IN THE UNITED STATES DISTRICT COURT FOR THE

EASTERN DISTRICT OF VIRGINIA

Alexandria Division

IN THE MATTER OF THE SEARCH OF

THE SAMSUNG GALAXY S9+ WIRELESS
Case No. 1: 19 - sw - 1343
TELEPHONE ASSIGNED TELEPHONE
NUMBER 610 - 348 -4313 AND IMSI
Filed Under Seal
310410189527000

AFFIDAVIT IN SUPPORTOF
AN APPLICATION FOR A SEARCH AND SEIZUREWARRANT

I Donny Kim, Special Agent of the Federal Bureau of Investigation (“FBI” ), being duly

sworn , depose and state that:

INTRODUCTION AND AGENT BACKGROUND

I am an investigative or law enforcementofficerofthe UnitedStates, within the

meaning of Section 2510 (7) of Title 18, United States Code, and am empowered by law to

conductinvestigationsof and to make arrests for offenses enumerated in Section 2516 of Title

18 United States Code

2. I a Special Agent with the Federal Bureau of Investigation (“ FBI” ) assigned to

the Washington Field Office, and have been since 2007. Duringthis time, I have received

training at the FBIAcademy located at Quantico , Virginia , specific to counterintelligence and

espionageinvestigations
. I currently am assigned to investigatecounterintelligenceand

espionage matters. From 1999 to 2007, I was a Special Agent with the U . S . Departmentof State,

Diplomatic Security Service andworked counterintelligence and espionagematters. Based on

myexperience and training, I am familiar with efforts used to unlawfully collect and disseminate

sensitive government information, includingnational defense information (“NDI” ).

 3 I make this affidavit in support of an application for a warrant to seize and search

a black Samsung Galaxy S9+ wireless telephone assigned telephone number 610- 348- 4313 and

IMSI310410189527000( DEVICE” ) and subscribed to by Henry Kyle FRESE, further

described in Attachment A , for the evidence described in Attachment B . As further described

below , this application specificallyseeksauthority to open and search either a device storage

lockbox on the Reston, Virginia, premises of the Defense Intelligence Agency (“ DIA ” ), located

at 12300 Sunrise Valley Drive, Reston, Virginia 20191, or a black NissanRoguewith Virginia

license plate 4790 -PT and VIN 5N1AT2MV9HC842483 , registered to Henry Kyle FRESE , in

order to seize the DEVICE.

4. As a result ofmypersonalparticipation in this investigation, and reportsmade to

mebyUnited States Intelligence Community Agency 1 ( “ U . S. Government Agency ) and the

DefenseIntelligence Agency ( ), I am familiar with all aspects of this investigation. On the

basis of this familiarity , and on the basis of other information that I have reviewed and

determined to be reliable, I believe thatthe facts in this affidavit show that there is probable

cause to believe that FRESEhas committed, is committing

, and willcontinue to commit

violationsof 18 U . S . C . 793( d ) , willfultransmission of nationaldefense information. This

affidavit is intended to show merely that there is sufficient probable cause for the requested

warrantand doesnot set forth allofmyknowledgeabout thismatter.

5. These acts occurredwithin the Eastern Districtof Virginia. There is probable

cause to seize and search the black Samsung Galaxy S9+ wireless telephone assigned telephone

number610- 348-4313 and IMSI310410189527000for evidence of the crimes further described

in Attachment B .
 STATUTORY AUTHORITY AND DEFINITIONS

6. Forthe reasonsset forth below , I believethat there is probable cause to believe

that FRESE committed violations of Title 18 United States Code, Section 793 (d ) and ( ), willful

transmission of nationaldefense information ( the“ SubjectOffenses” ) .

7. Under 18 U . S . C . 793 (d ), [ w ] hoever , lawfully having possession of, access to ,

or control over any document . . . information relating to the national defense which

information the possessorhas reason to believecould be used to the injury of the UnitedStates

or to the advantage of any foreign nation, willfully communicates, delivers, transmits or causes

to be communicated , delivered , or transmitted ” or attempts to do or causes the same “ to any

person not entitled to receive it, or willfully retains the same and fails to deliver it on demand to

the officer or employee of the United States entitled to receive it shallbe fined or imprisoned

notmore than ten years, or both.

