
LAW ENFORCEMENT SENSITIVE
FOR OFFICIAL USE ONLY

As [...] of you know, some investigators have begun to use an investigative technique referred to as an "Internet Protocol Address Verifier" (IPAV). While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by [...] agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit.

Classified by: [illegible], OIPR, DOJ
Reason:
Declassify on:

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070727T13746
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number:
UCFN Serial Number:
Record Status: Open
Start Date: 27 Jul 2007
Due Date: 01 Aug 2007
Request Open For: 5 days, 21 hours, 22 minutes

Origin of Request:
FBI Priority:
Description: Gather all documents that reference 'CIPAV'

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
** Not Assigned
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 08-06-2008 BY 60322UC/LP/STP/gjg

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: Green
CEAU ID: 20070516-13566
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 1964-RQ-1515692
UCFN Serial Number:
Record Status: Inquiry
Start Date: 07 May 2007
Due Date: TBD
Request Open For: 87 days, 12 hours, 49 minutes

Origin of Request: Unknown
b1
b2
b7E

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
Legal Information

Record Logs:
b6
b7C
05/07/2007, 1:30 PM - Spoke with SA [redacted], Cyber-Forensic Training Alliance (NCFTA), who advised that [...]
b1
b2
b7E

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070502-12602
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 288A -pH-100637
UCFN Serial Number:
Record Status: Completed
Start Date: 22 Mar 2006
Due Date: TBD
Request Open For: 498 days, 11 hours, 48 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TEC
Description: On 3.22.06, SA [redacted] advised that a victim's hotmail account,
b1
b2
b7E
b6
b7C

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg

Submission Details:

Description: Client #1
b2
b7E
Status: Closed
Technical Lead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date

Description:
Status: Closed
Technical Lead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date

Record Logs:

04/01/2006, 8:00 AM -
No evidence received

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070502-12594
Group / Program:
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 174C-LV-39242
UCFN Serial Number:
Record Status: Completed
Start Date: 22 Dec 2005
Due Date: TBD
Request Open For: 588 days, 11 hours, 47 minutes

Origin of Request: U.S.
FBI Priority: SUPPORT FEDERAL, STATE, COUNTY, MUNICIPAL, AND INTERNATIONAL PARTNERS
Description: (U) On 12.21.05, [redacted] advised that [...] casino received a threat.
b1
b2
b7E
b6
b7C

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
** Not Assigned
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033

Submission Details:

Description: Client #1
Status: Open
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TBD
Warrant Expiration date: No Expiration Date

Description:
Status: Open
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TBD
Warrant Expiration date: No Expiration Date

Record Logs:
b1
[redacted] sent lead to Legat Moscow.

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070523-13619
Group / Program:
Contact Number:
E-mail Address:
File Number: 288A -LV-39208
UCFN Serial Number:
Record Status: Completed
Start Date: 02 Dec 2005
Due Date: TBD
Request Open For: 608 days, 11 hours, 47 minutes

Origin of Request: U.S.
b6
b7C

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2053

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070502-12599
Group / Program:
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 279~-EP-36918
UCFN Serial Number:
Record Status: Completed
Start Date: 20 Oct 2005
Due Date: TBD
Request Open For: 651 days, 12 hours, 46 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES FROM TERRORIST ATTACK
Description: On 10.19.2005, [redacted] advised that he is trying to locate the specific computer(s) being used by subject of WMD (bomb & anthrax) [...] with subject via [...]. Hotmail [...] show
b2
b7E
b6
b7C

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
** Not Assigned
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 09-18-2008
CLASSIFIED BY 60322 UC/LP/STP/gjg
REASON:
DECLASSIFY ON: 09-18-2033

Submission Details:

Description: Client #1
Status: Closed
Technical Lead:
Start date: 10/20/2005
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date

Description:
Status: Closed
Technical Lead:
Start date: 10/20/2005
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070523 13617
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
File Number: 288A -HO-647RO
UCFN Serial Number:
Record Status: Completed
Start Date: 15 Aug 2005
Due Date: TBD
Request Open For: 717 days, 12 hours, 45 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TECHNOLOGY CRIMES
Description: On 4.29.05, SA [redacted] advised that a hacker deleted a database and

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
** Not Assigned
Legal Information

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 30070523 13616
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
b6
b7C
Universal Case File Number:
UCFN Serial Number:
Record Status: Completed
Start Date: 09 Aug 2005
Due Date: TBD
Request Open For: 723 days, 12 hours, 44 minutes

Origin of Request: U.S.
FBI Priority: SUPPORT FEDERAL, STATE, COUNTY, MUNICIPAL, AND INTERNATIONAL PARTNERS
Description: On 7.6.05, [...] that an IM subject met teenage girl for sex [...] provided to [...] and is now threatening to [...] from subject's email [...]
b6
b7C
b2
b7E
b1

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
Legal Information
Record Logs:

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033
ALL INFORMATION CONTAINED

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070521-13611
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
b6
b7C
File Number: 288A -BP-38289
UCFN Serial Number:
Record Status: Completed
Start Date: 06 Apr 2005
Due Date: TBD
Request Open For: 848 days, 12 hours, 43 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TECHNOLOGY CRIMES
Description: (U) Identify true IP address of subject [...] harass people online. Subject is using email account [...] executed on said account. Logs indicate subject is [...] affidavit received on [...]05 and provided to AGC. S/W signed on 4.6.05 and
b1

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
** Not Assigned
Legal Information

DATE: 08-06-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (b,c)
DECLASSIFY ON: 08-06-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070518-13603
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
File Number: 9A-IS-94729
UCFN Serial Number:
Record Status: Completed
Start Date: 14 Feb 2005
Due Date: TBD
Request Open For: 899 days, 11 hours, 41 minutes

Origin of Request: U.S.

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
** Not Assigned
Legal Information

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

Record Logs:
b6
b7C
b2
b7E
[...] web page [...] advised that he obtained a new S/W on 2.17.05. Collection was terminated on 2.20.05 at 1:30pm in compliance with initial S/W and no knowledge of the new warrant. [...] collection restarted on 2.21.05. SA [redacted] identified a subject from [...] address assigned to a customer in [...] Telecom) which [...] IP [...] law to obtain and execute a S/W on that customer's residence on

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 2007051813601
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 2881 -pH-98358
UCFN Serial Number:
Record Status: Completed
Start Date: 09 Feb 2005
Due Date: TBD
Request Open For: 904 days, 11 hours, 39 minutes

Origin of Request: U.S.
FBI Priority: COMBAT MAJOR WHITE-COLLAR CRIME
Description: [...] stealing identities from a sensitive database and established email account [...]. Subject using [...] for anonymizers. [...] to get S/W on [...]8 or [...]9. S/W obtained on 2.

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
Legal Information

Record Logs:
b6
b7C
b1
b2
b7E
[...] reviewed signed S/W

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

CEAU Priority is: TBD
CEAU ID: 20070518-13590
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 166C-EP-36737
UCFN Serial Number:
Record Status: On-Hold
Start Date: 07 Feb 2005
Due Date: TBD
Request Open For: 906 days, 11 hours, 37 minutes

Origin of Request: U.S.
FBI Priority: COMBAT SIGNIFICANT VIOLENT CRIME

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
Not Assigned
Legal Information

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 2007057.1 13608
Contact Number:
E-mail Address:
b6
b7C
UCFN Serial Number:
Record Status: Completed
Start Date: 19 Jan 2005
Due Date: TBD
Request Open For: 925 days, 11 hours, 36 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TECHNOLOGY CRIMES

[...] template S/W affidavit to case agent upon receipt of [...] summary. On 2/18/05, SSA [redacted] spoke with [...], LA, and explained options again. Matter is a Cyber/CI

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
** Not Assigned
Legal Information

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070518-13596
Group / Program: SDG / DEP
Group Supervisor:
Contact Number:
E-mail Address:
Universal Case File Number: 288A -CE121918
UCFN Serial Number:
Record Status: Completed
Start Date: 09 Nov 2004
Due Date: TBD
Request Open For: 996 days, 11 hours, 35 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED ATTACKS AND HIGH TECHNOLOGY CRIMES

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
** Not Assigned
Legal Information

