STATE OF MICHIGAN SEARCH WARRANT CASE NO. 20 19 Flint Water Crisis DISTRICT COURT POLICE AGENCY Department of Attorney General REPORT NO. aoig?F?WCT TO THE SHERIFF ORANY PEACE OFFICER: A. PERSON, PLACE, or THING to be searched is described as and located at: The Department of Attorney General, State Operations Division, 525 West Ottawa, G. Mennen Williams Bldg, Lansing, MI 48909 PROPERTY to be searched for and seized, if found, is speci?cally described as: . All unredacted State of Michigan (SOM) Data related to the Flint Water Crisis Investigation (FWCI) that is stored at premises owned, maintained, controlled, leased, rented, or operated by the Service Provider, KLDiscovery. The Service Provider, KLDiscovery is required to disclose the following information to the State of Michigan Solicitor General or a member of the Flint Water Crisis Investigation Team: . All original information, data, or files, whether electronic or paper, that were provided to the Service Provider, KLDiscovery, by any State of Michigan representative for potential inclusion in either of the workspaces described above. . All SOM Data and all associated available n1etadata,-including metadata described in Appendix A, if available. The SOM Data including both source native files and images, plus associated metadata is to be provided in the industry standard Concordance format of .dat and .opt, also known as a Relativity Load File. 4. All necessary information in order to install the Relativity Load File into a new Relativity workspace, including but not limited to usernames, passwords, Load File field descriptions, etc. will be seized at the time the warrant is executed. IN THE NAME OF THE PEOPLE OF THE STATE OF MICHIGAN I have found that probable cause exists, and you are commanded to make the search and seize the described property. Leave a copy of this warrant with attached tabulation (a written inventory) of all property taken with the person from whom the property was taken or at the premises. You are further commanded to return this warrant and tabulation to the Court. Issued: i ?fg? Date 33%: Affial?y EXHIBIT A TYPES OF METADATA Example Descuptlon BEGDOC EDC00000001 Unique beginning number for each record. ENDDOC Unique ending number for each record. ATTACH RANGE Includes the BEGDOC of the parent record and the ENDDOC of the last attachment record, separated by a hyphen The unique BEGDOC number for the first attached record. ENDATTACH The unique ENDDOC number for the last attached record. ATTACH Attachl.doc;Attac112.Xls For parent records - lists the original filenames of all attached records, separated by the multi?value delimiter. 2 For parent records - total number of records attached. ATTACH MT For parent records lists of BEGDOC numbers for all attached records, separated by the multi-value delimiter. MD5HASH D564668821034200FF3E320913F Unique MD5 hash value for the record. CUSTODIAN Smith, John Person from whom the document originated or the place/ system from where the document was collected. ALTCUSTODIAN Joe Wilson; Bob Smith; John Doe List of custodians where the record has been removed as a duplicate of the one being produced. LOOSE E-MAIL The type of document, such as, Image, E~Mail, Loose E- Mail, Attachment, eDoc, etc. APPLICATIONNAIWE MICROSOFT OFFICE WORD Native application used to access file, pulled from metadata of the native file. DOCEXT XLS The original file extension of the record. ILENAME Estimatesxls For native files: The original file name of a native file FW: Monday Meeting For Email records: Subject of e-mail message FILESIZE 27739 Size of the original native file, in bytes. AUTHOR John Smith Author field from the metadata of the native file. EDSOURCE Fully qualified original path -01.