
Pmgram Manager ;vC
Assigned To Group ; EP CEAU
Categoy :CEAU
Itern: Encryption Technologies
Pmgram/Type :DataPole Irrtercept with EnctypWon
-
b 3.
b2
pfrields has Reassigned or Forwarded this
3/25/2005 9 4 2 3 1 AM 1,
b7E
I
I
Jw Reassigned or Forwarded this 'wue? 2 n
DATE: 08-18-2008
CLASSIFIED BY 60322UC/LPISTP/gjg
as Reassigned or Forwanled this request m
I
REASON: 1.4 (E)
DECLUSIRI ON: 08-11-2033
Page 1 of 1
August 28,2007
I
RequestDr Name
Phone :n
I- :
Cats Classiflcablon Number :315A
Ornw :CyDfIINI
Offlw Code : 1813-0000
r n v w g a t i w Program :NRP-IT
b6 -
Assigned b Name I-: ~rnghm
Manager f1b7C
Assigned To Group : CEAU Program/- :Remote Computer Trace
Categoy :CEAU
rtem: Internet: Tracer
DATE: 08-14-2008
CLASSIFSED BY 60322VC/LP/STP/g>g
REASON: 1.4 ( c )
DECLASSIFY OM: 08-14-2033
Page 1of 1
August 28,2007
DATE: 08-L4-2008
CLASSIFIED BY 60322UC/IP/STP/gjg
REASOW: 1 . 4 (C)
DECLA35Im 08: 08-14-2033
UN~JASFED
Page 1 of 1
Request 10 :0099477 Performance Indicator :
Status :C o m p l M Opened : 5/6/2005 9:03:10AM Closed :5/6/2005 9:04:llAM
DATE: 08-14-2008
CLASSIFIED BY 60322UC/tP/8TP/~j~
REASON: 1.4 ( C 1
DECLASSIFY ON: 08-19-2033
SECRET
L UNC-D
Page 1 of 1
RMS Request Number:,
Request I D :0100740 Pertormanee Sndlcator :
Page 1 of 1
August 28,2007
f l b7C
6-
Arsigned To Group : CWU Pmgram/Type :Remote Computer Trace
I I t n u Internet Tracer
I
b7E b6
Page 1of 1
August 28,2007
Requestor Name :n m m :C H A R L r n
Phone I-[: ORia Code : 1813-0000
Cam ClassCReation Numlrer :315A
Imastlgatlve Pmgrarn :NFLP-TT
DATE: 09-16-2008
CLAssTFIED BY 60322 V C / L P / S T P / ~ ~ ~
EASORT; 1 . 4 ( c l
DECLASSIFJI ON: 09-16-2033
ALL INFOaEIATION CONTATldED
HEEIRT I S UNCLASSIFIED EXCEPT
WERE SHOWN OTPERWIIE
1 /
1 - . Page Iof I
RMS Request Number:
Request ID : 0102306 PerPormance Indicator :
Page 1 of 1
August 28,2007
m m : Internet Tracer
b6
b7C
Requestor Name : I
MAce IDENVER b6
phone :1- Mnw Code :3210-OW0
b7C
DATE: 09-16-2UU8
CLASSIFIED BY 60522UClLP/STP/gjg
REASON: 1 . 4 ( o )
DECLASSIFY Om? 09-16-2033
Page 1of l
August 28,2007
Seatus :Completed
DfAm :PHOENIX
I
Phone :n Miice C d e :3630-0000
Caaa ~la&cati& Number :315A
InvestigativeProgram :NFIP-TT
migned to Name-
:
'
Assigned To Group : CmU PmgramlType : Computer ExploitaSon
Caregoy :CEAU
Itrm: Remote Cornpuhr Search/Surveillance
t S ' I
I from land I T A l
bttempts to get status of intere
"]metwlh negatlve m u b o
I
DATE: 08-14-2008
CLAlSIFSED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C]
DECLASSIFY 0 1 : 08-14-2033
Page 1 of 1
August 28,2007
I - :
~eqiestorName O ~ :
