(3)

DATE: 08-18-2008 CLASSIFIED BY 60322uclp/stp/rds REASON: 1.4 (c) DECLASSIFY OH: 08-18-2033

bl b2 b7E

AIL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED EXCEPT WHERE SHOOT OTHERWISE

Last Update: 05/16/06 16:30,

9 ? I t

&rr\

Notes: Completed changes suggested at working group meeting. Incorporated comments frorrj

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED EXCEPT WHERE SHOWN OTHERWISE bl b2 b7E

DATS: 08-18-2008 For Official Use Only CLASSIFIED BT 60322uclp/stp/rds REAS0II: 1.4 (c) Case Support Standard Operating Procedures (SOP) DECLASSIFY O H " : 08-18-2033

Law Enforcement Sensitive/Sensitive But Unclassified ALL^HIF^ 'ION CONTAINED HERraf' I , EXCEPT WHERE SHOOT OTHERWISE

Cryptographic and Electronic Analysis Unit (CEAU)

Software Dpyplnnmpnt Q-nun rsnm Dpnlnvmpnt OnpraHnns Canter iPOO

Page 1 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only

(S)

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) CnfhAiaro noimlnnmonl- Oniirt /CHm rionlm/monf rinoraHnne Confor /Tinn

Page 2 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only offtDe-1

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only

SET 2 b7E

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Hpy/plnnmpnf firm in nenlnv/meni Dnerat-inn; Tenter m O D

Page 3 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only s

SECRET

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)
b2 b7

(S)

Page 4 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only offtDe-1

ALL INFORMATION CONTAINED HEREIN 15 UNCLASSIFIED DATE'08-18-2008 BY 60322uclp/stp/rds

=FILED

mio

ENTERED RECEIVED

JUN 1 2 2007 L R
1
2 3 4 5

WESTlt STATE OF WASHINGTON ss: COUNTY OF KING

6
7

Norman B. Sanders Jr., being duly sworn on oath, deposes and says: 1. I am a Special Agent for the Federal Bureau of Investigation ("FBI"), and

S have been such for the past five years. Prior to becoming a Special Agent, I was
9

employed by the FBI as a Computer Forensic Examiner, for six and one-half years. I am currently assigned to the Seattle Office's Cyber Crime Squad, which investigates. various computer, and Internet-related federal crimes. 2. My experience as an FBI Agent has included the investigation of cases

10
11

12
13 14 15 16 17 18 19 20

involving Computer Intrusions, Extortion, Internet Fraud, Identity Theft, Crimes Against Children, Intellectual Property Rights, and other federal violations involving computers and the Internet. I have also received specialized training and gained experience in interviewing and interrogation techniques, arrest procedures, search warrant applications, the execution of searches and seizures, cyber crimes computer evidence identification, computer evidence seizure and forensic processing, and various other criminal laws and procedures. I have personally participated in the execution of arrest warrants and search warrants involving the search and seizure of computers and electronic evidence, as well as paper documents and personal belongings. 3. I am an investigative or law enforcement officer of the United States

21
22 23 24 25

within the meaning of Section 2510(7) of Title 18, United States Code, in that I am empowered by law to conduct investigations and to make arrests for federal felony offenses. 4. Relative to lliis investigation, my duties include the investigation of

26
27 28

offenses including violations of Title 18, United States Code, Sections 875(c) (Interstate Transmission of Communication Containing Threat to Injure), and 1030(a)(5)(A)(ij and
Affidavit of Norm Sanders for CIPAV USAO# 2007R00791 Page 1 of 17 Pages

(B)(iv) (Computer Intrusion Causing a Threat to Public Safety). 5. , I submit this affidavit in support of the application of the United States for

a search warrant. This search warrant pertains to the Government's planned use of a specialized technique in a pending criminal investigation. Essentially, if a warrant is approved, a communication will be sent to the computer being used to administer www.mvspace com 1 ("MySpace") user account "Timberlinebombinfo". . The communication to be sent is designed to cause the above referenced computer to transmit data, in response, that will identify the computer and/or the user(s) of the computer.2 In this manner, the FBI may be able to identify the computer and/or user of the computer that are involved in committing criminal violations of United States Code specifically, Title 18, United States Code, Sections 875(c) (Interstate Transmission of Communication Containing Threat to Injure), and 1030(a)(5)(A)(i) and (B)(iv) (Computer Intrusion Causing a Threat to Public Safety). More specifically, the United States is applying for a search warrant authorizing: a). the use of a Computer & Internet Protocol Address3 ("IP address")

MySpace is a international free service that uses the Internet for online communication through an interactive social network of photos, videos, weblogs, user profiles, blogs, e-mail, instant messaging, web forums, and groups, as well as other media formats. MySpace users are capable of customizing their user webpage and profile. Users are also capable of searching or browsing other MySpace webpages and adding other users as "friends". If the person identified approves your "friend" request, he or she will be added to your list of friends. Users are capable of sending MySpace messages and posting comments on other user's MySpace webpages. In submitting this request, the Government respectfully does not concede thai a reasonable expectation of privacy exists in the internet protocol address assigned by a network service provider or other provider to a specific user and used to address and route electronic communications to and from that user. Nor does the government concede that a reasonable expectation of privacy is abridged by the use of this communication technique, or that the use of this technique to collect a computer's IP address, MAC address or other variables that are.broadcast by the computer whenever it is connected to the Internet, constitutes a search or seizure. Conceptually, IP addresses are similar to telephone numbers, in that they are used to identify computers that exchange information over the Internet. An IP address is a unique numeric address used to direct information over the Internet and is a series of four numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). In general, information sent over the Internet must contain an originating IP address and a destination IP address, which identify the computers sending and receiving the information. Section 216 of the USA Patriot Act (P.L. 107-56) amended 18 U.S.C. 3121 etseq to specifically authorize the recovery of "addressing" and "routing" information of Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 2 of 17 Pages
3 2

