Carmel Case # CG1300319

FILED
JUN 1 3 2013
STATE OF CALIFORNIA- COUNTY OF

RETURN FOR SEARCH WARRAN II THESUPERIORCOURT
I, the undersigned, make this Return to the attached Search ..... -I
I received said warrant issued by the Honorable Judge Robert
O'Farrell, on 06/05/13 and under its authority, on 06/05/13, diligently
searched the property, person(s) and/or things described therein, and
there I discovered the following items and do hereby make an
inventory of the same:
1-Phone 4
Lap Top Serial #CNF7371 MVZ
Ativa Thumb drive Serial # ATMMD16NFTSOL
CD-RW-Imitation Brand
Lexar Thumb Drive Serial# 33195-BGBGA
HP Desk Top Computer Serial# USH00600NP
CD-R Memorex Brand
I, Officer Lightfoot, by whom this warrant was executed, do swear that
the above inventory contains a true and detailed account of all the
property taken by me on the warrant.

otticer Rachelle Lightfoot
Subscribed and sworn to before me this 13th day of June, 2013 in
Monterey, California
b[,-3/-G
Clerk of the Court
I
\Jii: ,,. - -
V /;
---- ---------------------
SUPERIOR COURT OF CALIFORNIA
County of Monterey
SEARCH WARRANTC
JUN 1 3 2!113
THE PEOPLE OF THE STATE OF CALIFORNIA TO
any peace officer in Monterey County:
Warrant No. ] (t/6'2.-
The affidavit below, sworn to and subscribed before me, has established probable cause for this search warrant that you
are ordered to execute as follows:
Place(s) to be searched: Described in Addendum A, attached hereto and incorporated by reference.
Property and/or Person to be seized: Described in Addendum 8 , attached hereto and incorporated by reference.
Night service: [If initialed by Magistrate] For good cause shown night service is authorized: ___ _
Hobbs sealing requested: [If initialed by Magistrate] For good cause shown for Hobbs sealing is authorized: ___ _
Disposition of property: Pursuant to Penal Code 1536, the law enforcement agency seizing evidence pursuant to this
search warrant may dispose of such evidence in law once it is no longer needed for investigation and
prosecution. Until that time, a\1 property arra rJetain e affiant' s custody.
.. :. .
, -- n c 1 rz g ft.:.... , .:. ?' % -
) .:J. , _..) - . =-:_cv"Vl.....C ' //
p te and Time Warrant Issued %_ . . ge of the Superior Court
Officer Rachelle Lightfoot, Carmel Police Department: The facts in support of this warrant are contained in the Statement
of Probable Cause, which is attached hereto and incorporated by reference. Also incorporated by reference and attached hereto
are Exhibit lA, describing the place(s) to be searched, and Exhibit 18 , describing the evidence to be seized.
Evidence type (Penal Code 1524):
D Stolen or embezzled property.
[gl Property or things used as a means of committing a telony.
D Property or things in the possession of any person with the intent to use it as a means of committing a public offense, or
in the possession of another to whom he or she may have del ivered it for the purpose of concealing it or preventing its
being discovered.
[gl Property or things that are evidence that tends to show a felony has been committed, or tends to show that a particular
person has committed a felony.
D Property or things consisting of evidence that tends to show that a violation of P.C. 31 1.3 [sexual exploitation of a
child], or 311.11 [possession of matter depicting sexual conduct of a person under 18 years of age] has occurred or
is occurring.
D Other evidence type listed in Penal Code 1524(a) (must specifY).
Declaration: I declare under penalty of perjury that the information within my personal knowledge contained in this affidavit,
including all incorporated documents, is true and based thereon I have probable cause to believe and do believe that the
property/person described in Addendum A is lawfully seizable and is now at the locations set forth in Addendum B. I
therefore request that this Search Warrant be issued.
Date (;,- 6 -\

I
J
---------------- -------- --- ---------------------------------- ----- ----- -n ' ~ ( ( ? r_:-_ ----
Addendum A
Place(s) to be searched:
I -
1. The residence of Steve Mclnchak at 27590 Via Sereno is further described as single-family two story
dwelling being a tan colored stucco structure with dark brown in color trim located at the northwest
comer of Shulte Road and Via Sereno, Cannel, California having a pointed shingle roof. The residence
has two garage doors: Both are located on the east side ofthe house and are beige with dark brown
trim. The larger door is on the S/E comer and the smaller one is closer to the N/E comer. The door to the
residence is located on the NE side just out of view. The number "27590" is hanging from the gutter
above the garage.