8. Under 18 U . S . C . 793( e ) “ [ w ]hoever, having unauthorized possession of, access

to , or control over any document information relating to the national defense which

information the possessorhas reason to believe could be used to the injury of the United States

or to the advantage of any foreign nation , willfully communicates , delivers , transmits or causes

to be communicated , delivered , or transmitted or attempts to do or causes the same any

person not entitled to receive it , or willfully retainsthe sameand fails to deliver it on demandto
the officer or employee of the United States entitled to receive it shall be fined or imprisoned

notmore than ten years, or both.

9. Under Executive Order 13526 , information in any form may be classified if it: ( 1)

is owned by, produced by or for, or is under the controlof the United States Government; ( )

falls within one ormore of the categories set forth in the Executive Order Top Secret, Secret,

and Confidential]; and (3) is classified by an original classification authority who determines that
its unauthorized disclosure reasonably could be expected to result in damage to the national
security .

10. Where such unauthorized disclosure could reasonably result in damage to the

nationalsecurity , the informationmaybe classified as “ Confidential” and must be properly

safeguarded. Where such unauthorized disclosure could reasonably resultin serious damage to

the national security, the information may be classified as “ Secret” andmustbe properly

safeguarded. Where such unauthorized disclosure could reasonably result in exceptionally grave

damageto thenational security , the information may be classified as “ Top Secret” and must be

properly safeguarded .

11. Classified information of any designationmay be shared only with persons

determined by an appropriate United StatesGovernmentofficial beeligible for access, and

who possess a need to know . ” Amongother requirements, in order for a person to obtain a

security clearance allowing that person access to classified United States Government

information, that person is required to and must agreeto properly protectclassified information

by notdisclosing such information to persons not entitled to receive it, by not unlawfully

removing classified information from authorized storage facilities , and by not storing classified
information in unauthorized locations. If a person is noteligible to receive classified

information , classified informationmay notbe disclosed to that person. In order for a foreign

government to receive access to classified information , the originating United States agency

must determine that such release is appropriate.

12. Pursuantto ExecutiveOrder 13526, classified informationcontainedon

automated information systems, includingnetworks and telecommunications systems, that

collect, create, communicate, compute, disseminate, process, or store classified informationmust

bemaintained in a manner that: (1) prevents access by unauthorized persons; and ( 2 ) ensures the

integrity of the information .

13. 32 C . F . R . Parts 2001 and 2003 regulate the handling of classified information.

Specifically, 32 C . F. R . 2001
. 43, titled “ Storage, regulates the physicalprotection of classified

information . This section prescribes that Secret and Top Secret information “ shall be stored in a

GSA - approvedsecurity container, a vault built to FederalStandard ( FHD STD ) 832, or an open

storage area constructed in accordance with 2001. 53 .” It also requires periodic inspection of

the container and the use of an Intrusion Detection System , among other things.

PROBABLE CAUSE

14. HenryKyle FRESE (“ FRESE” ) isunder investigationfor improperly removing

and transmitting classified U . S . government national defense materials to a journalist ( Journalist

1 ) employed by a certain news outlet (“ News Outlet 1 ) , and to a second journalist (“ Journalist

2 employed by a second news outlet ( NewsOutlet 2” ) , from on or about April 2018 through

the present FRESE is a DIA employee assigned to a workspace in Reston , Virginia , in the

Eastern District of Virginia . Hehas been employed at DIA since in or about February 2018 as a
counterterrorism analyst. Prior to that, from in or about January 2017 until in or about February

2018 FRESEwas a contractemployeewith a cleared intelligence contractorworkingin a DIA

workspace in the Eastern District of Virginia. Throughout this time, FRESE has held a Top

Secret/ / Sensitive Compartmented Information (“ TS //SCI” ) security clearance.

