WhatsApp stickers are a popular hybrid of images and emoticons that can contain user-created content. Stickers are mostly sent for legitimate reasons, but are also used to distribute illicit content such as Child Sexual Abuse Material (CSAM). As the process of creating stickers becomes easier for users from version to version, a digital forensic analysis is still lacking. Therefore, we present the first comprehensive digital forensic analysis of WhatsApp’s sticker handling on Android, with a special focus on the legal context, i.e. the definition of possession of illicit content. Our analysis is based on 40 scenarios that reflect the full lifecycle of community-created stickers. We show how the distribution channel of a sticker found on a device can be reconstructed, partially even when its traces have been removed from WhatsApp and are not visible through WhatsApp’s user interface. In addition, we show that Google Drive backups recover stickers, making device seizure dispensable; however, stickers can still be permanently deleted. Most importantly, we show that simply finding a sticker on a device is not sufficient to meet the requirements of the legal definition of possession. Therefore, prosecution for possession of a sticker requires additional evidence, which we provide.    «

WhatsApp stickers are a popular hybrid of images and emoticons that can contain user-created content. Stickers are mostly sent for legitimate reasons, but are also used to distribute illicit content such as Child Sexual Abuse Material (CSAM). As the process of creating stickers becomes easier for users from version to version, a digital forensic analysis is still lacking. Therefore, we present the first comprehensive digital forensic analysis of WhatsApp’s sticker handling on Android, with a spe...    »