United States District Court: Evidence

Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 1 of 39
AO 106 (Rev. 04110) Application for a Search Warrant
'
UNITED STATES DISTRICT COURT

for the
District of Oregon
In the Matter of the Search of
(Briefly describe the property to be searched
or identify the person by name and address)
18 electronic devices, currently in law enforcement

possession, as further described in Attached A hereto
)
)
)
)
;16 -MC-217 ~
Case No.
)
)
APPLICATION FOR A SEARCH WARRANT

I, a federal law enforcement officer or an attorney for the government, request a search warrant and state under
penalty of perjury that I have reason to believe that on the following person or property (identify the person or describe the
property to be searched and give its location):
18 electronic devices, currently in law enforcement possession, as described in Attachment A hereto,

located in the
District of
Oregon
~~~~~~~~~~~
, there is now concealed (identify the
person or describe the property to be seized):
The information and items set forth in Attachment B hereto.
The basis for the search under Fed. R. Crim. P. 4l(c) is (check one ar more):
~evidence of a crime;
Mcontraband, fruits of crime, or other items illegally possessed;

g property designed for use, intended for use, or used in committing a crime;
D a person to be arrested or a person who is unlawfully restrained.
The search is related to a violation of:
Code Section
18 u.s.c. 372, 930(b),
924(c), 642, and 1361
Offense Description
Conspiracy to Impede Officers of the United States: Firearms offenses; Theft of
Government Property; and Depredation of Government Property
The application is based on these facts:

See affidavit which is attached hereto and incorporated herein by this reference.
City and state: Portland, Oregon
Paul Papak, United States Magistrate Judge

Printed name and title
~J{U!]T ..f
Dissemination Limited by Court Order
MNWR 0036235
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 2 of 39
DISTRICT OF OREGON, ss:
AFFIDAVIT OF KEVIN STRAUSS
Affidavit in Support of an Application Under Rule 41

for a Warrant to Search and Seize Evidence Including Digital Evidence
I, Kevin Strauss, being duly sworn, do hereby depose and state as follows:
Introduction and Agent Background

1.
I am a Special Agent with the Federal Bureau of Investigation (FBI), currently
assigned to the Portland Division, and have been employed by the FBI since June 2004. As a
Special Agent of the FBI, my duties and responsibilities have included conducting criminal and
national security investigations for possible violations of federal law. I received basic and
advanced law enforcement training at the FBI Academy in Quantico, Virginia. During that time,
I was taught the use and practical application of various investigative techniques that Federal law
enforcement officers are allowed to employ. In addition to my formalized training at the FBI
Academy, I have also acquired knowledge and information pertaining to violations of federal law
from numerous other sources, including formal and informal training, other law enforcement
officers and investigators, informants, and my participation in other investigations.
2.
I submit this affidavit in support of an application under Rule 41 of the Federal
Rules of Criminal Procedure for a search warrant authorizing the search and examination of
certain lawfully seized electronic devices (herein Devices) securely stored, in law enforcement
possession as further described in Attachment A hereto, and the extraction of electronically stored
information from the Devices, as described in Attachment B hereto. As set forth below, I have
probable cause to believe and do believe that the items set forth in Attachment B constitute
evidence and instrumentalities of a Conspiracy to Impede Officers of the United States, in
violation of Title 18, United States Code, Section 372; Possession of Firearms and Dangerous
MNWR 0036236
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 3 of 39
Weapons in Federal Facilities, in violation of Title 18, United States Code, Sections 930(b) and 2;
Use and Carry of a Firearm in Relation to a Crime of Violence, in violation of Title 18, United
States Code, Sections 924(c) and 2; Theft of Government Property, in violation of Title 18, United
States Code, Section 641; and Depredation of Government Property, in violation of Title 18,
United States Code, Section 1361.
3.
This affidavit is intended to show only that there is sufficient probable cause for the
requested warrant and does not set forth all of my knowledge about this matter. The facts set forth
in this affidavit are based on my own personal knowledge, knowledge obtained from other
individuals during my participation in this investigation, including other law enforcement officers,
interviews of witnesses, a review of records related to this investigation, communications with
others who have knowledge of the events and circumstances described herein, and mformation
gained through my training and experience.
Statement of Probable Cause

4.
Starting on or about November 5, 2015, and continuing through February 11, 2016,
several individuals, including Ainmon BUNDY (hereinafter A. BUNDY), Jon RITZHEIMER

Joseph O'SHAUGHNESSY, Ryan PAYNE, Ryan BUNDY (hereinafter R. BUNDY), Brian
CAVALIER, Shawna COX (hereinafter S. COX), Peter SANTILLI, Robert Lavoy Fini cum, Jason
PATRICK, Duane Leo EHMER, Dylan ANDERSON (hereinafter D. ANDERSON), Sean
ANDERSON, David Lee FRY, Jeff Wayne BANTA, Sandra Lynn ANDERSON, Kenneth
:tvffiDENBACH, Blaine COOPER Wesley KJAR, Corey LEQUIEU, Neil WAMPLER, Jason
Charles BLOMGREN, Darryl William THORN, Geoffrey STANEK, Travis COX, Eric Lee
FLORES, J.ake RYAN, and others did conspire to impede by force, intimidation, or threat, officers
Page 2 - Affidavit of Kevin Strauss
USAO Version Rev. October 2015
MNWR 0036237
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 4 of 39
of the United States from discharging their duties in the Malheur National Wildlife Refuge
(MNWR) in Hamey County, Oregon, in violation of Title 18, United States Code, Section 372.
They occupied the MNWR using firearms. Several occupiers stole and damaged government
property. On March 8, 2016, the above named individuals, with the exception ofFinicum who is
deceased, were indicted by a Grand Jury in the District of Oregon and charged with Conspiracy to
Impede Officers of the United States, in violation of Title 18, United States Code, Section 372.
Some defendants were also charged with Possession of Firearms and Dangerous Weapons in
Federal Facilities, in violation of Title 18, United States Code, Sections 930(b) and 2; Use and
Carry of a Firearm in Relation to a Crime of Violence, in violation of Title 18, United States Code,
Sections 924(c) and 2; Theft of Government Property, in violation of Title 18, United States Code,
Section 641; and Depredation of Government Property, in violation of Title 18, United States
Code, Section 1361.
5.
This affidavit is based on an investigation by the FBI into the activities of the
aforementioned individuals and others in connection with an armed occupation of the MNWR, a
unit of the National Wildlife Refuge System managed by the United States Fish and Wildlife
Service (USFWS). The MNWR is federal property.
January 2016 -Takeover of Malheur National Wildlife Refuge
6.
According to open-source reporting that I have reviewed and conversations I have
had with other law enforcement officers, on January 2, 2016, several hundred individuals
participated in a protest in Burns, Oregon, related to the resentencing of Steven and Dwight
Hammond. Following the protest, A. BUNDY, RITZHEIMER, PAYNE, R. BUNDY,
CAVALIER, Finicum, and PATRICK, among others, entered the MNWR, blocked the entrance to
MNWR 0036238
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 5 of 39
the Refuge, and began their armed occupation of several buildings within the MNWR. The
MNWR and all buildings located thereon are federal property and facilities. The MNWR is
located in Hamey County, District of Oregon. A news article posted on an Internet website on
January 3, 2016, at 7:19 a.m. and updated January4, 2016, at 12:53 p.m. included a photo with the
caption "The militiamen have blocked the entrance to the headquarters of the Malheur National
Wildlife Refuge with vehicles" and is shown below. This photograph has been verified by a
Federal Wildlife Officer with the U.S . Fish and Wildlife Service and confirmed to depict the
entrance to the MNWR. The Federal Wildlife Officer identified the vehicle as an MNWR vehicle
blocking the main road.
7.
In a local news report dated January 5, 2016, located online, Finicum spoke to
