Case Document 1 Filed 04/17/15 Page 1 of 22

AO 106 (Rev. 01/09) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the
Northern District of New York

In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address)

1 black I-PAD Air, serial #; 1 silver/grey MacBook Pro, serial #; silver/grey & black WD My Passport hard drive, serial # M51A92R0854; silver/grey & black WD My Passport hard drive, serial # WXU1EB3WVLC3; 1 black Western Digital hard drive, serial # WXK1A9003026T; 1 black micro 2GB San Disk Cruzer thumb drive; 1 terabyte, silver/grey, Transcend flash drive and black USB cable; 2 blue 46 PNY thumb drives; 1 purple, 8GB Verbatim thumb drive; 1 black Kingston MicroSD thumb drive; 1 black thumb drive w/toggles on the side; 1 purple black Linkeys Bluetooth USB adapter; 1 orange and white thumb drive

Case No. (ATB)

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that there is now concealed on the following person or property located in the Northern District of New York (identify the person or describe property to be searched and give its location): See "Attachment " which is attached to and incorporated in this Application and Affidavit.

The person or property to be searched, described above, is believed to conceal (identify the person or describe the property to be seized): See "Attachment " which is attached to and incorporated in this Application and Affidavit.

The basis for the search under Fed. R. Crim. P. is (check one or more):
evidence of a crime;
contraband, fruits of crime, or other items illegally possessed;
property designed for use, intended for use, or used in committing a crime;
a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of 18 U.S.C. 1030(a)(2), 1030(a)(5), and 1030(a)(5)(B), and the application is based on these facts:
Continued on the attached sheet.

Delayed notice of days (give exact ending date if more than 30 days: ) is requested under 18 U.S.C. 3103a, the basis of which is set forth on the attached sheet.

Mark S. Hurley, Special Agent, FBI
Printed name and title

Sworn to before me and signed in my presence.

Date: 04/17/2015
Judge's signature

City and state: Syracuse, New York
Hon. Andrew T. Baxter, U.S. Magistrate Judge
Printed name and title

AFFIDAVIT

I, Special Agent Mark Hurley, being duly sworn, hereby depose and state that the following is true to the best of my information, knowledge, and belief:

INTRODUCTION AND AGENT BACKGROUND

1. I am a Special Agent with the Federal Bureau of Investigation (FBI), and have served in this capacity since 2011. I am currently assigned to the Albany Field Office, Syracuse Resident Agency, where I work with a team of Agents and Task Force Officers who are focused on investigating matters relating to a variety of federal crimes, including international terrorism. I have received formal training from the FBI in investigations and operations. Currently, I am responsible for, among other assignments, conducting investigations of alleged criminal violations of numerous Title 18 offenses, and in that capacity have worked on a number of investigations concerning international terrorism, violations of terrorism laws of the United States, the execution of search warrants, and the use of cell phones, social media, and other electronic devices used by subjects in those investigations. As an FBI Special Agent, I am authorized to investigate violations of the laws of the United States generally, and to execute arrest warrants issued under the authority of the United States. I have discussed the matters herein with the other Agents working on this and other associated investigations, read reports, and otherwise reviewed materials assimilated during the investigation.
I have also discussed with these colleagues the use of computers and cellular phones to create, store, and use electronic data over internet-based applications, and how criminals, including terrorists and their supporters, use cellular telephones, computers and related equipment, and the internet to facilitate their crimes. My discussions have included consultations with law enforcement personnel specifically trained in these specialized areas.

2. This affidavit is in support of an application for a search warrant for digital devices and the data located therein, that were seized from Chris Roberts on April 15, 2015 after Chris Roberts exited flight #3642 in Syracuse, New York. Chris Roberts had flown from Denver to Chicago on United Airlines flight [illegible] 2015, Roberts changed planes and continued to Syracuse.

3. The following statements contained in this affidavit are based on my experience and background as a Special Agent of the FBI and my work and conversations with other FBI special agents and specialists in this investigation. Because this affidavit is being submitted for the limited purpose of securing a search warrant, I have not included each and every fact known to me concerning this investigation. I believe the information that I have set forth herein to be reliable based upon my investigation to date.