15. FRESEworks inside a Sensitive CompartmentInformation Facility ( SCIF ) atthe

DIA workspace in Reston, Virginia , in the Eastern District of Virginia. Employees are not

allowed to bring their cellular telephones into the SCIF. Generally , employees either store their

cellular telephones inside DIA - provided lockboxesoutside of the SCIF spaces, or simply leave

their cellular telephones in their vehicle in the facility parkinglot. Based on ongoinglaw

enforcement surveillance of FRESE I know that FRESE generally commutes to work at the DIA

facility in his black Nissan Roguewith Virginia license plate 4790 -PT and VIN

5N1AT2MV9HC842483 . Also based on this surveillance , I believe that FRESE routinely stores

the DEVICE inside his vehicle in the DIA facility parking lot while he is at work , when he does

not use the DIA -provided lockboxes .

16 . U . S . government agencies have confirmed that between at least early May 2018

and mid - July 2018 News Outlet 1 published eight articles that contain classified national

defense information that relates to the capabilities of certain foreign countries weapons systems.

Journalist 1 is the author of allof these articles . These articles contained classified intelligence

from five intelligence reports (the “ compromised intelligence reports” ) dated on or about early

March 2018 through mid - June 2018. The eight articles published by News Outlet 1, and the

intelligence reportingfrom which they are derived , both contain information that is classified up

to the TS // SCIlevel, indicating that its unauthorized disclosure could reasonably be expected to
result in exceptionally grave damage to the national security. The compromised intelligence

reports aremarked as such.

17 . U .S . Governmentinformation technology system audit logs analyzed by FBI

show that only 26 individuals, one of whom is FRESE, accessed all five of the compromised

intelligence reports

18. In his most current background security form (the “ SF-86 ) in December 2017 , on

file at the U . S . GovernmentOrganization, FRESE listed hismobile phonenumberas“ 610 -

4313” ( thetelephonenumberassociated with theDEVICE) Records checksfor FRESE also

show the DEVICEas a telephonenumber associatedwith FRESE. Public recordschecks for

Journalist 1 show a certain telephone number (“ TELEPHONE 2 a telephone number

associated with Journalist 1.

19. The FBIconductedpublic record and open sourcechecks on the individuals to

determine the genesis of contactbetween FRESE and the News Outlet Open source records

checks showed thatFRESEhas a public Twitteraccount. Journalist 1 also maintainsa public

Twitter accountthatFRESE “ follows,” meaningthat FRESE s Twitter account subscribesto

Journalist s Tweets and account updates . Journalist l Twitter account also follows FRESE s

Twitter account. Public records checks also show that FRESE and Journalist 1had the same

residential address from August 2017 through August 2018 . Based on reviews of FRESE s and

Journalist l s public social media pages, itappears that they were involved in a romantic

relationship for some or all of that period of time.

Twitter user can “ follow other Twitter users, which means subscribing to those users and site updates.
Each user profile page includes a list ofthe people who are following that user ( i.e., the user' s“ followers” list) and a
list of people whom that user follows (i .e., the user' s “ following .
 20 . On August 26 , 2019 the Honorable Leonie M . Brinkema, United States District

Judge for the Eastern Districtof Virginia, authorized an Order for the interceptionof wire and

electronic communicationsto and from theDEVICE pursuantto Section 2518 of Title 18,

United States Code (the “ Title IIImonitoring” ) . The Title IIImonitoring of the DEVICE showed

that FRESE accessed Twitter on the DEVICE. Twitter records also show periodic logins to

FRESE s Twitter account from an Internet Protocol ( IP ) address that resolves back to an IP

address range registered to AT & T Mobility LLC, the samecellular phone carrier as the

DEVICE

21
. AT& T records associatedwith the DEVICE show 508 total calls and 37 text

messagesbetweenthe DEVICE and Journalist 1 from March 1, 2018 through October 7 , 2019.

AT & T records associated with the DEVICE show 22 calls and 150 textmessages between the

DEVICE and Journalist 2 from May 1 2018 through October 7, 2019. On August 4 , 2019 ,

subsequent to receiving a June preservation request from the FBI, AT & T provided returns for a

search warranton the DEVICE, butthere was no textmessagecontentprovided. I havespoken

with a representative of AT & T who has confirmed that AT & T does not have in its possession

any textmessages to or from the DEVICE. I believethat seizing the phonewill likely allow the

FBIto see the historicaltext exchanges between FRESE and Journalist 1 and Journalist 2 that

predate the Title III monitoring that began August 26 , 2019 .