- to the source folder, files C:\Documents\Financials and/ or mall stores EDFOLDER For native files: full path to source file For email records: folder path contained within the mail store LASTAUTHOR Joe L. Smith Last save by author from metadata of the native file. DATESENT 10/12/2010 Sent date of an email message. DATERCVD 05/22/2011 Received date of an email message. DATECREATED 09/18/2010 Creation date of a native file. DATELASTMOD 02/11/2012 Date the native file was last modified. DATEACCESSED 11/23/2010 Date the native file was last - accessed. 02/13/2011 Date the native file was last printed. DATEAPPSTART 03/05/2012 Appointment start date for calendar items. DATEAPPEND 03/05/2012 Appointment end date for calendar items. TIMESENT 07:05:12 Sent time of an email message. TIMERCVD 10:22:54 Received time of an email message. TIMECREATED 02:45:23 Creation time of a native file. Time the native file was last TIMELASTMOD 05:12:14 modified. TIMEACCESSED 11:12:43 Time the native file was last accessed. 10:34:12 Time the native file was last printed. 08:00:00 Appointment start time for calendar items. TIMEAPPEND 09:00:23 Appointment end time for calendar items. TIMEZONEPROC ?05:00) Eastern Time Timezone where record was first processed FROM Jane Smith Author of email message. TO Smith, Jane; LeeW [mailto:Main recipient(s) of email LeeW@gn1ail.com] message. CC John Paul [mailto: Recipient(s) of ?carbon copies? of email message. BCC Mary Doe Recipient(s) of ?blind carbon copies? of email message. EMAILSUBJECT Board Meeting Minutes Subject of an email message. Email thread identification EX 389B522E FF595EF9FB created by the original email system <000805c2c71b$75977050$cb Internet Message ID assigned to an email message by the outgoing mail server. NATIVEFILE 001/ Relative path to the original native file for a record TEXTPATH TEXT 00 1/ ED C000 00001.txt Relative path to the associated text file for a record STATE OF SEARCH WARRANT . CASE NO. 2019 Flint Water Crisis 67 TH DISTRICT COURT POLICE AGENCY Department of Attorney General REPORT NO. 2019-FWCT TO THE SHERIFF OR ANY PEACE OFFICER: A. PERSON, PLACE, or THING to be searched is described as and located at: Department of Technology, Management and Budget (DTMB) Michigan Security Operations Center 7150 Harris Drive, Diamondale, MI 48821 B. PROPERTY to be searched for and seized, if found, is speci?cally described as: 1. ?All 41 ?Flint Water Cases? identi?ed on attached spreadsheet (Exhibit A). The term ?Flint Water Case? refers to a unique identi?er assigned to each individual device assigned to DTMB digital forensic examiners for review and examination. All devices or the image or extraction, the report and documentation from the requesting state agency involved. report to include the following forensic information: ITAM, Bit locker, picture of service tags/ hard drives and any associated passwords. 2. For any cell phones that are seized at the location listed in Paragraph A above, any and all content of cellular phones (including SIM cards and memory cards, if applicable): Including, but not limited to: contact lists; call history lists (including received, dialed, and missed calls); (including, sent, received, and draft messages); pictures, videos, audio ?les; email; instant messaging; web Wi?Fi network information; GPS directions; calendars; notes; installed applications, usernames and. passwords for said cellular telephones or applications (if applicable). 3. For any desktOp computers, laptop computers, or tablets, including peripherals and data storage media, that are seized at the location listed in Paragraph A above, any and all content of said computers and peripheral and data storage media including, but not limited to: electronically stored communications or messages; web page web searches, cookies, history, favorite sites; images; any user names and passwords, password files, test keys, codes or other codes necessary to access the computers or applications to be searched or to convert any data ?le or information on the computers into a readable form. 4. Any application software or other programs which are on the devices that could be used to facilitate the creation, transmission or storage of the described data 1 ?les, including but not limited to photo editing software, e?mail applications, word processing software, and/ or software used to access the internet. Any passwords or password ?les necessary to gain access to the ?les, software, or applications which is on the devices. 