ALL INFORMATION CONTAINED HEREIN IS UNCLASSIFIED

03/12/99 10:03:41, Page 1
Title and Character of Case: AIR FORCE INSTITUTE OF TECHNOLOGY; MOONLIGHT MAZE
Date Property Acquired: 02/08/1999
Source from which Property Acquired: [redacted]
Anticipated Disposition:
Acquired By:
Case Agent: [redacted]
Description of Property: 1B 9
Barcode: E1394242
Location:
Case Number:
Owning Office: SAN ANTONIO
Date Entered: 02/08/1999

10/11/98 10:10:34, Page 1
Title and Character of Case: AIR FORCE INSTITUTE OF TECHNOLOGY
Date Property Acquired: 09/25/1998
Source from which Property Acquired: EIU, CHARLESTON IL
Anticipated Disposition:
Acquired By:
Case Agent:
Description of Property: 1D 1 TAPE #14058, 1 8MM SONY DATA CARTRIDGE, VOLUNTEERED
Barcode: E1474422
Location: CAB4 SB
Case Number: 288-CI-68562
Owning Office: SPRINGFIELD
Date Entered: 10/11/1998

03/22/99 21:03:07, Page 1
Title and Character of Case: AIR FORCE INSTITUTE OF TECHNOLOGY; MOONLIGHT MAZE
Date Property Acquired: 03/15/1999
Source from which Property Acquired: AUBURN UNIVERSITY
Anticipated Disposition:
Acquired By:
Case Agent:
Description of Property: 1B 15 SONY 8MM DATA CARTRIDGE
Barcode: E1182456
Location: ECR CAB8 82
Case Number: 288-CI-68562
Owning Office: MOBILE
Date Entered: 03/18/1999

03/17/99 12:03:13, Page 1
Title and Character of Case: AIR FORCE INSTITUTE OF TECHNOLOGY; MOONLIGHT MAZE
Date Property Acquired: 03/12/1999
Source from which Property Acquired:
Anticipated Disposition:
Acquired By:
Case Agent:
Description of Property: 1B 14 PEN
Barcode: E1663896
Location:
Case Number:
Owning Office: PHILADELPHIA
Date Entered: 03/17/1999
FBI FACSIMILE COVER SHEET
PRECEDENCE: Immediate / Priority / Routine
CLASSIFICATION: Top Secret / Secret / Confidential / Sensitive / Unclassified
Time Transmitted:
Sender's Initials:
Number of Pages (including cover sheet): 2
To: Name of Office; Facsimile Number; Attn; Name, Room, Telephone
Date:
From: Name of Office
Subject:
Special Handling Instructions:
Originator's Name:
Telephone:
Originator's Facsimile Number:
Approved:
Brief Description of Communication Faxed:
WARNING: Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC 641). Please notify the originator or local FBI Office immediately to arrange for proper disposition.

FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 06/15/1998
To: Director, FBI
Attn: Computer Investigations, NIPC, Rm 11887
From: SAC, Cincinnati
Approved By:
Drafted By:
Case ID:
Title:
Subject:
Victim:
Cataloging and Standardization

Type: Intrusion
Date: 2 9 8
SUBMISSION: Initial / Supplemental / Closed
CASE OPENED:
CASE CLOSED: No action due to state/local prosecution (Name, Number); USA declination; Referred to Another Federal Agency (Name, Number); Placed in unaddressed work; Closed administratively; Conviction

COORDINATION
FBI Field Office:
Government Agency: Detachment 101, WPAFB, Dayton
Private Corporation:

Company/Government agency: AF
Address/location: Federal Center, Battle Creek, MI
Purpose of system: 1. Dracula: e-mail, back up DNS; 2. Hyde: Data base server
Highest classification of information stored in
system: Unclassified

To: Director, FBI
From: SAC
Re: 288-
Date:

System Data
Hardware configuration: SunSparc 20; 2. SunSparc 1000
Operating System: Solaris 2.4
Software: E-mail exchanger, Unify
Security Features: Security Software Installed: yes (identify) / no; Logon Warning Banner: yes / no

INTRUSION INFORMATION
Access for intrusion: Internet connection / dial-up number / LAN (insider)
If Internet: Internet address; Network name
Method/Technique(s) used in intrusion: list provided
Path of intrusion: addresses 1 2 3 4 5; country 1 2 3 4 5; facility 1 2 3 4 5

Subject: Age, Race, Sex, Education, Alias(es), Motive, Group Affiliation, Employer, Known Accomplices
Equipment used: Hardware configuration (CPU), Operating System, Software

Impact
Compromise of classified information: yes / no
Estimated number of computers affected: 2
Estimated dollar loss to date: Unknown

To: Director, FBI
From: SAC
Date:

Category of Crime
Impairment: Malicious code inserted; Denial of service; Destruction of information/software; Modification of information/software
Theft of Information: Classified information compromised; Unclassified information compromised; Passwords obtained; Computer processing time obtained; Telephone services obtained; Application software obtained; Operating software obtained
Intrusion: Unauthorized access; Exceeding authorized access
REMARKS:

FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 08/10/1998
To: National Security
Attn: NIPC-CIU, Room 11887
From: Cincinnati, Squad 4
Contact: SA
Approved By:
Drafted By:
Case ID: (Pending)
Title: UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY
Synopsis: Preliminary information and case summary concerning captioned matter.
Administrative: Referenced enclosures serve as a means to furnish NSD a more detailed synopsis of captioned matter.
Referral/Consult

To: National Security
From:
Cincinnati
Re: 08/10/1998

[redacted], Detective, UC Department of Police, telephone
[redacted], Systems Engineer, UC College of Engineering, telephone

On [illegible], [redacted], Squad 4 Supervisor, and case Agent attended a meeting at WPAFB to discuss the mission and direction of captioned matter.

Referral/Consult

The following investigative steps/leads were discussed:
1. will pursue the possibility of obtaining a Title

Referral/Consult

shows arrived on on a F-1 student visa. LEXIS-NEXIS shows current address [redacted]. Previous addresses: [redacted]. LEADS shows [redacted] with a current [redacted] driver's license [redacted] issued [redacted], expiring [redacted], is described as [redacted]. That's all I found.

