Received WhatsApp Stickers in Apple iOS


Stickers are a popular function in chat communication via WhatsApp Messenger. These are image files that have been prepared to be quickly or repeatedly inserted into WhatsApp conversations at the push of a button, similar to a smiley or an emoji. In a forensic analysis, it is essential to determine how media files were saved, especially if it is questionable or incriminating content. Unfortunately, it has been identified that WhatsApp stickers can also contain illicit content. During an investigation it was established that WhatsApp stickers are stored in the iOS file system when received from a third person. An examination of the exact circumstances is therefore essential in order to make a correct legal assessment (e.g. is this a case of deliberate possession of a file?).

The following is an excerpt of a forensic analysis of WhatsApp stickers in the Apple iOS operating system. The following findings refer to WhatsApp version 2.21.131.1 and iOS version 14.7.

Case study

Example: WhatsApp stickers containing incriminating content were found on an Apple iPhone. How should these findings be interpreted?

Question: What happens in the file system and WhatsApp database when WhatsApp stickers are received in iOS?

Forensic analysis

In preparation for the investigation, three different stickers were sent to an Apple iPhone SE via WhatsApp.

 

The following four cases were examined:

1. A sticker was received with the chat open and seen directly in real time.

(Time variance between the displayed time and the received timestamp is due to delayed screenshot creation)

The image file is located in the directory:

/mobile/Containers/Shared/AppGroup/group.net.whatsapp.WhatsApp.shared/Message/Media/43660XXXXXXX@s.whatsapp.net/6/f/6f3a3c78-2e05-450e-9334-ce1ffXXXXXXX.webp

Conclusion: The sticker is, by default, saved in the iOS file system immediately upon reception. In this case, it is apparent that the file was only viewed. The user did not save the file to the storage medium on purpose.

2. The sticker was received when the chat was open, seen directly and was subsequently saved by the user as a favourite for possible further use.

The image file is located in the directory:

/mobile/Containers/Shared/AppGroup/group.net.whatsapp.WhatsApp.shared/stickers/no-sticker-pack/32ecb847-c3e8-4873-8717-7a5daXXXXXXX.webp

Conclusion: The sticker is, by default, saved in the iOS file system immediately upon reception. However, if the sticker was manually added as a favourite, the file is now saved in the stickers directory shown above. In this case, it suggests that the file was deliberately saved for later use.

3. The sticker was received with the chat closed and not seen.

The image file is located in the directory:

/mobile/Containers/Shared/AppGroup/group.net.whatsapp.WhatsApp.shared/Message/Media/43660XXXXXXX@s.whatsapp.net/8/3/83a8f2c1-acae-40e9-9805-d5ef5XXXXXXX.webp

Conclusion: The sticker is, by default, saved in the iOS file system immediately upon receipt. A close analysis of the received message via Cellebrite Physical Analyzer shows that the message is marked as "unread". This information originates from the WhatsApp database ChatStorage.sqlite, from the table ZWAMESSAGE. The message in question has a value of 6 in the ZMESSAGESTATUS column, which is an indication of an unread message. That means that the file is indeed saved in the file system, but was not seen by the recipient. This rules out the possibility that the file was knowingly saved.

4. The sticker was received and subsequently deleted by the user.

The image file is no longer present on the file system.

Conclusion: Stickers received in a WhatsApp conversation and deleted by the receiving user can no longer be found on the file system of the receiving end. In this case, recovery using forensic data reconstruction methods was not possible.

Summary

If files are found on an iPhone that were received as stickers in a WhatsApp conversation and show incriminating content, it is possible to show whether the file was stored intentionally or without the user's intervention. In principle, all received WhatsApp stickers are always stored in the file system, even if the files have never been viewed. Based on the location of the file in the iOS file system, it can be shown whether a sticker was actively added by the suspect for further use by marking it as a "favourite". The status value of the message in the WhatsApp database that contained the sticker can also be used to track whether the message (and thus, for example, a sticker file in question) was displayed on the device at all. Finally, sticker files that have been received and deleted by the user can no longer be found in the file system. How such files have been stored exactly could therefore be of profound importance in the legal assessment of the (intentional) ownership of a file by a suspect.
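The decision logic summarised above can be applied to a list of .webp paths recovered from an extraction. The following Python sketch is an added example, not part of the original analysis or of any forensic tool. It assumes that a ZWAMEDIAITEM table links a media path (ZMEDIALOCALPATH, relative to Message/) to its ZWAMESSAGE row via ZMESSAGE; those names are not stated in the article, and the database contents and file names are constructed.

```python
import sqlite3

UNREAD = 6  # ZMESSAGESTATUS value the article reports for an unread message
BASE = "/mobile/Containers/Shared/AppGroup/group.net.whatsapp.WhatsApp.shared"

def build_sample_db():
    """Constructed stand-in for ChatStorage.sqlite (not real case data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ZWAMESSAGE (Z_PK INTEGER PRIMARY KEY, ZMESSAGESTATUS INTEGER);
        -- Assumption: media rows reference the message and store a path
        -- relative to Message/ (columns not named in the article).
        CREATE TABLE ZWAMEDIAITEM (Z_PK INTEGER PRIMARY KEY, ZMESSAGE INTEGER,
                                   ZMEDIALOCALPATH TEXT);
        INSERT INTO ZWAMESSAGE VALUES (1, 0), (2, 6);  -- 0 is a placeholder for any non-6 value
        INSERT INTO ZWAMEDIAITEM VALUES
            (1, 1, 'Media/SENDER@s.whatsapp.net/a/a/aaaa-constructed.webp'),
            (2, 2, 'Media/SENDER@s.whatsapp.net/b/b/bbbb-constructed.webp');
    """)
    return db

def status_for(db, path):
    """Return ZMESSAGESTATUS of the message carrying this file, or None."""
    rel = path.split("/Message/", 1)[-1]
    row = db.execute(
        "SELECT m.ZMESSAGESTATUS FROM ZWAMESSAGE m "
        "JOIN ZWAMEDIAITEM i ON i.ZMESSAGE = m.Z_PK "
        "WHERE i.ZMEDIALOCALPATH = ?", (rel,)).fetchone()
    return row[0] if row else None

def classify(path, status):
    """Map storage location and message status to the article's cases."""
    if path.startswith(BASE + "/stickers/"):
        return "favourite: suggests deliberate saving"
    if path.startswith(BASE + "/Message/Media/"):
        if status is None:
            return "auto-stored on receipt, no message row matched"
        if status == UNREAD:
            return "auto-stored on receipt, message unread"
        return "auto-stored on receipt, message not marked unread"
    return "not a location described in the article"

def triage(db, paths):
    """Classify every recovered path against the database."""
    return {p: classify(p, status_for(db, p)) for p in paths}

if __name__ == "__main__":
    for p, verdict in triage(build_sample_db(), [
            BASE + "/Message/Media/SENDER@s.whatsapp.net/b/b/bbbb-constructed.webp",
            BASE + "/stickers/no-sticker-pack/cccc-constructed.webp"]).items():
        print(verdict, "<-", p)
```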

This article is intended to be non-binding and of a purely informative nature. It can never replace an expert opinion related to a specific and explicit situation.