reporters at the MNWR. Finicum was interviewed on video outside the Refuge wrapped in a tarp
and blanket. He stated, "There are things more important than your life and freedom is one of
them. I'm prepared to defend freedom." Finicum was reported as holding a rifle and backpack
and was staying at the entrance to the Refuge overnight. A. BUNDY, identified as a group leader,
said the group would take a defensive position as they were anticipating a possible raid. In a later
Page 4-Affidavit of Kevin Strauss
MNWR 0036239
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 6 of 39
video posted on January 6, 2016, the speaker states, "There was intel that the uh, um, camp was
going to be raided." He then shows the heavy equipment which was placed to barricade the road
and stop the "feds." He states the equipment was brought up for them to "defend themselves."
A photo accompanying the local news article and captioned, "Activists have used heavy
equipment to block to the road to the Malheur wildlife refuge buildings" is shown below. A
Federal Wildlife Officer with the U.S. Fish and Wildlife Service identified the equipment in the
photograph as an MNWR loader and grader blocking the main entrance.
8.
The MNWR is staffed by employees of the USFWS. As a result of the armed
occupation of the MNWR by the known conspirators and others, which began on or about
January 2, 2016, and continued through February 11, 2016, employees of the USFWS who work at
the MNWR were prevented from reporting to work because of threats of violence posed by the .
defendants and others occupying the property. Sixteen (16) federal employeeswork at the
MNWR, iricluding one federal law enforcement officer and a volunteer coordinator who lived on
the Refuge and works in the visitor's center.
MNWR 0036240
Case 3:16-cr-00051-BR
9.
Document 1240-1
Filed 09/12/16
Page 7 of 39
According to a Special Agent with the Bureau of Land Management (BLM), on
January 2, 2016, the BLM learned, by watching a live online video stream, that numerous
individuals to include A. BUNDY and PAYNE left a rally in support of the Hammonds in Burns,
Oregon, and travelled to the MNWR to take it over. BLM was notified later that day by a Harney
County Sheriff's Officer that a source informed him that the group controlled the MNWR and had
explosives, night vision goggles, and weapons and that if they didn't get the fight they wanted out
there they would bring the fight to town.
10.
Due to the presence of armed individuals occupying the Refuge and also learning
that some of their associates were still in the Burns area, the BLM made the decision to close the
Burns District Office, located at 28910 Highway 20 West, Hines, Oregon, 97738, as of January 4,
2016. This BLM action was taken out of concern for the safety of the approximately 80
employees who work there. The BLM office reopened to the public on February' 9, 2016, with
extra security precautions including an armed security contractor to man the front desk and two
extra armed, plain clothes, BLM Rangers. As of the date of this affidavit, all occupiers of the
MNWR have left the Refuge.
Pen Register Data

11.
On January 7, 2016, the Honorable John V. Acosta authorized a pen register/trap
and trace order for cellular telephone number (602) 768-2989, subscribed to Valet Fleet Service, a
business controlled by A. BUNDY, and for cellular telephone number (406) 560-2504, subscribed
to PAYNE. On January 15, 2016, the Honorable John V. Acosta authorized a pen register/trap
and trace order for cellular telephone number (619) 504-3119, used by John RITZHEIMER.
Between January 7, 2016, and January 26, 2016, there were multiple calls and/or SMS/text
MNWR 0036241
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 8 of 39
messages between A. BUNDY and numbers associated with co-conspirators PAYNE,

O'SHAUGHNESSY, CAVALIER, S. COX, and PATRICK. From January 7, 2016, until
approximately January 26, 2016, PAYNE' s cellular phone number had approximately 282 ingoing
or outgoing calls and approximately 24 SMS/text messages. S. COX was the subscriber for
cellular telephone number (435) 899-0300. Through the pen register/trap and trace data, I know
that (435) 899-0300 was in contact with PA YNE's cellular phone number, (406) 560-2504, a total
of 23 times from January 8, 2016, until Jmuary 26, 2016. S. COX' s cellular number was in
contact with A. BUNDY's cellular phone number, (602) 768-2989, a total of 34 times from
January 7, 2016, until January 20, 2016. An open-source search conducted on or about April 21,
2016, revealed a Facebook posting dated December 17, 2015, [https://www.facebook.com/jspsr
/posts/10205508438534376], by PATRICK in which he provided telephone number (425)
245-2747. A Federal Bureau of Investigation Special Agent identified https://www.facebook
.com/jspsr as PATRICK's Facebook account. Through the pen register/trap and trace data, I
know that (425) 245-274 7 was in contact with fellow occupiers A. BUNDY and PAYNE between
January 7, 2016, and January 21, 2016. A Facebook posting was made by O'SHAUGHNESSY
on or about January 12, 2016, where he urged persons deploying to Bums to contact him at
telephone number (458) 206-8745. Cellular telephone (458) 206-8745 was in contact with
A. BUNDY between January 7, 2016, and January 21, 2016. Debra Carter Pope, LEQUIEU's
fiancee, was the subscriber for cellular telephone number (775) 217-9099. An open-source
database search indicated LEQUEIU was the subscriber for the same number. Cellular telephone
(775) 217-9099 was in contact with A. BUNDY's cellular phone number 24 times from January 2,
2016, until January 27, 2016. Sandra ANDERSON was the subscriber to cellular phone number
MNWR 0036242
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 9 of 39
(208) 628-3173. Pen register data indicates that cellular phone number (208) 628-3173 was in
contact with RITZHEIMER's cellular phone number a total of 4 times from January 2, 2016, until
January 26, 2016. Based on my knowledge, training, and experience, I know that co-conspirators
often communicate their criminal plans and intentions with other co-conspirators through phone
calls, SMS/texts, emails, web posts, YouTube, Facebook, or similar social media platforms
connected through the Internet in order to carry out and further their criminal activity. I believe
that the Subject Devices are likely to contain evidence of these communications.
January 26, 2016, Arrest of PAYNE, R BUNDY, and S. COX
(Subject Devices 1-17)
12.
On January 26, 2016, PAYNE, R. BUNDY, S. COX, Finicum, and Victoria Sharp
were traveling in a white 2015 Dodge pickup with Arizona license plate BMC2300. They were
stopped by law enforcement and all were arrested with the exception of Sharp and Finicum.
Sharp was released and Finicum was shot and killed after a violent confrontation with law
enforcement. Prior to being transported from the arrest location to detention, FBI Special Agents
found on S. COX's person four computer storage media (Subject Devices 13, 14, 15, and an
unopened thumb drive in its original packaging).
13.
On or about January 27, 2016, the Deschutes County Sheriff's Office seized
Devices 1 through 8 from either the inside of or near the Dodge pickup that PAYNE, R. BUNDY,
S. COX, Finicum, and Sharp were traveling in at the time of their arrest. A Sanyo digital camera,
model E2100, with one 64 GB SanDisk Ultra PLUS Micro SD card (Device 1), a black Kyocera
cellular telephone, model E6782 (Device 2), and a Samsung cellular telephone, model SM-G360V,
with a 64 GB Micro SD card (Device 3) were found in the rear of the vehicle within reach of either
S. COX or R. BUNDY. An Apple iPad with cover (Device 4), a Motorola cellular telephone,
MNWR 0036243
- ------ - ----------- -- --- -------- --- ---- ----- ---- ----- - Case 3:16-cr-00051-BR
Document 1240-1
---------------------Filed 09/12/16
Page -10 --of- -39-- ---- -
- ---- -
model XT1254, Droid Turbo (Device 7), and a Sansa SanDisk storage device (Device 8) were
located within the front passenger compartment of the vehicle within reach of PAYNE. A
Samsung cellular telephone, model SM-G360V (Device 5) was located near the body of Lavoy
Finicum, a short distance from the pickup. A Samsung cellular telephone, model GT-18190
(Device 6) was located in the rear of the pickup inside a purse belonging to Sharp.
14.
The Deschutes County Sheriff's Office (DCSO) is conducting an investigation of
the officer-involved shooting ofFinicum. Pursuant to that investigation, DCSO obtained and
executed an Oregon state search warrant for Subject Devices 1, 2, 3, 5, 6, 7, and 8.
15.
Although Finicum and Sharp were not indicted for their participation in the armed
occupation of the MNWR, they both were present for a significant portion of the illegal occupation.
