
State of Wisconsin

Circuit Court

Brown County

STATE OF WISCONSIN, Plaintiff,

-vs-

Jared R. Carlson, 822 Longview Ave., Green Bay, WI 54301, DOB: 11/24/1982, Sex/Race: M/W, Eye Color: Brown, Hair Color: Brown, Height: 5 ft 11 in, Weight: 175 lbs, Defendant.

DA Case No.: 2013BR005067
Assigned DA/ADA: David L. Lasee
Agency Case No.: 13-007372
Court Case No.: 13CF

CRIMINAL COMPLAINT

Complainant, John Luetscher, an Assistant District Attorney, being first duly sworn on oath, deposes and says that:

Count 1: MISAPPROPRIATION OF PERSONAL IDENTIFYING INFORMATION OR DOCUMENTS, REPEATER

The above-named defendant, on or about Saturday, April 27, 2013, in the City of De Pere, Brown County, Wisconsin, did intentionally use personal identifying information or personal identification documents, a username and password, of Brittany R. Kops to obtain anything of value or benefit without the individual's authorization or consent by representing that he was the individual or was acting with the authorization or consent of the individual, contrary to sec. 943.201(2)(a), 939.62(1)(b) Wis. Stats., a Class H Felony, and upon conviction may be fined not more than Ten Thousand Dollars ($10,000), or imprisoned not more than six (6) years, or both. And further, invoking the provisions of sec. 939.62(1)(b) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased by not more than 2 years if the prior convictions were for misdemeanors.

Count 2: COMPUTER CRIMES - ACCESS DATA, REPEATER

08/22/2013

STATE OF WISCONSIN - VS - Jared R Carlson

The above-named defendant, on or about Saturday, April 27, 2013, in the City of De Pere, Brown County, Wisconsin, did willfully, knowingly and without authorization, access data, contrary to sec. 943.70(2)(a)3&(2)(b)1, 939.62(1)(a) Wis. Stats., a Class A Misdemeanor, and upon conviction may be fined not more than Ten Thousand Dollars ($10,000), or imprisoned not more than nine (9) months, or both. And further, invoking the provisions of sec. 939.62(1)(a) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased to not more than 2 years.

Count 3: MISAPPROPRIATION OF PERSONAL IDENTIFYING INFORMATION OR DOCUMENTS, REPEATER

The above-named defendant, on or about Monday, April 29, 2013, in the City of De Pere, Brown County, Wisconsin, did intentionally use personal identifying information or personal identification documents, a username and password, of Brittany R. Kops to obtain anything of value or benefit without the individual's authorization or consent by representing that he was the individual or was acting with the authorization or consent of the individual, contrary to sec. 943.201(2)(a), 939.62(1)(b) Wis. Stats., a Class H Felony, and upon conviction may be fined not more than Ten Thousand Dollars ($10,000), or imprisoned not more than six (6) years, or both. And further, invoking the provisions of sec. 939.62(1)(b) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased by not more than 2 years if the prior convictions were for misdemeanors.

Count 4: COMPUTER CRIMES - ACCESS DATA, REPEATER

The above-named defendant, on or about Monday, April 29, 2013, in the City of De Pere, Brown County, Wisconsin, to defraud or obtain property, did willfully, knowingly and without authorization, access data, contrary to sec. 943.70(2)(a)3&(2)(b)2, 939.62(1)(b) Wis. Stats., a Class I Felony, and upon conviction may be fined not more than Ten Thousand Dollars ($10,000), or imprisoned not more than three (3) years and six (6) months, or both. And further, invoking the provisions of sec. 939.62(1)(b) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased by not more than 2 years if the prior convictions were for misdemeanors.
Count 5: COMPUTER CRIMES - DESTROY SYSTEM, REPEATER