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE

UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Priority is: TBD
CEAU ID: 20070518-13595
Group / Program: SDG / DEP
Contact Number:
E-mail Address:
Universal Case File Number: 288A -SE-89989
UCFN Serial Number:
Record Status: Completed
Start Date: 01 Sep 2004
Due Date: TBD
Request Open For: 1065 days, 12 hours, 33 minutes

Origin of Request: U.S.
FBI Priority: PROTECT THE UNITED STATES AGAINST CYBER-BASED
[...] as victim in Major Case 216. [...] Search warrants renewed in 10-day increments. Search warrant renewals ended mid-Dec 2004. SA [redacted] was advised to download collected data for elsur.
b6
b7C

Primary Technical Lead:
Secondary Technical Lead:
CEAU Staff Involved:
None Assigned
Other Contacts:
Legal Information

DATE: 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-15-2035
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

7 f 22 am Notes: Completed changes suggested at working group - incorporated

DATE: 08-12-2008
CLASSIFIED BY 60322uc/lp/stp/rds
REASON: 1.4 (e)
DECLASSIFY ON: 08-12-2033
b1
b2
b7E

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 08-13-2008
CLASSIFIED BY 60322uc/lp/stp/rds
REASON: 1.4 (e)
DECLASSIFY ON: 08-13-2033

Law Enforcement Sensitive/Sensitive But Unclassified
For Official Use Only
Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)
b1
b2
b7E

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 06/07/2007

To: Cyber
International Operations, Attn: UC [redacted], Europe Unit
Rome, Attn: Legat, ALAT [redacted]
Operational Technology, Attn: CEAU, SSA [redacted]
b6
b7C

From: Seattle
Squad 11 Cyber
Contact: Detective [redacted]
Approved By:
Drafted By: [redacted]:nbs
Case ID #: 288A-SE-NEW (Pending)

Title: UNSUB(s);
TIMBERLINE SCHOOL DISTRICT (VICTIM);
COMPUTER INTRUSION - INTERNET EXTORTION

Synopsis: Request to open captioned investigation.

Administrative: Reference the following communications:

06/07/2007 telcal between Detective [redacted], [...] Division Cyber Task Force, and Rome ALAT [redacted].

06/07/2007 telcal between SA [redacted], Seattle Division, and [...], CACU.

Details: On 06/06/2007, Seattle Division was contacted by Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb threats and DDOS attacks received at the Timberline School District, Lacey, WA. Below is a time-line of events:

05/30/2007 - Timberline High School evacuation due to hand written bomb threat note.

DATE: 09-12-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 09-12-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

To: Cyber From: Seattle
Re: 288A-SE-NEW, 06/07/2007

06/04/2007 - [...] due to bomb threat email from sender: [...]. UNSUB(s) also advised a computer [...] which resulted in a DDOS attack totaling over 80,000,000 hits.

06/05/2007 - Timberline [...] evacuation due to bomb threat email from sender: [...]

06/06/2007 - Timberline High School evacuation due to bomb threat email from sender: [...]

06/07/2007 - Timberline High School received additional email from UNSUB(s). Details unknown at present time.

LPD and the Washington State Patrol (WSP) continue to perform school evacuations and bomb sweeps with negative results. Parents and school district employees have informed local television stations and newspapers, which aired the story on June 6, 2007. LPD has requested investigative assistance from the Northwest Cyber Crime Task Force.

LPD has [...] student at Timberline High School, [...] appears not to be the [...] attack, and teachers from Timberline High School provided a list [...] who may be [...] advising "Keep your head up." [...] a self proclaimed [...] school computer security measures. [...] computer is in LPD custody and forensic results are pending. Initial interview of [...] provided negative results.

On 06/07/2007, Detective [redacted], WSP, and SA [redacted], Seattle Division, contacted AUSA Katheryn Warn, Western District of Washington, who agreed to prosecute captioned matter.

LEAD(s):

Set Lead 1: (Info)
CYBER
AT WASHINGTON, DC
For information.

Set Lead 2: (Info)
AT WASHINGTON, DC
For information.

Set Lead 3: (Action)
ROME
AT ROME, ITALY

Set Lead 4: (Info)
OPERATIONAL TECHNOLOGY
AT QUANTICO, VA
For information.

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 03/08/2007

To: Operational Technology, Attn: Cryptologic & Electronic Analysis Unit, SSA [redacted]
Cyber, Attn:
b6
b7C

From: Tampa
Squad 8
Contact: SA
Approved By:
Drafted By:
Case ID #: (Pending)
Title:

Synopsis: Request the deployment of a Computer & IP Address Verifier (CIPAV).

Details:
BACKGROUND

DATE: 05-07-2008
CLASSIFIED BY 60325UC/IP/PLJ/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 05-07-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

To: Operational Technology From: Tampa
Re: , 03/08/2007

Tampa is currently drafting the search warrant necessary to obtain the requested CIPAV, which Tampa hopes to deploy on or around 03/15/2007.

Set Lead 1: (Action)
OPERATIONAL TECHNOLOGY
AT QUANTICO, VIRGINIA
The Cryptologic & Electronic Analysis Unit is requested to facilitate the deployment of a CIPAV to support captioned Group II UCO.

Set Lead 2: (Info)
AT WASHINGTON, D.C.
For information, read and clear.


(Rev. 01-31-2003)
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE
Date: 02/23/2007

To: Cyber
OTD, Attn: SSA [redacted], DES/CEAU
[...], Attn: [...]
Chicago
b6

From: Cincinnati
Squad 13
Contact: SA
Approved By:
Drafted By: [redacted]:jk
Case ID #: (Pending)
Title:

Synopsis: CIPAV operations have ended.

Reference:

Details: Cincinnati has employed a Computer and Internet Protocol Address Identifier ("CIPAV") to gather evidence concerning
b7A
b7E

DATE: 09-22-2006
CLASSIFIED BY 60322UC/LP/STP/gjg
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE

To: Cyber From: Cincinnati
Re: 02/23/2007

LEAD(s):

Set Lead 1: (Info)
Read and clear.

Set Lead 2: (Action)
End CIPAV operations in support of this case and send evidence to Cincinnati.

Set Lead 3: (Action)
CHICAGO
Discontinue support of undercover accounts associated with this case and send bill for services to Cincinnati.
(Rev. 01-31-2003)
FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 12/14/2006

To: Operational Technology, Attn: Cryptologic & Electronic
SSA
b7C

From: Houston
CT-3
Contact: SA
Approved By:
Drafted By:
Case ID #: (Pending)
Title:

Full Investigation Initiated: 01/11/2005 (USPER).

Reference:
b1
b6
b7C

DATE: 09-22-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 09-22-2033
ALL INFORMATION CONTAINED

To: Operational Technology From: Houston
Re: 12/14/2006

Details:
BACKGROUND
b1
b2
b7E
b6
b7C
b7D
b7A

(U) Houston Division has developed a Confidential Witness (CW) who is willing to assist with this investigation by

Set Lead 1: (Action)
OPERATIONAL TECHNOLOGY
AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT
b1
Precedence: PRIORITY
Date: 12/07/2006

To: Operational Technology, Attn: Cryptologic & Electronic

From: Houston
CT-1
Contact: SA
Approved By:
Drafted By:
Case ID #: (S) (Pending)
Title:

Full Investigation Initiated: 01/11/2005 (USPER).

Reference: (S)

Declassify On: [...]
b1
b6
b7C
b7A

DATE: 09-22-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 03-22-2033
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT

To: Operational Technology From: Houston
Re: 12/07/2006
b7A
b2

(U) Houston Division has developed a Confidential Witness (CW) who is willing to assist with this investigation by

Set Lead 1: (Action)
OPERATIONAL TECHNOLOGY
AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT

(Rev. 01-31-2003)
FEDERAL BUREAU OF INVESTIGATION

Precedence: IMMEDIATE
Date: 10/25/2006

To: Operational Technology, Attn: Cryptologic & Electronic

From: Cincinnati
Squad 13
Contact: SA
Approved By:
Drafted By: [...]
Case ID #: (Pending)

Synopsis: To request the ass[...] Electronic Analysis Unit in [...] as part of a

Details:
BACKGROUND
SDG PRODU
updated: June 28, 2006 by

LEGAL PROCESS

- Consent
- Criminal, PRTT Court order 60 day expiration
- FISA court order 90 day expiration

- Consent
- Criminal Search warrant 10 day expiration
- FISA court order 90 day expiration
b1
b2
b7E

- Consent
- Criminal Search warrant 10 day expiration
- FISA court order 90 day expiration

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
WHERE SHOWN OTHERWISE
DATE: 09-23-2000
CLASSIFIED BY 60322 UC LP/STP
REASON: 1.4 (C)
DECLASSIFY ON: 09-23-2033

DATE: 09-22-2006
ALL INFORMATION [...]