2. Any and all outbuildings, trailers, or vehicles on the curtilage of the property under the control of the
occupants of the residence at Carmel Valley, Monterey County, California.
For further Description of residence please see below photograph:
2
~ r lP'6 e-
I ---
, - - - ~ - - - - - - - ~ - - - - - - - - - - - - - - - - - - - - - - ~ ~ - - - - - - - - - - - - - ,
'
I
Addendum B I
FOR THE FOLLOWING PROPERTY:
All electronic data processing and storage devices, computers and computer systems, such as central processing
units, internal and peripheral storage devices such as fixed disks, internal and external hard drives, floppy disk
drives and diskettes, tape drives and tapes, optical storage devices, dongles, encryption keys, personal data
assistants (PDA's) or other memory storage devices, including thumb or flash drives, computing or data
processing software, stored on any type of medium such as: hard disks, floppy disks, CD-R's, CD-RW's, DVD' s,
cassette tapes, or other permanent or transient storage medium.
Any records, whether stored on paper, or electronically stored on magnetic media such as tape, cassette, disk,
diskette or on memory storage devices such as optical disks, programmable instruments such as mobile telephones,
"electronic calendar\address books" calculators, or any other storage media, together with indicia of use,
ownership, possession, or control of such records.
Any written or computer communication in printed or stored medium such as E-Mail and Chat Logs whether in
active files, deleted files or unallocated space on the hard drive, floppy drive or any data storage media.
Search of all of the above items is for files, data, images, software, deleted files, altered files, and date and time, for
evidence.
With respect to computer systems and any items listed above found during the execution with this Search
Warrant, the searching Peace Officers are authorized to seize and book said computer systems and any items
listed above and transfer them to a Law Enforcement Agency location prior to commencing the search of the
items. Furthermore, said search may continue beyond the ten-day period beginning upon issuance of this
Search Warrant, to the extent necessary to complete the search on the computer systems and any items listed
above.
The search of any seized computer, hard drive and removable storage devices may take place at the Monterey
County District Attorney' s Office, or any other secure law enforcement facility with the necessary equipment to
conduct the search safely and efficiently. You may also search for and seize all peripheral devices that appear
reasonably necessary to access data stored in the computer and removable storage devices.
Any indicia, such as fingerprints, letters, envelopes, bills, identification cards, driver's licenses, passports, rent
receipts, leases, financial records, checks, checkbooks, diaries and any written documents, that tend to show
who has dominion and control over the premises to be searched for the stolen property listed above. Also, any
photos, drawings, videos, DVDs or other pictures that tend to show the identity of the person or persons who
have dominion and control over the premises to be searched for the stolen property listed above.
L ____________ _
----------- - - -
_ ___ _j
3
- ---- --------- - ---------------- ----- --------- ----- - ----- ------ - -==-=--::-1E_ L -------
FILED
+ Statement of Probable Cause +
Summary of Training of Affiant, Rachelle Lightfoot:
1. P.O.S.T. Basic Police Academy 2002
2. P.O.S.T Radar Operator Course 2004
3. P.O.S.T Arrest Control/Defensive Driving & Firearms 2005
4. P.O.S.T Criminal Investigation Core Course 2005
5. SBRPST Interview and Interrogation 2006
6. P.O.S.T Arrest Control/Defensive Driving &.Firearms 2006
7. P.O.S.T Monterey County Joint Gang Task Force 2007
8. P.O.S.T Mounted Patrol Course (CMOA) 2007
9. P.O.S.T Field Training Officer 2007
I 0. P.O.S.T Search Warrant Investigation 2008
11 . P.O.S.T Supervisory Development Course 2008
12. P.O.S.T Gang Survival Conference 2008
13. P.O.S.T CIT Academy 2008
14. P.O.S.T CMOA Update/Annual Workshop 2008
15. P.O.S.T Death Investigation 2008
16. P.O.S.T Gang Survival Conference 2009
17. P.O.S.T DUI Standards & Training 2009
18. Gryphon Training Group Elderly Victimization 2009
19. P.O.S.T Child Abuse Investigation 2009
20. P.O.S.T Sexual Assault Investigation 2009
21. P.O.S.T Detective Training Symposium 2009
22. 0.0.1 Firearms Investigation Training 2009
23. P.O.S.T Specialized Surveillance Techniques 2010
24. D.O.J Arson Evidence & Analysis 2010
25. SEARCH Social Networking Investigation 2010
26. HIDTA Detecting Deception-Interview/Interrogation 2011
27. P.O.S.T Informant Development & Maintenance Course 2011
28. SJPD Megan's Law Training 2011
29. 0.0.1 PC Forensics/Basic Data Recovery 2012
30. P.O.S.T Detective Training Symposium 2012
31. P.O.S.T Human Trafficking of Minors 2012
32. P.O.S.T Gang Survival Conference 2012
!
