Case Document 1 Filed 04/04/17 Page 1 of 15

AO 106 (Rev. 04/10) Application for a Search Warrant

UNITED STATES DISTRICT COURT
for the
Middle District of Georgia

In the Matter of the Search of
(Briefly describe the property to be searched or identify the person by name and address)
THE USE OF A NETWORK INVESTIGATIVE TECHNIQUE FOR A COMPUTER ACCESSING EMAIL ACNT.

Case No. 7-MJ-2 (fee)

APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See Attachment A.

located in the Middle District of Georgia there is now concealed (identify the person or describe the property to be seized): See Attachment B.

The basis for the search under Fed. R. Crim. P. 41(c) is (check one or more):
M evidence of a crime;
d contraband, fruits of crime, or other items illegally possessed;
M property designed for use, intended for use, or used in committing a crime;
13 a person to be arrested or a person who is unlawfully restrained.

The search is related to a violation of:

Code Section / Offense Description
18 U.S.C. 842(a)(1) - Importing Explosives Without a License
18 U.S.C. 842(a)(3)(A) - Transporting or Receiving Explosive Material Without a License
18 U.S.C. 844(d) - Attempting to Transport Explosive Materials with intent to Injure

The application is based on these facts: See Affidavit

Cl Continued on the attached sheet.
of Delayed notice of 30 days (give exact ending date if more than 30 days: ) is requested under 18 U.S.C. 3103a, the basis of which is set forth on the attached sheet.

Applicant's signature
D. Craig Bailey, Special Agent, FBI
Printed name and title

Sworn to before me and signed in my presence.
Judge's signature
City and state: Albany, Georgia
Thomas Q. Langstaff, United States Magistrate Judge
Printed name and title

IN THE UNITED STATES DISTRICT COURT FOR MIDDLE DISTRICT OF GEORGIA
VALDOSTA DIVISION

IN THE MATTER OF THE SEARCH OF: THE USE OF A NETWORK INVESTIGATIVE TECHNIQUE FOR A COMPUTER ACCESSING EMAIL ACCOUNT

AFFIDAVIT IN SUPPORT OF AN APPLICATION UNDER RULE 41 FOR A WARRANT TO SEARCH AND SEIZE

I, Craig D. Bailey, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application under Rule of the Federal Rules of Criminal Procedure in support of an application for a search warrant to use a network investigative technique I request approval to send one or more communications to any computer accessing (hereinafter TARGET EMAIL). Each such communication is designed to cause the computer(s) receiving it to transmit data that will help identify the computer, its location, other information about the computer, and the user of the computer. As set forth herein, there is probable cause to believe that violations of 18 U.S.C. 842(a)(1) (importing explosives without a license); 18 U.S.C. 842(a)(3)(A) (transport or receive explosive material without a license); and 18 U.S.C. 844(d) (attempt to transport explosive materials with intent to injure) have occurred and that evidence, instrumentalities, and contraband of those violations exist on the computer(s) that receive the NIT described above.

Special Agent with the Federal Bureau of Investigation and have been so employed since June 2005. I am currently assigned to the Atlanta Field Office (Valdosta RA).
I have experience and have received training in the preparation, presentation, and service of criminal complaints and arrest and search warrants and have been involved in the investigation of numerous types of offenses against the United States. In addition, I am familiar with the manner in which federal crimes are committed and the efforts of persons involved in such activity to avoid detection by law enforcement.

3. While at the FBI Academy, I received specific training on using digital tools to conduct cyber investigations. Since then, I have participated in several criminal investigations involving cybercrimes. Through my training at the FBI Academy, education, and experience as an FBI agent, I have become familiar with the manner in which the Internet is used to perpetrate various crimes.

4. This affidavit is intended to only that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

PROBABLE CAUSE

5. On or about March 29, 2017, an individual(s) purchased a mail bomb via the Internet from a law enforcement employee working as an Online Covert Employee (OCE). The individual(s) who purchased the mail bomb utilized two separate computer monikers (hereinafter "Moniker #1" and "Moniker #2") while communicating online with the OCE on Website #1.[1] The purchase was completed with virtual currency totaling approximately $550.00 U.S. currency.