- [...] day expiration

- Consent
- Criminal T-III court order typically 90 day expiration
- FISA court order 90 day expiration

- Consent
- Criminal T-III court order typically 90 day expiration
- FISA court order 90 day expiration
b1
b2
b7E

- NA

- NA
CEAU Assistance to Seattle Case:

UNSUB(s);
TIMBERLINE SCHOOL DISTRICT (VICTIM);
COMPUTER INTRUSION - INTERNET EXTORTION

On June 6, 2007, the Seattle Division was contacted by the Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Service (DDOS) attacks received at the Timberline School District, Lacey, WA. The threats began on May 30, 2007 and persisted through June 4, 2007. The threats necessitated the daily evacuation of Timberline High School. The LPD and the Washington State Patrol (WSP) performed school evacuations and bomb sweeps with negative results. Parents and school district employees informed local television stations and newspapers, which aired the story on June 6, 2007. As a result, the LPD requested investigative assistance from the Northwest Cyber Crime Task Force (NCCTF), headed by the FBI Seattle Division. In turn, the Seattle Field Office requested assistance from the OTD/CEAU to attempt to geo-physically locate the UNSUB(s).

Assistance Provided

CEAU deployed a Computer Internet Protocol Address Verifier (CIPAV) to a MySpace account identified as possibly belonging to the UNSUB. The CIPAV returned several IP addresses, one of which resolved back to Comcast Cable in Seattle, Washington. Subscriber information obtained from Comcast led to the issuing of a search and arrest warrant. A 15 year old male student from Timberline High School was taken into custody without incident at his home at approximately 2 A.M. June 14, 2007. The minor confessed to issuing the bomb threats. Future bomb threats, dated June 14, 2007, were found on the minor's computer. The minor's computer equipment was seized and the arrest was made without incident. Following an interview with the minor, the LPD was able to solve another threat case, as the minor confessed to issuing telephone death threats to teachers and others, including his parents, earlier in 2007.
Last Update 10 July 2007

Draft CEAU Combined Capabilities

(Former SDG, Pilaster, and SPU)

10 July 2007

Version 0.1

Version Control

Changed By / Version # / Changes
10 July 07 / 0.1 / Draft Baseline

CEAU Combined Capabilities

(Former SDG, Pilaster, and SPU)

July 2007

Version Control
(Rev. 01 -3 1-2003)

FEDERAL BUREAU OF INVESTIQILTION

Precedsaca: ROUTINE Date; 07/05/2007


To: Seattle Attn: SA

Cyber

From: Operational Technology Division/


e iante Technology Section/
Electrnni r S ~ ~ r vl\l
Cryptologic and Electronic Analysis Unit
Approved By:
DiClemente Anthony P
3earcy William 1x1

Drafted By: 1- kld


Case ID 8: 2b8-HQ-1305912 - SM? (Pendina)
298~-SE-93709 (Pending)

Title; CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU)


ASSISTANCE TO THE SEATTLE FIELD OFFICE
UNSUB(S);
TIMBERLINE SCHOOL DISTRICT (VIC'l'lM) ;
COMPUTER INTRUSTON - IBT~RNETEXTORTION

Syrlopsis: ALteJ! A c t i o n Report for efLcctuating remote delivery of


a Computer Internet protocol ~ddrensV ~ r i f i c r (CIPAV) to
geophysically i ~ c a k oa subject who ha^ ~ E E U Cmultiple
~ bomb
threats against a, local high s c h u u l .
Uetails; On 06/06/2007, the Seattle n i v i s i o n was contacted by tho
Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb
threats arid D i u L r - i b u b e d D e r i i a l of Sesvlce (DDOS) attacks received
at tne 'rimberlifleSchool District, Lacey, WA. The threats began
on 05/?,0/21ln7a n d persisted through 06/04/2007. The threat=
neccocitatcd the daily evacuation of Timberline nigh S c l ~ u o l .The
LPD and L h a wa~hingtonState Patrol (WSP) perfomea school
evacuations andbomb sweegs with negative results. P a r e n t s and
schonl. d i f i t - r i ~ tamplnyees informed lqcal folevision statione and
newspapera, which aired the story on June 6, 2007. Ab: a result,
~ l l oLPD requested investigative assistance from the Nbrthwest
Cyber Crime Task Force (NCCTF) headed by the Seattle Division. In
turn, the S n a t k l - FIe7d n f f i c e requested assistance from the CEAU
w i t h locating the WNSUB,

ALL TEJFORWATION CONTAINED


ZIGWIM IS U'NCLAS5IFIED
DATE D9-19-2008 BY 60322UC/LP/STP/uju
To: Seattle From: Operational Technology Division/
Re: 268-BQ-1305912 - SDG, 07/05/2007

OBJECTIVE
The objective of this operation was to deploy a CIPAV to
locate the subject issuing bomb threats to the Timberline High
School, Lacy, Washington. The CIPAV was deployed in the usual
way.
SUMMARY OF EVENTS

Concurrence for the operation was obtained from Case Agent
and Kathryn A. Warma, Assistant United
States Attorney, Western District of Washington. In addition,
Office of the General Counsel, concurred with the
operation following his review of the affidavit and warrant.
b7C

signed by James P. Donohue, United States Magistrate Judge,
United States District Court, Western District of Washington,
dated 6/12/2007.
CONCLUSION
CEAU deployed a CIPAV to a MySpace account identified as
possibly belonging to the UNSUB. The CIPAV returned several IP
Addresses, one resolving back to Comcast Cable in Seattle,
Washington. Subscriber information obtained from Comcast
confirmed the suspicions of Law Enforcement and led to the
issuing of a search warrant and arrest warrant. A 15 year old
male student from Timberline High School was taken into custody
without incident at his home at approximately 2 A.M. on
6/14/2007. The minor confessed to issuing the bomb threats. Bomb
threats dated 6/14/2007 were found on the minor's computer. The
minor's computer equipment was seized and the arrest was made
without incident. Following an interview with the minor, the LPD
was able to clear another threat case, as the minor confessed to
issuing telephone death threats to teachers and others, including
his parents, earlier this year.

LEAD(s):
Set Lead 1: (Action)
SEATTLE
AT SEATTLE, WA
Lead covered at OTD/ESTS/CEAU. Read and Clear.

Set Lead 2: (Action)

AT WASHINGTON, DC
Read and Clear.
(Rev. 01-31-2003)
FEDERAL BUREAU OF INVESTIGATION

Precedence: ROUTINE Date: 06/13/2007

From: Operational Technology Division/
Electronic Surveillance Technology Section/
Cryptologic and Electronic Analysis Unit
Contact: SSA
Approved By: Searcy William III

Drafted By: 1-
Case ID #: 268-HQ-1305912-SDG

Title: CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU)
ASSISTANCE TO THE SEATTLE FIELD OFFICE

Synopsis: Operations Order to assist the Seattle Field Office
with effectuating remote delivery of a Computer Internet Protocol
Address Verifier (CIPAV) to geophysically locate a subject who
has issued multiple bomb threats against a local high school.

Details: The Seattle Field Office has requested assistance from
the CEAU with geophysically locating a subject engaged in issuing
bomb threats via the Internet to Timberline High School, Lacey,
Washington. The objective of the operation is to remotely deploy
a CIPAV to geophysically locate the subject.

BACKGROUND
On 06/06/2007, the Seattle Division was contacted by
Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb
threats and DDOS attacks received at the Timberline School
District, Lacey, WA. Below is a time-line of events:

05/30/2007 - Timberline High School evacuation due to
hand written bomb threat note.

06/04/2007 - Timberline High School evacuation due to
bomb threat email from sender: UNSUB(s) also
b7C

DATE: 08-14-2000
CLASSIFIED BY bU922UC/LP/STP/wjg
REASON: 1.4 (C)
DECLASSIFY ON: 08-14-2033

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED EXCEPT
To: Operational Technology From: Operational Technology
Re: 268-HQ-1305912-SDG, 06/13/2007

advised a computer attack will hit the Lacey School District,
which resulted in a DDOS attack totaling over 80,000,000 hits.