4. This investigation concerns alleged violations of Title 18 U.S.C. Sections 1030(a)(2), and 1030(a)(5), relating to unauthorized access to computers.

IDENTIFICATION OF THE DEVICE(S) TO BE EXAMINED

5. The property listed in Attachment A is secured in the FBI Syracuse Resident Agency and was found in the possession of Chris Roberts on April 15, 2015 after Chris Roberts exited United Airlines flight #3642 in Syracuse, New York. The following items were seized by the FBI from Chris Roberts on April 15, 2015 at the Syracuse airport, herein referred to collectively as "Devices":

A.
1 black I-PAD Air, serial number with hard plastic case and Death Wish Coffee Co sticker;

B. silver/grey MacBook Pro, serial number C02LM82AFD59 w/multiple stickers;

C. 1 silver/grey black WD My Passport hard drive, serial number WX51A92R0854

D. 1 silver/grey black WD My Passport hard drive, serial number WXU 1

E. 1 black Western Digital hard drive, serial number WXK1A9003026T w/ label;

F. G. 1 black micro 2GB San Disk Cruzer thumb drive; 1 terabyte, silver/grey Transcend flash drive and black USB cable; 2 blue 46 PNY thumb drives; 1 purple, 8GB Verbatim thumb drive; 1 black Kingston MicroSD thumb drive; 1 black thumb drive w/toggles on the side; 1 purple black Linkeys Bluetooth USB adapter; 1 orange white thumb drive,

6. I submit there is probable cause to believe that the Device(s) are or contain evidence, fruits, and instrumentalities of violations of Title 18, United States Code, Sections 1030(a)(2), 1030(a)(5). The applied-for warrant would authorize the forensic examination of the Device(s) for the purpose of identifying electronically stored data particularly described in Attachment B.

7. In my training and experience, I know that the Device(s) all have been stored in a manner in which the contents are, to the extent material to this investigation, in substantially the same state as they were when the Device(s) first came into the possession of FBI.

ELECTRONIC STORAGE AND FORENSIC ANALYSIS

8. Based on my training and experience, your Affiant knows about the following Devices. A laptop computer is a computer that contains a hard disk drive. An HDD, which can be internal to the computer, or an external component, is a data storage device that consists of an external circuit board, external data, power connections, and internal glass, ceramic, or magnetically charged rotating metal platters that permanently store data even when powered off.
A solid-state drive, also known as a solid-state disk, is a data storage device that uses integrated circuit assemblies as memory to permanently store data instead of using rotating platters. Flash drives, flash cards, and thumb drives are digital storage devices that can connect to computers or other devices using the appropriate connection. These devices are capable of storing any electronic information including images, videos, word processing documents, programs and software, and web pages.

10. A tablet, or IPad, is a mobile computer, typically larger than a phone yet smaller than a notebook, that is primarily operated by touching the screen. Tablets can also function as wireless communication devices and can be used to access the Internet through cellular networks, networks, or otherwise. Tablets typically contain programs called applications which, like programs on a personal computer, perform different functions and save data associated with those functions. Apps can, for example, permit accessing the Web, sending and receiving e-mail, and participating in Internet social networks.

11. Computers and digital storage devices can include all types of electronic, magnetic, optical, electrochemical, or other high speed data processing devices performing logical, arithmetic, or storage functions, including desktop computers, laptop computers, mobile phones, pagers, tablets, server computers, game consoles, and network hardware and also includes any physical object upon which computer data can be recorded such as hard disk drives, RAM, floppy disks, flash memory, CDs, DVDs, and other magnetic or optical media.

12. Based on my knowledge, training, and experience, your Affiant knows that computers and digital storage devices can store information for long periods of time, even if the user has attempted to delete the information.
Similarly, things that have been searched for and viewed via the Internet, apps, or other programs, can be stored for some period of time on a device. This information can sometimes be recovered with forensic tools.

13. Based on my knowledge, training, and experience, examining data stored on computers and digital storage devices can uncover, among other things, evidence that reveals or suggests who possessed or used the computer or digital storage devices.

