Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 1 of 50 AO 91 (Rev. 08/09) Criminal Complaint UNITED STATES DISTRICT COURT for the District of Oregon United States of America FILEI(J5~ '1512:05USDC-oRP ) ) ) ) ) ) v. Lawrence Howard Ulvi, aka Larry Ulvi '15 -MJ- 38 Defendant(s) CRIMINAL COMPLAINT I, the complainant in this case, state that the following is true to the best of my knowledge and belief. On or about the date(s) of May 17,2013 to February 26,2015 in the county of _ _ _ _ _ _ District of Oregon Multnomah in the , the defendant(s) violated: Offense Description Code Section 18 U.S.C. Section 1341 18 U.S.C. Section 1343 Mail Fraud Wire Fraud This criminal complaint is based on these facts: set forth in the attached affidavit. ~ Continued on the attached sheet. Complainant's signature SA Travis Welter Printed name and title Sworn to before me and signed in my presence. Date: City and state: Portland, Oregon Honorable Magistrate Judge Janice M. Stewart Printed name and title Case 3:15-mj-00038 Document 1 STATE OF OREGON ) COUNTY OF MULTNOMAH ) ) ss. Filed 03/05/15 Page 2 of 50 AFFIDAVIT OF TRAVIS WELTER IN SUPPORT OF ARREST WARRANT AND SEARCH WARRANTS I, Travis Welter, being duly sworn, do hereby depose and say that: 1. I am employed as a Special Agent (SA) with the Federal Bureau of Investigation (FBI), and have been so employed since July 2014. I am currently assigned to the White Collar Crime Squad of the Portland office of the FBI, which investigates violations of federal law to include violations of Title 18, United States Code, Section 1341 (Mail Fraud), Section 1343 (Wire Fraud), Section 1344 (Bank Fraud), Section 1349 (Conspiracy to Commit Mail, Wire, and Bank Fraud), and Section 1956 (Money Laundering). 2. This affidavit is submitted in support of an application for warrants authorizing the arrest and search of LARRY ULVI, a search of safe deposit box #225, located at Bank of the West branch # 146, 905 NE Halsey St., Portland, Oregon 97232, and a search of storage unit # 1056, located at Northwest Self Storage/ Portland Storage Too, 109 SE Alder Street, Portland, OR 97214. 3. The information stated herein pertaining to this investigation is based on my own personal involvement, discussions I have had with other law enforcement officers, as well as information contained in written reports. This affidavit is intended to provide probable cause to support the issuance of an arrest warrant and three search warrants as requested herein and does not purport to set forth all of the information I have acquired during the course of this investigation. 4. On February 25, 2015, Honorable Magistrate Judge John V. Acosta issued a PAGE 1- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 3 of 50 District of Oregon, Federal Search Warrant for LARRY ULVI's residence, 424 NW 21st Avenue, Apartment # 106, Portland, Oregon 97209 and for the Yahoo! Inc. email account larryulvi@yahoo.com. The application for the aforementioned search warrant Case No. '15MC-107 A&B is attached and incorporated into this application. 5. On February 26, 2015, the above mentioned Federal Search Warrant was executed at Larry UL VI's residence, 4 24 NW 21 5\ Apartment # 106, Portland, Oregon 97209. UL VI was at his residence when FBI Agents arrived and was briefly interviewed before the search commenced. When asked if he owned any other original artwork by Mark Tobey, ULVI indicated that he may have sketches in storage. At the conclusion of the interview, UL VI chose to depart the residence during the execution of the search. 6. Evidence collected from the search included approximately 150 suspected fake paintings. All but one of the recovered paintings were works on paper. Most of the suspected fake paintings were in the style of Mark Tobey and many were signed "Tobey." There were also other suspected fake paintings in the style of or signed in the name of Morris Graves, Kenneth Callahan, Charles Burchfield, and Edward Hopper. I have compared the "Tobey" paintings found during the search warrant with those purchased by Victim #2 (referenced in the attached affidavit) and later identified as not genuine by Dr. Heiner Hachmeister and have observed them to be the same or similar in style, size, and materials. 7. Also found during the search of ULVI's apartment were art supplies to include paint and pads of paper. I have reviewed the recovered paint and paper and observed the blank paper to be the same or approximately same size as the paper used in the approximately 150 suspected fakes. I also observed a sheet of paper which had been used to practice writing "T" and PAGE 2- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 4 of 50 "Tobey" several times, as well as a pad of paper which also included practiced writing of the signature "Kenneth Callahan." 8. In addition to the above suspected fake paintings, supplies to manufacture paintings, and practiced signatures, we also recovered photographs and photocopies of suspected fake paintings, business documents from Victims #1 and #2, three books about Mark Tobey, one book about Charles Burchfield, and one book about Kenneth Callahan. Each book contained images of the artist's paintings. 9. Also recovered during the search was approximately 78 pieces of digital media to include compact flash cards, memory sticks, and other forms of digital media commonly used in digital cameras. A review of the media is ongoing; however, the initial review has found several media cards which contain photographs of suspected fake paintings. I know that UL VI sent digital photographs, via email, to victims of this investigation. 10. During the execution of the search, I witnessed a "safe deposit notice" for safe deposit box #225 from Bank of the West, branch #146, dated July 7, 2014, addressed to Larry Ulvi at 23350 NE Hagey Rd, Dundee, OR 97115. I know it is common for individuals to store currency and other valuables in safe deposit boxes. On March 4, 2015, Bank of the West confirmed that UL VI still maintains and utilizes safe deposit box #225 at the Lloyd Center Branch, Branch #146, located at 905 NE Halsey Street, Portland, Oregon, and on February 26, 2015, during the execution of the above search at ULVI's residence, ULVI accessed the safe deposit box. 11. I also witnessed a "change of lease announcement" from Northwest Self Storage/ Portland Self Storage Too, 109 SE Alder Street, Portland, Oregon, dated April1, 2014, PAGE 3- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 5 of 50 addressed to Larry Ulvi at 23350 NE Hagey RD., Dundee, OR 97115. I believe that this is the same storage unit that ULVI referenced in his aforementioned interview. I also believe that this is the same storage unit that UL VI also referenced in emails documented in paragraphs 10 and 12 ofthe attached affidavit. On March 4, 2015, Specjal Agents Caleb Williams and Sean Hamblet spoke with the manager at the above storage business and were advised that ULVI rents storage unit #1056 and did access the unit at approximately 5:30pm on February 26, 2015, the day of the above mentioned search warrant execution. Search and Seizure of Digital Data 12. This application seeks permission to search for and seize evidence of the crimes described above, including evidence of how computers, digital devices, and digital storage media were used, the purpose of their use, and who used them. 13. Based upon my training and experience, and information related to me by agents and others involved in the forensic examination of computers and digital devices, I know that data in digital form can be stored on a variety of systems and storage devices, including hard disk drives, floppy disks, compact disks, magnetic tapes, flash drives, and memory chips. Some of these devices can be smaller than a thumbnail and can take several forms, including thumb drives, secure digital media used in phones and cameras, personal music devices, and similar items. They are easily carried and concealed on someone's person. Removal of Data Storage Devices 14. I know that a forensic image is an exact physical copy of a data storage device. A forensic image captures all data on the subject media without viewing or changing the data in any way. Absent unusual circumstances, it is essential that a forensic image be obtained prior to PAGE 4- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 6 of 50 conducting any search of data for information subject to seizure pursuant to the warrant. I also know that during the search of the premises it is not always possible to create a forensic image of or search digital devices or media for data for a number of reasons, including the following: a) Searching digital devices can be a highly technical process that requires specific expertise and specialized equipment. Because there are so many different types of digital devices and software in use today, it is difficult to anticipate all of the necessary technical manuals, specialized equipment, and specific expertise necessary to conduct a thorough search of the media to ensure that the data will be preserved and evaluated in a useful manner. b) Searching digital devices can require the use of precise, scientific procedures designed to maintain the integrity of the evidence and to recover latent data not readily apparent to the casual user. The recovery of such data may require the use of special software and procedures, such as those used in a law enforcement laboratory. c) The volume of data stored on many digital devices is typically so large that it will be highly impractical to search for data during the execution of the physical search of the premises. Storage devices capable of storing 500 gigabytes of data are now commonplace in desktop computers. It can take several hours, or even days, to image a single hard drive. The larger the drive, the longer it takes. Depending upon the number and size of the devices, the length of time that agents must remain onsite to image and examine digital devices can become impractical. Laboratory Setting May Be Essential For Complete And Accurate Analysis Of Data 15. Since digital data may be vulnerable to inadvertent modification or destruction, a controlled environment, such as a law enforcement laboratory, may be essential to conduct a PAGE 5- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 7 of 50 complete and accurate analysis of the digital devices from which the data will be extracted. Software used in a laboratory setting can often reveal the true nature of data. Therefore, a computer forensic reviewer needs a substantial amount of time to extract and sort through data that is concealed or encrypted to determine whether it is evidence, contraband, or an instrumentality of a crime. 