5. Electronic communications stored within the phone and storage devices as e- mail. Such information and/ or communications that may be in the form of electronic communications (such as e-mail) residing on any media magnetic, optical or digital media). That information may include electronic communications held or maintained in electronic storage by an electronic communication service or remote computing service, as those services are de?ned within 18 U.S.C. 2703. These communications are referred to herein as ?stored communications?. These communications related to this case stored in the suspect?s computer or other electronic devices as e-mail. That federal law, whichis part of the Electronic Communications Privacy Act, allows interception of such electronic communication pursuant to a search warrant. IN THE NAME OF THE PEOPLE OF THE STATE OF NIICHIGAN: I have found that probable cause exists and you are commanded to make the search and seize the described property. Leave a copy of this warrant with attached tabulation (a written inventory) of all property taken with the person from Whom the property was taken or at the premises. You are further commanded to return this warrant and tabulation to the Court. Issued: 57% jg w- Date FLINT WATER MISOC CASES CASE AGENCY Definite (P) 1601?0078 DEQ 1603?0226 DEQ 1603?0296 1603-0322 1605?0439 1605?0442 DEQ 0 1605?0475 1605?0478 Gov's Ofc. 1607?0639 Gov?s Ofc. 1608?0757 1609?0804 DEQ 1609-0837 1609-0842 1611*1051 1701?0028 1701?0048 DEQ 1701-0056 1701?0057 1701-0084 1701?0121 Gov's Ofc. 1703?0222 DEQ 1703-0245 DEO. 1707?0715 MSHDA 1802?0154 DEQ 1803-0223 1805-0505 1806?0545 DEO. 1806?0546 1806?0629 DEQ 1809-0781 1810?0885 MDE 1810?0893 Gov's Ofc. 1810?0909 1810?0919 1811?0968 1902?0104 1902?0148 1903?0234 Exhibit A: 1 of 1 STATE OF MICHIGAN I SEARCH WARRANT CASE NO. 2019 Flint Water Crisis DISTRICT COURT POLICE AGENCY Department of Attorney General TO THE SHERIFF OR ANY PEACE OFFICER: PERSON, PLACE, 0r THING to be searched is described as and located at: The Department of Attorney General, State Operations Division, 525 West Ottawa, G. Mennen Williams Bldg, Lansing, MI 48909 PROPERTY to be searched for and seized, if found, is speci?cally described as: See ?Exhibit to include logs and/ or reports identifying relevant passwords, bit locker codes, usernames, user ids, iCloud/iTunes logins. . For any cell phones that are seized at the location listed in Paragraph A above, any and all content of cellular phones (including SIM cards and memory cards, if applicable): Including, but not limited to: contact lists; call history lists (including received, dialed, and missed calls); (including, sent, received, and draft messages); pictures, videos, audio files; email; instant messaging; web HT Wi?Fi network information; GPS directions; calendars; notes; installed applications, usernames and passwords for said cellular telephones or applications (if applicable). . For any desktop computers, laptop computers, or tablets, including peripherals and data storage media, that are seized at the location listed in Paragraph A above, any and all content of said computers and peripheral and data storage media including, but not limited to: electronically stored communications or messages; web page web searches, cookies, history, favorite sites; images; any user names and passwords, password files, test keys, codes or other codes necessary to access the computers or applications to be searched or to convert any data file or information on the computers into a readable form. . Any application software or other programs which are on the devices that could be used to facilitate the creation, transmission or storage of the described data files, including but not limited to photo editing software, e?mail applications, word processing software, and/ or software used to access the internet. Any REPORT NO. 2019-FWCT passwords or password files necessary to gain access to the files, software, or applications which is on the devices. 