Based upon my knowledge, training, and experience, I know that individuals carry their cellular
devices on them and use these devices to document, communicate, and coordinate plans,
movements, and their criminal intentions. I also know that the defendants and their
co-conspirators took photographs and videos during the armed occupation of the MNWR to
document their activities and to promote the illegal occupation. These photos, videos and related
messages were posted to social media sites to communicate with others and in an attempt to recruit
others to participate in the occupation.
16.
On January 6, 2016, A. BUNDY was photographed with S. COX inside a building
at the MNWR. The photo was posted online to a national news website with the caption "Ammon
Bundy (L), and supporter Shawna Cox work in an office at the Malheur National Wildlife
Refuge." A Federal Wildlife Officer with the U.S. Fish and Wildlife Service confirmed the photo
depicts the inside of a U.S. Fish and Wildlife biologist's office in a federal building on the MNWR.
Page 9- Affidavit of Kevin Strauss
MNWR 0036244
- -3:16-cr-00051-BR
- -- ------ - --- - - ----- - - - - 1240-1
----- - - Filed
- - - 09/12/16
- - -- - - - -11
--Case
Document
Page
of-39
- - ----
A. BUNDY is seen operating a laptop computer during the armed occupation at the MNWR.
S. COX is depicted using what appears to be a smartphone.
17.
R. BUNDY maintained a presence at the MNWR for a majority of the occupation
until his arrest on January 26, 2016. A photograph featuring R. BUNDY utilizing a cellular
phone while at the MNWR was obseived in an article dated January 4, 2016, posted online with
the caption "Ryan Bundy talks on the phone at the Malheur National Wildlife Refuge near Burns,
Oregon." The photograph also shows R. BUNDY near a U.S. Government-tagged vehicle in the
background to the right.
I II
Ill
II I
MNWR 0036245
- -- ------ Case
- -- - - - - - - - Document
- - ---- -- - Filed
- ------ ---- 12
-- of
-39
-3:16-cr-00051-BR
1240-1
09/12/16
Page
18.
On January 4, 2016, a video was posted to an Internet website titled "Citizens for
Constitutional Freedom News Conference Oregon 114116" featured S. COX reading a redress of
grievances in Hamey County, Oregon, brought by the Citizens for Constitutional Freedom.
S. COX identifies herself by spelling her first and last name and then states "I am just an
individual, a patriot American." A screenshot from the video is shown below:
I II
II I
Ill
Ill
I II
Ill
Ill
MNWR 0036246
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 13 of 39
Citizens for Constitutional Freedom News Confilrence Oregon 114116
=t.
Ll'JESA.lUllTEioE".;s
C!D!!Cl~~
22.438
~ClftJln.(.l'in6
t:aCl<lro<sb~---0........._.1!4.,.
-mdl!y..,~llOdJ
.... -~--blvt~---''G"li:O.-.rdal_ .. ~l:cC..-.......iF_
I know based on my knowledge, training, and experience that users can take photographs, make
videos, upload videos, store photos and videos, and post photographs, videos, and updates through
\
}
the Internet to social media websites using the Subject Devices described in Attachment A.
19.
PAYNE and S. COX were not in their personal vehicles at the time of their arrests.
S. COX's personal vehicle, a silver 2006 To'Wn and Country minivan bearing Utah license plate
Xl 86TL, and PA YNE's vehicle, a white four-door 2011 Chevrolet Silverado pickup truck bearing
Montana license plate 30-7605A, were parked at the MNWR. Pursuant to federal search warrants
issued on February 18, 2016, in the District of Oregon, an FBI Evidence Response Team
MNWR 0036247
--- - - --- -
-- - - -- - - --- -- -- - Document
----- - -- -1240-1
- - - - ----------- Page
--- - 14
--Case--3:16-cr-00051-BR
Filed-----
09/12/16
of--39----------------
- ---
conducted a search of these vehicles. From S. COX's vehicle, agents seized a black Canon Vixia
HF R50 camera, serial number 782914204885 with a 32GB SanDisk Ultra memory card (Device
9); a silver and black LG cellular phone, model LG 100, serial number 005CYPY0053120 (Device
1O); a black and red colored 16 GB SanDisk memory card with the name "Bundy" handwritten on
one side (Device 11); and a Kodak 4GB SD memory card (Device 12). From PAYNE's vehicle,
agents seized a black Motorola Verizon cellular phone, identification number SJUG5853CE, MSN
identification K566NQC53Z, FCC ID number IHDT56LB1, MEID HEX identification
A0000022517CF8 (Device 16) and a white disc labeled "Targeted Individual Myron May Speaks
From The Grave. Another Victim of the NWO Agenda." (Device 17). In the middle of the disc
read "For more info GMNken.com" and "Stop The Crime.Net." Open-source Internet inquiry
indicates that "GMNken.com" is a website featuring information regarding government
conspiracy theories and is authored by Kenneth Rhoades, a cameraman for defendant SANTILLI.
Open-source Internet inquiry indicates that "Stopthecrime.net" is a similar website featuring
different types of conspiracy theories and is run by Deborah Tavares. While the DVD is labeled
as described above, it is unknown if this DVD contains what is described on the label or if other
information pertinent to the charges listed above is saved and recorded on the DVD. Based on my
training and experience, I know that DVDs, like any computer storage medium, can be used to
store photos, videos, documents, and other data.
January 27, 2016, Arrest of PATRICK

20.
On January 27, 2016, PATRICK was arrested by law enforcement at a roadblock
near the MNWR. Several items were seized from PATRICK at the time of his arrest, including a
white Samsung Galaxy Note II smartphone with damaged screen cover (Device 18); a black LG
MNWR 0036248
---
- : - - - - - - - - -- - - - - - - --- - - --- - - - - - 09/12/16

- - - - ---- 15
-of 39
Case 3:16-cr-00051-BR Document 1240-1- -Filed
Page
cellular phone, serial number 509VTWP0680929 (Device 19); a SanDisk 32GB memory card
(Device 20); a Sony IC recorder, ICD-PX312 (Device 21); a silver Canon PowerShot Elph 160
camera (Device 22); a Verbatim 32GB SD memory card (Device 23); a Canon Vixia HFR62
camera, serial number 902074103090 (Device 24); and a white Apple iPhone, model Al549, IMEI
356989065989240 (Device 25).
21 .
PATRICK' s Facebook account was "Jason Patrick," found at Internet address
www.Facebook.com/jspsr. On January 2, 2016, at 2:56 p.m., PA1RICK posted a photograph of

himself in front of the MNWR sign with an American flag draped over it. The caption under the
photograph read as follows : "Peacefully reclaiming the lands for the people. Truth, love, and
um"ty."
22.
PATRlCK made several Facebook posts regarding the occupation of the MNWR
during the occupation in January 2016.
Page 14-Mfidavit of Kevin Strauss
MNWR 0036249
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 16 of 39
February 11, 2016, Arrest of BLOMGREN

(Subject Device 26)
23.
On February 11, 2016, BLOMGREN was arrested in the parking lot of a Wal-Mart
located in Mesquite, Nevada. Agents seized a ZTE cellular phone, model 2797L, serial number
9B0433711LD3 (Device 26).
24.
BLOMGREN's Facebook account was "Jason Blomgren," found at Internet
address www.Facebook.com/jason.blomgren.9?fref=ts. On January 10, 2016, at 7:43 a.m.,

BLOMGREN posted a photograph of himself and Jon RITZHEIMER. The caption under the
photograph read as follows: "Day #1 (Front gate guard detail) The PATRIOTS begin to
assemble ... Meeting WI Jon Ritzheimer - Joker J."
~-
C.ton ~Jwn C... , ~.-.t.~1 ,.,..0l!~l'.-#~Gn~IOO:ill!~~r.:tv
.!I.
~ "-'1'w~~ f~ teotNWC(IOn HO ..... )W.,,.,."'""e.:n~
* ' .,.
Jo\.41(,1' ,
-~ ' ' -
. ..
..
..-.
.
u
:l'li. J.s1ic;.n SICWTi~"

~ ~-
111< PAflttOTJI 11<;11110

.l<UrJ
0 fue~
.n-
. -.""='- .
. .~.-:1 - ,..
OiJ! ., "'"""" ~ l~
-~ ~
Wt J("n
d<tl)
A:-~-:-e--<
...""...
, .. , .
~-II.
.... ....
25.
~~.
ii!'
'
On January 11, 2016, BLOMGREN posted another video on his Facebook account
where he is seen sitting next to RITZHEIMER who was talking about people claiming the land and
using the land and they were here to defend the land. As RITZHEIMER makes his _statements,
MNWR 0036250
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 17 of 39
BLOMGREN was seen nodding in approval and said, ''Hear that." During the occupation of the
J\.1NWR, BLOMGREN posted many messages on his Facebook account regarding the occupation.
-
lll : l l l l l = - - i l
................. .........
,.,_ . ... ..-.. ... - ; "
- -
-.- - .. - ........
.---.. ~#- .
~- ~
.. -
...._
... r
t'_.. _......,._ "
' "' """'
_:i\.<
!CJ~~ ---- -
' . . .fli ~:~~-~:~.:;;:;;:..: .-:.: ..:-. ~~~~:c: ._

''11
-- - ~ v ,..,.
~.:- .-~------,-,-
----
.-
....... :- ...... . : -
.
._ ..- ........ :- ......
... f
..,..,,,; ..... - -
'I = ::;;:-;: ~:.,~ ~-:

:-,. .............. '!' . ..... . ..,.....
1..._ . .,.
ft ..-
-- ~
.-
-.
--~ ~ --
~ .-.- ..- ~.
..... . , . .