Verifier ("CIPAV") in conjunction with any computer that administers MySpace user account "Timberiinebombinfo" rhttD.7/www.mvspace.com/timberjinebombinfo"). without prior announcement within ten days from the date this Court authorizes the use of the CIPAV; b). that the CIPAV may cause any computer - wherever located - that

activates any CIPAV authorized by this Court (an "activating computer") to send network level messages4 containing the activating computer's IP address and/or MAC address,5 other environment variables, and certain registry-type information6 to a computer controlled by the FBI; c). that the FBI may receive and read within ten days from the date

this Court authorizes the use of the CIPAV, at any time of day or night, the information that any CIPAV causes to be sent to the computer controlled by the FBI; and d). that, pursuant to 18 U.S.C. 3103a(b)(3), to satisfy the notification

electronic As used here, a network-level message refers to an exchange of technical information between computers, communications by a pen register/trap & trace order.
4

Such messages work in established network protocols, determining, for example, how a given communication will be sent and received. Every time a computer connected to a local area network (LAN) or to the Internet connects to another computer on the LAN or the Internet, it broadcasts network-level messages, including its IP address, and/or media access control.(MAC) address, and/or other "environment variables." A MAC address is an unique numeric address of the network interface card in a computer: Environment variables that may be transmitted include: operating system type and version, browser type and version, the language the browser is using, etc, These network-level messages also often convey network addressing information, including origin and destination information. Network-level messages are used to make networks operate properly, transparently, and consistently.

Computers that access, and communicate on LANs do so via a network interface card (NIC) installed in the computer. The NIC is a hardware device and every NIC contains its own unique MAC address. Every time a computer connected to a LAN communicates on the LAN, the computer broadcasts its MAC address. As used here., "registry-type information" refers to information stored on the internal hard drive of a computer that defines that computer's configuration as it relates to a user's profile. This information includes, for example, the name of the registered owner of the computer and the serial number of the operating system software installed. Registry information can be provided by a computer connected to the Internet, for example, when that computer connects to the Internet to request a software upgrade from its software vendor. Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 3 of 17 Pages
6

1 requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay
2
3 4 5

providing a copy of the search warrant and the receipt for any property taken until no more than thirty (30) days after such time as the name and location of the owner or user of the activating computer is positively identified or a latter date as the court may, for good cause shown, authorize. Provision of a copy of the search warrant and receipt may, in addition to any other methods allowed by law, be effectuated by electronic delivery of true and1 accurate electronic copies (e.g. Adobe PDF file) of the fully executed documents. 6. I am thoroughly familiar with the information contained in this Affidavit,

6
7

8 9 10

which I have learned through investigation conducted with other law enforcement officers, review of documents, and discussions with computer experts. Because this an application for a search warrant and pen register, not every fact known about the investigation is set forth, but only those that are pertinent to the application. As a result of the investigation, I submit there is probable cause to believe the MySpace "Timberlinebombinfo" account, e-mail account "dougbriggsl23@gmail.com": e-mail account "dougbrigs@gmail .com": e-mail account ttdougbriggs234@gmail. com": e-mail account "thisisfromitaIv@gmail.com": and e-mail account "timberline.sucks@gmail.com" have been used to transmit interstate communications containing threats to injure, and involve computer intrusion causing a threat to public safety in violation of Title 18, United States Code, Sections 875(c) and 1030(a)(5)(A)(i) and (B)(iv). I further submit that there is probable cause to believe that using a CIPAV in conjunction with the target MySpace account (Timberlinebombinfo) will assist in identifying the individual(s) using the activating computer to commit these violations of the United States Code. 7. '

11 12
13 14 15 16 17 18 19 20 21 22
23

24 25 26 27 28

In general, a CIPAV utilizes standard Internet computer commands

commonly used commercially over local area networks (LANs) and the Internet to request that an activating computer respond to the CIPAV by sending network level

Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 4 of 17 Pages

messages, and/or other variables, and/or registry information, over the Internet7 to a computer controlled by the FBI. The exact nature of these commands, processes, capabilities, and their configuration is classified as a law enforcement sensitive investigative technique, the disclosure of which would likely jeopardize other on-going investigations and/or future use of the technique. As such, the property to be accessed by the CIPAV request is the portion of the activating computer that contains environmental variables and/or certain registry-type information; such as the computer's true assigned IP address, MAC address, open communication ports, list of running programs, operating system (type, version, and serial number), internet browser and version, language encoding, registered computer name, registered company name, current logged-in user name, and Uniform Resource Locator (URL) that the target'computer was previously connected to. 8. An Internet Service Provider (ISP) normally controls a range of several

hundred (or even thousands) of IP addresses, which it uses to identify its customers' computers. IP addresses are usually assigned "dynamically": each time the user connects to the Internet, the customer's computer is randomly assigned one of the available IP addresses controlled by the ISP. The customer's computer retains that IP address until the user disconnects, and the IP address cannot be assigned to another user during that period. Once the user disconnects, however, that IP address becomes available to other customers who connect thereafter. ISP business customers will commonly have a permanent, 24-hour Internet connection to which a "static" (i.e., fixed) IP address is assigned. Practices for assigning IP addresses to Internet users vary, with many providers assigning semi-persistent numbers that may be allocated to a single user for a period of days or weeks. 9. Every time a computer accesses the Internet and connects to a web site,