The above-named defendant, on or about Monday, April 29, 2013, in the City of De Pere, Brown County, Wisconsin, did willfully, knowingly and without authorization, damage computer network intended to be used in computer network, and caused damage greater than $2500, contrary to sec. 943.70(3)(a)2&(3)(b)3, 939.62(1)(b) Wis. Stats., a Class H Felony, and upon conviction may be fined not more than Ten Thousand Dollars ($10,000), or imprisoned not more than six (6) years, or both. And further, invoking the provisions of sec. 939.62(1)(b) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased by not more than 2 years if the prior convictions were for misdemeanors.
Count 6: COMPUTER CRIMES - DESTROY DATA, REPEATER

The above-named defendant, on or about Monday, April 29, 2013, in the City of De Pere, Brown County, Wisconsin, did willfully, knowingly and without authorization, destroy data, and resulted in damage valued at more than $2,500, contrary to sec. 943.70(2)(a)2&(2)(b)3g, 939.62(1)(c), 943.70(2)(c)2 Wis. Stats., a Class F Felony, and upon conviction may be fined not more than Twenty Five Thousand Dollars ($25,000), or imprisoned not more than twelve (12) years and six (6) months, or both. And further, invoking the provisions of sec. 939.62(1)(c) Wis. Stats., because the defendant is a repeater, having been convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, three misdemeanors, in Brown County case 12CF367 on November 29, 2012, which conviction(s) remain of record and unreversed, the maximum term of imprisonment for the underlying crime may be increased by not more than 2 years if the prior convictions were for misdemeanors.

And in addition, because the defendant disguised the identity or location of the computer at which he or she was working while committing the offense under 943.70(2)(a) or (am) with intent to make it less likely that he or she would be identified with the crime, the maximum penalty may be increased by not more than $2500 and the maximum imprisonment may be increased by not more than 2 years. Complainant is an Assistant District Attorney with the Brown County District Attorney's Office and knows of the above offenses on information and belief based upon:
PROBABLE CAUSE

1. His review of a report of Lieutenant Chad Opicka of the De Pere Police Department, who indicates that on Tuesday, April 30, 2013, at approximately 4:31 p.m., he received a phone call from Dr. Benjamin Villarruel and Michael O'Caliaghan, who are the Superintendent of Schools and the Director of Technology respectively for the Unified School District of De Pere. The school district office is located at 1700 Chicago Street in the City of De Pere, Brown County, Wisconsin. Dr. Villarruel and Mr. O'Caliaghan stated that the school district experienced a catastrophic failure with their computer system. O'Caliaghan believed the failure was caused by an intentional act by a person or persons outside of the school. At that time, there were limited details available regarding the intrusion, but O'Caliaghan believed the significant intrusion occurred at approximately 11:11 p.m. on April 29, 2013.

2. His review of a report of Detective Sergeant Thomas Schrank of the De Pere Police Department, who indicates that on April 30, 2013, at about 4:45 p.m., he had a phone conversation with Michael O'Caliaghan, who was the director of technology for the Unified School District of De Pere. O'Caliaghan indicated that he and his IT staff have been troubleshooting what appeared to be an intentional network intrusion that had disabled the Unified School District of De Pere's computer network. This system in part contains the staff's personal information, including banking and social security information and other personal data; direct pay to staff bank accounts; the student registry and personal information; staff lesson plans; emails between parents and staff and all other email correspondence; students' school work and assignments; grades; all scheduling of athletic activities; and much more data which is used by staff to function on a day to day basis at school. Further, the system allows for public access as a way to check on student grades, communicate with teachers, and for students to check homework assignments and prepare assignments on-line. O'Caliaghan indicated that there appeared to be an intrusion on Sunday, April 28, 2013, in the afternoon. Then on Monday, April 29, 2013, shortly after 11:00 p.m., there was a major network intrusion where it appeared that 21 group files for the network were deleted. There appeared to be commands to wipe the file server clean. The system was currently down and nonfunctional. At that point in time, O'Caliaghan made Detective Sergeant Schrank aware that there was a former IT staff member who had been released from his employment within the past year. That person was identified as Jared R. Carlson, dob: 11/24/82, the defendant. The release of the defendant from his employment had not been pleasant.