22 TELEPHONE 3 is the registered phone number for Journalist 2 s known social

media accounts, includingher Twitter account, in which she self identifies as a correspondent

covering national security for News Outlet 2. Public records checks also show Journalist 2 as

the user of TELEPHONE 3 .

 23 Journalist 2 worksfor NewsOutlet 2. NewsOutlet 1 and News Outlet2 are

owned bythe same parent company and are part of the same group of publicly affiliated news

outlets . Journalist 1 and Journalist 2 report on the same topics and were assigned to cover the

same location from mid- 2018 into 2019. Journalist 2 is amore senior journalist , who has been

assignedto that location for over a decade. In early July 2019 Journalist 1 and Journalist2 co

authored an article related to topics similar to Journalist l s article containing classified NDI
. On

Journalist s personalTwitterpage, Journalist1 Tweeted a link to the early July 2019 article,

noting it was the first co -authored piece of the pair. On Journalist 2 s personal Twitterpage,

Journalist 2 Tweeted a link to the article and stated Journalist 1was a “ colleague” who helped

co -author the newsarticle. Journalist 1 subsequently retweeted Journalist 2 ' s Tweet.

24 . Computer network logs from DIA show FRESE ran searches using terms related

to the sametopics discussed in the compromised intelligence reports. These topics fall outside

the scope of FRESE s duties for his position as a counterterrorism analyst with the DIA.

25. In the spring of 2018, Journalist 1 called the DEVICE . Approximately 34

minutes later, Journalist 1 called the DEVICE for a call that lasted approximately six minutes.

The next day, FRESE used search terms related to the topics contained in the five compromised

intelligence reports, which contained information classified up to the TS/ / SCI level. The search

termswere notrelated to topics FRESEwould search as part of FRESE job responsibilities

.

Approximately 29 minutes after conducting the search , FRESE accessed Intelligence Report 1,

oneofthe five compromised intelligencereports. Three days later, FRESE again accessed

Intelligence Report 1.

26 Search warrant returns from Twitter show that, seven days after FRESE accessed

IntelligenceReport 1 for the second time, Journalist 1 wrote a TwitterDirectMessage( )

to FRESE in which she asked whether FRESE would be willing to speak with Journalist 2.

FRESE stated that he was “ down to help Journalist 2 if ithelped Journalist 1 becausehe

wanted to see Journalist 1 “ progress .” During the same Twitter exchange, Journalist 1 also

indicated that certain officials within the United States government were calling into question

information related to the topic of IntelligenceReport1. FRESE characterizedthe denialas

" ” and commented that a separate U . S. Intelligence Agency , U . S .GovernmentAgency 2 ,

had supplied certain informationcontainedwithin IntelligenceReport1.

27. The same day followingthe Twitter conversation discussed above, at 7: 42 p. m . ,

Journalist 1 placed a call to the DEVICE that lasted approximately eightminutes. At 1:31 a. m .

the following day, Journalist 1 placed a call to the DEVICE that lasted approximately 15

minutes.

28. Several days later, Journalist 2 sent the DEVICE a text message . Approximately

six hours later, Journalist 2 sent the DEVICE another textmessage. Within the next45

minutes, FRESEand Journalist 2 exchanged five additionaltextmessageswith each other.

Then , at approximately 3: 38 p.m ., the DEVICE called Journalist 1.

29. The morning of thenextday, FRESEagain used search termsrelated to the topics

contained in Intelligence Report 1, which contained information classified up to the TS/ /SCI

level. The search termswere not related to topics FRESE would search as part of FRESE s

responsibilities . At approximately 12: 15 p. m ., the DEVICE called Journalist 1. The call lasted

approximately seven minutes. At approximately 3:24 p .m ., the DEVICE called Journalist 2 .

That call lasted approximately 36 minutes. Atapproximately 4 : 01 p. m . , Journalist 1 then called

the DEVICE. That call lasted approximately oneminute. Approximately 30 minutes later,

NewsOutlet 1 publishedan onlinearticle ( “ Article 1 ) , authoredby Journalist1, which

10
contained classified national defense information from Intelligence Report 1. Journalist 1 then

Tweeted a link to Article 1. The nextday FRESE re- Tweeted Journalist of Article

1. U . S . governmentagencieshaveconfirmed that Article 1 containsclassifiedNDI

. I believe

that FRESE passed Journalist 1 the classified NDIfrom Intelligence Report 1 that appeared in

Article 1.