The "Internet" is a global computer network, which electronically connects computers and allows communications and transfers of data and information across state and national boundaries. To gain access to the Internet, an individual utilizes an Internet Service Provider (ISP). These ISP's are available worldwide. Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 5 of 17 Pages

that computer broadcasts its IP address along with other environment variables. Environment variables, such as what language the user is communicating in, allows the web site to communicate back and display information in a format that the computer accessing the web site can understand. These environment variables, including but not limited to, the IP address and the language used by the computer, may assist in locating the computer, as well as provide information that may help identify the user of the computer. 10. The hard drives of some computers contain registry-type information. A

registry contains, among other things, information about what operating system software and version is installed, the product serial number of that software, and the name of the registered user of the computer. Sometimes when a computer accesses the Internet and connects to a software vendor's web site for the purpose of obtaining a software upgrade, the web site retrieves the computer's registry information stored on its internal hard drive. The registry information assists the software vendor in determining if that computer is running, among other information, a legitimate copy of their software because the registry information contains the software's product registration number. Registry information, such as the serial number of the operating system software and the computer's registered owner, may assist in locating the computer and identifying its user(s).

THE 11.

INVESTIGATION

On May 30, 2007, a handwritten note was discovered on the premises of

the Timberline High School in Lacey, Washington. Subsequently, school administrators ordered an evacuation of the students based on the handwritten bomb threat note. a). On June 4, 2007, Timberline High School received a bomb threat

e-mail from sender: u dougbriggsi23@gmail.com". The Unknown Subjects) 28 | (UNSUB) stated in the e-mail "I will be blowing up your school Monday, June 4,
Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 6 of 17 Pages

2007. There are 4 bombs planted throughout timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM." In addition, the UNSUB(s) stated, "The email server of your district will be offline starting at 8:45 am." The UNSUB(s) launched a Denial-ofService (DOS)8 attack on the Lacey School District computer network, which caused . over 24,000,000 hits on the system within a 24 hour period. School administrators ordered an evacuation of the school on June 4, 2007. b). On June 5, 2007, the UNSUB(s) sent an e-mail from

"dougbrigs@gmail.com" stating the following:. < <Read This ASAP> > Now that the school is scared from yesturdays fake bomb threat it's now time to get serious. One in a gym locker, the girls. It's in a locker hidden under a pile of clothes. The other four I will only say the general location. One in the Language Hall, One in the math hall, One underneath a portable taped with strong ducktape. This bomb will go off if any vibrations are felt. And the last one, Is in a locker. It is enclosed in a soundproof package, and litteraly undetectable. I have used a variety of chemicals to make the bombs. They are all different kinds. They will all go off at 10:15AM. Through remote detonation. Good Luck. And i f that fails, a failsafe of 5 minutes later. The UNSUB(s) goes on to state: Oh and for the police officers and technology idots at the district office trying to track this email and yesturdays email's location. I can give you a Hint. The email was sent over a newly made gmail account, from overseas in a foreign country. The gmail account was created there, and this email and yesturdays was sent from there. So good luck talking with Italy about getting the identify of the person who owns the 100Mbit dedicated server c). In another e-mail from sender "dougbriggs234@gmail .com"

the UNSUB(s) states the following: Hello Again. Seeing as how you're too stupid to trace the email back lets get serious." [The UNSUB(s) mentions 6 bombs set to
A DOS attack is an Internet based computer attack in which a compromised system attacks a single target, thereby causing denial of service for users of the targeted computer system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users. The DOS attack is generally targeted at a particular network service, such as e-mail or web access. Affidavit of Norm Sanders "for CIPAV USAO# 2007R00791 Page 7 of 17 Pages

detonate between 10:45-11:15 AM, and adds] Seriously, you are not going to catch me. So just give up. Maybe you should hire Bill Gates to tell you that it is coming from Italy. HAHAHA Oh wait I already told you that. So stop pretending to be "tracing it" because I have already told you it's coming from Italy. That is where trace will stop so just stop trying. Oh and this email will be behind a proxy behind the Italy server. d). School administrators ordered an evacuation of the school on June 5, 2007. e). On June 6, 2007, Principle Dave Lehnis of Timberline High

School received an e-mail from sender: "dougbriggs9ll@gmail.com". The e-mail contained the following text: "ENJOY YOUR LIFE ENDING". f). In another e-mail from "douebriegs91 l@gmail.com.w the

