Cipav Wired Foia 04-16-09 PDF

.
. ,
.
,
.
, ,
1 CCIPS
FTO~:(
'
ch.Z,20033
"
b6
DA&: 00-12-7008
b7C ,
CLASSIFIED by 6 0 3 2 2 ~ ~ l p / ~ t ~ / r d a,,
,, bi
::
~ A S ~ N1.4.1~1
:
b2 . .
f i ~ c ~ n s s xON:
~ r 08-i2-2033,
..b7E
,
,
,
,
'
..
'
'
'
of you b o w , some investigators have begun to use .ninvestig'ativctechique referred,

" While the technique is of '. .
tbas 'm"lhtemet Pratoc,ol,AddressVerifier"
aWa a '
indispmble value'in C&
kiids'bf cases, we at seei"g indications thk it is behg used needlessly by
.
agencies, unneceisdly raising d i m l t legal plrstions
(and a,d+ of su~prnsion)without my
.,
.,,
. . .
, ,
countervailing benefit. '
.
As
'
'
, '
LAW ENFORCEMENT
SENSITIVE.
.
FOR
OFFICIAL
USE ONLY
.
,. ,
.
.
.
,,
,.
(w).
'.
.,
'
, ,
'
. .. . . , , . .
. . ,.. . . .. .. . . . . .
,. ,
I' ,
. ,,:. ,
,. , ,, . ... , , , .
.
.
.
.
.
.
.
.
,.,.
,
. .
. . .
.
.
. , . ,.,..
,
.
.
. . . ,. .,
. . . .
..,.
,
,
,
.
,
.
,
;
. . i . . . ... . .. . , .. , , .. .. .. .. . .. . . . .
.,
,,.
,
.
: . , , ,., ,
.
, .
,
. ,
,
,
. . . . .. ., , , , , ,. . , , ,
,
,
:.
.
,,
. .. . . .
, ,.
,.
.
.
.
.
.
.
.
,
,
' , ,
, . ,
.,
, , ,
,
,
. ., .. , .
, .
..
,
, .
,
,
,
,
.
,
,
,
,
, .
. ,
.
..
'
' ,
'
. .
.',
\.
'
.. . . . .
, ..
,
, , '
.,
,.
,,
'
. . . . ... , . . . . .
.
. " . , ,.
.,, .
. .
,,
,
.
. ,
..
..
.
' . ,
,
,
,
.
, ,
:
.. . .. , a
,
'
! I " .
' , ,,
.
,
. ,
. ,.
. ,'
',
I
I.
'
. .
.,,
. . . . . .
'
'
. . . . ,. :. ,
,, , . , , '
',
.. . .'."bl
' ,.
, , ,.
,;, ,, .
'
., ,.
, . .
..
.,
.
I'
: ,
" . '.
'.
,
" , . ,.,,
. .:.. . . I. . . . , , . , , .
,,,
, ..
., , , . . , . , , ; . . . . . .. . .. .. . .. . . .. # ! ' . . .. .' .. ^.
. ,
.
,
,. , .
. . . . . . . ., ,
, .,,
. .
,
..,. ,
, .
. .
. . ' . :,
,.
, .
.. ,
,
.,.
. . . ., .
, , ,
.
..
'
, , ..
,, .
'
, : . .. . .. . . . ..,.,.
,
. . .. .. .. .. . .. . .
'.' . " .
.
, . , ., , . ., ,
:. b i ' , , , , , , , . . . . . .
., , . . '
,
,,1 , . b6
1
.,.
. .
., .
. . ..b7C . . . . . . , .
,
.
, ., .
. .,
,
. . . .. . , . ,
,
,
.;.,, ,
.. , .
'
,
,
: ...';.. ....I
. . . . . . . . . . . . . . . . .. .,. , , . ,:
. .. . , , , ,
. , ,,
. . , .. ,
', . '
..
.
;,
' '
'
I : , .
1 ; .
.,
,,
..
.
'
. .
.,
: : I'.~~ctrss~n'oy:
03'19-2033
,.; . , :,
' ,
. , . ... , .
. . .,.i . . , ..' .: . '
........
,
.,:
, .
. .,
,, , .
:, ' ,
,, .
,
:;.,; .bl'. . .' .. . .. . .. . . . , . . . .
. , ,
. .
.
.. ,
. ,
,
., . .,, . . . , . , .
'
' ;
, ,
.
'
. ...
,
. ,
.
.' . . :. . . . .
,
. , '.
:,
. , . . . . ... . .
,,
'..
.
:..
. ,
'
'
'
.
, ,
, ' ,
, , . ~ ,
..
.. ,
,
,
..,
..
.'
''
, :
, .
!', ,
,,
m1 'INFO. ' .
.".
I:,
,.
'.'
'
.
.,
I.
.
.......
'
8.'
. '.'
' F i ~ s ~ ~ ~ ~ m ~ : ' ~ s ~ .0', ',3 z t ~
. sow: 1 . . 4 , ( . ~,,'j '
. , : ,,, .,, ' .
....
..
...
.
.
,.
. : ., n n q : 03-lg-zoos
...
..'I
'
"
. ., .
,.
.,
. . . . .
. .
, ,
,..
'
. . . . .
.
, '
.
'
,.I..
. i
. .
'
... , , .
.,
,..
.,. ,.
1
: 1
:1
'bl
,
!
.
I
.
. .,
'.
..
. ,
:.
: I
,.
,
,
.
. ,
,,',
I
.
I
.
.
. ..
,
'
'
.
,
'
,,
.
,
.
,
.
,
,
,.
,.
.,
.,
.
,,,
. ,.
classified by:
, . , Jamts
-liPCLICe
.
.
Reason:
. ,.., ,,
~eclassifjlon;, . , . .,
..: . ' ., !:;. ':
.: ' . .
,., . : , , .. ., . . .. . . .. ,,. ,
,
, ,
..
, ,
"
'I
'
: .
. ,,,
.,,
'
,
.
.,
.
I
,
.. ,
,.
.
,.,
. ... . . .. . . ., .. . ,.',, . .
,,
'
., , .. ..
. .
,
.
. . ., . . . .. . . ,: :, ,
., .
. . .
,
.,
,, .
'
,I
.
..
2 . .
,
,
, . ., . ,. . ..
. :
. : .
. ',;
.
. . . .,
..
.,
.. .
,
...
,. ,
/
., , ,
,
I
Poli~v.OlPR
. I,. . . DOJ'
"
. .. ,
' ,
'..'
,
,
,i
..
. .. ,
., ,
.
'
,.
.
i
'
,.
'
., .
,, .
.
,
. ,
,
'
, .
. , ,
,.. , , . , . ,
. , . . . . ., .. , , , .
' .
, , . ..
,,
_ ' . ' .'. , ..
..........
,
, , ,,., ,
. . . . .'.
. , , , . ,
,
. , , ., , , , ,. ,. .!. . ., .., .., .. .. ... . , ,
,
. ,
"
,.
'
. .
,'
. ,:.
,, . .
'. , ,
,,
, ,
,.
, . .., , ,
,
,',
.,
.,.
,
"'
I.
'
./.
, I
..I..
VNCLASSLFIED/FOR O W I C L ~USE ONLY

CEAU Priprity is: TBD
CEAU ID: 20070727T13746
Group I Program: SDG / DEP
Grou Supervisor:
'
A ( 1
contact ~umberj-1
as:
Universal
Fiie.Number:
UCFN Serial Number:
Record Status: Open
Start Date: 27 Jul2007
Due Date: 01 Aug 2007
Request Open For: 5 days, 21 hours,' 22 minutes
Origin of Request:
~~f~riority:
Description: ~ a & rall documents that reference 'CIPAV'
Primary Technical 'Lead:

Secondary Technical Lead:
CEAU Staff Involved:
Other Contacts:
** Not Assigned
Legal Information
ALL INFORHRTLOW COKTAImED

HEREIN IS rnCLASSTFZED
DATE 08-06-2008 BY 603Z2UC/LP/STP/919
E-mail Address:
UNCLASSIFIEDIFOR OFFICIAL USE O

CEAU Priority is: Green
CEAU ID: 200705 16-1 3566
Group Supervisor:
-1-
Contact N u m b w ( 1 - E-mail Address:
e File Number: 1964-RQ-1515692
UCFN Serial Number:

Record Status: Inquiry
Start Date: 07 May 2007
Due Date: TBD

Request Open For: 87 days, 12hours, 49 minutes
Origin of Request: Ur~knpwn
TMA
rna nrurm m r r 0 p a w
b1
b2
b7E
I
Primary Technical Lead:
Other Contacts:
Legal Information
Record Logs:
05/07/2007, 1:30 PM Spoke
with SA
4 s ) - . . ...advi'$gZfrhnt.th)..
,...,,
IS1
Cyber-Forensic Trainingdlliancs (ZYCFTA)who

I
.,'...,
ALL IBFOWTION. C O ~ ~ A I W E D
H"PBFT1 T S
b6
b7C
IINCLASSIRIED EXCEPT
DAm: 08-15-2008
CLASSIFIED BY 60322UCIIP/5TP/gjg
bl
. b2
b7E
UNCLASSLIVEDLFOR OFFICIAL USE ONLY

CEAU Priority is: TBD
CEAU ID: 20070502-12602
Group I Program: DG I DE
,b
Grou Su
, Pervisor:
Contact Nurnber~-~
E-mail Address:
niversal Case File Number: 288A -pH-100637
UCFN serial em umber:
Record Sutus; Completed

Start Date: 22 Mar 2006
Due Date: TBD
Request Open For: 498 days, 1l hours, 48 minutes
Origin of Request: U.S.
FBI Priorily: PROTECT THE UNITED STATES AGAINST CYBER-BASED
ATTACKS AND HIOH TEC
Description: On 3.22.06, S
vised that a viotimUs hotmail account,
b6
b7c
bl
[ S ] . , . \.
b2
blE
b6
b7c

Other Contacts:
Legal Information
Submission ~ e t i i :
Description: Client #I-
ALL TWmRFIRTION COElTAIMD

ZIEREJN IS UNCLASSIFIED EXCEPT
WHERE SHOWN UTEZRWISE
b2
b7E
A
08-15-2008
CLASSIFIED BY 60322UC/LP/STP/gjg
Status: Closed
Technical Lead:
Start date: 03/22/2006
Due Date: TBD
Finish Date: 05/04/2007
Wamnt Expiration dak. No Expiration Date
~ e s c r i ~ t i o n : [ l
Status: Closed
~echnicnlLead:
Due Date: TBD
Warrant Expiratioa date: No Expiration Date
L
Record Logs:
AM-1-1
04/01/2006,8:00
No evidence received
'
UNCLASSIFIED/FOR OFFICIAL USE ONLY
CEAU Prioriiy is: TBD

CEAU ID: 20070502-12594
Group I Program:
Grou Su e 'sor:
r--V
contact ~umberl-1-
E-mail Address:
h E i Z l T d e File Number: 174C-LV-39242
UCFN Serial,Numbek
Record Status: Completed
Start Date: 22 Dec 2005
Due Date: TBD
Request Open For: 588 days, 1.1 hours, 47 minutes
-,+"
.
..

FBI Priority: SUPPORT FEDERAL,STATE,COUNTY,M[INICIPAL, AN&
INTERNATIONALPARTNERS'
b7C
~escription: (U) On 12.21.05, ~ ~ r b i s that

e adcasino received a threat.
bl
b2
b7E
b6
b7C

ALL INFOAEIATIOI CONFAINeD
HEF&I#Y I5 UNCLASSIFIED EXCEPT
WHERE SHOW DTXZRWISE
Other Contacts:
** Not assigned
Legal ~nfokation
b6
b7C
DATE: 08-15-2008
CLASSIFIED BY 60322lTC/IP/STP/Uj0.
REASON: 1.4 (C)
,DECLASSZFY Om: 08-15-2033
Submission Details:
Description: Client #l
Status: Open
Technical Lead:
Due Date: TBD
Finish Date: TED
Warrant Expiration date: No Expiration Date
~escri~tioni
Statua: Open
Technical Lead:
Due Date: TBD
Finish Date: TBD
Warrant Expimtion date: No Expiration Date
Record Logs:
b1
=sent
to begat Moscow.
lead
UNCLASSIFIEDIFOR OFFICIAL USE ONLY

CEAU ID: 20070523-13619
Group / Program:
1Contact ~urnber~-[~-rnail
Address:
Bile'Number: 288A -LV-39208

UCFN Serial Number:
Start Date: 02 Dec 2005
DueDate: TBD
Request Open For: 608 days, 11 hours, 47 minutes
Origin o f Request: U.S.
CEAU staff Involved:
None Assigned
Other Contacts:
Legal Information
ALL INFDaElATfORT COhTAINED

EIERETP IS UNCLASSIFIED EXCEPT
m m SAOWRI OrnRWISE
DATE; 08-15-2900
CLASSIFIED BY 60322UC/LP/BTPJgjg
REASOBI: 1.4 I.C .)
DECLASSIFY ON: 08-15-2053
b6
b7C
UNCLASSIFED/FOR OWFXCIAL USE ONLY

CEAU Priority is: TED
CEAU ID: 20070502-12599
Group I Program:
Group Supervisor:
Contact Number:l-v-mail
Address:
'Universal Case !ile Number: 279~-EP-36918

UCFN Serial Number:
Start Date: 20 Oct 2005
Due Date: TED
bque'st Open For: 65 1 days, 12 hours, 46 minutes

FBI Priority: PROTECT THE UNITED STATES FROM TERRORIST ATTACK
Description: On 10.19.2005,~4-ladvised
that he is wing to locate the specific
computer(s) bedaby subject of WMD (bomb & anthrax)
. , with subiect via
eHormail~&~&show
m.
ALL INPOREIRTIOB
HFRELI I9 UNCLASSIFIED EXCEPT

S H O O~ ~ R W I S E
Other Contacts:
* * Not Assigned
Legal Information
Submission Derails:
Description: Client #I
Status: Closed
b6
b7C
bZ
b7E
I b6
DATE: 09-18-2008
b7C
CLASSIFIED BY 60322 UC/LP/STP/gjg
mA50N:
Technical Lead
Due Date': TED
Warrant Expiration date: No ~ x ~ i r a t i 6Date
n
1-
Description:
Stabs; Closed
Technical Lead:
Start date; 10/20/2005
Due Date: TED
Warrant Expiration date: No Expiration Date
UNCLASSZIFIED/FOR OFFICIAL USE ONLY

CEAU ID: 20070523 13617
Group I Program: S ~ I G
DEP
Crou Su erviaor:
- contact ~umbwf-1
E-mail Address:
File Number: 288A -HO-647RO
e-
UCPN Serial Number:

Rf~corrlStatus: Compl~tcd
Start Date: 15 Aug 2005
Dut Date: TDD

fiequest Open For: 717 days, 12 hours. 45 minutes
FBI Priority: PROTECT THE L N T E D STATES A F A W S T CYBER-BASED
ATTACKS AND HIGH TECHNOLOOY CRIMES
On 4,29 05, SA T b d v i ~ e that
d a hacker deleted a database and
D-criptira:
IS 1
(9).
421
I

Smondary ~tchnicrrlLead:
** Not A s s i p d
Legal Information
'
DATE; 98-&$-1Q08
CLBSSIFm BY 60333VC/LP!STP/gjg
PXA50D? 1.4 tCI
..
UECLAS$LEY ON? 08-15-2033
ALL INFORITATTON CbETATNED

F E E I N IS UNCLASSIFIED EXCEPT
UNCLASSIFlEDlFOR OFFICIAL USE ONLY

CEAU ID: 30070523 13616
Grov Su ervkor:
*
-
b6
I
~ o n t a~nrxrhol-1
~ tE-mail Address:
b7C
Universal Cage File Nurnher:

UCFN Serial Number:
Record Status: Complctcd
Start Date: 09 Au8 2005
Duc Date: TBD
Request Open For: 723 days, 12hours,44 minutes
Origin df Request: U.S.

