Case 1:12-mj-00304-JGS Doc #4 Filed 10/09/12 Page 1 of 5 Page IDiffllED- GR . October 9, 2012 3:46PM AO 93 (Rev. 12109) Search and Seizure Warrant TRACEY CORDES, CLERK U.S. DISTRICT COURT WESTERN DISTRICT OF MICHIGAN BY: dmh /______UNITED STATES DISTRICT COURT for the Western District of Michigan

In the Maner of the Search of (8riefl.v describe the property to be searched or identify the person by name and address) Case No. 1: 12-mj-304

an Apple 1-Phone model A 1332 with IC #

SEARCH AND SEIZURE WARRANT

To: Any authorized law enforcement officer

An application by a federal law enforcement officer or an attorney for the government requests the search of the following person or property located in the Western District of Michigan (identify thl! person or describe the property to be searched and giw its location):

One black-colored Apple 1-Phone telephone bearing model# A 1332 and IC # ••••. recovered from····· bedroom localed at·····

The person or property to be searched, described above, is believed to conceal (id('ntif:v til(' pason ur dt•saib~t the property to be sei=ed): historical information regarding call activity, "phone book" directory information. stored voice-mails and text . and electronic files, photographs, and video images

I find that the affidavit(s). or any recorded testimony, establish probable cause to search and seize the person or property.

YOU ARE COMMANDED to execute this warrant on or before ·---··- ... Sep~ l9. ~1.2. . ··--· ·--..... (not to I!.T,'el!d I-I days) gf in the daytime 6:00 .a.m. to I 0 p.m. 0 at any time in the day or night as I find reasonable cause has been established.

Unless delayed notice is authorized below. you must give a copy of the warrant and a receipt for the property taken to the person from whom, or from whose premises, the property was taken, or leave the copy and receipt at the place where the property was taken . . The officer executing this warrant, or an officer present during the execution of the warrant, must prepare an inventory as required by law and promptly return this warrant and inventory to United States Magistrate Judge Joseph G. Scoville (name)

0 I find that immediate notification may have an adverse result listed in I 8 U.S.C. § 2705 (except for delay of trial). and authorize the officer executing this warrant to delay notice to the person who, or whose property, will be searched or seized (clreck thl! appropriate bo.TJ Ofor days (notro exceed 30) . •.,...,...,. ... · ying, the later specific date of ______.

Date and time issued: ~ ~, J-t:Jt z_ I :3~ City and state: Grand Rapids, Michigan Printed name and tit/!! Case 1:12-mj-00304-JGS Doc #4 Filed 10/09/12 Page 2 of 5 Page ID#9

AO 93 {Rev 12/09) Scarth and Seizure Warranl {Page 21 Return

Case No.: Date and tim/warr~nt executed: Copy .~fJ/ant and inventory left with:

1:12-mj-304 9'/JJ //,l. ~ <2c_, v ~u..- 7 ~ ,;,0 .F " -· L-::>~,--,c ~ Inventory made in the presence of:

/Cr +.-:-0.--c.

,,.. r c -r- ' -<· J (. I -

Certification

I declare under penalty of perjury that this inventory is correct and was returned along with the original warrant to the designated judge.

/ / /' Date: £Tecuting officer ·s signature / ~ --· ;;He ( /-/ s r Printed name and title -l / y 5,! I Summary

Connection Type Cable No. 110

Extraction start date/time 9/13/20 12 12:00:01 PM

Extraction end data/Ume 9/13120 12 4:28:21 PM

UFED Physical Analyzer version 3.0.1.7

Case number GP13CR12GP0008

Case name Aguilera el. al.

Notes ·····1-Phone I FPFII20122271400011701 f Physical Examination Examiner name Special Agent Cory Howe

Department Homeland Security Investigations

LocaUon Grand Rapids, Ml

Device Information

II Name Value - __-_ _[_~?