' ~., ,.-:
--
.., ..... -- . ,
___ , _ _ _ ,_ , .... _ ., - -
February 11, 2016, Arrest of KJAR

26.
On February 11, 2016, KJAR was arrested. Several items were seized from KJAR
at the time of his arrest including: a silver MacBook laptop with a sticker across the top of the
laptop that reads "FACTOR 55 Precision Engineering," model A1278, PN identification number
0857323, MLC identification number DA261 l (Device 27); an Apple iPhone, model A1429, IC
identification 579CE2610A, IMEI 990002256034214, in a black Wounded Warrior Project
protective case (Device 28); and an Apple iPhone in a black case, model A1687, FCC ID number
BCGE2944A, IC number 579CE2944A (Device 29).
27.
While on the MNWR, KJAR made several Facebook posts from his public
Facebook account www.facebook.com/wes.kjar: The following post was made on January 5,
MNWR 0036251
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 18 of 39
2016, at 8 :09 p.m.: "Calling all people who believe we need to make a change in the country to
come to Oregon and stand for the Ranchers and citizens of Harney County."
11
r-.
'"'-
, ... ,r-...:1>
II .......... ,_._ - a;..:. O

.,,
flt
ir.tra
_, _
Slt.10-rt< ~"lilot.'".~
l-o11 _,. L""....
...,KJ>',
~l:tc: ~J~.-.~belon'l!M'S\IHC'JG.ft"~IC~L~.r;trl('(CUllllJ"
~V)m("\O~.-"Wld~--'Ctt'-.enc111(TS"""'~~~f'(,CIU't!\..
~..- ~We1Y- irl ~
Ill :z..:-.,:::~=--~~~~:;:;;,.r:-:.:;..~
...
...
~~...,
..,,,~
,,.~o.1'1-flete~Clf,_....
.......,,_,~--...-.~~~~.e
R.-.l...CN't~,..,.""'
.....
'-d~
...
,_
".
t'll'!'flQ~ll$t.."1t:r.io...,.~:NC'ctllitlt~MtlJ~OI'\
rw:r;n,C::~ieo:tr~._,,..
';),\.''. ~
,'\; .. ~, :
...... ~~
...... ~N""a,;f!
>
. ." ~1._~ ~: .~:~:.. :; .

I
::,-._
An image of KJAR was published in an Internet news article, "Oregon occupiers: Not ready to
leave yet." KJAR is seen handling a cellular phone. The phone observed in the photograph
closely resembles the Apple iPhone that was found in KJAR's possession at the time of his arrest.
II I
II I
I II
I II
I II
Ill
Ill
Page 17 -Affidavit of Kevin Strauss
MNWR 0036252
-:-- -- ---- -- - - -Case

--- --3:16-cr-00051-BR
- - - -- - -----------1240-1
- - - - - -Filed
-Document
- - ---- ~
- ----- --- - ---19

----- - ---- - - - --09/12/16
Page
of 39
KJAR served as one of A. BUNDY's bodyguards.

February 11, 2016, Arrest of Sean ANDERSON
(Subject Device 30)
28.
On February 11, 2016, Sean ANDERSON was arrested. Sean ANDERSON's
white Chevrolet Silvera.do pickup truck bearing Idaho license plate I67564 was found at the
MNWR. This vehicle was searched by an FBI Evidence Response Team pursuant to a federal
search warrant signed in the District of Oregon on February 18, 2016. Agents recovered a silver
Samsung cellular phone, model SCH-S738C (GP), FCC ID number A3LSCHS738C (Device 30).
29.
Sean ANDERSON used the public Facebook account "Sean Anderson III." While
he was on the MNWR, he used his Facebook account to garner support for the remaining occupiers
at the MNWR. The following is a Facebook post from February 10, 2016, that was a repost from
MNWR 0036253
-.----- ----- -- -- 3:16-cr-00051-BR

----- --- - ----- ----------------1240-1
- - - - -- - - - - ------ ------ - ----Case
Document
Filed
09/12/16
Page
20 of --39 - - -- ---- -
the public Facebook account "Bundy Ranch." The repost stated: "WAKE UP AMERICA!
WAKE UP WE THE PEOPLE! WAKE UP PATRIOTS! WAKE UP MILITA (sic)! IT'S
TIME!!!!!! CLIVEN BUNDY rs HEADING TO THE HARNEY COUNTY RESOURCE
CENTER IN BURNS OREGON."
WAKE UP AMERlCA!
W.t..KE UP WE THE PEOPLE!
WAKE UP PATRIOTS!
Wl.KE UP MILITA!
ITS Tlf\'lE!!!!!
CLIVEN BUNDY IS HEADING TO THE HARNEY COUNn' RESOURCE CENTER
IN BURNS OREGON .
Another Facebook post by Sean ANDERSON included a YouTube link and was posted
January 27, 2016. The YouTube link was titled, "Bums Oregon-Calling All Patriots Now!!!!!
Bums Oregon--Calling All Patriots Now!!!!!

MNWR 0036254
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 21 of 39
Device Recovered from February 18, 2016,

Search of Chevrolet Tahoe
(Subject Device 31)
30.
Pursuant to a federal search warrant signed in the District of Oregon on
February 18, 2016, FBI Evidence Response Teams conducted searches upon 14 vehicles
abandoned by the occupiers at the MNWR. One of these vehicles was a black Chevrolet Tahoe
Sports Utility Vehicle bearing Nevada license plate 368SVM registered to Jesse Scott Thornton.
Jesse Scott Thornton is related to Brand Nu Thornton (hereinafter Thornton) who was present for
much of the MNWR occupation. He was photographed by the media blowing a spiral-shaped
shofar, a kind of trumpet made from an animal horn. Inside the black Chevrolet Tahoe an FBI
Evidence Response Team found and seized a brown-colored Toshiba laptop, serial number
3A830554K, model number NB305-N410BN (Device 31).
31.
On January 8, 2016, FBI Special Agents interviewed environmental activist Don
Francis. Francis advised that he visited the MNWR on January 5, 2016, and interacted With
several of the occupiers. Francis interacted with Thornton who told Francis that he was in charge
of scheduling and further described himself as a "receptionist." Thornton told Francis that he was
"willing to die for a good cause."
32.
In an Internet news website article entitled "Why the Oregon militia is citing the
Book of Mormon's," Thornton is shown in a photograph blowing his shofar and behind him can be
seen a black Chevrolet Tahoe that closely resembles the Chevy Tahoe where the laptop was found.
Ill
II I
I II
MNWR 0036255
-. -
- - - ---- --Case
- -- -------------- - -- - -Document
- - - -- - ------ - 09/12/16
- - - - -- - Page
- - 22 of 39
3:16-cr-00051-BR
1240-1
Filed
January 27, 2016, Arrest of EHMER

(Subject Devices 36 and 37)
33.
On January 27, 2016, EHMER was arrested. EHMER signed a consent form for
FBI Special Agents to search his red Chevroiet Tahoe. When FBI Special Agents searched the
vehicle, they found a Samsung tablet, serial number R52F708RQJR (Device 36), and a Samsung
Galaxy SII cellular phone, model SCHR760, FCC ID number A3LSCHR760 (Device 37).
34.
On January 9, 2016, while he was occupying the Refuge, EHMER's Facebook
account, www.facebook.com/duane.ehmer, shared an article titled "On the frontlines of the

Oregon standoff'' with an image of EHMER and his horse Hellboy at what appears to be the
MNWR. At 9:31 p.m. later that same day, EHMER's Facebook account commented on this
article, "yep its me" and again at 11 :34 p.m. posted, "it was a beautiful day." In January 2016,
EHMER made several posts to his Facebook account regarding his occupation of the MNWR
MNWR 0036256
-:---
----- - --- - -- - - -- -- -- - - - --- - - - - - -- -- -- - --
Case 3:16-cr-00051-BR
35.
Document 1240-1
- - -
Filed 09/12/16
Page 23 of 39
As stated above all listed devices are currently in law enforcement custody.
Devices 1through8 are currently in storage at the Deschutes County Sheriffs Office, 63333 West
Highway 20, Bend, Oregon 97703. Devices 9 through 39 are currently in storage at the FBI
Portland Field Office, 9109 NE Cascades Parkway, Portland, Oregon 97220. In my training and
experience, I know that the Subject Devices have been stored in a manner in which their contents
are, to the extent material to this investigation, in substantially the same state as they were when
the Devices first came into the possession of law enforcement.
36.
Based on my training and experience, I use the following technical terms to convey
the following meanings:

a.
Digital camera. A digital camera is a camera that records pictures as
digital picture files, rather than by using photographic film. Digital cameras use a variety of fixed
and removable storage media to store their recorded images. Images can usually be retrieved by
connecting the camera to a computer or by connecting the removable storage medium to a separate
reader. Removable storage media include various types of flash memory cards or miniature hard
drives. This storage media can contain any digital data, including data unrelated to photographs
or videos.
b.
Portable media player. A portable media player (or "MP3 Player" or
iPod) is a hand.held digital storage device designed primarily to store and play audio, video, or
photographic files. However, a portable media player can also store other digital data. Some
portable media players can use removable storage media. Removable storage media include
various types of flash memory cards or miniature hard drives. This removable storage media can
also store any digital data. Depending on the model, a portable media player may have the ability
MNWR 0036257
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 24 of 39
to store very large amounts of electronic data and may offer additional features such as a calendar,
contact list, clock, or games.
c.
GPS.
A GPS navigation device uses the Global Positioning System to
