Case 1:17-mj-00024-BKE Document 1-3 Filed 06/03/17 Page 1 of 15

IN THE UNITED STATES DISTRICT COURT FOR THE SOUTHERN DISTRICT OF GEORGIA
AUGUSTA DIVISION

IN THE MATTER OF THE SEARCH OF: 1957 BATTLE ROW, AUGUSTA, GA 30904 and A LIGHT COLOR NISSAN CUBE WITH VIN JN8AZ2KR0CT254476, and the person of REALITY LEIGH WINNER

Case No. 1:17-mj-00024

Filed Under Seal

AFFIDAVIT IN SUPPORT OF AN APPLICATION UNDER RULE 41 FOR A WARRANT TO SEARCH AND SEIZE

I, Justin C. Garrick, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application under Rule 41 of the Federal Rules of Criminal Procedure for a warrant to search the premises known as 1957 Battle Row, Augusta, GA 30904, hereinafter "PREMISES," further described in Attachment A; a light-colored Nissan Cube with VIN JN8AZ2KR0CT254476, hereinafter "VEHICLE"; and the person of REALITY LEIGH WINNER, hereinafter "WINNER," for the things described in Attachment B.

2. I am a Special Agent with the Federal Bureau of Investigation ("FBI") assigned to the Atlanta division, and have been since 2008. During this time, I have received training at the FBI Academy located at Quantico, Virginia, specific to counterintelligence and espionage investigations. I currently am assigned to investigate counterintelligence and espionage matters. Based on my experience and training, I am familiar with efforts used to unlawfully collect and disseminate sensitive government information, including national defense information.

3. There is probable cause to believe that the PREMISES, VEHICLE, and WINNER'S person contain evidence, contraband, fruits, and/or other items illegally possessed in violation of 18 U.S.C. § 793(e).

4.
The facts set forth in this affidavit are based on my personal knowledge, knowledge obtained during my participation in this investigation, and information from other FBI and U.S. Government personnel. This affidavit is intended to show only that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

STATUTORY AUTHORITY AND DEFINITIONS

5. For the reasons set forth below, I believe that there is probable cause to believe that the PREMISES, VEHICLE, and WINNER'S person contain evidence, contraband, fruits, and/or other items illegally possessed in violation of Title 18, United States Code, Section 793(e) (the "Subject Offense").

6. Under 18 U.S.C. § 793(e), "whoever having unauthorized possession of, access to, or control over any document... or information relating to the national defense which information the possessor has reason to believe could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes to be communicated, delivered, or transmitted" or attempts to do or causes the same "to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it" shall be fined or imprisoned not more than ten years, or both.

7. Under Executive Order 13526, information in any form may be classified if it: (1) is owned by, produced by or for, or is under the control of the United States Government; (2) falls within one or more of the categories set forth in the Executive Order [Top Secret, Secret, and Confidential]; and (3) is classified by an original classification authority who determines that its unauthorized disclosure reasonably could be expected to result in damage to the national security.

8.
Where such unauthorized disclosure could reasonably result in damage to the national security, the information may be classified as "Confidential" and must be properly safeguarded. Where such unauthorized disclosure could reasonably result in serious damage to the national security, the information may be classified as "Secret" and must be properly safeguarded. Where such unauthorized disclosure could reasonably result in exceptionally grave damage to the national security, the information may be classified as "Top Secret" and must be properly safeguarded.

9. Classified information of any designation may be shared only with persons determined by an appropriate United States Government official to be eligible for access, and who possess a "need to know." Among other requirements, in order for a person to obtain a security clearance allowing that person access to classified United States Government information, that person is required to and must agree to properly protect classified information by not disclosing such information to persons not entitled to receive it, by not unlawfully removing classified information from authorized storage facilities, and by not storing classified information in unauthorized locations. If a person is not eligible to receive classified information, classified information may not be disclosed to that person. In order for a foreign government to receive access to classified information, the originating United States agency must determine that such release is appropriate.

10. Pursuant to Executive Order 13526, classified information contained on automated information systems, including networks and telecommunications systems, that collect, create, communicate, compute, disseminate, process, or store classified information must be maintained in a manner that: (1) prevents access by unauthorized persons; and (2) ensures the integrity of the information.

11. 32 C.F.R.
Parts 2001 and 2003 regulate the handling of classified information. Specifically, 32 C.F.R. § 2001.43, titled "Storage," regulates the physical protection of classified information. This section prescribes that Secret and Top Secret information "shall be stored in a GSA-approved security container, a vault built to Federal Standard (FED STD) 832, or an open storage area constructed in accordance with § 2001.53." It also requires periodic inspection of the container and the use of an Intrusion Detection System, among other things.