06/05/2007 - Timberline High School evacuation due to
bomb threat email from sender:

06/06/2007 - Timberline High School evacuation due to
bomb threat email from sender:

06/07/2007 - Timberline High School received additional
email from UNSUB(s). Details unknown at present time.

LPD and the Washington State Patrol (WSP) continue to
perform school evacuations and bomb sweeps with negative results.
Parents and school district employees have informed local
television stations and newspapers, which aired the story on June
6, 2007. LPD has requested investigative assistance from the
Northwest Cyber Crime Task Force.
b6
b7C
LPD has conducted numerous thorough interviews of a
student at Timberline High School,
appears not to be the subject responsible for bomb threats.
and teachers from Timberline High School provided a list
s who may be responsible for
advising "Keep your
received a text message from
e r d up."
On 06/03/2007,
is described by teachers as
a self proclaimed computer hacker that routinely bypasses the
school computer security measures. computer is in LPD
forensic results are pending. Initial interview of
provided negative results.

I I
On 06/07/2007, Detective) IWS!?, and SA
I 1, sqattle D i v ~ ~ i o n
contacted
, AUSA Kathryn
Warma, Western District of Washington, who agreed to prosecute
captioned matter.

CONCEPT OF THE OPERATION


Deployment Operations Personnel (DOC) will deploy a
CIPAV to geophysically locate the subject issuing bomb threats to
the Timberline High School, Lacy, Washington. The CIPAV will be
deployed via a Uniform Resource Locator (URL) address posted to
the subject's private chat room on MySpace.com (a popular social
networking website).
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 03-18-2008 BY 609221p/pl¶/rtla

STATE OF WASHINGTON
COUNTY OF KING

Norman B. Sanders Jr., being duly sworn on oath, deposes and says:

1. I am a Special Agent for the Federal Bureau of Investigation ("FBI"), and
have been such for the past five years. Prior to becoming a Special Agent, I was
employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I
am currently assigned to the Seattle Office's Cyber Crime Squad, which investigates
various computer, and Internet-related federal crimes.

2. My experience as an FBI Agent has included the investigation of cases
involving Computer Intrusions, Extortion, Internet Fraud, Identity Theft, Crimes
Against Children, Intellectual Property Rights, and other federal violations involving
computers and the Internet. I have also received specialized training and gained
experience in interviewing and interrogation techniques, arrest procedures, search
warrant applications, the execution of searches and seizures, cyber crimes computer
evidence identification, computer evidence seizure and forensic processing, and various
other criminal laws and procedures. I have personally participated in the execution of
arrest warrants and search warrants involving the search and seizure of computers and
electronic evidence, as well as paper documents and personal belongings.

3. I am an investigative or law enforcement officer of the United States
within the meaning of Section 2510(7) of Title 18, United States Code, in that I am
empowered by law to conduct investigations and to make arrests for federal felony
offenses.

4. Relative to this investigation, my duties include the investigation of
offenses including violations of Title 18, United States Code, Sections 875(c) (Interstate
Transmission of Communication Containing Threat to Injure), and 1030(a)(5)(A)(i) and
(B)(iv) (Computer Intrusion Causing a Threat to Public Safety).

Affidavit of Norm Sanders for CIPAV
USAO# 2007R00791
Page 1 of 17 Pages

5. I submit this affidavit in support of the application of the United States for
a search warrant. This search warrant pertains to the Government's planned use of a
specialized technique in a pending criminal investigation. Essentially, if a warrant is
approved, a communication will be sent to the computer being used to administer
www.myspace.com [1] ("MySpace") user account "Timberlinebombinfo".
The communication to be sent is designed to cause the above referenced
computer to transmit data, in response, that will identify the computer and/or the
user(s) of the computer. [2] In this manner, the FBI may be able to identify the computer
and/or user of the computer that are involved in committing criminal violations of
United States Code specifically, Title 18, United States Code, Sections 875(c)
(Interstate Transmission of Communication Containing Threat to Injure), and
1030(a)(5)(A)(i) and (B)(iv) (Computer Intrusion Causing a Threat to Public Safety).
More specifically, the United States is applying for a search warrant authorizing:

a). the use of a Computer & Internet Protocol Address [3] ("IP address")
Verifier ("CIPAV") in conjunction with any computer that administers MySpace user
account "Timberlinebombinfo" (http://www.myspace.com/timberlinebombinfo),
without prior announcement within ten days from the date this Court authorizes the use
of the CIPAV;

b). that the CIPAV may cause any computer - wherever located - that
activates any CIPAV authorized by this Court (an "activating computer") to send
network level messages [4] containing the activating computer's IP address and/or MAC
address, [5] other environment variables, and certain registry-type information [6] to a
computer controlled by the FBI;

c). that the FBI may receive and read within ten days from the date
this Court authorizes the use of the CIPAV, at any time of day or night, the information
that any CIPAV causes to be sent to the computer controlled by the FBI; and

d). that, pursuant to 18 U.S.C. § 3103a(b)(3), to satisfy the notification
requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay
providing a copy of the search warrant and the receipt for any property taken until no
more than thirty (30) days after such time as the name and location of the owner or user
of the activating computer is positively identified or a latter date as the court may, for
good cause shown, authorize. Provision of a copy of the search warrant and receipt
may, in addition to any other methods allowed by law, be effectuated by electronic
delivery of true and accurate electronic copies (e.g. Adobe PDF file) of the fully
executed documents.

[1] MySpace is an international free service that uses the Internet for online communication through
an interactive social network of photos, videos, weblogs, user profiles, blogs, e-mail, instant
messaging, web forums, and groups, as well as other media formats. MySpace users are capable of
customizing their user webpage and profile. Users are also capable of searching or browsing other
MySpace webpages and adding other users as "friends". If the person identified approves your
"friend" request, he or she will be added to your list of friends. Users are capable of sending MySpace
messages and posting comments on other user's MySpace webpages.

[2] In submitting this request, the Government respectfully does not concede that a reasonable
expectation of privacy exists in the internet protocol address assigned by a network service provider or
other provider to a specific user and used to address and route electronic communications to and from
that user. Nor does the government concede that a reasonable expectation of privacy is abridged by the
use of this communication technique, or that the use of this technique to collect a computer's IP
address, MAC address or other variables that are broadcast by the computer whenever it is connected
to the Internet, constitutes a search or seizure.

[3] Conceptually, IP addresses are similar to telephone numbers, in that they are used to identify
computers that exchange information over the Internet. An IP address is a unique numeric address
used to direct information over the Internet and is a series of four numbers, each in the range 0-255,
separated by periods (e.g., 121.56.97.178). In general, information sent over the Internet must
contain an originating IP address and a destination IP address, which identify the computers sending
and receiving the information. Section 216 of the USA Patriot Act (P.L. 107-56) amended 18 U.S.C.
§ 3121 et seq to specifically authorize the recovery of "addressing" and "routing" information of
electronic communications by a pen register/trap & trace order.

[4] As used here, a network-level message refers to an exchange of technical information
between computers. Such messages work in established network protocols, determining, for example,
how a given communication will be sent and received. Every time a computer connected to a local area
network (LAN) or the Internet connects to another computer on the LAN or the Internet, it broadcasts
network-level messages, including its IP address, and/or media access control (MAC) address, and/or
other "environment variables." A MAC address is a unique numeric address of the network interface
card in a computer. Environment variables that may be transmitted include: operating system type and
version, browser type and version, the language the browser is using, etc. These network-level
messages also often convey network addressing information, including origin and destination
information. Network-level messages are used to make networks operate properly, transparently, and
consistently.

[5] Computers that access, and communicate on LANs do so via a network interface card (NIC)
installed in the computer. The NIC is a hardware device and every NIC contains its own unique MAC
address. Every time a computer connected to a LAN communicates on the LAN, the computer
broadcasts its MAC address.