MAZZ

--+-- ___ ___ .D[:I' '.;

880 hrs
24 hrs
15 hrs
84 hrs
24 hrs
14 hrs
16 hrs
24 hrs
40 hrs
24 hrs
80 hrs
16 hrs
32 hrs
16 hrs
16 hrs
16 hrs
8 hrs
16 hrs
40 hrs
40 hrs
16 hrs
8 hrs
40 hrs
8 hrs
8 hrs
8 hrs
20 hrs
8 hrs
32 hrs
24 hrs
8 hrs
16 hrs
Tnofuentes
Affiant, Rachelle Lightfoot, is currently a Detective for the Carmel-by-the-Sea Police Department and has been
employed since 2003. Affiant attended the P.O.S.T Basic Police Academy, located at Gavilan College in 2002.
The Basic Police Academy provided basic classroom and practical exercise and instruction regarding a variety
of crimes and criminal investigations and was approximately 880 hours in duration. Following graduation from
the Police Academy, Affiant worked as a patrol officer in the City of Salinas, where Affiant handled various
calls for service. Affiant began working for the Carmel-by-the-Sea Police Department in October 2003 and was
assigned to patrol for approximately five years. In January 2009, Affiant was assigned to investigations and was
made responsible for investigating sexual and violent crimes, homicide, major drug and property related crimes
and computer crimes.
_ ____ j
4
n 1 0::. i
On Tuesday, 05-28-13, at approximately 1000 hours, I was contacted by Co_ mm _ and_e_r of ilie
Carmel Police Department in regards to possible misconduct of another city employee, Steve Mclnchak.
Commander Tomasi told me that Mclnchak was suspected of using his position as Information
Systems/Network Manager to access sensitive information from the city's computers. Commander Tomasi
advised that the city had hired an outside Forensic Examiner to gather proof and facts. He asked that I contact
the examiner and initiate an investigation.
On Wednesday, 05-29-13, At approximately 1100 hours, I met with Forensic Examiner, Mark Alcock, in my
office. During introductions, Alcock told me that on 02-27-13, he was retained by the city of Carmel to do an
examination of Mclnchak's work computer. Alcock told me that his credentials included being a retired police
officer and had been examining computers since 1994. His job included identifying, preserving and recovering
data from digital media devices, including computers, lap tops and personal digital assistants (PDAs), that may
have been linked to or used in a crime. He told me that he also testified in court about information that was
found or recovered and was considered an "expert" in his field by superior court standards.
Alcock told me that his investigation started on 03-06- 13, when he went to Mclnchak office located at Vista
Lobos (Torres & 3rd) to search his desk top computer. He was accompanied by City Human Resources
Director, Susan Paul and Police Chief Michael Calhoun. Mclnchak was not present at the time. Alcock said that
when he sat down in front of the computer, Mclnchak had left it logged on, essentially allowing anyone total
access to his computer contents. It should be noted that this computer is city property and subject to search per
departmental policy.
Using a forensic tool kit (FTK), Alcock obtained a forensic image ofMclnchak's computer files that could be
analyzed at a later date. Alcock then completed a "field" examination where he looked and went into different
files to see if there was any evidence of misconduct. What he found was that Mclnchak's computer had network
shares to all of the city's servers, which led to directory shares containing employee documents. Alcock also
noted that Mclnchak had created network shares that allowed him to access any employee's personal computer
desk top which also would contain their documents and e-mails.