16. Analyzing the contents of a computer or other electronic storage device, even without significant technical difficulties, can be very challenging, and a variety of search and analytical methods must be used. For example, searching by keywords, which is a limited text-based search, often yields thousands of hits, each of which must be reviewed in its context by the examiner to determine whether the data is within the scope of the warrant. Merely finding a relevant hit does not end the review process. The computer may have stored information about the data at issue which may not be searchable text, such as: who created it; when and how it was created, downloaded, or copied; when it was last accessed; when it was last modified; when it was last printed; and when it was deleted. The relevance of this kind of data is often contextual. Furthermore, many common email, database, and spreadsheet applications do not store data as searchable text, thereby necessitating additional search procedures. To determine who created, modified, copied, downloaded, transferred, communicated about, deleted, or printed data requires a search of events that occurred on the computer in the time periods surrounding activity regarding the relevant data. Information about which users logged in, whether users shared passwords, whether a computer was connected to other computers or networks, and whether the users accessed or used other programs or services in the relevant time period, can help determine who was sitting at the keyboard. PAGE 6- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 17. Document 1 Filed 03/05/15 Page 8 of 50 Latent Data: Searching digital devices can require the use of precise, scientific procedures designed to maintain the integrity of the evidence and to recover latent data. The recovery of such data may require the use of special software and procedures. Data that represents electronic files or remnants of such files can be recovered months or even years after it has been downloaded onto a hard drive, deleted, or viewed via the Internet. Even when such files have been deleted, they can be recovered months or years later using readily available forensic tools. Normally, when a person deletes a file on a computer, the data contained in the file does not actually disappear; rather, that data remains on the hard drive until it is overwritten by new data. Therefore, deleted files, or remnants of deleted files, may reside in space on the hard drive or other storage media that is not allocated to an active file. In addition, a computer's operating system may keep a record of deleted data in a swap or recovery file or in a program specifically designed to restore the computer's settings in the event of a system failure. 18. Contextual Data: a) In some instances, the computer "writes" to storage media without the specific knowledge or permission of the user. Generally, data or files that have been received via the Internet are automatically downloaded into a temporary Internet directory or cache. The browser typically maintains a fixed amount of hard drive space devoted to such data or files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve artifacts of electronic activity from a hard drive depends less on when the file was downloaded or viewed than on a particular user's operating system, storage capacity, and computer usage. Logs of access to websites, file management/transfer programs, firewall permissions, and other data assist the examiner and investigators in creating a "picture" of what PAGE 7- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 9 of 50 the computer was doing and how it was being used during the relevant time in question. Given the interrelationships of the data to various parts of the computer's operation, this information cannot be easily segregated. b) Digital data on the hard drive that is not currently associated with any file may reveal evidence of a file that was once on the hard drive but has since been deleted or edited, or it could reveal a deleted portion of a file (such as a paragraph that has been deleted from a word processing file). Virtual memory paging systems can leave digital data on the hard drive that show what tasks and processes on the computer were recently used. Web browsers, email programs, and chat programs store configuration data on the hard drive that can reveal information such as online nicknames and passwords. Operating systems can record additional data, such as the attachment of peripherals, the attachment of USB flash storage devices, and times the computer was in use. Computer file systems can record data about the dates files were created and the sequence in which they were created. This data can be evidence of a crime, indicate the identity of the user of the digital device, or point toward the existence of evidence in other locations. Such data may also lead to exculpatory evidence. c) Further, evidence of how a digital device has been used, what it has been used for, and who has used it, may be learned from the absence of particular data on a digital device. Specifically, the lack of computer security software, virus protection, malicious software, evidence of remote control by another computer system, or other programs or software may assist in identifying the user indirectly and may provide evidence excluding other causes for the presence or absence of the items sought by this application. Additionally, since computer drives may store artifacts from the installation of software that is no longer active, evidence of the PAGE 8- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 10 of 50 historical presence of the kind of software and data described may have special significance in establishing time lines of usage, confirming the identification of certain users, establishing a point of reference for usage and, in some cases, assisting in the identification of certain users. This data can be evidence of a crime, can indicate the identity of the user of the digital device, or can point toward the existence of evidence in other locations. Such data may also lead to exculpatory evidence. Evidence of the absence of particular data on the drive is not generally capable of being segregated from the rest of the data on the drive. Search Procedure 19. In searching for data capable of being read, stored, or interpreted by a computer or storage device, law enforcement personnel executing the search warrant will employ the following procedure: a) On-site search, ifpracticable. Law enforcement officers trained in computer forensics (hereafter, "computer personnel"), if present, may be able to determine if digital devices can be searched on-site in a reasonable amount of time and without jeopardizing the ability to preserve data on the devices. Any device searched on-site will be seized only if it contains data falling within the list of items to be seized as set forth in the warrant and in Attachment B. b) On-site imaging, ifpracticable. If a digital device cannot be searched on-site as described above, the computer personnel, if present, will determine whether the device can be imaged on-site in a reasonable amount of time without jeopardizing the ability to preserve the dat PAGE 9- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 11 of 50 c) Seizure of digital devices for off-site imaging and search. If no computer personnel are present at the execution of the search warrant, or if they determine that a digital device cannot be searched or imaged on-site in a reasonable amount of time and without jeopardizing the ability to preserve data, the digital device will be seized and transported to an appropriate law enforcement laboratory for review. d) Law enforcement personnel will examine the digital device to extract and seize any data that falls within the list of items to be seized as set forth in the warrant and in Attachment B. To the extent they discover data that falls outside the scope of the warrant that they believe should be seized (e.g., contraband or evidence of other crimes), they will seek an additional warrant. e) Law enforcement personnel will use procedures designed to identify items to be seized under the warrant. These procedures may include the use of a "hash value" library to exclude normal operating system files that do not need to be searched. In addition, law enforcement personnel may search for and attempt to recover deleted, hidden, or encrypted data to determine whether the data falls within the list of items to be seized under the warrant. f) If the digital device was seized or imaged, law enforcement personnel will perform an initial search of the original digital device or image within a reasonable amount of time not to exceed 120 days from the date of execution of the warrant. If, after conducting the initial search, law enforcement personnel determine that an original digital device contains any data falling within the list of items to be seized pursuant to this warrant, the government will retain the original digital device to, among other things, litigate the admissibility/authenticity of the seized items at trial, ensure the integrity of the copies, ensure the adequacy of chain of custody, and resolve any issues regarding contamination of the evidence. If the government PAGE 10 - AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 12 of 50 needs additional time to determine whether an original digital device or image contains any data falling within the list of items to be seized pursuant to this warrant, it may seek an extension of the time period from the Court within the original 120-day period from the date of execution of the warrant. The government shall complete the search of the digital device or image within 180 days of the date of execution of the warrant. If the government needs additional time to complete the search, it may seek an extension of the time period from the Court within the original 180-day period from the date of execution of the warrant. g) If, at the conclusion of the search, law enforcement personnel determine that particular files or file folders on an original digital device or image do not contain any data falling within the list of items to be seized pursuant to the warrant, they will not search or