KWASHINGTON b6
:n M R C ~C O U :
~ 3920-0000
b7C
. o6
Assigned to NameI-: Program Manager :7 1 b7C
Asdgned To Gmup : CEAU PmgtamlType :Computer mplohtlon
Category :CEAU
m m : Remote Computer Search/Sutveillanoe
ALL I N W m T I O I COrnAINED
HEREIN I9 ETCLASSIFXED
PATE 04-15-8006 BY 603ZZVC/LP/PLJ/gjg
Page 1 of 1
I
August 28,2007
Request I D :0107566
Status :Completed
~eiformaiceIndimtor :
Opened :12/21/2005 2 : 1 5 : 1 5 ~ ~Closed : 1/5/2006 4:55:44PM
I
~cquegtorName I-: (Iffice :W V G A s b6
b7C
p h 0 n e : I l Mnee Code :33806000
Case Claslficatlon Number :315A
Investigative Program :NRP-TT
~mgram I -:
Manager b7c
Asslgned To Group : CEAU
eabegoy :CEAU
Itam: Internet Tnwr
DATE: 08-14-ZOO8
CLassIFIED BY GO322UC/LP/STP/gjg
REASON: 1 . 4 ( C )
DECLASSIFY ON: 08-14-2033
Page 1 of 1
RMS Request Number:
Request I D :'0111114 Perfbrmance f ndleator :
Status :Completed Opened : 4/27/2006 10:43:58AM C l d :4/27/2006 10:44:16AM
Name :
R~uastM I I OflCe :PrrrSBURGH . b6
Phone :1- 0mce code :3650-0000
b7C
~6
Assigned to Name I(: 1-4
~rograrnManager b7C
Assigned To Group : CEAU Program/Type :Remote Cornpuber Trace
category :CE4U
m m : Internat Tmcer
b6
b7C
Page 1 of 1
August 28,2007
DATE; 04-15-2008
CLASSIFIED BY 60322UC/LP/PLJ/dU
REASON; 1.4 (Cl
DECLASSIN ON: 04-15-2033
ALL I ~ F O r n T I O NCOrnATNED
WEREIN IS UNCLASSIFIED EXCEPT
m RE 5 n m OrnRWISE
Page 1. of 1
August 28,2007
Rtque~brName $7 :
OW~B ~rLOUIS b6
1-1
Phone Office Code :3730-0000
b7C
bl
Page .lof 1
August 28,2007
n
I Requestor Name :
Phone :n
flee :fl LOUIS '
b6 -
Assigned tm Name j l - 4
Program Manager -b7C
Assigned To Group : CEAU SL Pmgam/Type : Computer Ewpbltation
b1
Wtegov :CE4U b2
b7E
Item Remote Computer Seareh/Surveillance
l l l U Z W 7 8:37;25 AM
b6
j Ihas Reassigned or Forwarded thibT$uest to
DATE: 08-14-2008
CLISSLFIED BY bD322UC/IP/STP/gjg
REASON: 1.4 [Cl
DECLASSIPY 01: 08-64-2033
Care Number
I I
2 I
b7A
, ,,.,'
, ,,
3 r
..."
1
J ,.,'
IIProgmm Sensitive bl
1 Page 1 of 26
b2
b7E
blA
09/14/2006 1722 hrs. IlPrognm Sensitive Page 2 N26
Cases; At-A-Glrnee
\ tsj
Pending Csle Nulnber
I i
b7A
bl
b2
- b7E
b7A
(5)
IS) $1
b2
YE
~ Y A
I s1
5) (s)
-
09/34/2006 17:22 hrs. IRrogrnrn Se~sltlve pate 7 oil6
I I
9 UNKNOWN t
4s)
bl
bl
b7E
blA
L,,,,,
1
10
I2
I3
-
1
t
Es1 bl
b2
-
blE
:s) "" ( S]
-
W1412006 17:22 hrs. IIPmgram Sensitive Page 11 of 26
09/14/2W617:ZZ 1rm. IIPrognm Sensitive b~ Page 12 d 2 6
b2
b7E
b6
b7C
Page 17 of 26
bl
b%
blE
1 .
?I - 1 31 s ~ ~ a 5 4 3 a r
ISl .,'
,,,.,,.
.
, .,.
...,....
..,.' . "
.,...
,..,..,,.,.
--
.... .,.,..I.'
.,...., ,
,
,,...."'
