Chapter 19 — Quiz

14 questions: 10 multiple choice, 2 true/false, 2 short answer. Answers and a scoring band are at the bottom. No peeking until you have written your own answers.


Multiple choice

Q1. The first four bytes of an Outlook PST/OST file are: - A) D0 CF 11 E0 - B) 21 42 44 4E (!BDN) - C) 53 51 4C 69 (SQLi) - D) 25 50 44 46 (%PDF)

Q2. To trace an email to its true origin, you read the Received: chain: - A) top-down, because the first header written is the origin - B) bottom-up, because each server prepends its header, so the earliest hop sits at the bottom - C) in any order — the ordering is not meaningful - D) not at all; only Return-Path: matters

Q3. SPF authenticates which identity? - A) the visible From: header - B) the Reply-To: header - C) the envelope sender (RFC5321.MailFrom / Return-Path) - D) the body hash in the DKIM signature

Q4. When SQLite "deletes" a row, the row data: - A) is immediately overwritten with zeros - B) is moved to a hidden Recycle Bin table - C) remains in free blocks, freelist pages, or the -wal until that space is reused or a VACUUM runs - D) is re-encrypted in place

Q5. Without the user's backup key, a WhatsApp msgstore.db.crypt15 backup is: - A) trivially decrypted using the files/key file - B) decrypted by ignoring the PST password CRC - C) effectively unrecoverable — it is end-to-end encrypted with a key WhatsApp never sees - D) stored in plaintext on shared storage

Q6. In a criminal case, compelling the content of stored messages from a provider requires: - A) a §2703(f) preservation letter - B) a subpoena - C) a §2703(d) order - D) a probable-cause search warrant

Q7. The -wal (write-ahead log) file matters forensically because: - A) it stores the database password - B) the most recent messages may exist only there, not yet checkpointed into the main .db - C) it is always empty until the app closes - D) it holds only schema definitions, never rows

Q8. A PST's "compressible" (permute) or "cyclic" encryption is best described as: - A) AES-256 requiring the user's key - B) reversible obfuscation that any forensic parser undoes automatically - C) RSA public-key encryption - D) SQLCipher with a hardware-backed key

Q9. DMARC adds what to SPF and DKIM? - A) a longer cryptographic key - B) alignment between an authenticated domain and the visible From: domain, plus a publishable failure policy - C) end-to-end encryption of the message body - D) a replacement transport protocol for SMTP

Q10. Telegram's ordinary chats are: - A) end-to-end encrypted and stored only on the device - B) cloud chats stored on Telegram's servers and synced across devices (not E2E) - C) never stored anywhere after delivery - D) kept inside an Outlook OST

True / False

Q11. Because an OST is a cached copy of a server mailbox, it can contain messages that have since been deleted from the server. (True / False)

Q12. A civil litigant may serve a subpoena directly on Facebook (Meta) to obtain another user's private message content. (True / False)

Short answer

Q13. You are about to acquire a WhatsApp database from a file-system extraction. Which files must you collect together, and why does grabbing only the .db risk losing the most relevant evidence?

Q14. In a Received: chain, what is the "trust boundary," and why does it determine which headers you can rely on?

---

Answer key

Q1 — B. PST/OST begin with 21 42 44 4E = !BDN. D0 CF 11 E0 is an OLE/CFB file (MSG, legacy Office), 53 51 4C 69 starts SQLite format 3\000, and %PDF is a PDF.

Q2 — B. Each MTA prepends a Received: header, so the topmost is the last hop (nearest the recipient) and the bottommost is the first hop (nearest the origin). Trace bottom-up.

Q3 — C. SPF checks the envelope sender (RFC5321.MailFrom / Return-Path) against the domain's authorized-IP list. It says nothing about the visible From:, which is why a message can pass SPF and still display a forged From:.

Q4 — C. Deletion unlinks the cell and marks its space free (page freeblock list or the database freelist); the bytes persist until reused, and are erased outright only by VACUUM. Recent deletions may also linger in the -wal.

Q5 — C. crypt15 backups are end-to-end encrypted with the user's 64-hex/passphrase-derived backup key that WhatsApp never holds. Without that key, the AES-256-GCM backup is not breakable. (crypt12/14 use the per-install files/key, which is why A is wrong here.)

Q6 — D. Content requires a probable-cause search warrant (§2703(a)/(b); the practical post-Warshak standard). The lesser instruments compel subscriber info and non-content metadata only.

Q7 — B. With WAL journaling, new/changed rows are written to -wal first and only later checkpointed. The freshest messages — including ones sent just before seizure — may exist only in -wal. Acquire db, db-wal, and db-shm together.

Q8 — B. Permute ("compressible") is a fixed byte-substitution table; cyclic is a rolling XOR keyed by block ID. Both are obfuscation, automatically reversed by any parser — not cryptography. (The PST "password" is merely a CRC32, also ignored.)

Q9 — B. DMARC ties SPF/DKIM results to the visible From: by requiring alignment, and publishes a policy (p=none|quarantine|reject) telling receivers what to do on failure.

Q10 — B. Ordinary Telegram chats are cloud chats — server-stored and synced, not end-to-end encrypted. Only opt-in Secret Chats are E2E and device-only.

Q11 — True. An OST is a local cache of the server mailbox; it frequently retains messages later deleted from the server, making it a time capsule of the mailbox as of the last sync.

Q12 — False. The SCA (§2702) bars providers from disclosing content to private parties; civil subpoenas to providers for message content are quashed (e.g., Crispin, Theofel). Obtain the communications from the party instead.

Q13. Collect msgstore.db together with its -wal and -shm companions (and note the files/key if decryption is needed). The write-ahead log can hold the newest messages that have not yet been checkpointed into the main database, so copying only the .db silently discards the freshest — and often most relevant — conversation. Hash each file as acquired.

Q14. The trust boundary is the first mail server you actually control (your edge MX). Headers written at or above it are reliable because trusted infrastructure recorded them; everything below it was written by foreign relays and can be forged by the sender. You anchor conclusions about origin to the header your own server wrote, treating lower hops only as far as you trust the relay that produced them.

Scoring: 13–14 correct — examiner-ready; you can read headers and recover chat with confidence. 10–12 — solid; revisit the one or two areas you missed (likely SPF-vs-DMARC alignment or the SCA ladder). 7–9 — reread the "SQLite substrate," "header analysis," and "social media / legal process" sections before the case studies. Below 7 — work back through index.md, then redo the exercises Groups B, D, and E.