UNITED STATES DISTRICT COURT
FOR THE WESTERN DISTRICT OF VIRGINIA
CHARLOTTESVILLE DIVISION

IN THE MATTER OF THE SEARCH OF:
202B Tiffany Dr.
Waynesboro, VA 22980

Case No. 5:19-mj-O 038

AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEARCH WARRANT

Case Document 1-1 Filed 08/15/19 Page 1 of 14 Pageid#: 2

I, William Ury, being first duly sworn, hereby depose and state as follows:

INTRODUCTION AND AGENT BACKGROUND

1. I make this affidavit in support of an application for a search warrant for 2023 Tiffany Dr., Waynesboro, VA 22980 (PREMISES) for evidence stored at the premises controlled by William Eugene Angus UNDERWOOD. The articles to be searched for are described in the following paragraphs and in Attachment A.

2. I am a Special Agent with the United States Capitol Police (USCP), and have been since August 2018. I am currently assigned to the USCP Investigations Division, Threat Assessment Section. Prior to working in the Investigations Division, I was a uniformed officer with the USCP from April 2003 to August 2018. Prior to employment with the USCP, I was a Deputy Sheriff in Union County, Illinois from November 1990 to February 2003. I am a graduate of the Criminal Investigator Training Program at the Federal Law Enforcement Training Center (FLETC) in Georgia. In the course of my employment as a Special Agent with the USCP, I have received training regarding the application for and execution of arrest warrants. In my current assignment, I have participated in and conducted investigations involving illegal activity, including threatening communications, both locally and interstate.

3. The facts in this affidavit come from my personal observations, my training and experience, and information obtained from other agents and witnesses. This affidavit is intended to show merely that there is sufficient probable cause for the requested warrant and does not set forth all of my knowledge about this matter.

4.
Based on the facts set forth in this affidavit, there is probable cause to believe that evidence of violations of Title 18 U.S.C. 875(c) may be at the subject address, and there is probable cause that those violations may have been committed by William Eugene Angus UNDERWOOD. There is also probable cause to search the information described in Attachment A for evidence of these crimes, as further described in Attachment B.

1 Title 18, United States Code Section 875(c) prohibits the transmission, in interstate commerce, of true threats to kidnap and/or injure another individual such as, an interstate telephone call.

PROBABLE CAUSE

1. A check of Virginia driver's license reflects an address of 202B Tiffany Dr. Waynesboro, VA 22980-3243.

2. On August 14, 2019, the United States Capitol Police Investigations Division, Threat Assessment Section received information reported by Cooperating Witness 1 (CW-1).

3. CW-1 reported he was communicating with UNDERWOOD via Facebook Messenger on the night of August 12, 2019 and again on August 13, 2019.

4. CW-1 reported UNDERWOOD was expressing mental and emotional issues he was experiencing with his vehicle and with his girlfriend on the night of August 12, 2019 (Exhibit A, Pages 1-4).

5. CW-1 reported UNDERWOOD followed with the conversation with the following statement: "And to top it off, the US is going down the shitter faster than I wanted it to, and I'm having legitimate serious thoughts about getting a plate carrier and rifle, and going off on my own kind of spree in the capital building."2

6. When asked what good such action would do, UNDERWOOD stated: "It would make me feel better. And frankly, that particular action is better than inaction. Go all founding father on their asses, clean slate this shit. I keep reading the manifestos of all these shooters, and I legitimately understand why they do what they do.
I think their targets are fucked up, but their reasons check out with me. Gotta head back to the floor now man. Just thought I'd give you a quick run down."3

2 Exhibit A (A series of Facebook screen captures and photos provided by CW-1 to law enforcement.)
3 Exhibit A at 2.

7. The pathway to violence is generally comprised of the following steps: grievances, violent ideation, research and planning, pre-attack preparation, probing and breaching, and committing violence. Although not all documented lone wolf attacks precisely follow this template, there are many consistencies along the path. Where one shooter may skip one step, others may retreat back before continuing on. Two examples follow:

a. The events of March 15, 2019 in Christchurch, New Zealand, and the manifesto that was published by the actor allow investigators to follow along the actor's pathway to violence. The actor in Christchurch discussed over many pages his grievances with his government, discussed how the "extermination of the white race" could be stopped, discussed at length why he chose the firearms he did, to include a discussion of why he chose certain ones over the other. This particular actor all but skipped pre-attack planning, narrowing his intended targets down to three with no set goal of where and when to start his attack. Ultimately, with no intervention the attack was committed by an actor with no military background yielding the deaths of 51 souls.