examine those files or folders further without authorization from the Court. Law enforcement personnel may continue to examine files or data falling within the list of items to be seized pursuant to the warrant, as well as data within the operating system, file system, or software application relating or pertaining to files or data falling within the list of items to be seized pursuant to the warrant (such as log files, registry data, and the like), through the conclusion of the case. h) If an original digital device does not contain any data falling within the list of items to be seized pursuant to this warrant, the government will return that original data device to its owner within a reasonable period of time following the search of that original data device and will seal any image of the device, absent further authorization from the Court. PAGE 11 - AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 13 of 50 Data to be Seized 20. In order to search for data that is capable of being read or interpreted by a computer, law enforcement personnel will need to seize, image, copy, and/or search the following items, subject to the procedures set forth herein: a) Any computer equipment or digital devices that are capable of being used to commit or further the crimes outlined above, or to create, access, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; b) Any computer equipment or digital devices used to facilitate the transmission, creation, display, encoding, or storage of data, including word processing equipment, modems, docking stations, monitors, printers, plotters, encryption devices, and optical scanners that are capable of being used to commit or further the crimes outlined above, or to create, access, process, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; c) Any magnetic, electronic, or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD-ROMs, CD-Rs, CD-RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, personal digital assistants, and cell phones capable of being used to commit or further the crimes outlined above, or to create, access, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; d) Any documentation, operating logs, and reference manuals regarding the operation of the computer equipment, storage devices, or software; PAGE 12- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 14 of 50 e) Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched; f) Any physical keys, encryption devices, dongles, or similar physical items which are necessary to gain access to the computer equipment, storage devices, or data; g) Any passwords, password files, test keys, encryption codes, or other information necessary to access the computer equipment, storage devices, or data, and h) All records, documents, programs, applications, or materials created, modified, or stored in any form, including in digital form, on any computer or digital device, that show the actual user(s) of the computers or digital devices during any time period in which the device was used to upload, download, store, receive, possess, or view child pornography, including the web browser's history; temporary Internet files; cookies, bookmarked or favorite web pages; email addresses used from the computer; MAC IDs and/or Internet Protocol addresses used by the computer; email, instant messages, and other electronic communications; address books; contact lists; records of social networking and online service usage; and software that would allow others to control the digital device such as viruses, Trojan horses, and other forms of malicious software. 21. The government has made no prior efforts in other judicial fora to obtain the evidence sought in the warrant. Retention of Image 22. The government will retain a forensic image of each electronic storage device subjected to analysis for a number of reasons, including proving the authenticity of evidence to be used at trial; responding to questions regarding the corruption of data; establishing the chain PAGE 13 - AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 15 of 50 of custody of data; refuting claims of fabricating, tampering, or destroying data; and addressing potential exculpatory evidence claims where, for example, a defendant claims that the government avoided its obligations by destroying data or returning it to a third party. Inventory and Return 23. With respect to the seizure of electronic storage media or the seizure or imaging of electronically stored information, the search warrant return to the Court will describe the physical storage media that were seized or imaged. Conclusion 24. Based on the foregoing, I have probable cause to believe, and I do believe, that LARRY ULVI committed mail fraud and wire fraud in violation of 18 U.S.C. § 1341 and 18 U.S.C. § 1343 that evidence of those offense(s), as more fully described in Attachment B hereto, are presently contained on his person or in his safe deposit box and storage unit, which are more fully described above and in Attachments A-1 and A-2. I therefore request that the court issue a warrant authorizing the arrest and search of LARRY UL VI and warrants authorizing a search of the safe deposit box and storage unit, described in Attachments A-1 and A-2 for the items listed in Attachment B, and the seizure and examination of any such items found. 25. This affidavit, the accompanying application, and the requested arrest and search warrants were reviewed by Assistant United States Attorney Scott Asphaug who advised me that, in his opinion, probable cause exists to apply for an arrest warrant for LARRY ULVI- PAGE 14- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 16 of 50 and search warrant to search his person, the safe deposit box, and storage location, for evidence of the crimes of mail fraud and wire fraud and LARRY UL VI's involvement in such crimes. Travis Welter Special Agent Federal Bureau of Investigation Portland, Oregon ,c::Jtt Subscribed and sworn to before me this __...._..=.::...)_ _ day of March, 2015 . .--~- onorable Janice M. Stewart United States Magistrate Judge District of Oregon PAGE 15 - AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 17 of 50 ATTACHMENT A-1 (The Place to be Searched) The place to be searched will be safe deposit box #225 located at Bank of the West, Lloyd Center Branch #146, 905 NE Halsey Street, Portland, Oregon. r Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 18 of 50 ATTACHMENT A-2 (The Place to be Searched) The place to be searched will be storage locker unit #1056 located at Northwest Self Storage, dba Portland Storage Too, 109 SE Alder Street, Portland, Oregon 109 SE Alder Street is a multi-story warehouse building with both a pedestrian door and loading dock on the Alder Street side of the building. The structure has the name "Portland Storage Too" painted on the upper part of the East side of the building. The primary entrance is through the loading dock where an adjacent staircase leads to the manager's office and first floor storage unites. Unit #1056 is located on the first floor of the building directly behind the manager's office. Unit # 1056 is a 3' x 3' storage unit with the number "1 056" painted on the front door. The unit is approximately 8' in height. Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 19 of 50 ATTACHMENT B ITEMS TO SEARCH FOR AND SEIZE AS EVIDENCE OF THE CRIMES OF MAIL FRAUD, WIRE FRAUD, AND CONSPIRACY TO COMMIT MAIL AND WIRE FRAUD. 1. Fake paintings and drawings 2. Proceeds of the sales of fake paintings and drawings 3. Instrumentalities and documents related to the creation of fake paintings and drawings 4. Correspondence with victims or other persons involved in the scheme 5. Telephone records 6. Pictures and photographs, whether printed or digital, showing fake paintings and drawings. 7. Documentation relating to bank account information, including bank statements, deposit slips, check/deposit registers, ATM receipts, and account numbers. 8. Cash 9. Documentation of international travel to include expired passports 10. Digital Evidence: a. Any computer equipment or digital devices that are capable of being used to commit or further the crimes referenced above, or to create, access, or store contraband or evidence, fruits, or instrumentalities of such crimes, including central processing units; laptop or notebook computers; personal digital assistants; wireless communication devices including paging devices and cellular telephones; peripheral input/output devices such as keyboards, printers, scanners, plotters, monitors, and drives intended for removable media; related communication devices such as modems, routers, cables, and connections; storage media; and security devices; b. Any computer equipment or digital devices used to facilitate the transmission, creation, display, encoding, or storage of data, including word processing equipment, modems, docking stations, monitors, printers, plotters, encryption devices, and optical scanners that are capable of being used to commit or further the crimes referenced above, Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 20 of 50 or to create, access, process, or store contraband, or evidence, fruits, or instrumentalities of such cnmes; c. Any magnetic, electronic, or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD ROMs, CD Rs, CD RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, personal digital assistants, and cell phones capable of being used to commit or further the crimes referenced above, or to create, access, or store contraband, or evidence, fruits, or instrumentalities of such crimes; d. Any documentation, operating logs, and reference manuals regarding the operation of the computer equipment, storage devices, or software; e. Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched; f. Any physical keys, encryption devices, dongles, or similar physical items which are necessary to gain access to the computer equipment, storage devices, or data; g. Any passwords, password files, test keys, encryption codes, or other information necessary to access the computer equipment, storage devices, or data; and h. All records, documents, programs, applications, or materials created, modified, or stored in any form, including in digital form, on any computer or digital device, that show the actual user(s) of the computers or digital devices during the time the device was used to commit the crimes referenced above, including the web browser's history; temporary Internet files; cookies, bookmarked, or favorite web pages; email addresses used from the computer; MAC IDs and/or Internet Protocol addresses used by the computer; email, instant messages, and Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 21 of 50 other electronic communications; address books; contact lists; records of social networking and online service usage; and software that would allow others to control the digital device such as viruses, Trojan horses, and other forms of malicious software. As used herein, the terms "records," "documents," "programs," "applications," or "materials" includes records, documents, programs, applications, or materials created, modified, or stored in any form. Search Procedure In searching for data capable of being read, stored, or interpreted by a computer or storage device, law enforcement personnel executing the search warrant will employ the following procedure: a. On-site search, ifpracticable. Law enforcement officers trained in computer forensics (hereafter, "computer personnel"), if present, may be able to determine if digital devices can be searched on site in a reasonable amount of time and without jeopardizing the ability to preserve data on the devices. Any device searched on site will be seized only if it contains data falling within the list of items to be seized as set forth in the warrant and in Attachment B. b. On-site imaging, ifpracticable. If a digital device cannot be searched on site as described above, the computer personnel, if present, will determine whether the device can be imaged on site in a reasonable amount of time without jeopardizing the ability to preserve the data. c. Seizure of digital devices for off-site imaging and search. If no computer personnel are present at the execution of the search warrant, or if they determine that a digital device cannot be searched or imaged on site in a reasonable amount of time and without Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 22 of 50 jeopardizing the ability to preserve data, the digital device will be seized and transported to an appropriate law enforcement laboratory for review. d. Law enforcement personnel will examine the digital device to extract and seize any data that falls within the list of items to be seized as set forth in the warrant and in Attachment B. To the extent they discover data that falls outside the scope of the warrant that they believe should be seized (e.g., contraband or evidence of other crimes), they will seek an additional warrant. e. Law enforcement personnel will use procedures designed to identify items to be seized under the warrant. These procedures may include the use of a "hash value" library to exclude normal operating system files that do not need to be searched. In addition, law enforcement personnel may search for and attempt to recover deleted, hidden, or encrypted data to determine whether the data falls within the list of items to be seized under the warrant. f. If the digital device was seized or imaged, law enforcement personnel will perform an initial search of the original digital device or image within a reasonable amount of time not to exceed 120 days from the date of execution of the warrant. If, after conducting the initial search, law enforcement personnel determine that an original digital device contains any data falling within the list of items to be seized pursuant to this warrant, the government will retain the original digital device to, among other things, litigate the admissibility/authenticity of the seized items at trial, ensure the integrity of the copies, ensure the adequacy of chain of custody, and resolve any issues regarding contamination of the evidence. If the government needs additional time to determine whether an original digital device or image contains any data falling within the list of items to be seized pursuant to this warrant, it may seek an extension of the time period from the Court within the original 120-day period from the date of execution of Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 23 of 50 the warrant. The government shall complete the search of the digital device or image within 180 days of the date of execution of the warrant. If the government needs additional time to complete the search, it may seek an extension of the time period from the Court within the original 180-day period from the date of execution of the warrant. g. If, at the conclusion of the search, law enforcement personnel determine that particular files or file folders on an original digital device or image do not contain any data falling within the list of items to be seized pursuant to the warrant, they will not search or examine those files or folders further without authorization from the Court. Law enforcement personnel may continue to examine files or data falling within the list of items to be seized pursuant to the warrant, as well as data within the operating system, file system, or software application relating or pertaining to files or data falling within the list of items to be seized pursuant to the warrant (such as log files, registry data, and the like), through the conclusion of the case. h. If an original digital device does not contain any data falling within the list of items to be seized pursuant to this warrant, the government will return that original data device to its owner within a reasonable period of time following the search of that original data device and will seal any image of the device, absent further authorization from the Court. Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 24 of 50 AO 106 (Rev. 04/10) Application for a Search Warrant UNITED STATES DISTRICT COURT for the District of Oregon In the Matter of the Search of (Briefly describe the property to be searched or identify the person by name and address) The residence at 424 NW 21st Street, Apt 106, Portland, Oregon and Information associated with the email account larryulvi@yahoo.com controlled by Yahoo! Inc. ) ) ) ) ) ) Case No. '15 -MC-10 7-' A~· 13 APPLICATION FOR A SEARCH WARRANT I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the property to be searched and give its location): See attachments A-1 and A-2 which are attached hereto and incorporated herein by this reference. located in the --------------- District of Oregon -----------~---------- , there is now concealed (identify the person or describe the property to be seized): the information and items set forth in Attachment B which is attached hereto and incorporated herein by this reference. The basis for the search under Fed. R. Crim. P. 41 (c) is (check one or more): ~evidence of a crime; ~contraband, fruits of crime, or other items illegally possessed; itJ property designed for use, intended for use, or used in committing a crime; 0 a person to be arrested or a person who is unlawfully restrained. The search is related to a violation of: Code Section 18 U.S.C. § 1343 18 U.S.C. § 1341 Offense Description Wire Fraud Mail Fraud The application is based on these facts: See affidavit which is attached hereto and incorporated herein by this reference. l'lf Continued on the attached sheet. Travis Welter Date: . I . i I '--------1.,..~ L./ \ Judge's signature City and state: Portland, Oregon Honorable John V. Acosta, United States Magistrate Judge Printed name and title Case 3:15-mj-00038 STATE OF OREGON COUNTY OF MULTNOMAH Document 1 ) ) ) ss. Filed 03/05/15 Page 25 of 50 AFFIDAVII OF IRAVIS WELTER IN SUPPORT OF A SEARCH WARRANT I, Travis Welter, being duly sworn, do hereby depose and say that: 1. I am employed as a Special Agent (SA) with the Federal Bureau of Investigation (FBI), and have been so employed since July 2014. I am currently assigned to the White Collar Crime Squad of the Portland office of the FBI, which investigates violations of federal law to include violations ofTitle 18, United States Code, Section 1341 (Mail Fraud), Section 1343 (Wire Fraud), Section 1344 (Bank Fraud), Section 1349 (Conspiracy to Commit Mail, Wire, and Bank Fraud), and Section 1956 (Money Laundering). 2. This affidavit is submitted in support of an application for a warrant authorizing the search of 1) a residence, 424 NW 21 5\ Apartment #106, Portland, Oregon 97209 and 2) email address larryulvi0.vahoo.com. 3. The information stated herein pertaining to this investigation is based on my own personal involvement, discussions I have had with other law enforcement officers, as well as information contained in written reports. This affidavit is intended to provide probable cause to support the issuance of a search warrant as requested herein and does not purport to set forth all of the information I have acquired during the course of this investigation. Relevant Electronic and Wire Communication Statutes 4. The relevant federal statutes involved in the disclosure of customer communication records for the requested data in the above email account is as follows: PAGE 1 - AFFIDA VII OF IRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 26 of 50 a. Title 18 U.S.C. § 2703(a) provides, in part: "A governmental entity may require the disclosure by a provider of electronic communication service of the contents of a wire or electronic communication, that is in electronic storage in an electronic communications system for one hundred and eighty days or less, only pursuant to a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant." b. Title 18 U.S.C. § 2703(b)(1)(A) provides, in part: "A governmental entity may require a provider of remote computing service to disclose the contents of a wire or electronic communication . . . (A) without required notice to the subscriber or customer, if the governmental entity obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant." c. Title 18 U.S.C. § 2703(c)(1)(A) provides, in part: "A governmental entity may require a provider of electronic communication service or remote computing to disclose a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications) only when the governmental entity - (A) obtains a warrant issued using the procedures described in the Federal Rules of Criminal Procedure by a court with jurisdiction over the offense under investigation or equivalent State warrant." PAGE 2- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 27 of 50 d. Title 18 U.S.C. § 2510(1) defines a "wire communication" as "any aural transfer made in whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable, or other like connection between the point of origin and the point of reception ... furnished or operated by any person engaged in providing or operating such facilities for the transmission of interstate or foreign communications affecting interstate or foreign commerce." e. Title 18 U.S.C. § 2510(12) defines "electronic communication" as "any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photo electronic or photo optical system that affects interstate or foreign commerce," with certain exceptions not applicable here. f. Title 18 U .S.C. § 251 0(17) defines "electronic storage" as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof;" and "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." Background of Investigation 5. In approximately October 2011, a Seattle, Washington fine art dealer, hereinafter Victim # 1, was contacted by LARRY ULVI pursuant to an advertisement that Victim # 1 had placed indicating he was interested in Mark Tobey paintings. By way of background, Mark Tobey (1890-1976) was an abstract painter and is widely considered the most important artist PAGE 3 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 28 of 50 within the Northwest School of painting. Tobey's works are highly sought after by international dealers and collectors. 