Académique Documents
Professionnel Documents
Culture Documents
. ,
.
,
.
, ,
1 CCIPS
FTO~:(
'
ch.Z,20033
"
b6
DA&: 00-12-7008
b7C ,
CLASSIFIED by 6 0 3 2 2 ~ ~ l p / ~ t ~ / r d a,,
,, bi
::
~ A S ~ N1.4.1~1
:
b2 . .
f i ~ c ~ n s s xON:
~ r 08-i2-2033,
..b7E
,
,
,
,
'
..
'
'
'
'
'
, '
LAW ENFORCEMENT
SENSITIVE.
.
FOR
OFFICIAL
USE ONLY
.
,. ,
.
.
.
,,
,.
(w).
'.
.,
'
, ,
'
. .. . . , , . .
. . ,.. . . .. .. . . . . .
,. ,
I' ,
. ,,:. ,
,. , ,, . ... , , , .
.
.
.
.
.
.
.
.
,.,.
,
. .
. . .
.
.
. , . ,.,..
,
.
.
. . . ,. .,
. . . .
..,.
,
,
,
.
,
.
,
;
. . i . . . ... . .. . , .. , , .. .. .. .. . .. . . . .
.,
,,.
,
.
: . , , ,., ,
.
, .
,
. ,
,
,
. . . . .. ., , , , , ,. . , , ,
,
,
:.
.
,,
. .. . . .
, ,.
,.
.
.
.
.
.
.
.
,
,
' , ,
, . ,
.,
, , ,
,
,
. ., .. , .
, .
..
,
, .
,
,
,
,
.
,
,
,
,
, .
. ,
.
..
'
' ,
'
. .
.',
\.
'
.. . . . .
, ..
,
, , '
.,
,.
,,
'
. . . . ... , . . . . .
.
. " . , ,.
.,, .
. .
,,
,
.
. ,
..
..
.
' . ,
,
,
,
.
, ,
:
.. . .. , a
,
'
! I " .
' , ,,
.
,
. ,
. ,.
. ,'
',
I
I.
'
. .
.,,
. . . . . .
'
'
. . . . ,. :. ,
,, , . , , '
',
.. . .'."bl
' ,.
, , ,.
,;, ,, .
'
., ,.
, . .
..
.,
.
I'
: ,
" . '.
'.
,
" , . ,.,,
. .:.. . . I. . . . , , . , , .
,,,
, ..
., , , . . , . , , ; . . . . . .. . .. .. . .. . . .. # ! ' . . .. .' .. ^.
. ,
.
,
,. , .
. . . . . . . ., ,
, .,,
. .
,
..,. ,
, .
. .
. . ' . :,
,.
, .
.. ,
,
.,.
. . . ., .
, , ,
.
..
'
, , ..
,, .
'
, : . .. . .. . . . ..,.,.
,
. . .. .. .. .. . .. . .
'.' . " .
.
, . , ., , . ., ,
:. b i ' , , , , , , , . . . . . .
., , . . '
,
,,1 , . b6
1
.,.
. .
., .
. . ..b7C . . . . . . , .
,
.
, ., .
. .,
,
. . . .. . , . ,
,
,
.;.,, ,
.. , .
'
,
,
: ...';.. ....I
. . . . . . . . . . . . . . . . .. .,. , , . ,:
. .. . , , , ,
. , ,,
. . , .. ,
', . '
..
.
;,
' '
'
I : , .
1 ; .
.,
,,
..
.
'
. .
.,
: : I'.~~ctrss~n'oy:
03'19-2033
,.; . , :,
' ,
. , . ... , .
. . .,.i . . , ..' .: . '
........
,
.,:
, .
. .,
,, , .
:, ' ,
,, .
,
:;.,; .bl'. . .' .. . .. . .. . . . , . . . .
. , ,
. .
.
.. ,
. ,
,
., . .,, . . . , . , .
'
' ;
, ,
.
'
. ...
,
. ,
.
.' . . :. . . . .
,
. , '.
:,
. , . . . . ... . .
,,
'..
.
:..
. ,
'
'
'
.
, ,
, ' ,
, , . ~ ,
..
.. ,
,
,
..,
..
.'
''
, :
, .
!', ,
,,
m1 'INFO. ' .
.".
I:,
,.
'.'
'
.
.,
I.
.
.......
'
8.'
. '.'
' F i ~ s ~ ~ ~ ~ m ~ : ' ~ s ~ .0', ',3 z t ~
. sow: 1 . . 4 , ( . ~,,'j '
. , : ,,, .,, ' .
....
..
...
.
.
,.
. : ., n n q : 03-lg-zoos
...
..'I
'
"
. ., .
,.
.,
. . . . .
. .
, ,
,..
'
. . . . .
.
, '
.
'
,.I..
. i
. .
'
... , , .
.,
,..
.,. ,.
1
: 1
:1
'bl
,
!
.
I
.
. .,
'.
..
. ,
:.
: I
,.
,
,
.
. ,
,,',
I
.
I
.
.
. ..
,
'
'
.
,
'
,,
.
,
.
,
.
,
,
,.
,.
.,
.,
.
,,,
. ,.
classified by:
, . , Jamts
-liPCLICe
.
.
Reason:
. ,.., ,,
~eclassifjlon;, . , . .,
..: . ' ., !:;. ':
.: ' . .
,., . : , , .. ., . . .. . . .. ,,. ,
,
, ,
..
, ,
"
'I
'
: .
. ,,,
.,,
'
,
.
.,
.
I
,
.. ,
,.
.
,.,
. ... . . .. . . ., .. . ,.',, . .
,,
'
., , .. ..
. .
,
.
. . ., . . . .. . . ,: :, ,
., .
. . .
,
.,
,, .
'
,I
.
..
2 . .
,
,
, . ., . ,. . ..
. :
. : .
. ',;
.
. . . .,
..
.,
.. .
,
...
,. ,
/
., , ,
,
I
Poli~v.OlPR
. I,. . . DOJ'
"
. .. ,
' ,
'..'
,
,
,i
..
. .. ,
., ,
.
'
,.
.
i
'
,.
'
., .
,, .
.
,
. ,
,
'
, .
. , ,
,.. , , . , . ,
. , . . . . ., .. , , , .
' .
, , . ..
,,
_ ' . ' .'. , ..
..........
,
, , ,,., ,
. . . . .'.
. , , , . ,
,
. , , ., , , , ,. ,. .!. . ., .., .., .. .. ... . , ,
,
. ,
"
,.
'
. .
,'
. ,:.
,, . .
'. , ,
,,
, ,
,.
, . .., , ,
,
,',
.,
.,.
,
"'
I.
'
./.
, I
..I..
A ( 1
contact ~umberj-1
as:
Universal
Fiie.Number:
UCFN Serial Number:
Record Status: Open
Start Date: 27 Jul2007
Due Date: 01 Aug 2007
Request Open For: 5 days, 21 hours,' 22 minutes
Origin of Request:
~~f~riority:
Description: ~ a & rall documents that reference 'CIPAV'
Other Contacts:
** Not Assigned
Legal Information
E-mail Address:
-1-
rna nrurm m r r 0 p a w
b1
b2
b7E
I
Primary Technical Lead:
Secondary Technical Lead:
Other Contacts:
Legal Information
Record Logs:
05/07/2007, 1:30 PM Spoke
with SA
4 s ) - . . ...advi'$gZfrhnt.th)..