Alcock also advised me that on 05-17-13, he was able to access Mclnchak's city issued lap top computer.
Alcock explained that Mclnchak had left it logged on in his office, and Alcock was able to do a partial forensic
search using FTK software. Alcock said that the search was going to take longer than he had time for so he
aborted it before it was finished. Fortunately, before that, he was able to see where Mclnchak had logged in as
City Code Enforcement Officer John Hanson and Hanson's documents and e-mail contents were downloaded
onto Mclnchak's lap top desk top.
Because Mclnchak was our information systems manager, he had access to everyone's passwords and user ID's.
Alcock and I went over Mclnchak's job description together and it stated that only under general supervision or
direction was he allowed to access anyone's account and if he did, it would be as an administrator under his own
administrative user name or password. There would be no reason he would ever have to log in as the employee.
Alcock explained that when an administrator works on a computer he must use the administrator account which
has the rights and permissions to make repairs of the computer that the employee's user name and password
would not have. Alcock went on to explain that normal information systems practice to enter an employee's
account would be either using the remote administrative utility which would require the permission of the
employee, or, through server shares that the administrator has access too, but would log in using administration
user id and password, not employyees. Therefore, an employee's private documents would only be seen and not
downloaded to the administrator's computer.
Alcock explained that Mclnchak instead of using any of the normal ways to access employee accounts, he chose
to use the user roaming feature of Windows that allowed him to log into the employee's account using their own
5
' I _. ..zj (.-
r Itniql1e.usemame-and.pasd from a different-com:Jrter and view everything on that compllter Alcock tol.d--l
1-
me that doing it this way caused Windows to download the employee's desk top, my documents and e-mail
account onto the computer being used, in this case Mclnchak's computer, allowing him to view these documents
and e-mails offline. This way, he did not have to log in as the employee anymore to access their files. It was
already on his computer. Alcock believed that Mcinchak was logging in this way to avoid detection allowing
him to view sensitive documents and files undetected.
Alcock provided me with Carmel's City Policy and Procedure Data Sheet and pointed out where it stated that
city management had a right to access and monitor employee computers as needed and that the systems were
restricted to city business. It stated that there was no expectation of privacy to extend to work related conduct or
to the use of city owned equipment or supplies, that the information systems manager was to act under
administrative direction, and that the use of access codes of other employees to gain access to their e-mail and
phone messages, or any computer account was prohibited except by management Mclnchak's position was not
considered a management position.
Additionally, the policy stated that employees were not to use computers, including lap tops, or personal
i computers on city work that are not owned or leased by the city for use by employee, or connect such
computers to the city information systems network without the prior written consent of the department director.
Alcock told me that he had been working with Mclnchak under the ruse that he was conducting an audit of the
City's computer system and servers, and in conversation, got Mclnchak to admit that he frequently remotely
accessed the city server from his home computer and lap top. Alcock said that from what he observed, this was
a direct violation of policy. From their conversation, Alcock suspected that there was sensitive information that
had been downloaded to Mclnchak's personal desk top just like his work computer.
Alcock told me that based on his training and experience and what he had observed from his forensic exam, it
was his opinion that Mclnchak was in violation of California Code Section 502.
Alcock cited the following sections:
502 PC: "Where the law was enacted to protect the integrity of all types and forms of lawfully created
computers, computer systems, and computer data that was vital for the protection ofthe privacy of
individuals as well as to the well being of financial institutions, business concerns and governmental
agencies."
502 (c)(2) PC: "Knowingly accesses and without permission, takes, copies, or makes use of any data
from a computer, computer system, or computer network, or takes or copies any supporting
documentation, whether existing or residing internal or external to a computer, computer system, or
computer network."
502 ( c )(7) PC: "Knowingly and without permission accesses or causes to be accessed any computer,
computer system or computer network."
Alcock told that many of the shares/folders found on Mclnchak's desk top were linked to the accounts of high
ranking officials in the city. Those officials included the Mayor, City Council Members, Chief of Police, Police
Commander and Fire Chief. Evidence also showed that aside from the employees listed above, Mclnchak also
accessed four other employee accounts, three of them being employees of the Carmel Police Department.