5. Electronic communications stored within the phone and storage devices as e- mail. Such information and/ or communications that may be in the form of electronic communications (such as e?mail) residing on any media magnetic, optical or digital media). That information may include electronic communications held or maintained in electronic storage by an electronic communication service or remote computing service, as those services are defined within 18 U.S.C. 2703. These communications are referred to herein as ?stored communications?. These communications related to this case stored in the suspect?s computer or other electronic devices as e?mail. That federal law, which is part of the Electronic Communications Privacy Act, allows interception of such electronic communication pursuant to a search warrant. IN THE NAME OF THE PEOPLE OF THE STATE OF MICHIGAN: I have found that probable cause exists and you are commanded to make the search and seize the described property. Leave a copy of this warrant with attached tabulation (a written inventory) of all property taken with the person from whom the property was taken or at the premises. You are further commanded to return this warrant and tabulation to the Court. ue agis - Flint Water MDEQ device data in the physical custody of the DAG. iPho-ne 65' . iPhone 65 unsucces?Sful? attempt at full extraction;- 1/23/2017 Responsive text messages produced in Flood Volume 16. 12.31291 3.10.961? .. 5(2012016 weep-1a a: muearacaga 2/1220 16 Image of device. Cook- if: Haas; lexezzoie-i? [Ii?aigaofde?cer [119/20 . Krisztiani': 3' .7 Encry?jfed; full ?kti?aCtion; . Mono ?mlth IiPliO'Iie 6-2321 . liliozao?-?. Enbig??t?dg?nsu'cce?sful 'atteitipt 1Phone4s 5117/2 16 my. ??ft admin; Imiage of device. E?tf?c?d?l? a: full ?itra'ction: Laptop image 05/26/2016 Image of device. Shek?erf?Sihi?i'- "age- 22172015.; save. wagon-?- E?crii?t?iu?su?d 'ssfui .ati??i?f atoll; aeration: Exhibit A: of 9 iPhone 55 - Second (EVE- 3/7/2016 unsuccessful attempt at full extraction. Attempt Exhibit A: 2 of 9 Flint Water - device data in the physical custody of the DAG. Successful extraction. Responswe text messages Were,- produced in Flood volume 007.2%: - 5- - unsuccessful attempt at fu11 extraction. 10/13/2016 11/18/201654 Successful extractlon Responsive text messages were produced in Flood Velurne 011.: 11/21/2016 Successful extraction Responswe'fezxt messagesfwe're I I Droducedelood Volume'019 - 10/3/9016 unsuccessful attempt at full extraction. 1- iPllone 5s 12/9/2016 unsuccessful attempt at full extraction. iPhofie Successful extractionResponsive teart messages produced 11? Flood Volume i(1.1 11/18/2016 5. preduced'in'Flood Volume 011. SuccessfulextractiomResponswe text'messagesiwere; 9/27/2016 hem/ted unsuccess??atte mp1 atfull extraction 12/9/2016 unsuccessful attempt at full extraction. Successful extraction. .. "if" -. . .. 12/9/2016 Successful extraction. Text messages were reviewed and no responsive material was identi?ed. Cmput 1mg 1/19/9017 Iimiage-v- Reviews pad .. . I I I53 55' Motorola 11/18/2016 Successful extractlon- Text messages Were lewewed and no responsrve material Was 1dent1?ed Lasherfh iPliO?? 0:355 iPhone 6 at - 12/9/2016 Successful extraction. Responsive text messages were produced in Flood Volume 014. I?_ii- :unsucceSSfol attempt. at extraction. . . Exhibit A 3 019 lessee" Lybn?? Nicka iPad Air 2 10/13/2016 Successful extraction. Responsive text messages were produced in Flood Volume 026. nil/'1' 9/201 7 Success?il extraction. Responswe text messages Hivereg if produced in Flood Veluine' 018; .- - . .. 