,...,,
IS1
.,'...,
ALL IBFOWTION. C O ~ ~ A I W E D
H"PBFT1 T S
b6
b7C
IINCLASSIRIED EXCEPT
DAm: 08-15-2008
CLASSIFIED BY 60322UCIIP/5TP/gjg
bl
. b2
b7E
Contact Nurnber~-~
E-mail Address:
b6
b7c
bl
[ S ] . , . \.
b2
blE
b6
b7c
Other Contacts:
Legal Information
Submission ~ e t i i :
Description: Client #I-
A
08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
Status: Closed
Technical Lead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Wamnt Expiration dak. No Expiration Date
~ e s c r i ~ t i o n : [ l
Status: Closed
~echnicnlLead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Warrant Expiratioa date: No Expiration Date
L
Record Logs:
AM-1-1
04/01/2006,8:00
No evidence received
'
r--V
contact ~umberl-1-
E-mail Address:
UCFN Serial,Numbek
Record Status: Completed
Start Date: 22 Dec 2005
Due Date: TBD
Request Open For: 588 days, 1.1 hours, 47 minutes
-,+"
.
..
INTERNATIONALPARTNERS'
b7C
bl
b2
b7E
b6
b7C
Other Contacts:
** Not assigned
Legal ~nfokation
b6
b7C
DATE: 08-15-2008
CLASSIFIED BY 60322lTC/IP/STP/Uj0.
REASON: 1.4 (C)
,DECLASSZFY Om: 08-15-2033
Submission Details:
Description: Client #l
Status: Open
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TED
Warrant Expiration date: No Expiration Date
~escri~tioni
Statua: Open
Technical Lead:
Start date: 12/22/2005
Due Date: TBD
Finish Date: TBD
Warrant Expimtion date: No Expiration Date
Record Logs:
b1
=sent
to begat Moscow.
lead
1Contact ~urnber~-[~-rnail
Address:
None Assigned
Other Contacts:
Legal Information
DATE; 08-15-2900
CLASSIFIED BY 60322UC/LP/BTPJgjg
REASOBI: 1.4 I.C .)
b6
b7C
Contact Number:l-v-mail
Address:
m.
ALL INPOREIRTIOB
Other Contacts:
* * Not Assigned
Legal Information
Submission Derails:
Description: Client #I
Status: Closed
b6
b7C
bZ
b7E
I b6
DATE: 09-18-2008
b7C
CLASSIFIED BY 60322 UC/LP/STP/gjg
mA50N:
DECLASSIFY ON: 09-18-2033
Technical Lead
Start date: 10/20/2005
Due Date': TED
Finish Date: 05/04/2007
Warrant Expiration date: No ~ x ~ i r a t i 6Date
n
1-
Description:
Stabs; Closed
Technical Lead:
Start date; 10/20/2005
Due Date: TED
Finish Date: 05/04/2007
Warrant Expiration date: No Expiration Date
- contact ~umbwf-1
E-mail Address:
e-
IS 1
(9).
421
I
** Not A s s i p d
Legal Information
'
DATE; 98-&$-1Q08
CLBSSIFm BY 60333VC/LP!STP/gjg
PXA50D? 1.4 tCI
..
UECLAS$LEY ON? 08-15-2033
*
-
b6
I
~ o n t a~nrxrhol-1
~ tE-mail Address:
b7C
[ S 1 .,'"
&d,
wBjs'swsw
b6
b7C
bl
o n , , ~ ~ ~ ~ f i v # . ! ~b2
b76
~ ~
mvidcd to S
Other Contach:
Legal Information
Record Logs;
PATE1 08-15-3008
CLA33IFTED DY GO32ZUC~fP,'JTP/$'jp
HEASPI: L.4 I C )
D E C L A S S I N DN: 0 8 - 1 5 - 2 0 3 3
ALL INFOMATTON COIITATNED
,
UNCLASSEIEDIFOR OFFICIAL USE ONLY
1 Dl9
1contact ~
u m b e r rE-mail
l
Address:
ls 6
b7C
I
w affidavit received.a.n.3..
05 and provided to A
lnd
bl
Other Contacts:
** Not Assigned
Legal Information
DAfi: 08-06-2008
CLASSIFIED BY 60322VC/LP/BTP/Vjg
1-
Contact ~ u m b e r jE-mail
l
Address:
Other Contacts:
** Not Assigned
PATE; 08-15-2008
Legal Information
REASON: 1 . 4 ( C ]
DECLAsSIH ON: 08-15-2033
ALL
IIFDREULTION
CLASSIFIED BY 60322VC/LP/STP/gjg
CO~AIIWED
Record Logs:
b7C
lweb page
b2
b7E
b6
b7C
- E-mail Address:
Contact Numb-
CEAU StaffIevolved:
None Assigned
Other Contacts:
0
.
Legal Information
Record Logs:
b6
'b7C
Is)
...........................
( ]
"
Wpz~,.was,.
reviewed signed S/W
b1
b2
b7E
..............................
'
DATE: 08-15-2008
CLASSIFIED BY 6032ZUC/IP/STP/qjg
I L L INFOPEiTION COXTATNED
B R E I N 19 WCLASSIFTED EXCEPT
-----
-">-.
REASON; 1 . 4 [C)
.DECLASSIFY ON: 08-15-2033
,
I
C o n t y NumberIC
Other Contacts:
Not Assigned
Legal Information
DATE; 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/qjg
REasonr: 1.4 (CI
DECLASSIFI ON: 08-L5-2033
E-mi; AddreSS:
contact ~lunber]-i
tern lata S/W &davit to Ewe a ent upon reccipt of omc s u m m q . On 2/18/05, SSA
spoke with S7
4
LA, and explained options again. M a t h is a CyberICI
Primary Teahnicnl L w d ~
Secondary Technical Lead:
Other Contacts:
DATE: 08-15-2008
** Not Assinned
REASON; 1.4 ( c l
CLASSIFIED BY
6032211!TJC/T.P/5W/~jg
b6
h7C
Legal Information
A
y
nwersal Case File Number:
contact ~umberi-1
E-mail Address:
288A -CE121918
Other Contacts:
** Not Assigned
Legal Information
DAIE: 08-15-2008
CLASSSFIED BY 60322UC/IP/STP/gjg
REASON; 1.4 (C)
DECLASSIFY ON? 08-15-2033
CONPATNED
ALL ISFOREIILTION
UNCLASSIFIEDlFOR OFFICIAL
- USE ONLY
CEAU Priority b: TED
CEAU ID: 20070518-13595
Group I Program: SDG I DEP
n
Contact
N l u n b e r j y - E-mail Address:
Other Contack
Legal information
DATE:
IS
.-
oa-~5-200~
CLASSIFIED BY 60322UC/LP/STP/gjg
REASON: 1 . 4 ( C )
D E C L A S S I N ON! 0 8 - 1 5 - 2 0 3 5
MS
w
7 f 22 am
DATES 08-12-2008
CLASSIFIED BY 6032tu~lp/l~p/Tds
REASON; 1.4 (el
PECUSSIFI OW; 08-12-2033
bl
. b2
b7E
nil INF~RMATIONC O E T A I ~
HEREIN 15 UNCLASSIFIED EXCEPT
WRERE SHOWN OE-ERWISE
Law Enforcement
DATE5 '00-L3-2008
CLASSIFIED BY 60322ucL0/'rtp)rds
REASON: 1 . 4 ( e )
.,
-L
E o r Official I J ROnlv
~
,---.
',[
i S)
i.
i,
!,
',
i;
\
'\
'!
\!
,'
i;
!.
!.
'!
i
i.
,'
1
bl
b2
b7E
1.
1
':
!
