Chapter 19 — Key Takeaways
The big idea
A single conversation lives in many places at once — on the device and in the cloud — and your job is to recover what is local, compel what is remote with the correct legal instrument, and recognize that the deleted material is frequently the evidence. Communications carry intent in a way no system artifact can, which is exactly why they are fought over hardest in court. Master one technical skill — recovering deleted rows from SQLite — and you unlock most of modern chat forensics; master one reading discipline — the Received: chain bottom-up to the trust boundary — and you can trace almost any email; master one legal map — the SCA ladder — and you know precisely which instrument compels which class of record.
Email: recognize the format, then recover it
| Format | Signature / marker | Key fact |
|---|---|---|
| PST / OST | 21 42 44 4E (!BDN); wVer at 0x0A |
Unicode (23) vs ANSI (14/15, 2 GB limit); "password" = CRC, "encryption" = reversible obfuscation; deleted items linger in free space until compaction. An OST is a cached time-capsule that often outlives the server copy. |
| MBOX | From at column zero |
The separator is a convention, not a field — beware "From-munging"; what Google Takeout exports. |
| EML / EMLX | RFC 5322 headers | Single message; EMLX adds an Apple plist trailer (~/Library/Mail/). |
| MSG | D0 CF 11 E0 A1 B1 1A E1 |
OLE/CFB container; MAPI props in __substg1.0_* streams. |
Tools: pffinfo/pffexport (libpff) extract live and recovered/deleted items; readpst converts PST→MBOX; carve !BDN/RFC 5322 patterns from unallocated.
Email headers: trace and authenticate
- Read
Received:bottom-up. Each MTA prepends its header; the origin is at the bottom. Trust only at or above your trust boundary (your edge MX) — everything below can be forged. - SPF authenticates the envelope (
MailFrom), not the visibleFrom:. DKIMpassproves integrity and domain authenticity of signed headers/body. DMARC ties them to the visibleFrom:via alignment and publishes a policy (none/quarantine/reject). - Webmail leaves no PST/OST — only browser traces: history, cache fragments, and Gmail's offline IndexedDB (full bodies). The cache proves local access, not the account's contents.
Chat: one substrate, different ceilings
- SQLite is the substrate. Deleted rows survive in free blocks, freelist pages, and the
-waluntil reused orVACUUMed. Always acquiredb+-wal+-shmtogether. Carvers:undark,bring2lite, FQLite, Epilog. - WhatsApp —
msgstore.db(unencrypted, needs root/FFS); crypt12/14 backups decrypt with thefiles/key; crypt15 is E2E with the user's key — no key, no recovery. - Signal — SQLCipher with a hardware-backed key: generally unrecoverable without the unlocked device. "Encrypted, not recoverable" is the competent finding.
- Telegram — cloud chats (server-side, not E2E); Secret Chats device-only;
cache4.dbrows are TL-serialized blobs. - Slack / Discord / Teams — Electron caches over cloud truth; for org-owned data, prefer admin/eDiscovery export over the endpoint cache.
Social media: where technique stops and law begins (SCA, 18 U.S.C. §2703)
| Instrument | Standard | Compels |
|---|---|---|
| §2703(f) preservation | a request, no court | freeze records (90 days, renewable) |
| Subpoena | relevance | basic subscriber info |
| §2703(d) order | specific & articulable facts | non-content transactional metadata |
| Search warrant | probable cause | content (post-Warshak) |
Content needs a warrant; civil litigants cannot get content from the provider at all (§2702) — get it from the party.
Metadata: often worth more than the text
Verify each platform's epoch (Unix s, WhatsApp ms, Apple s/2001, FILETIME) before building a timeline; normalize to UTC. Distinguish client vs server timestamps — disagreement can be evidence. Receipts prove a message was seen; tombstones prove a deletion occurred.
You can now…
- ☐ Recognize PST/OST, MBOX, EML/EMLX, and MSG on sight and recover live and deleted items from each.
- ☐ Read a
Received:chain bottom-up to the trust boundary and interpret SPF, DKIM, and DMARC. - ☐ Acquire a chat database with its
-wal/-shmand carve deleted rows from SQLite. - ☐ State what is and isn't recoverable per app — WhatsApp, Signal, Telegram, Slack, Discord, Teams.
- ☐ Map cloud records to the correct SCA instrument and apply the civil-vs-criminal distinction.
Looking ahead
Chapter 20 — Photo, Video, and Document Forensics. You will follow the attachments this chapter kept surfacing into the media itself: EXIF GPS and camera data, manipulated- and AI-image detection, Office/PDF internal metadata, and media authentication — the evidence type at the heart of anchor case #4, handled clinically.
One sentence to carry forward: In communications, the message you must read first is the one the suspect tried to delete — and the legal instrument you choose decides whether a court ever sees it.