6. According to Victim #1, shortly after being contacted by ULVI he purchased one abstract painting and approximately six "market sketches" (drawings or paintings of Seattle street scenes) from ULVI. After purchasing the abstract painting, Victim #1 submitted a digital image of the painting via email to Committee Mark Tobey (CMT), a committee of art experts who maintains archives about the life and work of Mark Tobey. Based on the digital image of the painting, Dr. Heiner Hachrneister ofCMT, a recognized expert on the works of Mark Tobey, issued a written letter of authentication for this painting. Following the email authentication, Victim #1 mailed the original painting to Hachrneister. Upon seeing the painting in person, Dr. Hachrneister determined the painting not to be authentic. 7. About six months after the initial purchase, ULVI began offering more Tobey's to Victim # 1. According to Victim# 1, he then sent photographs of each painting, via email, to Dr. Hachrneister for authentication and, in each case, Dr. Hachrneister advised the paintings were deemed as not authentic and were to be placed in the CMT Fakes Registry. Every time Victim #1 received Dr. Hachrneister's opinion the paintings were not authentic, Victim #1 informed ULVI of the opinion. At no time did Victim #1 provide the identity ofULVI to Dr. Hachrneister. 8. According to Victim #1, he last saw ULVI in approximately June 2013. Until this meeting, Victim #1 had thought ofULVI as an individual who had aspirations ofbeing an art dealer and had acquired some fake Tobey's in trade. However, following this meeting, Victim #1 's opinion was that ULVI was a "con man." In this meeting, ULVI offered several works by PAGE 4- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 29 of 50 two separate artists and the works looked as though they had been painted by the same hand. Victim # 1 quickly declined UL VI's offer and has not been contacted by him since. 9. On May 17, 2013, a fine art dealer with galleries in California, hereinafter Victim #2, received an online inquiry from an individual who identified himself as "larry" at 424 NW 21st #106, Portland, Oregon, 97209, telephone (971) 258-4837, emaillarryulvi((l!vahoo.com. "Larry" was later identified as LARRY ULVI. This inquiry was received via the gallery's website which allows viewers the opportunity to offer paintings for sale. In his inquiry, UL VI uploaded an image of a Mark Tobey painting which he indicated "Purchased in Switzerland 70\'s .. at art fair.has authentican from Heishauser..as u know I can\'t spell ... Larry." Later that same day employees of Victim #2 sent an email to larrvulvi0;vahoo.com expressing interest in the painting. I believe "Heishauser" in UL VI's email refers to Dr. Heiner Hachmeister and references a May 2, 2013 certificate of authenticity that Dr. Hachmeister issued for one Mark Tobey painting that ULVI provided to CMT via email. 10. On May 20, 2013, Victim #2's gallery received an email from larryulvi@,vahoo.com which stated "Going thru my storage I found some more ..I will send thru the mail pies of all of them ... you should receive in 2 days?? Larry." 11. On May 27, 2013, in response to an email asking ULVI how much he wanted to sell the Mark Tobey painting for, Victim #2's gallery received an email from larrvulvirw.vahoo.com which stated "The one I sold here at auction brought only 3500 .. I'm open to it, as I have some more I want to sell later .... Of course the one here did not have the CMT stamp on it ... Larry IPS ... I could run up to Seattle and show the guy the painting if you want??" I know the reference to the Seattle "guy" is referring to Victim #2 who, in addition to his PAGE 5 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 30 of 50 California galleries, on occasion works from his residence which is located in a suburb of Seattle, Washington. 12. On May 28, 2013, one of Victim #2's employees offered ULVI $7,000 for two Mark Tobey paintings and asked ULVI if there was authentication for the second painting. Later that same day, UL VI replied from larrvulvi(a,vahoo.com "You gotta deal. ... Larry," indicating he had accepted the $7,000 offer. Also later that same day ULVI replied from larrvulvi((l:vahoo.com "Am sending off to cmt later this week, as I have 4 more in the East bay in my storage .. Can't send too many too quickly to CMT, as he likes to evaluate them?" In this email ULVI also asked if Victim #2 was interested in paintings by Lyonel Feininger and Charles Burchfield. According to Dr. Hachmeister, ULVI did not send any other paintings to CMT for authentication. 13. May 29, 2013, an employee of Victim #2 sent an email to ULVI at larrvulvir(i vahoo.com and provided instructions for UL VI to ship the paintings to Victim #2 in Washington. Also in this email, ULVI was asked to provide the provenance for the two paintings to which he replied that he had purchased them from a gallery at the Basel, Switzerland art fair in the early 1970's. Later that same day ULVI sent an email from lan·yulvi({[;yahoo.com advising he would be in Olympia, Washington the following day and would deliver them to Victim #2 at that time. 14. On June 1, 2013, ULVI met Victim #2 at a public location near Victim #2's Washington residence to deliver the two Mark Tobey paintings. ULVI brought a third Mark Tobey painting to this meeting and agreed to sell it for $2,000. At this meeting Victim #2 gave UL VI two checks for $3,500 each and one check for $2,000. PAGE 6- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 15. Document 1 Filed 03/05/15 Page 31 of 50 Between June 3, 2013 and June 14, 2013, several emails were exchanged between Victim #2 or employees of Victim #2 and ULVI at laJTvulvi~a:yahoo.com wherein ULVI offered additional Mark Tobey paintings. On June 13, 2013, an employee of Victim #2 offered a bottle of wine to UL VI in appreciation for his business and asked where the wine should be mailed to which ULVI advised 424 NW 21 5\ #106, Portland, Oregon 97209. 16. On June 15, 2013, Victim #2 purchased two more Mark Tobey paintings from UL VI for $2,500 which he mailed to UL VI at 424 NW 21 5\ # 106, Portland, Oregon 97209. UL VI had previously provided the two paintings to Victim #2 at his Washington residence via the US mail or FedEx. 17. On July 11, 2013, Victim #2 completed his last purchase of artwork from ULVI when he mailed a check for $7,000 to ULVI at 424 NW 21 5\ #106, Portland, Oregon 97209 representing full payment for four Mark Tobey paintings and one Mark Tobey drawing which ULVI had previously shipped to him. Shortly after the final purchase, Victim #2 received three more Mark Tobey paintings from ULVI. These paintings were sent via US mail or FedEx and were unsolicited. Upon receiving the unsolicited works, Victim #2 became concerned that one individual could have such a large number of Mark Tobey paintings. 18. On July 29, 2013, Victim #2 sent an email to ULVI at larrvulvira.vahoo.com wherein Victim #2 claimed to have received a phone call from someone in Seattle, Washington that had expressed concern at the authenticity of the Tobey's on Victim #2's website. Victim #2 indicated he planned to contact Dr. Hachmeister who in tum may contact the FBI. According to Victim #2, there was no call from someone in Seattle and he had employed the subterfuge to solicit a response from UL VI. PAGE 7 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 19. Document 1 Filed 03/05/15 Page 32 of 50 On July 30,2013, ULVI sent an email from larrvulvi0\·ahoo.com to Victim #2 wherein he asked if the person who had called was Victim #1. ULVI then stated "This guy wants to buy cheap .. Actually the ones on your website?? Have already been sent to Hachmeister and approved .. .it cost me nearly $500 each to have this done .. .Ifit will make you feel better, I will contact the fbi and have them inspect the situation, but somehow I feel like I would just be wasting their time .... and govt money ... If we stir things up, it could create a whole lot of headaches for ourselves ... I also showed pies to a guy named John but he wasn't interested ..... Only people I showed to." Based on my knowledge of this investigation, I know that ULVI only sent digital images of one Tobey painting to Hachmeister and not the multiple paintings he refers to above. I also know that UL VI has attempted to sell or consign fake paintings to art dealers other than those he detailed above. 20. On July 30 and 31,2013, Victim #2 contacted Dr. Hachmeister via email for his opinion on three of the paintings he purchased from ULVI. On July 31, 2013, Dr. Hachmeister sent an email to Victim #2 which stated that all works sent to him by email which were signed "Tobey" were not, in his opinion, authentic. Following this initial opinion, Victim #2 shipped all 13 Mark Tobey's to Dr. Hachmeister for his review. 21. On July 31,2013, Victim #2 forwarded Dr. Hachmeister's email to ULVI at larrvulvi0:;vahoo.com and threatened to contact the FBI. Later that same day, ULVI sent an email from larryulvi0:;vahoo.com to Victim #2 which stated "Yeh, that sounds good tome .... who are you anyway??" 