30 . AT & T records show that, on at least eight separate occasions in mid 2018 , the

DEVICEcommunicatedwith either Journalist1 or Journalist2 , or both , on the same day as

Journalist l s publication of an article containing classified NDIfrom the compromised

intelligence reports.

On September 24 , 2019 , FRESE viewed two additional intelligence reports,

Intelligence Report 2 and Intelligence Report 3 . Both Intelligence Report 2 and Intelligence

Report 3 were published in mid -September 2019 andboth contained NDIclassified up to the

SECRET//SCIlevel. IntelligenceReport2 and IntelligenceReport3 both relate to the same

subjectmatter. On September 24 , 2019, at 7: 11p .m . , FRESE sent a textmessage to Journalist 2

asking Journalist 2 to call him . Less than a minute later, Journalist 2 called FRESE , and they

spoke for approximately fiveminutes . According to AT& T geolocation data , FRESE was within

the Eastern Districtof Virginia when he sent the textmessage and spokewith Journalist2 from

the DEVICE

32 Journalist 2 asked FRESE what was goingon at work ?” FRESE responded ,

, well it' s nothing to do with , like what I cover, per usual but um , it s so it' s about, still like

[ topic of Intelligence Reports 2 and 3] . . And I don ' t know if anyone s really commented on

this but I saw a report, it' s a few days old at this point, um , that basically the [ foreign country]
are [ topic of IntelligenceReport2 and 3 .” U . S . governmentagencieshaveconfirmed thatthe

content FRESE provided Journalist 2 in the September24 , 2019 call contains classified

information . I believe that FRESE used the DEVICE to provide classified NDIto Journalist 2.

33 . Journalist 2 asked FRESE for information that was “ probably outside your lane

as well, but if you ever hear anything about this whole like, topic concerning the U. S. and a

foreign government] then we d definitely be interested in that as well.” FRESE responded ,

“ Yeah, of course.

TECHNICAL TERMS

34 . Based on my training and experience, I use the following technical terms to

convey the followingmeanings:

a . Wireless telephone: A wireless telephone (or mobile telephone, or cellular

telephone) is a handheld wirelessdevice used for voice and data communication

through radio signals. These telephones send signals through networksof

transmitter/ receivers, enablingcommunicationwith other wireless telephonesor

traditional“ land line” telephones. A wireless telephone usually contains a “ call

log, ” which records the telephone number, date, and time of calls made to and

from the phone. In addition to enabling voice communications, wireless

telephonesoffera broad range of capabilities. These capabilitiesinclude: storing

names and phone numbers in electronic “ address books; sending, receiving, and

storing textmessagesand e-mail; taking, sending, receiving, and storing still

photographs and moving video storing and playingback audio files; storing
 dates , appointments , and other information on personal calendars ; and accessing

and downloadinginformation from the Internet. Wireless telephonesmay also

includeglobalpositioningsystem (“ GPS” ) technology for determiningthe

location of the device .

b. Digitalcamera: A digitalcamera is a camerathat recordspicturesas digital

picture files, rather than by usingphotographic film . Digitalcameras use a

variety of fixed and removable storagemedia to store their recorded images.

Imagescan usually be retrievedby connectingthe camera to a computeror by

connecting the removable storage medium to a separate reader. Removable

storage media include various types of memory cards or miniature hard

drives . Most digital cameras also include a screen for viewing the stored images.

This storagemedia can contain any digitaldata, includingdata unrelated to

photographs or videos.

Portablemedia player portablemedia player (or“ MP3 Player” or iPod) is a

handheld digitalstorage device designed primarilyto store and play audio , video,

or photographic files. However , a portable media player can also store other

digital data . Some portable media players can use removable storagemedia.

Removablestoragemedia includevarious types of flash memory cards or

miniature hard drives. This removable storage media can also store any digital

data. Depending on the model, a portable media player may have the ability to

store very large amounts of electronic data and may offer additionalfeatures such

as a calendar, contact list, clock , or games.