UNSUB(s) states the following, Well hello Timberline, today is June 6, 2007 and I"M just emailing you today to say that school will blow up and that's final! There are 2 bombs this time (Iran short on money to Buy things at home depot). They will go off at exactly 10:45:00 AM. One is on located on a portable. And the other is somewhere else. Keep trying to 'trace' this email. The only thing you will be able to track is that it came from Italy. There is no other information that leads it back to the United States in any way so get over it. You should hire Bill Gates to track it tor you. HAHAHAHA. He will just tell you that it came from over seas, so if you have close relations with the POPE you might get some information. But other than that, have fun looking in Italy. :-) Also, stop advising teachers to no show this email to classmates. Everyone would be ammused by this email and I might stop if you do. Funny how I can trick you all into thinking that I included my name to show that it isn't me, because who the hell would put their name? Or is that just what I want you to think. And yet again, this email was sent from overseas to a newly made email account that has already been deleted of all information by the time you read this email. Get your ass on a plane to Italy if you want it to stop. g). June 6, 2007. School administrators ordered an evacuation of the school on

h).

On June 7, 2007, Timberline High School received an e-mail from '

sender "thisisfromitalv@gmail.com." The UNSUB(s) states:

Affidavit of Norm Sanders for CIPAV USACtf 2007R00791 Page 8 of 17 Pages

"There are 3 bombs planted in the school and they're all different kinds. I have premaae these weeks in advance and tested the timers to make sure they work to exact millisecond. Locking the doors is a good plan, but too late." i). June 7, 2007.. School administrators ordered an evacuation of the school on

j).

On June. 7, 2007, the UNSUB(s) posted three of the threatening

e-mails in the comments section of the online news publication service, "theolympian" The administrator from theolympian.com" removed the threatening e-mail postings. Shortly thereafter, the UNSUB(s) re-posted the threatening e-mails. Eventually, the administrator of "theolympian.com" disabled the "Comments" section.

k).

On June 7, 2007, Detective Jeremy Knight, Lacey Police

Department (LPD), received information from the Thurston County Sheriffs Office, which had revealed a complaint from a person identified as AG. AG stated that she received an invitation through myspace.com from the MySpace. profile of "Timberlinebombinfo" wanting her to post a URL link to http://bombermaiIs.hyperphp.com on her myspace.com webpage. The UNSUB(s) advised her that failure to comply would result in her name being associated with future bomb threats. Similarly, Knight received a phone call from a parent alleging that her son received the same request from the UNSUB(s). According to Knight, 33 students received a request from the UNSUB(s) to post the link on their respective myspace.com webpages. Subsequent interviews performed by Knight yielded limited information.

1).

On June 7, 2007, VW and BP received MySpace private invitations

from an individual utilizing the MySpace moniker "Timberlinebombinfo". VW accepted the invitation from "Timberlinebombinfo" and received an America Online Instant Message (AIM) from an individual utilizing AIM screen name
Affidavit of Norm Sanders for CIPAV USAO# 2007R00791 Page 9 of 17 Pages

1 "Alexspi3ring_09." Communication ceased with "Alexspi3ring_09" after VW

requested additional information related to the bomb threats. VW believed screen name "Alexspi3ring_09" was associated to ALEX SPIERING, a student at Timberline High. School. VW stated "Alexspi3ring_09" and "Timberlinebombinfo" used to have die identical graphic on their MySpace webpage. "Timberlinebombinfo" recently changed his/her graphic from a picture of guns to a picture of a bomb.

8
9
10

m).

On June 7, 2007, Thurston County School District reported ALEX

SPIERING resides at 6133 Winnwood Loop SE, Olympia, WA, 98513, telephone (360) 455-0569, date of birth ffjMfBfffr 19.

11 12
13 14 15 16 17

n).

On June 8, 2007, Comcast Internet, Thorofare, New Jersey,

reported that residential address 6133 Winnwood Loop SE, Olympia, WA, 98513 received Comcast Internet services for the following subscriber: Sara Spiering 6133 Winnwood Loop SE, Lacey, WA 98513 Telephone (360) 455-0569 Dynamically Assigned Active Account Account Number: 8498380070269681

18
19

20
21

o).

On June 8, 2007, Thurston County School District received two

22 additional bomb threat e-mails from aTimberIine.Sucks@gmail.com." which resulted in

the evacuation of the Timberline High School.

12.

On June 4, 2007, Google provided subscriber, registration, and IP Address

log history for e-mail address "dougbriggs 123@gmail.com" with the following results: Status: Enabled (user deleted account) Services: Talk, Search History, Gmail
Affidavit of Norm Sanders for CIPAV USACW 2007R00791 Page 10 of 17 Pages

1 2 3 4 5

Name: Doug Briggs Secondary Email: Created on: 03-Jun-2007 Lang: en IP: 80.76.80.103 LOGS: AH times are displayed in UTC/GMT dougbriggsl23@gmail.com Date/Time 04-Jun-2007 05:47:29 am 04-Jun-2007 05:43:14 am 03-Jun-2007 06:19:44 am IP 81.27.207.243 80.76.80.103 80.76.80.103

6
7 8 9

10 11 12
13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

a).

On June 6, 2007, a SmartWhoIs lookup of IP Address 80.76.80.103

resolved to Sonic S.R.L, Via S.Rocco 1, 24064, Grumello Del Monte, Italy, Phone: +390354491296, E-mail: Staff@sonic.it. Your affiant connected to http://sonic.it. which displayed an Italian business webpage for Sonic SRL Internet Service Provider.

b).

