AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Legal Disclaimer

The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc. prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liable for any content, accuracy, or context.

Serving Preservation Letters/Search Warrants

As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal process.

Microsoft Law Enforcement Portal

Create an account on Microsoft’s LE Portal ahead of your submission so you don’t have to wait for verification to occur. If time is of the essence, hopefully, you already have a login established.

Preservation Letter/Search Warrant Language Template

Pursuant to Title 18, United States Code, Section 2703(f), you are requested to preserve all records relating to any Microsoft account(s) associated with the registered email address suspect@domain.com from X date/time to Y date/time UTC including but not limited to:

  • All user account information including but not limited to: account creation date, registered email address, registered phone number, associated payment methods (including billing address and name), and terms of service IP address
  • The contents of the following Microsoft services for the above specified timeframe
    • OneDrive
    • Outlook
    • Bing
      • Sub bullet points can be utilized to further specify items from a respective service related to your investigation, for example:
      • Search queries
      • Saved searches
      • Search alerts

Alternative Language

Any and all content relating to any Microsoft account(s) associated with the registered phone number 1-123-456-7890 from X date/time to Y date/time UTC including but not limited to:

Notes

Similar to Google, Microsoft has multiple services that offer the potential for useful data for your investigations. However, Google holds the crown in most services offered by a country mile. With Microsoft, you can leverage any service provided by their Office 365 product as long as the account you’re dealing with is a 365 account. With Office 365, documents are stored on OneDrive, which can be provided if you ask for them in your search warrant with appropriate probable cause.

Microsoft has multiple potential email domains that a user can utilize, including but not limited to: @hotmail.com, @live.com, @msn.com, @passport.com, and @outlook.com. It is also not uncommon for someone to use a completely different email provider’s domain for their Microsoft account, e.g. a Gmail address.