[6] As used here, "registry-type information" refers to information stored on the internal hard
drive of a computer that defines that computer's configuration as it relates to a user's profile. This
information includes, for example, the name of the registered owner of the computer and the serial
number of the operating system software installed. Registry information can be provided by a
computer connected to the Internet, for example, when that computer connects to the Internet to request
a software upgrade from its software vendor.
6. I am thoroughly familiar with the information contained in this Affidavit,
which I have learned through investigation conducted with other law enforcement
officers, review of documents, and discussions with computer experts. Because this is an
application for a search warrant and pen register, not every fact known about the
investigation is set forth, but only those that are pertinent to the application. As a result
of the investigation, I submit there is probable cause to believe the MySpace
"Timberlinebombinfo" account, e-mail account "dougbriggs123@gmail.com"; e-mail
account "=mail.~nl"; e-mail account "dougbriggs234@gmail.com"; e-mail
account "thisisfromitaly@gmail.com"; and e-mail account
"timberline.sucks@gmail.com" have been used to transmit interstate communications
containing threats to injure, and involve computer intrusion causing a threat to public
safety in violation of Title 18, United States Code, Sections 875(c) and 1030(a)(5)(A)(i)
and (B)(iv). I further submit that there is probable cause to believe that using a CIPAV
in conjunction with the target MySpace account (Timberlinebombinfo) will assist in
identifying the individual(s) using the activating computer to commit these violations of
the United States Code.
7. In general, a CIPAV utilizes standard Internet computer commands
commonly used commercially over local area networks (LANs) and the Internet to
request that an activating computer respond to the CIPAV by sending network level
messages, and/or other variables, and/or registry information, over the Internet [7] to a
computer controlled by the FBI. The exact nature of these commands, processes,
capabilities, and their configuration is classified as a law enforcement sensitive
investigative technique, the disclosure of which would likely jeopardize other on-going
investigations and/or future use of the technique. As such, the property to be accessed
by the CIPAV request is the portion of the activating computer that contains
environmental variables and/or certain registry-type information; such as the
computer's true assigned IP address, MAC address, open communication ports, list of
running programs, operating system (type, version, and serial number), internet
browser and version, language encoding, registered computer name, registered
company name, current logged-in user name, and Uniform Resource Locator (URL)
that the target computer was previously connected to.

[7] The "Internet" is a global computer network, which electronically connects computers and
allows communications and transfers of data and information across state and national boundaries. To
gain access to the Internet, an individual utilizes an Internet Service Provider (ISP). These ISP's are
available worldwide.

8. An Internet Service Provider (ISP) normally controls a range of several
(or even thousands) of IP addresses, which it uses to identify its customers'
computers. IP addresses are usually assigned "dynamically": each time the user
connects to the Internet, the customer's computer is randomly assigned one of the
available IP addresses controlled by the ISP. The customer's computer retains that IP
address until the user disconnects, and the IP address cannot be assigned to another
user during that period. Once the user disconnects, however, that IP address becomes
available to other customers who connect thereafter. ISP business customers will
commonly have a permanent, 24-hour Internet connection to which a "static" (i.e.,
fixed) IP address is assigned. Practices for assigning IP addresses to Internet users
vary, with many providers assigning semi-persistent numbers that may be allocated to a
single user for a period of days or weeks.

9. Every time a computer accesses the Internet and connects to a web site,
that computer broadcasts its IP address along with other environment variables.
Environment variables, such as what language the user is communicating in, allows the
web site to communicate back and display information in a format that the computer
accessing the web site can understand. These environment variables, including but not
limited to, the IP address and the language used by the computer, may assist in locating
the computer, as well as provide information that may help identify the user of the
computer.

10. The hard drives of some computers contain registry-type information. A
registry contains, among other things, information about what operating system
software and version is installed, the product serial number of that software, and the
name of the registered user of the computer. Sometimes when a computer accesses the
Internet and connects to a software vendor's web site for the purpose of obtaining a
software upgrade, the web site retrieves the computer's registry information stored on
its internal hard drive. The registry information assists the software vendor in
determining if that computer is running, among other information, a legitimate copy of
their software because the registry information contains the software's product
registration number. Registry information, such as the serial number of the operating
system software and the computer's registered owner, may assist in locating the
computer, and identifying its user(s).

11. On May 30, 2007, a handwritten note was discovered on the premises of
the Timberline High School in Lacey, Washington. Subsequently, school
administrators ordered an evacuation of the students based on the handwritten bomb
threat note.

a). On June 4, 2007, Timberline High School received a bomb threat
e-mail from sender: "dougbriggs123@gmail.com". The Unknown Subject(s)
(UNSUB) stated in the e-mail "I will be blowing up your school Monday, June 4,
2007. There are 4 bombs throughout timberline high school. One in the math
hall, library hall, main office and one portable. The bombs will go off in 5 minute
intervals at 9:15 AM." In addition, the UNSUB(s) stated, "The email server of your
district will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-of-
Service (DOS) [8] attack on the Lacey School District computer network, which caused
over 2~,000,000 hits on the system within a 24 hour period. School administrators
ordered an evacuation of the school on June 4, 2007.
b). On June 5; 2007, the UNSUB(s) sent an e-mail l?Wr~
,
d w p b r 1 g staring the following: .
< <Read This ASAP > >
Now that the schoo! is scared from yemdays fake pomb e t it's
now t i to get senous. One in a gym locker. the guls. It's m a
locker Mden under a pile of clothes. The other four I W!I only '
say the eneral location. One in the Language Hall, One m the
b&. Oqe ~lndcmertha portable raped wlth sm
Thy bomb wlll o off if any vibrations are felt. And e kist one
H YLducbpe
Is m a locker. t i s enclosed in a sound roof package, and h a d y
as.A
undetectable. I have used a vatye of emicals to make the
bombs. . They are all dierent
They will all o off at 10: ISAM. Through remote detonation.
B
.Good Luck. And i that fails. a failsafeof 5 mlnutes later.
The UNSUB(s) goes on m s u e : .
Oh and for the lice officersand technology idots the dislrict
at.
ofice tryb to track
give you a &t.
t K email yesfirrays emnd7slrntme I
The email was sent over a newly made gmil ., :
.Uxouut,from overs* in a foreign country. The gmail ~ccount was
created there and h s ernail and ycsarrdays was sent from there. So
good luck taljun with Ital about getting the identify of @e person
who owns the l h ~ b id&ated
t server

c. In another e-mail from sender *d0~ebriees234~ail,com 3,

fie UNSUB(s) states the following:

back lets get serious." phe UNSU$S)


mentions bombs sa to . i
Hello Again: Seeing as how ou're too stu id to trace the email

[8] A DOS attack is an Internet based computer attack in which a compromised system attacks a
single target, thereby causing a denial of service for users of the targeted computer system. The flood
of incoming messages to the target system essentially forces it to shut down, thereby denying service to
the system to legitimate users. The DOS attack is generally targeted at a particular network service,
such as e-mail or web access.
detonate between 10:45-11:15 AM, and adds1 Seriously, you are not
oing to catch me. Sa just give u Maybe you should hire Bill
hater to tell you that it is coming& Italy. HAHAHA Oh wait 1
alreadv told vou chat. So stm ~ r e t e n d hto~be "trache it" because I

II
have already-toldyii it's c o & ~ f i o mTdy. That is where t r a , ~
will stop so 'ust stop trying. Oh and this ernail will be behind a
4 proxy b e d tho Italy server.
d). School administrators ordered an evacuation of the school on June

e). On June 6, 2007, Principal Dave Lehnis of Timberline High
School received an e-mail from sender: "douebri~vs9~1Amnail.~0m~". The e-mail
contained the following text: "ENJOY YOUR LIFE ENDING".

lo Y f).ID another email from B


UNSUB(s) states the following,
e d l l @ m n a i l . c e the

emaifae~'unithathas
.
r
already been deleted of all information b the time you read his
email. Get your.asson a plane to Italy i you want it to stop.
g). School administrators ordered an evacuation of the school on
June 6, 2007.

h). On June 7, 2007, Timberline High School received an e-mail from
sender "thisisfromitaly@gmail.com." The UNSUB(s) states:

"There are 3 bombs planted in the school and they're all different
kinds. I have premade these weeks in advance and tested the timers
to make sure they work to exact millisecond. Locking the doors is
a good plan, but too late."

i). School administrators ordered an evacuation of the school on
June 7, 2007.

j). On June 7, 2007, the UNSUB(s) posted three of the threatening
e-mails in the comments section of the online news publication service, "theOlympian".
The administrator from "theolympian.com" removed the threatening e-mail postings.
Shortly thereafter, the UNSUB(s) re-posted the threatening e-mails. Eventually, the
administrator of "theolympian.com" disabled the "comments" section.
k). On June 7, 2007, Detective Jeremy Knight, Lacey Police
Department (LPD), received information from the Thurston County Sheriff's Office,
which had received a complaint from a person identified as AG. AG stated that she
received invitation through myspace.com from the MySpace profile of
"Timberlinebombinfo" wanting her to post a URL link to
Ihm://bambe&ls.hvoert)ha. corn on her myspace.com webpage. The UNSUB(s)
advised her that failure to comply would result in her name being associated with future
threats. Similarly, Knight received a phone call from a parent alleging that her

the same request from the UNSUB(s). According to Knight, 33 students
received a request from the UNSUB(s) to post the link on their respective myspace.com
webpages. Subsequent interviews performed by Knight yielded limited information.