. display its current location. It often contains historical records of the locations where it has been.
Some GPS navigation devices can give a user driving or walking directions to another location.
These devices can contain records of the addresses or locations involved in such navigation. The
Global Positioning System (generally abbreviated as "GPS") consists of 24 NAVSTAR satellites
orbiting the Earth. Each satellite contains an extremely accurate clock. Each satellite repeatedly
transmits by radio a mathematical representation of the current time, combined with a special
sequence of numbers. These signals are sent by radio, using specifications that are publicly
available. A GPS antenna on Earth can receive those signals. When a GPS antemia receives
signals from at least four satellites, a computer connected to that antenna can mathematically
calculate the antenna's latitude, longitude, and sometimes altitude with a high level of precision.
d.
PDA. A personal digital assistant, or PDA, is a handheld electronic device
used for storing data (such as names, addresses, appointments, or notes) and utilizing computer
programs. Some PDAs also function as wireles.s communication devices and are used to access
the Internet and send and receive email. PDAs usually include a memory card or other removable
storage media for storing data and a keyboard and/or touch screen for entering data. Removable
storage media include various types of flash memory cards or miniature hard drives. Tiris
removable storage media can store any digital data. Most PDAs run computer software, giving
them many of the same capabilities as personal computers. For example, PDA users can work
II I
MNWR 0036258
-;---- - -- ---Case
- - - 3:16-cr-00051-BR
-- -- -- - -
Document 1240-1
Filed 09/12/16
Page 25 of 39
with word-processing documents, spreadsheets, and presentations. PDAs may also include
global positioning system ("GPS") technology for determining the location of the device.
e.
Tablet. A tablet is a mobile computer, typically larger than a phone yet
smaller than a notebook, that is primarily operated by touching the screen. Tablets function as
wireless communication devices and can be used to access the Internet through cellular networks,
802.11 "wi-fi" networks, or otherwise. Tablets typically contain programs called apps, which,
like programs on a personal computer, perform different functions and save data associated with
those functions. Apps can, for example, permit accessing the Web, sending and receiving email,
and participating in Internet social networks.
f.
Storage medium. A storage medium is any physical object upon which
computer data can be recorded. Examples include hard disks, RAM, floppy disks, flash memory,
CD-ROMs, and other magnetic or optical media.
g.
IP address. An Internet Protocol address (or simply "IP address") is a
unique numeric address used by computers on the Internet. An IP address is a series of four
numbers, each in the range 0-255, separated by periods (e.g., 121.56.97.178). Every computer
attached to the Internet computer must be assigned an IP address so that Internet traffic sent from
and directed to that computer may be directed properly from its source to its destination. Most
Internet service providers control a range of IP addresses. Some computers have static-that is,
long-term-IP addresses, while other computers have dynamic-that is, frequently changed-IP
addresses.
h.
Internet. The Internet is a global network of computers and other
electronic devices that communicate with each other. Due to the structure of the Internet,
MNWR 0036259
Case 3:16-cr-00051-BR
- - ---- --09/12/16
-Document
1240-1
Filed
-39
-- --- -- - - -
- Page
- - -- of
26
connections between devices on the Internet often cross state and international borders, even when
the devices communicating with each other are in the same state.
36.
The Devices in this case include laptops, tablets, cameras, recording devices, and
storage media. Based on my training and experience, and research I know that examining data
stored on these devices can uncover, among other things, evidence that reveals or suggests who
possessed or used the device.
37.
Based on my knowledge, training, and experience, I know that electronic devices
can store information for long periods of time. Similarly, things that have been viewed via the
Internet are typically stored for some period of time on the device. This information can
sometimes be recovered with forensics tools.
38.
There is probable cause to believe that things that were once stored on the Devices
will still be stored there because, based on my knowledge, training, and experience, I know:
a.
Electronic files or remnants of such files can be recovered months or even
years after they have been downloaded, deleted, or viewed via the Internet. Electronic files
downloaded to a storage medium can be stored for years at little or no cost. Even when files have
been deleted, they can be recovered months or years later using forensic tools. When a person
"deletes" a file on a computer, the data contained in the file does not actually disappear; rather, that
data remains on the storage medium until it is overwritten by new data. Therefore, deleted files or
remnants of deleted files, may reside in free space or slack space-that is, in space on the storage
medium that is not currently being used by an active file-for long periods of time before they are
overwritten. In addition, a computer's operating system may also keep a record of deleted data in
a "swap" or "recovery" file.
MNWR 0036260
-.-------- ~ ------- - ----~--------------------------------Case

3:16-cr-00051-BR Document 1240-1 Filed 09/12/16 Page 27 of 39
b.
Wholly apart from user-generated files, computer storage media-in
particular, computers' internal hard drives-contain electronic evidence of how a computer has
been used, what it has been used for, and who has used it. To give a few examples, this forensic
evidence can take the form of operating system configurations, artifacts from operating system or
application operation, file system data structures, and virtual memory "swap" or paging files.
Computer users typically do not erase or delete this evidence, because special software is typically
required for that task. However, it is technically possible to delete this information.
c.
Similarly, files that have been viewed via the Internet are sometimes
automatically downloaded into a temporary Internet directory or "cache."

39.
As further described in Attachment B, this application seeks permission to locate
not only electronically stored information that might serve as direct evidence of the crimes
described on the warrant but also forensic evidence that establishes how each Device was used, the
purpose of its use, who used it, and when. There is probable cause to believe that this forensic
electronic evidence will be on the Devices because, based on my knowledge, training, and
experience, I know:
a.
Data on the Devices can provide evidence of a file that was once on the
Devices but has since been deleted or edited, or of a deleted portion of a file (such as a paragraph
that has been deleted from a word processing file). Virtual memory paging systems can leave
traces of information on the storage medium that show what tasks and processes were recently
active. Web browsers, email programs, and chat programs store configuration information on the
storage medium that can reveal information such as online nicknames and passwords. Operating
systems can record additional information, such as the attachment of peripherals, the attachment of
MNWR 0036261
-------Document
- - - - -- 1240-1
Case 3:16-cr-00051-BR
Filed 09/12/16
Page 28 of 39
USB flash storage devices or other external storage media, and the times the computer was in use.
Computer file systems can record information about the dates files were created and the sequence
in which they were created.
b.
Forensicevidence on a device can also indicate who has used or controlled
the device. This "user attribution" evidence is analogous to the search for "indicia of occupancy"
while executing a search warrant at a residence. For example, registry information, configuration
files, user profiles, email, email address books, "chat," instant messaging logs, photographs, the
presence or absence of malware, and correspondence (and the data associated with the foregoing,
such as file creation and last-accessed dates) may be evidence of who used or controlled the device
at a relevant time. Further, forensic evidence on a device can show how and when the device was
accessed or used. Such ''timeline" information allows the forensic analyst and investigators to