To: Director, FBI
Attn: Section (For FBI Field Office use only)
From: SAC
Notification of SAC Authority Granted for Use of Title 3 CONSENSUAL Monitoring Equipment (Check only ONE)
Routine Use
Emergency Use: circumstances cannot exceed 30 days & may be extended
This form must be typewritten & submitted within 10 working days of the date authority is granted as shown in Item 5 below.

1. Reason for Proposed Use (Check): Corroborate Testimony; Protect Consenting Party; Protect Government Property; Collect Evidence; Other (Specify)
2. Type of Equipment (Check): Transmitter/Receiver; Concealed Recorder; CCTV Audio/Video; CCTV Video only; Microphone; Telephone; Other (Specify)
3. Consenting Party (Identify ONLY on Field Office Copy): Nonconfidential Party; Confidential Source; Cooperative Witness
4. Interceptee(s) (Include Title if Public Official): [illegible] others as yet unknown
5. Duration of proposed use: Authorized On; For the duration of investigation; For 30 days (Emergency NTCM usage); Expiring On
6. Equipment Concealed On/In: a Motel Rm; a Telephone; a Residence; a Person; a Vehicle; Other (Specify)
7. City & State where Equipment will be used:
8. The following mandatory requirements have been met: Consenting party has agreed to testify; Consenting party has executed a consent form; Recording/transmitting device will be activated only when consenting party is present.
9. Government Attorney in judicial district where monitoring and/or recording will take place has been contacted, foresees no entrapment & concurs in the use of the technique: Yes / No. Date of Contact: [illegible]. Identity of Gov. Atty: [illegible]. Judicial District: [illegible]
10. Violation(s): Title(s) [illegible], Sec(s) [illegible], USC
11. DOJ notification required: Yes (If Yes, check reason below)

NOTE: Requests for Routine NTCM usage involving any of the 7 sensitive circumstances requires a teletype to HQ prepared in the format described in the MIOG, Part II, Section 10-103 8. Request for Emergency NTCM usage involving Item 6 below requires immediate contact with the FBIHQ substantive desk for DOJ approval. The 7 sensitive circumstances do not apply to the use of CCTV (video only).

1. Interception relates to an investigation of a member of Congress, a Federal Judge, a member of the Executive Branch at Executive Level IV or above, or a person who has served in such capacity within the previous 2 years.
2. Interception relates to an investigation of any public official and the offense investigated is one involving bribery, conflict of interest, or extortion relating to the performance of his/her official duties.
3. Interception relates to an investigation of a Federal law enforcement official.
4. Consenting/nonconsenting party is a member of the diplomatic corps of a foreign country.
5. Consenting/nonconsenting party is or has been a member of the Witness Security Program and that fact is known to the agency involved or its officers.
6. Consenting/nonconsenting party is in the custody of the Bureau of Prisons or the U.S.
Marshals Service.
7. Attorney General, Deputy Attorney General, Associate Attorney General, Assistant Attorney General for the Criminal Division, or the U.S. Attorney in the district where an investigation is being conducted has requested the investigating agency to obtain prior written consent for making a consensual interception in a specific investigation.

12. Synopsis of Case (Attach additional page if necessary):
13. Justification statement necessitating emergency authorization: Emergency 30 day authorization granted due to imminent need (within 48 hours) for use of consensual monitoring device(s) which precluded the handling of this request in the usual manner. Other (Attach Additional Page to Specify)
1 - Government Attorney's Office (Attn: )
Field Approval: 14. CDC (If Sensitive Circumstances Exist): Signature, Date. 15. SAC: Signature, Date.
FBIHQ Approval: 16. Unit Chief (If Sensitive Circumstances Exist): Signature, Date.
COPY 4

Background
Referral/Consult

Governing Statutes
(U) Title 18, United States Code (USC), Section 1030, Fraud and Related Activity in Connection with Computers.

MISSION
The primary mission of this operation will be to identify modus operandi, tradecraft and tools being utilized by this hacker. If possible, determine if the hacker is associated with a Foreign Intelligence Service and the extent of the FIS involvement and direction in his/her activity. If this is a FIS operation, it would also provide extensive insight into the conduct of FIS and their capabilities in attacking our information systems. Through these efforts we will identify the vulnerabilities which allowed this individual to gain access to the computer systems, thereby being able to anticipate and develop countermeasures to prevent this from taking place in the future. This would not only apply to the AF systems but to computer systems throughout the Department of Defense.

(U) A secondary objective of this
investigation is to reduce, through prosecution, the hacking activities against military, commercial and private computer and network systems.

To: Director, FBI
Attn: CID, Section (For FBI Field Office use only)
From: SAC
Notification of SAC Authority Granted for Use of Title 3 CONSENSUAL Monitoring Equipment (Check only one)
Routine Use
Emergency Use, Sensitive Circumstances cannot exceed 30 days, may be extended
This form must be typewritten & submitted within 10 working days of the date authority is granted as shown in Item 5 below.

1. Reason for Proposed Use (Check): Corroborate Testimony; Protect Consenting Party; Protect Government Property; Collect Evidence; Other (Specify)
2. Type of Equipment (Check): Transmitter/Receiver; Concealed Recorder; CCTV Audio/Video; CCTV Video only; Microphone; Telephone; Other (Specify)
3. Consenting Party (Identify ONLY on Field Office Copy): Nonconfidential Party; Confidential Source; Cooperative Witness
4. Interceptee(s) (Include Title if Public Official): [illegible] others as yet unknown
5. Duration of proposed use: Authorized On; For the duration of investigation; For 30 days (Emergency NTCM usage); Expiring On
6. Equipment Concealed On/In: a Motel Rm; a Telephone; a Residence; a Person; a Vehicle; Other (Specify)
7. City & State where Equipment will be used:
8. The following mandatory requirements have been met: Consenting party has agreed to testify; Consenting party has executed a consent form; Recording/transmitting device will be activated only when consenting party is present.
10. Violation(s): Title(s) [illegible], Sec(s) [illegible], USC
9. Government Attorney in judicial district where monitoring and/or recording will take place has been contacted, foresees no entrapment & concurs in the use of the technique: Yes / No
Date of Contact: [illegible]. Identity of Gov't Atty: [illegible]. Judicial District: [illegible]
11. DOJ notification required: Yes (If Yes, check reason below)

NOTE: Requests for Routine NTCM usage involving any of the 7 sensitive circumstances requires a teletype to HQ prepared in the format described in the MIOG, Part II, Section 10-103 8. Request for Emergency NTCM usage involving Item 6 below requires immediate contact with the FBIHQ substantive desk for DOJ approval. The 7 sensitive circumstances do not apply to the use of CCTV (video only).