25 1). On June 7, 2007, V W and BP received Myspace private invitations


26 from an individual utiliiing the MySpace moniker 'Timberlinebombinfo". V W .
7

la
I
accepted the invitation fr~m'~~imberlinebombinfo''received an America Wine
Message (AIM)
IInstant
and
an iqdividual utilizing AHM screen name
from
09." Communication ceased with "Alexspi3rinp_O9"after VW
iaformaion related to the bomb threats. VW believed screen name
associated to ALEX SPIERING. a student at Timberline High.
-09" and "Timberlinebombinfo"used to have the
gtaphic on their Myspace webpage. "Timbe~linebombinfo"r e d y changed
from a picture of guns to a of a bomb.

m). On June 7,2007, Thurston County School District reported ALEX


9 QSPIERINGresides at 6133 Winnwood Loop SE,Olympia, WA, 98513, teleph,one (360)
10 p-0 56 9. of birth-
date 19I.

"I
I2 n). On J p e 8, 2007. Comcast Internet. Thorofiire. New Jersey.
13 b o r t e d that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515
14

I
:IS
received Comcast Internet services for the following subscriber:
Sam Spiering
6133 W i w o o d Loop SE, Lacey, WA 98513
17 Telephdne (360) 455-0569

"1
19
Dynamically Assigned Active Account
Account Number: 8498380070269681

"1
21
o). On June 8, 2007, Thurston County School District received two
additional bomb threat e-mails from "timberline.sucks@gmail.com," which resulted in
the evacuation of the Timberline High School.

12. On June 4, 2007, Google provided subscriber, registration, and IP Address
log history for e-mail address "dougbriggs123@gmail.com" with the following results:

Status: Enabled (user deleted account)
Services: Talk, Search History, Gmail
Name: Doug Briggs
Secondary Email:
Created on: 03-Jun-2007
Lang: en
IP: 80.76.80.103
LOGS: All times are displayed in UTC/GMT
dougbriggs123@gmail.com
Date/Time IP
063~-2007 05:47:29 am 81.27.207.243
04-Jun-2007 05:43:14 am 80.76.80.103
03-Jun-2007 06:19:44 am 80.76.80.103

a). On June 6, 2007, a SmartWhois lookup of IP Address 80.76.80.103
resolved to Sonic S.R.L. Via S.Rocco 1, 240@, Grumello Del Monte, Italy.
Phone: +39035M91296, E-mail: Staff@sonic.it. Your affiant connected to
http://sonic.it, which displayed an Italian business webpage for Sonic SRL Internet
Service Provider.

b). On June 7, 2007, a request to MySpace for subscriber and IP
address logs for MySpace user "Timberlinebombinfo" provided the following results:

User ID: 199219316
First Name: Doug
Last Name: Briggs
Gender: Male
Date of Birth: 12/10/1992
Age: 14
Country: US
City: Law
Postal Code: 985003
Region: Western Australia
Email Address: timberline.sucks@gmail.com
User Name: timberlinebombinfo
Sign up IP Address: 80.76.80.103
Sign up Date: June 7, 2007 7:49PM
Delete Date: N/A
Login Date June 7, 2007 7:49:32:247 PM IP Address 80.76.80.103

c). FBI Seattle Division contacted FBI Legal Attache Rome, Italy and
an official request was provided to the Italian National Police requesting assistance in
contacting Sonic SRL and locating the compromised computer utilizing IP Address
80.76.80.103.

d). On June 7, 2007, the System Administrator for the
theolympian.com advised the posting of the bomb threat emails originated from
192.135.29.30. A Smartwhois lookup resolved 192.135.29.30 to "The
titute of Nuclear Physics (INFN) - Laboratori Nazionali di Legnaro,

Based on my training, experience, and the investigation described herein, I
owing among other things:
a). that network level messages, including the originating IP address
ess, other variables, and certain registry-type information of a computer
sist in identifying the individual(s) using that computer; and
b). the individual(s) using the aforementioned activated computer
sed computers to conceal their true originating IP address and thereby
iting the individual(s)' identification. Compromised computers are
with computer viruses, trojans, or other malevolent programs, which
ability to control computer(s) on the Internet or particular services
compromised computer(s) without authorization. It is common for individuals
aged in illegal activity to access and control compromised computer(s) to perform
icious acts in order to conceal their originating IP addresses.

14. Based on training, experience, and the investigation described herein, I
concluded that using a CIPAV on the target MySpace "Timberlinebombinfo"
t the FBI to determine the identities of the individual(s) using the
ring computer. A CIPAV's activation will cause the activating computer to send
level messages, including the activating computer's originating IP address and
ss, other variables, and certain registry-type information. This information
in identifying the individual(s) using the activating computers.

15. The CIPAV will be deployed through an electronic messaging program
controlled by the FBI. The computers sending and receiving the
be machines controlled by the FBI. The electronic message deploying
nly be directed to the administrator(s) of the "Timberlinebombinfo"

a). Electronic messaging accounts commonly require a unique user
name and password.
b). Once the CIPAV is successfully deployed, it will conduct a one-
time search of the activating computer and capture the information
described in paragraph seven.
c). The captured information will be forwarded to a computer
controlled by the FBI located within the Eastern District of
Virginia.
d). After the one-time search, the CIPAV will function as a pen register
device and record the routing and destination addressing information
for electronic communications originating from the activating
computer.
e). The pen register will record IP address, dates, and times of the
electronic communications, but not the contents of such
communications or the contents contained on the computer, and
forward the address data to a computer controlled by the
FBI, for a period of (60) days.

CONCLUSION
16. Based upon my review of the evidence, my training and experience, and
information I have gathered from various computer experts, I have probable cause to
believe that deploying a CIPAV in an electronic message directed to the administrator(s)
of the MySpace "Timberlinebombinfo" account will assist in identifying a computer and
individual(s) using the computer to transmit bomb threats and related communications in
violation of Title 18, United States Code, Sections 875(c) and 1030(a)(5)(A)(i) and
(B)(iv).
17. Because notice as required by Federal Rule of Criminal Procedure
41(f)(3) would jeopardize the success of the investigation, and because the investigation
has not identified an appropriate person to whom such notice can be given, I hereby
request authorization to delay such notice until an appropriate person is identified.
Further, assuming providing notice would still jeopardize the investigation after an
appropriate person to receive notice is identified, I request permission to ask this Court
to authorize an additional delay in notification. In any event, the United States
Government will notify this Court when it identifies an appropriate person to whom to
give notice, so that this Court may determine whether notice shall be given at that time.
18. Because there are legitimate law enforcement interests that justify an
unannounced use of the CIPAV and review of the messages generated by the activating

ter in this case, I ask this Court to authorize the proposed use of a CIPAV
t the prior announcement of its use. One of these legitimate law enforcement
is that announcing the use of the CIPAV would assist a person controlling the
computer(s) to evade revealing its true IP address, other variables, and certain
e information - thereby defeating the CIPAV's purpose.
19. Rule 41(e)(2) requires that (A) the warrant command the FBI "to execute
within a specified time no longer than 10 days" and (B) "execute the
the daytime unless the judge for good cause expressly authorizes
r time..." In order to comply with Rule 41, the Government will
between the hours of 6:00 a.m. and 10:00 p.m. (PST) during an
. However, the Government seeks permission to d any messages
ahg computer as a result of a CIPAV at any time of day or night
period. This is because the individuals using the activating
e CIPAV after 10:00 p.m. or before 6:00 a.m., and law
read the information it receives as soon as it is aware of the
emergent nature of this investigation. If the CIPAV is not
0-day period, the Government will seek further authorization
n sent to the computer controlled by the FBI as a
from the date the Court authorizes the use of the

20. Because the FBI cannot predict whether any particular formulation of a
s) controlling the activating computer to activate
rize the FBI to continue using additional
ySpace account (for up to 10 days after this
been activated by the activating computer.

