Forensic Analysis of: WeTransfer

WeTransfer is commonly used as a data exfiltration tool, and as such, I decided to take a look at how a digital forensic investigator could ‘put the user behind the keyboard’ by analysing the web browser history of the data transferor.

Site Access

Whilst you don’t need an account to send data, you have to accept the terms and conditions, which WeTransfer handily records in the cookie wt_tandc, the creation time of which can be used to ascertain when the Ts & Cs were accepted.

Other cookies such as wt_privacy and wt_first_visit do a similar job in helping you identify when the service was first used; however, in my research wt_tandc was the only cookie of the three which was always present, regardless of whether you accepted or rejected non-functional cookies.

Finally, the wt_signout cookie (which, as the name suggests, is set on sign out) may also be useful for producing a full timeline of a user's WeTransfer activity.

Transferring Data

When transferring data, the user needs to select the files or directory they want to transfer, and if sending as an email transfer as opposed to via a download link: the email address to send it to, and the email address to use as the sender.

If transferring via email when not logged in, when hitting the 'Transfer' button the user will also need to enter a code which is sent to their email address and hit an additional ‘Validate’ button.

Unfortunately, WeTransfer leaves few clues that files have been sent in the user's browser history, i.e. there is no '/upload' URL (like there is a '/download' URL) to be found, so analysts will primarily be reliant on the cookies which the site uses.

The following three cookies can be created when the transfer is initiated:

The wt_from cookie (caches the last email address entered in the 'Your email' field).

The wt_to cookie (responsible for caching the email addresses the data was sent to) was found to be set on transfer, but only when the user was not logged into an account.

The wt_sent cookie (caches the number of transfers sent in the session). Importantly, if the user selects to receive a download link as opposed to sending an email to the recipient, wt_sent is the only one of these three cookies which is set on the initiation of the data transfer.

Once a transfer has been initiated, the user is shown a progress bar which indicates the percentage of the transfer. Interestingly, if (and only if) you are logged in, the Title of the web page also changes from 'WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free' to '1% - Transferring…', with the percentage increasing in time with that of the transfer.

Non-logged in file transfer.

Logged in file transfer with '% - Transferring...' Title.

When the transfer reaches 100%, there is a brief pause on the transfer screen (which appeared to be longer on larger uploads) before the user is presented with a 'Your transfer details' screen, at which point the Title of the web page returns to 'WeTransfer - Send Large Files & Share Photos Online - Up to 2GB Free'.

From my research I noted that a user can close the browser in the brief window once the transfer has reached 100% but before they have been presented the ‘Your transfer details’ page and the files will still be transferred successfully.

Transfer at 100%.

'Your transfer details' screen.

This is important because when looking at the logged in user’s Google Chrome history where the browser was closed at 100%, the web page Title:

31% - Transferring…

...was retained for the WeTransfer.com URL.

But as you can see here, the percentage retained in the browser history can be much lower than the percentage achieved and that presented to the user.

And what may be more frustrating for investigators is that the '% - Transferring…' Title will likely not be retained in the browser history for users that proceeded to the ‘Your transfer details’ screen.

Emails

If you have access to the email account used to verify the sending of the files, emails from 'noreply@wetransfer.com' can be used to confirm a transfer has taken place and can include the name of the transferred directory or file (including file extension), the recipient email address and a download link to the file.

If, however, the user chose to receive a download link rather than send the recipient an email, the only email the sender will receive is the notification sent when the file is first downloaded using the link.

Summary

The wt_from, wt_to and wt_sent cookies are all indicators that a file transfer was initiated. More specifically, if you have a wt_from or wt_to cookie, the transfer was initiated as an email transfer and if you only have a wt_sent cookie, the transfer was initiated as a download link.

If the Titles '1% - Transferring…' to '99% - Transferring…' can be seen in the browser history, it is again an indication of a file transfer being initiated. As my research has shown, it is possible that the file transfer completed successfully and the user closed the page at 100% before they were presented with the 'Your transfer details' screen. However, the '% - Transferring…' Titles would of course also be present in the history if the user closed the browser and cancelled the transfer at a percentage equal to or greater than that stored in the browser history.

Emails provide a way to confirm a transfer was completed, however investigators may not have access to the account used by the sender.

To summarise further, it is my opinion that:

If you have a wt_sent cookie and no '% - Transferring…' page Title, it is highly likely that the transfer was completed.

If you have a wt_sent cookie and any '% - Transferring…' page Title, a transfer was initiated but it is possible that it was completed.
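The cookie and page-Title indicators above, applied to Chrome's Cookies and History SQLite databases, as an added example that is not part of the original post. It assumes Chrome's `cookies` table (host_key, name, creation_utc) and `urls` table (url, title, last_visit_time) with timestamps in microseconds since 1601-01-01 UTC; the sample databases are constructed in memory with only those columns.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TRANSFER_RE = re.compile(r"^(\d{1,3})% - Transferring")  # matches e.g. '31% - Transferring…'

def webkit_to_utc(us):
    """Chrome stores cookie and history times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def wt_cookies(cookie_db):
    """Return {cookie name: creation time (UTC)} for WeTransfer's wt_* cookies."""
    rows = cookie_db.execute(
        "SELECT name, creation_utc FROM cookies WHERE host_key LIKE '%wetransfer.com'")
    return {n: webkit_to_utc(ts) for n, ts in rows if n.startswith("wt_")}

def transferring_titles(history_db):
    """Return [(percent, last visit time)] for retained '% - Transferring…' titles."""
    rows = history_db.execute(
        "SELECT title, last_visit_time FROM urls WHERE url LIKE '%wetransfer.com%'")
    hits = [(TRANSFER_RE.match(t or ""), ts) for t, ts in rows]
    return [(int(m.group(1)), webkit_to_utc(ts)) for m, ts in hits if m]

def assess(cookies, titles):
    """Apply the post's indicators: transfer type from cookies, completion from titles."""
    if "wt_from" in cookies or "wt_to" in cookies:
        kind = "email transfer"
    elif "wt_sent" in cookies:
        kind = "download link"
    else:
        return None, "no transfer initiation indicators"
    if not titles:
        return kind, "initiated; completion highly likely (no transferring title retained)"
    pct = max(p for p, _ in titles)
    return kind, f"initiated; completion possible (page left at or after {pct}%)"

def build_sample():
    """Constructed in-memory databases with only the Chrome columns read above."""
    base = 13306464000000000  # WebKit microseconds for 2022-09-01T00:00:00Z
    c = sqlite3.connect(":memory:")
    c.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, creation_utc INTEGER)")
    c.executemany("INSERT INTO cookies VALUES (?,?,?)", [
        (".wetransfer.com", "wt_tandc", base),
        (".wetransfer.com", "wt_sent", base + 600_000_000)])  # set ten minutes later
    h = sqlite3.connect(":memory:")
    h.execute("CREATE TABLE urls (url TEXT, title TEXT, last_visit_time INTEGER)")
    h.execute("INSERT INTO urls VALUES (?,?,?)",
              ("https://wetransfer.com/", "31% - Transferring…", base + 620_000_000))
    return c, h
```

Against a real profile, open copies of the Cookies and History files with sqlite3.connect and pass them to wt_cookies and transferring_titles, then call assess on the results.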

Research correct as of September 2022.

Reference: https://wetransfer.com/documents/WeTransfer_Cookie_List_20181015.pdf