understand the chronological context of access, use, and events relating to the crime under
investigation. This ''timeline" information may tend to either inculpate or exculpate the device
user. Last, forensic evidence on a device may provide relevant insight into the device user's state
of mind as it relates to the offense under investigation. For example, information on a device may
indicate the user's motive and intent to commit a crime (e.g., relevant web searches occurring
before a crime indicating a plan to commit the same), consciousness of guilt (e.g., running a
"wiping program" to destroy evidence on the device or password protecting or encrypting such
evidence in an effort to conceal it from law enforcement), or knowledge that certain information is
stored on a computer (e.g., logs indicating that the incriminating information was accessed with a
particular program).
II I
'-'
MNWR 0036262
- -
-- - -- --- ----
Case
3:16-cr-00051-BR
c.
Document 1240-1
Filed 09/12/16
Page 29 of 39
- - -- -- --- - -
A person with appropriate familiarity with how an electronic device works
may, after examining this forensic evidence in its proper context, be able to draw conclusions
about how electronic devices were used, the purpose of their use, who used them, and when.
d.
The process of identifying the exact electronically stored information on a
storage medium necessary to draw an accurate conclusion is a dynamic process. Electronic

evidence is not always data that can be merely reviewed by a review team and passed along to
investigators. Whether data stored on a device is evidence~ depend on other information
stored on the device and the application of knowledge about how a device behaves. Therefore,
contextual information necessary to understand other evidence also falls within the scope of the
warrant.
e.
Further, in finding evidence of how a device was used, the purpose of its
use, who used it, and when, sometimes it is necessary to establish that a particular thing is not
present on a storage medium. For example, the presence or absence of counter-forensic programs
or anti-virus programs (and associated data)~be relevant to establishing the user's intent.
f.
I know that when an individual uses an electronic device to commit a crime,
the electronic device will generally serve both as an instrumentality for committing the crime and
as a storage medium for evidence of the crime. From my training and experience, I believe that an
electronic device used to commit a crime ofthis type may contain: data that is evidence of how the
electronic device was used; data that was sent or received; and other records that indicate the
nature of the offense.
40.
Nature of examination. Based on the foregoing, and consistent with Rule
41(e)(2)(B), the warrant I am applying for would permit the examination of the Devices consistent
'
MNWR 0036263
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 30 of 39
with the warrant. The examination may require authorities to employ techniques, including but
not limited to computer-assisted scans of the entire medium, that might expose many parts of the
Devices to human inspection in order to determine whether it is evidence described by the warrant.
41.
The initial examination of the Devices will be performed within a reasonable
amount of time not to exceed 120 days from the date of execution of the warrant. If the
government needs additional time to conduct this review, it may seek an extension of the time
----
period from the Court within the original 120-day period from the date of execution of the warrant.
The government shall complete this review within 180 days of the date of execution of the warrant.
If the government needs additional time to complete this review, it may seek an extension of the
""::'---"
time period from the Court.

42.
If, at the conclusion of the examination, law enforcement personnel determine that
particular files or file folders on the Devices or image do not contain any data falling within the
scope of the warrant, they will not search or examine those files or folders further without
authorization from the Court. Law enforcement personnel may continue to examine files or data
falling within the purview of the warrant, as well as data within the operating system, file system,
software application, etc., relating to files or data that fall within the scope of the warrant, through
the conclusion of the case.
4 3.
If an examination is conducted, and it is determined that the Devices do not contain
any data falling within the ambit of the warrant, the government will return the Devices to their
owners (if known) within a reasonable period of time following the search and will seal any image
of the Devices, absent further authorization from the Court.
/II
MNWR 0036264
- -- -- - - - - --- - - -1240-1
- - - ---
- -- - -- Page
- --31- ofCase 3:16-cr-00051-BR
Document
Filed 09/12/16
39- -
44.
The government may retain the Devices as evidence, fruits, contraband, or an

~
instrumentality of a crime or to commence forfeiture proceedings against the Devices and/or the
data contained therein.
45.
The government will retain a forensic image of the Devices for a number of
reasons, including proving the authenticity of evidence to be used at trial, responding to questions
regarding the corruption of data, establishing the chain of custody of data, refuting claims of
fabricating, tampering, or destroying data, and addressing potential exculpatory evidence claims
where, for example, a defendant claims that the government avoided its obligations by destroying
data or returning it to a third party.
46.
Manner ofexecution. Because this warrant seeks only pennission to examine a
device already in law enforcement's possession, the execution of this warrant does not involve the
physical intrusion onto a premises. Consequently, I submit there is reasonable cause for the Court
to authorize execution of the warrant at any time in the day or night.
Conclusion
4 7.
Based on the foregoing, I have probable cause to believe, and I do believe, that the
Devices described in Attachment A contain evidence and instrumentalities of a Conspiracy to

Impede Officers of the United States, in violation of Title 18, United States Code, Section 372;
Possession ofFireanns and Dangerous Weapons in Federal Facilities, in violation of Title 18,
United States Code, Sections 930(b) and 2; Use and Carry of a Firearm in Relation to a Crime of
Violence, in violation of Title 18, United States Code, Sections 924(c) and 2; Theft of Government
Property, in violation of Title 18, United States Code, Section 641 ; and Depredation of
Government Property, in violation of Title 18, United States Code, Section 1361 , as set forth in
MNWR 0036265
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 32 of 39
Attachment B. I therefore request that the Court issue a warrant authorizing a search of the
Devices described in Attachment A for the items listed in Attachment B and the seizure and
examination of any such items found.
48.
Prior to being submitted to the Court, this affidavit, the accompanying application,
and the requested search warrant were all reviewed by Assistant United States Attorney (AUSA)
Geoffrey A. Barrow, and AUSA Barrow advised me that in his opinion the affidavit and
application are legally and factually sufficient to establish probable cause to support the issuance
of the requested warrant.
Reguest for Sealing

49.
It is respectfully requested that the Court issue an order sealing, tintil further order
of the Court, all papers submitted in support of the requested search warrant, including the
application, this affidavit, the attachments, and the requested search warrant. I believe that
sealing these documents is necessary because the information to be seized is relevant to an ongoing
investigation, and any disclosure of the information at this time may endanger the life or physical
safety of an individual, cause flight from prosecution, cause destruction of or tampering with
evidence, cause intimidation of potential witnesses, or otherwise seriously jeopardize an
Ill
II I
I II
I II
Ill
Ill
MNWR 0036266
Case 3:16-cr-00051-BR
Document 1240-1
Filed 09/12/16
Page 33 of 39
investigation. Premature disclosure of the contents of the application, this affidavit, the
attachments, and the requested search warrant may adversely affect the integrity of the
investigation.
SS
~~~ecialAgent~
, FBI
Subscribed and sworn to before me this
2Q_r--o
y f Ap . 2016.
--\ {)J.l ~ .
c2fll/?
PAULPAPAK
.
United States Magistrate Judge
MNWR 0036267
- - -Document
- - - -1240-1
- -- -Filed
- 09/12/16
- - - - ---39
- - -- Case 3:16-cr-00051-BR
Page
34 of
ATTACHMENT A
Property to Be Searched
The items to be searched are the following Subject Devices:

I.
Seized during the January 26, 2016, arrest of PAYNE, R. BUNDY, and S. COX (Devices
1-17):
1.
One (1) Sanyo digital camera, model E2100, serial number 11091011182,
with one 64 GB SanDisk Ultra PLUS Micro SD card (Device 1).

2.
One (1) Apple iPad with cover (Device 4).
3.
One (1) Sansa San.Disk storage device (Device 8).
4.
One (1) black Canon Vixia HF RSO camera, serial number 782914204885,
containing one (1) 32GB SanDisk Ultra memory card (Device 9).
5.
One (1) black and red colored 16 GB SanDisk memory card with the name
"Bundy" handwritten on one side (Device 11).

6.
One (1) Kodak 4GB SD memory card (Device 12).
7.
One (1) black 16GB SanDisk thumb drive USB 3.0 (Device 13).
8.
One (1) red 2 GB Verbatim thumb drive bearing identification number
11090904002650AAX (Device 14).

9.
One (1) SanDisk MicroMate containing one (1) 32 GB SD card (Device
10.
One (1) a white disc labeled "Targeted Individual Myron May Speaks
15).
From The Grave. Another Victim of the NWO Agenda." (Device 17).
Ill
Page 1-Attachment A
USAO Version Rev. July 2015
MNWR 0036268
Case 3:16-cr-00051-BR
II.
III.
Document 1240-1
Filed 09/12/16
Page 35 of 39
Seized pursuant to the January 27, 2016, arrest of PATRICK (Devices 18-25):
1.
One (1) SanDisk 32GB memory card (Device 20).
2.
One (1) Sony IC recorder, ICD-PX312 (Device 21).
3.
One (1) silver Canon PowerShot Elph 160 camera (Device 22).
4.
One (1) Verbatim 32GB SD memory card (Device 23).
5.
One (1 ) Canon Vixia HFR62 camera, serial number 902074103090 (Device 24).
Seized during the February 11 , 2016, arrest of KJAR (Devices 27-29):