PROBABLE CAUSE

12. As set forth in further detail below, WINNER is under investigation for printing and improperly removing and transmitting classified material from an Intelligence Community Agency (the "U.S. Government Agency") on or about May 9, 2017, and passing the classified material to an online news outlet (the "News Outlet"). WINNER is a contractor with Pluribus International Corporation assigned to a U.S. Government Agency facility in Georgia. She has been employed at the facility since on or about February 13, 2017. From January 2013 until her employment with Pluribus International Corporation, WINNER was an active duty member of the U.S. Air Force and held a Top Secret clearance.

13. On June 1, 2017, the FBI was notified by the U.S. Government Agency that the U.S. Government Agency had been contacted by the News Outlet on May 30, 2017, regarding an upcoming story. The News Outlet informed the U.S. Government Agency that it was in possession of what it believed to be a classified document authored by the U.S. Government Agency. The News Outlet provided the U.S. Government Agency with a copy of this document. Subsequent analysis by the U.S. Government Agency confirmed that the document in the News Outlet's possession is intelligence reporting dated on or about May 5, 2017 (the "intelligence reporting").
This intelligence reporting is classified at the Top Secret level, indicating that its unauthorized disclosure could reasonably result in exceptionally grave damage to the national security, and is marked as such. The U.S. Government Agency has since confirmed that the reporting contains information that was classified at that level at the time that the reporting was published on or about May 5, 2017, and that such information currently remains classified at that level.

14. The U.S. Government Agency examined the document shared by the News Outlet and determined the pages of the intelligence reporting appeared to be folded and/or creased, suggesting they had been printed and hand-carried out of a secured space.

15. The U.S. Government Agency conducted an internal audit to determine who accessed the intelligence reporting since its publication. The U.S. Government Agency determined that six individuals printed this reporting. These six individuals included WINNER. A further audit of the six individuals' desk computers revealed that WINNER had e-mail contact with the News Outlet. The audit did not reveal that any of the other individuals had e-mail contact with the News Outlet.

16. The U.S. Government Agency determined that WINNER had e-mail communication with the News Outlet on or about March 30, 2017, and March 31, 2017. The first e-mail was from WINNER, using e-mail address da3re.fitness@gmail.com, to the News Outlet. In it, WINNER appeared to request transcripts of a podcast. The second e-mail was from the News Outlet to da3re.fitness@gmail.com and confirmed WINNER'S subscription to the service. The da3re.fitness@gmail.com account is a personal e-mail account not sponsored by or affiliated with the U.S. Government Agency.

17. On or about May 9, 2017, four days after the publication of the classified report, WINNER conducted searches on the U.S.
Government Agency's classified system for certain search terms, which led WINNER to identify the intelligence reporting. On or about May 9, 2017, WINNER also printed the intelligence reporting. A review of WINNER'S computer history revealed she did not print any other intelligence report in May 2017.

18. At all times relevant to this affidavit, WINNER has maintained an active Top Secret clearance. The U.S. Government Agency confirmed that although WINNER had the required access to search for and view the intelligence reporting, the information contained in the intelligence reporting is unrelated to her job duties, and WINNER therefore does not possess a "need to know."

19. On or about May 24, 2017, a reporter for the News Outlet (the "Reporter") contacted another U.S. Government Agency affiliate with whom he has a prior relationship. This individual works for a contractor for the U.S. Government (the "Contractor"). The Reporter contacted the Contractor via text message and asked him to review certain documents. The Reporter told the Contractor that the Reporter had received the documents through the mail, and they were postmarked "Augusta, Georgia." WINNER resides in Augusta, Georgia. The Reporter believed that the documents were sent to him from someone working at the location where WINNER works. The Reporter took pictures of the documents and sent them to the Contractor. The Reporter asked the Contractor to determine the veracity of the documents. The Contractor informed the Reporter that he thought that the documents were fake. Nonetheless, the Contractor contacted the U.S. Government Agency on or about June 1, 2017, to inform the U.S. Government Agency of his interaction with the Reporter. Also on June 1, 2017, the Reporter texted the Contractor and said that a U.S. Government Agency official had verified that the document was real.
When questioned about what intelligence report number was associated with the images on his phone, the Contractor supplied the reporting number associated with the intelligence reporting at issue.

20. On May 27 to 29, 2017, WINNER traveled outside the United States to Belize in Central America. WINNER provided notice to the U.S. Government Agency in March 2017 of her intent to travel to Belize in May 2017. The purpose of WINNER'S travel and her activities while abroad are unknown.