FBI Priority: SUPPORT FEDERAS., STATE, COlJNTY,MUNICIPAL. AND
INTERNATIONAL PARTNERS
that an IM subject met teenage girl for
Description! x n n 7.6.05, S
from subjcctOs cmuil no
sex
and
is
now
threatening
to
1 - - - . .............................. ........................
[ S 1 .,'"
&d,
wBjs'swsw
b6
b7C
bl
o n , , ~ ~ ~ ~ f i v # . ! ~b2
b76
~ ~
mvidcd to S
Primary Technical Load:

Seoondary Technical Lead:

None Assigned
Other Contach:
Legal Information
Record Logs;
PATE1 08-15-3008
CLA33IFTED DY GO32ZUC~fP,'JTP/$'jp
HEASPI: L.4 I C )
D E C L A S S I N DN: 0 8 - 1 5 - 2 0 3 3
ALL INFOMATTON COIITATNED
,
UNCLASSEIEDIFOR OFFICIAL USE ONLY
CEAU ID: 20070521-1361 1

Group I P r o ~ a m :
G~oUD
Su~ervisor:
1 Dl9
1contact ~
u m b e r rE-mail
l
Address:
ls 6
b7C
F i e Number: 288A -BP-38289

.UCFN Serial Number:
Start Date: 06 Apr 2005
Due Date: TED
Request Open For: 848 days, 12 hour$, 43 minutes
Origin of Request: US.

FBI Priorihr: PROTECT THE UNITED STATES AGAINST CYBER-BASED
ATTACKS "ANI~
HIGH TECHNOLOW CRIMES
Description: (U) Identify ttue IP address of subje
harass people online. Subject is using email aecoun
executed on said account. Logs indicate subject is
I
w affidavit received.a.n.3..
05 and provided to A
lnd
C SW~ signed on 4.6.05 and
bl


None Assigned
Other Contacts:
** Not Assigned
Legal Information
DAfi: 08-06-2008
CLASSIFIED BY 60322VC/LP/BTP/Vjg
REASON: 1.4 (b,cl

DECLASSTIY ON; 08-06-2033
ALL INFOFIWATION CONTAINED

HERETI 15 VQCtA54IFZED EXCEPT
WHeRe SHOW OTTERWISE
UNCLASSIFIEDAWR OFFICIAL USE ONLY

CEAU I D 20070518-13603
Group 1 Program: SDG I DEP
lor:
1-
Contact ~ u m b e r jE-mail
l
Address:
File Number; 9A-IS-94729

UCFN Serial Number:

Start Date:. 14 Feb 2005
Due Date: TED
Request Open For: 899 days, 1 1 hours, 41 minutes

.Secoadary Technical Lead:

None Assigned
Other Contacts:
** Not Assigned
PATE; 08-15-2008
Legal Information
REASON: 1 . 4 ( C ]
DECLAsSIH ON: 08-15-2033
ALL
IIFDREULTION
CLASSIFIED BY 60322VC/LP/STP/gjg
CO~AIIWED
IZERFIB IS UNCLASZIFIED EXCEPT
Record Logs:
b7C
lweb page
advised that he obtained a new W o n 2.1 7.05. Collection was

terminated on 2.20.05 at 1:30pm in compliance with initial d w and no howledge of the
new warrant. S@
b d collection restarted on 2.21.05.SA
lidentified a
1 ..........................
....
subiect.fioi.am.~.
I
~eiecom)which wwar the Q ~ r n i IP
c address assigned t o a customer in 1
law to obtain and
. . execute a Y W on that customer[lr residunc! on
b2
b7E
b6
b7C
UNCLASSIFIED~ROFFICIAL USE ONLY
- dCEAU Priority is: TBD

CEAU ID: 2007051813601
Group I Program: SDG I D P
Group Supervisor:
- E-mail Address:
Contact Numb-
Universal Case File Number: 2881 -pH-98358

UCFN Serial Number:

Start Date: .09 Feb 2005
DueDatfx TBD
MBAT MAJOR WHITE-COLLAR CRLME

stealing identities froma sensitive database and established
email account 1
I Subject using
...............
~.::for..an~nymizers~..Pl~g
.............................
to
get
slw
on
a
8
or
Z9.
S/W
obtained
on
2.
5) QF*ie7
9,Tqqm p*T"fiff"'r' . n . a s ; . s ~
I

CEAU StaffIevolved:
None Assigned
Other Contacts:
0
.
Legal Information
Record Logs:
b6
'b7C
Is)
...........................
( ]
"
Wpz~,.was,.
reviewed signed S/W
b1
b2
b7E
..............................
'
DATE: 08-15-2008
CLASSIFIED BY 6032ZUC/IP/STP/qjg
I L L INFOPEiTION COXTATNED
B R E I N 19 WCLASSIFTED EXCEPT
-----
-">-.
REASON; 1 . 4 [C)
.DECLASSIFY ON: 08-15-2033
,
I
CEAU Pkiority is: TBD

CEAU ID: 200705 18-13590
Group / Program: SDGID P
Group S u u e r v p
C o n t y NumberIC
Universal cask File Number: 166C-EP-36737

UCFN Serial Number:
Record Status: On-Hold

Start Date: 07 Feb 2005
Due Date: TBD
Origin of Beq,uest: U.S.
FBI priority: COMBAT SIGNIFICANTVIOLENT CRTME


None Assigned
Other Contacts:
Not Assigned
Legal Information
ALL IWOREVITIO?J CONTATbED

MREIRI IS UWCLASSIFIED EXCEPT
WZIERE 5H04rm DTHERWTlE
DATE; 08-15-2008
CLASSIFIED BY 60322UC/LP/STP/qjg
REasonr: 1.4 (CI
DECLASSIFI ON: 08-L5-2033
E-mi; AddreSS:
WNCLASSIFIED/FOR OFFICIAL USE ONLY

CBAIl m: 2007057.1 13608
contact ~lunber]-i
E-mail ~ddress: '
UCFN Scrial Numbcr:

StnW Date: 19 Jan 2005
Due Date: TBD
Requent Open For: 925 days, 11 haw, 36 miautes
Origin o f Requesr: U.S.

FBI Priority: PROTECT THE UNITED STATES AaAlNST CYRER-BASED
ATTACKS
IIIGII ECI-INOLOGY CRIMES
tern lata S/W &davit to Ewe a ent upon reccipt of omc s u m m q . On 2/18/05, SSA
spoke with S7
4
LA, and explained options again. M a t h is a CyberICI
Primary Teahnicnl L w d ~
CEAU staff Involved:
Other Contacts:
DATE: 08-15-2008
** Not Assinned
REASON; 1.4 ( c l
CLASSIFIED BY
6032211!TJC/T.P/5W/~jg
ILL TIFOmTIOW COmAINED

E R E I N IS UNCLASSTFLED EXCEPT
b6
h7C
Legal Information
UNCLASSIFIEDIFOR OFFICIAL USE ONLY

CEAU ID: 200705 18-1 3596
Group / Program: SDG / DEP
Gron Su ervkar: 1-
A
y
nwersal Case File Number:
contact ~umberi-1
E-mail Address:
288A -CE121918
UCFN Serial Number:

Start Dote: 09 Nov 2004
Due Date: TED
Request Open For: 996 days, 1 1 hours, 35 minutes
,FBIPriority: PROTECT THE UNITED STATES AGAINST CYBER-BASED
ATTACKS AND HIGH TECHNOLOGY CRIMES
'Primary Technical Lead:

None Assigned
Other Contacts:
** Not Assigned
Legal Information
DAIE: 08-15-2008
CLASSSFIED BY 60322UC/IP/STP/gjg
REASON; 1.4 (C)
DECLASSIFY ON? 08-15-2033
CONPATNED
ALL ISFOREIILTION
EbZTRT IS UNCLASSIFIED EXCEPT

WWeRE SHOW D m R W I S E
UNCLASSIFIEDlFOR OFFICIAL
- USE ONLY
CEAU Priority b: TED
CEAU ID: 20070518-13595
Group I Program: SDG I DEP
n
Contact
N l u n b e r j y - E-mail Address:
Universal Case File Number: 288A -SE-89989

UCFN Serial Number:

Start Date: 01 Sep.2004
Due Dstc: TBD
Request Open For: 1065 days, 12 horn, 33 minutes
Origin of Request: UU.
FBI Prioritv PROTECT THE UNITED STATES AGAINST CYEER-BASED . .
4
e d as victim in Major Case 216.

ISearch warrants
renewed in 10-day increments Search warraut renewals enaea d mid-Dee 004.SA
b6
-was
advised to download collected data for elsur.
b7C

CEAU Staff Invohed.

None Assigned
Other Contack
Legal information
DATE:
IS
.-
oa-~5-200~
REASON: 1 . 4 ( C )
D E C L A S S I N ON! 0 8 - 1 5 - 2 0 3 5
ALL INFOPJUTION CONTAINED

HERETN 15 UNCLA5SITIED EXCEPT
MS
w
7 f 22 am
Notes: Completed changes suggested at

working groupoorporated
"
DATES 08-12-2008
CLASSIFIED BY 6032tu~lp/l~p/Tds
REASON; 1.4 (el
PECUSSIFI OW; 08-12-2033
bl
. b2
b7E
nil INF~RMATIONC O E T A I ~
HEREIN 15 UNCLASSIFIED EXCEPT
WRERE SHOWN OE-ERWISE
Law Enforcement
DATE5 '00-L3-2008
CLASSIFIED BY 60322ucL0/'rtp)rds
REASON: 1 . 4 ( e )
.,
DECLASSIFY ON! 08-13-2033
ALL INFOBMATION COWAINED

HERETN IS WCLASSTFIED EXCEPT
WHERE SHOWN OTFIERWTSE
Case Support Standard Operating Procedures (SOF)
-L
E o r Official I J ROnlv
~
Law Enforcement SensihnlSen~ltiveBut ~ H f i e c I

For Omcial Use Only
Case Support Standard Operating Procedures (SOP)

Cryptographic and Electronic Analysis Unit (CEAU)
,---.
',[
i S)
i.
i,
!,
',
i;
\
'\
'!
\!
,'
i;
!.
!.
'!
i
i.
,'
1
bl
b2
b7E
1.
1
':
!
;
,
Page 2 of 4 Pages
Law Enforcement SensitiveISensitive But
Wnr t3m0i.l HISL n - I ,
>.<
~ a 'Enforcement
w
Sensitive/Sensitive But brnc
Bor Official Use Only
ifled

\Is)
\
\!,
!
i
,'
Page 3 of 4 Pages
Law Enforcement SeositiveISensitive But
For Official Use Onlv
Law ~ n f ~ r c e ~Sensitive/Senaitive
ent
But U
*
hr Official Use Only
Page 4 of 4 Pages
Law ~uiforcementSensitivdSluitive But *nUr
FEDERAL BUREAU OF INVESTIGATION
Precedence:
TO:
PRIORITY
Date:
06/07/2007
Cyber
Attn:
International Operations
bG
b7c
uc
Europe Unit
Rome
Attn:
Legat
ALAT-d
Operati~nalTechnology
Attn:
CEAU
SS
From:
Seattle
Cyber
Squad Il
Contact: D r L e c ~ i v e )
-.I
Approved BY;
Drafted By:
n
-1:nbs
C ~ G CID #: 288A-SE-NEW
Title:
(pending)
UNSUB (s)F
TIMBERLINE SCHOOL DISTRICT (VICTIM);
C O M W T E R INTRUSION - INTERNET EXTORTION
Synopsis: Requast
'~dministrative:
t-n
open captioned investigation.
Reference the following cOrMtlUnicdtions:
06/07/2007 t e l c a l befwsen ~etective)

ivision Cybes Task Force, and ROmE A L A T ~
1
b6
L7C
06/07/2007 cwlckl between

Eeilttle Division, and 3
5
~
SAY
7 CACU.
1
On 06/06/2007, S~?at.I-.l
F! nivi xion was castacted by Lacey
P r i l i c e Department (LPD), Lacey, WA, regarding numerou3 bomb
betails:
threats and D D O S attacks received at the Timberline Sbhoal

District, Laery, WA. Below are s time-line of events:
05/30/2007 - Timberline nigh school evacuation due to

hand written bomb threat nuLu.
DATE: 09-12-2008
- - - CLASBIFIED BY 60322UC/LP/STP/gjg
REASON: 1.4 (GI

INFORMBTIoN c~~~~~~~
DECLASSIFY OM; 09-12-2033
HERETN IS WCLASSIFLED EXCEPT
To: Cyber From: Seattle