3. His review of a report from the Department of Justice, Division of Criminal Investigation Special Agent (S/A) Brad Montgomery, who indicates that on May 1, 2013, he met with Detective Sergeant Schrank of the De Pere Police Department to assist in an investigation of an unauthorized access and deletion of data from a network belonging to the Unified School District of De Pere located in the City of De Pere, Brown County, Wisconsin. S/A Montgomery and Detective Sergeant Schrank met with several staff members from the Unified School District of De Pere, including Benjamin Villarruel, District Administrator, Michael O'Caliaghan, IT Director, Greg Ashauer, Lead Technician, and Kathy Duescher, Micro-computer Specialist. During the meeting, S/A Montgomery and Detective Sergeant Schrank initially met with Villarruel and O'Caliaghan. They explained that there were two separate attacks on the school district's network. The first took place on Sunday, April 28, 2013, in the afternoon, and the second took place on April 29, 2013, shortly after 11:00 p.m. Villarruel explained that there had been ongoing issues with a former IT staff member named Jared R. Carlson, dob: 11/24/82, the defendant. The defendant had started working on the school district's IT staff when he was still attending high school at De Pere. In the Spring of 2012, the defendant had been placed on administrative leave pending the outcome of a criminal case. On April 29, 2012, the defendant was placed on administrative leave without pay, but continued with health benefits. The defendant had made numerous demands of the school district and sent letters to the school district. Some of those letters were threatening while others were just strange.
On December 17, 2012, the defendant was fully released from his employment with the school district and separation paperwork was signed by the defendant on January 30, 2013. The defendant had been submitting numerous requests to the school, including a request to continue health benefits and an open records request for his personnel records. On April 27, 2013, just one day before the first intrusion, the open records request for his personnel records was fulfilled by the school district with the delivery of hard copies of the records the defendant was requesting. However, the defendant had requested digital copies of the documents provided on a CD or thumb drive. Subsequently, Greg Ashauer joined the discussion and provided details regarding the unauthorized intrusion and a timeline of what had occurred. Ashauer indicated that on Monday, April 29, 2013, he began receiving complaints about issues with the network. Ashauer was able to determine that the initial unauthorized access to the school district's network took place on Sunday, April 28, 2013, in the afternoon. During this intrusion, 21 Group Policy Objects were deleted from the network's domain controller. The deletion of these objects resulted in some school district staff not being able to remotely log in to the district's network and some staff not being able to remain logged in after logging in the first time. Ashauer indicated the second unauthorized access into the school district's network took place on April 29, 2013, between 11:04 p.m. and 11:07 p.m. During this intrusion, information and virtual server environments stored on these servers appeared to have been deleted. Along with the deletion of data was the deletion of all log files showing user access to the servers prior to and at the time of the deletion of the servers. Ashauer indicated the school district's server equipment was Hewlett-Packard brand equipment.

Ashauer contacted Hewlett-Packard to request assistance in determining what happened to the system and to get assistance in recovering their data. During the service call, the Hewlett-Packard technician told Ashauer that it appeared as if the storage controller had been reset to default or the factory settings. The technician from Hewlett-Packard replaced some equipment, but that did not solve the issue. At the time of the interview, the only log file viewable contained information that showed the first logon into the system after the deletion of the virtual server was on April 29, 2013, at 11:07 p.m.