21. WINNER resides at the PREMISES, as verified on June 2, 2017, by her Driver's License address and two utility billing addresses. Additionally, WINNER owns and drives a light-colored Nissan Cube with VIN JN8AZ2KR0CT254476, as verified by the vehicle registration information. Agents viewed a light-colored Nissan Cube parked at the PREMISES on June 2, 2017, and witnessed WINNER traveling in the VEHICLE in Augusta, Georgia, on June 3, 2017. I confirmed on June 2, 2017, that WINNER has a cellular phone serviced by Cingular/AT&T. In my training and experience, people typically store their electronics and correspondence (including letters or printed emails) in their homes and transport them in their vehicles. I also know that people typically carry small electronic storage devices and communication devices, such as thumb drives and cellular phones, on their person. There is thus probable cause to believe that intelligence reporting and evidence of correspondence between WINNER and the News Outlet, among other items of evidentiary value, may be found inside the PREMISES and the VEHICLE, as well as on storage and communication devices on WINNER'S person. Moreover, there is probable cause to believe that evidence of communications between WINNER and the News Outlet, among other items of evidentiary value, will be found on WINNER'S electronic devices at the PREMISES, in the VEHICLE, and on WINNER'S person.

COMPUTERS, ELECTRONIC STORAGE, AND FORENSIC ANALYSIS

22. As described in Attachment B, this application seeks permission to search for records that might be found on the PREMISES, in the VEHICLE, and on WINNER'S person, in whatever form they are found. One form in which the records might be found is data stored on a computer's hard drive or other storage media. Thus, the warrant applied for would authorize the seizure of electronic storage media or, potentially, the copying of electronically stored information, all under Rule 41(e)(2)(B).

23. Probable cause. I submit that if a computer or storage medium is found on the PREMISES, in the VEHICLE, or on WINNER'S person, there is probable cause to believe those records will be stored on that computer or storage medium, for at least the following reasons:

a. Based on my knowledge, training, and experience, I know that computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a storage medium, deleted, or viewed via the Internet. Electronic files downloaded to a storage medium can be stored for years at little or no cost. Even when files have been deleted, they can be recovered months or years later using forensic tools. This is so because when a person "deletes" a file on a computer, the data contained in the file does not actually disappear; rather, that data remains on the storage medium until it is overwritten by new data.

b. Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space, that is, in space on the storage medium that is not currently being used by an active file, for long periods of time before they are overwritten. In addition, a computer's operating system may also keep a record of deleted data in a "swap" or "recovery" file.

c.
Wholly apart from user-generated files, computer storage media - in particular, computers' internal hard drives - contain electronic evidence of how a computer has been used, what it has been used for, and who has used it. To give a few examples, this forensic evidence can take the form of operating system configurations, artifacts from operating system or application operation, file system data structures, and virtual memory "swap" or paging files. Computer users typically do not erase or delete this evidence, because special software is typically required for that task. However, it is technically possible to delete this information.

d. Similarly, files that have been viewed via the Internet are sometimes automatically downloaded into a temporary internet directory or "cache."

24. Forensic evidence. As further described in Attachment B, this application seeks permission to locate not only computer files that might serve as direct evidence of the crimes described on the warrant, but also for forensic electronic evidence that establishes how computers were used, the purpose of their use, who used them, and when. There is probable cause to believe that this forensic electronic evidence will be on any storage medium in the PREMISES, in the VEHICLE, or on WINNER'S person because:

a. Data on the storage medium can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing file). Virtual memory paging systems can leave traces of information on the storage medium that show what tasks and processes were recently active. Web browsers, e-mail programs, and chat programs store configuration information on the storage medium that can reveal information such as online nicknames and passwords.
Operating systems can record additional information, such as the attachment of peripherals, the attachment of USB flash storage devices or other external storage media, and the times the computer was in use. Computer file systems can record information about the dates files were created and the sequence in which they were created, although this information can later be falsified.

b. As explained herein, information stored within a computer and other electronic storage media may provide crucial evidence of the "who, what, why, when, where, and how" of the criminal conduct under investigation, thus enabling the United States to establish and prove each element or alternatively, to exclude the innocent from further suspicion. In my training and experience, information stored within a computer or storage media (e.g., registry information, communications, images and movies, transactional information, records of session times and durations, internet history, and anti-virus, spyware, and malware detection programs) can indicate who has used or controlled the computer or storage media. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence. The existence or absence of anti-virus, spyware, and malware detection programs may indicate whether the computer was remotely accessed, thus inculpating or exculpating the computer owner. Further, computer and storage media activity can indicate how and when the computer or storage media was accessed or used. For example, as described herein, computers typically contain information that log: computer user account session times and durations, computer activity associated with user accounts, electronic storage media that connected with the computer, and the IP addresses through which the computer accessed networks and the internet.
Such information allows investigators to understand the chronological context of computer or electronic storage media access, use, and events relating to the crime under investigation. Additionally, some information stored within a computer or electronic storage media may provide crucial evidence relating to the physical location of other evidence and the suspect. For example, images stored on a computer may both show a particular location and have geolocation information incorporated into its file data. Such file data typically also contains information indicating when the file or image was created. The existence of such image files, along with external device connection logs, may also indicate the presence of additional electronic storage media (e.g., a digital camera or cellular phone with an incorporated camera). The geographic and timeline information described herein may either inculpate or exculpate the computer user. Last, information stored within a computer may provide relevant insight into the computer user's state of mind as it relates to the offense under investigation. For example, information within the computer may indicate the owner's motive and intent to commit a crime (e.g., internet searches indicating criminal planning), or consciousness of guilt (e.g., running a "wiping" program to destroy evidence on the computer or password protecting/encrypting such evidence in an effort to conceal it from law enforcement).