;
,
Page 2 of 4 Pages
Law Enforcement SensitiveISensitive But
Wnr t3m0i.l HISL n - I ,
>.<
~ a 'Enforcement
w
Sensitive/Sensitive But brnc
ifled
\Is)
\
\!,
!
i
,'
Page 3 of 4 Pages
Law Enforcement SeositiveISensitive But
For Official Use Onlv
Law ~ n f ~ r c e ~Sensitive/Senaitive
ent
But U
*
hr Official Use Only
Page 4 of 4 Pages
Precedence:
TO:
PRIORITY
Date:
06/07/2007
Cyber
Attn:
International Operations
bG
b7c
uc
Europe Unit
Rome
Attn:
Legat
ALAT-d
Operati~nalTechnology
Attn:
CEAU
SS
From:
Seattle
Cyber
Squad Il
Contact: D r L e c ~ i v e )
-.I
Approved BY;
Drafted By:
n
-1:nbs
C ~ G CID #: 288A-SE-NEW
Title:
(pending)
UNSUB (s)F
TIMBERLINE SCHOOL DISTRICT (VICTIM);
C O M W T E R INTRUSION - INTERNET EXTORTION
Synopsis: Requast
'~dministrative:
t-n
1
b6
L7C
SAY
7 CACU.
1
On 06/06/2007, S~?at.I-.l
F! nivi xion was castacted by Lacey
P r i l i c e Department (LPD), Lacey, WA, regarding numerou3 bomb
betails:
Re:
due to
06/04/2007 bomb threat email from sender:
UNSUB (s) also
advised a computer
which resulted in a DDOS attack totaling over 80,000,000 hits. b6
b7C
06/05/2007 Timber1
bomb threat email from sender:
arion due to
LPIJ has
student at Timberline High School,
amears not to be the
and teachers from Timberline High School provided a list
s who may be
attack,
rf,
computer is in LPD
Initial interview of
b7C
On '06/07/2007.~etective
(
WSP, and SA
Katheryn
of Washirigton, who agreed to pxosecute
b6
t7c
To:
Re:
To:
Re:
LEAD (s) :
S e t Lead 1;
(Info)
CYBER
AT WASHINGTON, DC
For information.
S e t Lead 2:
(Info)
AT WASHINGTON. DC
For information.
Set Lead 3:
(Action)
EQm
AT ROME. ITALY
I
Set Lead 4:
(Info)
OPERATIONAL TECHNOLOGY
AT OUANFICO. VA
For information.
Precedence : PRIORITY
To:
Date:
Attn:
Operational Technology
Attn;
Cyber
03/08/2007
b6
b7C
~ S A
CY
From: Tampa
Squad 8
Contact:
Approved By:
Drafted By:
Case
TD
Title:
1-
SA
neL-
#:
'
(Pending)
Details:
BACKGROUND
DATE: 05-07-2008
CLASSIFIED BY 60325UC/IP/PLJ/gjg
REASON: 1 . 4 ( C )
DECLASSIFY ON: 05-07-2033
ALL LIFORFIPTTOW CDPITAINED
HEREIN. 15 mCLA551FIED EXCEPT
&
IF Address
chnology From:
, 03/08/2007
To:
Re:
.
Tampa
chnoiogy From:
03/08/2007
TO:
Re:
Set Lead 1:
Tampa
(Action)
OPERATIONAL TECHNOLOGY
AT OUANTICO. VIRGINIA
The Cryptologic & Electronic Analysis Unit is requested
to facilitate the deployment of a CIPAV to support captioned
Group I1 UCO.
Set Lead 2:
(Info)
-.
AT WASHINGTON. D.C.
(Rcv. 01-31-2003)
Precedence: ROUTINE
TO:
Date: 02/23/2007
Cyber
Attn: C ~ I U - 2
OTD
Attn:
ssA
DES/CEAU
rrr
b6
Chicago
Prom: Cincinnati
Squad 13
Contact
- :A S
Approved By:
Drafted By:
1-
Case ID #:
jk
(Pending)
Title:
b7E
b7A
DATE: 09-22-2006
CLASSIFIED BY 60322PC/LP/STPlq$g
To:
Re:
Cvber
From:
Cincinnati
02/23/2007
From:
TO: Cyber
Re:
Cincimati
1 02/23/2007
LEAD($) :
Set Lead 1:
(Info)
(Action)
Set ~ e a d3:
(Action)
CHTCAGO
with this
(Rev. 01-31-2003)
Precedence:
To:
PRIORITY
Operational Technology
Date:
Attn:
12/14/2006
b7C
From: Houston
CT- 3.
Contact: SA
1 (
Approved By:
Drafted
By:
Case ID
#!'w
Title:
&w:-
7
(Pending)
[
I
~eferenco!"~
,IS1
I
DATE: 09-22-2008
CLASSIFIED BY 60322VC/LP/STP/q]y
WASON: 1.4 [ C )
PECLASSIFI ON: 09-22-2033
bl
b6
b7C
From; Houston
12/14/2006
ogy
Details:
BACKGROUND
From:
la/lr,2oo6
Houston
From: Houston
12/14/2006
O W
b1
b2
b7E
b6
b7C
b7D
b7A
Witness
,;(El
TO:
'
Oper
'"7
From: Houston
12/14/2006
Ogy
Re: l0lM
Set Lead 1:
(Action)
OPERATIONAL TECHNOLOGy
A T T O L O G I C ~ ~ E C T R O N IANALYSIS
C
rur -
IT
bl
Date:
Precedence; PRIORITY
TO:
12/07/2006
Attn: Cryptologic
Operational Technology
&
Electronic
From: Houston
CT-1.
Contact:
SA
1- r
Approved By:
Drafted By:
y
I
Case ID #: (S)
(Pending)
Title:
(UI
--iz----3
ueclassify Uw-#QZ/2031
i4Sl
i
I
bl
b6
b7C
b7A
DATE: 09-22-2008
CLAssTFTED BY 60322UC/LP/STP/gjg
PEASON: 1 . 4 ( C ) '
DECLASSIFY ddl; 03-22-2033
ALZ TIFORFIATIOV COliTAIliTD
From:
12/07/2006
Houston
To: Opera
Re:
'
Tec
From: Houston
12/07/2006
gy
b7A
b2
ogy
From: Houston
12/07/1006
.IS]!
\:
i:
To:
Re:
Technology
1operational
w
-
From: Houston
12/07/2006
Set Lead 1:
(Action)
OPERATIONAL TECHNOLOGY
AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT
'
..
.(Rev. OI-31-2003)
FEDERAL BUREAU OF lNVEgTlGATlON
Precedence:
To:
From:
Date: 10/25/2006
IMMEDIATE
~ t t n : Cryptologic
Operational Technology
&
Electronic
Cincinnati
Squad 13
Contact: SA
'
Approved By:
Drafted By:
Case ID'#:
1 - 1
laow
(Pending)
Details:
as part of a
BACKGROUND
SDG PRODU
updated:
GGAL PROCESS
Consent
criminal, PThT Court
order 60 day
expiration
FISA court order 90
day expirati~n
,,3s)
!
consent
Criminal Search
warrant 10 day
eipiration
FISA court 'order 90
d,ay expiration
b1
b2
b7E
i
Consent
criminal Search
warrant lo day
expiration
FISA C O u f t order 90
day expiration
ALL IWFORMATION COTXXNED ,
EREIN IS UNCLA331F:ED MCEPT
W
R
E IAOW OTHERUIEE
DATE: 09-23-2000
CLASSIFIED BY 60322 UC LP/STP
REASON; 1.4 LC)
DECLASSIFY ON: 09-2'1-2033
DATE: 09-22-2006
ALL THFOWT
r
NA
NA
day expiration
Consent
Criminal T-IIT court
order typically 90
day expiration
FLSA c o u r t order 90
day expiration
Consent
Criminal T-I11 C O U r t
order typically 90
day expiration
b 3.