21. Accordingly, it is respectfully requested that this Court issue a search
arrant authorizing the following:
a). the use of multiple CIPAVs until one CIPAV is activated by the
tivating computer in conjunction with the target MySpace "Timberlinebombinfo"
, without prior announcement, within 10 days from the date this Court authorizes

b). the CIPAV may cause an activating computer - wherever located -
etwork level messages containing the activating computer's IP address, and/or
s, and/or other variables, and/or certain registry-type information to a
led by the FBI and located within the Eastern District of Virginia;
c). that the FBI may receive and read, at any time of day or night,
m the date the Court authorizes of use of the CIPAV, the information
ses to be sent to the computer controlled by the FBI;
d). that once the FBI has received an initial CIPAV response from the
ivating computer consisting of network level messages containing the activating
r's IP address, and/or MAC address, and/or other variables, and/or certain
information, the FBI will thereafter only be collecting the Q ~ s of
routing information that can be collected pursuant to a pen register

e). that, pursuant to 18 U.S.C. § 3103a(b)(3), to satisfy the notification

Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay
y of the search warrant and the receipt for any property taken until no
(30) days after such time as the name and location of the individual(s)
ug computer is positively identified or a later date as the court may,
n, authorize. Provision of a copy of the search warrant and receipt
ny other methods allowed by law, be effectuated by electronic
curate electronic copies (e.g. Adobe PDF file) of the fully


22. It is further requested that this Application and the related documents be
filed under seal. The information to be obtained is relevant to an on-going investigation.
Premature disclosure of this Application and related documents may jeopardize the
success of the above-described investigation.
WHEREFORE, Affiant respectfully requests that a warrant be issued authorizing
the FBI to utilize a CIPAV and receive the attendant information according to the terms
set forth in this Affidavit.

THIS APPLICATION DOES NOT SEEK AUTHORIZATION TO OBTAIN
THE CONTENT OF ANY ELECTRONIC COMMUNICATIONS, AND THE
WARRANT WILL SO SPECIFY.

Sworn to and subscribed before
me this n#. day of June, 2007

Precedence: ROUTINE Date: 09/05/2007
To: Records Management Attn:
RIDS/WPU/Winchester Site 2, GR N23
From: Office Special Technology
Special Technologies and Applications Office
Contact:
Approved By:
Drafted By:
Case ID #: 190-HQ-C1547903 (Pending)
Title: FREEDOM OF INFORMATION ACT
REQUEST FROM WIRED NEWS,
ELECTRONIC FRONTIER, AND
CNET NETWORKS

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED
DATE 03-19-2008 BY 603221p/plj/rds

Synopsis: To advise Records Management of results of the Special
Technologies and Applications Office (STAO) search for responsive
documents pertaining to the Computer and Internet Protocol
Address Verifier (CIPAV) tool pursuant to captioned Freedom of
Information Act (FOIA) request.

Reference: 190-HQ-C1547903 Serial 49

Enclosure(s): Enclosed under separate cover for Records
Management are: one (1) compact disk containing an electronic
copy of "Magic Quadrant for Information Access Technology." and,
packet of all STAO IAU held CIPAV tool materials.

Details: Pursuant to Records Management request detailed in
referenced communication, STAO canvassed all unit personnel for
any and all documentation, correspondence, and materials
concerning the CIPAV tool. The response was negative for all
STAO entities with the exception of the Investigative Analysis
Unit (IAU). IAU has provided copies of all unit resident
information concerning the CIPAV tool. The requested information
has been forwarded under separate cover to Records Management.
Inasmuch as the Records Management request for a search
for any and all CIPAV materials was conducted, with the resultant
materials forwarded to OTD, STAO considers the matter satisfied
and the lead covered.

To: ?? From: Office Special Technology
Re: 190-HQ-C1547903, 09/05/2007

LEAD(s):
Set Lead 1: (Info)
RECORDS MANAGEMENT
AT RIDS/WPU/WINCHESTER SITE 2, GR N23

Read and Clear.
(Rev. 01-31-2003)

Precedence: ROUTINE

To: Cyber
Cincinnati
Indianapolis Evansville RA
Las Vegas
From: OFFICE SPECIAL TECHNOLOGY
STAO/STOU
Contact: SSA
Approved By:
Drafted By: G i jjb
Case ID #: (Pending)

Title: CIPAV DEPLOYMENT

Synopsis: To forward results of analysis and to cover lead.

Enclosure(s): Final report of findings dated May 23, 2001.

Details: The referenced
requested that STAO analyze

Previous analysis of CIPAV data resulted in the

To: ICE SPECIAL TECHNOLOGY
Re: 05/25/2007

Enclosed is a final report of findings. This report
supersedes any preliminary reports that were provided
electronically/telephonically prior to the publication of the final
report. Please note that the final page of the report
includes a customer satisfaction survey and that, time
permitting, STAO/STOU would appreciate candid feedback in
order to ensure the satisfaction of its customers.
STOU considers this Lead covered.
SPECIAL TECHNOLOGY
05/25/2007

LEAD(s):
Set Lead 1: (Info)
CYBER
AT WASHINGTON, DC.
Read and Clear.

Set Lead 2: (Action)
CINCINNATI
AT CINCINNATI, OHIO
Read and Clear.

Set Lead 3: (Info)
LAS VEGAS
AT LAS VEGAS, NEVADA
Read and Clear.

Set Lead 4: (Info)
INDIANAPOLIS
AT EVANSVILLE, INDIANA
Read and Clear.


August 28, 2007

RMS Request Number:

Request ID: 0116159
Performance Indicator: Technical expertise
Status: Closed
Requestor Name:
Opened: 11/17/2006 3:41:39PM
Closed: 5/14/2007 9:43:57AM
Office: HOUSTON
Phone:
Office Code: 3290-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Assigned To Group: CEAU
Program Manager:
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer

Derived from: OTHER
DATE: 04-11-2008
CLASSIFIED BY 60322UC/LP/PLJ/gjg
REASON: 1.4 (C)
DECLASSIFY ON: 04-11-2033
ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED EXCEPT WHERE SHOWN OTHERWISE

RMS Request Number:

Request ID: 0092259
Performance Indicator: Technical expertise
Status: Closed
Requestor Name:
Opened: 9/27/2004 2:28:13PM
Closed: 1/13/2005 1:39:50PM
Office: OMAHA
Phone:
Case Classification Number:
Investigative Program:
Assigned to Name:
Program Manager:
Assigned To Group:
Item: Internet/ISP intercept

9/27/2004 2:28:13 PM
assigned/forwarded request to
9/27/2004 2:28:13 PM
assigned/forwarded request
has Reassigned or Forwarded th
10/21/2004 1:20:40 PM

Request ID: 0096936
Performance Indicator:
Status: Completed
Opened: 2/1/2005 7:34:18PM
Closed: 3/25/2005 9:47:31AM
Case Classification Number: ZZZ
Investigative Program: MIX
Program Manager:
Assigned To Group: EP CEAU
Category: CEAU
Item: Encryption Technologies
Program/Type: DataPole Intercept with Encryption

pfrields has Reassigned or Forwarded this
3/25/2005 9:42:31 AM
Reassigned or Forwarded this request
has Reassigned or Forwarded this request


RMS Request Number:

Request ID: 0097973
Performance Indicator:
Status: Completed
Opened: 3/8/2005 12:35:09PM
Closed: 3/18/2005 2:34:41PM
Requestor Name:
Phone:
Case Classification Number: 315A
Office: CyDfIINI
Office Code: 1813-0000
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer


Request ID: 0099200
Performance Indicator:
Status: Completed
Opened: 4/25/2005 10:32:21AM
Closed: 4/27/2005 8:43:11AM
Requestor Name:
Office: BUFFALO
Phone:
Office Code: 3110-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer
Requested Support: Buffalo request assistance with CIPAV
Worklog: 4/27/2005 8:43:11 AM