4. His review of supplemental reports of S/A Brad Montgomery of the Department of Justice, Division of Criminal Investigation, who indicates that on May 28, 2013, he and Detective Sergeant Schrank of the De Pere Police Department conducted an interview of Jared R. Carlson, dob: 11/24/82, the defendant, at the dining room table of his residence, located at 822 Longview Avenue in the Village of Allouez. The interview was conducted during the execution of a search warrant at that same address. At the beginning of the interview, S/A Montgomery and Detective Sergeant Schrank explained to the defendant that he was free to leave and that he did not have to answer questions, that he was not under arrest and that he would not be placed under arrest on that date. The defendant initially stated he would like to speak with a friend of his named Mike, and then possibly an attorney. S/A Montgomery advised the defendant that he could contact an attorney while the search was being conducted, but that they would not allow any other phone calls while the search warrant was being conducted. After further discussion, the defendant stated, "Let's talk and see where it goes." S/A Montgomery asked the defendant to describe the computer network system at the Unified School District of De Pere. The defendant provided details of how he thought the school district's computer may have been attacked. S/A Montgomery and Detective Sergeant Schrank began to ask the defendant about the network intrusions that took place on Sunday, April 28, 2013, and Monday, April 29, 2013. The defendant initially denied having any involvement in the unauthorized access. S/A Montgomery and Detective Sergeant Schrank continued to question the defendant regarding his involvement. The defendant again asked if he could speak with his friend, Mike, before answering questions. S/A Montgomery and Detective Sergeant Schrank allowed the defendant to make that phone call. The defendant spoke to his friend, Mike, over the telephone. After the conversation, the defendant explained that Mike advised that he contact an attorney. S/A Montgomery and Detective Sergeant Schrank asked the defendant what he wanted to do. The defendant stated he wanted to continue to talk with S/A Montgomery and Detective Sergeant Schrank. After further discussion, the defendant indicated he had gone into the network without authorization, but that he had not deleted anything during his access into the system. The defendant stated he had gone into file servers and folders and was admitting to accessing his personnel file, the IT network administration file and the Simplex server. The defendant stated he remoted into the network through a Virtual Desktop Instance (VDI) that was currently assigned to a teacher whose name started with the letter "K". The teacher had been previously identified as Brittany R. Kops. The defendant stated he used Kops' username and password to log into the De Pere School District's system. He accessed a website provided to teachers and staff that allows them to work remotely through the VDI. Once logged into the school district's network, he was able to use other administrative usernames and passwords to elevate his privileges on the network. The defendant continued to state that he had not intentionally caused any damage to servers, files, or any data on the school district's computer. The defendant also explained that the only computer he used to access the school district's network was the Asus laptop that was located by officers during the execution of the search warrant. The defendant did state he attempted to eliminate any traces of evidence on the laptop by defragmenting the hard drive and wiping all the free space on the hard drive and then deleting information from the registry.

