Chapter 19 — Exercises
These problems move from email-format recognition through header analysis, webmail and SQLite chat recovery, the legal ladder for cloud records, and metadata/timeline work — concept checks, hands-on labs ("recover from this image," "build the timeline," "write the report," "calculate and verify"), and judgment calls. (answer in Appendix) = worked solution in Answers. ⭐ = stretch. Practice images and lab setup are in Appendix J; signatures in Appendix A.
Group A — Recognizing email formats
19.1 A file begins with the bytes 21 42 44 4E E1 9A 7C 4F 53 4D 0E 00 0E 00 01 01. (a) What family of file is this, and what ASCII string do the first four bytes spell? (b) Read the version word at offset 0x0A (little-endian) and state whether the store is ANSI or Unicode. (c) What practical recovery risk does that version carry? (answer in Appendix)
19.2 Explain, in two or three sentences an attorney with no technical background could follow, why the "password" on a password-protected PST is not an obstacle to a forensic examiner, and why a vendor's claim of "compressible" or "cyclic" PST encryption does not mean you need a key.
19.3 Match each opening signature to its file type, and name the chapter tool that reads it: (a) D0 CF 11 E0 A1 B1 1A E1; (b) 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00; (c) 21 42 44 4E; (d) a line beginning at column zero with From MAILER-DAEMON Fri Mar 15 ....
19.4 ⭐ A client brings you Archive.pst (2.3 GB) that Outlook refuses to open, reporting that the file has reached its maximum size. From the header you confirm wVer = 14. Explain what happened, why ~2 GB is the trigger, and outline your recovery options ranked from least to most invasive (repair-in-place vs. carve the internal nodes). (answer in Appendix)
19.5 You are handed an MBOX export from Google Takeout. A colleague's script reports 4,012 messages; a second tool reports 3,987. Explain the most likely cause of the discrepancy (hint: the From separator is a convention, not a fielded structure), and describe how you would decide which count to put in your report.
Group B — Header analysis and authentication (read this image)
19.6 Read the following Received: chain and Authentication-Results header. (a) Which IP is the actual connecting peer your edge MX observed? (b) Which hop is the claimed origin, and why should you trust it less? (c) Where is the trust boundary? (d) State the SPF, DKIM, and DMARC verdicts and what each one tests. (answer in Appendix)
Return-Path: <alerts@secure-bank-update.com>
Received: from mx.acme-corp.com (mx.acme-corp.com [203.0.113.10])
by store.acme-corp.com with LMTP id 77aa
for <ar@acme-corp.com>; Wed, 03 Apr 2024 14:22:09 -0400
Received: from relay.bulkmail.example (relay.bulkmail.example [198.51.100.40])
by mx.acme-corp.com (Postfix) with ESMTPS id 9d12
for <ar@acme-corp.com>; Wed, 03 Apr 2024 14:22:08 -0400
Received: from [192.168.1.9] (unknown [185.220.100.250])
by relay.bulkmail.example with ESMTPA id 0c7e;
Wed, 03 Apr 2024 18:22:03 +0000
Authentication-Results: mx.acme-corp.com;
spf=fail (sender IP 198.51.100.40 not permitted) smtp.mailfrom=secure-bank-update.com;
dkim=none; dmarc=fail (p=quarantine) header.from=yourbank.com
From: "Your Bank Security" <no-reply@yourbank.com>
19.7 A message passes SPF but the recipient insists it is a forgery. Explain how both statements can be true at once. Which single mechanism would have caught the spoof, and why?
19.8 State precisely what a DKIM pass proves and what it does not prove. In your answer name the header fields d=, s=, bh=, and b=, and explain where the verifier obtains the public key.
19.9 ⭐ A message shows spf=pass for bounce.mailchimp-mailings.example and dkim=pass for d=mailchimp-mailings.example, but the visible From: is billing@yourcompany.com and DMARC reports fail. Explain why DMARC failed despite two passes, using the concept of alignment. Is this necessarily malicious? Give one benign and one malicious explanation. (answer in Appendix)
19.10 List five spoofing "tells" that live in headers or addressing rather than in the body, and for each give a one-line example (e.g., a homoglyph/lookalike domain, a display-name spoof, a Reply-To: mismatch). Which of these would survive even when SPF, DKIM, and DMARC all pass?
Group C — Webmail recovery from the browser
19.11 A custodian used Gmail exclusively through Chrome and swears they "never downloaded anything." On the disk image, list the four browser locations you would examine for webmail evidence and state what each can yield. Which one can contain entire message bodies offline? (answer in Appendix)
19.12 ⭐ Frame the same Gmail IndexedDB fragment two ways. (a) As a 💾 recovery technician serving a client whose provider purged old mail, what does the cache give you? (b) As a 🔍 examiner, what does that same artifact prove, and — crucially — what does it not prove about the account's full contents?
19.13 Recover from this image. You have a Chromium profile carved from a workstation. Write the step-by-step procedure (paths included) to (a) confirm webmail use, (b) extract any cached message fragments and attachment thumbnails, and (c) record, for your report, the distinction between local access and account content that requires legal process.