[1] The actual name of Website #1 is known to law enforcement. The site remains active and disclosure of the name of the site would potentially alert users to the fact that law enforcement action is being taken against the site, potentially provoking users to notify other users of law enforcement action, flee, and/or destroy evidence. Accordingly, for purposes of the confidentiality and integrity of the ongoing investigation involved in this matter, specific names and other identifying factors have been replaced with generic terms.

6. Moniker #1 initially expressed interest, in August 2016, in obtaining a bomb that could be attached to a vehicle and would detonate when the vehicle door was either opened or closed. Moniker #1 advised the OCE that Moniker #1 was 100% serious and would definitely buy the product.

7. Moniker #1 resurfaced on or about March 27, 2017, and advised OCE the following: "will supply address. You mail package and when it is opened boom game over. Also please delete all messages between us."

8. Moniker #1 further advised on or about March 27, 2017: "Target is nobody special. Just a rat criminal."

9. Later on the same day, Moniker #1 wrote: "will send money and address today if you are ok with order."

10. Finally, on March 27, 2017, Moniker #1 wrote: "If you have any advice like should I destroy this phone once completed and us both destroy all messages please let me know. Time is running out and I need this pos to get his bday present on time. Please let me know something as soon as possible so I can look elsewhere if you don't want the job."

11. Moniker #2 surfaced on or about March 28, 2017, and advised OCE the following: "I'm not going to be able to tomorrow. Almost 9pm no worries my friend will definitely have it to you tomorrow on my word"

12. On or about March 28, 2017, and March 29, 2017, Moniker #2 paid for the mail bomb with virtual currency totaling approximately $550.00 U.S. currency and provided the target as James Lawrence, 3813 Del Circle, Hahira, Georgia 31632.

13. FBI subsequently confirmed that an individual named James Lawrence lives at 3813 Del Circle in Hahira, Georgia.

14. On or about March 30, 2017, the OCE advised Moniker #2 that the bomb would not be activated when it was shipped but would need to be received by Moniker #2 to activate the device prior to delivery to the target. Moniker #2 responded: "You don't have a reshipper in USA.
I am trying to stay out of this as most as possible being I have motive. That's why I'm doing it this way. If not I will figure it out. . .please give me detailed instructions on how to keep myself from blowing my face off it's a black rat so make the box look appealing if possible."

15. On April 4, 2017, Moniker #2 provided an email address so that the OCE could send a document containing the detailed instructions Moniker #2 had requested regarding the mail bomb:

16. Accordingly, probable cause exists to believe that violations of 18 U.S.C. § 842(a)(1) (importing explosives without a license); 18 U.S.C. 842(a)(3)(A) (transport or receive explosive material without a license); and 18 U.S.C. 844(d) (attempt to transport explosive materials with intent to injure) have occurred.

THE REMOTE SEARCH TECHNIQUE

17. Based on my training, experience, and the investigation described above, I have concluded that using a NIT may help law enforcement locate the user of the TARGET EMAIL. Accordingly, I request authority to use the NIT, which will be deployed via email to investigate any user who logs into the TARGET EMAIL on a computer.

18. If a computer successfully activates the NIT, the NIT will conduct a limited search of that computer for the items set forth in Attachment B. The NIT utilizes computer instructions to cause an activating computer to send certain information to a computer controlled by the FBI.

19. The NIT will be delivered through a link included in an email that contains a document with the imbedded NIT. When the document is opened on an Internet connected computer, instructions within the document direct the activating computer to connect to the FBI controlled server. The communications with the FBI controlled server result in the server capturing the originating IP Address from the activating computer.
The computer's true assigned IP address can be associated with an Internet service provider and a particular ISP customer.

20. Specifically, the NIT is designed to collect the items described below and in Attachment B, information that may assist in identifying the computer, its location, other information about the computer, and the user of the computer, all of which is evidence, instrumentalities, and contraband of violations of 18 U.S.C. 842(a)(1); 18 U.S.C. and 18 U.S.C. 844(d). This information may include the following:

a. The computer's IP address (Internet Protocol Address). An IP Address is a unique numeric address used to direct information over the Internet. For example, addresses are written as a series of four groups of numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Conceptually, IP addresses are similar to telephone numbers in that they are used to identify computers that send and receive information over the Internet.

b. The type of operating system running on the computer, including type (e.g., Windows) and version (e.g., Windows 10).

c. The web browser and version running on the computer. The web browser is the program that allows computer users to view web pages. Firefox, Internet Explorer, Chrome and Safari are examples of web browsers.

d. The computer's language encoding and default language. Users can set computers to display text in a particular language.

e. The computer's time zone information.

f. The Uniform Resource Locator to which the target computer was previously connected. URLs, such as are used to access web sites.