1. Interception relates to an investigation of a member of Congress, a Federal Judge, a member of the Executive Branch at Executive Level IV or above, or a person who has served in such capacity within the previous 2 years.
2. Interception relates to an investigation of any public official and the offense investigated is one involving bribery, conflict of interest, or extortion relating to the performance of his/her official duties.
3. Interception relates to an investigation of a Federal law enforcement official.
4. Consenting/nonconsenting party is a member of the diplomatic corps of a foreign country.
5. Consenting/nonconsenting party is or has been a member of the Witness Security Program and that fact is known to the agency involved or its officers.
6. Consenting/nonconsenting party is in the custody of the Bureau of Prisons or the U.S. Marshals Service.
7. Attorney General, Deputy Attorney General, Associate Attorney General, Assistant Attorney General for the Criminal Division, or the U.S. Attorney in the district where an investigation is being conducted has requested the investigating agency to obtain prior written consent for making a consensual interception in a specific investigation.

12. Synopsis of Case (Attach additional page if necessary): Please see attached.
13. Justification statement necessitating emergency authorization: Emergency 30 day authorization granted due to imminent need (within 48 hours) for use of consensual monitoring
device(s) which precluded the handling of this request in the usual manner. Other (Attach Additional Page to Specify)
1 - Government Attorney's Office (Attn: )
Field Approval: 14. CDC (If Sensitive Circumstances Exist): Signature, Date. 15. SAC: Signature, Date.
FBIHQ Approval: 16. Unit Chief (If Sensitive Circumstances Exist): Signature, Date.
COPY 4

FD-302 (Rev. 10-6-95)
- 1 -
Date of transcription: 08/12/98

employed at can be contacted at his work. Also of the interview. provided witness of hacking related activity at his business location. At outset was provided with a certified copy of United States District Court Order for the Southern District of Ohio, Western Division, Number 98 235 E, filed 08/07/1998, signed by United States Magistrate Judge Timothy S. Hogan, Cincinnati, Ohio.

[redacted] advised that he was contacted by [redacted] in reference to a possible intruder/hacker who appeared to have broken into one of computer systems are located in Building. The IP of the computer system in question is and this IP address resolves to cartman.aticorp.org.

duties he utilized. Due to this unknown connection to their system, started. then attempted to contact AFCERT, CERT, WPAFB and the FBI. was only able to reach WPAFB. made contact with and at AFCERT.

Investigation on 08/07/98 at North Charleston, SC. File #. Date dictated 08/12/98. by SA [redacted], AFOSI Agent [redacted]
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

288-CI-68562, Continuation of FD-302

is assigned to AFRL/IFTA, Building 620, Room N3F22, 2241 Avionics, Wright-Patterson AFB, OH 45433-7334. Phone, E-mail. [redacted] explained They share a working relation in their profession. did not provide a broad background on what a is or does.

is assigned to [redacted] ATI Corp, 7611 Barclay Ave,
North Charleston, SC. Phone, E-mail.

Sealed Court Documents

FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 08/13/1998
To: Cincinnati
Attn: SA
From: Columbia, Charleston Resident Agency
Contact: SA
Approved By:
Drafted By:
Case ID: 288-CI-68562 (Pending)
Title: Unknown Subject; Wright-Patterson Air Force Base - Victim; CITA - THEFT
Synopsis: Lead to interview officials at South Carolina Research Authority.
Administrative: [redacted]

The results of the interview of [redacted] are set forth in the enclosed. The items provided by during the interview were furnished in duplicate. The originals of the items were received by the FBI and a receipt was provided to for the items. The original items received and the receipt are also enclosed to this EC. The copy of the made available to AFOSI.

Enclosures: Two copies of an [illegible] interview which was jointly conducted by the FBI and AFOSI. Also enclosed for CI are the following:
1. A containing the original receipt provided to SCRA.

To: Cincinnati
From: Columbia
Re: 08/13/1998

Sealed Court Documents

Details: [redacted]

Columbia Division, Charleston RA, is taking no further action regarding this investigation unless requested to do so by OO.

FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription:

white male, [redacted] College of Engineering, 628 Engineering Research Center, University of Cincinnati, Cincinnati, Ohio 45221, telephone number, advised of the identity of the interviewing and the purpose of the interview. that he had the authority to monitor the activities computers located in the Engineering Research Center. [redacted] signed an authorizing the Federal Bureau of Investigation to initiate the monitoring of these computers. a list of the Transmission Control Protocol/Internet Protocol addresses and fully qualified domain names for the computers in the Engineering Research
Center. also advised that all of these computers contained the appropriate banners.

Investigation on 07/31/1998 at Cincinnati, Ohio. File #. Date dictated 08/05/1998. by SA

FD-472 (Rev. 1-9-92)

Date:
hereby authorize Special Agents of the Federal Bureau of Investigation, United States Department of Justice, to install a recording device on any telephone utilized by me for the purpose of recording any telephone conversation(s) I may have with and others as yet unknown (Name of Subject(s)) on or about (Date) and continuing thereafter.