b. The events of August 4, 2019 in Dayton, OH demonstrate that the pathway to violence is different for each actor. In this case the actor did not leave a manifesto for investigators to follow, however there were other clues that went unnoticed until after the attack. The Dayton actor expressed interest in violence as a means to solve his perceived issues.
Through the months prior to the shooting it was discovered that his rhetoric and internet searches became more violent and promoted the idea that violence would ultimately be the answer. It is believed that this actor was inspired by the manifesto left by the actor of the El Paso shooting.

8. From Exhibit A, the following facts can be gleaned: personal life has begun to fracture (issues with girlfriend, emotional issues) (Exhibit A at UNDERWOOD stated he is "having serious thoughts about getting a plate carrier and rifle, and going off on my own kind of spree in the capital [sic] building" (Exhibit A at he is reading the manifestos of other actors and identifying with them (Exhibit A at 2), and he is researching weapons, alcohol, and armor (Exhibit A - google search history).

9. CW-1 communicated to UNDERWOOD that violence was not the answer, and UNDERWOOD replied: "Bro, our freedoms are already gone. We have no power other than violence."4

4 Exhibit A at 2.

10. CW-1 questioned UNDERWOOD about his future legacy and told UNDERWOOD he had so much to live for. UNDERWOOD communicates "That's exactly my point. Facebook is collecting it all. It's all monitored. And I'll probably get my door kicked in soon. For having treasonous thoughts and conversations. Fuck my rights, yeah? I'd leave the legacy of a free man. Realistically, no, I'm not going to do anything, because it would ultimately serve no purpose. But I'd really like to buy a cabin in Northern Montana, and just fucking disappear. The fact that we can't even discuss such a thing as this without being a crime though, tells me all I need to know about my rights and freedoms. They're only given to me by violence of keeping them. If we cannot have faith in our government or process, then how else are we expected to change things? All of these epiphanies and questions led me to saying what I've said. Do you see where I'm coming from?
The only options are to fight or run. Lol this is why I don't open up a lot."5

11. CW-1 communicated that "murdering people in cold blood won't do shit." And UNDERWOOD replied: "What will do shit? Also, like 50 revolutions say your wrong."6

12. CW-1 communicates that mass protest is the answer and loose actions will not do the country good in which UNDERWOOD replies: "Nah, not a loose action. A revolution. And when the fuck has protest accomplished anything? I'd love an example"7

13. CW-1 communicates he cannot morally condone statements, to which UNDERWOOD replied: "But you can morally condone letting the government trample all over its own people."8

14. The communication provided to law enforcement ends with giving his opinion of the state of the nation to come, and receives no reply from

5 Exhibit A at 3.
6 Exhibit A at 4.
7 Id.
8 Id.
9 Id.

15. CW-1 also informed law enforcement that, on the evening of August 13, 2019 (the day after the communications set forth above), he received another Facebook message from UNDERWOOD, which showed a list of items for which UNDERWOOD had recently searched online.10 The list of items for which UNDERWOOD had searched included Glock 1? price, bottle of jack, Waynesboro to Emporia, VA, and level 5 ballistic plates.11

16. UNDERWOOD followed the list with the statement: "Lol I think my FBI agent is on high alert" "Bottle of jack, level 5 plates, glock, and the drive from my place to a DC suburb

17. UNDERWOOD communicated to CW-1 that he has a friend who lives in DC and was planning to visit. CW-1 replied the statements scared him for a second, to which UNDERWOOD replied: "So imagine how my agent feels."13

18. CW-1 reported Facebook address as:

19. CW-1 reported UNDERWOOD goes by the name Eugene.

20.
Agents submitted to Facebook an emergency request for subscriber information and IP session logs for the user name: A review of the information provided by Facebook in response revealed that the subscriber's name is Eugene UNDERWOOD, with phone number 540-480-7138.

21. Agents performed database searches associated with phone number 540-480-7138, and the results confirmed an association with William UNDERWOOD of Staunton, VA.

