NordSec 2023 - Paper accepted
28 September 2023
Our work in a nutshell:
WhatsApp stickers, a user-created mix of emoji and image/GIF, are unfortunately being misused by some users for illegal content, such as child sexual abuse material and Nazi propaganda, and are being prosecuted by law enforcement. Our research shows that WhatsApp automatically and unknowingly saves received stickers on the recipient's mobile device, which can lead to legal problems for users who neither want nor know they have illegal stickers. On the other hand, our research gives law enforcement the knowledge they need to bring the real perpetrators to justice.
Paper Details:
Title: "To Possess or Not to Possess - WhatsApp for Android Revisited with a Focus on Stickers"
Authors: Samantha Klier and Harald Baier
Abstract: WhatsApp stickers are a popular hybrid of images and emoticons that can contain user-created content. Stickers are mostly sent for legitimate reasons, but are also used to distribute illicit content such as Child Sexual Abuse Material (CSAM). As the process of creating stickers becomes easier for users from version to version, a digital forensic analysis is still lacking. Therefore, we present the first comprehensive digital forensic analysis of WhatsApp’s sticker handling on Android, with a special focus on the legal context, i.e. the definition of possession of illicit content. Our analysis is based on 40 scenarios that reflect the full lifecycle of community-created stickers. We show how the distribution channel of a sticker found on a device can be reconstructed, partially even when its traces have been removed from WhatsApp and are not visible through WhatsApp’s user interface. In addition, we show that Google Drive backups recover stickers, making device seizure dispensable; however, stickers can still be permanently deleted. Most importantly, we show that simply finding a sticker on a device is not sufficient to meet the requirements of the legal definition of possession. Therefore, prosecution for possession of a sticker requires additional evidence, which we provide.