288A-SE-NEW. 06/07/2007
Re:
due to
06/04/2007 bomb threat email from sender:
UNSUB (s) also
advised a computer
which resulted in a DDOS attack totaling over 80,000,000 hits. b6
b7C
06/05/2007 Timber1
bomb threat email from sender:
arion due to
06/06/2007 Timberline Hiqh School evacuation due to

bomb threat email from sender: 1
06/07/2007 Timberline High School received additional

email from UNSUB(6). Details unknown at present time.
LPD and the Washington state Patrol (WSP) continue to

perform school evacuations and bomb sweeps with negative results.
Parents and school district: employees have informed local
television stations and newspapers, which aired the story on June,
6. 2007. LPD has requested investigative assistance from the
Northwest Cybes Crime Task Force.
LPIJ has
student at Timberline High School,
amears not to be the
and teachers from Timberline High School provided a list
s who may be
attack,
rf,
advising "Keep your head up."

a self proclaimed
school computer security measures.
custody and forensic results are pending.
provided negative results.
computer is in LPD
Initial interview of
b7C
On '06/07/2007.~etective
(
'Warn, Western Distr!ct

captioned matter.
, Seattle Oivis~on,contacted .!USA
WSP, and SA
Katheryn
of Washirigton, who agreed to pxosecute
b6
t7c
To:
Re:
Cyber rim: Seattle

288A-SE-NEW. 06/07/2007
To:
Re:
.Cyber From: Seattle

288A-SE-NEW, 06/07/2007
LEAD (s) :
S e t Lead 1;
(Info)
CYBER
AT WASHINGTON, DC
For information.
S e t Lead 2:
(Info)
AT WASHINGTON. DC
For information.
Set Lead 3:
(Action)
EQm
AT ROME. ITALY
I
Set Lead 4:
(Info)
OPERATIONAL TECHNOLOGY
AT OUANFICO. VA
For information.
FEDERAL BURRAU O F INVEST1GATION
Precedence : PRIORITY
To:
Date:
Attn:
Operational Technology
Attn;
Cyber
03/08/2007
Cryptologic & Electronic

l ~ a l ~ s Unit
i s
b6
b7C
~ S A
CY
From: Tampa
Squad 8
Contact:
Approved By:
Drafted By:
Case
TD
Title:
1-
SA
neL-
#:
'
(Pending)
Synopsis: Request the deployment of a Computer

Verifier (CIPAV)
Details:
BACKGROUND
DATE: 05-07-2008
CLASSIFIED BY 60325UC/IP/PLJ/gjg
REASON: 1 . 4 ( C )
ALL LIFORFIPTTOW CDPITAINED
HEREIN. 15 mCLA551FIED EXCEPT
&
IF Address
chnology From:
, 03/08/2007
To:
Re:
.
Tampa
Tampa is currently drafting the search warrant

necessary to obtain the requested CXPAV, which Tampa hopes to
denloy on or around 03/15/2007.
chnoiogy From:
03/08/2007
TO:
Re:
Set Lead 1:
Tampa
(Action)
AT OUANTICO. VIRGINIA
The Cryptologic & Electronic Analysis Unit is requested
to facilitate the deployment of a CIPAV to support captioned
Group I1 UCO.
Set Lead 2:
(Info)
-.
AT WASHINGTON. D.C.
For information, read and clear.
(Rcv. 01-31-2003)
FEDEmL BUREAU OF INVESTIGATION
Precedence: ROUTINE
TO:
Date: 02/23/2007
Cyber
Attn: C ~ I U - 2
OTD
Attn:
ssA
DES/CEAU
rrr
b6
Chicago
Prom: Cincinnati
Squad 13
Contact
- :A S
Approved By:
Drafted By:
1-
Case ID #:
jk
(Pending)
Title:
Synopsis: CIPAV operations have ended.

Reference:
Details: Cincinnati has employed a Computer and Internet Protocol

Address Identifier ("CIPAV")to gather evidence concerning
b 7A
b7E
b7A
DATE: 09-22-2006
CLASSIFIED BY 60322PC/LP/STPlq$g
ALL INFOFXATIOB COWTALNED

HEREIN 13 UNCLASSIFIED EXCEPT
",**rrnF evnrnr n-nn*.a
To:
Re:
Cvber
From:
Cincinnati
02/23/2007
From:
TO: Cyber
Re:
Cincimati
1 02/23/2007
LEAD($) :
Set Lead 1:
(Info)
Read and clear.

Set Lead 2:
(Action)
End CIPAV operations i n support of t h i s e a s e and $end

evidence to Cincinnati.
Set ~ e a d3:
(Action)
CHTCAGO
with this
Discontinue supper t of url$drcovar accounts associated

Cldse and send bill for services to Cincinnati.
(Rev. 01-31-2003)
FEDERAL BUREILU OF INVESTlGATION
Precedence:
To:
PRIORITY
Date:
Attn:
12/14/2006
Cryptologic & Electronic

SSA
b7C
From: Houston
CT- 3.
Contact: SA
1 (
Approved By:
Drafted
By:
Case ID
#!'w
Title:
&w:-
7
(Pending)
Full Investigation Initiated: 01/11/2005 (USPER).
[
I
~eferenco!"~
,IS1
I
DATE: 09-22-2008
CLASSIFIED BY 60322VC/LP/STP/q]y
WASON: 1.4 [ C )
PECLASSIFI ON: 09-22-2033
ALL INFOPJUTION COEiTAINED
bl
b6
b7C
From; Houston
12/14/2006
ogy
Details:
BACKGROUND
ational Tech ology
From:
la/lr,2oo6
Houston
From: Houston
12/14/2006
O W
b1
b2
b7E
b6
b7C
b7D
b7A
Witness
,;(El
(u) Houston ~ i v i s i o nhas developed a Confidential

(CW)
who is willins to asaist with this investisation by
TO:
'
Oper
'"7
From: Houston
12/14/2006
Ogy
Re: l0lM
Set Lead 1:
(Action)
OPERATIONAL TECHNOLOGy
A T T O L O G I C ~ ~ E C T R O N IANALYSIS
C
rur -
IT
bl
Date:
Precedence; PRIORITY
TO:
12/07/2006
Attn: Cryptologic
&
Electronic
From: Houston
CT-1.
Contact:
SA
1- r
Approved By:
Drafted By:
y
I
Case ID #: (S)
(Pending)
Title:
Full Investigation Initiated: 01/11/2005 (USPER).

Reference: (S)
(UI
--iz----3
ueclassify Uw-#QZ/2031
i4Sl
i
I
bl
b6
b7C
b7A
DATE: 09-22-2008
CLAssTFTED BY 60322UC/LP/STP/gjg
PEASON: 1 . 4 ( C ) '
DECLASSIFY ddl; 03-22-2033
ALZ TIFORFIATIOV COliTAIliTD
KERFTI 1 5 WCLA551FIED EXCEPT
From:
12/07/2006
Houston
To: Opera
Re:
'
Tec
From: Houston
12/07/2006
gy
b7A
b2
ogy
From: Houston
12/07/1006
(U) Houston Division has developed a Confidential

Witness (CW) who is willinq to assist with thia investisation by
.IS]!
\:
i:
To:
Re:
Technology
1operational
w
-
From: Houston
12/07/2006
Set Lead 1:
(Action)
AT CRYPTOLOGIC & ELECTRONIC ANALYSIS UNIT
'
..
.(Rev. OI-31-2003)
FEDERAL BUREAU OF lNVEgTlGATlON
Precedence:
To:
From:
Date: 10/25/2006
IMMEDIATE
~ t t n : Cryptologic
&
Electronic
Cincinnati
Squad 13
Contact: SA
'
Approved By:
Drafted By:
Case ID'#:
1 - 1
laow
(Pending)
Synopsis: To request the ass

Electronic Analysis Unit in
Details:
as part of a
BACKGROUND
SDG PRODU
updated:
June 28, 2006 by
GGAL PROCESS
Consent
criminal, PThT Court
order 60 day
expiration
FISA court order 90
day expirati~n
,,3s)
!
consent
Criminal Search
warrant 10 day
eipiration
FISA court 'order 90
d,ay expiration
b1
b2
b7E
i
Consent
criminal Search
warrant lo day
expiration
FISA C O u f t order 90
day expiration
ALL IWFORMATION COTXXNED ,
EREIN IS UNCLA331F:ED MCEPT
W
R
E IAOW OTHERUIEE
DATE: 09-23-2000
CLASSIFIED BY 60322 UC LP/STP
REASON; 1.4 LC)
DECLASSIFY ON: 09-2'1-2033
DATE: 09-22-2006
ALL THFOWT
r
NA
NA
day expiration
Consent
Criminal T-IIT court
order typically 90
day expiration
FLSA c o u r t order 90
day expiration
Consent
Criminal T-I11 C O U r t
order typically 90
day expiration
b 3.
FISA c o u r t order 90 b2
day expiration
b7E
CEAU Assistance to Seattle Case:
UNSUB(s);
TIMBERLINE SCHOOL DLSTRICT (VICTIM);
COMPUTER INTRUSION INTERNETEXTORTION
On June 6,2007, the Seattle Division was contacted by the Lacey Policc Department
(LPD), Lacey, WA, regarding numerous bomb threats and Distributed Denial of Senice
(DDOS) attacks received at the Timberline School District, Lacey, WA. The threats
' began on May 30,2001 and persisted through June 4,2007. The t h a t s necessitated the
daily evacuation of Timberline High School. The LPD and the Washington State Patrol
(WSP) performed school evacuations and bomb sweeps with negative results. Parents
and school district employees informed local television stations and newspapers,
- - . which
aired the story on J& 6,2007. As a result, the LPD requested investigative assistance
from the Northwest Cvber Crime Task Force (NCCTFI. headed by the FBI Seattle
Division. In.turn,the ~eattleField Office reql$sted assistance fmbthe OTDICRAU to
attempt to geo-physically locate the UNSUB(s).
Assistance Provided
CEAU deployed a Cornput& Intemet Protocol Address Verifier (CIPAV) to a MySpace
account identified as possibly belonging
- - to the WNSUB. The CIPAV returned several IF'
addresses, one of whikh resolved back to Comcast Cable in Seattle, Washiapton.
Subscriber informarion obtained from Comcast led to the issuine of a search and arrest
-ant.
A 15 year old male student h m Timberline High ~ c h i owas
l taken into custody
without incident at his home at approximately 2 A.M. June 14,2007. The minor
confessed to issuing the bomb threats. Future bomb threats,dated June 14,2007, were
found oe the minor's cornam. The minor's computer equipment warr seized and the
arrest was made without kcident. Following an &tervi& with the minor, the LPD was
able to solve mother threat case. as the minar confessed to issuinn teleohone
death
^
threats to teachers and others, inh"'&nling
his pawits, earlier in 20G.
Last Update 10 July 2007
Draft CEAU Combined Capabilities
(Former SDC;, Pilaster, and SPU)

10 July 2007
Version 0.1
Version Control
Changed By
10 July 07
Version #
0.1
Changes
Draft Baseline
kTC6-
CEAU Combined Capabilities
(Former SDG, Pilaster, and SPU)

July 2007

Version Conwl
(Rev. 01 -3 1-2003)
FEDERAL BUREAU OF INVESTIQILTION
Precedsaca:
To:
Date; 07/05/2007
ROUTINE
Attn:
Seattle
SA
Cyber
From:
Operational Technology Division/

Electrnni r S ~ ~ r vl\l
e iante Technology Section/
Cryptologic and Electronic Analysis Unit
Approved By:
DiClemente Anthony P
3earcy William 1x1
Drafted By:
1-
kld
- SM?
298~-SE-93709
Case ID 8: 2b8-HQ-1305912
Title;
(Pendina)
(Pending)
CRYPTOLOGIC ELECTRONIC ANALYSIS UNIT (CEAU)

ASSISTANCE TO THE SEATTLE FIELD OFFICE
UNSUB(S);
TIMBERLINE SCHOOL DISTRICT (VIC'l'lM) ;
COMPUTER INTRUSTON - IBT~RNETEXTORTION
Syrlopsis: ALteJ! A c t i o n Report for efLcctuating remote delivery of

a Computer Internet protocol ~ddrensV ~ r i f i c r (CIPAV) to
geophysically i ~ c a k oa subject who ha^ ~ E E U Cmultiple
~
bomb
threats against a, local high s c h u u l .
Uetails; On 06/06/2007, the Seattle n i v i s i o n was contacted by tho

Lacey Police Department (LPD), Lacey, WA, regarding numerous bomb
threats arid D i u L r - i b u b e d D e r i i a l of Sesvlce (DDOS) attacks received
at tne 'rimberlifleSchool District, Lacey, WA. The threats began
on 05/?,0/21ln7a n d persisted through 06/04/2007. The threat=
neccocitatcd the daily evacuation of Timberline nigh S c l ~ u o l .The
LPD and L h a wa~hingtonState Patrol (WSP) perfomea school
evacuations andbomb sweegs with negative results. P a r e n t s and
schonl. d i f i t - r i ~ tamplnyees informed lqcal folevision statione and
newspapera, which aired the story on June 6, 2007. Ab: a result,
~ l l oLPD requested investigative assistance from the Nbrthwest
Cyber Crime Task Force (NCCTF) headed by the Seattle Division. In
turn, the S n a t k l - FIe7d n f f i c e requested assistance from the CEAU
w i t h locating the WNSUB,
ALL TEJFORWATION CONTAINED
ZIGWIM IS U'NCLAS5IFIED
DATE D9-19-2008 BY 60322UC/LP/STP/uju
To: Seattle From: Operational Technology Division/