On June 7, 2007, a request to MySpace for subscriber and IP

Address logs for MySpace user "Timberlinebombinfo" provided the following results: User ID: First Name: Last Name: Gender: Date of Birth: Age: Country: City: 199219316 Doug Briggs Male 12/10/1992 14 US Lacey

Affidavit of Nonn Sanders for CIPAV USAO* 2007R00791 Page 11 of 17 Pages

Postal Code: Region: Email Address: User Name: Sign up IP Address: Sign up Date: Delete Date: Login Date

985003 Western Australia timberline.sucks@email .com timberlinebombinfo 80.76.80.103 June 7, 2007 7:49PM N/A June 7, 2007 7:49:32:247 PM IP Address 80.76.80.103

c).

FBI Seattle Division contacted FBI Legate Attache Rome, Italy and

an official request was provided to the Italian National Police requesting assistance in contacting Sonic SRL and locating the compromised computer utilizing IP Address 80.76.80.103. d). On June 7, 2007, the System Administrator for the

www. theolvmpian. com advised the posting of the bomb threat e-mails originated from IP Address 192.135.29.30. A SmartWhois lookup resolved 192.135.29.30 to "The
17 18 19

National Institute of Nuclear Physics (INFN), LNL - Laboratori Nazionali di Legnaro, Italy". 13. Based on my training, experience, and the investigation described herein, I

20 know the following among other things:

a).

that network level messages, including the originating IP address

22 and MAC address^ other variables, and certain registry-type information of a computer
23

can be used to assist in identifying the individual(s) using that computer; and b). the individual(s) using the aforementioned activated computer

24
25 26 27 28

utilized compromised computers to conceal their true originating IP address and thereby intentionally inhibiting the individual(s)' identification. Compromised computers are generally infected with computer viruses, trojans, or other malevolent programs, which can allow a user the ability to control computer(s) on the Internet or particular services
Affidavit of Nonn Sanders for CIPAV USAO* 2007R00791 Page 12 of 17 Pages

1 2 3 4 5

of compromised computer(s) without authorization. It is common for individuals engaged in illegal activity to access and control compromised computer(s) to perform malicious acts in order to conceal their originating IP addresses. 14. Based on training, experience, and the investigation described herein, I

have concluded that using a CIPAV on the target MySpace "Timberlinebombinfo"

6 account may assist the FBI to determine the identities of the individual(s) using the
7 8 9 10 11

activating computer. A CIPAV's activation will cause the activating computer to send network level messages, including the activating computer's originating IP address and MAC address, other variables, and certain registry-type information. This information may assist the FBI in identifying the individual(s) using the activating computers. 15. The CIPAV will be deployed through an electronic messaging program

12 from an account controlled by the FBI. The computers sending and receiving the
13 14 15

CIPAV data will be machines controlled by the FBI. The electronic message deploying th CIPAV will only be directed to the administrators) of the "Timberlinebombinfo" account. a). Electronic messaging accounts commonly require a unique user name and password. b). Once the CIPAV is successfully deployed, it will conduct a onetime search of the activating computer and capture the information described in paragraph seven. c). The captured information will be forwarded to a computer controlled by the FBI located within the Eastern District of Virginia. d). After the one-time search, the CIPAV will function as a pen register device and record the routing and destination addressing information for electronic communications originating from the activating computer.

16
17

18
19 20 21

22
23 24 25 26 27 28

Affidavit of Norm Sanders for CIPAV USAO# 2007R00791 Page 13 of 17 Pages

1 2 3 4 5 6 7 8 9 10 11 12. 13 14 15 16 17

e).

The pen register will record IP address, dates, and times of the electronic communications, but not the contents of such communications or the contents contained on the computer, and forward the IP address data to a computer controlled by the I, for a period of (60) days.

16.

Based upon my review of the evidence, my training and experience, and

information I have gathered from various computer experts, I have probable cause to believe that deploying a CIPAV in an electronic message directed to the administrator(s) of the MySpace "Timberlinebombinfo" account will assist in identifying a computer and individual(s) using the computer to transmit bomb threats and related communications in violation of Title 18,United States Code Sections 875(c) and 1030(a)(5)(A)(i) and (B)(iv). 17. Because notice as required by Federal Rule of Criminal Procedure

41(f)(3) would jeopardize the success of the investigation, and because the investigation has not identified an appropriate person to whom such notice can be given, I hereby

18 request authorization to delay such notice until an appropriate person is identified.

Further, assuming providing notice would still jeopardize the investigation after an appropriate person to receive notice is identified, I request permission to ask this Court to authorize an additional delay in notification. In any event, the United States

22 government will notify this Court when it identifies an appropriate person to whom to
23 24 25 26 27 28 Affidavit of Nonn Sanders for CIPAV USAO* 2007R00791 Page 14 of 17 Pages

give notice, so that this Court may determine whether notice shall be given at that time. 18. Because there are legitimate law enforcement interests that justify an

unannounced use of the CIPAV and review of the messages generated by the activating