13
d . GPS : A GPS navigation device uses the Global Positioning System to display its

current location . It often contains records the locations where it has been . Some

GPS navigation devices can give a user driving orwalking directions to another

location. These devices can contain records ofthe addresses or locationsinvolved

in such navigation. The GlobalPositioningSystem (generally abbreviated

“ GPS” ) consists of 24 NAVSTAR satellites orbiting the Earth . Each satellite

contains an extremely accurate clock . Each satellite repeatedly transmits by radio

a mathematical representation of the current time, combined with a special

sequence of numbers. These signals are sent by radio, using specifications that

are publicly available. A GPS antenna on Earth can receive those signals. When

a GPS antenna receives signals from atleast four satellites, a computer connected

to that antenna can mathematically calculate the antenna s latitude, longitude, and

sometimes altitudewith a high levelof precision.

e. PDA : A personal digital assistant, or PDA, is a handheld electronic device used

for storing data ( such as names, addresses, appointments or notes) and utilizing

computer programs. SomePDAsalso function as wireless communication

devices and are used to access the Internet and send and receive e -mail.

usually include a memory card or other removable storagemedia for storingdata

and a keyboard and/ or touch screen for entering data . Removable storagemedia

include various types of flash memory cards or miniature hard drives . This

removable storagemedia can store any digital data . Most PDAs run computer

software , giving them many of the same capabilities as personal computers . For

example, PDA users can work with word -processing documents, spreadsheets,
14
 and presentations. PDAsmay also include global positioning system (“GPS” )

technology for determining the location of the device.

f. Address: An Internet Protocoladdress (or simply “ IP address” ) is a unique

numeric address used bycomputers on the Internet. An IP address is a series of

four numbers, each in the range -255, separated by periods ( e. g. , 121

.56. 97 . 178) .

Every computer attached to the Internet computer must be assigned an IP address

so thatInternettraffic sent from and directed to that computermay be directed

properly from its source to its destination . Most Internet service providers control

a range of IP addresses. Some computers havestatic — that is, long-term IP

addresses, while other computers have dynamic — that is, frequently changed — IP

addresses

g. Internet: The Internet is a globalnetwork of computers and other electronic

devices that communicatewith each other. Due to the structure of the Internet,

connectionsbetween deviceson the Internetoften cross state and international

borders, even when the devices communicating with each other are in the same

state .

35 . Based on my training , experience , and research , and from consulting the

manufacturer' s advertisements and producttechnical specifications, I know that the Device has

capabilities that allow it to serve as a wireless telephone, digital camera, portablemedia player,

GPS navigation device , and PDA. In mytraining and experience, examining data stored on

devices of this type can uncover, among otherthings, evidence that reveals or suggests who

possessedor used the device.

15
 ELECTRONIC STORAGE AND FORENSIC ANALYSIS

. Based on myknowledge, training, and experience, I know that electronic devices

can store information for long periods of time. Similarly, things that have been viewed via the

Internet are typically stored for someperiod of time on the device. This information can

sometimes be recovered with forensics tools.

Forensic evidence. As further described in Attachment B , this application seeks

permission to locate not only electronically stored information that mightserve as direct

evidence of the crimes described on the warrant , but also forensic evidence that establishes how

the Devicewas used, the purpose of its use, who used it, and when. There is probable cause to

believe that this forensic electronic evidence mightbe on the Device because:

a. Data on the storage medium can provide evidence of a file that was once on the

storage medium buthas since been deleted or edited, or of a deleted portion of a

file (such as a paragraph that has been deleted from a word processing file .

b. Forensic evidence on a device can also indicate who has used or controlled the

device. This “ user attribution” evidence is analogousto the search for indicia of

occupancy ” while executing a search warrant at a residence.

. A person with appropriate familiarity with how an electronic device worksmay,

after examiningthis forensic evidencein itsproper context

, be able to draw

conclusionsabouthow electronic deviceswere used, the purposeof their use, who

used them , and when .

16
 d. The process of identifying the exact electronically stored information on a storage

medium that is necessaryto draw an accurate conclusion is a dynamic process.