21. The NIT will cause the above-described information to be sent over the Internet to a computer controlled by the FBI located in the Northern District of Georgia and then relayed to investigators in the Middle District of Georgia.

22. Each of the above categories of information sought by the NIT may constitute and/or contain evidence of the crimes under investigation, including information that may help to identify the computer receiving the NIT and its user.

a. The computer's true assigned IP address can be associated with an Internet service provider and a particular ISP customer.

b. The operating system, including type and version, can also corroborate the identity of a computer.

c. The browser type and versions can also corroborate the identity of a computer.

d. The language encoding and computer default language can help identify the subject by identifying his native spoken language.

e. Time zone information will assist in confirming the geographical location of the subject computer.

f. The last-visited URL can sometimes help corroborate the identity of the computer and user by, for example, showing that the NIT ran after the user visited a website associated with the attempted purchase of a mail bomb.

23. Based on my training, experience, my consultation with other FBI and law enforcement employees, and the investigation described herein, I know that network level messages and information gathered directly from a sending computer can be effective in identifying a computer, its location and individual(s) using a computer. For instance, individual(s) using the Internet can use compromised computers or commercial services to conceal their true originating IP address and thereby intentionally inhibit their identification. For example, as mentioned earlier, the subject accessing the TARGET EMAIL account used the services of an Internet company, to mask the IP address from which they are logging on to the TARGET EMAIL account. Getting IP address and other information directly from the computer being used by the subject can defeat such techniques.
The NIT will cause the above-described information to be sent over the Internet to a computer controlled by the FBI, which will analyze the resulting information.

TIME AND MANNER OF EXECUTION OF THE SEARCH

24. Rule 41(e)(2) of the Federal Rules of Criminal Procedure requires that the warrant command the law enforcement officer "to execute the warrant within a specified time no longer than 14 days" and to "execute the warrant during the daytime unless the judge for good cause expressly authorizes execution at another time . . . ." The government seeks permission to deploy the NIT onto the computer accessing the TARGET EMAIL account and for the NIT to operate as described above, including by collecting and sending information to law enforcement, at any time of day or night within 14 days of the date the warrant is authorized. There is good cause to allow such a method of execution as the time of deployment causes no additional intrusiveness or inconvenience to anyone. More specifically, the government has no control of the timing or when the subject(s) will access the TARGET EMAIL account. The government also seeks to read any information that the NIT causes to be sent from the activating computer at any time of day or night during the 14 days from the date the warrant is authorized. This is because the individuals using the activating computer may activate the NIT after 10:00 PM or before 6:00 AM and law enforcement would seek to read the information it receives as soon as it is aware of the NIT response.

JURISDICTION

25. This Court has jurisdiction to issue the requested warrant under Rule because the above facts establish there is probable cause to believe that the location of the computer(s) accessing the TARGET EMAIL has been concealed through technological means, and that there is probable cause to believe that activities related to the crime being investigated occurred within this judicial district.

AUTHORIZATION REQUEST: DELAYED NOTICE

26. Pursuant to 18 U.S.C. 3103a(b) and Federal Rule of Criminal Procedure I request that this Court authorize the officers executing the warrant to delay notice until 30 days after the collection authorized by the warrant has been completed.

27. This application seeks a warrant authorizing the use of computer software on the computer(s) accessing the TARGET EMAIL that, after successful installation, will collect and send information from that computer and make it available to government personnel authorized by the requested warrant to receive and review such information. Thus, the warrant applied for would authorize the copying of electronically stored information under Rule However, as further specified in Attachment B, which is incorporated into the warrant, the applied-for warrant does not authorize the physical seizure of any tangible property.

28. It is intended that the collection and sending of such information will be performed without the knowledge of the TARGET users.

29. There is reasonable cause to believe that providing immediate notification of the warrant may have an adverse result, as defined in 18 U.S.C. 2705. Providing immediate notice to the owner or user of the TARGET ACCOUNTS would seriously jeopardize the ongoing investigation, as such a disclosure would give that person an opportunity to destroy evidence, change patterns of behavior, notify confederates, and flee from prosecution. See 18 U.S.C. 3103a(b)(1).