1 [computer in this case, 9 1 ask this Court to authorize the proposed use of a CIPAV 2 without the prior announcement of its use. One of these legitimate law enforcement
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

interests is that announcing the use of the CIPAV would assist a person controlling the . activating computer(s) to evade revealing its true IP address, other variables, and certain registry-type information - thereby defeating the CIPAV's purpose. 19. Rule 41(e)(2) requires that (A) the warrant command the FBI "to execute

the warrant within a specified time no longer than 10 days" and (B) "execute the warrant during the daytime unless the judge for good cause expressly authorizes execution.at another time..." In order to comply with Rule 41, the Government will only deploy CIPAV between the hours of 6:00 a.m. and 10:00 p.m. (PST) during an initial 10-day period. However, the Government seeks permission to read any messages generated by the activating computer as a result of a CIPAV at any time of day or night during the initial 10-day period. This is because the individuals using the activating computer may activate the CIPAV after 10:00 p.m. or before 6:00 a.m., and law enforcement would seek to read the information it receives as soon as it is aware of the CIPAV response given the emergent nature of this investigation. If the CIPAV is not activated within the initial 10-day period, the Government will seek further authorization from the Court to read any information sent to the computer controlled by the FBI as a result of that CIPAV after the lO* day from the date the Court authorizes the use of the first CIPAV. 20. Because the FBI cannot predict whether any particular formulation of a

21
22 23 24 25 26 27 28

CIPAV to be used will cause a person(s) controlling the activating computer to activate a CIPAV, I request that this Court authorize the FBI to continue using additional CIPAV's in conjunction with the target MySpace account (for up to 10 days after this warrant is authorized), until a CIPAV has been activated by the activating computer.

See Wilson v. Arkansas. 514 U.S. 927, 936 (1995) (recognizing that "law enforcement interests may . . . establish the reasonableness of an unannounced entry.") Affidavit of Nonn Sanders for CIPAV USAO* 2007R00791 Page 15 of 17 Pages

21.

Accordingly, it is respectfully requested that this Court issue a search

2 warrant authorizing the following:

a).

the use of multiple CIPAVs until one CIPAV is activated by the

activating computer in conjunction with the target MySpace "Timberlinebombinfo" account, without prior announcement, within 10 days from the date this Court authorizes

6 the use of the first CIPAV;

b).

the CIPAV may cause an activating computer - wherever located -

to send network level messages containing the activating computer's IP address, and/or MAC address, and/or other variables, and/or certain registry-type information to a computer controlled by the FBI and located within the Eastern District of Virginia; c). that the FBI may receive and read, at any time of day or night,

within 10 days ftom the date the Court authorizes of use of the CIPAV, the information that any CIPAV causes to be sent to the computer controlled by the FBI; d). that once the FBI has received an initial CIPAV response from the

activating computer consisting of network level messages containing the activating

16 computer's IP address, and/or MAC address, and/or other variables, and/or certain
17

registry-type information, the FBI will thereafter only be collecting the types of

18 addressing and routing information that can be collected pursuant to a pen register
19 20 21 22 23 24 25 26 27

order; and e). that, pursuant to 18 U.S.C. 3103a(b)(3), to satisfy the notification

requirement of Federal Rule of Criminal Procedure 41(f)(3), the FBI may delay providing a copy of the search warrant and the receipt for any property taken until no more than thirty (30) days after such time as the name and location of the individual(s) using the activating computer is positively identified or a latter date as the court may, for good cause shown, authorize. Provision of a copy of the search warrant and receipt may, in addition to any other methods allowed by law, be effectuated by electronic delivery of true and accurate electronic copies (e.g. Adobe PDF file) of the fully

28 executed documents.
Affidavit of Norm Sanders for CIPAV USAO# 2007R00791 Page 16 of 17 Pages

22.

It is further requested that this Application and the related documents be

2 filed under seal. The information to be obtained is relevant to an on-going investigation.

Premature disclosure of this Application and related documents may jeopardize the success of the above-described investigation. WHEREFORE, Affiant respectfully requests that a warrant be issued authorizing

6 the FBI to utilize a CIPAV and receive the attendant information according to the terms
7 8 9 10 11 12 13 14 15 16 17
18

set forth in this Affidavit.

THIS APPLICATION DOES NOT SEEK AUTHORIZATION TO THE CONTENT OF ANY ELECTRONIC COMMUNICATIONS, AND THE WARRANT WILL SO SPECIFY.

Sworn to and subscribed before me this /.K day of June, 2007

rman B.Sanders Special Agent Federal Burea Bureau of Investigation

sfijMih T< WW Hon. yames p. uononue Umteu States Magistrate Judge

19 20

21
22 23 24 25 26 27 28 Affidavit of Norm Sanders for C1PAV USAO# 2007R00791 Page 17 of 17 Pages

DATE: 08-18-2008 CLASSIFIED BY 60322uclp/stp/rds REASON: 1.4 (c) DECLASSIFY ON: 08-18-2033

gggJ^T ^ ^ ^

bl b2 b7E

"t,Iftlleo 7

(S)

HMniiBBiiiNaaaaaHiiBiMiMiMMiM

SEfr

ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED EXCEPT TdHERE SHOWN OTHERWISE

7 / j ^ ^
Jkji^ Sensitive but Uro \ Last Update 5 June 2007

12 Jume 2007

DATE: 08-18-2008 CLASSIFIED BY 60322uclp/stp/rds REASON: 1.4 (c) DECLASSIFY ON: 08-18-2033

Sensitive but

Sensitive butJUpfeis Version Control Date 12 June 07 Changed By 1 1 Version # 0.1

