Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases — at no additional cost to you.

Chapter 19 — Further Reading

Foundations (🔬 / deeper)

  • [MS-PST]: Outlook Personal Folders File Format / [MS-CFB]: Compound File Binary Format (Microsoft Open Specifications). The authoritative structure of PST/OST and of the MSG container. Read enough to understand the !BDN header, the NDB/LTP/Messaging layers, and why "compressible"/"cyclic" encryption is reversible obfuscation.
  • RFC 5322 (Internet Message Format) and RFC 5321 (SMTP). Where the Received:, Message-ID:, From:, and Return-Path: semantics are actually defined. RFC 5321 §4.4 is the Received: line specification you rely on when you read a chain bottom-up.
  • RFC 7208 (SPF), RFC 6376 (DKIM), RFC 7489 (DMARC). The authentication triangle from the source. Read them together so the envelope-vs-From: distinction and DMARC alignment are second nature.
  • The SQLite File Format (sqlite.org/fileformat2.html) and Write-Ahead Logging (sqlite.org/wal.html). Pages, cells, freeblocks, the freelist, and the -wal/-shm mechanism — the entire basis of deleted-row recovery in chat forensics.

Approachable explanations (everyone)

  • A provider law-enforcement guide (e.g., Google, Meta, Microsoft, Apple). Each one states, in plain language, exactly what a preservation request, subpoena, court order, and warrant will and will not yield. Reading one demystifies the SCA ladder faster than any treatise.
  • SANS DFIR posters — "Smartphone Forensics," "Windows Forensic Analysis," and the SQLite/chat-artifacts cheat sheets. Wall-chart references for app database paths, timestamp epochs, and artifact locations; ideal for quick orientation before a job.
  • libpff / pffinfo / pffexport (Joachim Metz, libyal). 🔍💾 The open-source workhorse for PST/OST, including recovered-deleted items. Pair with readpst for PST→MBOX and Python's mailbox/email modules for scripted triage.
  • wa-crypt-tools (wadecrypt). 💾🔍 Decrypts WhatsApp crypt12/14 (via the files/key) and crypt15 (via the user's backup key) — only when you lawfully hold the key.
  • undark, bring2lite, FQLite, Epilog. 🔍 SQLite deleted-row carvers that walk freeblocks, the freelist, and the WAL. Run at least two and compare counts; remember sqlite3 .recover is a corruption repair, not a deleted-row carver.
  • Microsoft Purview eDiscovery, Slack Discovery API, Google Vault. 🛡️📜 The admin-export path to org-owned chat — faster and more defensible than scraping an endpoint cache.
  • DOJ CCIPS, Searching and Seizing Computers and Obtaining Electronic Evidence; United States v. Warshak, 631 F.3d 266 (6th Cir. 2010). 📜 The practical legal map for stored communications and the case that made a warrant the standard for content.

Reference (this book)

  • Appendix A — File Signatures Reference: the !BDN, SQLite format 3\000, OLE/CFB, and RFC 5322 patterns you carve for.
  • Appendix B — Python Forensics Toolkit: reusable SQLite read-only extraction and timestamp-decoding snippets.
  • Appendix C — Tool Reference: libpff, Autopsy Email/Android modules, AXIOM, Cellebrite, and SQLite recovery tools side by side.
  • Appendix E — Legal Frameworks Reference: the SCA ladder, Warshak, §2702, the CLOUD Act, and MLAT in one place.
  • Chapter 18 — Browser and Internet Forensics: the webmail/IndexedDB recovery this chapter builds on. Chapter 24 — Mobile Device Forensics: how you obtain the chat databases in the first place. Chapter 25 — The Legal Framework / Chapter 31 — Cloud Forensics: authority and mechanics for cloud accounts.

Do, don't just read

  • Recover a PST. Take a sample Outlook store (see Appendix J), run pffinfo then pffexport -m all, and compare the live folder tree against the recovered/ output. Confirm the deleted items appear only in the latter.
  • Build a WAL recovery lab. Create a SQLite database, insert and delete rows without checkpointing, then carve with undark — prove to yourself that deleted rows survive and that the -wal holds uncheckpointed inserts.
  • Read a real header. Export an email from your own inbox as .eml with full headers and trace the Received: chain bottom-up; identify the trust boundary and confirm the SPF/DKIM/DMARC results in Authentication-Results.
  • Decode a timestamp by hand. Convert a WhatsApp millisecond value and an Apple "seconds since 2001" value to UTC, and prove you avoided the 31-year and 54,000-year classic errors.

Next: Chapter 20 — Photo, Video, and Document Forensics: following the attachments into EXIF GPS data, manipulated- and AI-image detection, and Office/PDF metadata — the media at the heart of anchor case #4.