5. His review of a supplemental report prepared by Detective Sergeant Schrank of the De Pere Police Department, who indicates that on May 29, 2013, at approximately 3:23 p.m., he received a voicemail from Jared R. Carlson, dob: 11/24/82, the defendant. In the voicemail, the defendant asks for Detective Sergeant Schrank to call him because he wanted to speak with him. Detective Sergeant Schrank called the defendant at approximately 3:26 p.m. The defendant asked if it would be possible for him to come speak with Detective Sergeant Schrank. The defendant arrived at the De Pere Police Department and a recorded interview began at approximately 4:05 p.m. Detective Sergeant Schrank reminded the defendant that he was not under arrest and that he was free to leave the building at any time. The defendant indicated that he was aware of that and that he wanted to talk to Detective Sergeant Schrank and that is why he called him. Detective Sergeant Schrank provided the defendant with a receipt for the items that were collected the previous day as part of the execution of the search warrant. The defendant reviewed the list and Detective Sergeant Schrank asked him what he should focus on forensically. The defendant told Detective Sergeant Schrank, "When I did do that awhile ago, which I didn't mean to do and I didn't crash it. It was just a look. It was the Asus laptop."
Therefore, the defendant identified the Asus laptop recovered from his home as the laptop that he used to enter the Unified School District of De Pere's network for the intrusion. The defendant initially stated that he entered the district network and looked around, but did not cause any damage. The defendant recalled that it was about a month ago that he entered into the school network. He stated he looked into his file folder and a couple other folders. He stated that the access to the school system was set so that any staff member could get into the network from outside the school. The defendant asked Detective Sergeant Schrank if they could get past the name that he used to enter the school network, as he did not remember the school staff name that he used to access the network. The defendant said that after entering the network, there was a way that he could change the access level from the low level that the staff member had to increase it to a higher access level as he knew the password required to do so. The defendant stated he upped the access level to look at his folder in the school network, as well as other stuff. The defendant described that students had very very strict access levels, staff members had a little less strict access, but the technological staff had all access. The defendant stated he changed the staff member's setting that he used to enter the school system to the highest level, the tech level access. He indicated there is a command to change that access level. He initially didn't remember the command, so he had to look it up. The defendant indicated he used the command to jump the access level from low to higher access and then was able to look around more in the school network. The defendant described he was involved in the entire creation of the school network. He also indicated he created all of the district's usernames and came up with a bank of passwords. 
The defendant said he later put all of the usernames and passwords onto a spreadsheet. The defendant indicated that once he got into the network, he realized that the school had not changed any of the administrative passwords from the time that he previously worked there. The defendant stated he used a "SQL-Service" account to access the network at the highest level. The defendant stated when he had been into the school network, he went into the IT folder. He wanted to see if they had changed anything after he left and see if they got rid of his accounts. The defendant found that they had not. The defendant indicated he recalled going into two of his account folders that the school had on him when he made the intrusion. He stated he purposely avoided attendance records, grades and payroll as he did not want to hurt the students or the staff. The defendant further explained that there is no difference between accessing the network at school or at home as long as you had the passwords. The defendant explained that he had no restrictions and he could do pretty much anything he wanted in the network without limitations. He stated he had created the network system, he had created the names for the network system, he had created all of the usernames and passwords for the school staff for the network and set up the system, as well as did the backup. The defendant stated that the administrator accounts had been set up for the passwords not to expire and that when he intruded into the system, he realized that they had not turned off his accounts or changed the passwords.
Detective Sergeant Schrank discussed with the defendant his departure from employment at the school. The defendant stated he did not have a big problem with the departure, he just wished they would have given him more of the things that he asked for, including a year's pay, benefits and a couple other things. The defendant also said he believed the HR department was playing games with him by turning his health benefits off and on. He indicated he had written Dr. Villarruel a letter about that. The defendant stated he felt as if the school was playing games with him and this made him feel upset. He did say that he never really wanted to hurt the school or mess up their system. Detective Sergeant Schrank asked the defendant if the system was going to fail, what could he have done or what would he expect to see for the system to go down. The defendant said that the storage or SX failed, but that there are so many different parts. Detective Sergeant Schrank asked the defendant if things were going to be deleted, how would it be done. The defendant said that the core switch is where everything is connected and that could bring the system down. Detective Sergeant Schrank asked the defendant what would need to be done to delete the system and the defendant said he would go after the virtual center, right click and say delete. The defendant explained how the virtual center works and how it manages all of the servers and that you can right click and delete and wipe the servers clean and that is the simplest way to explain it. The defendant drew diagrams of how the servers worked and are controlled.

The defendant again explained how to log into the system remotely and what commands he would have made. The defendant explained that he never changed the teacher's access, but "e-validated" his access, which was a temporary validation to provide increased access level. The defendant stated he used the "SQL-Service" account and password to up his level to administrator. He stated as soon as he logged out, it would go back to normal and no one would see that he was in. The defendant again recalled looking at his folder, as well as a shared folder in the network, but stated that he did not damage it. He said that he went into the network before the damage to the network. The defendant then started to explain to Detective Sergeant Schrank that the school caused him stress that messed him up on the day he was arrested in 2012. He stated the incident where he was arrested started everything. The defendant then confirmed that he knows he went into the school network and "e-validated" his access to the network. He stated he knew his laptop would still show that. He then explained that the attack he executed against the school would have been late at night, probably at 10:00 or 11:00 p.m., and that he did so from his home. The defendant stated he issued commands to attack the school network at the HP storage appliance. At that point, the defendant stated he just wanted to tell the truth. He stated that he knew he messed up. The defendant explained that the MSA, or the storage appliance, had a command where it could be deleted and when you activate that command, it wipes the appliances to the factory settings and everything would be deleted and would appear blank. All of the servers would be wiped clean to factory settings and all of the data would be destroyed. The defendant stated that is what he is sorry about. The storage appliance would have been wiped to a factory state, which would have wiped pretty much everything. The defendant stated he thinks he issued the commands to delete because he was confused and upset that night. He stated he was upset with the school and that was it. He indicated he thought he would wipe out the servers, but when you are on meds, you don't process it completely. He indicated he thought it would take the school a day or two, but that they should have been able to restore the servers. The defendant said he never got afraid until the day Detective Sergeant Schrank showed up as he did not think the school was investigating the issue because it would cost too much money.
The defendant said again that he knew he had messed up and that he shouldn't have done it. He said he was sorry and it was a mistake. He indicated he would write an apology letter to the school district. The defendant asked if officers could look at his laptop because the defendant could show officers the stuff on his laptop and the command that he used. The defendant talked about the command that he used to look in the folders. He also talked about the command to raise privileges that did no harm. The second part was the HP storage appliance, which is what he was very sorry about. The defendant wrote down that he logged into the system and reset about 50 servers that were caused to be set back to the factory reset, therefore, deleting the data from them.