Re: 268-BQ-1305912 - SDG, 07/05/2007
OBJECTIVE
The objective of this operation was to deploy a CIPAV to
locate the subject issuing bomb threats to the Timberline High
School, Lacy, Washington. The CIPAV was deployed in the usual
way.
SUMMARY OF
EVENTS
C
m
-~
oncur ence for the operation was obtained from Case Agent
and Kathryn A. Warn, Assistant United
y , western District of Washington. In addition,
Office of the General Counsel. concurred with the
b7C
oneration followino
his
review
of
the
affidavit
and
warrant.
signed by ~ a m e i i .Donobue, United States Magistrate Judge,'
United States District Court,,Western District of Washington,
dated 6/12/2007.
~
- -
~-
CONCLUSION
CEAU deployed a CLPAV to a MySpaee account identified as
possibly belonging to the UNSUB. The CIPAV returned several IP
Addresses, one resolving back to Comcast Cable in Seattle,
Washington. Subscriber information obtained from Comcast
confirmed the suspicions of Law Enforcement and led to the
issuing of a search warrant and arrest warrant. A 15 year old
male student from Timberline High School'was taken into custody
without incident at his home at approximately 2 A.M. on
6/14/2007. The minor confessed to issuing the bomb threats. Bomb
threats dated 6/14/2007,were found on the minor's computer. The
minor's computer equipment was seized and the arrest was made
without incident. Following an interview with the minor, the LPD
was able to clear another threat case, as the minor confessed to
issuing telephone death threats to teachers and others, including
his parents, earlier this year.
'
To: Seattle From: Operational Technology Division/

R e : 268-HQ-1305912 SDG, 07/05/2007
LEAD (s) :
Set Lead 1 :
(Action)
SEATTLE
A T SEATTLE. WA'
Lead covered at OTD/ESTS/CEAU. Read and Clear
Set Lead 2:
(Action)
AT WASHINGTON. DC
Read and Clear..
(Rev. 01-31-2003)
H
FEDERAL BUREAU OF INVESTIGATION
Precedence:
ROUTINE
Date:
06/13/2007
From: Operational Technology D i ' v i~iu11
Electronic Surveillance Technology Section/

Crygtologic and Eleetroni? Ana1,ysis unit
Contact: SSA
Approved By:
Drafted By:
C a ~ oID H :
Iitle:
senrry
William 111
1-
2 6 8 IIQ-1305912-SW
CRYPTQLOGIC ELECTRONIC ANALYSTS TNTT (CEAU)

ASSISTANCE TO THE SEATTLE FIELD OFFICE
Synopsls! operations Order to assist the Seattle ~ i s l dOffice

with effectuating remote delivery bf a C ~ w u t s rInternet Protocol
Addrefis Verificr (CIFAV) to geophysically locate a subjecl who
has issued multiple bulrb threat against a local high school.
Details:
The Seattle Field O f f i c e has requested aofiiotancc from
the CEAU with gcophynically locating a subject engaged in issuing
b u n b Lllreats via the Internet to Timberline High SChdol, Lacey,
Washxnaton. The objective of the operation i n t.o remotely deploy
a C f P A v tn geophysically locate tho subjaof.
BACKGROUND
Qn 96/96/2007, the S e a t t l e Division waa contacted by
Leccy Police Department (LPD), Lacey, WA, regarding numerous born
threats and UDUS attacks faCeived at the Timberline School
Bisttict, Lacey, WA. Relow a r e a t i m e - l i n e of events:
05/30/2007
Timnberline nigh School evacuation due to
hand written bomb threat fiote.

06/04/2007
Timber1
b o d threat 'entail f r u ~ nsender!
DATE; 08-14-2000
CLASSIFIED BY bU922UC/LP/STP/wjg
1.4 ( C J
DECLASSIFY DO: 08-14-2033
REASON:
ALL IWFOWATIOfl CbWT&IWED

H E W I N IS UNCLASSIFIED EXCEPT
aLiurl due to a6
UNSUB (l) also b7C
To: Operational Technology From: Operational Technology

Re: 268-HQ-1305912-SDG, 06/13/2007
advised a cnmprlt&r attack will hit thc Lacey School D i s l r i c t ,

which resulted in a DDOS attack totaling o v e r 80,000,000 hits.
06/05/2007
Timberli
bomb threat email from sender:
nh Schnol
nvar
ation due to
06/06/2007 - Timber1
bomb threat email from sander:
06/07/2007
~imberlineHigh School received additional
m a l l from UNSUB(s). Details unknown a r present time.
LPD and the washington S t a t e .Pacrbl ( w ~ P )continue t o

perform sclluul evacuations and bomb sweeps with negative results.
Parents and school district emplnyees have informed local
t e l e v i n i n q stations and nswsgapero, which aired the story on June
6, 2007. LFD has requested ir~vcrtigaEiveassistance from the
Northwest Cyber Crime Task Force.
k6
b7C
LPP has conducted numerous tholrouulr ir~terviewsof a

atudent at Tirnlrarlirle nigh school,
appears not to be the subrect respLnslble tnr bonh threats!
and teachers from Timberline High School provided a liut
s who m y ba re6p011siLLe POT
pw
""'
received a t e x t messa e from
- D
advising uKeep your
Qn
e r d up."
06/03/3007,
is described by teachers as
a self proclaimed computer hacker L h a t routinely bypaSlbs the

schoul computer security measufbs. 1 computer is in LpD
forensic rmsults are pendipg. Initial interview of
ovided negative reeulta.
\
On 06/07/2007, Detective)
IWS!?, and SA
1,
sqattle
D
i
v
~
~
i
o
n
contacted
,
AUSA
Kdtheryn
I
Warma, wcaternTiatrict of Wsrrhir~gtun,who agreed to prosecute
captioned n l a t t e r .
To:
Re:
Operational Technology From: Operational Technology

268-wQ-1305912-SDG, 06/13/2007
CONCEPT OF THE OPERATION

Deployment npqrations Personnel (DOC) will deploy a
CIeAV to geophysically locate the subject issuing bomb threats to
the Timberline High SclluoL, Lacy, Washington. The CIPAV w i l l be
deployed v i a a Uniform kesource Locator (URL) address posted to
the subject's private chat room on WySpace.com (S'popular social
networking web~itc)
ALL
I N E O ~ T I ~ Ncomts~
FERELN IS ,UNCLASSIFIED
DATE 03-18-2008 BY 609221p/pl/rtla
STATE OF WASNINGTON
COUNTY OF KING
Norman B. Sanders Jr., Wig duly sworn on oarh,'deposes and says:
I am a Spaid Agent for the Federal Bureau of Investigation ("PBII*), and

have been such for the past five years. Prior to becoming a Special Agent. I was
.
1.'
employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I
sm currently assigned to fhe Seattle Office's Cybet Crime Squad, which investigates.
various computer, and Internet-related federal crimes.
2.
My experience as an m1 Agent has included the investigation of cases
involvhg ~omputer~ntruions.
Extortion, Internet Fraud; Identity Theft,Crimes
ahst st Children, htellechlal Property Rights, and other federal violations involving
computers and the Internet. I Pave also received specialized training and gained
experience in interviewing and interrogation tedmiques, arrest procedures, search
warrant applications. the execution of searches and seizures, cyber crimes computer
evidence identification, computer evidence seizure and forensic processhg, and various
other criminal laws and procedures. I have personally participated in the execution of
mest warrants and search warrants involving the search and seizure of computers and
electronic evidence, as well as paper documents z
h personal belongings.
3.
I am an investigative or law enforcement officer of the united States
within the meaning of Section 2510(7) of Title 18, united States Code, in hat I am
enipowered by law m conduct investigations and to make arrests for federal felony
offenses.
. Relative to this investigation, my duties include the investigation of

offeqes including violations of Title 18, United States Cade, Sections 87S(c) aterstate
Transmission of Communication containing Threat to Injure), and 1030(a)(S)(A)(ij and
4.
Affidavit of Norm Sanders for ClPAV

USAW 2W7R00791
Pngt I of 17 Pages
1
2
(B)(iv) (Computer Intrusion Causing a Threat to Public Safety).
5.
I submit this affidavit in support of the amlication of the United States for :
a. search warrant.
This search warrant pertains to the Government's pIanned use of a
specialized kchnique in a pending criminal investigation. hentially, if a warmnt is

approved, a communication will be Sent to the computer being used to administer
'
www.mvspace.m'iu ' ("Myspace") user account 'Timberlinebombinfo".

,
Thecommunication to be sent i s designed to cause rhe above referenced
computer to transmit data, in response, that will identify,the computer andlor the
user(s) of the computer.2. In this aanner, the FBI m y be able to identify the computer
and/or user .of the computer that are involved in committing criminal violations of
United States Code specifically. Title 18, United States Code, Sections 875(c)
(hmtate Transmission of Communicarion Containing Threat
'
4Injure). and
1030(a)(S)[A)(i) and (B)(iv) (Computer Intrusion causing a Threat to Public Safety).
More specScaIly, the United States is applying for a search warraut authorizing:
a).
the use of a Computer & Internet Protocol Address3 ("IP address")
.
I
Myspace is a international free setvim that uuscs the Internet for online communicalion through
an interacavc social network of photos, videos, weblogb, user pmfdes, blogs, e-mail, instant
messaging. web forums,and groups, as well as other medi* formats. MySpace users an capable of
customizing their user webpage and profile. Users arc also capable of searching or browsing olhcr
Myspace webfmges an4 adding other users 8s 'friends*. If mE person identified approves your
%end" requeat, he or she will be added to your list of friends. Uscrs are capable of sending Myspace
'
mesqes and posting commnls on olhEt user's MySpacc webpages.
ln submining thin request, the Gmemment regpeethrlly d m not eoncsdc!that a reasonable

expectation of privacy exists in the internet protocol address &signed by a network service provider. or
orher provider to a specif% User and used ro address aud route c1ecrioi.i~cocommicati011~
to and kom
that'uscr. Nor do= the government c o n d e rhat a reasanable expcctabn of privacy is abridged by UIC
Use Of this convnunication technique, M Cat the use of lhis mchniiue to collect a ~omputeT'8TP
addtcu, MAC address or other variablea that nre.broadcast by the computer whenever it is c o m t e d
to Ute Internet, ~0nstitUksa search or wizure.
3
Concepprsuy. IP addresses arc similar a telephone numbers, in that lhey are used to identify
compufen rhat exchange information over the Internet. An IF address is a unique numeric address
~ S e dto dircct information over tho Inrrrnet and is a series of four nuinkem, each in the range 0-255.
separated by periods (e.g., 121.56.97.178). In general, informarion sent over the lutemet must
cwtain qn Originating IP address and a destination IP addnss. which identify the w m p ~sending
s
and ncelving the information. Section 216 of (hc USA Patriot Act (P.L. 107-56)amended 18 U.S.C.
503121 et scq to sp~iflcallyauthorize rht recovery of "addressing" and 'routing" infomtion of
Affidavit of Norm Sanders for CIPAV
USAO# 2 0 0 7 W 9 1
Page 2 of 17 Page%
Verifier ("CIPAV*) in conjunction with any camputt* that administers MySpace user
account 'Timberlinebombinfo"
.,
mm ://www.mns~ace.~dm/tl~lberlinebmb~pl,
without prior announcement within ten days from the date this Court authorizes the use
of the CIPAV;
b).
that the CIPAV may cause any computer. wherever located - ehat
activates any CIPAV authorized by this Court (an "activating computer" to tond
network level messages4containing the activating computer's IP address a W o r M4C
addresl~,~
other environment viriables, and certain repistry-rype informstion' to a
cornpurer comolled by the FBI;
c).
that the FBI may receive and read within ten days from the date
this Court authorizes the use of the CIPAV, at any tinie of day or night, the information
that any CIPAV &uses to be sent to the computer conboUd by the FBI; and
d).
that, pursuant to 18 U.S.C.83103a@)(3), b qatisfy the notification
?lutronicAs used here, a network-level message refers to an exchange of technical i n b m t i o n

b t w n wmpurers. communications by a pen regisrer/trap & uace order.
'
Such -ge*
work in established network pro-Is,
dctcrmIniag, for e.urmple, how 9 given
;ommunication will be sent and received. Everv time a cmuur come~tCdto a lccal aRB MIWOIk
[LAN)O Fthe~Internet ~lnn&rsto another computer on thd LAN ot rhe Intrm~t,iibm8dcasB
ReWorL-level w a g e s , including its F address, a d o r media access control.(MAC) address, andlor
~rher" c n v i r o ~ nvariables."
t
A MAC addmss is an uniquc numeric addnss of the network intenkc
card in a computer; Envimnment variables rhat may be mmilted include: operaring system rypc and
vemion, browsw type and version, h e language the browser is using, etc. These network-level
mmges also 01% convey network addressing information, includiag origin and desllnaIillion
iffOtma(ion. Networblevel messages are used to make networb opcrace properly, transparendy, and
;onaistently.
~-.
~
C q u t e r s Uldt access, and cotttmunicae on LANs do po via a acework hterfaec card (NIC)
installed in Ulc cornpuler. The N1C is a hardware device and every NIC w n t a k its own uniquc MAC
addnss. Every rime a computer connected lo a LAN c ~ m ~ l n i c a ton
e s the LAN,the c m p u e
broadcam iu hiAC address.
'
As used hem* "registiytype iufo~alion"refers to infozmtion stored on the internal hud

f i v e of a urmputer that defmes that computer's coufiguration as it relates to a user's profile. This
information includes, for example, the name of the registered owner of the computer and rhe serial
number of t
k naprating system sohare installed. Registq information can be provided by a
mmpnter connected to the Interact, for example, when that camputer connects lo the InfPmef tQ teqU1:st
a s o h a m upgrade from im sofwart vendor.
Affidavit of Nann Sanders for CIPAV
USAW 2W7RW791
Page 3 of 17 Pages
requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may M i y

providiq a copy of the search warranf and the receipt for any property taken until no
,
more than thirLy (30) days after such time as the name a d location of the owner or user
of t@
activating computer is positively identified or a latte~date as the court may, for
good cause shown, authorize. h v i s i o n of a copy of the search warrant and receipt
may, in addition to any other methods allowed by law, be effectuated by electronic
delivery of true an& accurate electronic copies (e.g. Adobe PDF tile) of the fully
exccutd documents.
6.
I ak rhoroughly familiar with the information contained in this Affidavit,
which I Pave learned through investigation conducted with other law enfmement
officers, review of documents, and discussions with computer experts. Because this an
application for-a search warrant and pen register, not every fact known about the
investigation is set forth, but only &se that are pertinent to the application. As a result
of the investigation, 1 submit there Is probable cause to believe the MySpace
"Timberlinebombinfo" account, e-mail account udouebri~es123&3~maitCom";

e-mail
account =mail.~nl";
e-mail account "dou~bbriees234~rnnail.com";

email
account "thisisfromidalv&email.com"; and e-mal account

'tirnberlin_e.suc~mail,co~
" have been used to trausmit interstate communicafions
containing thteats to injure, and involve computer intnrsion causing a threat to public
safety in violation of Title 18, United States Code, Sections875(c) and 1030(a)(S)(A)(i)
and (B)(iv). I further submit that there is probable c a w to believe that using a CIPAV
in conjunction with the target MySpace account (Timberlinebombinfo) will assist in

identifying the individual(6) using the activating computer to commit the= violations of
the United States Code.