Is
Page 19 of 26
-
CMS6D
I
(s)
IS
bl
b2
CLOSED
blE
288A.RH-52644
-
-5s) .,,
I I I I I I
Page 20 of 26
IIProgram Sensitive Page 21 of26
C481i At-A-GIaUCe
-
CLOSED 174C-LV-39242
1 A I 2BBD-W-
k. n 2329M .'P
msao 31sB.IP. a)
94772
bl
b2
b7E
CLOSED ~"7-Ti?777 L
C s1
Is \,I
-CS) J
CWSED Unknown 315N-SF-012606
ALL INFORMATION C D h T A I m
liERGIB 15 UNCLASSIFIED MCEPT
WERE SHOWN OITERWISE
x
Swsitive but U
Version Control
Last Update 5 June 2007
1
\
Page 2 of 2 Pages
-,dT Law Enforcement
- Sensitlve/Sessitive
-.-E-A.., But
smm Y/=/-Q 7
DATE: 08-13-2000 Law Enforcement SensitiveISensitlve But Unc
CLASSIFIED BY 60322uoLp/stp/rds For Official Use Only bl
REl3rJN: 1.4 ( o ) b2
DECLASSIFY 01: 0~-13-2033 Case Support Standard Operating Procedures (SOP) b 7 ~
-. - , -
Cryptographic and Electronic Analysis Unit (CEAU)
* . I--,., -
El'
1
I
I
I
I
1
Page 3 of 10 Pages
MT L a w Enlomnent SensitlvdSeasitive But*U
w-" r.#*"&.I 11"- #%..I..
Law Enforcement SendivdSensifive But ~k)jas$$ecl
For Official Use Only bl
b2
Case SuppoR Standard Opeating Procedures (SOP) b7E
Cryptographlc and Electronic Analysis Unit (CEAU)
(DOC)
Page 4 of 10 Pages
Law iEi~hnrmentknsiLive/Sensitive But*U
Per ChFiini.1 l l r . ~nnlv
Law Enlommmt Sensitive,Sensitive But ~ x f i e d
For Official Use Only bl
Case Support Standard Operating Procedures (SOP)
Cryptographic and Eleamnic Analysis Unit (CEAU),
E:E
Software Development Group (SDG) Deployment Operatlons Center (DOC)
Page 5 of 10 Pages
Law Enforcement SasEt6ve/Sensitive But U$?p$$l
Law Enforcement Sensitlve/Sensitive But
For Official Use Only
Case Support Standard Operating procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)
h
Software Development Gmup (SDG] Deployment Operations Center (DOC)
Page 6 of 10 Pages
Law Enforcement SensitlvelSensltlve But Unc
Law Enforcement Seositive/Sensltive But
For Oficial Use Only
Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)'
yrnent Operations Center (DOC)
Page 7 of 10 Pages
Law Bnforcement SwidveISensitive ~ b ~ tn ? y @ $ d
Law Enforcement SeuitiveISensitive But ~n*ed
For O1Ticial Use Only
Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)
& h a r e Development Group (SDG)..Peplovrnent Operations Center (DOC)
i
i
!
1
i
Page 8 of 10 Pages
Law Enforcement Sensitive/Sensitive But
For Off~cialUse Qnlv
SHT
Bar Official Use Only x
Law E~forcementSensitivdSensitive But Unc ified
Page 9 of 10 Pages
Law Enforcement SensitlvelSensitive But
For Official Use Onlv
Law Enforcement Iensitive/SeosMve But* U
3 For Official Use Only
Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)
Software Development Group (SDG) Deployment Operations Center (DOC)
-
b1
Page 10 of 10 Pages
Law Enforcement SensitivdSeositive But ~ n h m d
Pittrlburgb II Investigation @merent case then original ongoing one)
.. -
01/04/2007 SPU referred case to OTD/CEAU
-
01/31/2007 ITOS requests OTDJCEAUif remate computer attack can be conducted
against target
-
02/07/2007 SPU contacted CEAU to offer assistance regarding case. CEAU advised %2
it may quire1-a which falls in SPVs a&. If so,CEAU wiU c o o ~ t C b 7 ~
with SPU for the task.
* Present Per Case Agent, CEAU advised Pittsburgh that they could assist with a wireless
hack to obtain a frle tree, but not the hard drive content. SPU has not heard anything h m
OTD rcgardjng this. ,.
Cincinnati ~nvestigation
"During the period of the current search wmranb the ~ & u bhacker(. r r c c e i s e d n
I 02/13/2007 at 12:23:08 Eastern Standard Time
I"ESTr9. The Unaubfs) then ~ r o c e e d e j visit
t ~ the site 29 more timer. I n these instunces, the
b ~ ~ dnot i deti&iilsrp&bad
d becrrurc of system incompatibiliry. On 02/15/2007 at
5:29:21 EDT, the system was able to deliver a CIPAV and the CIPAV tetumed data"
STOU engineers immediately engaged in the case and began providing data back to SA
0 t h very next day. STOU contiaued to provide daily support until the analysis was
complete.