c. A person with appropriate familiarity with how a computer works can, after examining this forensic evidence in its proper context, draw conclusions about how computers were used, the purpose of their use, who used them, and when.

d. The process of identifying the exact files, blocks, registry entries, logs, or other forms of forensic evidence on a storage medium that are necessary to draw an accurate conclusion is a dynamic process.
While it is possible to specify in advance the records to be sought, computer evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on a computer is evidence may depend on other information stored on the computer and the application of knowledge about how a computer behaves. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.

e. Further, in finding evidence of how a computer was used, the purpose of its use, who used it, and when, sometimes it is necessary to establish that a particular thing is not present on a storage medium. For example, the presence or absence of counter-forensic programs or anti-virus programs (and associated data) may be relevant to establishing the user's intent.

25. Necessity of seizing or copying entire computers or storage media. In most cases, a thorough search of a premises or vehicle for information that might be stored on storage media often requires the seizure of the physical storage media and later off-site review consistent with the warrant. In lieu of removing storage media from the premises or vehicle, it is sometimes possible to make an image copy of storage media. Generally speaking, imaging is the taking of a complete electronic picture of the computer's data, including all hidden sectors and deleted files. Either seizure or imaging is often necessary to ensure the accuracy and completeness of data recorded on the storage media, and to prevent the loss of the data either from accidental or intentional destruction. This is true because of the following:

a. The time required for an examination. As noted above, not all evidence takes the form of documents and files that can be easily viewed on site. Analyzing evidence of how a computer has been used, what it has been used for,
and who has used it requires considerable time, and taking that much time on premises could be unreasonable. As explained above, because the warrant calls for forensic electronic evidence, it is exceedingly likely that it will be necessary to thoroughly examine storage media to obtain evidence. Storage media can store a large volume of information. Reviewing that information for things described in the warrant can take weeks or months, depending on the volume of data stored, and would be impractical and invasive to attempt on-site.

b. Technical requirements. Computers can be configured in several different ways, featuring a variety of different operating systems, application software, and configurations. Therefore, searching them sometimes requires tools or knowledge that might not be present on the search site. The vast array of computer hardware and software available makes it difficult to know before a search what tools or knowledge will be required to analyze the system and its data on the Premises. However, taking the storage media off-site and reviewing it in a controlled environment will allow its examination with the proper tools and knowledge.

c. Variety of forms of electronic media. Records sought under this warrant could be stored in a variety of storage media formats that may require off-site reviewing with specialized forensic tools.

26. Nature of examination. Based on the foregoing, and consistent with Rule 41(e)(2)(B), the warrant I am applying for would permit seizing, imaging, or otherwise copying storage media that reasonably appear to contain some or all of the evidence described in the warrant, and would authorize a later review of the media or information consistent with the warrant.
The later review may require techniques, including but not limited to computer-assisted scans of the entire medium, that might expose many parts of a hard drive to human inspection in order to determine whether it is evidence described by the warrant.

CONCLUSION

27. I submit that this affidavit supports probable cause for a warrant to search the PREMISES, the VEHICLE, and the PERSON described in Attachment A and seize the items described in Attachment B.

REQUEST FOR SEALING

28. It is respectfully requested that this Court issue an order sealing, until further order of the Court, all papers submitted in support of this application, including the application and search warrant. I believe that sealing this document is necessary because the items and information to be seized are relevant to an ongoing investigation and the FBI has not yet identified all potential criminal confederates nor located all evidence related to its investigation. Premature disclosure of the contents of this affidavit and related documents may have a significant and negative impact on the continuing investigation and may severely jeopardize its effectiveness by allowing criminal parties an opportunity to flee, destroy evidence (stored electronically and otherwise), change patterns of behavior, and notify criminal confederates.

Respectfully submitted,

Special Agent
Federal Bureau of Investigation

Subscribed and sworn to before me on June 3, 2017:

BRIAN K. EPPS
UNITED STATES MAGISTRATE JUDGE