22. On August 1, 2013, Victim #2 contacted the Portland office of the FBI. At the direction of the FBI, and in an effort to ease any concerns that the FBI may conduct an PAGE 8 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 33 of 50 investigation of his activities, Victim #2 sent an email to ULVI advising he had cooled down and asked ULVI for additional documentation regarding the paintings. ULVI advised he would mail the documentation, however, after several requests by Victim #2 no documents establishing authenticity were provided. 23. On September 11, 2013, Dr. Hachmeister issued a written report wherein he analyzed the paper, colors, paint materials, signatures, etc of each work. In addition to problems with the materials, colors, and signatures, Dr. Hachmeister noted that the dates on the works range from 1960 to 1970 and 12 of the 13 works "came from the same pad of papers, respectively from the same size of pad" and were the same approximate size or double size. Dr. Hachmeister advised "statistically, it is impossible that one may find- in one collectionauthentic works by Mark Tobey having the same sizes or exactly double sizes over this range of years." Dr. Hachmeister concluded that all 13 works were not authentic to include the one painting he had previously authenticated via email for ULVI on May 2, 2013. 24. On October 9, 2013, ULVI sent an email from larrvulvi(CV,yahoo.com to Victim #2 requesting payment for the three unsolicited Tobey paintings he had sent to Victim #2 in July, 2013. At the direction of the FBI, Victim #2 replied that he did not want to purchase the three paintings. 25. On October 12, 2013, Victim #2 sent an email to ULVI advising he would return the three paintings to ULVI upon receiving the paperwork from ULVI which related to his earlier purchases. Later that same day, ULVI sent a reply from larrvulvi0'vahoo.com which stated "You Sure?? I sent some to a woman in a gallery in NY city, and I never heard from her again!!!" Following this exchange, Victim #2 did not hear from UL VI again until PAGE 9 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 34 of 50 December 22,2014. 26. On December 22 and 23, 2014, Victim #2 received emails from ULVI at larrvulvi i(V,yahoo.com wherein UL VI advised he had sent "stuff from Portland." 27. On January 6, 2015, Victim #2 received at his California gallery, via U.S. mail, an envelope containing photographs of two paintings (a Mark Tobey and a Kenneth Callahan painting) which UL VI was offering for sale and two purchase agreements which related to the request made by Victim #2 on August 1, 2013. According to the postmark, the package was shipped on December 16, 2014 from Portland, Oregon 97210. The return address on the envelope was "Larry Ulvi, 424 NW 21st #106, Portland, Ore 9709 (sic)." The package was originally shipped to Victim #2's Washington residence and was automatically forwarded to the California gallery by the United States Postal Service. 28. On February 19,2015, Troy Fluke, manager ofThe Roselyn apartments, 424 NW 21st Avenue, Portland, Oregon, advised that LARRY ULVI is currently residing at 424 NW 21st Avenue, Apartment #106, Portland, Oregon and has resided there since approximately November 2011. Fluke further advised that ULVI utilizes the community storage area which is located in the basement of The Roselyn. The community storage area was observed to contain multiple open storage racks, each labeled with apartment numbers. ULVI's storage area was observed to be located on the West wall, in the lower section ofthe rack, and was labeled "106." Technical Background 29. Based on my training and experience, I have learned that Yahoo! Inc. provides a variety of on-line services, including electronic mail ("email") access, to the public. Yahoo! Inc. allows subscribers to obtain e-mail accounts at the domain name https://mail.vahoo.com, like the PAGE 10- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 35 of 50 lan·yulvi0;vahoo.com. Subscribers obtain an account by registering with Yahoo! Inc .. During the registration process, Yahoo! Inc. asks subscribers to provide basic personal information which Yahoo! Inc. retains as associated with the email account. Yahoo! Inc. also retains certain other information associated with the email account such as account access information and email transactional information. Yahoo! Inc. email accounts can be used to create, transmit, receive, and store content. 30. This content may include retrieved and unretrieved email for Yahoo! Inc. subscribers. Therefore, the computers of Yahoo! Inc. are likely to contain stored electronic communications, including retrieved and unretrieved email for Yahoo! Inc. subscribers, and information concerning subscribers and their use of Yahoo! Inc. services, such as account access information, email transaction information, and account application information. From my training and experience, I know that such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 31. A Yahoo! Inc. subscriber can also store with the provider files in addition to emails, such as address books, contact or buddy lists, calendar data, pictures (other than ones attached to emails), and other files, on servers maintained and/or owned by Yahoo! Inc .. From my training and experience, I know that evidence of who was using an e-mail account may be found in address books, contact or buddy lists, e-mail in the account, and attachments toe-mails, including pictures and files. 32. From my training and experience, I know that email providers generally ask their subscribers to provide certain personal identifying information when registering for an e-mail account. Such information can include the subscriber's full name, physical address, telephone PAGE 11 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 36 of 50 numbers and other identifiers, alternative e-mail addresses, and, for paying subscribers, means and source of payment (including any credit or bank account number). From my training and experience, I know that such information may constitute evidence of the crimes under investigation because the information can be used to identify the account's user or users. 33. In my training and experience, email providers typically retain certain transactional information about the creation and use of each account on their systems. This information can include the date on which the account was created, the length of service, records of log-in (i.e., session) times and durations, the types of service utilized, the status of the account (including whether the account is inactive or closed), the methods used to connect to the account (such as logging into the account via the provider's website), and other log files that reflect usage of the account. In addition, email providers often have records of the Internet Protocol address ("IP address") used to register the account and the IP addresses associated with particular logins to the account. Because every device that connects to the Internet must use an IP address, IP address information can help to identify which computers or other devices were used to access the email account. 34. From my training and experience, I know that in some cases, e-mail account users will communicate directly with an email service provider about issues relating to the account, such as technical problems, billing inquiries, or complaints from other users. Email providers typically retain records about such communications, including records of contacts between the user and the provider's support services, as well records of any actions taken by the provider or user as a result of the communications. From my training and experience, I know that such information may constitute evidence of the crimes under investigation because the information PAGE 12-AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 37 of 50 can be used to identify the account's user or users. 35. A preservation notice was served on Yahoo! Inc. for the contents ofthe Email Accounts on 1120/2015 for larrvulvi@,vahoo.com, Yahoo! Inc. internal reference number 267800. No further legal process has been served on Yahoo! Inc. for the content of the email account. Search and Seizure of Digital Data 36. This application seeks permission to search for and seize evidence of the crimes described above, including evidence of how computers, digital devices, and digital storage media were used, the purpose of their use, and who used them. 37. Based upon my training and experience, and information related to me by agents and others involved in the forensic examination of computers and digital devices, I know that data in digital form can be stored on a variety of systems and storage devices, including hard disk drives, floppy disks, compact disks, magnetic tapes, flash drives, and memory chips. Some of these devices can be smaller than a thumbnail and can take several forms, including thumb drives, secure digital media used in phones and cameras, personal music devices, and similar items. They are easily carried and concealed on someone's person. Removal of Data Storage Devices 38. I know that a forensic image is an exact physical copy of a data storage device. A forensic image captures all data on the subject media without viewing or changing the data in any way. Absent unusual circumstances, it is essential that a forensic image be obtained prior to conducting any search of data for information subject to seizure pursuant to the warrant. I also PAGE 13 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 38 of 50 know that during the search of the premises it is not always possible to create a forensic image of or search digital devices or media for data for a number of reasons, including the following: a) Searching digital devices can be a highly technical process that requires specific expertise and specialized equipment. Because there are so many different types of digital devices and software in use today, it is difficult to anticipate all of the necessary technical manuals, specialized equipment, and specific expertise necessary to conduct a thorough search of the media to ensure that the data will be preserved and evaluated in a useful manner. b) Searching digital devices can require the use of precise, scientific procedures designed to maintain the integrity of the evidence and to recover latent data not readily apparent to the casual user. The recovery of such data may require the use of special software and procedures, such as those used in a law enforcement laboratory. c) The volume of data stored on many digital devices is typically so large that it will be highly impractical to search for data during the execution of the physical search of the premises. Storage devices capable of storing 500 gigabytes of data are now commonplace in desktop computers. It can take several hours, or even days, to image a single hard drive. The larger the drive, the longer it takes. Depending upon the number and size of the devices, the length of time that agents must remain onsite to image and examine digital devices can become impractical. Laboratory Setting May Be Essential For Complete And Accurate Analysis Of Data 39. Since digital data may be vulnerable to inadvertent modification or destruction, a controlled environment, such as a law enforcement laboratory, may be essential to conduct a complete and accurate analysis of the digital devices from which the data will be extracted. PAGE 14-AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 39 of 50 Software used in a laboratory setting can often reveal the true nature of data. Therefore, a computer forensic reviewer needs a substantial amount of time to extract and sort through data that is concealed or encrypted to determine whether it is evidence, contraband, or an instrumentality of a crime. 