AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Legal Disclaimer

The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liable for any content, accuracy, or context.

Serving Preservation Letters/Search Warrants

As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal process.

Preservation Letter/Search Warrant Language Template

Pursuant to Title 18, United States Code, Section 2703(f), you are requested to preserve all records relating to any Discord account(s) associated with the registered email address suspect@domain.com from X date/time to Y date/time UTC including but not limited to:

  • All user account information including but not limited to: account creation date, registered email address, registered phone number, associated payment methods (including billing address and name), and terms of service IP address
  • A list of all usernames and associated discriminators used for the above account during the above timeframe
  • The content of all messages, public and private, sent by suspect#1234, including deleted and edited messages
  • A list of all servers suspect#1234 was a member of and/or owned during the above timeframe 
  • All images and media sent or received by suspect#1234 during the above timeframe 
  • All reactions to posts/messages committed by suspect#1234
  • All assigned roles associated with servers suspect#1234 was a member of

Alternative Language

Any and all content for the Discord account(s) with the username suspect#1234 from X date/time to Y date/time UTC including but not limited to:

Any and all content relating to any Discord account(s) associated with the registered phone number 1-123-456-7890 from X date/time to Y date/time UTC including but not limited to:

Notes

It may be possible to discover other account(s) owned by the suspect using the verbiage above. As long as probable cause supports it, it doesn’t hurt to see what else the suspect is doing beyond known account(s). It may help your case become stronger. Also, for Discord, the 4 digits after the # are crucial in identifying the correct suspect’s username. Technically, 9999 people can have the same username on Discord. They would all be distinguishable from their discriminator, or the #XXXX after their username. Example: Suspect#0001 through Suspect#9999 could exist. The numbers are very important! 

In addition to the above, Discord Nitro is a premium subscription service for Discord which allows for a user to change their username and discriminator at will. See below for a preview of what that looks like to the end-user:

Given that usernames are NOT static, it’s crucial to have a timestamp associated with the specific username you’re looking for. They could be suspect#1234 one minute and badguy#5678 the next minute. If you only have usernames and no email or phone number associated with the account, you’re going to need to know as specific as possible timeframes for when he/she had the respective username(s).