7.
In general, a CPAV utilizes standard Internet cornpurer bmmands
commonly used commercially over local area networks (LANs) and the Internet to
request that an activating computer respond to the ClPAV by sending network level
Rffldavit of Nonn Sandcn for CIPAV
USAW 2W7R00791
Pagc 4 of 17 Pages
messages, andlor other variables, a a o r regisfry Wonnation, over the Intent7 to a

computer coatrolled by the FBI. The exact nature of these commands, processes,
capabilities, and their confiration is classified as a law enforcm?nt sensitive
investigative technique, the disclosure of which would likely jeopardize other on-going
hvestigatious andlor future use of the t d d q u e . As such,.the property to be sccessed
by the CIPAV request is the portion of the activating computer that contains
environmental variables andtor certain registry-type' information; such as the

computer's true assigned IP address, MAC address, open communication potts, list of
runniug p w s , operating system (type, version, and serial hnmber), internet
browser and version, language encoding, registered computer name,registered

company name, -ent
logged-ln user Mme, and Uaifoml ~
S O U Locator
~ C ~ (UU)
tbat the target'computer was previously connected KO.

,8.
An Internet Service Provider QSP) innally conkols a ratige of several
(or even thousands) of IP addresses, whicb it use6 to identify its customers'

Computers.
P addresses are usually ass-
"dynabhllyW:
each rime the user
connects to the Internet, the customer's computer is randomly -assignedone of the
avaiIable IP addresses contrc~lledby the ISP. The customer's computer retains lhar IP
address until the user disconnects, and the IP address cannot be assigned to another
user during that period. Once The user disco~ects,however, mat IP address becomes
available to other customers who connect thereafter. ISP business customers will
commonly have a permanent, 2dhour Internet coanection.to which a "sratic" (i.e.,

fixed) IP address is assigned. Practices for assigning IIP addresses to Internst uskrs
with many providers assigning semi-persistent numbers that may be allocated to a

single,userfor a period of days or weeks.
vary,
9.
Every time a computer accesses the Internet and connects to a web site,
'Ihe "lnternec"is a global computer network, which ektronically connect~computers and

allows comrmaicatio~a d unnsfero of data and information across scar and national boundaries. To
!Pin access m the Internet, an individual utilizes an Internet Service Prwidm (ISP). Tbrsc ISP's are
available worldwide.
Pam 5 Of 17 Pages
that computer broadcasw its IP ad&w along with oh& environment variables.
Environment variables, such as what language t h user

~ is communicating in, gllows the
web site to mmmunicate back ;nd display information in a f o m i that the comp&r
atcessing the web site can understand. These enviconment variables, including but not
limited to, the IP address and the language used by the computer', may assist in locating
the camputer, as well as provide infarmation that may help identify the user sf the
computer.
10.
The hard drives of some computers contain regisw-rype information. A
regisay contains, among other things, information about what operating system
software and version is installed, the product serial numby of that software,
and.h e
name of the registered user ofthe cqmputer. Sometimes when a computer accesses the
Intenet and connects to a software vendor's web site for the purpose of obtaining a.
software upgrade, the web site remieves the computer's registry information stored on
its internal hard drive. The regisby iafomation assists the software vendor in
..
determining if that computer is running, among other information, a legitimate copy of
their sohare
,. because'the registry infonuation coniains the sofhnrare's product
regismtion number. Regisq itlformatioo. such as the serial 'rmmber of fie hcperatiug
rystem software and the computer's registered owner, may assist in locating the
:omputer. and identifying its user(s).
11.
On May 30.2007, a handwritten note was discovered on the premises of
fie Timber1ine High School in Lacey,,Washington. Subsequently, school

idminiitrators ordered an evacuation of rhe students based on the handwritten.bomb
fueat note.
a). On June 4,2007, Timberlime High School received a bomb threat

:-mail from sender: 'douabrie~s1238mail.~om",The Uplinown Subject(s)
IUNSUB) stated in the e-mail "I will be blowing up your school Monday. June 4,
,
Affidavit of Norm Sanders for CIPAV

USAOi9 2007RW3791
Page 6 or 17 Pages
throu@wt timberline high school. One in the'math
2W7. There are 4 bombs
hall, library hall, &ah office a$ one portable. The bombs will go off in 5 miwte
intervals at 9:15 AM," fn addition, the UNSUB(~)stated, 'The email server of your
iistrict will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-ofSqice (Dm)'
attack on the Lamy School Disaicr computer nmork, which caused
3ver 2~,000.000hits on the system within a 24 hour period. School administrators
xdered an evacuation of the school on June 4,2007.
On June 5; 2007, the UNSUB(s) sent an e-mail l?Wr~

b).
,
d w p b r 1 g staring the following: .
< <Read This ASAP > >

Now that the schoo! is scared from yemdays fake pomb e t it's
now t i to get senous. One in a gym locker. the guls. It's m a
locker Mden under a pile of clothes. The other four I W!I only '
say the eneral location. One in the Language Hall, One m the
b&. Oqe ~lndcmertha portable raped wlth sm
Thy bomb wlll o off if any vibrations are felt. And e kist one
Is m a locker. t i s enclosed in a sound roof package, and h a d y
undetectable. I have used a vatye of emicals to make the
bombs. . They are all dierent
YLducbpe
as.A
They will all o off at 10: ISAM. Through remote detonation.

.Good Luck. And i that fails. a failsafeof 5 mlnutes later.
The UNSUB(s) goes on m s u e :
Oh and for the

ofice tryb to track
lice officersand technology idots the dislrict

t
K
email
yesfirrays emnd7slrntme I
The email was sent over a newly made gmil
at.
.,
give you a &t.

.Uxouut,from overs* in a foreign country. The gmail ~ccount was
created there and h s ernail and ycsarrdays was sent from there. So
good luck taljun with Ital about getting the identify of
@e person
who owns the l h ~ b id&ated
t
server
c.
In another e-mail from sender *d0~ebriees234~ail,com

3,
fie UNSUB(s) states the following:
Hello Again: Seeing as how ou're too stu id to trace the email
back lets get serious." phe
mentions bombs sa to .
UNSU$S)
A DOS actnek is an Internet based computer attack in which a compromised system auacka a
iingle largel, thereby causing I denial of service for vriers of &e l e e t c d computer s y s m The fldod
>fincoming messages to the rarget sysfern essentially forces it to shut down. thereby deny& service to
he system to legitiinate users. The DOS attack is generally targeted at a particular ne-k
service,
~uchas e-mail or web a-.
8
9
lo
II
detonate between 10:45-11:15 AM, and adds1 Seriously, you are not
Bill
oing to catch me. Sa just give u Maybe you should hire
wait 1
hater to tell you that it is coming& Italy. HAHAHA Oh
alreadv told vou chat. So stm ~ r e t e n d hto~be "trache it" because I
where t r a , ~
have already-toldyii it's c o & ~ f i o mTdy. That is
will stop so 'ust stop trying. Oh and this ernail will be
behind a
proxy b e d tho Italy server.
~ the who01 on June
d). School admhktators ordered an e v a c u a of
u
I1
e).
On JUIE 6,2007, Principle Dave Lehnis of Timberline High
School received an e-mail fromsender: "douebri~vs9~1Amnail.~0m~.

The e-mail
contained the following text: 'BNJOY YOUR LIFE ENDING".
ID another email from B

UNSUB(s) states the following,
f).
l l @ m n a i l . c e the
emaifae~'unithathas
already been deleted of all information b the time you read his
email. Get your.asson a plane to Italy i you want it to stop.
g).
School admiuisaators ordered an evacuation of the school on
I& 6,2007.
h). On June 7,2007.Timberline High School recived an e-kid from

I
sender "rh'isishmiralv@Pmajl.com." The UNSUB(s) states:
Affidavit of Norm Srnden for CIPAV
USAW 2007R00791
'There are 3 bombs lanted in the school and they're all dierent
kinds. I have rema e these weeks in advance and tested the timp
to make sure ey work to exact millisecond. Locking the doors is
a good plan, but too late."
2, B
i).
s June 7, 2007..
School administrators ordered an evacuation of the school on
On June.7,2007,the UNSUB(s) posted Wee of the threatening

j).
s lie-mails in the comments section of the onlinenews publication service, 'theOlympian".
7
9
lo
The adwhiskator from theolympian.com" removed the threatening e-mail postings.,

Iphortly
thereafter, the UNSUB(s) re-posted the threatening e-mails. Eventually, the
adminiseator of 'rhmlympian.camw disabled the *comments'" section.

12
, ~ 3
14
.I
k
On June 7,2007, Detective Jeremy Knight, Lamy Police
D e p m n t (LPD).received information from the Thurston County Sheriffs Office,
1s which had rewaled a complaint f k i a person identifed as 40. AG Stated tbat she
14
17
18
19
invitation through myspace.com from the Myspaceprofile of

'tTimberliwbombinfan wanting her to post a URL link to
. .
hm://bambe&ls.hvoert)ha. corn on her myspace.com webpage. The UNSTJB(s)
advisd her that failure to comply would result in her name being associated with fume
threats. Similarly, Knight received a phone call from a parent alleging that her
the same request from the UNSUB(s). According to Knight, 33 students
received
&
u beceived a request from h e UNSUB(S) to post the link on their respective myspace.com
23 webpages. Subsequent interviews performed by Kaight yielded limited information.
1I
25
26
On June 7, 2007, V W and BP received Myspace private invitations

1).
from an individual utiliiing the MySpace moniker 'Timberlinebombinfo". V W .
accepted the invitation fr~m'~~imberlinebombinfo''received an America Wine

I
la
Message (AIM)
an iqdividual utilizing AHM screen name
and
IInstant
from
09." Communication ceased with "Alexspi3rinp_O9"after VW

iaformaion related to the bomb threats. VW believed screen name
associated to ALEX SPIERING. a student at Timberline High.
-09" and "Timberlinebombinfo"used to have the

gtaphic on their Myspace webpage. "Timbe~linebombinfo"r e d y changed
from a picture of guns to a
of a bomb.
m). On June 7,2007, Thurston County School District reported ALEX

9 QSPIERINGresides at 6133 Winnwood Loop SE,Olympia, WA, 98513, teleph,one (360)
10 p
0
5
6
9
date
. of birth19I.
"I
I
"1
n). On J p e 8, 2007. Comcast Internet. Thorofiire. New Jersey.

13 b o r t e d that residential address 6133 Winhwood Loop SE, Olympia, WA, 98515
I2
received Comcast Internet services for the following subscriber:
14
:IS
Sam Spiering
17
6133 W i w o o d Loop SE, Lacey, WA 98513

Telephdne (360) 455-0569
19
Dynamically Assigned Active Account

Account Number: 8498380070269681
"1
21
0).
On June 8. 2007, Thurston County School District received two
P additional bomb lhreat e-mails h
,.
m "Timhe~Iine.Suck@~m
ail.cam." which resulied in
u the evacuation of the Timberline High School.

24
12.
On June 4.2007. Cioogle provided subscriber, registration. and IF Address

log history for e-mail address "douebriggS11236email.corn"with the following results:
25
26
27
28
Status:
*
Enabled (user deleted account)
Setvims: Talk, Search History, Gmail

AMdavit of Nom Sadden for CIPAV
USAW 2007R00791
Name: Doug Briggs

'SecondaryErnail:
created & 03-~un:2007
Lang: en
PP: 80.76.80.103
LOGS:.All times are'displayed in UTCJGMT
gpugtvicasl23~~mail.com
DatelTime
IP
063~-2007
05:47:29,am
81.27.207:243
04-Sun-200705:43: 14 am '
80.76.80.103
03-Sun-200706:1944 am
80.76.80.103
On June 6,2007,a SmartWbIs lookup of IP Address 80.76.80.103

a).
!solved to Sonic S.R.L.Via S.Rocco 1, 240@, Grumello Del Monte, Italy.
horn: +39035M91296, E-mail:Staffmsonic.it. Your affiant connected to

@://sonic.itawhich dispiayed an Italian busin& webpage for sonic SRL Inremet.
%-viceProvider.
On June 7,2007, a request to MySpace for subscriber and IP

ddress l&s for Myspace user "Timberlinebombinfo"provided the foilowing results:
b).
"
User ID:
199219316
First Name:
Doug
last Name: ,
Briggs
Gender;
Male
Date of Birth:
12110J1992
Age;
14
couq:
US
City:
Law
rffiddvil of Nonn Smdera for ClPAV

JSAOC 2W7ROM91
Page I I of 17 Page$
Postal Code:
985003
Region:
Western Australia
Email'Address:'
tirnberljne.sucksB~mai1
.corn
User Name:
timberlinebambinfo
Sign up IP Address:
10
11
80.76.80.103
Sign up Date:
Juae 7,2007 7:49PM
Delete Date:
NIA
Login Date
June 7,20077:49:32:247 PM IP Address 80.76.80.103
FBI Seattle Division contacted FBI: Legate Attache Rome,Italy and
o).
an official request was providcd to the Italian ~ a t i o hPolice

l
requesting assistance h
12
contacting Sonic SRL and locating the cornpromisad kmputer utilizing IP Address
13
80.76.80.103.
14
d). m,June7, 2007, the S y s m Administrator for the