14. There is probable cause to believe that things that were once stored on the Device(s) may still be stored there, for at least the following reasons:

A. For example, based on my knowledge, training, and experience, I know that a powered-on computer maintains volatile data. Volatile data can be defined as active information temporarily reflecting a computer's current state including registers, caches, physical and virtual memory, network connections, network shares, running processes, disks (floppy, tape and/or CD-ROM), and printing activity. Collected volatile data may contain such information as opened files, connections to other computers, passwords used for the presence of anti-forensic tools, or the presence of programs loaded in memory that would otherwise go unnoticed. Volatile data and its corresponding evidentiary value is lost when a computer is powered-off and unplugged.

B. Based on my knowledge, training, and experience, I know that digital files or remnants of such files can be recovered months or even years after they have been downloaded onto a storage medium, deleted, or viewed via the Internet. Electronic files downloaded to a storage medium can be stored for years at little or no cost. Even when files have been deleted, they can be recovered months or years later using forensic tools. This is so because when a person "deletes"
a file on a digital storage device or computer, the data contained in the file does not actually disappear; rather, that data remains on the storage medium until it is overwritten by new data.

C. Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space, that is, in space on the storage medium that is not currently being used by an active file, for long periods of time before they are overwritten. In addition, a computer's operating system may also keep a record of deleted data in a "swap" or "recovery" file.

D. Wholly apart from user-generated files, computer storage media including digital storage devices and computers' internal hard drives can contain electronic evidence of how a computer has been used, what it has been used for, and who has used it. To give a few examples, this forensic evidence can take the form of operating system configurations, artifacts from operating system or application operation, file system data structures, and virtual memory "swap" or paging files. Computer users typically do not erase or delete this evidence, because special software is typically required for that task. However, it is technically possible to delete this information. Data on the storage medium not currently associated with any file can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing Web browsers, e-mail programs, and chat programs store configuration information on the storage medium that can reveal information about the Device's use and who used it including online nicknames and passwords. Operating systems can record additional information, such as the attachment of peripherals, the attachment of USB flash storage devices or other external storage media, and the times the computer or device was in use. Computer file systems can
record information about the dates files were created and the sequence in which they were created.

E. Similarly, files that have been viewed via the Internet are sometimes automatically downloaded into a temporary Internet directory or "cache." Forensic review may also disclose when and by whom the Internet was used to conduct searches, view material, and communicate with others via the Internet.

15. As further described in Attachment B, this application seeks permission to locate not only electronically stored information on the Device(s) that might serve as direct evidence of the crimes described on the warrant, but also forensic evidence that establishes how the Device(s) were used, the purpose of the use, who used the Device(s), and when. There is probable cause to believe that this forensic electronic evidence might be on the Device(s) because:

A. Data on the storage medium can provide evidence of a file that was once on the storage media but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing Virtual memory paging systems can leave traces of information on the storage medium that show what tasks and processes were recently active. Web browsers, e-mail programs, and chat programs store configuration information on the storage medium that can reveal information such as online nicknames and passwords. Operating systems can record additional information, such as the attachment of peripherals, the attachment of USB flash storage devices or other external storage media, and the times the computer or device was in use. Computer file systems can record information about the dates files were created and the sequence in which they were created. This information can be recovered months or even years after they have been downloaded onto the storage medium, deleted, or viewed.
Bash history is a log detailing all commands entered by a user when operating in a Unix/Linux environment. The bash history is maintained on an operating system unless manually deleted by a user. Plist is a file that stores users' settings on a Unix/Linux operating system. Plist files are the equivalent of registry files in a Windows operating system. I know that these sorts of artifacts provide evidence of what a computer was used for, by whom and when.

B. Forensic evidence on a device can also indicate who has used or controlled the device. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence.

C. A person with appropriate familiarity with how a digital storage device works may, after examining this forensic evidence in its proper context, be able to draw conclusions about how electronic devices were used, the purpose of their use, who used them, and when.

D. The process of identifying the exact electronically stored information on storage media that are necessary to draw an accurate conclusion is a dynamic process. Electronic evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on a computer is evidence may depend on other information stored on the computer or digital storage device and the application of knowledge about how a computer or digital storage device behaves. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.