10 Exhibit A at 5-6.
11 Id.
12 Exhibit A at 5.
13 Id.

22. Facebook also provided to law enforcement IP session logs that showed IP address was being used on 2019-08-13 at 22:03:41 UTC, by a Facebook account registered to

23. An open source search of the IP address revealed the provider as Comcast.

24. Agents submitted an exigent request to the Comcast Legal Response Center for subscriber information associated with the IP address and was provided with the following subscriber information: William UNDERWOOD of 2023 Tiffany Dr. Waynesboro, VA 22980, phone number of 540-480-7138.

25. Law enforcement database checks on UNDERWOOD provided a date of birth in the year 1995, and a social security number

26. CW-1 provided photos of a vehicle to law enforcement, bearing Virginia license plate ROKKET. Law enforcement conducted database checks on Virginia registration ROKKET and learned the registered owner was William Eugene Angus UNDERWOOD, of 2023 Tiffany Drive in Waynesboro, Virginia 22930-3243. Law enforcement surveillance on August 15, 2019 revealed the vehicle was parked in front of 202B Tiffany Drive in Waynesboro, Virginia, the suspected residence of UNDERWOOD.

Communications at Exhibit A at 5.

USE OF COMPUTERS AND CELLULAR PHONES IN THREAT RELATED OFFENSES

27. Based on affiant's training and experience and discussions with other law enforcement officers, persons committing or intending to commit threat related offenses often
utilize computers, data storage devices, external storage devices, ZIP disks, and (CD-Roms), and other electronic communications equipment including cellular telephones. These persons often use computers, cell phones, and peripheral devices to search the internet and to communicate and transmit threats to recipients of threat related activities.

TECHNICAL TERMS

28. Based on my training and experience, I use the following technical terms to convey the following meanings:

a. Wireless telephone: A wireless telephone (or mobile telephone, or cellular telephone) is a handheld wireless device used for voice and data communication through radio signals. These telephones send signals through networks of transmitter/receivers, enabling communication with other wireless telephones or traditional "land line" telephones. A wireless telephone usually contains a "call log," which records the telephone number, date, and time of calls made to and from the phone. In addition to enabling voice communications, wireless telephones offer a broad range of capabilities. These capabilities include: storing names and phone numbers in electronic "address books;" sending, receiving, and storing text messages and e-mail; taking, sending, receiving, and storing still photographs and moving video; storing and playing back audio files; storing dates, appointments, and other information on personal calendars; and accessing and downloading information from the Internet. Wireless telephones may also include global positioning system technology for determining the location of the device.

b. PDA: A personal digital assistant, or PDA, is a handheld electronic device used for storing data (such as names, addresses, appointments or notes) and utilizing computer programs. Some PDAs also function as wireless communication devices and are used to access the Internet and send and receive e-mail.
PDAs usually include a memory card or other removable storage media for storing data and a keyboard and/or touch screen for entering data. Removable storage media include various types of flash memory cards or miniature hard drives. This removable storage media can store any digital data. Most PDAs run computer software, giving them many of the same capabilities as personal computers. For example, PDA users can work with word-processing documents, spreadsheets, and presentations. PDAs may also include global positioning system technology for determining the location of the device.

c. Tablet: A tablet is a mobile computer, typically larger than a phone yet smaller than a notebook that is primarily operated by touching the screen. Tablets function as wireless communication devices and can be used to access the Internet through cellular networks, 802.11 networks, or otherwise. Tablets typically contain programs called apps, which, like programs on a personal computer, perform different functions and save data associated with those functions. Apps can, for example, permit accessing the Web, sending and receiving e-mail, and participating in Internet social networks.

d. Portable media player: A portable media player (or "MP3 Player" or iPod) is a handheld digital storage device designed primarily to store and play audio, video, or photographic files. However, a portable media player can also store other digital data. Some portable media players can use removable storage media. Removable storage media include various types of flash memory cards or miniature hard drives. This removable storage media can also store any digital data. Depending on the model, a portable media player may have the ability to store very large amounts of electronic data and may offer additional features such as a calendar, contact list, clock, or games.

e.
Pager: A pager is a handheld wireless electronic device used to contact an individual through an alert, or a numeric or text message sent over a telecommunications network. Some pagers enable the user to send, as well as receive, text messages.