Electronic evidence is not always data thatcan bemerely reviewed by a review

team and passed along to investigators. Whether data stored on a computer is

evidencemay depend on other information stored on the computer and the

application ofknowledge abouthow a computer behaves. Therefore, contextual

informationnecessary to understand other evidencealso falls within the scopeof

the warrant.

e. Further, in findingevidence of how a devicewas used, the purposeof its use, who

used it, and when , sometimes it is necessary to establish that a particular thing is

notpresenton a storagemedium .

38 . Nature of examination. Based on the foregoing, and consistentwith Rule

41( ) ) ( B ) , thewarrantI am applying for would permitthe examination of thedevice consistent

with the warrant. The examinationmay requireauthoritiesto employ techniques, includingbut

notlimited to computer-assisted scans of the entiremedium , that mightexposemany parts of the

device to human inspection in order to determine whether it is evidence described by the warrant.

MANNER OF EXECUTION

39. This warrant seeks authorization to open and search either a device storage

lockbox on the Reston, Virginia premises of the Defense Intelligence Agency (“ DIA ” ) , located at

12300 Sunrise Valley Drive, Reston, Virginia 20191, or a black Nissan Rogue with Virginia

17
license plate 4790 -PT and VIN 5N1AT2MV9HC842483, registered to Henry Kyle FRESE, in

order to seize the DEVICE and conductthe search described above.

18
 CONCLUSION

39. I submitthat thisaffidavitsupports probable cause for a search warrant

authorizing the examination of the Device described in Attachment A to seek the itemsdescribed

in Attachment B .

Respectfully submitted ,

Donny Kim
Special Agent
FederalBureau of Investigation

Subscribed and sworn to beforemeon 201

Honorable Michael S. Nachmanoff

UNITED STATES MAGISTRATE JUDGE

19
 ATTACHMENT A

Property to Be Searched

The DEVICE to be seized and searched is a black SamsungGalaxy S9 + wireless

telephone assigned telephone number 610 -348 -4313 and IMSI 310410189527000 , with listed

subscriber Henry Kyle FRESE.

To the extentnecessary to seize theDEVICE, this warrant also authorizesthe search of

either

a device storage lockbox on the Reston, Virginia , premises of the Defense

Intelligence Agency (“ DIA located at 12300 Sunrise Valley Drive, Reston, Virginia 20191; or

b A black Nissan Rogue with Virginia license plate 4790 -PT, with VIN

5N1AT2MV9HC842483, registered to Henry Kyle FRESE.

 This warrant authorizes the forensic examination of the DEVICE for the purpose of

identifyingthe electronically stored informationdescribed in AttachmentB .

 ATTACHMENT B

Particular Things to be Seized

1. Allrecordson the Devicedescribed in Attachment A that relate to violations of Title 18

United States Code Section 793 and involve Henry Kyle FRESE since January 1,

2017, including:

a. Classified material

Any U . S . Governmentmaterial

foreign government material

Contacts, by any means, with foreign governments, foreign powers, or

agents of foreign powers ;

e Contact, by anymeans, with media outlets ;

f. Information , including communications in any form , regarding the

retrieval, storage, ortransmission of sensitive or classifiedmaterial;

Information regarding tradecraft, how to obtain or deliver sensitive

information, and/ or how to avoid or evade detection by intelligence officials or law

enforcement authorities.

2. Evidence of user attribution showingwho used orowned the Device at the time the

things describedin this warrantwere created , edited, or deleted, such as logs,

phonebooks, saved usernames and passwords, documents, and browsing history;

As used above, the terms “ records” and “ information ” include allof the foregoing items

of evidence in whatever form and by whatevermeans theymay have been created or stored,
including any form of computer or electronic storage (such as flash memory or other media that

can store data) and any photographic form .

This warrant authorizes a review of electronic storage media and electronically stored

information seized or copied pursuantto this warrant in order to locate evidence, fruits, and

instrumentalities described in this warrant. The review of this electronic data may be conducted

by any government personnel assisting in the investigation, who may include, in addition to law

enforcement officers and agents, attorneys for the government, attorney support staff, and

technical experts . Pursuant to this warrant , the FBImay deliver a complete copy of the seized or

copied electronic data to the custody and control of attorneys for the government and their

support staff for their independent review .