E. Further, in finding evidence of how a device was used, the purpose of its use, who used it, and when, sometimes it is necessary to establish that a particular thing is not present on a storage medium.

F.
Your Affiant knows that when an individual uses an electronic device to aid in the commission of a crime, the individual's electronic device will generally serve both as an instrumentality for committing the crime, and also as a storage medium for evidence of the crime. The electronic device is an instrumentality of the crime because it is used as a means of committing the criminal offense. The electronic device is also likely to be a storage medium for evidence of crime. From my training and experience, I believe that an electronic device used to commit a crime of this type may contain: information about devices attached to computers, and information about who used the devices and when and where.

G. Your Affiant also knows that those who engage in criminal activity will attempt to conceal evidence of the activity by hiding files, them, or by giving them deceptive names such that it is necessary to view the contents of each file to determine what it contains.

16. Your Affiant recognizes the prudence requisite in reviewing and preserving in its original form only such records applicable to the violations of law described in this Affidavit and in in order to prevent unnecessary invasion of privacy and overbroad searches. Your Affiant advises it would be impractical and infeasible for the Government to review the mirrored images of digital devices that are copied as a result of a search warrant issued pursuant to this Application during a single analysis. Your Affiant has learned through practical experience that various pieces of evidence retrieved from digital devices in investigations of this sort often have unknown probative value and linkage to other pieces of evidence in the investigation until they are considered within the fluid, active, and ongoing investigation of the whole as it develops. In
other words, the weight of each individual piece of the data fluctuates based upon additional investigative measures undertaken, other documents under review and incorporation of evidence into a consolidated whole. Analysis is content-relational, and the importance of any associated data may grow whenever further analysis is performed. The full scope and meaning of the whole of the data is lost if each piece is observed individually, and not in sum. Due to the interrelation and correlation between pieces of an investigation as that investigation continues, looking at one piece of information may lose its full evidentiary value if it is related to another piece of information, yet its complement is not preserved along with the original. In the past, your Affiant has reviewed activity and data on digital devices pursuant to search warrants in the course of ongoing criminal investigations. Your Affiant has learned from that experience, as well as other investigative efforts, that multiple reviews of the data at different times is necessary to understand the full value of the information contained therein, and to determine whether it is within the scope of the items sought in Attachment B. In order to obtain the full picture and meaning of the data from the information sought in Attachments A and of this application, the Government would need to maintain access to all of the resultant data, as the completeness and potential of probative value of the data must be assessed within the full scope of the investigation. As such, your Affiant respectfully requests the ability to maintain the whole of the data obtained as a result of the search warrant, and to maintain and to review the data in the control and custody of the Government and law enforcement at times deemed necessary during the investigation, rather than minimize the content to certain communications deemed important at one time.
As with all evidence, the Government will maintain the evidence and mirror images of the evidence in its custody and control, without alteration, amendment, or access by persons unrelated to the investigation.

17. Based on the foregoing, and consistent with Rule the warrant I am applying for would permit seizing, imaging, copying and reviewing the contents of the Device(s) consistent with the warrant. The warrant I am applying for would authorize a later examination and perhaps repeated review of the Device(s) or information from a copy of the Device(s) consistent with the warrant. The examination may require authorities to employ techniques, including but not limited to computer-assisted scans of the entire medium, that might expose many parts of the Device(s) to human inspection in order to determine whether it is evidence described by the warrant.

INVESTIGATION

18. A Special Agent with the FBI interviewed Chris Roberts on February 13, 2015 and March 5, 2015 to obtain information about vulnerabilities with In Flight Entertainment (IFE) systems on airplanes. Chris Roberts advised that he had identified vulnerabilities with IFE systems on Boeing 737-800, 737-900, 757-200 and Airbus A-320 aircraft. Chris Roberts furnished the information because he would like the vulnerabilities to be fixed.