1 v m ~ i a n . kadvised the posting of the bomb threat ehails originated porn
192.135.29.30. A Smartwhois lookup resolved 192.135.29.30to 'The
titute of Nuclear Physics (INFN).
Labratori Naziatdi di hgnaro,
Based on my B a W , expMence, aud the investigation described hereiq!,1

owing among other things:
a). that network level messages, including the originating TP address
'
ess, other variables, and ce,&h regism-ripe infomation of a computer
sist in identifying the individual@)using that comptw; and
b):
the kidividual(3) using the aforementioned activated computer
sed computers to conceal their true originating fP address and thereby
iting the individual(s)' identification. ,Compromised comp.ukrsare

with computer viruses, trojans, or other malevolent programs. which
ability to conirol computet(s) on the Internet or particular selvic~s
A f f i v i t of Nom Sandera Eor ClPAV
USAO# zMnROW9 1
Page 12 of 17 Pages
'
compromised computer(s) without authorization. It is common for individuals
aged in illegal activity to access and control coinpromised computer(s) to perfom

icious acb in order to conceal their origktiug IP addresses.
Based on mining, experience, and the investigation described herein, 1
14.
concluded that wing a CIPAV on the target MySpace 'Timberlinebombinfo"
t the PBf to determine the identities of the individual($) using tbe

ring computer. A CIPAV7s'aetivationwill Muse the activating computer to send
level messages, including tbe activating computer's originating IP address and
ss, other variables. and certain registry-type information. This information

in identifying the individual($)using the activating computers.
15.
The C P A V wiU k deployed through an electronic messaging program
conaolled by ;he FBI. The computers sendink and receiving the

be machines controlled by the FBI. The electtonic message deploying
nly be directed to the administrator(s) of the "Timberlinebambinfo"
Electronic messaging accouuts commonly require a unique user
a).
same and password.
Once the CIPAV is successfully deployed, it will conduct a onetime search of the activat'ing computer and capture the information
b).
desctibed in paragraph seven.
The captured information will be forwarded to a computer
c).
,
d).
conmlled by the FBI located within the Eastern Disuicc of
Virginia.
After the onetime search, the CIPAV will function asa pen register
device anxl record the muting and destination addressing information
for electronic communications originating from the activahg

computer.
Affmvit of Norm Sadeta for CIPAV
USAW'lW7R00791
Page 13 of 17 Pages
e).
The pen register will recod PB address, dates, m d times of the
electronic comwnicatiom, but not the aoutents of such

ccmmunieatioas or the contents contained on the computer, and
U'mard the
address data to a computer cantroned by byhe
FBI,Pw r p d o d of (60) days.

CQNCLUSIOM
16.
Ikrsed upon my review of the evidence, my training and experience, and
iformation I have gathered from various computer experts, I have probable cause to
,
elieve that deploying a ClPAV in an electronic message directed to the administrator(s)
f the MySpace 'Timberlinebombinfo" account will assist in identifying a computer and
idividual(s) using the computer m transmit bomb mats and related wmmunications in
iolation of Title 18,United States Code Swtions 875(c) and 1030(a)(S)(A)(i) and
3)(iv).
17.
Becawe notice as required by Federal Rule of drimid Procedure
l(Q(3) would jeopardize the success of the investigation, and because the hvestigation
as not identified &I appropriate person to whom such notice can be given, I hereby
quest aumorizatioo to delay suoh notice until an appropriate person b identifA.
h e r , assuming providing notice wollld still jeopardize the iuv&tigatioion after rur
~ropriateperson to receive notice is identified. I request~permissionto ask this Court
1 authorize an additional delay
in notification. In any event, the Unitwl States
Dvcrnment will notify thii Court when it identifies an appropriateperson to whom to

ive notice, sa that this Court m i y determine whether notice shall be given at that h e .
Because there are legitimate law enforcem~ntinterests that justify an

nanuounced use of the CIPAV and rev$w of the messages generared by the aciivathg
18.
4Wdavit of Nom ~adcn'

for CIPAV
JSAW 2007RMn91
.ter in this case: I ask this ~ o u rto

t authorize the proposed use of a CPAV
t the prior announcement of its use. One of these legitimam law enforcement
is that announcing the use of the CIPAV would assist a person conaolling the
computer(#)to evade revealing its true IP address, other variables, and certain
e infDrmation - thereby defeating the ClPAV's purpose.
19. Rule 41(eX2) requires that (A) the warrant command the PBI ''to execute
'within a specified time no
. . longer thsn 10 days" and (B) "execute the
the d a y w e unlesa the judge for good cause expressly authorizes
r time.. ." In order to comply with Rule 41, the Government will
between the hours of 6:00 a.m. and 10:OO p.m. (PST)during an
. However, the Government seeks permission to d any messages

"ahg computer as a result of a CTPAVat any dme of day or night
period. This is because the individuals using the activating
e CIPAV after 10:OO p.m. or before 6:00 a.m.,and law

read the h e m t i o n it receives as soon as-it is aware of the
emergent nature of this investigation. If the C
W is not
O-day period, the Government will seek further authorization
n sent to the computer controlled by the FBI as a

from the date the Court authorizes the use of the
20.
Because the FBI tannot predict whether any particular fom111ationof a
s) mnkolling the activating computer40 activate

rize the FBI to continue using additional
ySpace accwnt (for up to 10 days after this
been activated by the activating &puter.
Aff~davilof Nom Sandm for CIPAV

USAW2mm791
Page I5 d 17 Pages
dl.
Accordingly, it is respectfully requested that thiscourt issue a search
a m t authorizing the following:

the use of multiple CIPAVs until one CIPAV is activated by the
a).
tivating computer in o~njunctioa.with the target kIyspace *TimbedinebombiafoW
,
, &ithour prior,annou~lcernent,within 10 days from the date this Court authorizes
the CIPAV may cause an activathg computer - wherever located b).

etwark level messages containing the activating computer's 1P address, andlor
s, andlar orher variables. a m o r certain regisay.*lpe information to a
'
led by the FBI and located within the Eastern Di~UictOf Virginia;
c).
that the FBI may receive and read, at any time of day or night,
m the date the Court authorizes of use of h e CIVAV, the information

ses to be sent to the computer controlled by the FBI;
d). that once the FBI bas received an initial ClPAV response from the
ivating computer consisting of network level messages contawg the activating
r's IP address, andlot MAC address, and/or olher variables, andlor c m i n

information, the FBI will thereafter only be collecting the Q ~ s of
routing information that can be collected pwmnt to a pw register
.
e).
that. pursuant to 18 U.S.C. 63103a(b)(3). to satisfy the notification
Pederal M e of ~ r & l Ymedw 41(f)(3), the FBI may delay

y of the search warrant and the receipt for any property talcen until no
(30) days after such time as the name and location of the individual(s)
ug computer is positively identifd or a latter date as the court may,
n, authorize. Provision of a copy of the search warrant and receipt

ny ocher methods allowed by law, be effectuated by electconic
curare electronic copies (e.g. Adobe PDF file)of the fully

Affidavit ot Norm Spndcrs for CIPAV
USAW urwRWl91
Page 16 of 17 Pages
It is fuaher requested that this Application and the related documZnt6 be
22.
filed under seal. The information to be obtained is relevant to an on-going invesqgation.
Remature disclosure of this Application and related documents may jeopardize the
iucces8 of
the above-described investigation.
WHEREFORE,Affiant respectWly requests that a warrant be issued authorizing

b FBI ro utilizt: a CIPAV and receive the attendant information according to the terms
st fonh in this Affidavit.
TIXIS APPEPCATTORI DQES NOT SEEK AUTRQHPPZATIQN TO O B P 1

iBE ~ O N l % N TOF ANY ELECTROMC COi+vfMDMCAmONS,AND 'FWE
WARRANT WlLL SO SECU'Y.
iworn to an subscribed before .

day of June. 2007
me &is
n#.
~fidldavitof h r m S d e r s for CIPAV
USAW 2CO7R00791
Page 17 of I f b e
SECRET
(3
4.37 ~
caea: Atd-GIanu
UA
IS)
DIIIL: 08-14-2008
CIIISSInH) BY 60322UElp1Sq /L&
A50Q: 1.4 I s )
CLAS4TFI MT: 08-14-2033
ALL TWPOPEATZ31 COXTkZNED
SECRET
tlERt7U T9 ETCtA357tTE0 EXCEPT

SHOGW OIEERUISE
4 - 7
ROUTINE
Precedence:
TO :
Date:
09/05/2007
b6
Records ~anagement
Attn:
~ ~ ~ S / w ~ ~ / ~ i n c hSite
e s t2,
e rGR N23
From:
Office Special Technology

Special Technolosies and Applications Office
Contact:
approved -By:
Drafted By:
..
'~aae
ID #:
Title:
b7c
I
-:w,~~
130-HQ-C1547903
(Pending)
FREEDOM OF INFORMATION ACT

REQUEST FROM WIRED NEWS
~
-------
----
ELECTIjllNIC FRONTIER,AND
C ~ E T,NETWORKS-
/w d
ALL INFORMATTON ~ 0 i m ~ 1 m ~
HEREIN IS UI$CLA5SIFIED
DATE 03-19-2008 BY 603221p/plj/rds
Synopsis: To advise Records ~anagementof results of the Special

Technologies'and Applications Office (STAO) search for responsive
documents pertai.ningmto the Computer and Internet Protocol
Address Verifier ,($IPAV)tool pursuant to captioned Freedom of
Information Act. (F6IA)p request. . .
Reference:
1 9 0 - ~ ~ - d 1 5 4 7 9 0Serial
3
49
Enclosure(s): Enclosed under separate cover for Records

Management are: one (1) compact disk containing an electronic
copy of "Magic Quadrant for Information Access Technology." aqd,
,,(I)
packetof all STAO IAU held CIPAV tool materials.
!'
Detaile : !Pureuant to Records Management request detailed in

referenced communication, STAO canvassed all unit personnel for
any and all documentarion, correspondence, and materiala
concerning the CIPAV tool. The response w a s negative for all
STAO entities with the exception of the Investigative Analysis
Unit (IAU). IAU has provided copies of all unit resident
information concerning the CIPAV tool. The requested information
has been forwarded under separate cover to Records Management.
Inasmuch as the Records Management request for a search

for any and all CIPAV materials was conducted, with tthe resultant
materials forwarded to OTD, STAO considers the matter satisfied
and the lead covered.
.:
:,.
,i
,,.
, .?
??
Re:
190-HQ-C1547903,
Prom:
Office sp&cial Technology
To:
09/05/200d7
LEZ+D(a):
Set Lead 1:
(Info)
RECORDS MANAGEMENT
AT RIDS/~PU/WINCI-~ESTERSITE 2 , GR ~ 2 3
Read and C l e a r .
(Rev. 01-3 1.2003)
Precedence:
To:
ROUTINE
Cyber
Cincinnati
Evansville RA
Indianapolis
; r j \
Las Vegas
From: OFFICE SPECIAL TECHNOLOGY

STAO/STOU
Cootaot :
I SSA )
Approved By:
Drafted By:
Case,ID
Title:
cTPAv nPPT,nYMrNT '
Synopsis:
i jjb
To f o r w a r d results
ALL INPORNATLON CONTAINED

b6
HEREIRT IS UNCLASSIFIED
b7C
DATE 03-19-2006 BY 603221p/pljlrds
(Pending)
of analysis a n d to cover lead.
r:
Enelesura(s):
F i n a l report of f i n d i n g s dated May 23, 2001.
Details: he r e f e r e n c e d
analyze 1
irequested that STAO
Previous analvsis of CIPAV data resulted in the

b2
b7E
b7A
To:
Re :
ICE SPECIAL TECHNOLOGY

05/25/2007
Enclosed is a final report of findings. This report

supercedes any preliminary reports that were provided
electronically/telephonically prior to the publication of the final
report. Please note that the final page of the report
includes a customer satisfaction survey and.that, time
permitting, STAO/STOU would appreciate candid feedback in
order t o ensure the satisfaction of its customers.
STOU considers this Lead covered.
SPECIAL TECHNOLOGY
05/25/2007
LEAD ( a ) :
Sea Lead 1:
(Info)
CYBER
A'ILR#SH.I.NGTON.
DC.
Read and Clcar.
sat uILd 2 ;
(Action)
CTNrTN,ty$TI
AT CINCINNATI. 01110
Read and C l e a r .
S b t laad 3!
(Info)
LAS VEGAS
AT LAS VEGAS. NEVADA
Road and Clear.
set wad
4 ~ :
(Info)
INDIANAPOLIS
A'I' E V A N S U E
Read and Clear,
INDIANA
August 28,2007
RMS Request Number:

Performance Xndlcator :Technical exprtlr
I D :0116159
Stntus :Closed
Opened : 11/17/2006 3:41:39PM
Closed :5/14/2007 9:43:57AM

b6
I-:
Requestor Name
I-[:
Phone
office : HOUSMN
Offlcs t o d m :3290-0000
b6
b7C
Investigative Pmgrsm : NRP-lT
I -:
Assigned to Name
Program Manager
Figned TO fmup : CEAU
PmQram/Type :Remote Computer Trace
catee~:cEAu
Ibm: Internet Tracer
Derived from: OTHER
ALL 'INFOPJL4TION COETATNED

HEPJTRI I5 UNCLASSIFIED EXCEPT
WHERE SHDWN OTHERWISE
b7C
Case Clasrifiratlon Number :315A
DATE: 04-11-2008
CLASSIFIEP BY 60322UCltP/PLJ/gjg
REASON: 1.4 ( C )
August 28,2007
RMS Request Numtrer:

Request I D :0092259
1 Status :Closed
Raquestor Name
Phone
PeMrmance Indicator :~echnicalexpertise

Opand :9/27/2004 2:28:13PM
:n
C l d : 1/13/2005 1:39:50PM
Office :'OMAHA
:n
Case Classffleation Number :
lnvertigative Pmgram :
Assigned to Name
:n
~saignedTO ~ m u :p o
- 0 ~
(S)
:D m
Item: Internet/ISP intercept
Program Mana er :
-ram/-
IffT',I
b2
4 S ]1
b 7 ~
-I
27120W 2:28:13 PM
ssigned/forwarded request t
u
9/27/2004 2:28:13 P P f y
assignedlbnrvarded request b
DATE: 08-14-2006
REASOB: 1.4 ( C )
ALL f A 1 F O ~ T I O NCOXTATNED
HEREIN TS UDTELA591FIED EXCEPT
WfERE
mom
OTHERWTSE
o h a s Raasslgned or Forwarded th
10/21/2004 1:20:40 PM
Request ID :0096936
IStatus :Completed
de
Petformane Indlwtor :
Opened :2/1/2005 7:34:18PM
'
Closed :3/25/2005 9:47:31AM
Case MassifiGstSah Number :ZZZ