I understand that I must be a party to any conversation in order to record that conversation. I therefore agree not to leave the recording equipment unattended or take any action which is likely to result in the recording of conversations to which I am not a party;

and/or to install a Trap and Trace device in conjunction with appropriate provider(s) of electronic or wire service and/or long distance carrier for the purpose of identifying telephone numbers from which incoming calls are placed to telephone number located at [illegible]

I have given this written permission to the above-named Special Agents voluntarily and without threats or

Signature:
Witnesses:

FEDERAL BUREAU OF INVESTIGATION
Precedence: PRIORITY
Date: 08/23/1998
To: National Security
Attn: Room 11887, SS
From: Cincinnati, Squad 4
Contact: SA
Approved By:
Drafted By:
Case ID: 288-CI-68562 (Pending)
Title: UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY
Synopsis: Summary update of captioned matter.
Details: What follows is a brief synopsis of actions accomplished as
of 08/21/1998:

Referral/Consult

FBI Cincinnati obtains consent to monitor College of Engineering and Computer Science subnet 129.137.41.x utilizing FBI Form on July 31, 1998.

To: National Security
From: Cincinnati
Re: 08/23/1998

Referral/Consult

On August 21, 1998, [redacted] Eng, ERF, Quantico, Virginia, and ERF visited Cincinnati, Ohio, for the purpose of determining how to expand the network monitoring system at UC. Subsequent to a meeting with UC staff, to include systems engineers and administrators, the following issues were discussed:

There are various end user systems identified as their own system administrators linked to the UC systems. If and

To: National Security
From: Cincinnati
Re: 288-CI-68562, 08/23/1998

[redacted] learned the following:

UC's system network interface utilizes a 10 megabit Ethernet pipe out to the Internet.

In order to monitor the College of Engineering and Computer Science subnet, two options exist:

A mutual suggestion was discussed. Inasmuch that SCENS network has been blocked from all possible angles from UC, WSU, Infinet and WPAFB, the consensus was that SCRA be dropped from further scrutiny due to limited resources and time constraints.

To: National Security
From: Cincinnati
Re: 08/23/1998

Cincinnati respectfully requests that FBIHQ coordinate with AFOSI HQ, DOD, to ameliorate legality issues presented on page three of this communication.

Cincinnati Division expects to conduct witness/suspect/victim interviews during the latter part of August 1998 and the first week of September 1998.

Investigation continuing at Cincinnati.

FEDERAL BUREAU OF INVESTIGATION
Precedence: ROUTINE
Date: 08/13/1998
To: Cincinnati
Attn: SA
From: Cincinnati, Squad 4
Contact: SA
Approved By:
Drafted By:
Case ID: 288-CI-68562 (Pending)
Title: United States Air Force Institute of
Technology; Hacking Attack on

To: Cincinnati
From: Cincinnati
Re: 08/13/1998

and LEADS confirmed portions of the above information and by separate insert added certain details.

FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription: 08/31/98

[redacted] was furnished Case No. 98 244 E, signed by the Honorable U.S. Magistrate

During the late evening of 08/26/1998 and early morning hours of [redacted] a pen register and [illegible]

Investigation on 08/26/1998 at Cincinnati. File # 288-CI-68562. Date dictated 08/31/1998. by SA, SA

FEDERAL BUREAU OF INVESTIGATION
Precedence: PRIORITY
Date: 09/04/1998
To: National Security, Attn: SS; Springfield, Attn: Champaign
From: Cincinnati, Squad 4
Contact: SA [redacted]
Approved By:
Drafted By:
Case ID: 288-CI-68562
Title: UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY
Synopsis: Lead set for Springfield Division, Champaign RA.

Sealed Court Documents

Enclosures: Enclosed for Springfield Division, Champaign RA

Details: For information of Springfield Division, Champaign RA: Cincinnati Division, along with United States Air Force Office of Special Investigations (AFOSI), are jointly investigating intrusions into computers located at Wright-Patterson Air Force Base (WPAFB), Dayton, Ohio. The intrusions appear to be originating in Russia, hopping through University of Cincinnati, then terminating at WPAFB. The intruder has transferred several sensitive, though not classified, files to

To: National
Security
From: Cincinnati
Re: 09/04/1998

Referral/Consult

On 08/26/1998, the intruder was observed making connections to various other sites not previously seen, to include Eastern Illinois University (EIU). At approximately 0403 CDT, August 31, 1998, the intruder connected to ux1.cts.eiu.edu (139.67.8.3) via telnet and subsequently via File Transfer Protocol (FTP). Cincinnati Division is desirous of obtaining the username which the intruder accessed into EIU's system.

Cincinnati Division appreciates assistance from the Springfield Division, Champaign RA.

To: National Security
From: Cincinnati
Re: 09/04/1998

LEAD(s):
Set Lead 1: SPRINGFIELD AT CHARLESTON, IL

Sealed Court Documents

09/08/98 15:15:18, Lead Upload Report, Page 1
Case ID:
Serial: 15
Lead 1: Set to SPRINGFIELD
Total leads set: 1
Total leads not set: 0

FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription:

white female, DOB [redacted], SSAN [redacted], Visa [redacted], telephone, was advised of the identity of the interviewing Agents and the purpose of the interview. voluntarily furnished the following information:

under an F-1 visa [redacted] from. She chose to attend [redacted] because it was one of the few universities that accepted her. She obtained limited funds from, an entity that funds. loan involved [redacted]. Her duties entailed [redacted]. attended and studied [redacted]. obtained an M.S. degree in [redacted] at.

She advised she has no family and/or relatives residing with her [redacted]. She maintains telephonic and e-mail contact with family and friends.

[redacted] revealed she gave her computer password out to her boyfriend [redacted] so that he could e-mail messages to her. Her password at that time. She claims she changed her password after only two days because she knew it was wrong to give out her password. Her boyfriend is a [redacted]. She claims not to

Investigation on 09/18/98 at Cincinnati, Ohio. File #. Date dictated 09/19/98. by SA, SA
This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is
loaned to your agency; it and its contents are not to be distributed outside your agency.

288-CI-68562, Continuation of FD-302, Page 2

know whether her boyfriend ever served with [redacted] and/or ever held a clearance.

visited her parents and friends in

With respect to her long term goals, expects to remain for another four to five years to pursue her [redacted]. Upon graduation, she would like to work in the U.S. for about one year, provided she can find a host and obtain employment, before returning to or some other European country.

stated she has never maintained contact with any government officials either in the U.S. or overseas. She has never been tasked by a Foreign Intelligence Officer to operate either covertly or overtly in the U.S. advised she would contact the writer if any unusual activity would ever [illegible] concerning her studies and her travels abroad [redacted].

is currently a [redacted] wherein she receives a stipend to cover tuition and modest expenses. Her research, though unclassified, involves

that in or so she was informed systems administrator to change her password. She learned that someone unknown had used her password to hack using her account. She changed her password and never heard back from the systems administrator.

FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription: 09/14/98

[redacted], DOB [redacted], telephone, was advised of the identity of the interviewing Agents and the purpose of the interview. voluntarily furnished the following information:

recollected that on or about May 15, 1998, he returned from a business trip to Japan. Upon returning to work, he was informed by two co-workers that his Picard account had been hacked into. He learned that the intrusion came from the University of Cincinnati (UC).

that his computer usage is minimal. He uses the computer for word processing and e-mail. He has two e-mail accounts: Picard for long distance e-mail and Teamlinks for e-mail within Wright-Patterson Air Force Base (WPAFB).

that as a result of the hacking
incident, the computer network systems administrator issued everyone with a new password based on name and telephone number. Despite this precaution, the account was again hacked. As recently as July 1998, the systems administrator instructed every user to alter their passwords to make them more difficult to penetrate.

relayed that his Picard e-mail contacts are extensive. He stated that in the last year he has received many messages from the U.S. and from numerous countries abroad, to include England, France, Germany, Finland, Russia, Chile, Japan, New Zealand and Australia. The e-mail message from Russia came from a reputed well known from. He believes is from

[redacted] recalled that has traveled to Dayton and/or Columbus, Ohio, and San Francisco, California, sometime in 1996. annually makes numerous requests seeking joint venture projects with WPAFB researchers. WPAFB is precluded from accepting any joint venture projects with according to

[redacted] added that has published numerous articles on titanium aluminite.

that he received one e-mail message from a who inquired about scientific research.

According to his e-mail contacts with U.S. persons and individuals overseas are all researchers and scientists from sundry educational institutes. The e-mails concern scientific discussions relating to metallurgy.

that none of his e-mail contacts appear to be out of the scope of his purview. that none of the e-mail messages requested secret or proprietary information.

[redacted] revealed he obtained his U.S. citizenship on [redacted]. has [illegible] residing in England. He has worked in in the past. As a physicist working in the aforementioned countries, he has never held a security clearance.
He maintains no foreign government contacts.

FD-302 (Rev. 10-6-95)
- 1 -
FEDERAL BUREAU OF INVESTIGATION
Date of transcription: 09/14/98

[redacted], DOB [redacted], SSAN [redacted], telephone [redacted], was advised of the identity of the interviewing Agents and the purpose of the interview. furnished the following information:

recalled that ago she received a telephone call on a Monday from CORP inquiring whether or not she was logged on to their system at 3:00 A.M. in the morning. responded negatively, and from that moment forward they realized that an unknown individual utilized her username and password to break into the CORP computers and then into Wright-Patterson Air Force Base (WPAFB), Dayton, Ohio.

had an account at for about three years to transfer files and slides relating to the Rapid Prototyping of Application Specific Signal Processing (RASSP) program. She stated that she no longer holds this account since this incident occurred. The account was shut down. She claims that none of this information was classified or sensitive. Her job requires that she review material to ensure that it is cleared for public domain. The information was publicly released/releasable.

she maintains accounts on elhp and Fleetwood at her office. She also has root password with her system administrator. [redacted] maintains a flyer net account and a sabre account at the University of Dayton (UD). She had an account at the Air Force Institute of Technology (AFIT) but believes it is no longer valid. had a temporary account at the University of Cincinnati (UC) for a three day course she attended at UC. She held one other account at a company called RTI but believes it is no longer open.

that her account was mainly used for education modules and to transfer files (FTP). She occasionally remote shelled to that account.

recalled that a week prior to this incident she logged onto the machine to FTP some files. She believes she logged on from elhp.

Investigation on 9/11/98 at Dayton, Ohio. File # 288-CI-68562. Date dictated 09/14. AFOSI
This
document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)

288-CI-68562

Continuation of FD-302, Page 2

She information from her PC on other occasions. affirmed that she has never given out any of her passwords, with the exception of her root password on elhp, which has access to as. revealed that her password at was a combination of upper and lower case letters and symbols which would have been difficult to decipher. changed her password the request of. that the subject probably could have gotten away with it if they wouldn't have logged in at 3:00 A.M. on a Sunday morning.

was born in, the daughter of a. She has one brother who resides in with their mother. Her father is deceased. arrived in the U.S. finish high school in. er previously resided. She returned to to visit her parents and taught English grammar at for three months during the summer. previously married to an active duty U.S. military serviceman. She has been divorced for years. She is a U.S. citizen through her previous marriage to a U.S. citizen. occasionally travels overseas to visit her family. Her last trip was approximately years ago. affirmed she has never security clearance either in the U.S. or. limited contact with friends and family overseas via e-mail.

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 09/19/1998
To: National Security, Attn: Room 1887, SSA
From: Cincinnati, Squad 4
Contact: SA
Approved By:
Drafted By:
Case ID #: (Pending)
Title: MOONLIGHT MAZE
Synopsis: Interviews conducted at Cincinnati Division.
Previous Title: Title marked "Changed" to reflect new title as. Title previously carried as UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY; HACKING ATTACK ON:

of interviews conducted by the writer of and one Air Force Form 116 w/ attached statement of

Details: For information of FBIHQ, FBI
Cincinnati and United States Air Force Office of Special Investigations (AFOSI), Wright Patterson AFB, Dayton, Ohio, conducted four victim/witness interviews. The results of those interviews are enclosed as enclosures for NIPC-CIU, FBIHQ.

Enclosures: Enclosed for FBIHQ are three separate copies of [illegible]

Cincinnati Division plans to re-interview on her nervous demeanor and her apparent less than boyfriend who resides in. computer password at will be closely monitored to

To: National Security
From: Cincinnati
Re: 288-CI-68562, 09/19/1998

determine whether a change in the subject's modus operandi, hacking tools and signature is detected. A change in the subject's hacking could explain a nexus between the subject(s) and considering her telephonic and e-mail contacts with her boyfriend and her recent travels.