f. IP Address: The Internet Protocol address (or simply "IP address") is a unique numeric address used by computers on the Internet. An IP address looks like a series of four numbers, each in the range 0-255, separated by periods (e.g., 121.565.97.178). Every computer attached to the Internet must be assigned an IP address so that Internet traffic sent from and directed to that computer may be directed properly from its source to its destination. Most Internet service providers control a range of IP addresses. Some computers have static (that is, long-term) IP addresses, while other computers have dynamic (that is, frequently changed) IP addresses.

g. Internet: The Internet is a global network of computers and other electronic devices that communicate with each other. Due to the structure of the Internet, connections between devices on the Internet often cross state and international borders, even when the devices communicating with each other are in the same state.

h. Storage medium: A storage medium is any physical object upon which computer data can be recorded. Examples include hard disks, RAM, floppy disks, flash memory, CD-ROMs, and other magnetic or optical media.

COMPUTERS, ELECTRONIC STORAGE, AND FORENSIC ANALYSIS

29. As described above and in Attachment B, this application seeks permission to search for records and other items that might be found on the PREMISES, in whatever form they are found. One form in which the records might be found is data stored on a computer's hard drive or other storage media.
Thus, the warrant applied for would authorize the seizure of electronic storage media or, potentially, the copying of electronically stored information, all under Rule B).

30. Probable cause. I submit that if a computer or storage medium is found on the PREMISES, there is probable cause to believe those records will be stored on that computer or storage medium, for at least the following reasons:

a. Based on my knowledge, training, and experience, I know that computer files or remnants of such files can be recovered months or even years after they have been downloaded onto a storage medium, deleted, or viewed via the Internet. Electronic files downloaded to a storage medium can be stored for years at little or no cost. Even when files have been deleted, they can be recovered months or years later using forensic tools. This is so because when a person "deletes" a file on a computer, the data contained in the file does not actually disappear; rather, that data remains on the storage medium until it is overwritten by new data.

Therefore, deleted files, or remnants of deleted files, may reside in free space or slack space (that is, in space on the storage medium that is not currently being used by an active file) for long periods of time before they are overwritten. In addition, a computer's operating system may also keep a record of deleted data in a "swap" or "recovery" file.

Wholly apart from user-generated files, computer storage media, in particular computers' internal hard drives, contain electronic evidence of how a computer has been used, what it has been used for, and who has used it. To give a few examples, this forensic evidence can take the form of operating system configurations, artifacts from operating system or application operation, file system data structures, and virtual memory "swap" or paging files.
Computer users typically do not erase or delete this evidence, because special software is typically required for that task. However, it is technically possible to delete this information.

d. Similarly, files that have been viewed via the Internet are sometimes automatically downloaded into a temporary Internet directory or "cache."

31. Forensic evidence. As further described in Attachment B, this application seeks permission to locate not only computer files that might serve as direct evidence of the crimes described on the warrant, but also for forensic electronic evidence that establishes how computers were used, the purpose of their use, who used them, and when. There is probable cause to believe that this forensic electronic evidence will be on any storage medium in the PREMISES because:

a. Data on the storage medium can provide evidence of a file that was once on the storage medium but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph that has been deleted from a word processing Virtual memory paging systems can leave traces of information on the storage medium that show what tasks and processes were recently active. Web browsers, e-mail programs, and chat programs store configuration information on the storage medium that can reveal information such as online nicknames and passwords. Operating systems can record additional information, such as the attachment of peripherals, the attachment of USB flash storage devices or other external storage media, and the times the computer was in use. Computer file systems can record information about the dates files were created and the sequence in which they were created, although this information can later be falsified.