I Imcstlgatlve
~miarn
:MIX
I'
I ( :
;vC
Pmgram Manager
Assigned To Group ; EP CEAU
Pmgram/Type :DataPole Irrtercept with EnctypWon
Categoy :CEAU
Itern: Encryption Technologies
pfrields has Reassigned or Forwarded this

b 3.
3/25/2005 9 4 2 3 1 AM
b2
b7E
Jw Reassigned or Forwarded this 'wue?
as Reassigned or Forwanled this request m

DATE: 08-18-2008
CLASSIFIED BY 60322UC/LPISTP/gjg
REASON: 1.4 (E)
DECLUSIRI ON: 08-11-2033
ALL IlFORElATIOlV COhTAIlED
HEWIN IS UNCLASSIFIED EXCEPT
WS
t 2F
.
SiIOW$ OWRTJTSE
Page 1 of 1
I
1,
n
August 28,2007
RMS Request Number:

status :a m p l a
Parformanee Indieator :
Opened : 3/8/2005 12:35:09PM
I- :
Closed :3/18/2005 2:34:41PM
RequestDr Name
Ornw :CyDfIINI
Phone
Offlw Code : 1813-0000
:n
Cats Classiflcablon Number :315A

r n v w g a t i w Program :NRP-IT
I-:
Assigned b Name
~rnghm
Manager
Assigned To Group : CEAU
Program/-
Categoy :CEAU
rtem: Internet: Tracer
DATE: 08-14-2008
CLASSIFSED BY 60322VC/LP/STP/g>g
REASON: 1.4 ( c )
DECLASSIFY OM: 08-14-2033
ALL INFORFlATION COUTAIIdED

HEREIP I5 UNCLA55IFIED EXCEPT
n P E SBOWN VTtERWISE
Page 1of 1
b6 f
1
b7C
:Remote Computer Trace
August 28,2007
Status : Completed
Performance Indicator :
Opened :4/25/2005 10:32:21AM
Closed :4/27/2005 8:43:llAM
1-1
~ffica: BUFFALO
Requestor Name
1-
b6
m c e code : 3110-0000
Phone
b7C
Case Classification Number :315A
rnvestigative Progmm : NRP-lT

Assigned to Name
Program Manager
Prograrnlqpa :Remote Computer Trace
Assigned To Gmup : CEAU

Categoy :CEAU
Item: Internet Tracer
l~equeaed
Support :Buffalo request asslsbnoe wlth UPAV
11 Ilworklog :4/27/2005 8:43:11 AM
IS) J
bl
b2
b7E
b6
b7C
DATE: 08-L4-2008
CLASSIFIED BY 60322UC/IP/STP/gjg
REASOW: 1 . 4 (C)
DECLA35Im 08: 08-14-2033
ALL INFOREIATLON CONTAINED

HERETl T5 UNCLASSIFIED EXCEPT
WWRE SHOWN OTHERWISE
UN~JASFED
Page 1 of 1
06
b7C
Request 10 :0099477
Status :C o m p l M
Closed :5/6/2005 9:04:llAM
Opened : 5/6/2005 9:03:10AM
Requestor Name :
Phone
I(:
Ofiice : PHILADELPHIA
OFRce Code : 1813-0000
b6
b7C
Case ClassMcalion Number :315A
Investigative Pmgram :NFIP-TT
:
nb7C
u6
1-4
Assigned to Name
h i g n e d To Gmup : CEAU
Program Manager
Program/Typ :Remote Computer Trace
Category :CEAU
mm: Internet Tracer
DATE: 08-14-2008
CLASSIFIED BY 60322UC/tP/8TP/~j~
REASON: 1.4 ( C 1
ALL TUFDPWTTON CDETAINED

tiERETN TS UNCLASSIFIED EXCEPT
WHERX SHOWN O m R W T S E
SECRET
UNC-D
Page 1 of 1
RMS Request Number:,

1 ststus ! ~
Pertormanee Sndlcator :
o m p l ~ Opened :6/23/2005 10:33:56AM
Closed :6/23/2005 10:34:25AM
Requestor Name-:
Phone
I- :
Care ClarrMcaDian Number :315A
Investigative Program :NRP-TT
0ffim :NMT ORLEANS
b6
W k e Code : 1813-0000
b7C
Awigned ta Name
:
n
~ & i a m Manager :
AWigntd TO Gmup : CEAU
%6
b7C
hQr;lm/Type :Remote Computer Trace
Cakgory :CEAU
mm: Internet Tracer
..
b7C-
~upporl~
: ~ n w a nto tsendl
s
to a cyber extortion subject.
b1
1 Worklog :6/23/2005 10:34:25 AM

11
b2
&=ant
b7E
ALL TWFORELTTOI COMAImED

-IN
19 URTCLASSIFIED
DATE 09-16-2008 BY 60322UC/LP/STP/gjg
Page 1 of 1
amplate sw a amdavit to S A n a n d
~ On n
5.23.05, ~ ~ n a d v i s that
e d he b still
get a warrant to use the technique. On 6.23.05
dvised that case is being closed. COMPLFED
August 28,2007
RMS Request Number:

Request ID :0102202
Status :Completed
Perlbrrnanfe Indicator :
Opened :8/12/2005 3:52:28PM
Requestor Name :
Phone
:n
claeed :9/28/2005
12:39:43PM
0ma :CLEVELAND
omoe Code :3170-woo
b6
b7C
Case C l a d f i e o n Number :315A

Investigative Program ;NRP-lT
f
Arsigned To Group : CWU
b7C
6-
Pmgram/Type :Remote Computer Trace
I t n u Internet Tracer
I
communicating wlth fugithre via Email
b7E
b6
ALL IWFORFUTIORI COliTLTWED

HEPEW 3 1 UNCLASSfPIED
DATE 09-16-2008 BY 60322UC/LP/STP/gjg
Page 1of 1
August 28,2007
RMS Request Number:

PerPDrrnance Indicabr :
Ststus ? Completed
Requestor Name
I-[:
Opened : 8/17/2005 1:10:54PM
:n
m m :C H A R L r n
ORia Code : 1813-0000
Phone
Cam ClassCReation Numlrer :315A
Imastlgatlve Pmgrarn :NFLP-TT
:nb7c06
igned Q Name :
O
migned To Group : CEAU
C l o d : 8/17/2005 1:11:12PM
Prmram Manager
Pmgram/fypc !'~mI0te
Computer Traa
Category :CEAU
DATE: 09-16-2008
CLAssTFIED BY 60322 V C / L P / S T P / ~ ~ ~
EASORT; 1 . 4 ( c l
DECLASSIFJI ON: 09-16-2033
ALL INFOaEIATION CONTATldED
HEEIRT I S UNCLASSIFIED EXCEPT
WERE SHOWN OTPERWIIE
1 -
1 /
Page Iof I
RMS Request Number:

Request ID : 0102306
mtus :Complekl
PerPormance Indicator :
Opened :8/17/2005 1:26:50PM
I-[:
C l o d :8/17/2005 1:27:02PM
Requestor Name
OfRm :LOS ANGELES
Phone :
Miice Code : 1813-00W
b6
b7C
Tnwstigatlve Program : N R P r r
I(:
f -4
Adgnedto Name
Pmgram Manager
i**signed To Group : CEAU
Pmgam/Type :Remote Computer Trace
mtegoy :CEAU
ALL IWFOQJWTIDI CONTAINED

F I N IS UXCLASSXFfED EXCEPT
W W S B O m OTERWISE
Page 1 of 1
August 28,2007
RMS Request Number:

Status :Gornpleted
m ;10/18/2W5 2:22:16PM
C I U :1W1812005 2:22:32PM
Offiw Code :1813-0000

Asslgned To Group : CEAll
~ m g r a m / V l k:Remote Computer Race
m m : Internet Tracer
b6
b7C
ALL INFORHATTflN COBjTAWb

mRgm 25 UNCLASSIFIED
D
A 09-16-zooa
~
nr
SO~Z~UC/LY/~'~P/W~~
RMS Request Number:

Status :Cmnpleted
Performance Indlcatxlr :
Requert ID :0106847
Opanetl: i1/28/2005 i1:02:43AM
Closed :12/21/2005 2:08:31PM
Requestor Name :
I
MAce IDENVER
phone :
Mnw Code :3210-OW0
Cam ClassffiUtion Number :315A
1-
nssigned TO GWUp : CEAU

Category : CEAU
b6
b7C
ProgramIType :Computer Exploitation
Itsrn: Remote Computer Search/Surveillance
I
Requested Support :Re hlcall t o 0 1 1 / 2 3 &
2812005. Denver requests use of the CIPAV technique. A draf
of an affldavR has been e r n a i l e d a o n 13/28/2005.
Additional information wlll follow re method used to deliver the
technique. Questions, please call)
DATE: 09-16-2UU8
CLASSIFIED BY 60522UClLP/STP/gjg
REASON: 1 . 4 ( o )
DECLASSIFY Om? 09-16-2033
ALL IMFORMRTIUll COWAINED

E R E I N IS UNCLASSIFTED EXCEPT
TiEZFE SIiOm DTTERWISE
Page 1of l
og :12/21/20052;08:31 PM
August 28,2007
Seatus :Completed
Opened : 12/6/2005 4:19:10PM
I-:
Closed : 12/6/2005 5:08:04PM
Requestor Name
DfAm :PHOENIX
Phone
Miice C d e :3630-0000
:n
Caaa ~la&cati&
Number :315A
InvestigativeProgram :NFIP-TT
migned to Name:
'
PmgramlType : Computer ExploitaSon
Assigned To Group : CmU

Caregoy :CEAU
Itrm: Remote Cornpuhr Search/Surveillance
t S ' I
bttempts to get status of intere

from
land I T A l
"]metwlh negatlve m u b o
a numzr of mssions. COMPLITE.
DATE: 08-14-2008
CLAlSIFSED BY 60322UC/LP/STP/gjg
REASON: 1.4 (C]
DECLASSIFY 0 1 : 08-14-2033
ALL INFOREIATION COlK4INED
HEREIN I S UNCLASSIFIED EXCEPT
WIEW SWOWN VTKCRWISE
Page 1 of 1
August 28,2007
RMS Request Number:
0107347
Pwlbrmance Indkatur :
Status :Completed
Opened : 12/14/2005 5:04:36PM
I - :
~eqiestorName
:n
Closed :2/9/2006 9:32:16AM

O ~ :
KWASHINGTON
b6
b7C
M R C ~C O U :
~ 3920-0000
Cam Classifieatlon Number :315A

~ ~ g a t i Program
v e
;NRP-lT
Assigned to NameI-:
Asdgned To Gmup : CEAU
Category :CEAU
m m : Remote Computer Search/Sutveillanoe
Program Manager :7
1
PmgtamlType :Computer mplohtlon
Warldog :2/9/2006 9:32:16 AM

sslms
ALL I N W m T I O I COrnAINED
HEREIN I9 ETCLASSIFXED
PATE 04-15-8006
BY 603ZZVC/LP/PLJ/gjg
Page 1 of 1
o6
b7C
August 28,2007
Status :Completed
~eiformaiceIndimtor :
Opened :12/21/2005 2 : 1 5 : 1 5 ~ ~Closed : 1/5/2006 4:55:44PM
I-:
~cquegtorName
(Iffice :W V G A s
p h 0 n e : I l
Mnee Code :33806000
b6
b7C
Case Claslficatlon Number :315A

~mgram
Manager
I -:
Asslgned To Group : CEAU

eabegoy :CEAU
Itam: Internet Tnwr
DATE: 08-14-ZOO8
CLassIFIED BY GO322UC/LP/STP/gjg
REASON: 1 . 4 ( C )
ALL JRTFOPJUTIDN COmAINED

=REIN TS UNCLASSTFIED EXCEPT
WIIERF SEOWN OTHERWlSE
Page 1 of 1
b7c
RMS Request Number:

Request I D :'0111114
Status :Completed
R~uastM
Name :
Perfbrmance f ndleator :
Opened : 4/27/2006 10:43:58AM
1-
Phone :
C l d :4/27/2006 10:44:16AM
OflCe :PrrrSBURGH
0mce code :3650-0000
b6
b7C
Case Claasifiation Number :315A

Inveetlgatlve Program :NnP-rT
I(:
Assigned to Name
~rograrnManager
1-4
Program/Type :Remote Cornpuber Trace
~6
b7C
category :CE4U
m m : Internat Tmcer
b6
b7C
ALL IWFOREhTION COEJTAIXTD

HEREIN IS UNCLASSIFIED
PATE 04-15-2008 BY 60322UC/LP/PLJ/gjg
Page 1 of 1
August 28,2007
RMS Request Number:

Requesl I D : 0111145
Opened :4/28/2006 9:45:21AM
Status ;Completed
Requastor Name
I- :
Closed :4/28/2006 9:45:44AM
Office :DM-CRYVrOLOGIC B ELECIR ANALY

:
(
I
Omce Code ; 1813-OW0
Phone
CaPe Classlfldon Number : ' 3 1 5 ~
fnwetlgatlve Program :NFIP-lT

Assigned
1-
Name :

category :
Prqjram Manager
PmgramlTypsl: Remote Computer Trace
mu.