FISA c o u r t order 90 b2
day expiration
b7E
UNSUB(s);
On June 6,2007, the Seattle Division was contacted by the Lacey Policc Department
(LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Senice
(DDOS) attacks received at the Timberline School District, Lacey, WA. The threats
' began on May 30,2001 and persisted through June 4,2007. The t h a t s necessitated the
daily evacuation of Timberline High School. The LPD and the Washington State Patrol
(WSP) performed school evacuations and bomb sweeps with negative results. Parents
and school district employees informed local television stations and newspapers,
- - . which
aired the story on J& 6,2007. As a result, the LPD requested investigative assistance
from the Northwest Cvber Crime Task Force (NCCTFI. headed by the FBI Seattle
Division. In.turn,the ~eattleField Office reql$sted assistance fmbthe OTDICRAU to
attempt to geo-physically locate the UNSUB(s).
Assistance Provided
CEAU deployed a Cornput& Intemet Protocol Address Verifier (CIPAV) to a MySpace
account identified as possibly belonging
- - to the WNSUB. The CIPAV returned several IF'
addresses, one of whikh resolved back to Comcast Cable in Seattle, Washiapton.
Subscriber informarion obtained from Comcast led to the issuine of a search and arrest
-ant.
A 15 year old male student h m Timberline High ~ c h i owas
l taken into custody
without incident at his home at approximately 2 A.M. June 14,2007. The minor
confessed to issuing the bomb threats. Future bomb threats,dated June 14,2007, were
found oe the minor's cornam. The minor's computer equipment warr seized and the
arrest was made without kcident. Following an &tervi& with the minor, the LPD was
able to solve mother threat case. as the minar confessed to issuinn teleohone
death
^
threats to teachers and others, inh"'&nling
his pawits, earlier in 20G.
Version 0.1
Version Control
Changed By
10 July 07
Version #
0.1
Changes
Draft Baseline
kTC6-
(Rev. 01 -3 1-2003)
Precedsaca:
To:
Date; 07/05/2007
ROUTINE
Attn:
Seattle
SA
Cyber
From:
Approved By:
DiClemente Anthony P
3earcy William 1x1
Drafted By:
1-
kld
- SM?
298~-SE-93709
Case ID 8: 2b8-HQ-1305912
Title;
(Pendina)
(Pending)
ZIGWIM IS U'NCLAS5IFIED
DATE D9-19-2008 BY 60322UC/LP/STP/uju
OBJECTIVE
The objective of this operation was to deploy a CIPAV to
locate the subject issuing bomb threats to the Timberline High
School, Lacy, Washington. The CIPAV was deployed in the usual
way.
SUMMARY OF
EVENTS
C
m
-~
oncur ence for the operation was obtained from Case Agent
and Kathryn A. Warn, Assistant United
y , western District of Washington. In addition,
Office of the General Counsel. concurred with the
b7C
oneration followino
his
review
of
the
affidavit
and
warrant.
signed by ~ a m e i i .Donobue, United States Magistrate Judge,'
United States District Court,,Western District of Washington,
dated 6/12/2007.
~
- -
~-
CONCLUSION
CEAU deployed a CLPAV to a MySpaee account identified as
possibly belonging to the UNSUB. The CIPAV returned several IP
Addresses, one resolving back to Comcast Cable in Seattle,
Washington. Subscriber information obtained from Comcast
confirmed the suspicions of Law Enforcement and led to the
issuing of a search warrant and arrest warrant. A 15 year old
male student from Timberline High School'was taken into custody
without incident at his home at approximately 2 A.M. on
6/14/2007. The minor confessed to issuing the bomb threats. Bomb
threats dated 6/14/2007,were found on the minor's computer. The
minor's computer equipment was seized and the arrest was made
without incident. Following an interview with the minor, the LPD
was able to clear another threat case, as the minor confessed to
issuing telephone death threats to teachers and others, including
his parents, earlier this year.
'
LEAD (s) :
Set Lead 1 :
(Action)
SEATTLE
A T SEATTLE. WA'
Lead covered at OTD/ESTS/CEAU. Read and Clear
Set Lead 2:
(Action)
AT WASHINGTON. DC
(Rev. 01-31-2003)
H
FEDERAL BUREAU OF INVESTIGATION
Precedence:
ROUTINE
Date:
06/13/2007
Contact: SSA
Approved By:
Drafted By:
C a ~ oID H :
Iitle:
senrry
William 111
1-
2 6 8 IIQ-1305912-SW
BACKGROUND
Qn 96/96/2007, the S e a t t l e Division waa contacted by
Leccy Police Department (LPD), Lacey, WA, regarding numerous born
threats and UDUS attacks faCeived at the Timberline School
Bisttict, Lacey, WA. Relow a r e a t i m e - l i n e of events:
05/30/2007
DATE; 08-14-2000
CLASSIFIED BY bU922UC/LP/STP/wjg
1.4 ( C J
DECLASSIFY DO: 08-14-2033
REASON:
aLiurl due to a6
UNSUB (l) also b7C
06/05/2007
Timberli
bomb threat email from sender:
nh Schnol
nvar
ation due to
06/06/2007 - Timber1
bomb threat email from sander:
06/07/2007
~imberlineHigh School received additional
m a l l from UNSUB(s). Details unknown a r present time.
pw
""'
- D
Qn
e r d up."
06/03/3007,
is described by teachers as
On 06/07/2007, Detective)
IWS!?, and SA
1,
sqattle
D
i
v
~
~
i
o
n
contacted
,
AUSA
Kdtheryn
I
Warma, wcaternTiatrict of Wsrrhir~gtun,who agreed to prosecute
captioned n l a t t e r .
To:
Re:
ALL
I N E O ~ T I ~ Ncomts~
FERELN IS ,UNCLASSIFIED
DATE 03-18-2008 BY 609221p/pl/rtla
STATE OF WASNINGTON
COUNTY OF KING
Norman B. Sanders Jr., Wig duly sworn on oarh,'deposes and says:
1.'
employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I
sm currently assigned to fhe Seattle Office's Cybet Crime Squad, which investigates.
various computer, and Internet-related federal crimes.
2.
involvhg ~omputer~ntruions.
Extortion, Internet Fraud; Identity Theft,Crimes
ahst st Children, htellechlal Property Rights, and other federal violations involving
computers and the Internet. I Pave also received specialized training and gained
experience in interviewing and interrogation tedmiques, arrest procedures, search
warrant applications. the execution of searches and seizures, cyber crimes computer
evidence identification, computer evidence seizure and forensic processhg, and various
other criminal laws and procedures. I have personally participated in the execution of
mest warrants and search warrants involving the search and seizure of computers and
electronic evidence, as well as paper documents z
h personal belongings.
3.
within the meaning of Section 2510(7) of Title 18, united States Code, in hat I am
enipowered by law m conduct investigations and to make arrests for federal felony
offenses.
Pngt I of 17 Pages
1
2
5.
I submit this affidavit in support of the amlication of the United States for :
a. search warrant.
'
computer to transmit data, in response, that will identify,the computer andlor the
user(s) of the computer.2. In this aanner, the FBI m y be able to identify the computer
and/or user .of the computer that are involved in committing criminal violations of
United States Code specifically. Title 18, United States Code, Sections 875(c)
(hmtate Transmission of Communicarion Containing Threat
'
4Injure). and
More specScaIly, the United States is applying for a search warraut authorizing:
a).