19. During these conversations, Mr. Roberts stated the following:

A. That he had exploited vulnerabilities with IFE systems on aircraft while in flight. He compromised the IFE systems approximately 15 to 20 times during the time period 2011 through 2014. He last exploited an IFE system during the middle of 2014. Each of the compromises occurred on airplanes equipped with IFE systems with video monitors installed in the passenger seatbacks.

B. That the IFE systems he compromised were Thales and Panasonic systems. The IFE systems had video monitors installed in the passenger seatbacks.

C.
That he was able to exploit/gain access to, or "hack" the IFE system after he would get physical access to the IFE system through the Seat Electronic Box under the passenger seat on airplanes. He said he was able to remove the cover for the SEB under the seat in front of him by wiggling and squeezing the box.

D. After removing the cover to the SEB that was installed under the passenger seat in front of his seat, he would use a Cat6 ethernet cable with a modified connector to connect his laptop computer to the IFE system while in flight.

E. He then connected to other systems on the airplane network after he exploited/gained access to, or "hacked" the IFE system. He stated that he then overwrote code on the airplane's Thrust Management Computer while aboard a flight. He stated that he successfully commanded the system he had accessed to issue the or climb command. He stated that he thereby caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane during one of these flights. He also stated that he used Vortex software after compromising/exploiting or "hacking" the airplane's networks. He used the software to monitor traffic from the cockpit system.

F. Roberts said he used Kali Linux to perform penetration testing of the IFE system. He used the default IDs and passwords to compromise the IFE systems. He also said that he used VBox which is a virtualized environment to build his own version of the airplane network. The virtual environment would replicate airplane network, and that he used virtual machines on his laptop while compromising the airplane network.

20.
On February 13, 2015 and February 23, 2015 Special Agents with the FBI in Denver advised Chris Roberts that accessing airplane networks without authorization is a violation of federal statute, and that Roberts may be prosecuted for obtaining access to airplane networks or advised that he understood and he would not access airplane networks.

21. On February 23, 2015 the following tweet was made by on Chris Roberts' Twitter account Sidragon1: "Two very civilized but direct warnings in the last week to not mess with certain things means I'll be modifying a few upcoming talks".

22. On April 15, 2015 United Airlines advised the FBI that Chris Roberts tweeted the following message from Twitter account Sidragon1: "Find myself on a 737/800, lest see Box- SATCOM, Shall we start playing with EICAS messages? OXYGEN Anyone"

23. The following conversation was on Twitter account Sidragon1 in response to the tweet about Roberts' being on a 737/800: RafalLos tweeted you're in jail. followed by a tweet from Chris Roberts @Sidragon1 of "There IS a distinct possibility that the course of action laid out above would land me in an orange suite rather quickly"

24. United Airlines advised that Chris Roberts was traveling on a United Airlines flight #1474 from Denver to Chicago on April 15, 2015. His seat was 3A. The aircraft tail number was 3260.

25. On April 15, 2015 a Senior Manager with United Airlines' Cyber Security Intelligence Department, advised that United Airlines flight #1474 was equipped with a Thales IFE system with seatback monitors. Two SEBs are installed in each row. One SEB is installed on each side of the airplane aisle. A SEB is installed under seat 2A and a SEB is installed under seat 3A.

26. A Senior Manager with United Airlines' Cyber Security Intelligence Department advised the FBI that EICAS refers to the Engine Indication Crew Alerting System. EICAS provides the pilots with information about the airplane engines.

27.
According to a Senior Manager with United Airlines' Cyber Security Intelligence Department the portion of Chris Roberts' tweet OXYGEN may refer to the passenger oxygen masks on the aircraft. ICE is a possible acronym for In Flight Communications Equipment or Integrated Communications Equipment.

28. I know the acronym IFE refers to the In Flight Entertainment system and SATCOM is a reference to satellite communications system which are installed on some aircraft.

29. On April 15, 2015 Chris Roberts changed aircraft after arriving in Chicago and flew to Syracuse, New York on United Airlines flight #3642. United Airlines flight #3642 was not equipped with an IFE system.

30. United Airlines aircraft with tail number 3260 flew from Chicago to Philadelphia on April 15, 2015. The flight number was 1607. The flight arrived at gate D13 at Philadelphia International Airport on April 15, 2015.

