AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Legal Disclaimer

The information listed below is purely informational in nature and not meant to be a substitute for legal advice. One should consult with their respective jurisdiction’s district attorney, prosecutor, judge, etc. prior to using this language for any legal process in an actual investigation. AboutDFIR and its authors are not liable for any content, accuracy, or context.

Serving Preservation Letters/Search Warrants

As stated on this section’s home page, for every digital investigation where a Preservation Letter or Search Warrant is involved, Search.org’s ISP List should be your number one stop regarding proper steps to serve your legal process.

Preservation Letter/Search Warrant Language Template

Any and all content relating to any Snapchat account(s) associated with the registered email address suspect@domain.com from X date/time to Y date/time UTC including but not limited to:

  • All user account information including but not limited to: name, username, birthday, registered mobile number, registered email address, associated payment methods (including billing address and name), snap privacy settings, account creation date, and terms of service IP address
  • Login History and Account Information including but not limited to: basic information, device information, device history, login history, two-factor authentication, account deactivated/reactivated, display name change, mobile number change, password change, Snapchat linked to Bitmoji, email change, spectacles
  • Snap History: sent and received
  • Chat History: sent and received
  • Our Story and crowd-sourced content
  • Purchase history: in-app purchases, on demand geofilters
  • Snapchat Support History
  • User Profile: app profile, demographics, engagement, discover channels viewed, interest categories
  • Friends: friends list, friend requests sent, blocked users, deleted friends
  • Ranking: number of stories viewed, content interests
  • Location History: frequent locations, latest location, top locations, map explore, locations you have visited
  • Search History
  • Terms History
  • Subscriptions
  • Bitmoji
  • Shop History
  • Basic account information (username, registered email address, registered phone number, account creation date) for any Snapchat account(s) which share the registered phone number and/or registered email addresses for the above Snapchat user account(s) for the time period of *insert timeframe here*

Alternative Language

Any and all content for the Snapchat account(s) with the username suspect from X date/time to Y date/time UTC including but not limited to:

Any and all content relating to any Snapchat account(s) associated with the registered phone number 1-123-456-7890 from X date/time to Y date/time UTC including but not limited to:

Notes

It may be possible to discover other Snapchat account(s) owned by the suspect using the verbiage above. As long as probable cause supports it, it doesn’t hurt to see what else the suspect is doing beyond known account(s). It may help your case become stronger. I have personally had success with this for Snapchat so it’s absolutely worth a shot.

One cannot use Snapchat on a web browser; however, there is an online portal where you can access “My Data”. As of 12/2/2019, here is what Snapchat told me is available for me to download:

This can be a great template for what to ask for on a preservation letter or search warrant. Actually, if you look closely, 90% of what is in the image above is in the language template on this page. Feel free to modify it as you see fit to best suit your investigation. The worst they can say is “no” and you just have to modify what you’re asking for until something sticks. That’s how we all learn!