.
I
Myspace is a international free setvim that uuscs the Internet for online communicalion through
an interacavc social network of photos, videos, weblogb, user pmfdes, blogs, e-mail, instant
messaging. web forums,and groups, as well as other medi* formats. MySpace users an capable of
customizing their user webpage and profile. Users arc also capable of searching or browsing olhcr
Myspace webfmges an4 adding other users 8s 'friends*. If mE person identified approves your
%end" requeat, he or she will be added to your list of friends. Uscrs are capable of sending Myspace
'
orher provider to a specif% User and used ro address aud route c1ecrioi.i~cocommicati011~
to and kom
that'uscr. Nor do= the government c o n d e rhat a reasanable expcctabn of privacy is abridged by UIC
Use Of this convnunication technique, M Cat the use of lhis mchniiue to collect a ~omputeT'8TP
addtcu, MAC address or other variablea that nre.broadcast by the computer whenever it is c o m t e d
to Ute Internet, ~0nstitUksa search or wizure.
3
Concepprsuy. IP addresses arc similar a telephone numbers, in that lhey are used to identify
compufen rhat exchange information over the Internet. An IF address is a unique numeric address
~ S e dto dircct information over tho Inrrrnet and is a series of four nuinkem, each in the range 0-255.
separated by periods (e.g., 121.56.97.178). In general, informarion sent over the lutemet must
cwtain qn Originating IP address and a destination IP addnss. which identify the w m p ~sending
s
and ncelving the information. Section 216 of (hc USA Patriot Act (P.L. 107-56)amended 18 U.S.C.
503121 et scq to sp~iflcallyauthorize rht recovery of "addressing" and 'routing" infomtion of
Affidavit of Norm Sanders for CIPAV
USAO# 2 0 0 7 W 9 1
Page 2 of 17 Page%
Verifier ("CIPAV*) in conjunction with any camputt* that administers MySpace user
account 'Timberlinebombinfo"
.,
mm ://www.mns~ace.~dm/tl~lberlinebmb~pl,
without prior announcement within ten days from the date this Court authorizes the use
of the CIPAV;
b).
that the CIPAV may cause any computer. wherever located - ehat
activates any CIPAV authorized by this Court (an "activating computer" to tond
network level messages4containing the activating computer's IP address a W o r M4C
addresl~,~
other environment viriables, and certain repistry-rype informstion' to a
cornpurer comolled by the FBI;
c).
that the FBI may receive and read within ten days from the date
this Court authorizes the use of the CIPAV, at any tinie of day or night, the information
that any CIPAV &uses to be sent to the computer conboUd by the FBI; and
d).
'
Such -ge*
work in established network pro-Is,
dctcrmIniag, for e.urmple, how 9 given
;ommunication will be sent and received. Everv time a cmuur come~tCdto a lccal aRB MIWOIk
[LAN)O Fthe~Internet ~lnn&rsto another computer on thd LAN ot rhe Intrm~t,iibm8dcasB
ReWorL-level w a g e s , including its F address, a d o r media access control.(MAC) address, andlor
~rher" c n v i r o ~ nvariables."
t
A MAC addmss is an uniquc numeric addnss of the network intenkc
card in a computer; Envimnment variables rhat may be mmilted include: operaring system rypc and
vemion, browsw type and version, h e language the browser is using, etc. These network-level
mmges also 01% convey network addressing information, includiag origin and desllnaIillion
iffOtma(ion. Networblevel messages are used to make networb opcrace properly, transparendy, and
;onaistently.
~-.
~
C q u t e r s Uldt access, and cotttmunicae on LANs do po via a acework hterfaec card (NIC)
installed in Ulc cornpuler. The N1C is a hardware device and every NIC w n t a k its own uniquc MAC
addnss. Every rime a computer connected lo a LAN c ~ m ~ l n i c a ton
e s the LAN,the c m p u e
broadcam iu hiAC address.
'
Page 3 of 17 Pages
more than thirLy (30) days after such time as the name a d location of the owner or user
of t@
good cause shown, authorize. h v i s i o n of a copy of the search warrant and receipt
delivery of true an& accurate electronic copies (e.g. Adobe PDF tile) of the fully
exccutd documents.
6.
which I Pave learned through investigation conducted with other law enfmement
officers, review of documents, and discussions with computer experts. Because this an
application for-a search warrant and pen register, not every fact known about the
investigation is set forth, but only &se that are pertinent to the application. As a result
of the investigation, 1 submit there Is probable cause to believe the MySpace
containing thteats to injure, and involve computer intnrsion causing a threat to public
safety in violation of Title 18, United States Code, Sections875(c) and 1030(a)(S)(A)(i)
and (B)(iv). I further submit that there is probable c a w to believe that using a CIPAV
commonly used commercially over local area networks (LANs) and the Internet to
request that an activating computer respond to the ClPAV by sending network level
Rffldavit of Nonn Sandcn for CIPAV
USAW 2W7R00791
Pagc 4 of 17 Pages
S O U Locator
~ C ~ (UU)
"dynabhllyW:
each rime the user
avaiIable IP addresses contrc~lledby the ISP. The customer's computer retains lhar IP
address until the user disconnects, and the IP address cannot be assigned to another
user during that period. Once The user disco~ects,however, mat IP address becomes
available to other customers who connect thereafter. ISP business customers will
9.
Every time a computer accesses the Internet and connects to a web site,
Pam 5 Of 17 Pages
that computer broadcasw its IP ad&w along with oh& environment variables.
atcessing the web site can understand. These enviconment variables, including but not
limited to, the IP address and the language used by the computer', may assist in locating
the camputer, as well as provide infarmation that may help identify the user sf the
computer.
10.
regisay contains, among other things, information about what operating system
software and version is installed, the product serial numby of that software,
and.h e
name of the registered user ofthe cqmputer. Sometimes when a computer accesses the
Intenet and connects to a software vendor's web site for the purpose of obtaining a.
software upgrade, the web site remieves the computer's registry information stored on
its internal hard drive. The regisby iafomation assists the software vendor in
..
determining if that computer is running, among other information, a legitimate copy of
their sohare
,. because'the registry infonuation coniains the sofhnrare's product
regismtion number. Regisq itlformatioo. such as the serial 'rmmber of fie hcperatiug
rystem software and the computer's registered owner, may assist in locating the
:omputer. and identifying its user(s).
11.
IUNSUB) stated in the e-mail "I will be blowing up your school Monday. June 4,
,
Page 6 or 17 Pages
hall, library hall, &ah office a$ one portable. The bombs will go off in 5 miwte
intervals at 9:15 AM," fn addition, the UNSUB(~)stated, 'The email server of your
iistrict will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-ofSqice (Dm)'
attack on the Lamy School Disaicr computer nmork, which caused
3ver 2~,000.000hits on the system within a 24 hour period. School administrators
YLducbpe
as.A
.,
Hello Again: Seeing as how ou're too stu id to trace the email
back lets get serious." phe
mentions bombs sa to .
UNSU$S)
A DOS actnek is an Internet based computer attack in which a compromised system auacka a
iingle largel, thereby causing I denial of service for vriers of &e l e e t c d computer s y s m The fldod
>fincoming messages to the rarget sysfern essentially forces it to shut down. thereby deny& service to
he system to legitiinate users. The DOS attack is generally targeted at a particular ne-k
service,
~uchas e-mail or web a-.