Last Update 5 June 2007

Changes Draft Baseline

b6 b7C

Sensitive but Lmsjay

U^ Sensitive but Uri X \

SE^T

Last

Update 5 June 2007

b2 b7E

Sensitive but

S E&gf^t

if

DATE: 08-18-2008 CLASSIFIED BY 60322uclp/stp/i:(is

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^ ^

REASON: 1.4 (c) Case Support Standard Operating Procedures (SOP) DECLASSIFY ON: 08-18-2033 Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)

bl b2 b7E

ALL INFORMATION CONTAINED Page 1 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified HEREIN IS UNCLASSIFIED EXCEPT WHERE SHOWN OTHERWISE For Official Use Only offtDe-1

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)

bl b2 b7E

ALL INFORMATION COBTAINED HEREIN 15 UNCLASSIFIED EXCEPT WHERE SHOWN OTHERWISE

DATE: 08-18-2008 CLASSIFIED BY 60322uclp/stp/rds REASON: 1.4 c) DECLASSIFY ON: 08-18-2033

&tf^T

Page 2 of10Pages . . Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^ \

DATE: 08-18-2003 CLASSIFIED BY 60322uclp/stp/rds

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \

i f f
b5

'

PEAS ON: 1.4 (C) Case Support Standard Operating Procedures (SOP) b~ DECLASSIFY ON: 08-18-2033 Cryptographic and Electronic Analysis Unit (CEAU) CnfhA/aro nowolnnmont ^rnim f^nf^ Danlm/mpnl- Onpratinnc PPnter fnOH

Page 1 of 10 Pages
ALL INF0RHATION CONTAINED ^ ,E ... ?.. . T HEREIN i s UNCLASSIFIED E X C E P T 1 ^ Enforcement Sensitive/Sensitive But FOR WHERE SHOWN OTHERWISE Official Use Only

^
'

^
,

Unj^ffied ^ \

Law Enforcement Sensitive/Sensitive But Unbjraified For Official Use Only / \ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)
b2

ki

b?E

Page 2 of 10 Pages . . Law Enforcement Sensitive/Sensitive But Uncta$ified For Official Use Only

SECRET

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center iDQO
b7E

Page 3 of 10 Pages.. Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^ \

acttfssif Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \

b7E Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)

(S)

Page 4 of 10 Pages . , Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^^ \

Law Enforcement Sensitive/Sensitive But U n u n i f i e d For Official Use Only X \

bl b2

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)

b7E

Page 5 of 10 Pages s. / Law Enforcement Sensitive/Sensitive But Unmsgified For Official Use Only

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)

(S)

bl b2 b7E

Page 6 of 10 Pages . . Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only^\

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only/\ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SDG) Deployment Operations Center (DOC)

bl b2 b7E

Page 7 of 10 Pages.. Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^ \

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only / \ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)

bl b2 b7E

Page 8 of 10 Pages . . Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only ^ \

Law Enforcement Sensitive/Sensitive But Uncial For Official Use Only

fled

SE

Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)

bl b2 b7E

Page 9 of 4 Pages Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only offtDe-1

Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only/\ Case Support Standard Operating Procedures (SOP) Cryptographic and Electronic Analysis Unit (CEAU) Software Development Group (SPG) Deployment Operations Center (DOC)

(Si

S j ^ T

Page 10 of 10 Pages.. Law Enforcement Sensitive/Sensitive But Unclassified For Official Use Only^\

09/14/2006 17:22 hrs.

//Program Sensitive

bl

Pagel of26
DATE: 0 8 - 1 9 - 2 0 0 8 CLASSIFIED BY 6 0 3 2 2 u c l p / s t p / r d s PEASOH: 1 . 4 ( c ) DECLASSIFY OH: 0 8 - 1 9 - 2 0 3 3

(SJ

b2 b7E hi A

Cases: At-A-Glance

bl b2 b7E

09/14/2006 17:22 hrs.

//Program Sensitive

bl

Page 2 of26

(S)

SEpR^t
Cases: At-A-Glance

S)
Pending Case Number

Pje Deployments

(S)

r~

(S)
b7A

(S)

S)

l3>

(S)
1 bl

t ^ \ (a)

b7E

i 3)
[S)
09/14/2006 17:22 hrs.

(S)

TTProgram Sensitive

Page 3 of 26

<S)

s^ej
!S]

jgj
Cases: At-A-Glance

(S)

(Si

bl b2 b7E b7A

S)
09/14/2006 17:22 hrs. //Program Sensitive Page 4 of 26

(S)

JbrE

(S)

bl b2
b7E

(S)

09/14/2006 17:22 hrs.

//Program Sensitive

Page S of 26

(S)

Stssgf

SjBfij
fncpc- A--nianrp
Pending Case Number

(S)
(SJ
bl b2 b7E b7A

S)

S)

(S)
(S) (S) (S) <S)

09/14/2006 17:22 hrs.

//Program Sensitive

Page 6 of 26

(S)
sipari

Cases: At-A-Glance
Pending Case Number

(S)
b7A

(5)

(S) (S)
UNKNOWN
bl b2 b7E

(S)

09/14/2006 17:22 hrs.

//Program Sensitive

Page 7 of 26

(S)

sef<r

10

11

(S)
12 13

!
09/14/2006 17:22 hrs. //Program Sensitive Page 8 of 26

(S)

5f<

Cases: At-A-GIance .