User_System_Data I 2 Activation Stale WildcardActivated 1 l - 3 Application Entries ,o ~ -~ 4 Application Siza (bytos) ,o 5 Board n90ap I I G Book Entries 0 7 , Book Size (bytes) 0 8 Capacity 14GB 9 Cloud BaCkup Enabled False 10 CPID 8930 11 Data Entries 1 12 Data Size (bytes) 4366336 13 ECID 14 Free Memory (bytes) t4231298048 15 iBoot (firmware) version iBoot-1219.62.16 16 ICCID 17 Last Backup Computer Name Adriana Mac8ook Pro 18 Last Backup Computer Type Mac 19 Last Sync 6125/20 12 6:45:37 AM(UTC-4) 20 last Used ICCID 21 Locale Language on_U S 22 Memory Size (bytes) 14758297600 23 Owner Name monica 24 Passcode 25 Phone Number 26 Proofing Entries 0 27 Proofing Size (bytes) 0 28 Ringtone Entries 0 29 Ringtone Size (bytes) 0 30 Serial number 31 Sync Host Name Adriana Mac8ook Pro ·­' 32 Synced with Computer: Adriana MacBook Pro\User: Cachetes 33 Synced with Computer: Useras Power Mac GS (3)\User: User 34 USB( Ethernet) MAC -·. - - ·~- .. 35 voiceMemo €!-a~ 1:12-mj-00304-JGS. Doc #4 Fil ed 10/09/12 Page 4 of 5 Page JD.#l~L .. -~ .. 36 ; Vo_lceMemo Size. (by1es) 0 37 WI-FiMAC : CC:08:EO:B2:4F:83

Image Hash Details ' 1) • Name Image Path iPhone4GSM_5.1. IJ>hysicai_Physlcel_13-09-12_ 12-00-01.1mg Size (Bytue) 15955189780

Plugins :_·v~----~ ~ -· · ·. ·· t Name ·-.. ". ., .. ,.~ ..__ ....., ___··. .· _ • IPhonePhyslcallnputiD CeUebrllo 2.0

2 . DMGOpener CeUebrile 2.0

3 MBRGenel1c CeUebrlto 2.0 ( • • ' ' I . ' ' .!o: • , . '' · '' " t ' ' ; o•l'o•l .'•' J •' t ,'•< •I • • •. · !• :1 . -: ...... : ..

4 ApplePaltltlonMap CeUebrite 2.0

5 GUIDPII/UtlonTabla Cellebrite 2.0

8 TARArdtlveOpener CeUebrite 2.0

7 HFS CeUebrlte 2.0

8 IPhoneCaUlog Cellebrile 2.0

9 IF'tlone databases Cellebrite 2.0 , , ' 11! , • . .• : ......

10 QulcldlmeMelada1a CeUebrite 2.0

1 : • : lo : • ' • I ,:,, 1 > t ·' · ·~ 'o ' • il t ;< ' ' .1 t"' · 11 !Phone deYtce Info Cellobrito 2.0

12 Cellebrite 2.0 ..:. ., ,· .• • · . • , ,· . ' ·· • , •! · ··" ' .,· ·•·I· · 1! 1· ! • • .11 . • \. ·u 1~ !: :• •· · •. • .. ,, ! · • • r• • ·(,i ~t ~ : ,, ... ..· ·.t • • • • • • . .. .. •• , • • •• •. 13 Cellebrite 2.0

Contents ····-··------Type i .. ···- ·· --. -. -.-~- -- _ ] · CaDLog 104 (-IOcletml) 104 (4 Deleted)

" Incoming 23 (1 Deleted) 23 (1 Oeloted)

w Missed 48 48

33 (3 Deleted) 33 (3 Deleted)

2 (t Deleted) 2 (1 Deleted)

2 (1 Deleted) 2 (1 Deleled) "' iMessage: • •••• Ueontacts 18 18

' Installed Appllcelions 37 37 ·2 IP Connectlons 13 13

~Locations 659 (28 Deletec11 659 (28 Deleted) "' CeUtowers 227 227 e Harvested Wlfl Locations 28 (28 Deleted) 28 (28 Deleted) e Media Locations . 1