8
9
lo
II
detonate between 10:45-11:15 AM, and adds1 Seriously, you are not
Bill
oing to catch me. Sa just give u Maybe you should hire
wait 1
hater to tell you that it is coming& Italy. HAHAHA Oh
alreadv told vou chat. So stm ~ r e t e n d hto~be "trache it" because I
where t r a , ~
have already-toldyii it's c o & ~ f i o mTdy. That is
will stop so 'ust stop trying. Oh and this ernail will be
behind a
proxy b e d tho Italy server.
~ the who01 on June
d). School admhktators ordered an e v a c u a of
u
I1
e).
l l @ m n a i l . c e the
emaifae~'unithathas
already been deleted of all information b the time you read his
email. Get your.asson a plane to Italy i you want it to stop.
g).
I& 6,2007.
'There are 3 bombs lanted in the school and they're all dierent
kinds. I have rema e these weeks in advance and tested the timp
to make sure ey work to exact millisecond. Locking the doors is
a good plan, but too late."
2, B
i).
s June 7, 2007..
9
lo
, ~ 3
14
.I
k
1s which had rewaled a complaint f k i a person identifed as 40. AG Stated tbat she
14
17
18
19
&
u beceived a request from h e UNSUB(S) to post the link on their respective myspace.com
23 webpages. Subsequent interviews performed by Kaight yielded limited information.
1I
25
26
IInstant
from
of a bomb.
"I
I
"1
14
:IS
Sam Spiering
17
19
"1
21
0).
,.
m "Timhe~Iine.Suck@~m
ail.cam." which resulied in
12.
25
26
27
28
Status:
*
USAW 2007R00791
PP: 80.76.80.103
LOGS:.All times are'displayed in UTCJGMT
gpugtvicasl23~~mail.com
DatelTime
IP
063~-2007
05:47:29,am
81.27.207:243
04-Sun-200705:43: 14 am '
80.76.80.103
03-Sun-200706:1944 am
80.76.80.103
%-viceProvider.
"
User ID:
199219316
First Name:
Doug
last Name: ,
Briggs
Gender;
Male
Date of Birth:
12110J1992
Age;
14
couq:
US
City:
Law
Page I I of 17 Page$
Postal Code:
985003
Region:
Western Australia
Email'Address:'
tirnberljne.sucksB~mai1
.corn
User Name:
timberlinebambinfo
Sign up IP Address:
10
11
80.76.80.103
Sign up Date:
Delete Date:
NIA
Login Date
o).
12
contacting Sonic SRL and locating the cornpromisad kmputer utilizing IP Address
13
80.76.80.103.
14
b):
Page 12 of 17 Pages
'
14.
a).
Once the CIPAV is successfully deployed, it will conduct a onetime search of the activat'ing computer and capture the information
b).
c).
,
d).
Virginia.
After the onetime search, the CIPAV will function asa pen register
device anxl record the muting and destination addressing information
Page 13 of 17 Pages
e).
U'mard the
iformation I have gathered from various computer experts, I have probable cause to
,
idividual(s) using the computer m transmit bomb mats and related wmmunications in
iolation of Title 18,United States Code Swtions 875(c) and 1030(a)(S)(A)(i) and
3)(iv).
17.
l(Q(3) would jeopardize the success of the investigation, and because the hvestigation
as not identified &I appropriate person to whom such notice can be given, I hereby
quest aumorizatioo to delay suoh notice until an appropriate person b identifA.
h e r , assuming providing notice wollld still jeopardize the iuv&tigatioion after rur
~ropriateperson to receive notice is identified. I request~permissionto ask this Court
1 authorize an additional delay
JSAW 2007RMn91
is that announcing the use of the CIPAV would assist a person conaolling the
computer(#)to evade revealing its true IP address, other variables, and certain
e infDrmation - thereby defeating the ClPAV's purpose.
19. Rule 41(eX2) requires that (A) the warrant command the PBI ''to execute
'within a specified time no
. . longer thsn 10 days" and (B) "execute the
r time.. ." In order to comply with Rule 41, the Government will
between the hours of 6:00 a.m. and 10:OO p.m. (PST)during an
W is not
Page I5 d 17 Pages
dl.
'
led by the FBI and located within the Eastern Di~UictOf Virginia;
c).
that the FBI may receive and read, at any time of day or night,
d). that once the FBI bas received an initial ClPAV response from the
ivating computer consisting of network level messages contawg the activating
e).
Page 16 of 17 Pages
22.
Remature disclosure of this Application and related documents may jeopardize the
iucces8 of
me &is
n#.
USAW 2CO7R00791
Page 17 of I f b e
SECRET
(3
4.37 ~
caea: Atd-GIanu
UA
IS)
DIIIL: 08-14-2008
CIIISSInH) BY 60322UElp1Sq /L&
A50Q: 1.4 I s )
SECRET
4 - 7
ROUTINE
Precedence:
TO :
Date:
09/05/2007
b6
Records ~anagement
Attn:
~ ~ ~ S / w ~ ~ / ~ i n c hSite
e s t2,
e rGR N23
From:
approved -By:
Drafted By:
..
'~aae
ID #:
Title:
b7c
I
-:w,~~
130-HQ-C1547903
(Pending)
-------
----
ELECTIjllNIC FRONTIER,AND
C ~ E T,NETWORKS-
/w d
ALL INFORMATTON ~ 0 i m ~ 1 m ~
HEREIN IS UI$CLA5SIFIED
DATE 03-19-2008 BY 603221p/plj/rds
Reference:
1 9 0 - ~ ~ - d 1 5 4 7 9 0Serial
3
49
!'
.:
:,.
,i
,,.
, .?
??
Re:
190-HQ-C1547903,
Prom:
To:
09/05/200d7
LEZ+D(a):
Set Lead 1:
(Info)
RECORDS MANAGEMENT
AT RIDS/~PU/WINCI-~ESTERSITE 2 , GR ~ 2 3
Read and C l e a r .
Precedence:
To:
ROUTINE
Cyber
Cincinnati
Evansville RA
Indianapolis
; r j \
Las Vegas
I SSA )
Approved By:
Drafted By:
Case,ID
Title:
Synopsis:
i jjb
To f o r w a r d results
(Pending)
r:
Enelesura(s):
Details: he r e f e r e n c e d
analyze 1
To:
Re :
SPECIAL TECHNOLOGY
05/25/2007
LEAD ( a ) :
Sea Lead 1:
(Info)
CYBER
A'ILR#SH.I.NGTON.
DC.
sat uILd 2 ;
(Action)
CTNrTN,ty$TI
AT CINCINNATI. 01110
Read and C l e a r .
S b t laad 3!