1.
One (1) silver MacBook laptop with a sticker across the top of the laptop that reads
"FACTOR 55 Precision Engineering," model A 1278, PN identification number 0857323,

MLC identification number DA2611 (Device 27).
IV.
Seized pursuant to February 18, 2016, search of a Chevrolet Tahoe (Device 31 ):

1.
One (1) brown-colored Toshiba laptop, serial number 3A830554K, model number
NB305-N410BN (Device 31).

V.
Seized during the January 27, 2016, arrest of EHMER (Devices 36 and 37):
1.
One (1) Samsung tablet, serial number R52F708RQJR (Device 36).
Devices 1 through 8 are currently in storage at the Deschutes County Sheriffs Office,
63333 West Highway 20, Bend, Oregon 97703.
Devices 9 through 39 are currently in storage at the FBI Portland Field Office, 9109 NE
Cascades Parkway, Portland, Oregon 97220.
Page 2-Attachment A
USAO Version Rev. July 2015
MNWR 0036269
- - - - -Page
- - --36
--of- 39-- - - - - - - - -Document
--- - ---Case 3:16-cr-00051-BR
1240-1
Filed 09/12/16
----
ATTACHMENT B
Items to Be Seized
1.
All records on the Subject Devices described in Attachment A that relate to
violations of the following crimes: a Conspiracy to Impede Officers of the United States, in
violation of Title 18, United States Code, Section 372; Possession of Firearms and Dangerous
Weapons in Federal Facilities, in violation of Title 18, United States Code, Sections 930(b) and
2; Use and Carry of a Fireann in Relation to a Crime of Violence, in violation of Title 18, United
States Code, Sections 924(c) and 2; Theft of Government Property, in violation of Title 18,
United States Code, Section 641; and Depredation of Government Property, in violation of
Title 18, United States Code, Section 1361 involving Ammon BUNDY, Jon RITZHEIMER,
Joseph O'SHAUGHNESSY, Ryan PAYNE, Ryan BUNDY, Brian CAVALIER, Shawna COX,
Peter SANTILLI, Robert Lavoy Finicum, Jason PATRICK, Duane Leo EHMER, Dylan
ANDERSON, Sean ANDERSON, David Lee FRY, Jeff Wayne BANTA, Sandra Lynn
ANDERSON, Kenneth MEDENBACH, Blaine COOPER, Wesley KJAR, Corey LEQUIEU,
Neil WAMPLER, Jason Charles BLOMGREN, Darryl William THORN, Geoffrey STANEK,
Travis COX, Eric Lee FLORES, Jake RYAN, Victoria Sharp, and Brand Nu Thornton since
November 1, 2015, including:
a.
Financial records, cancelled checks, cashier's checks and money order
records, wire transfer records, records of credit card and automatic teller machine
activity, including credit and/or debit cards related to travel to or from or occupation of
the Malheur Wildlife National Refuge.
Ill
Page 1 - Attachment B
- USAO Version Rev. October 2015
MNWR 0036270
Case 3:16-cr-00051-BR
b.
Document 1240-1
Filed 09/12/16
Page 37 of 39
Calendar books, log books, appointment books, and telephone number
listings reflecting appointments, meetings, and travel schedules.

c.
Documents reflecting travel expenditures to include copies of travel
tickets, hotel bills, gas receipts, and copies of payment items comprising evidence of
expenditures and liabilities.
d.
Correspondence and communications between the above-referenced
individuals.
e.
Photographs, video and audio recordings, records, and social media posts
related to the planning, takeover, and occupation of the Malheur National Wildlife
Refuge and the above-referenced individuals' presence in Harney County, Oregon.
f.
Information related to the possession, sale, transfer, and/or use of firearms
and/or dangerous weapons.

g.
Contact lists, including e-mail addresses, telephone numbers, names, and
addresses.
2.
Evidence of user attribution showing who used or owned the Subject Devices at
the time the things described in this warrant were created, edited, or deleted, such as logs,
phonebooks, saved usemames and passwords, documents, and browsing history.
3.
Records evidencing the use of the Internet, including:

a.
Records of Internet Protocol addresses used.
b.
Records of Internet activity, including firewall logs, caches, browser
history and cookies, "bookmarked" or "favorite" web pages, search terms that the user
entered into any Internet search engine, and records of user-typed web addresses.
Page 2-Attachment B
MNWR 0036271
Case 3:16-cr-00051-BR
c.
4.
Document 1240-1
Filed 09/12/16
Page 38 of 39
Records of data storage accounts and use of data storage accounts.
As used above, the terms "records" and "information" include all of the foregoing
items of evidence in whatever form and by whatever means they may have been created or
stored, including any form of computer or electronic storage (such as flash memory or other
media that can store data) and any photographic form.
Search Procedure
5.
The examination of the Subject Devices may require authorities to employ
techniques, including but not limited to computer-assisted scans of the entire medium, that might
expose many parts of the Subject Devices to human inspection in order to determine whether it is
evidence described by the warrant.
6.
The initial examination of the Subject Devices will be performed within a
reasonable amount of time not to exceed 120 days from the date of execution of the warrant. If
the government needs additional time to conduct this review, it may seek an extension of the
time period from the Court within the original 120-day period from the date of execution of the
warrant. The government shall complete this review within 180 days of the date of execution of
the warrant. If the government needs additional time to complete this review, it may seek an
extension of the time period from the Court.
7.
If, at the conclusion of the examination, law enforcement personnel determine
that particular files or file folders on the Subject Devices or images do not contain any data
falling within the scope of the warrant, they will not search or examine those files or folders
further without authorization from the Court. Law enforcement personnel may continue to
examine files or data falling within the purview of the warrant, as well as data within the
MNWR 0036272
Case 3:16-cr-00051-BR
----- -------- --- .
Document 1240-1
Filed 09/12/16
Page 39 of 39
operating system, file system, software application, etc., relating to files or data that fall within
the scope of the warrant, through the conclusion of the case.
8.
If an examination is conducted, and it is determined that the Subject Device does
not contain any data falling within the ambit of the warrant, the government will return the
Device to its owner within a reasonable period of time following the search and will seal any
image of the Subject Device, absent further authorization from the Court.
9.
The government may retain the Subject Devices as evidence, fruits, contraband,
or an instrumentality of a crime or to commence forfeiture proceedings against the Devices

and/or the data contained therein.
10.
The government will retain a forensic image of the Subject Devices for a number
of reasons, including proving the authenticity of evidence to be used at trial, responding to

questions regarding the corruption of data, establishing the chain of custody of data, refuting
claims of fabricating, tampering, or destroying data, and addressing potential exculpatory
evidence claims where, for example, a defendant claims that the government avoided its
obligations by destroying data or returning it to a third party.
MNWR 0036273

United States District Court: Evidence

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

United States District Court: Evidence

Uploaded by

Copyright:

Available Formats

Case 3:16-cr-00051-BR

AO 106 (Rev. 04110) Application for a Search Warrant

UNITED STATES DISTRICT COURT

18 electronic devices, currently in law enforcement

APPLICATION FOR A SEARCH WARRANT

18 electronic devices, currently in law enforcement possession, as described in Attachment A hereto,

, there is now concealed (identify the

person or describe the property to be seized):

The information and items set forth in Attachment B hereto.

Mcontraband, fruits of crime, or other items illegally possessed;

The application is based on these facts:

City and state: Portland, Oregon

Paul Papak, United States Magistrate Judge

Dissemination Limited by Court Order

DISTRICT OF OREGON, ss:

AFFIDAVIT OF KEVIN STRAUSS

Affidavit in Support of an Application Under Rule 41

Introduction and Agent Background

I am a Special Agent with the Federal Bureau of Investigation (FBI), currently

I submit this affidavit in support of an application under Rule 41 of the Federal

Dissemination Limited by Court Order

Statement of Probable Cause

several individuals, including Ainmon BUNDY (hereinafter A. BUNDY), Jon RITZHEIMER

Page 2 - Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order

According to open-source reporting that I have reviewed and conversations I have

Page 3 - Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order

Page 4-Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order

The MNWR is staffed by employees of the USFWS. As a result of the armed

USAO Version Rev. October 2015

Dissemination Limited by Court Order

According to a Special Agent with the Bureau of Land Management (BLM), on

Pen Register Data

On January 7, 2016, the Honorable John V. Acosta authorized a pen register/trap

Page 6 - Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order

messages between A. BUNDY and numbers associated with co-conspirators PAYNE,

Page 7 - Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order

USAO Version Rev. October 2015

Dissemination Limited by Court Order

The Deschutes County Sheriff's Office (DCSO) is conducting an investigation of

On January 6, 2016, A. BUNDY was photographed with S. COX inside a building

Page 9- Affidavit of Kevin Strauss

Dissemination Limited by Court Order

USAO Version Rev. October 2015

R. BUNDY maintained a presence at the MNWR for a majority of the occupation

USAO Version Rev. October 2015

Dissemination Limited by Court Order

Dissemination Limited by Court Order

USAO Version Rev. October 2015

Citizens for Constitutional Freedom News Confilrence Oregon 114116

.... -~--blvt~---''G"li:O.-.rdal_ .. ~l:cC..-.......iF_

Page 12 - Affidavit of Kevin Strauss

USAO Version Rev. October 2015

Dissemination Limited by Court Order