11/17/2916?? Successfulexti action. Responswe text messages 'Droduced 1n Flood Volume 010.21: .: - MCKane Fathom 11/1fZ/2016 Successful extraction Responswe text messages werejiljl-f -. - produced in Flood Volume 010.- Miller-5 corms see/20 - unsuccessful ?attempt at fullextraction? Z: 8/30/2016 unsuccessful attempt at full extraction. Moran if attempt at full extraction 12/9/2016 Successful extraction. Text messages were reviewed and no .. 9/27/2916 responsive material was identi?ed- Successful extraction ?not reduced 1/13/2017 Successful extraction. Responswe text messages were produced in Flood Volume 017. Peeler ii'j . unsuccessful attempt at full extraction. 5/26/2016 Successful extraction. Responsive text messages were produced in Flood Volume 012. - 8/30/2016 1; Successful extraction. Text messages were reviewed and no 7 responsive material was identi?ed- I 8/30/2016 Successful extraction. Text messages were reviewed and no responsive material was identi?ed. . 5126/2016; 5/25/2016 ?g Image. Reviewed for responsive information and produced. .61 6/3016:- 1mg Revised and sensed; Priest?" Successful extraction Responswe'text messages were produced in Flood Volume 010 Rockefeller}? ICIiery'l?g; ?iPhbne 63' Plus 1-6/6/20181-35' SucceSS?il extra-cabs. not: reviews/71:11:? Exhibit A: 4 of 9 Travis? - .- lRashini- iPl'i'oile' 11/ 5' Enorybted, u?suc'Cess?ll'attempt at full extraction. .. iPhone 6 x/ 19/1/9016 Successful extraction. Responsive text messages were produced in Flood Volume 014. . . Meghan;- iPl?iQh? 55 1/18/3017 rewewed 5119/9016 -- Wells Eden Successful extrac?mon Responswe text messages were__? - .. produced 111 Floocl Volume 09 - - - - 10/3/9016 Successful extraction. Responsive text messages were produced 111 Flood. Volume 026. Exhibit A: 5 of 9 Flint Water - Gov. device data in the physical custody of the DAG. iPhone data copy I Hard Drive (slim) . December 2018 Physical iPeid: .- December . iTunes backup cony, not produced. erases es'extr'actioa? December 2018 Sdccessful extraction; net 'produCem-? - - Physical irrigate 1v? Physical iPad .- D'e'cenibe'r2018 Hard Dried [-15 December 2018 I iPhb??'i ?'xtractio? 10f23r2018' iPhone 63 extraction 1/ succeSSful extraction, not pfodnced; 5: .55. . . 712582016 Successful extraction. According to WNJ, the responsive, non~privileged information 10/932?90 18 was" produced to OSC December 2018 Baird-e;- . IRic?ardi-?f Droid Phone extraction D's-cease: 20181? . Successful extraction. According to information provided by WNJ, the responsive, non-privile ged information from a Baird mobile device was produced to 080. iJRhon? 5's credence 016'? j" Successful extraction. According to WNJ the responsrve non?priwleged information 3' was nro'dnced to 030 cameras - December 2018 net-aerate 2018' . . -. . - Ti.? Hard Drive iPhone 6 extraction Became; 2018 i: 8fli2016 Successful extraction. According to WNJ, the responsive, non-privileged information. was produced to OSC. Brewn Physical iPad 1V 5' December-2.01825: Hard December 2018 December-20118.9: assess-7 miseries-i; iPhone data copy 1030;320:8213 succesS?i-l extraction, not'prodnced; December 2018 iTunes backup copy, not-produced- Exhibit A: 8 of 9 iBhO?s?'eii Physical iPhone Successful extraction According to WNJ the respons e, non-pnvaleged Informatlon was produced to OSC Original data held by eDlscovery vendor DAG does not have a coll-3EIEI . . I I December 2018 HardDriveil" December 2018 i. ?che extracth . 10r'6K9018- successml'e?traCtion not pieduced' . According to ?che responelve . . . mobile? _deidoe was pIoduced to? OS hut-?re suspect tIiat it was. ?om an earlier (Mr-fraction iPhone data copy December 2018 iPhone f, :5 .: Hard Drive (slim) .. December 2018 i 2- iTunes ?backup? copy- not produced December 2018 Oie?ent-h i - IEHzabeiH 55Ccimpizt'ef 3: -. Hard Drive (shmi '1ox24/20 if?" at: Si3f2016= In December 2018 as produced tti OSC. Physical iPad December 018. --.-..- December 20 18 Hard .Dr'iir'?? {3111:0/ Decembef' 2013 iPhone data copy December 2018 iTunes backup copy, not produced. PhisicaliPho?'