40. Analyzing the contents of a computer or other electronic storage device, even without significant technical difficulties, can be very challenging, and a variety of search and analytical methods must be used. For example, searching by keywords, which is a limited text-based search, often yields thousands of hits, each of which must be reviewed in its context by the examiner to determine whether the data is within the scope of the warrant. Merely finding a relevant hit does not end the review process. The computer may have stored information about the data at issue which may not be searchable text, such as: who created it; when and how it was created, downloaded, or copied; when it was last accessed; when it was last modified; when it was last printed; and when it was deleted. The relevance of this kind of data is often contextual. Furthermore, many common email, database, and spreadsheet applications do not store data as searchable text, thereby necessitating additional search procedures. To determine who created, modified, copied, downloaded, transferred, communicated about, deleted, or printed data requires a search of events that occurred on the computer in the time periods surrounding activity regarding the relevant data. Information about which users logged in, whether users shared passwords, whether a computer was connected to other computers or networks, and whether the users accessed or used other programs or services in the relevant time period, can help determine who was sitting at the keyboard. PAGE 15 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 41. Document 1 Filed 03/05/15 Page 40 of 50 Latent Data: Searching digital devices can require the use of precise, scientific procedures designed to maintain the integrity of the evidence and to recover latent data. The recovery of such data may require the use of special software and procedures. Data that represents electronic files or remnants of such files can be recovered months or even years after it has been downloaded onto a hard drive, deleted, or viewed via the Internet. Even when such files have been deleted, they can be recovered months or years later using readily available forensic tools. Normally, when a person deletes a file on a computer, the data contained in the file does not actually disappear; rather, that data remains on the hard drive until it is overwritten by new data. Therefore, deleted files, or remnants of deleted files, may reside in space on the hard drive or other storage media that is not allocated to an active file. In addition, a computer's operating system may keep a record of deleted data in a swap or recovery file or in a program specifically designed to restore the computer's settings in the event of a system failure. 42. Contextual Data: a) In some instances, the computer "writes" to storage media without the specific knowledge or permission of the user. Generally, data or files that have been received via the Internet are automatically downloaded into a temporary Internet directory or cache. The browser typically maintains a fixed amount of hard drive space devoted to such data or files, and the files are only overwritten as they are replaced with more recently viewed Internet pages. Thus, the ability to retrieve artifacts of electronic activity from a hard drive depends less on when the file was downloaded or viewed than on a particular user's operating system, storage capacity, and computer usage. Logs of access to websites, file management/transfer programs, firewall permissions, and other data assist the examiner and investigators in creating a "picture" of what PAGE 16- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 41 of 50 the computer was doing and how it was being used during the relevant time in question. Given the interrelationships of the data to various parts of the computer's operation, this information cannot be easily segregated. b) Digital data on the hard drive that is not currently associated with any file may reveal evidence of a file that was once on the hard drive but has since been deleted or edited, or it could reveal a deleted portion of a file (such as a paragraph that has been deleted from a word processing file). Virtual memory paging systems can leave digital data on the hard drive that show what tasks and processes on the computer were recently used. Web browsers, email programs, and chat programs store configuration data on the hard drive that can reveal information such as online nicknames and passwords. Operating systems can record additional data, such as the attachment of peripherals, the attachment of USB flash storage devices, and times the computer was in use. Computer file systems can record data about the dates files were created and the sequence in which they were created. This data can be evidence of a crime, indicate the identity of the user of the digital device, or point toward the existence of evidence in other locations. Such data may also lead to exculpatory evidence. c) Further, evidence of how a digital device has been used, what it has been used for, and who has used it, may be learned from the absence of particular data on a digital device. Specifically, the lack of computer security software, virus protection, malicious software, evidence of remote control by another computer system, or other programs or software may assist in identifying the user indirectly and may provide evidence excluding other causes for the presence or absence ofthe items sought by this application. Additionally, since computer drives may store artifacts from the installation of software that is no longer active, evidence of the PAGE 17- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 42 of 50 historical presence of the kind of software and data described may have special significance in establishing time lines of usage, confirming the identification of certain users, establishing a point of reference for usage and, in some cases, assisting in the identification of certain users. This data can be evidence of a crime, can indicate the identity of the user of the digital device, or can point toward the existence of evidence in other locations. Such data may also lead to exculpatory evidence. Evidence of the absence of particular data on the drive is not generally capable of being segregated from the rest of the data on the drive. Search Procedure 43. In searching for data capable of being read, stored, or interpreted by a computer or storage device, law enforcement personnel executing the search warrant will employ the following procedure: a) On-site search, ifpracticable. Law enforcement officers trained in computer forensics (hereafter, "computer personnel"), if present, may be able to determine if digital devices can be searched on-site in a reasonable amount of time and without jeopardizing the ability to preserve data on the devices. Any device searched on-site will be seized only if it contains data falling within the list of items to be seized as set forth in the warrant and in Attachment B. b) On-site imaging, ifpracticable. If a digital device cannot be searched on-site as described above, the computer personnel, if present, will determine whether the device can be imaged on-site in a reasonable amount of time without jeopardizing the ability to preserve the data. PAGE 18- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 43 of 50 c) Seizure of digital devices for off-site imaging and search. If no computer personnel are present at the execution of the search warrant, or if they determine that a digital device cannot be searched or imaged on-site in a reasonable amount of time and without jeopardizing the ability to preserve data, the digital device will be seized and transported to an appropriate law enforcement laboratory for review. d) Law enforcement personnel will examine the digital device to extract and seize any data that falls within the list of items to be seized as set forth in the warrant and in Attachment B. To the extent they discover data that falls outside the scope of the warrant that they believe should be seized (e.g., contraband or evidence of other crimes), they will seek an additional warrant. e) Law enforcement personnel will use procedures designed to identify items to be seized under the warrant. These procedures may include the use of a "hash value" library to exclude normal operating system files that do not need to be searched. In addition, law enforcement personnel may search for and attempt to recover deleted, hidden, or encrypted data to determine whether the data falls within the list of items to be seized under the warrant. f) If the digital device was seized or imaged, law enforcement personnel will perform an initial search of the original digital device or image within a reasonable amount of time not to exceed 120 days from the date of execution of the warrant. If, after conducting the initial search, law enforcement personnel determine that an original digital device contains any data falling within the list of items to be seized pursuant to this warrant, the government will retain the original digital device to, among other things, litigate the admissibility/authenticity of the seized items at trial, ensure the integrity of the copies, ensure the adequacy of chain of custody, and resolve any issues regarding contamination of the evidence. If the government