Based on the aforementioned, Cincinnati Division will re-interview the subject with additional probing questions concerning her contacts and, if deemed appropriate, will consider the use of a polygraph.

FEDERAL BUREAU OF INVESTIGATION

Precedence: PRIORITY
Date: 09/28/1998
To: Cincinnati, Attn: SA, Squad 4
From: Springfield, Squad 3, Champaign RA
Contact: SA
Approved By:
Drafted By:
Case ID #: (Pending)
Title: UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY; HACKING ATTACK ON:
Synopsis: Lead set for Springfield at Charleston, Illinois has been covered.
Derived From: G-3
Declassify On: X1
Reference: Serial 15; Re telcall between SSA 09/28/1998
Enclosures: Enclosed for Cincinnati are two copies of computer activity logs.
Package Copy: Being forwarded under a separate cover is one 8 mm Data cartridge

To: Cincinnati
From: Springfield
09/28/1998

directly. Per telcall between SA and nothing will be sent directly to the National Security Division for evaluation.
Springfield considers this lead covered.

FEDERAL BUREAU OF INVESTIGATION

copies of Request For Information letters sent to. One copy of response from NAVCIRT regarding possible material related to captioned matter.

Details: Enclosed for Cincinnati are copies of documents generated by or directed to the National Infrastructure Protection Center (NIPC) regarding captioned matter. These documents are being forwarded to Cincinnati for inclusion in the original case file.

Precedence: ROUTINE
Date: 08/24/1998
To: Cincinnati, Attn:
From: NSD
Contact: SSA
Approved By:
Drafted By:
Case ID #: (Pending)
Title: UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY; CITA - COMPUTER; OO: CINCINNATI
Synopsis: This communication is to forward documents to the original case file.

Referral/Consult

U.S. Department of Justice
Federal Bureau of Investigation
Washington, D.C. 20535-0001

August 4, 1998

Referral/Consult

Dear

This letter is to request information from databases and published reports that may be relevant to an ongoing FBI criminal investigation. The investigation centers on a series of intrusions into computer systems located at Wright Patterson Air Force Base. The intrusions appear to originate from a series of Internet service providers located in the Russian Federation. It also appears that the intruder is connecting to the ISPs through a dial-up connection, which suggests a local Russian point of origin. The FBI currently possesses no information indicating that the attacker is a U.S. person.

Technical information relevant to this request is provided in the enclosure, which also specifies an operational point of contact in the FBI. As additional technical information becomes available, it will be forwarded to the operational point of contact at.

The FBI legal contact point for this matter is Assistant General Counsel. Please do not hesitate to call him if you require additional
information. Thank you for your assistance in this matter.

Sincerely,

Associate General Counsel for National Security Affairs

cc: [illegible] 1

The Wright Patterson Air Force Base (WPAFB), a key educational and research and development base, has documented numerous intrusions into approximately eight of their systems. The attacks primarily come through computers located in the computer lab at the University of Cincinnati. However, attacks have been seen from Wright University located in Dayton, OH and Aticorpnet located in Charleston, SC. The intrusions into these U.S. systems appears to be originating from a dialup connection to four Internet Service Providers (ISPs) located in Russia. The hacking occurs Monday through Friday between midnight and approximately 9:00 am EDT.

The following are the involved:

The following passwords or environment variables have been used during the intrusions:

The following are usernames, software authors, or tool names:

is the name of student whose account is being used at. Our information indicates she is a non-US person.

The following files are known to have been taken by the hacker from WPAFB:

NIPC Operational POC is SSA

U.S. Department of Justice
Federal Bureau of Investigation
Washington, D.C. 20535-0001

August 3, 1998

Referral/Consult

Dear

This letter is to request information from databases and published reports that may be relevant to an ongoing FBI criminal investigation. The investigation centers on a series of intrusions into computer systems located at Wright Patterson Air Force Base. The intrusions appear to originate from a series of Internet service providers located in the Russian Federation. It also appears that the intruder is connecting to the ISPs through a dial-up connection, which suggests a local Russian point of origin. The FBI currently possesses no information indicating that the attacker is a U.S. person.

Technical information relevant to this request is provided in the enclosure, which also specifies
an operational point of contact in the FBI. As additional technical information becomes available, it will be forwarded to the operational point of contact at.

The FBI legal contact point for this matter is Assistant General Counsel. Please do not hesitate to call him if you require additional information. Thank you for your assistance in this matter.

Sincerely,

Associate General Counsel for National Security Affairs

cc: NSA

U.S. Department of Justice
Federal Bureau of Investigation
Washington, D.C. 20535-0001

August 31, 1998

Referral/Consult

Dear

This letter is to request technical assistance in conjunction with an ongoing FBI criminal investigation. The investigation centers on a series of intrusions into computer systems located at Wright Patterson Air Force Base. The intrusions appear to originate from a series of Internet service providers located in the Russian Federation. It also appears that the intruder is connecting to the ISPs through a dial-up connection, which suggests a local Russian point of origin. The FBI currently possesses no information indicating that the attacker is a U.S. person.

The FBI has already made, in an August 21, 1998 letter addressed to Acting General Counsel, a standard Request for Information in connection with this investigation. The purpose of this letter is to add a technical assistance request so that expert personnel can assist the FBI investigators on certain technical questions relating to computer data collected by the FBI.

The FBI legal contact point for this matter is Assistant General Counsel. Please do not hesitate to call him if you require additional information. Thank you for your assistance in this matter.

Sincerely,

Associate General Counsel for National Security Affairs

Referral/Consult

cc: [illegible]

FD-448 (Rev. 5-2-97)

FBI FACSIMILE COVER SHEET

PRECEDENCE: Immediate / Priority / Routine
CLASSIFICATION: Top Secret / Confidential / Sensitive / Unclassified
Time Transmitted:
Sender's Initials:
To: OGC (Name of Office)
Facsimile Number:
Number of Pages: 2 (including cover sheet)
Date: 08/31/1998
Attn: (Name, Room, Telephone)
From: NIPC (Name of Office)
Subject: Technical Assistance Request
Special Handling Instructions:
Originator's Name:
Telephone:
Originator's Facsimile Number:
Approved: MJ
Brief Description of Communication Faxed: See Attached

WARNING: Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.