?s i=1 December 2018? Physical iPad Dad?mb?r 2018 rte-4;: Hard Drive '(e?nii?eiz??ii. December 20 18 December 2018' if; .3 Hard- Driife- i 5i I D?Cember2018 -. - .Heefsi?? Hard Drive Decemberi2018 Decemizier 2018 Hollins . l- i . fiPhon'e Gs .extraction'i?i'i- Samsung Galaxy 4 extraction Successful extraction, not produced. . . IPhoneextraction . iPhone 6s logeokeois . Successfui eiti?c?ee, 'nois'pr'oduce dis. i; 8i3f2016 According to NJ, the responsive, non- privileged information ?our a HoIJins phone was produced to OSC. Exhibit A: 7 of 9 lPhone ,55 I 5' Hard Drive J- - December @0182; December 20185 I I I iPad data copy DeCember 2018 7-53 December 2018 iTunes backup copy, not produced. datacopy . December 2018'." i?I?unes' backup copy, not produced; 73:5 2 Ali?o'n. 891343.119 (sum) $139133: IPhone Physica1 iPad J, I I December 9018.15 5 Hard Driv9 (slim).- 1/ 13:51! . December 20 18 December 2018": 3.15. - Physical when}. 11. f, . Physical iPad Hard Drivel" December'2018i1i1-d 31 December 2018 iPhone 6 extraction December 2018.; 1/28120 18 Successful extraction, not produced. Manblakouclis 55:15.73 Virginia .: Physical 1- - thsical iPad I Hard Dlive k/I, :5 December 20 18 Hard Drive v/ 1- December December 20 18 resigaleha?e; Hard Drive (919.139.) 99.1%: December 2018 datacopy . 1 1 December 5' mines Backup: 6:63.33. hot 1.9.1.3991: . . 5:51 [Hard -. 1 .: 141:: IDika .3 :Phdne? extractron 10124-12018 71-221.: 7K2812016 Successful extraction- According to WNJ, the responsive, non-privileged information was produced to 080 I iPho?e" 111.459.6993}? Physical inone December"- 20183-1.? 1.3 iTunes backup copy; net produced . December 2018 Phone has handwritten note of 11119118. Pbysical iPad Hard Drive . December 2018*" I December 2018 I: . .. .. . if December 20 18:1 1-311 eicelirhg?? Physical iPad Hard. Drive (gum-.96.. 13.989213911421119 iPhone 7 extraction December 20 18 5 Dec-Ember - =3 INEEI 211412.018 Successful extraction, not produced. Exhibit A: 7 of 9 Sanders i- 13b011e extractmn mobile dewcew extractlon sac-1211311111 extraction 1101: 11111111111: Accordmg to the reSponsiye ncn? . 13- privile ged information froma Saunders I 11131011111111 to 080 __b11_t we suspect that it was from a11ear11er iPhone data copy \1 3113 51ca11Phone December 2018 P11311111 113111 December 201-811.? iTunes 13111?1111 copy, not produced. 4/ December 20 18 Hard Drive (5111111Seott'F: - 11311111 111111111 . . 13110119 data copy 10131120181." .- .3 Succ?Ss?jlextracticn; not prom-{09? December 2018 iTuues backup copy, not produced. 191111111 copy 5% - -- December 2018 1111115 13111111111111}: not prddu'c?d; Physical iPhone NC Physical 11911. 1: J, 113',? Hard Drive (slim) December 2018 51311011" 65.198114911113111. "(9619016 Successful extraction to 1:11e responsne mformatmn '3 was produced 136 080.1 - 131101111 Hard 131-111 (slim) - 1311520115 December 2018 .-. $115111 extractio?: iPhone data copy 10/311120 :3 15113 - 3 December 2018 iTu11es backup copy, not produced. 1111111111111231 a Physical iPhone . 1115111111 2018: ii?iuei-i: iTune's backup cepy,? "not'prOd?'ced; 1131311111 11111 9- December 20 18 D'ec?mbef 2018 . 3. December 2018 5125/2016 .. Successful extractmn Ac ordmg 111211111,- 111? 3881301131161 non-pnwleged mformation 11' ?as produced to 080-.? - .. Tam, - I v? Hard Drive December 2018*?; ff. December 2018 1.311111111310111 . Ha1d Drive - December 20181:] I: December 2018- I Also: Christine N. noted on hard drive. P331111 11?11 x/ December 2018 Exhibit A: 8 019 II?Iard Drive (811131)!ng iDec'embe'r 2018 8m "'ntli? Sam ?areDi'ire' 331- D'?eemb'eir'zols - West anh/ Wndy g?i?cel 173119119 Decembe? 2018: f? PhysicaliPad December 2018 Hard Drive (Slif?) Deciamber 20 18 . I iPhone 7 extraction 2!14f2018 Successful extraction, not produced. Unknd?li"i"5' k/m . ICust'odia'n's? 1- Hafd Decembeiiz?l?} .I "f "fl 5 7:735- . i' -. Physical iPhone 0909 December 2018 Exhibit A: 9 of 9