Forensic evidence on a computer or storage medium can also indicate who has used or controlled the computer or storage medium. This "user attribution" evidence is analogous to the search for "indicia of occupancy" while executing a search warrant at a residence.
For example, registry information, configuration files, user profiles, e-mail, e-mail address books, "chat," instant messaging logs, photographs, the presence or absence of malware, and correspondence (and the data associated with the foregoing, such as file creation and last-accessed dates) may be evidence of who used or controlled the computer or storage medium at a relevant time.

c. A person with appropriate familiarity with how a computer works can, after examining this forensic evidence in its proper context, draw conclusions about how computers were used, the purpose of their use, who used them, and when.

d. The process of identifying the exact files, blocks, registry entries, logs, or other forms of forensic evidence on a storage medium that are necessary to draw an accurate conclusion is a dynamic process. While it is possible to specify in advance the records to be sought, computer evidence is not always data that can be merely reviewed by a review team and passed along to investigators. Whether data stored on a computer is evidence may depend on other information stored on the computer and the application of knowledge about how a computer behaves. Therefore, contextual information necessary to understand other evidence also falls within the scope of the warrant.

e. Further, in finding evidence of how a computer was used, the purpose of its use, who used it, and when, sometimes it is necessary to establish that a particular thing is not present on a storage medium. For example, the presence or absence of counter-forensic programs or anti-virus programs (and associated data) may be relevant to establishing the user's intent.

32. Necessity of seizing or copying entire computers or storage media.
In most cases, a thorough search of a premises for information that might be stored on storage media often requires the seizure of the physical storage media and later off-site review consistent with the warrant. In lieu of removing storage media from the premises, it is sometimes possible to make an image copy of storage media. Generally speaking, imaging is the taking of a complete electronic picture of the computer's data, including all hidden sectors and deleted files. Either seizure or imaging is often necessary to ensure the accuracy and completeness of data recorded on the storage media, and to prevent the loss of the data either from accidental or intentional destruction. This is true because of the following:

a. The time required for an examination. As noted above, not all evidence takes the form of documents and files that can be easily viewed on site. Analyzing evidence of how a computer has been used, what it has been used for, and who has used it requires considerable time, and taking that much time on premises could be unreasonable. As explained above, because the warrant calls for forensic electronic evidence, it is exceedingly likely that it will be necessary to thoroughly examine storage media to obtain evidence. Storage media can store a large volume of information. Reviewing that information for things described in the warrant can take weeks or months, depending on the volume of data stored, and would be impractical and invasive to attempt on-site.

b. Technical requirements. Computers can be configured in several different ways, featuring a variety of different operating systems, application software, and configurations. Therefore, searching them sometimes requires tools or knowledge that might not be present on the search site.
The vast array of computer hardware and software available makes it difficult to know before a search what tools or knowledge will be required to analyze the system and its data on the Premises. However, taking the storage media off-site and reviewing it in a controlled environment will allow its examination with the proper tools and knowledge.

c. Variety of forms of electronic media. Records sought under this warrant could be stored in a variety of storage media formats that may require off-site reviewing with specialized forensic tools.

33. Nature of examination. Based on the foregoing, and consistent with Rule the warrant I am applying for would permit seizing, imaging, or otherwise copying storage media that reasonably appear to contain some or all of the evidence described in the warrant, and would authorize a later review of the media or information consistent with the warrant. The later review may require techniques, including but not limited to computer-assisted scans of the entire medium, that might expose many parts of a hard drive to human inspection in order to determine whether it is evidence described by the warrant.

34. If it is found that at least two people share the PREMISES as a residence, it is possible that the PREMISES will contain storage media that are predominantly used, and perhaps owned, by persons who are not suspected of a crime. If it is nonetheless determined that it is possible that the things described in this warrant could be found on any of those computers or storage media, the warrant applied for would permit the seizure and review of those items as well.

AUTHORIZATION REQUEST

35. Based on the foregoing, I request that the Court issue the proposed search warrant, pursuant to Federal Rule of Criminal Procedure 41.

36.
I further request that the Court order that all papers in support of this application, including the affidavit and search warrant, be sealed until execution of the search warrant. These documents discuss an ongoing criminal investigation that is neither public nor known to the subject of the investigation. Accordingly, there is good cause to seal these documents because their premature disclosure may seriously jeopardize that investigation, including by giving the subject an opportunity to destroy or tamper with evidence, endanger the safety of investigators, change patterns of behavior, notify confederates, and flee from prosecution.

OATH

The information in this affidavit is true to the best of my knowledge and belief.

Respectfully submitted,

William Ury, Special Agent
United States Capitol Police

Received by reliable electronic means and sworn and attested to by telephone on this )6 day of August 2019.

ROBERT S. BALLOU
UNITED STATES MAGISTRATE JUDGE