Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.
Chapter 19 — Further Reading
Foundations (🔬 / deeper)
[MS-PST]: Outlook Personal Folders File Format /[MS-CFB]: Compound File Binary Format (Microsoft Open Specifications). The authoritative structure of PST/OST and of the MSG container. Read enough to understand the!BDNheader, the NDB/LTP/Messaging layers, and why "compressible"/"cyclic" encryption is reversible obfuscation.- RFC 5322 (Internet Message Format) and RFC 5321 (SMTP). Where the
Received:,Message-ID:,From:, andReturn-Path:semantics are actually defined. RFC 5321 §4.4 is theReceived:line specification you rely on when you read a chain bottom-up. - RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC). The authentication triangle from the source. Read them together so the envelope-vs-
From:distinction and DMARC alignment are second nature. - The SQLite File Format (sqlite.org/fileformat2.html) and Write-Ahead Logging (sqlite.org/wal.html). Pages, cells, freeblocks, the freelist, and the
-wal/-shmmechanism — the entire basis of deleted-row recovery in chat forensics.
Approachable explanations (everyone)
- A provider law-enforcement guide (e.g., Google, Meta, Microsoft, Apple). Each one states, in plain language, exactly what a preservation request, subpoena, court order, and warrant will and will not yield. Reading one demystifies the SCA ladder faster than any treatise.
- SANS DFIR posters — "Smartphone Forensics," "Windows Forensic Analysis," and the SQLite/chat-artifacts cheat sheets. Wall-chart references for app database paths, timestamp epochs, and artifact locations; ideal for quick orientation before a job.
In practice (💾 Recovery · 🔍 Examiner · 🛡️ IR · 📜 Legal)
- libpff /
pffinfo/pffexport(Joachim Metz, libyal). 🔍💾 The open-source workhorse for PST/OST, including recovered-deleted items. Pair withreadpstfor PST→MBOX and Python'smailbox/emailmodules for scripted triage. - wa-crypt-tools (
wadecrypt). 💾🔍 Decrypts WhatsApp crypt12/14 (via thefiles/key) and crypt15 (via the user's backup key) — only when you lawfully hold the key. undark,bring2lite, FQLite, Epilog. 🔍 SQLite deleted-row carvers that walk freeblocks, the freelist, and the WAL. Run at least two and compare counts; remembersqlite3 .recoveris a corruption repair, not a deleted-row carver.- Microsoft Purview eDiscovery, Slack Discovery API, Google Vault. 🛡️📜 The admin-export path to org-owned chat — faster and more defensible than scraping an endpoint cache.
- DOJ CCIPS, Searching and Seizing Computers and Obtaining Electronic Evidence; United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). 📜 The practical legal map for stored communications and the case that made a warrant the standard for content.
Reference (this book)
- Appendix A — File Signatures Reference: the
!BDN,SQLite format 3\000, OLE/CFB, and RFC 5322 patterns you carve for. - Appendix B — Python Forensics Toolkit: reusable SQLite read-only extraction and timestamp-decoding snippets.
- Appendix C — Tool Reference: libpff, Autopsy Email/Android modules, AXIOM, Cellebrite, and SQLite recovery tools side by side.
- Appendix E — Legal Frameworks Reference: the SCA ladder, Warshak, §2702, the CLOUD Act, and MLAT in one place.
- Chapter 18 — Browser and Internet Forensics: the webmail/IndexedDB recovery this chapter builds on. Chapter 24 — Mobile Device Forensics: how you obtain the chat databases in the first place. Chapter 25 — The Legal Framework / Chapter 31 — Cloud Forensics: authority and mechanics for cloud accounts.
Do, don't just read
- Recover a PST. Take a sample Outlook store (see Appendix J), run
pffinfothenpffexport -m all, and compare the live folder tree against therecovered/output. Confirm the deleted items appear only in the latter. - Build a WAL recovery lab. Create a SQLite database, insert and delete rows without checkpointing, then carve with
undark— prove to yourself that deleted rows survive and that the-walholds uncheckpointed inserts. - Read a real header. Export an email from your own inbox as
.emlwith full headers and trace theReceived:chain bottom-up; identify the trust boundary and confirm the SPF/DKIM/DMARC results inAuthentication-Results. - Decode a timestamp by hand. Convert a WhatsApp millisecond value and an Apple "seconds since 2001" value to UTC, and prove you avoided the 31-year and 54,000-year classic errors.
Next: Chapter 20 — Photo, Video, and Document Forensics: following the attachments into EXIF GPS data, manipulated- and AI-image detection, and Office/PDF metadata — the media at the heart of anchor case #4.