30. To the extent that Attachment B describes stored wire or electronic information, such a seizure is reasonably necessary, because without this seizure, there would be no other way, to my knowledge, to view the information and to use it to further the investigation.
Furthermore, the network investigative technique does not deny the users or administrators access to the account information, nor does the technique permanently alter any of the information stored in the accounts. See 18 U.S.C. 3103a(b)(2).

SEARCH AUTHORIZATION REQUESTS

31. Accordingly, for each of the aforementioned reasons, it is respectfully requested that this Court issue a search warrant authorizing the following link included in an email that contains a document with the imbedded NIT on the computer accessing the TARGET EMAIL until the NIT has returned the information authorized to be collected by this warrant, without prior announcement, within 14 days from the date this Court issues the requested warrant; the NIT may cause an activating computer wherever located to send to the FBI network level messages containing information that may assist in identifying the computer, its location, other information about the computer and the user of the computer; that the government may receive and read, at any time of day or night, within 14 days from the date the Court authorizes the use of the NIT, the information that the NIT causes to be sent to the computer controlled by the that, pursuant to 18 U.S.C. 3103a(b)(3), to satisfy the notification requirement of Rule 41(f)(3) of the Federal Rules of Criminal Procedure, the government may delay providing a copy of the search warrant and the receipt for any property taken until the time that a suspect has been identified and has been placed in custody from the sending of the NIT unless notification is further delayed by the court; and that provision of a copy of the search warrant and receipt may, if other methods allowed by law are unavailable, be effectuated by electronic delivery of true and accurate electronic copies (e.g., Adobe PDF file) of the fully executed documents in the same manner as the NIT is delivered.

REQUEST FOR SEALING

It is respectfully requested that this Court issue an order sealing, until further order of the Court, all papers submitted in support of this application, including the application and search warrant. I believe that sealing this document is necessary because the search warrant is relevant to an ongoing investigation into the criminal organizations as not all of the targets of this investigation will be searched at this time. Based upon my training and experience, I have learned that, online criminals actively search for criminal affidavits and search warrants via the internet, and disseminate them to other online criminals as they deem appropriate, post them publicly online through the carding forums. Premature disclosure of the contents of this affidavit and related documents may have a significant and negative impact on the continuing investigation and may severely jeopardize its effectiveness.

CONCLUSION

33. Based on the information identified above, information provided to me, and my experience and training, I have probable cause to believe there exists evidence, instrumentalities, and contraband of criminal activity related to attempts to purchase a mail bomb on computers that access TARGET EMAIL, in violation of 18 U.S.C. 842(a)(1); 18 U.S.C. and 18 U.S.C. 844(d).

34. Based on the information described above, there is probable cause to believe that the information described in Attachment B constitutes evidence of these crimes.

35. Based on the information described above, there is probable cause to believe that employing a NIT on any computer accessing TARGET EMAIL, to collect information described in Attachment B, will result in the United States obtaining the evidence of the crimes described above.

Respectfully submitted,

Special Agent
Federal Bureau of Investigation

Subscribed and sworn to before me on April 4, 2017.

THOMAS Q. LANGSTAFF
UNITED STATES MAGISTRATE JUDGE

ATTACHMENT A

Location to be Searched

This warrant authorizes the use of a network investigative technique on the portion of any computer accessing that may assist in identifying the computer, its location, other information about the computer, and the user of the computer.

ATTACHMENT B

Information to be Seized

Information that may assist in identifying the computer, its location, other information about the computer, and the user of the computer, all of which is evidence, instrumentalities, and contraband of violations of 18 U.S.C. 842(a)(1); 18 U.S.C. and 18 U.S.C. § 844(d). This information may include environmental variables and/or certain registry-type information, such as:

A. The computer's IP address.

B. The type of operating system running on the computer, including type and version.

C. The web browser and version running on the computer.

D. The computer's language encoding and default language. Users can set computers to display text in a particular language.

E. The computer's time zone information.

F. The Uniform Resource Locator to which the target computer was previously connected.

This warrant does not authorize the physical seizure of any tangible property. In approving this warrant, the Court finds reasonable necessity for the seizure of stored wire and electronic information as described above. See 18 U.S.C. 3103a(b)(2).