Rev. 6-2-97

FBI FACSIMILE COVER SHEET

PRECEDENCE: Immediate / Priority / Routine
CLASSIFICATION: Top Secret / Confidential / Sensitive / Unclassified
Time Transmitted:
Sender's Initials: MJ
Number of Pages: 2 (including cover sheet)
To: (Name of Office)
Date: 08/31/1998
Facsimile Number:
Attn: (Name, Room, Telephone)
From: NIPC (Name of Office)
Subject: Technical Assistance Request
Special Handling Instructions:
Originator's Name:
Telephone:
Originator's Facsimile Number:
Approved: MJ
Brief Description of Communication Faxed: See Attached

WARNING: Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC 641). Please notify the originator or the local FBI Office immediately to arrange for proper disposition.

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

September 21, 1998

SA
USAF Office of Special Investigations (AFOSI)
Detachment 101
4165 Communications Boulevard, Suite 3
Wright-Patterson Air Force Base, Ohio 45433

To Whom It May Concern:

Upon expiration of AFOSI's Form 52, Consensual Monitoring at Wright State University (WSU), FBI Cincinnati will continue
monitoring computers at WSU utilizing AFOSI monitoring equipment. Consensual monitoring will be in effect as of the date of this communication to the conclusion of this matter, pursuant to FBI Form, Notification of SAC authority granted for use of consensual monitoring equipment.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By:
Supervisory Special Agent

1 - Addressee
Cincinnati

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

288-CI-68562

October 6, 1998

DCFL
500 Duncan Avenue, Room 1009
Bolling AFB, DC 20332-6000

SUBJECT: Request for Computer Forensic Media Analysis

1. COMPLETE SUBJECT TITLE BLOCK INFORMATION: Wright Patterson AFB, Ohio; June 1, 1998; Unauthorized access of governmental and civilian computer systems; Violation of Title 18 USC Section 1030, Fraud and Related Activity in Connection with Computers.

2. PRIORITY: This is a Category 1 intrusion on several military systems. This joint investigation is considered one of the highest priority cases within the FBI and AFOSI realms. The analysis of the enclosed tapes is requested immediately by the Department of Justice, Department of Defense, the Federal Bureau of Investigation and AFOSI.

3. CLASSIFICATION: This investigation is classified; however, the evidence is not.

4. CO-CASE AGENTS: SA, FBI Cincinnati, Ohio, commercial; SA, AFOSI Det 101, Ohio, DSN, commercial; AFOSI, Ohio, DSN, commercial.

5. SYNOPSIS OF THE CASE: On or about June 1, 1998, WPAFB began detecting intrusions at several Air Force Institute of Technology [illegible]. The intrusions originally were detected coming through the University of Cincinnati; however, additional intrusions have been detected at several education sites and numerous Internet Service Providers. The unidentified intruder uses authorized accounts and valid passwords to gain access into the victim systems and then
files, telnets to another system or pop roots. To date, investigative agencies have not been able to detect any sniffer, rootkit or trojanized programming.

Addressee
Cincinnati

6. ITEMS TO BE ANALYZED:

(1) One 3GB Hard Drive, Western Digital Caviar 33100, University of Wisconsin. Remarks: AFOSI Form 96 will be e-mailed to DCFL. The OS and other pertinent information will be on 96.
(2) One 4mm Digital Data Storage cartridge 120M, labeled Wright State University. Remarks: Ditto as above.
(3) Two 8mm Helical Scan Maxell Data Cartridges.

SUPPORT REQUESTED:

Extract all system logs, text document, etc.
Examine file system for modification to operating system software or configuration.
Examine file system for back doors; check for setuid and setgid files.
Examine file system for any sign of a sniffer program.
Extract data from this 4mm/8mm tape and convert to readable format; cut to CD.
Backup hard drives and place backup on a CD, tape or other format.
Analyze for deleted files and restore deleted files; cut findings to CD.
Extract all pertinent text files of a sexual nature.
Extract all trojanized programs or scripts/code/programs; cut to CD.
Provide an analysis report and cut all findings to CD.

7. PERTINENT DATA: Coordinate with SA and HQ with pertinent data.

8. AUTHORITY: OSI Form 96 will be sent electronically.

9. OTHER DOCUMENTS: The ACISS report is the same as the one sent on the August 26, 1998 request.

10. INSTRUCTIONS: Please make five copies and send all copies of the analysis report to HQ. HQ will distribute the analysis accordingly. Please return all evidence to FBI Cincinnati by.

11. POC: Detachment 101, at DSN or commercial.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By:
Supervisory Special Agent

FD-302 (Rev. 10-6-95)

FEDERAL BUREAU OF INVESTIGATION

Date of transcription 10/26/98

Date of Birth, Social Security Account Number, was advised of the identities of the interviewing Agents and the purpose of the interview. furnished the following information:
identified her boyfriend as, a white male, DOB. resides in. He is a who works at a factory which utilizes [illegible] to pump and maintain oil for commercial purposes. was unable to identify the factory location able to comment whether the factory has any ties to the. She recalled that has worked there since late. recently informed that he is in search of a new job. advised her most recent contact approximately via e-mail.

most recently visited. She stayed with her family while visiting friends and family.

Prior to enrolling obtained financial assistance from a foundation that provides funds for European students to study abroad. logged onto web site and learned from an adviser the type of research that is conducted at that department. liked what program had to offer and as a result she matriculated at. This is a. matriculated in the aforementioned program.

advised her research at involves. In layman terms, utilizes. According to mixed signal design can be [illegible] applications, to include military application. advised her research strictly

Investigation on 10/16/98 at Cincinnati, Ohio
File #
Date dictated 10/29/98

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; it and its contents are not to be distributed outside your agency.