(Info)
LAS VEGAS
AT LAS VEGAS. NEVADA
set wad
4 ~ :
(Info)
INDIANAPOLIS
A'I' E V A N S U E
INDIANA
August 28,2007
I D :0116159
Stntus :Closed
I-:
Requestor Name
I-[:
Phone
office : HOUSMN
Offlcs t o d m :3290-0000
b6
b7C
I -:
Assigned to Name
Program Manager
catee~:cEAu
Ibm: Internet Tracer
b7C
DATE: 04-11-2008
CLASSIFIEP BY 60322UCltP/PLJ/gjg
REASON: 1.4 ( C )
August 28,2007
1 Status :Closed
Raquestor Name
Phone
:n
C l d : 1/13/2005 1:39:50PM
Office :'OMAHA
:n
lnvertigative Pmgram :
Assigned to Name
:n
~saignedTO ~ m u :p o
- 0 ~
(S)
:D m
Program Mana er :
-ram/-
IffT',I
b2
4 S ]1
b 7 ~
-I
27120W 2:28:13 PM
ssigned/forwarded request t
u
9/27/2004 2:28:13 P P f y
assignedlbnrvarded request b
DATE: 08-14-2006
CLASSIFIED BY 60322UC/LP/STP/gjg
REASOB: 1.4 ( C )
DECLASSIFY ON: 08-14-2033
ALL f A 1 F O ~ T I O NCOXTATNED
HEREIN TS UDTELA591FIED EXCEPT
WfERE
mom
OTHERWTSE
o h a s Raasslgned or Forwarded th
10/21/2004 1:20:40 PM
Request ID :0096936
IStatus :Completed
de
Petformane Indlwtor :
'
I'
I ( :
;vC
Pmgram Manager
Categoy :CEAU
3/25/2005 9 4 2 3 1 AM
b2
b7E
SiIOW$ OWRTJTSE
Page 1 of 1
I
1,
n
August 28,2007
status :a m p l a
Parformanee Indieator :
Opened : 3/8/2005 12:35:09PM
I- :
RequestDr Name
Ornw :CyDfIINI
Phone
:n
I-:
Assigned b Name
~rnghm
Manager
Program/-
Categoy :CEAU
rtem: Internet: Tracer
DATE: 08-14-2008
CLASSIFSED BY 60322VC/LP/STP/g>g
REASON: 1.4 ( c )
DECLASSIFY OM: 08-14-2033
Page 1of 1
b6 f
1
b7C
August 28,2007
Request I D :0099200
Status : Completed
Performance Indicator :
Opened :4/25/2005 10:32:21AM
1-1
~ffica: BUFFALO
Requestor Name
1-
b6
m c e code : 3110-0000
Phone
b7C
Program Manager
l~equeaed
Support :Buffalo request asslsbnoe wlth UPAV
IS) J
bl
b2
b7E
b6
b7C
DATE: 08-L4-2008
CLASSIFIED BY 60322UC/IP/STP/gjg
REASOW: 1 . 4 (C)
DECLA35Im 08: 08-14-2033
UN~JASFED
Page 1 of 1
06
b7C
Request 10 :0099477
Performance Indicator :
Status :C o m p l M
Requestor Name :
Phone
I(:
Ofiice : PHILADELPHIA
b6
b7C
:
nb7C
u6
1-4
Assigned to Name
h i g n e d To Gmup : CEAU
Program Manager
Category :CEAU
DATE: 08-14-2008
CLASSIFIED BY 60322UC/tP/8TP/~j~
REASON: 1.4 ( C 1
DECLASSIFY ON: 08-19-2033
SECRET
UNC-D
Page 1 of 1
1 ststus ! ~
Pertormanee Sndlcator :
Requestor Name-:
Phone
I- :
Care ClarrMcaDian Number :315A
Investigative Program :NRP-TT
b6
W k e Code : 1813-0000
b7C
Awigned ta Name
:
n
~ & i a m Manager :
%6
b7C
Cakgory :CEAU
mm: Internet Tracer
..
b7C-
~upporl~
: ~ n w a nto tsendl
s
to a cyber extortion subject.
b1
b2
&=ant
b7E
Page 1 of 1
amplate sw a amdavit to S A n a n d
~ On n
5.23.05, ~ ~ n a d v i s that
e d he b still
get a warrant to use the technique. On 6.23.05
dvised that case is being closed. COMPLFED
August 28,2007
Status :Completed
Perlbrrnanfe Indicator :
Opened :8/12/2005 3:52:28PM
Requestor Name :
Phone
:n
claeed :9/28/2005
12:39:43PM
0ma :CLEVELAND
omoe Code :3170-woo
b6
b7C
f
Arsigned To Group : CWU
b7C
6-
I t n u Internet Tracer
I
communicating wlth fugithre via Email
b7E
b6
Page 1of 1
August 28,2007
Request I D :0102303
Ststus ? Completed
Requestor Name
I-[:
:n
m m :C H A R L r n
ORia Code : 1813-0000
Phone
Cam ClassCReation Numlrer :315A
Imastlgatlve Pmgrarn :NFLP-TT
:nb7c06
igned Q Name :
O
C l o d : 8/17/2005 1:11:12PM
Prmram Manager
Pmgram/fypc !'~mI0te
Computer Traa
Category :CEAU
Item: Internet Tracer
DATE: 09-16-2008
CLAssTFIED BY 60322 V C / L P / S T P / ~ ~ ~
EASORT; 1 . 4 ( c l
DECLASSIFJI ON: 09-16-2033
ALL INFOaEIATION CONTATldED
HEEIRT I S UNCLASSIFIED EXCEPT
WERE SHOWN OTPERWIIE
1 -
1 /
Page Iof I
mtus :Complekl
PerPormance Indicator :
Opened :8/17/2005 1:26:50PM
I-[:
C l o d :8/17/2005 1:27:02PM
Requestor Name
Phone :
b6
b7C
Tnwstigatlve Program : N R P r r
I(:
f -4
Adgnedto Name
Pmgram Manager
mtegoy :CEAU
Page 1 of 1
August 28,2007
m ;10/18/2W5 2:22:16PM
C I U :1W1812005 2:22:32PM
m m : Internet Tracer
b6
b7C
A 09-16-zooa
~
nr
SO~Z~UC/LY/~'~P/W~~
Performance Indlcatxlr :
Requert ID :0106847
Opanetl: i1/28/2005 i1:02:43AM
Requestor Name :
I
MAce IDENVER
phone :
Mnw Code :3210-OW0
Cam ClassffiUtion Number :315A
Investigative Program :NRP-TT
1-
b6
b7C
I
Requested Support :Re hlcall t o 0 1 1 / 2 3 &
2812005. Denver requests use of the CIPAV technique. A draf
of an affldavR has been e r n a i l e d a o n 13/28/2005.
Additional information wlll follow re method used to deliver the
technique. Questions, please call)
DATE: 09-16-2UU8
CLASSIFIED BY 60522UClLP/STP/gjg
REASON: 1 . 4 ( o )
DECLASSIFY Om? 09-16-2033
Page 1of l
og :12/21/20052;08:31 PM
August 28,2007
Seatus :Completed
I-:
Requestor Name
DfAm :PHOENIX
Phone
Miice C d e :3630-0000
:n
Caaa ~la&cati&
Number :315A
InvestigativeProgram :NFIP-TT
migned to Name:
'
t S ' I
DATE: 08-14-2008
CLAlSIFSED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C]
DECLASSIFY 0 1 : 08-14-2033
ALL INFOREIATION COlK4INED
HEREIN I S UNCLASSIFIED EXCEPT
WIEW SWOWN VTKCRWISE
Page 1 of 1
August 28,2007
0107347
Pwlbrmance Indkatur :
Request I D :0107347
Status :Completed
I - :
~eqiestorName
:n
b6
b7C
M R C ~C O U :
~ 3920-0000
Assigned to NameI-:
Asdgned To Gmup : CEAU
Category :CEAU
m m : Remote Computer Search/Sutveillanoe
Program Manager :7
1
PmgtamlType :Computer mplohtlon
ALL I N W m T I O I COrnAINED
HEREIN I9 ETCLASSIFXED
PATE 04-15-8006
BY 603ZZVC/LP/PLJ/gjg
Page 1 of 1
o6
b7C
August 28,2007
Status :Completed
~eiformaiceIndimtor :
Request I D :0107566
I-:
~cquegtorName
(Iffice :W V G A s
p h 0 n e : I l
b6
b7C
DATE: 08-14-ZOO8
CLassIFIED BY GO322UC/LP/STP/gjg
REASON: 1 . 4 ( C )
DECLASSIFY ON: 08-14-2033
Page 1 of 1
b7c
Status :Completed
R~uastM
Name :
Perfbrmance f ndleator :
Opened : 4/27/2006 10:43:58AM
1-
Phone :
C l d :4/27/2006 10:44:16AM
OflCe :PrrrSBURGH
b6
b7C
I(:
Assigned to Name
~rograrnManager
1-4
~6
b7C
category :CE4U
m m : Internat Tmcer
b6
b7C
Page 1 of 1
August 28,2007
Requesl I D : 0111145
Opened :4/28/2006 9:45:21AM
Status ;Completed
Requastor Name
I- :
Phone
1-
Name :
Prqjram Manager
mu.