6. His review of a Forensic Investigation Report prepared by Mark Shelhart, Senior Manager for 403 Labs. That report indicates that on May 4, 2013, 403 Labs was contracted to investigate a breach of the computer system of the De Pere Unified School District in De Pere, Wisconsin. 403 Labs met with personnel from the De Pere Unified School District, who explained that an unknown individual had deleted one of its two primary storage area network (SAN) arrays on April 29, 2013. The deletion caused a loss of data and the majority of De Pere Unified School District's systems to go offline. The report first explains the definition of a storage area network, which is a device that provides hard drive storage for multiple computers at the same time. Instead of maintaining hard drives on separate computers, a SAN allows all drives to be in one unit, but appear as local hard drives on each computer. SANs facilitate easier maintenance, flexibility and growth and potentially faster backup and restore times. The 403 Labs report indicated that the majority of the De Pere Unified School District's servers and user data were stored on the same SAN device at the De Pere Unified School District. Deleting the SAN array left the De Pere Unified School District without critical systems for several days. Many files belonging to the school, faculty and students were lost beyond recovery. In the initial findings, 403 Labs indicated that after the SAN array went offline, the vendor, Hewlett-Packard, assigned a technician to investigate the issue. The HP technician forwarded a log excerpt from the SAN device, which included information that purported to be an IP address where the intrusion was made. The log excerpt indicated a connection to the SAN's administrative interface. The De Pere Unified School District reported that it was an unexpected and unauthorized connection. 403 Labs was able to determine that the IP address that was initially reported was transposed and that the ultimate IP address 10.115.40.33 was a known IP address on the De Pere Unified School District's network. That IP address was associated with an account of Brittany Kops, a De Pere Unified School District employee. Kops is a special education teacher for the school. 403 Labs made forensic images of several devices, including Kops' virtual PC, her physical workstation and the master control server. Using those forensic images, 403 Labs was able to create a Summary of Findings. In its Summary of Findings, 403 Labs identified conclusive evidence of a breach of the De Pere Unified School District's computer systems.
The artifacts listed indicate attacks on two separate dates where an attacker connected to Brittany Kops' virtual PC, an attacker successfully located and accessed documents regarding the defendant's termination and previous employment, an attacker used an account with administrative privileges to connect to other systems, an attacker accessed files related to the De Pere Unified School District's IT infrastructure, an attacker connected to the SAN and deleted its contents and further, the defendant's user account assigned to him during his employment was accessed. 403 Labs indicated that while Brittany Kops had a physical workstation that she used, she had a virtual PC that allowed her to work from any computer remotely. The virtual PC would appear as fully functioning to an end user. 403 Labs identified that an attacker gained access to Brittany Kops' virtual PC by using her password. The password was initially set up for Kops by the defendant as part of his IT role with the De Pere Unified School District. Brittany Kops' physical workstation showed no signs of use during the timeframe when the intrusions occurred. Brittany Kops' virtual PC contained several artifacts showing multiple documents concerning the defendant, which were accessed late at night on April 28, 2013. The artifacts showed that the virtual PC accessed several other documents that contained sensitive information regarding IT infrastructure and other staff members, including School Superintendent Villarruel, Janine Rasmussen, who is Villarruel's assistant, and Michael O'Caliaghan, the defendant's former supervisor and the IT Director for the school district. At the time of the intrusion, a service account (SQLService) accessed other systems within the De Pere Unified School District's network. The account had the same password as when the defendant worked for the school district. 403 Labs indicates that an