Alcock explained them as roaming user accounts. This gave Mclnchak the ability to remotely log into these user
accounts from his desk top computer and access any e-mail or documents he wanted. Alcock said that he found
several e-mails and documents that were saved to his accounts that were personal and sensitive in nature that
L Mclnchak had no right to access.
---------------------------
6
r- - - - - ~ - ----- ------------------------ ------
Alcock showed me examples of some sensitive documents and e-mails he printed off of Mclnchak's desk top
computer. These included:
Pay scale of all Police Services: Officers obtained from Carmel Police Employee Jeff
Olinger's personal document folder.
Pay scale of Code Enforcement Officer John Hanson obtained from Hanson's personal
document folder.
General Fund Revenues & Budget and e-mail with sensitive attachment from Dept. City
Clerk Molly Laughlin obtained from her personal documents folder and e-mail.
Personal document involving private medical procedure and e-mail obtained from Library
Director Janet Bombard's personal document folder and e-mail.
Employee Performance Appraisal for co-worker Rose Franzen obtained from her personal
document folder.
E-mail from City Manager Jason Stilwell that was sent to City Council members obtained
from Council Member Victoria Beach's e-mail.
It should be noted that the City Policy states that to forward or reproduce communications marked attorney
client privilege or confidential information without prior consent by the city administrator or city attorney is
prohibited. In the cited cases, several fell under this umbrella and where a clear violation.
Based on my training and experience and the above facts, I have substantial cause to believe that
the information sought in this search warrant for items in Steve Mclnchak's residence and on his computer(s)
will tend to show that he illegally accessed Carmel City employee's personal files and will have had it
downloaded to his personal computer, which is a felony violation of penal code section 502. Based on Alcock's
statement that Mclnchak admitted to remotely accessing the city server from his residential computer, he clearly
has at least one computer and related paraphernalia at his home.
Mclnchak's residence is 27590 Via Sereno, Cannel , California. I was able to confirm this address as his
residence through the following sources: California Department of Motor Vehicles print out, The Last One
(TLO) Law Enforcement search engine, and through Mclnchak's personnel records at the City of Carmel-by-
the-Sea.
I personally went out and confirmed the residence and took the picture attached.
REQUEST FOR OFF SITE AUTHORIZATION
As mentioned previously, during the investigation of this case, I have had the assistance of Forensic Examiner
Mark Alcock. Forensic Examiner Alcock is highly trained in the area of computer forensics and is considered
an expert witness in superior court.
7
.=8 - , (__
------------- --- ----- ---- -- . -- - ----_ -------- ---------- ---- . -
on my training in this area together with information I have received from Forensic Examiner Mark
Alcock,, I believe the execution of this warrant may take a great deal of time and require a special facility,
special equipment and software because:
(1) Your affiant does not know what operating system is running the computer that is the subject of this
warrant and therefore, it will take time to determine how the operating system permits access to data.
(2) The amount of data that may be stored in the hard drives and removable storage devices is enormous,
and your affiant doesn' t know the number or size of the hard drives and removable storage devices that
will have to be searched pursuant to this warrant.
(3) The data to be seized may be located anywhere on the hard drives and removable storage devices
including hidden files, program files, and ''deleted" files that have not been overwritten.
(4) The data may be encrypted, it may be inaccessible without a password, and it may be protected by self-
destruct programming, all of which will take time to bypass.
(5) Because data stored on a computer can be destroyed or altered rather easily, either intentionally or
accidentally, the search must be conducted carefully and in a secure environment.
( 6) To prevent alteration of data and insure the integrity of the search, your affiant plans to make clones of
all drives and devices, and then search the clones; this too, will take time and special equipment.
I therefore request authorization to search this computer, hard drive and removable storage devices that have
been seized at the Monterey County District Attorney' s Office, or any other secure law enforcement facility
with the necessary equipment to conduct the search safely and efficiently. Your affiant also requests
authorization to search for and seize all peripheral devices
Based on the aforementioned information and investigation, I believe grounds for the issuance of a search
warrant exist as set forth in Penal Code section 502.
I, the affiant, pray that a search warrant be issued for the seizure of said property, or any part thereof, from said
location at any time of the day, good cause being shown therefore, and that
the same be brought before this magistrate or retained subject to the order of this Court.
Officer Rachelle Date
'----------------- ------------
8