I
Reauested Support :&

On
i 8.31.05. SA)
DATE; 04-15-2008
CLASSIFIED BY 60322UC/LP/PLJ/dU
REASON; 1.4 (Cl
DECLASSIN ON: 04-15-2033
ALL I ~ F O r n T I O NCOrnATNED
WEREIN IS UNCLASSIFIED EXCEPT
m
R
E 5 n m OrnRWISE
Page 1. of 1
August 28,2007
RMS Request Number:

Status :Closed
Performance Indieator :Technical expertise

Clmed :3/7/2007 10:28:16AM
Opened : 11/2/2006 5:14:29PM
~rLOUIS
Rtque~brName $
7
Phone
OW~B
:
b6
Office Code :3730-0000
b7C
-Asslgnd to Name :
n
Pmgram Manager
I-:
6b7c
Assigned t o Gmup : CEAU SL
Programlfvpe :Computer Exploibtion
1-1
Case ClassHization Number :315A
InvePligative Program :NFIP-TT
Cetegvy :CEAU
Item: Remote Computer Search/Surveillance

1
has Reassigned or Fornarcled this q,tCt to

bl
DATE; 09-16-2008
ALL IMFORMATIOM COMTAIUED
CLASSIPTED BY 60322UC/LPt3TP/qjg WEREIN IS UNCLASSIFIED EXCEPT
PEASON: 1.4 ( c )
WHERe SHOWN O'lEERUISE
DECLASSIN CQJ: 09-16-2033
Page .lof
August 28,2007
Request ID :0117037
Status :Closed
Pei'Fannance Inditatar :Technical expemse
Opened :1/9/2007 4:16:55PM
C l a d : 5/14/2007 10:04:28AM
Requestor Name :
Phone
flee :fl LOUIS
:n
'
b6
b7C
Miice Code :37300000
Cam Clasification Number :315A
ZnwslrgaUve Pragram : NRP-lT
Assigned tm Name j
Program Manager
- 4
Assigned To Group : CEAU SL

Wtegov :CE4U
Item Remote Computer Seareh/Surveillance
b1
b6
-b7C
Pmgam/Type : Computer Ewpbltation
b2
b7E
l l l U Z W 7 8:37;25 AM
b6
Ihas Reassigned or Forwarded thibT$uest
DATE: 08-14-2008
CLISSLFIED BY bD322UC/IP/STP/gjg
REASON: 1.4 [Cl

DECLASSIPY 01: 08-64-2033
ALL INFDREtATION CONTAINED

MREIN IS UNCLA33TFIED EXCEPT
m
R
E SN0W OTHERWISE
to
smw
DATE: 03-38-2005
CLASSTFIED BY 6 0 3 2 2 1 ~ i v l J l r d a
=SO%
1.4 I s )
DECLii5SIA:.0
03-18-20.33
ALL IPIOPJNTIOH COrn&IiIEb

HemIW 19 CWCLASSITIED
Caru: At-A-G~uuc~
Care Number
b7A
..."
,,.,'
,
,
,.,'
IIProgmm Sensitive
bl
b2
b7E
blA
Page 1 of 26
,,
09/14/2006 1722 hrs.
IlPrognm Sensitive
Page 2 N26
Cases; At-A-Glrnee
\
tsj
Csle Nulnber
Pending
b7A
bl
b2
b7E
b7A
(5)
09/14/2006 1R22 hrs.
//IPiqram Sensitive
Page 3 of 26
(s)
Casa: At-A-GIaace
09/14/2006 17:22 hro.
IIProgmm Sensitive
Page 4 of 26
SECRET
1
IS)
$1
b2
YE
~ Y A
I s1
5)
09/34/2006 17:22 hrs.
(s)
IRrogrnrn Se~sltlve
pate 7 oil6
I
9
UNKNOWN
4s)
bl
bl
b7E
blA
L,,,,,
10
I
I2
I3
09/14/2006 17?22hra.
Page 8 of 26
09/14/2006 17:22 hn.
//Program Sensitive
(5)
Es1
bl
b2
blE
:s)
""
( S]
-
W1412006 17:22 hrs.
IIPmgram Sensitive
Page 11 of 26
09/14/2W617:ZZ 1rm.
IIPrognm Sensitive
b~
b2
b7E
b6
b7C
Page 12 d 2 6
Page 17 of 26
bl
b%
blE
1 .
31 s ~ ~ a 5 4 3 a r
?I - 1
ISl
.,'
...,....
..,.' . "
,..,..,,.,.
Is
-09/14/2006 17:22 hrs.
.,...., ,
....
.,.,..I.'
,,...."'
//Program SenalUve
Page 18 of 26
.,...
, .,.
,,,.,,.
Page 19 of 26
CMS6D
(s)
IS
bl
b2
blE
CLOSED
288A.RH-52644
-5s)
.,,
Page 20 of 26
IIProgram Sensitive
Page 21 of26
C481i At-A-GIaUCe
174C-LV-39242
CLOSED
1
k. n
2BBD-W-
.'P
2329M
msao
a)
31sB.IP.
94772
bl
b2
b7E
CLOSED
~"7-Ti?777
C s1
Is
CWSED
Unknown
\,I
-CS)
315N-SF-012606
//Program SsnslUve
Page 22 of 26
page 26 of 26
DATE: 09-13-2008
CLASSIFIED BY 6032Zuclp/stp/rds
PEAsON: 1.4 ( C )
S&T
ALL IPFOmTION CONTAINED

=IN
1I.UNCLAIBIFIED EXCEPT
suomgmmLs~
Last update 5 June 2007
DATE: 08-13-2006 - '

CLASSIPIEP BY 6032Zuclp/stp/rds
RERSOWI
1.4 (el
DECLASSIFY 08: 08-13-2033
ALL INFORMATION C D h T A I m
liERGIB 15 UNCLASSIFIED MCEPT
WERE SHOWN OITERWISE
Last Update 5 June 2007
Swsitive but U
Version Control
Date
ChangedBy
Version #
0.1
Changes
Draft Baseline
Sensitive but
Last Update 5 June 2007
.d '
u~W
.*
Law Enforcement SensltivelSeuitive But

For Official Use Only
ASSSFIED BY 60322uoLp/aw/~d3
,A~ON; 1.4 L C )
:CLASISSJN
OH; O ~ - L ~ - Z O ~ S
Crv~toaraohicand Electronic Analysis Unit (CEAU)
TE: 08-i3-2006
Law Enforcement ~e;sitlvel~ensltlveBut
----r-n
nian nnlv
Law Enforcement SensitivelSensitlve But LJDC
For Ofilcial Use Only
Case Suppoe Sbndard Operating Procedures (SOP)

Somare Development Group (5DG) Deployment Operamns Center (DOC)
1
\
4. Case Remote Install
-,dT
Page 2 of 2 Pages
Law Enforcement
But
- Sensitlve/Sessitive
-.-E-A..,
smm
Y/=/-Q
Law Enforcement SensitiveISensitlve But Unc

DATE: 08-13-2000
CLASSIFIED BY 60322uoLp/stp/rds
REl3rJN: 1.4 ( o )
DECLASSIFY 01: 0~-13-2033
-. -
El'
ALL INFOFXATTON CONTAINED
Page 1 of 10 Pages
HEREIN IS UNCLASSXFIED EXCEPT
WAERE SHOWN OTHERWISE
Law Enforcement Sensitive/Senaltive But
=P&T
Rnr nftirinl ITse Onlv
bl
b2
b 7 ~
I--,.,
Law Enforcement SensitivelSensitive But
b2
b7E

Somare Development Group (SDG) Deployment Operations Center (DOC)
2==I
Page 2 of 10 Pages
t a w Enforcement SensitivelSensitive But: Unc

w e
'
SEW
Law Enforcement Sen1ItiveIS~n6itiveBut U~

'
bI
b2
b7E
Case Suppo.rt Standard Operating Procedures (SOP)

Somare Development Group (SDG) Deployment Operations Center (DOC)
Ii
j
j
I
1
i
j
i
j
j
I
Page 3 of 10 Pages
L a w Enlomnent SensitlvdSeasitive But*U
MT
w-"
r.#*"&.I
11"-
#%..I..
Law Enforcement SendivdSensifive But ~k)jas$$ecl

bl
b2
Case SuppoR Standard Opeating Procedures (SOP)

Cryptographlc and Electronic Analysis Unit (CEAU)
b7E
(DOC)
Page 4 of 10 Pages
Law iEi~hnrmentknsiLive/Sensitive But*U

Per ChFiini.1
l l r . ~nnlv
Law Enlommmt Sensitive,Sensitive But ~ x f i e d

bl
E:E

Cryptographic and Eleamnic Analysis Unit (CEAU),
Software Development Group (SDG) Deployment Operatlons Center (DOC)
Page 5 of 10 Pages
Law Enforcement SasEt6ve/Sensitive But U$?p$$l
Law Enforcement Sensitlve/Sensitive But

Case Support Standard Operating procedures (SOP)
Software Development Gmup (SDG] Deployment Operations Center (DOC)
h
Page 6 of 10 Pages
Law Enforcement SensitlvelSensltlve But Unc
Law Enforcement Seositive/Sensltive But

For Oficial Use Only
Cryptographic and Electronic Analysis Unit (CEAU)'
yrnent Operations Center (DOC)
Page 7 of 10 Pages
Law Bnforcement SwidveISensitive ~ b ~ tn ? y @ $ d
Law Enforcement SeuitiveISensitive But ~n*ed

For O1Ticial Use Only
& h a r e Development Group (SDG)..Peplovrnent Operations Center (DOC)
Page 8 of 10 Pages
Law Enforcement Sensitive/Sensitive But

For Off~cialUse Qnlv
SHT
Law E~forcementSensitivdSensitive But Unc ified

Bar Official Use Only
Case Support Standard Operating. Procedures (SOP)
loyment Operations Center (DOC)
Page 9 of 10 Pages
Law Enforcement SensitlvelSensitive But
For Official Use Onlv
Law Enforcement Iensitive/SeosMve But* U


Software Development Group (SDG) Deployment Operations Center (DOC)
-
b1
Page 10 of 10 Pages
Law Enforcement SensitivdSeositive But ~ n h m d
Pittrlburgb II Investigation @merent case then original ongoing one)
..
*
01/04/2007 SPU referred case to OTD/CEAU

01/31/2007 ITOS requests OTDJCEAUif remate computer attack can be conducted
against target
02/07/2007 SPU contacted CEAU to offer assistance regarding case. CEAU advised %2
it may quire
1-a
which falls in SPVs a&.
If so,CEAU wiU c o o ~ t C b 7 ~
with SPU for the task.
Present Per Case Agent, CEAU advised Pittsburgh that they could assist with a wireless
hack to obtain a frle tree, but not the hard drive content. SPU has not heard anything h m
OTD rcgardjng this.
,.
Cincinnati ~nvestigation
1-
Acting Unit Chief, Special Technologies 0 erations Unit (STOU) was

contacted w the evening of F e b v r y IJ.2001by 6psi.I Agerd[L1(~quad
if C i n c i i t i Division) reqksting urgent support . ~ a a d v i s e that
d he was working on a cage
(288A-CI-76037-WB) which &needed immediate assistance h m STOU in analytitlg data
obtained h m a Computer and I~temetProtocpl Address Identifier ("CIPAV") inserted in five
d
i
f
f
e
r
e
n
t
t
b2
b7E
b7D
Acording to the Cincinnati's EC, "The CIPAV was previous1 &posed to hackem from
01130/2007 to 02/09/2007 but no information was gathered because
I
DL
"During the period of the current search wmranb the ~ & u bhacker(. r r c c e i s e d n
02/13/2007 at 12:23:08 Eastern Standard Time
I"ESTr9. The Unaubfs) then ~ r o c e e d e j visit
t ~ the site 29 more timer. I n these instunces, the
b ~ ~ dnot
i deti&iilsrp&bad
d
becrrurc of system incompatibiliry. On 02/15/2007 at
5:29:21 EDT, the system was able to deliver a CIPAV and the CIPAV tetumed data"
~ ~ a r e ~ u e sSTOU
t e dimmediately begin analyzing all data recovered by the CIPAV
and continue to perform analysis on an ongoing basis until the termination of CPAV operations
.
STOU engineers immediately engaged in the case and began providing data back to SA
0 t h very next day. STOU contiaued to provide daily support until the analysis was
complete.
b2
b7E
b7Q

Cipav Wired Foia 04-16-09 PDF

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

Cipav Wired Foia 04-16-09 PDF

Transféré par

Droits d'auteur :

Formats disponibles

.

of you b o w , some investigators have begun to use .ninvestig'ativctechique referred,

VNCLASSLFIED/FOR O W I C L ~USE ONLY

Primary Technical 'Lead:

CEAU Staff Involved:

ALL INFORHRTLOW COKTAImED

UNCLASSIFIEDIFOR OFFICIAL USE O

Contact N u m b w ( 1 - E-mail Address:

e File Number: 1964-RQ-1515692

UCFN Serial Number:

Due Date: TBD

CEAU Staff Involved:

Cyber-Forensic Trainingdlliancs (ZYCFTA)who

UNCLASSLIVEDLFOR OFFICIAL USE ONLY

niversal Case File Number: 288A -pH-100637

UCFN serial em umber:

Record Sutus; Completed

Primary Technical Lead:

CEAU Staff Involved:

ALL TWmRFIRTION COElTAIMD

UNCLASSIFIED/FOR OFFICIAL USE ONLY

CEAU Prioriiy is: TBD

h E i Z l T d e File Number: 174C-LV-39242

Origin of Request: U.S.

~escription: (U) On 12.21.05, ~ ~ r b i s that

Primary Technical Lead:

Secondary Technical Lead:

CEAU Staff Involved:

UNCLASSIFIEDIFOR OFFICIAL USE ONLY

Bile'Number: 288A -LV-39208

Origin o f Request: U.S.

Primary Technical Lead:

Secondary Technical Lead:

CEAU staff Involved:

ALL INFDaElATfORT COhTAINED

DECLASSIFY ON: 08-15-2053

UNCLASSIFED/FOR OWFXCIAL USE ONLY

'Universal Case !ile Number: 279~-EP-36918

Origin of Request: U.S.

Primary Technical Lead:

Secondary Technical Lead:

HFRELI I9 UNCLASSIFIED EXCEPT

CEAU Staff Involved:

UNCLASSZIFIED/FOR OFFICIAL USE ONLY

File Number: 288A -HO-647RO

UCPN Serial Number:

Dut Date: TDD

Primary Technical Lead:

CEAU Staff Involved:

ALL INFORITATTON CbETATNED

UNCLASSIFlEDlFOR OFFICIAL USE ONLY

Universal Cage File Nurnher:

Origin df Request: U.S.

Primary Technical Load:

CEAU Staff Involved:

CEAU Priority is: TBD

CEAU ID: 20070521-1361 1

F i e Number: 288A -BP-38289

Origin of Request: US.

C SW~ signed on 4.6.05 and

Primary Technical Lead:

CEAU Staff Involved:

REASON: 1.4 (b,cl