Group D — Chat applications and SQLite recovery
19.14 Explain why a "deleted" SQLite message row is usually still recoverable. Name the three locations the old row data can persist, and name the two operations that actually destroy it. (answer in Appendix)
19.15 Acquire and recover from this image. You image an Android handset and pull /data/data/com.whatsapp/databases/. The directory contains msgstore.db, msgstore.db-wal, and msgstore.db-shm. (a) Why must you copy all three together, and what do you lose if you grab only msgstore.db? (b) After hashing each file, outline the two passes you run: live-row extraction and deleted-row carving. (c) Which tool category does not carve deleted rows despite its name? (answer in Appendix)
19.16 Compare the recoverability of WhatsApp msgstore.db.crypt14 versus msgstore.db.crypt15. For each, state where the key lives, what cipher protects the backup, and the realistic outcome when you possess the backup but not the key. Explain why crypt15 is the harder ceiling.
19.17 ⭐ Write the report sentence. A subject used Signal. Their phone is locked and you have no passcode. Write the two-to-three-sentence finding you would put in a forensic report. It must (a) name the protection (SQLCipher with a hardware-backed key), (b) state the outcome without overclaiming, and (c) avoid implying you can break it. Then state what would change the outcome. (answer in Appendix)
19.18 Telegram: explain the forensic difference between an ordinary "cloud chat" and a "Secret Chat." For each, say where the content lives, whether it is end-to-end encrypted, and which discipline (local device analysis vs. legal process to the provider) is the right tool. Why can cache4.db rows not be read as plain text columns?
19.19 Slack, Discord, and Teams are Electron apps. (a) Explain why their on-disk footprint resembles a browser profile and name one local artifact for each. (b) For an organization investigating its own Slack workspace, why is the endpoint cache usually the wrong first move, and what is the right one? (c) Where does "new" Teams store its data, and what is the one-line lesson about that move?
Group E — Social media and the legal process
19.20 Place each instrument on the SCA ladder (18 U.S.C. §2703) and state what class of data it compels and at what legal standard: (a) preservation request §2703(f); (b) subpoena §2703(c)(2); (c) §2703(d) order; (d) search warrant §2703(a)/(b). (answer in Appendix)
19.21 A private attorney in a civil wrongful-termination case wants the opposing party's Facebook direct messages. They propose subpoenaing Meta directly for the message content. Explain why that will be quashed (name the statute and the kind of case law), and describe the correct way to obtain those communications.
19.22 ⭐ A detective has a strong lead but the warrant will take a week to draft and approve, and the provider's retention window is short. What single step, available immediately and requiring no court order, should they take first — and what exactly does it accomplish and not accomplish? (answer in Appendix)
19.23 After United States v. Warshak (6th Cir. 2010), what is the practical national standard for compelling the content of stored email from a provider, and why is a §2703(d) order insufficient for message bodies? Connect your answer to the Fourth Amendment.
Group F — Metadata, timestamps, and the timeline
19.24 Calculate and verify. Convert each of these to a UTC calendar time, showing the epoch you used: (a) WhatsApp timestamp = 1700000000000; (b) Unix seconds 1710524400; (c) Apple absolute (seconds since 2001-01-01) 732218400. Then state the classic error you avoided in (a) and (c). (answer in Appendix)
19.25 A WhatsApp message carries a client timestamp of Fri 18:55 but the server received_timestamp is Fri 19:21. (a) Which is the more trustworthy anchor, and why? (b) What might a 26-minute gap indicate? (c) How would you phrase this in a report so you do not overstate it?
19.26 ⭐ Build the timeline. From the fragments below, build a single UTC communications timeline and write one sentence stating what it shows. Note any entry whose source you would flag as cache-not-account or client-vs-server time.
- Recovered OST item: sent "fyi" + TurbineHousing_pkg.zip → jr.personal@gmail.com Fri 19:21 (-0400)
- Received chain: outbound relay to Google MX, corp DKIM=pass Fri 19:21:07 (-0400)
- Browser history: mail.google.com session (jr.personal) on corp machine Sat 09:02 (-0400)
- Gmail offline IndexedDB: inbox shows "fyi" + TurbineHousing_pkg.zip received Fri 19:21 (server)
- $Recycle.Bin $I record: CAD files deleted; Prefetch: CCleaner run Sat 09:12 / 09:14
Group G — Progressive project: the communications layer
19.27 Hash and log (calculate and verify). You carve Archive.pst from your case image, compute SHA-256 = e4d9…, run pffexport read-only, then recompute SHA-256 = e4d9… (identical). (a) What does the unchanged hash prove? (b) Why does a read-only parser preserve it? (c) Exactly what do you record on the chain-of-custody worksheet (Appendix F)? (answer in Appendix)
19.28 ⭐ Write the report section. Add the communications layer to your Forensic Case File. Produce a one-page section that: (1) lists each email store and chat database recovered, with hashes and tool+version; (2) reports live-row and recovered-deleted-row counts for at least one SQLite database, corroborated by a second tool; (3) for one cloud account, names the correct legal instrument to obtain its content and states that the local cache proves only access; and (4) states at least one honest limitation (encryption ceiling, cache-not-account, or deleted-row-without-context). Save it into your case-file folder for assembly in Chapter 26 and the capstone.
Self-check. You have mastered this chapter when you can pick up any communications artifact and answer three questions without hesitation: What format/container is this, and how do I read it? Where do its deleted items hide, and have I acquired them (database and
-wal)? And if the authoritative copy is in the cloud, which legal instrument compels it? If you can read aReceived:chain bottom-up to the trust boundary, carve a deleted row from a SQLite freelist or WAL, and explain why a Signal "no results" is an architectural fact rather than a failure of your work, you are ready for Chapter 20 — Photo, Video, and Document Forensics, where you follow the attachments this chapter kept surfacing into the images, video, and documents themselves.