Request ID: 0099477
Performance Indicator:
Status: Completed
Opened: 5/6/2005 9:03:10AM
Closed: 5/6/2005 9:04:11AM
Requestor Name:
Office: PHILADELPHIA
Phone:
Office Code: 1813-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer

RMS Request Number:

Request ID: 0100740
Performance Indicator:
Status: Completed
Opened: 6/23/2005 10:33:56AM
Closed: 6/23/2005 10:34:25AM
Requestor Name:
Office: NEW ORLEANS
Phone:
Office Code: 1813-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer
Requested Support: wants to send
to a cyber extortion subject.
Worklog: 6/23/2005 10:34:25 AM
Sent template s/w affidavit to SA and
On 5.23.05, advised that he is still
get a warrant to use the technique. On 6.23.05
advised that case is being closed. COMPLETED


RMS Request Number:

Request ID: 0102202
Performance Indicator:
Status: Completed
Opened: 8/12/2005 3:52:28PM
Closed: 9/28/2005 12:39:43PM
Requestor Name:
Office: CLEVELAND
Phone:
Office Code: 3170-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Item: Internet Tracer

communicating with fugitive via Email


RMS Request Number:

Request ID: 0102303
Performance Indicator:
Status: Completed
Opened: 8/17/2005 1:10:54PM
Closed: 8/17/2005 1:11:12PM
Requestor Name:
Office: CHARLOTTE
Phone:
Office Code: 1813-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer

RMS Request Number:

Request ID: 0102306
Performance Indicator:
Status: Completed
Opened: 8/17/2005 1:26:50PM
Closed: 8/17/2005 1:27:02PM
Requestor Name:
Office: LOS ANGELES
Phone:
Office Code: 1813-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer


RMS Request Number:

Status: Completed
Opened: 10/18/2005 2:22:16PM
Closed: 10/18/2005 2:22:32PM
Office Code: 1813-0000
Case Classification Number: 315A
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Item: Internet Tracer

RMS Request Number:

Request ID: 0106847
Performance Indicator:
Status: Completed
Opened: 11/28/2005 11:02:43AM
Closed: 12/21/2005 2:08:31PM
Requestor Name:
Office: DENVER
Phone:
Office Code: 3210-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned To Group: CEAU
Program/Type: Computer Exploitation
Category: CEAU
Item: Remote Computer Search/Surveillance
Worklog: 12/21/2005 2:08:31 PM
Requested Support: Re telcall to 11/23 &
28/2005. Denver requests use of the CIPAV technique. A draft
of an affidavit has been emailed to on 11/28/2005.
Additional information will follow re method used to deliver the
technique. Questions, please call


Status: Completed
Requestor Name:
Opened: 12/6/2005 4:19:10PM
Closed: 12/6/2005 5:08:04PM
Office: PHOENIX
Phone:
Office Code: 3630-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Assigned To Group: CEAU
Program/Type: Computer Exploitation
Category: CEAU
Item: Remote Computer Search/Surveillance

from and ITA
attempts to get status of intere
met with negative results o
a number of occasions. COMPLETE.


RMS Request Number: 0107347

Request ID: 0107347
Performance Indicator:
Status: Completed
Opened: 12/14/2005 5:04:36PM
Closed: 2/9/2006 9:32:16AM
Requestor Name:
Office: WASHINGTON
Office Code: 3920-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Computer Exploitation
Category: CEAU
Item: Remote Computer Search/Surveillance
Worklog: 2/9/2006 9:32:16 AM


Request ID: 0107566
Performance Indicator:
Status: Completed
Opened: 12/21/2005 2:15:15PM
Closed: 1/5/2006 4:55:44PM
Requestor Name:
Office: LAS VEGAS
Phone:
Office Code: 3380-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Program Manager:
Assigned To Group: CEAU
Category: CEAU
Item: Internet Tracer


RMS Request Number:

Request ID: 0111114
Performance Indicator:
Status: Completed
Opened: 4/27/2006 10:43:58AM
Closed: 4/27/2006 10:44:16AM
Requestor Name:
Office: PITTSBURGH
Phone:
Office Code: 3650-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer


RMS Request Number:

Request ID: 0111145
Performance Indicator:
Status: Completed
Opened: 4/28/2006 9:45:21AM
Closed: 4/28/2006 9:45:44AM
Requestor Name:
Phone:
Office: DM-CRYPTOLOGIC & ELECTR ANALY
Case Classification Number: 315A
Office Code: 1813-0000
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU
Program/Type: Remote Computer Trace
Category: CEAU
Item: Internet Tracer
Requested Support: 8.31.05. SA
On


RMS Request Number:

Request ID: 0115736
Performance Indicator: Technical expertise
Status: Closed
Opened: 11/2/2006 5:14:29PM
Closed: 3/7/2007 10:28:16AM
Requestor Name:
Office: ST LOUIS
Phone:
Office Code: 3730-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU SL
Program/Type: Computer Exploitation
Category: CEAU
Item: Remote Computer Search/Surveillance

has Reassigned or Forwarded this request to


Request ID: 0117037
Performance Indicator: Technical expertise
Status: Closed
Opened: 1/9/2007 4:16:55PM
Closed: 5/14/2007 10:04:28AM
Requestor Name:
Phone:
Office: ST LOUIS
Office Code: 3730-0000
Case Classification Number: 315A
Investigative Program: NFIP-IT
Assigned to Name:
Program Manager:
Assigned To Group: CEAU SL
Program/Type: Computer Exploitation
Category: CEAU
Item: Remote Computer Search/Surveillance

l l l U Z W 7 8:37:25 AM
has Reassigned or Forwarded this request to

[Table: "Cases: At-A-Glance", marked SECRET and //Program Sensitive, dated 09/14/2006 17:22 hrs., 26 pages. Column headings that survive: Case Number, Pending Case Number. Entries that survive: 9 UNKNOWN; CLOSED 288A-RH-52644; CLOSED 174C-LV-39242; CLOSED Unknown 315N-SF-012606. No other table content is legible.]
Last update 5 June 2007

Sensitive but Unclassified

Version Control

Date | Changed By | Version # | Changes
     |            | 0.1       | Draft Baseline

Law Enforcement Sensitive/Sensitive But Unclassified
For Official Use Only
Case Support Standard Operating Procedures (SOP)
Cryptographic and Electronic Analysis Unit (CEAU)
Software Development Group (SDG) Deployment Operations Center (DOC)

4. Case Remote Install

Pittsburgh II Investigation (different case than original ongoing one)

01/04/2007 - SPU referred case to OTD/CEAU

01/31/2007 - ITOS requests OTD/CEAU if remote computer attack can be conducted
against target

02/07/2007 - SPU contacted CEAU to offer assistance regarding case. CEAU advised
it may require which falls in SPU's a&. If so, CEAU will coordinate
with SPU for the task.

* Present - Per Case Agent, CEAU advised Pittsburgh that they could assist with a wireless
hack to obtain a file tree, but not the hard drive content. SPU has not heard anything from
OTD regarding this.

Cincinnati Investigation

Acting Unit Chief, Special Technologies Operations Unit (STOU) was
contacted on the evening of February IJ.2001 by Special Agent (Squad ,
Cincinnati Division) requesting urgent support. SA advised that he was working on a case
(288A-CI-76037-WB) which needed immediate assistance from STOU in analyzing data
obtained from a Computer and Internet Protocol Address Identifier ("CIPAV") inserted in five
different

According to the Cincinnati's EC, "The CIPAV was previously exposed to hackers from
01/30/2007 to 02/09/2007 but no information was gathered because

"During the period of the current search warrant, the unsub hacker(s) accessed
02/13/2007 at 12:23:08 Eastern Standard Time
("EST"). The Unsub(s) then proceeded to visit the site 29 more times. In these instances, the
did not deliver its payload because of system incompatibility. On 02/15/2007 at
5:29:21 EDT, the system was able to deliver a CIPAV and the CIPAV returned data"

SA requested STOU immediately begin analyzing all data recovered by the CIPAV
and continue to perform analysis on an ongoing basis until the termination of CIPAV operations

STOU engineers immediately engaged in the case and began providing data back to SA
the very next day. STOU continued to provide daily support until the analysis was
complete.