PAGE 19- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 44 of 50 needs additional time to determine whether an original digital device or image contains any data falling within the list of items to be seized pursuant to this warrant, it may seek an extension of the time period from the Court within the original 120-day period from the date of execution of the warrant. The government shall complete the search of the digital device or image within 180 days of the date of execution of the warrant. If the government needs additional time to complete the search, it may seek an extension of the time period from the Court within the original 180-day period from the date of execution of the warrant. g) If, at the conclusion of the search, law enforcement personnel determine that particular files or file folders on an original digital device or image do not contain any data falling within the list of items to be seized pursuant to the warrant, they will not search or examine those files or folders further without authorization from the Court. Law enforcement personnel may continue to examine files or data falling within the list of items to be seized pursuant to the warrant, as well as data within the operating system, file system, or software application relating or pertaining to files or data falling within the list of items to be seized pursuant to the warrant (such as log files, registry data, and the like), through the conclusion of the case. h) If an original digital device does not contain any data falling within the list of items to be seized pursuant to this warrant, the government will return that original data device to its owner within a reasonable period of time following the search of that original data device and will seal any image of the device, absent further authorization from the Court. PAGE 20- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 45 of 50 Data to be Seized 44. In order to search for data that is capable of being read or interpreted by a computer, law enforcement personnel will need to seize, image, copy, and/or search the following items, subject to the procedures set forth herein: a) Any computer equipment or digital devices that are capable of being used to commit or further the crimes outlined above, or to create, access, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; b) Any computer equipment or digital devices used to facilitate the transmission, creation, display, encoding, or storage of data, including word processing equipment, modems, docking stations, monitors, printers, plotters, encryption devices, and optical scanners that are capable of being used to commit or further the crimes outlined above, or to create, access, process, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; c) Any magnetic, electronic, or optical storage device capable of storing data, such as floppy disks, hard disks, tapes, CD-ROMs, CD-Rs, CD-RWs, DVDs, optical disks, printer or memory buffers, smart cards, PC cards, memory calculators, electronic dialers, electronic notebooks, personal digital assistants, and cell phones capable of being used to commit or further the crimes outlined above, or to create, access, or store contraband or the types of evidence, fruits, or instrumentalities of such crimes, as set forth in Attachment B; d) Any documentation, operating logs, and reference manuals regarding the operation of the computer equipment, storage devices, or software; PAGE 21- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 46 of 50 e) Any applications, utility programs, compilers, interpreters, and other software used to facilitate direct or indirect communication with the computer hardware, storage devices, or data to be searched; f) Any physical keys, encryption devices, dongles, or similar physical items which are necessary to gain access to the computer equipment, storage devices, or data; g) Any passwords, password files, test keys, encryption codes, or other information necessary to access the computer equipment, storage devices, or data, and h) All records, documents, programs, applications, or materials created, modified, or stored in any form, including in digital form, on any computer or digital device, that show the actual user(s) of the computers or digital devices during any time period in which the device was used to upload, download, store, receive, possess, or view child pornography, including the web browser's history; temporary Internet files; cookies, bookmarked or favorite web pages; email addresses used from the computer; MAC IDs and/or Internet Protocol addresses used by the computer; email, instant messages, and other electronic communications; address books; contact lists; records of social networking and online service usage; and software that would allow others to control the digital device such as viruses, Trojan horses, and other forms of malicious software. 45. The government has made no prior efforts in other judicial fora to obtain the evidence sought in the warrant. Retention of Image 46. The government will retain a forensic image of each electronic storage device subjected to analysis for a number of reasons, including proving the authenticity of evidence to be used at trial; responding to questions regarding the corruption of data; establishing the chain PAGE 22- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 47 of 50 of custody of data; refuting claims of fabricating, tampering, or destroying data; and addressing potential exculpatory evidence claims where, for example, a defendant claims that the government avoided its obligations by destroying data or returning it to a third party. Inventory and Return 4 7. With respect to the seizure of electronic storage media or the seizure or imaging of electronically stored information, the search warrant return to the Court will describe the physical storage media that were seized or imaged. Request for Sealing 48. I respectfully request that the Court issue an order sealing this affidavit, the attached application, the requested search warrant, and the search warrant return, until further order of the Court. Those documents detail an ongoing criminal investigation involving many potential targets, not all of whom have been contacted yet by law enforcement authorities. Based on my training and experience, I know that persons who commit crimes online sometimes search the Internet for criminal affidavits and search warrants and disseminate them to others, including in online forums such as chat rooms. I believe that premature disclosure of the contents of this affidavit, the application, the search warrant, and the return may have a significant negative impact on the investigation and may severely jeopardize its effectiveness by alerting other potential targets to the investigation, giving them an opportunity to warn others, to flee, or to destroy evidence. 49. This Court has jurisdiction to issue the requested warrant because it is "a court with jurisdiction over the offense under investigation." 18 U.S.C. §§ 2703(a), 2703(b)(l)(A), and 2703 (c)(l)(A). Pursuant to 18 U.S. C. § 2703(g), the presence of a law enforcement officer is not required for the service or execution of this warrant. PAGE 23 -AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 48 of 50 Conclusion 50. Based on the foregoing, I have probable cause to believe, and I do believe, that LARRY ULVI committed mail fraud and wire fraud in violation of 18 U.S.C. § 1341 and 18 U.S.C. § 1343 that evidence of that/those offense(s), as more fully described in Attachments B-1 and B-2 hereto, are presently contained in his residence and his email account, which are more fully described above and in Attachments A-1 and A-2. I therefore request that the court issue a warrant authorizing a search of the residence and email account, described in Attachment A-I and A-2 for the items listed in Attachments B-1 and B-2, and the seizure and examination of any such items found. Because the warrant will be served on Yahoo! Inc. who will then compile the requested records at a time convenient to it, there exists reasonable cause to permit the execution of the requested warrant at any time in the day or night. 51. This affidavit, the accompanying application, and the requested search warrant were reviewed by Assistant United States Attorney Scott Asphaug who advised me that, in his opinion, probable cause exists to apply for a search warrant to search the residence, and email address, for evidence of the crimes of mail fraud and wire fraud and LARRY UL VI's involvement in such crimes. Travis Weli¢/ Special Agent Federal Bureau of Investigation Portland, Oregon Subscribed and sworn to before me this _ _ __:_£5 __._ day of,Febru~ 2015. <'i J/)1 Ho~o;~Ole John V. Acosta United States Magistrate Judge District of Oregon PAGE 24- AFFIDAVIT OF TRAVIS WELTER Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 49 of 50 ATTACHMENT A-1 (The Place to be Searched) The place to be search will be 424 NW 21st Avenue, Apartment #106, Portland, Oregon and the storage space associated with apartment #106. 424 NW 21st Avenue, Portland, Oregon is a three story multi-family residential apartment complex with a basement common area. The complex is known as The Roselyn and is made of red brick construction. The building is located on the East side of 21st Avenue and has a green awning over the primary entrance. Upon entering the building, Apartment # 106 is located on the 100 level and is the 3rd door on the South side of the hallway. Apartment #106's door has a brown plate on it which reads "1 06." The storage space associated with apartment #106 is located in the basement ofthe apartment complex. This community storage space consists of multiple racks and each rack is divided into sections which are labeled by apartment number. UL VI's storage space is on the bottom row of the rack located on the West wall within the storage area and is labeled "106." Case 3:15-mj-00038 Document 1 Filed 03/05/15 Page 50 of 50 ATTACHMENT A-2 Place To Be Searched This warrant applies to information associated with larrvulvi 1U:vahoo.com that is stored at premises owned, maintained, controlled, or operated by Yahoo! Inc., a company that accepts service of legal process at: Yahoo Custodian of Records Yahoo! Inc. 701 First Avenue Sunnyvale, CA 94089 LawEnforcement-Inquiries@yahoo-inc.com A preservation letter was sent to Yahoo! Inc. for larryulvi•({,vahoo.com on January 20, 2015 and was provided Internal Reference Number 267800.