. e Win networks 403 403 1 ·_ Cas~l: 12-mj -00304-JGS Doc #4 Fi led 10/09/12 ~ge 5 of 5 . Page _lp~ ~~------~:~-- .i Passwords ·a 8

··> SMS Messages 422 (63 Deleted) 422 (63 Deleted)

~ Drafts

o lnbox 228 (34 Deleted) 228 ( 34 Deleted)

e Sent 193 (29 D~

'·. User 577 577 iD.Web Bookmarks

ORoot

U Web History 151 151

:i" Wireless Nebovorl

{ij: Data Files . 10149 i t89 D cl e tl~) 10149 (189 Deleted)

o Audio 292 292

o Configuration 3185 ( 1 ?0 Dt!letMl 3185 (170 Deleted)

o Database . 135 135

• Images 6340 (11! !:>e:ll!led) 6340 ( 19 Deleted)

o Text 198 198 •VIdeos . 1

'cy Carved Files 0 0

Call Log 11 i}1 J

..L • These detaJls are cross-rafenlncecl from this device's

Incoming r:):; ,

·~-- ~ -- - · ·- - · i · ~ -·- ·· ~ - ~ - ·r··- . ·: 'l1me · -r~ ; VIde : Souro& - -:-·--:·--+·--- · - ~ • .i = ! Party 1 ocan . -. -·.. '~ · :~ ..·:;· ,· - ~ j ·:t ...=• ...... l ...... __;,_j .._, -· .. i. ! ... I 310 410 Pedro' 712912012 7:30:13 00:01 :04 ves 1 ~ .. .AM(UTC+O) ···------···--1··--·4 2 ' 310 410 Pedro· 7/30/2012 1:36:51 00:01 :12 I : AM(UTC.+O) ; ; ... -· ·' 3 310 410 Dad' 7/3012012 2:34:08 00:00:32 _AM(UTC+O) ------r. ------· -- · 4 310 410 Dad' 7130/2012 5:38:54 00:00:37 _PM(UTC+O) .. ·--·--+I · 5 310 . 410 Cesar' 7/3012012 5:44:59 00:00:59 ! PM(UTC+O) i " - -···-·------!-: - -- ~- -- 6 310 410 ' Bmo· 7/3012012 5:49:11 00:02:17 _PM(UTC+O) ... ····------,-·- . 7 310 410 Beto' 7/30/2012 5:58:55 00:02:21 i _PM(UTC+O) .. ... - .. -----· ... "t-- _.. 8 310 410 Cesar· 7/3012012 6:43:12 00:01 :47 _PM(YTC+O) ' ' ' .. ___,...... ~· - · -· '' 9 310 410 BP.tO' 713012012 8:04:57 00:00:22 I PM(UTC+O) I •• I " • ... 10 310 410 Bow· 7130/2012 9:28:43 00:01:58 .. ---·--t-· .PM(UTC+O) ! i --··----.-·--- -4> 11 310 410 Pedro· 7/3012012 10:41:18 00:01:21 I _PM(UTC+O) . --·---1-.. . 12 310 410 Bcto' 7/3112012 12:18:02 00:03:27 I !·- .AM(UTC+O) ... --·- ·-J--..... ' 13 310 410 Esmeralda' 7/3112012 1:02:47 00:00:15 I ...... PM(UTC+O) . I .. . ··~ t· -._ ____ l ____ 14 :310 410 7/3112012 1:17:51 00:05:28 ! ...... P~(UTC+O) i· ·:- " '·----··· --t- --- 15 !310 410 Beto' 7131/2012 1:23:18 00:02: 11 I _PM(UTC+O) I ' ... .., ... · --~ .. ' ·------L ...... ~ 16 310 410 Felix" 713112012 2:48:39 00:00:43 I PM(UTC+O) ______L.