DATE; 04-15-2008
CLASSIFIED BY 60322UC/LP/PLJ/dU
REASON; 1.4 (Cl
DECLASSIN ON: 04-15-2033
ALL I ~ F O r n T I O NCOrnATNED
WEREIN IS UNCLASSIFIED EXCEPT
m
R
E 5 n m OrnRWISE
Page 1. of 1
August 28,2007
~rLOUIS
Rtque~brName $
7
Phone
OW~B
:
b6
b7C
-Asslgnd to Name :
n
Pmgram Manager
I-:
6b7c
1-1
Cetegvy :CEAU
DATE; 09-16-2008
ALL IMFORMATIOM COMTAIUED
CLASSIPTED BY 60322UC/LPt3TP/qjg WEREIN IS UNCLASSIFIED EXCEPT
PEASON: 1.4 ( c )
WHERe SHOWN O'lEERUISE
DECLASSIN CQJ: 09-16-2033
Page .lof
August 28,2007
Request ID :0117037
Status :Closed
C l a d : 5/14/2007 10:04:28AM
Requestor Name :
Phone
:n
'
b6
b7C
Assigned tm Name j
Program Manager
- 4
b1
b6
-b7C
b2
b7E
l l l U Z W 7 8:37;25 AM
b6
DATE: 08-14-2008
CLISSLFIED BY bD322UC/IP/STP/gjg
to
smw
DATE: 03-38-2005
CLASSTFIED BY 6 0 3 2 2 1 ~ i v l J l r d a
=SO%
1.4 I s )
DECLii5SIA:.0
03-18-20.33
Caru: At-A-G~uuc~
Care Number
b7A
..."
,,.,'
,
,
,.,'
IIProgmm Sensitive
bl
b2
b7E
blA
Page 1 of 26
,,
IlPrognm Sensitive
Page 2 N26
Cases; At-A-Glrnee
\
tsj
Csle Nulnber
Pending
b7A
bl
b2
b7E
b7A
(5)
//IPiqram Sensitive
Page 3 of 26
(s)
Casa: At-A-GIaace
IIProgmm Sensitive
Page 4 of 26
SECRET
1
IS)
$1
b2
YE
~ Y A
I s1
5)
(s)
IRrogrnrn Se~sltlve
pate 7 oil6
I
9
UNKNOWN
4s)
bl
bl
b7E
blA
L,,,,,
10
I
I2
I3
09/14/2006 17?22hra.
Page 8 of 26
//Program Sensitive
(5)
Es1
bl
b2
blE
:s)
""
( S]
-
IIPmgram Sensitive
Page 11 of 26
09/14/2W617:ZZ 1rm.
IIPrognm Sensitive
b~
b2
b7E
b6
b7C
Page 12 d 2 6
Page 17 of 26
bl
b%
blE
1 .
31 s ~ ~ a 5 4 3 a r
?I - 1
ISl
.,'
...,....
..,.' . "
,..,..,,.,.
Is
.,...., ,
....
.,.,..I.'
,,...."'
//Program SenalUve
Page 18 of 26
.,...
, .,.
,,,.,,.
Page 19 of 26
CMS6D
(s)
IS
bl
b2
blE
CLOSED
288A.RH-52644
-5s)
.,,
Page 20 of 26
IIProgram Sensitive
Page 21 of26
C481i At-A-GIaUCe
174C-LV-39242
CLOSED
1
k. n
2BBD-W-
.'P
2329M
msao
a)
31sB.IP.
94772
bl
b2
b7E
CLOSED
~"7-Ti?777
C s1
Is
CWSED
Unknown
\,I
-CS)
315N-SF-012606
//Program SsnslUve
Page 22 of 26
page 26 of 26
DATE: 09-13-2008
CLASSIFIED BY 6032Zuclp/stp/rds
PEAsON: 1.4 ( C )
DECLASSIFY ON: 08-13-2033
S&T
suomgmmLs~
1.4 (el
DECLASSIFY 08: 08-13-2033
ALL INFORMATION C D h T A I m
liERGIB 15 UNCLASSIFIED MCEPT
WERE SHOWN OITERWISE
Swsitive but U
Version Control
Date
ChangedBy
Version #
0.1
Changes
Draft Baseline
Sensitive but
.d '
u~W
.*
----r-n
nian nnlv
1
\
-,dT
Page 2 of 2 Pages
Law Enforcement
But
- Sensitlve/Sessitive
-.-E-A..,
smm
Y/=/-Q
-. -
El'
Page 1 of 10 Pages
HEREIN IS UNCLASSXFIED EXCEPT
WAERE SHOWN OTHERWISE
Law Enforcement Sensitive/Senaltive But
=P&T
Rnr nftirinl ITse Onlv
bl
b2
b 7 ~
I--,.,
b2
b7E
2==I
Page 2 of 10 Pages
'
SEW
'
bI
b2
b7E
Ii
j
j
I
1
i
j
i
j
j
I
Page 3 of 10 Pages
L a w Enlomnent SensitlvdSeasitive But*U
MT
w-"
r.#*"&.I
11"-
#%..I..
bl
b2
b7E
(DOC)
Page 4 of 10 Pages
l l r . ~nnlv
bl
E:E
Page 5 of 10 Pages
Law Enforcement SasEt6ve/Sensitive But U$?p$$l
Page 6 of 10 Pages
Law Enforcement SensitlvelSensltlve But Unc
Page 7 of 10 Pages
Page 8 of 10 Pages
SHT
Page 9 of 10 Pages
Law Enforcement SensitlvelSensitive But
b1
Page 10 of 10 Pages
Law Enforcement SensitivdSeositive But ~ n h m d
..
*
Cincinnati ~nvestigation
1-
b2
b7E
b7D
Acording to the Cincinnati's EC, "The CIPAV was previous1 &posed to hackem from
01130/2007 to 02/09/2007 but no information was gathered because
I
DL
"During the period of the current search wmranb the ~ & u bhacker(. r r c c e i s e d n
02/13/2007 at 12:23:08 Eastern Standard Time
I"ESTr9. The Unaubfs) then ~ r o c e e d e j visit
t ~ the site 29 more timer. I n these instunces, the
b ~ ~ dnot
i deti&iilsrp&bad
d
becrrurc of system incompatibiliry. On 02/15/2007 at
5:29:21 EDT, the system was able to deliver a CIPAV and the CIPAV tetumed data"
~ ~ a r e ~ u e sSTOU
t e dimmediately begin analyzing all data recovered by the CIPAV
and continue to perform analysis on an ongoing basis until the termination of CPAV operations
.
STOU engineers immediately engaged in the case and began providing data back to SA
0 t h very next day. STOU contiaued to provide daily support until the analysis was
complete.
b2
b7E
b7Q