09/14/2006 17:22 hrs.

//Program Sensitive

ts>

Page 9 of26

(S)

09/14/2006 17:22 hrs.

//Program Sensitive

Page 10 of 26

ts>

. Cases: At-A-GIance

b7A bl b2 b7E

(S)

(S)
09/14/2006 17:22 hrs. //Program Sensitive ^2 J Page 11 of 26

(S)
SeffET

Cases: At-A-Glance

(S)

09/14/2006 17:22 hrs.

//Program Sensitive

(S)

bl b2 b7E b6 b7C

Page 12 of 26

SC8C

st&H;
Cases: At-A-Glance

IS)

(S)
bl b2 b7E b6 b7C

09/14/2006 17:22 hrs.

//Program Sensitive

Page 13 oi 2b

Cisas-

At.A.ifiliinra

<S>

b7A bl b2 b7E

(S)

iS)

09/14/2006 17:22 hrs.

//Program Sensitive

( 3 )

Page 14 of 26

SBRET

Tases: At-A-Clanre

-(S).

09/14/2006 17:22 hrs.

//Program Sensitive

Page 15 of 26

(S)

SBREJ
Cases: At-A-Glance

b2
b7E

b7A

(S) (S)

(S)

(S)
Page 16 of 26

09/14/2006 17:22 hrs.

//Program Sensitive

S >

09/14/2006 17:22 hrs.

//Program Sensitive

(S)

bl b2 b7E

Page 17 of 26

SjERCf
Cases: At-A-Glance

bl b2 b7E

(Si
(S)
315Q-CA-654321

(S)

(S) (S)
09/14/2006 17:22 hrs.

t)

//Program Sensitive

Page 18 of 26

(S)

bl b2 b7E
fotoAt-A-OQIIW

CLOSED

3I5N-PH-98148

N/A

CLOSED

315Q-PX-75889

315Z-PX-123456

(S)

S)

09/14/2006 17:22 hrs.

//Program Sensitive

Page 19 of 26

(S)

sjMj

Cases: At-A-Glance

CLOSED

288A-PH-100637

288A-PH-100637

CLOSED

288A-RH-52644

(S)
bl b2 b7E

(S)

(S)
09/14/2006 17:22 hrs. //Program Sensitive Page 20 of 26

IS)

SERt

bl

IS 1

b2 b7E
CLOSED CLOSED CLOSED CLOSED 288A-LV-39208 266A-PH-96921 288A-LV-I2345 Same as Case # 315Q-DN-64862

(S)
(S)

(S)
CLOSED 266H-SC-39675 266H-PH-99771LPI 266H-PH-9977ILP2

(SI
09/14/2006 17:22 hrs. //Program Sensitive Page 21 of 26

(S)

slftf^T

(S)
CLOSED 266H-PH-99771

SpBR^r
Cases: At-A-Glance

(S)

CLOSED TERMINAI ED CLOSED

174C-LV-39242 288D-WF232964

315B-EP94772

bl b2 b7E

CLOSED

??79_99_9999?7

9999_99_9999?9

<S)

iS)

CLOSED

Unknown

315N-SF-012606

(S)
09/14/2006 17:22r rs.

(S)
(S)
//Program Sensitive Page 22 of 26

(S)

(5)
Status

(S):
bl b2 b7E

09/14/2006 17:22 hrs.

//Program Sensitive

Page 23 of 26

13)

<s)

(S)
bl b2 b7E

09/14/2006 17:22 hrs.

//Program Sensitive

Page 24 of 26

(S)
SSR^T

Cases: At-A-GIance

(S) (S)
CLOSED 315Q-PX-75889 315Z-PX-123456LP2 315Z-PX-123456LP3 315Z-PX-123456LP4

bl b2 b7E

<S)

tS)
CLOSED 315Q-PX-75889 315Z-PX-123456LP5 315Z-PX-123456LP6 315Z-PX-123456LP7

09/14/2006 17:22 hrs.

//Program Sensitive

Page 25 of 26

(S)

Cases: At-A-Glance

IS)
-

(S)

(SI

bl b2 b7E b7A

09/14/2006 17:22 hrs.

//Program Sensitive

Page 26 of 26

(S>

IE8R

DATE: 08-20-2008 CLASSIFIED BY 60322uclp/stp/rds REASON: 1.4 (c) DECLASSIFY ON: 08-20-2033

Last Update: 0 5 / 1 ^ 6 16:30, |

Notes: Completed changes suggested at working group meeting. Incorporated comments from \ I

(3)
bl b2 b7E ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED EXCEPT WHERE SHOWN OTHERWISE

IS)

Sfcf^T
//Program Sensitive 8/1/2007 10:39 A M

Casas: At-A-Glance

(S)

(S)

(3)
288A-RH-52644 N/A

//Program Sensitive

8/1/2007 10:69 AM

(S)
OTrnrassnB266A-PH-96921

sicjjg

Cases: At-A-Glancs

Same as Case #

266H-SC-39675

266H-PH-99771-LP1 266H-PH-99771-LP2

<S)
266H-PH-99771 N/A

(S)
174C-LV-39242 288D-WF-232964 Same as Case # N/A

bl b2 b7E

//Program Sensitive

8/1/2007 10:70 A M