administrator account has the highest level of access and can perform nearly all actions on the computer. On April 27, 2013, logs show that an attacker used the SQLService account to remotely access three other servers in the De Pere Unified School District's environment. Those servers include the domain controller (dc01), which controls security for all users in the environment, including teachers, students and staff. A second server that was accessed was the simplex3 server, which hosts the closed-circuit television security system for the school. Evidence shows that an attacker viewed video footage from the school via Brittany Kops' computer. A third server that was accessed was the vcenter01 server, which is the master server controlling nearly all other servers within the school district's environment. Accessing that vcenter system could allow an attacker to remotely access and control nearly any other server. The connection logs of that server indicated that the attacker had a familiarity with the school district system's infrastructure. 403 Labs' report further indicates that on April 29, 2013, an attacker accessed IT-related documents in a manner similar to the unauthorized entry that occurred on April 27, 2013. The report demonstrates that the De Pere Unified School District's SAN device had its own webpage used for maintenance and management and that since it is a webpage, the browser history of Brittany Kops' virtual PC could capture activity listed. 403 Labs was able to identify, using Brittany Kops' virtual PC, that her user account was connected to the SAN and that once connected, an attacker clicked on the button that deleted the SAN array, which caused the outage suffered by the De Pere Unified School District, its staff and its students. The forensic evidence indicates that the delete button was clicked at approximately 11:05 p.m. on April 29, 2013.
Shortly after the SAN array was deleted, someone logged into the defendant's user account assigned to him during the period of his employment. The vcenter server showed activity on the defendant's account at approximately 11:16 p.m. on April 29, 2013. The information from 403 Labs is consistent with the confession provided by the defendant regarding the nature of his entry into the De Pere Unified School District's system.

7. His review of a supplemental report of Detective Sergeant Schrank, who indicates that on May 29, 2013, he and S/A Montgomery of the Division of Criminal Investigation met with Brittany R. Kops. Kops indicated that she had been a special education teacher at Foxview Intermediate School from September of 2011 to the present. She indicated that she is assigned a laptop computer and that she believed it was an HP computer. She stated she always leaves the laptop at school and did not understand how to remotely enter into the school network from home or outside of school with the laptop. She indicated she is assigned a unique personal username and password assigned to her by the school district for login and entry to the network. She indicated the username and password is for her and her only. She stated she has never given consent or provided the username or password to any other person. She denied ever accessing the school network during late evening hours, either 10:00 p.m. or 11:00 p.m., or later. She stated she had never entered any files, folders or any other areas of the school network related to Jared Carlson. Kops specifically stated she had never given the defendant consent to use her unique personal username and password assigned to her by the De Pere Unified School District for login or entry into the district network.


8. His review of a supplemental report of Detective Sergeant Schrank, who indicates that on July 11, 2013, he spoke with Superintendent Benjamin Villarruel about the current dollar loss to the school district that was a result of the intrusion by the defendant into the school's network. As of that time, the school did not have a final cost, but indicated that they had paid $20,000 to 403 Labs for their help in attempting to restore the network and servers related to the intrusion. In addition, the school district paid $11,500 to Camera Corner to help restore their MSA SAN data that was deleted from the network system.

9. His review of the Wisconsin Circuit Court Access Program (CCAP), which shows that on November 29, 2012, Jared R. Carlson, the defendant, was convicted of Criminal Damage to Property, Disorderly Conduct and Obtaining a Prescription Drug by Fraud, all misdemeanors, in Brown County case 12CF367.

Complainant believes the reports of Lieutenant Opicka and Detective Sergeant Schrank of the De Pere Police Department and S/A Montgomery of the Division of Criminal Investigation as they are sworn law enforcement officers whose reports your complainant has reviewed in the past and found to be truthful and reliable. Based on the foregoing, the complainant believes this complaint to be true and correct.

Subscribed and sworn to before me, and approved for filing on: This 22nd day of August, 2013.

(Assistant) District Attorney
