AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Legal Disclaimer

The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc., prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liable for any content, accuracy, or context.

Serving Preservation Letters/Search Warrants

As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal process.

Google Law Enforcement Requests System

Google LERS is one of the most user-friendly portals at law enforcement’s disposal. It is advised to create an account ahead of time and save your login somewhere secure so you’re ready to go when time is of the essence.

Preservation Letter/Search Warrant Language Template

Pursuant to Title 18, United States Code, Section 2703(f), you are requested to preserve all records relating to any Google account(s) associated with the registered email address suspect@gmail.com from X date/time to Y date/time UTC including but not limited to:

  • All user account information including but not limited to: account creation date, registered email address, registered phone number, associated payment methods (including billing address and name), and terms of service IP address
  • The contents of the following Google services for the above specified timeframe
    • Hangouts
    • Maps
    • Gmail
    • (list any other services relevant to your investigation)
      • Sub bullet points can be used to further specify what you want from each service, if needed

Alternative Language

Any and all content relating to any Google account(s) associated with the registered phone number 1-123-456-7890 from X date/time to Y date/time UTC including but not limited to:

Notes

It may be possible to discover other account(s) owned by the suspect using the verbiage above. As long as probable cause supports it, it doesn’t hurt to see what else the suspect is doing beyond known account(s). It may help your case become stronger. 

The main challenge with Google is that they offer so many services that store data on any given individual. It is important to ensure you’re aware of all the services they provide and what those respective services can provide you. Additionally, Google is notorious for discontinuing services seemingly at random. If your case involves a Google account and a timeframe reaching back 6 months or more, check here for a list of discontinued Google services to see if any might be relevant to your investigation. Once you have developed a list of relevant Google services for your investigation, ensure you list them in the appropriate place above in the template language.

If you are looking for specific items from a specific service, it may behoove you to list that in a bullet point below the respective service. For instance, if I wanted a few specific items from the Google Maps service, I could do something like this:

  • Maps
    • Location History
    • Search Results
    • Saved Home/Work Address

Or for Hangouts, another example:

  • Hangouts
    • All messages sent and received by the user
    • All images and media sent and received by the user including deleted media and all associated metadata

You can get creative with each of these services. In order to ensure you’re asking for everything a Google service can offer you, talk to your resident Google enthusiast!

Other Templates

Google Affidavit

Google Warrant

Chromebook GoBy

Chromebook Device Template

A special thank you to VTO Brews & Bytes for the above templates!