31. On April 15, 2015, a Special Agent with the FBI inspected the SEBs in the first class cabin on United Airlines 737 aircraft, flight 1607 at gate D13 at the Philadelphia International Airport. A Special Agent with the FBI advised that the SEBs under seats 2A and 3A showed signs of tampering. The SEB under 2A was damaged. The outer cover of the box was open approximately 1/2 inch and one of the retaining screws was not seated and was exposed.

32. At that time, we then knew: (1) that the Seat Electronics Box (SEB) for the IFE aboard the aircraft on which Roberts had flown from Denver to Chicago on April 15, 2015 showed signs of tampering in the location where Roberts had been seated; (2) that Roberts had sent social media messages during that flight indicating he was about to access without authorization that aircraft's (3) that Roberts had previously claimed in his conversations with the FBI on February 13, 2015 and March 5, 2015 that he had been able to and did use special equipment in his possession to "hack"
into the IFE systems on aircraft previously and had claimed that he had connected to other systems on the aircraft network; and (4) that agents and technical specialists with the FBI believed that he may have just done that again or attempted to do so using the equipment then in his possession as witnessed by the FBI. We further knew that Roberts had reservations to travel by air from Syracuse back to Denver on April 17, 2015. Considering all of this information, we believed that Roberts had the ability and the willingness to use the equipment then with him to access or attempt to access the IFE and possibly the flight control systems on any aircraft equipped with an IFE system, and that it would endanger public safety to allow him to leave the Syracuse airport that evening with that equipment. Accordingly, we confiscated the above-referenced equipment at that time.

33. On April 15, 2015, Special Agents with the FBI interviewed Roberts at the Syracuse Airport after he arrived in Syracuse on United Airlines flight #3642. Chris Roberts had the following items in his possession upon arrival in Syracuse: 1 black I-PAD Air, serial number with hard plastic case and Death Wish Coffee Co sticker; 1 silver/grey MacBook Pro serial number C02LM82AFD59 w/multiple stickers; silver/grey black WD My Passport hard drive, serial number silver/grey black WD My Passport hard drive, serial number WXUIEB3WVLC3, 1 black Western Digital hard drive, serial number WXK1A9003026T w/ label; 1 black micro 2GB San Disk Cruzer thumb drive; 1 terabyte, silver/grey, Transcend flash drive and black USB cable; 2 blue 46 PNY thumb drives; 1 purple, 8GB Verbatim thumb drive; 1 black Kingston MicroSD thumb drive; 1 black thumb drive w/toggles on the side; 1 purple black Linkeys Bluetooth USB adapter, 1 orange and white thumb drive.

34. Chris Roberts asked the interviewing Agents when Roberts was interviewed if the interview was in response to Roberts' tweet on April 15.
Roberts advised during the interview that he did not compromise the airplane network on the United Airlines flight from Denver to Chicago. Chris Roberts advised that the thumb drives in his possession contained virtual machines and malware to compromise networks. He described the content as "nasty."

35. A virtual machine is a secondary operating system that runs on a primary operating system with hardware emulation. A user is able to run several concurrent virtual machines with different operating systems on one computer. Virtual machines can be stored and operated from different storage media such as USB drives, external hard drives, or an internal hard drive.

36. During the interview on April 15, 2015 Chris Roberts voluntarily showed the FBI wiring schematics related to multiple airplane models. The schematics were on Roberts' MacBook Pro.

37. Chris Roberts advised during the interview on April 15, 2015 that his MacBook Pro had been powered on since his flight from Denver to Chicago. The screen is locked on the MacBook Pro but the computer has remained on since being seized by the FBI on April 15, 2015.

38. On April 15, 2015 the FBI seized digital evidence in possession of Chris Roberts. Roberts photographed the items that were seized. A photograph of the seized items was then tweeted on Chris Roberts' Twitter account Sidragon1 with the following caption "Bye bye electronics, all ail now in custody/seized";

CONCLUSION

39. Based on the investigation described above, probable cause exists to believe that inside the Device(s) (described on Attachment A), will be found evidence, fruits, and instrumentalities of a violation of Title 18, United States Code, Sections 1030(a)(2), 1030(a)(5) and 1030(a)(5)(B). (described on Attachment B).