FD-302a (Rev. 10-6-95)

Continuation of FD-302, Page 2

theoretical research. She does not know who the end user is of the research she conducts. Her

recalled that during her visit at the Embassy she was interviewed by an embassy employee concerning her request for an exit visa to abroad. The employee spoke Romanian and English. He asked the following questions:

Who is funding your trip?
How long will you be in the
Why are you traveling to the
When will you return?
Do you have any family in the
Will you be working in the

the interview lasted approximately fifteen minutes. The interviewer was male and was dressed in a suit and tie. The
interview was conducted within the confines of the general office space where there was no expectation of privacy. affirmed that at no time was she asked, promised and/or influenced to cooperate with embassy officials and/or other government employees.

that she weekly e-mail correspondence with her boyfriend and other friends and family. Her contacts are very limited. She advised has a very small group that meets approximately once a month for social functions.

added that she would contact the FBI in the event she feels threatened and/or is confronted by any unusual person(s). advised she would not object to a polygraph if requested to do so.

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Furman University
3300 Poinsett Hwy
Greenville, SC 29613

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on November 2, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following dates, September 22 and 24, 1998, an unknown individual illegally entered a state institutional computer system at. According to our investigation, this communication originated or passed through your system, furman.edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back up files and any other evidence that pertains to the aforementioned
connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

University of Pittsburgh
600 Epsilon Drive
Pittsburgh, PA 15238

RE:
Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on November 2, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 18, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac.occ.uc.edu. According to our investigation, this communication originated or passed through your system, unixs2.cis.pitt.edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our
investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By:
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Harvard University
Network Services Division
Office for Information Technology
[illegible]
Cambridge, MA 02138

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 30, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following dates, September 22 and 24, 1998, an unknown individual illegally entered a computer system at sumac.occ.uc.edu. According to our investigation, this communication originated or passed through your system, jsbach.harvard.edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under
Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate
your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call at.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By:
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

In Reply, Please Refer to File No.

November 3, 1998

Mawr College
101 North Merion Ave
Mawr, PA 19010-2899

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 30, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 23, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac.occ.uc.edu. According to our investigation, this communication originated or passed through your system.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703 provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its
possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at.

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By:
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Florida Institute of Technology
FIT-DOM
150 West University Blvd
Melbourne, FL 32901

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 30, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law
enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 22, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac.occ.uc.edu. According to our investigation, this communication originated or passed through your system, sunmlb.new.fit.edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which
provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Indiana University
South Bend Campus
1700 Mishawaka Ave
South Bend, IN 46634-7111

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), August 25 and 26, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac occ uc edu. According to our investigation, this communication originated or passed through your system oitl iusb edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant
communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

California Institute of Technology
Information Technology Services
014-81
Pasadena, CA 91125

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 22, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac occ uc edu. According to our investigation, this communication originated or passed through your system newvortex ama caltech edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you
have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Haverford College
Academic Computing
Haverford, PA 19041

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 23 and 24, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac occ uc edu. According to our investigation, this communication
originated or passed through your system io haverford edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives
notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

University of Texas at Austin
Office of Telecommunication Services
Services Building, Room 319
Austin, TX 78712-1024

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

This letter is to follow up our telephone conversation on October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 22, 1998, an unknown individual illegally entered a state computer system at sumac occ uc edu. According to our investigation, this communication originated or passed through your system net cs utexas edu.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic
communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Auburn University
Division of Telecommunications ETV
Auburn University, AL 36849-5423

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

Dear

This letter is to follow up our telephone conversation on
October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 23, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac occ uc edu. According to our investigation, this communication originated or passed through your system.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should
they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By
Supervisory Special Agent

U.S. Department of Justice
Federal Bureau of Investigation
550 Main Street, Room 9000
Cincinnati, Ohio 45202

November 3, 1998

Duke University
407 North Building
Durham, NC 27706

RE: Notice to Preserve Evidence Under Title 18 U.S.C. 2703(f)

This letter is to follow up our telephone conversation on October 29, 1998. As I stated at that time, I am a Special Agent for the Federal Bureau of Investigation (FBI), a duly authorized federal law enforcement officer empowered to investigate unauthorized access into private, state, local and federal computer systems. As previously discussed, during the following date(s), September 22 and 24, 1998, an unknown individual illegally entered a state owned academic institutional computer system at sumac occ uc edu. According to our investigation, this communication originated or passed through your system.

This letter serves to inform you that I will be pursuing the issuance of a subpoena and/or court order under Title 18 U.S.C. 2703(d), respectively, to trace the unknown individual back from your system. Inasmuch that this process can be time consuming, I have requested, pursuant to Title 18 U.S.C. 2703(f), that you
take appropriate measures to preserve transactional logs, contents of any relevant communications, back-up files and any other evidence that pertains to the aforementioned connections.

For ease of reference, Title 18 U.S.C. 2703(f) provides:

Requirement to preserve evidence

(1) In general - A provider of a wire or electronic communication service or a remote computing service, upon the request of a government entity, shall take all necessary steps to preserve records and other evidence in its possession pending the issuance of a court order or other process.

(2) Period of retention - Records referred to in paragraph (1) shall be retained for a period of 90 days, which shall be extended for an additional 90 day period upon a renewal request by the governmental entity.

Finally, although you have been most cooperative, we have in other situations experienced some informational leaks. While such leaks may represent misplaced good intentions, they can have serious impact upon our investigation. Accordingly, we would respectfully request that your personnel be placed on notice that they are subject to criminal liability should they disclose any privileged information. The governing statute in this regard is Title 18 U.S.C. 2232(b), which provides:

Notice of Search - Whoever, having knowledge that any person authorized to make searches and seizures has been authorized or is otherwise likely to make a search or seizure, in order to prevent the authorized seizing or securing of any person, goods, wares, merchandise or other property, gives notice or attempts to give notice of the possible search and seizure to any person shall be fined under this title or imprisoned not more than five years, or both.

Again, I greatly appreciate your cooperation in this matter with our agency. If you have any questions or comments, please feel free to call SA at

Sincerely yours,

Sheri A. Farrar
Special Agent in Charge

By
Supervisory Special Agent

FEDERAL BUREAU OF INVESTIGATION
FOIPA DELETED PAGE INFORMATION SHEET
No Duplication Fees are charged for Deleted Page Information Sheet(s).
Total Deleted Page(s) 233