40. I, therefore, respectfully request that the attached warrant be issued authorizing the search and seizure of the items described in Attachment A for the items listed in Attachment B.
I declare under penalty of perjury that the foregoing is true and correct to the best of my information, knowledge, and belief.

Mark Hurley, Special Agent, FBI

SUBSCRIBED and SWORN before me this 7 day of April, 2015

Hon. Andrew T. Baxter
United States Magistrate Judge

ATTACHMENT A

LOCATION TO BE SEARCHED

1 black I-PAD Air, serial number hard plastic case and Death Wish Coffee Co sticker; silver/grey MacBook Pro serial number w/multiple stickers; silver/grey black WD My Passport hard drive, serial number silver/grey black WD My Passport hard drive, serial number WXUIEB3WVLC3, 1 black Western Digital hard drive, serial number WXK1A9003026T w/ label; 1 black micro 2GB San Disk Cruzer thumb drive; 1 terabyte, silver/grey, Transcend flash drive and black USB cable; 2 blue 46 PNY thumb drives; 1 purple, 8GB Verbatim thumb drive; 1 black Kingston MicroSD thumb drive; 1 black thumb drive w/toggles on the side; 1 purple black Linkeys Bluetooth USB adapter, 1 orange and white thumb drive.

ATTACHMENT

DESCRIPTION OF ITEMS TO BE SEIZED AND SEARCHED

For the Device(s) listed and described in Attachment A, the following items, that constitute of the commission of, contraband, of instrumentalities of violations of Title 18, United States Code, Sections 1030(a)(2); 1030(a)(5)(A); and 1030(a)(5)(B).

1. Software programs used for mapping, compromising or monitoring computer networks including Kali Linux, MetaSploit, Wireshark, deplorer, ParaView software, VxWorks, Nmap, Vector Canoe and Vortex software.

2. Virtualizing software including Virtual Box and VMWare.

3. Bash history on native or virtualized Linux machines.

4. All files related to connection settings including connection logs, registry lists, and plists.

5.
All electronic email, attachments, chat logs, Twitter posts, FaceTime logs and Skype logs or other communications discussing airplane systems or how to access an airplane's computer systems or that would reveal who used the devices and when.

6. Powerpoint presentations, photographs, images, and screenshots containing information about airplane networks, airplane wiring schematics and In Flight Entertainment systems.

7. Documentation about In Flight Entertainment systems, airplane manuals, and airplane networks.

8. Records pertaining to airline travel.

9. Volatile memory to include keys and passwords.

10. Usernames and passwords for In Flight Entertainment systems and airplane networks.

11. Mac Addresses.

12. Records of Internet activity including search terms pertaining to violations of 18 U.S.C. 1030(a)(2) or 1030(a)(5), or that show who used, owned, possessed, or controlled the Device(s)

13. Evidence of who used, owned, or controlled the Device(s) to commit or facilitate the commission of the crimes described, or at the time the things described in this warrant were created, edited, or deleted, including photographs, videos, logs, call logs, phonebooks, address books, contacts, IP addresses, registry entries, configuration files, saved usernames and passwords, documents, calendars, browsing history, search terms, metadata, user profiles, e-mail, email contacts, messages (text or voice), instant messaging logs, file structure and correspondence.

14. Evidence of software that may allow others to control the Device(s), such as viruses, Trojan horses, and other forms of malicious software, as well as evidence of the presence or absence of security provisions or software designed to detect malicious software or unauthorized use of the device, and evidence of the lack of such malicious software

DEFINITIONS:

15.
As used above, the terms "records" and "information" include all of the foregoing items of evidence in whatever form and by whatever means they may have been created or stored, including any form of computer or electronic storage (such as hard disks or other media that can store data); any handmade form (such as writing, drawing, painting); any mechanical form (such as printing or typing); and any photographic form (such as microfilm, microfiche, prints, slides, negatives, videotapes, motion pictures, or photocopies).