When transferring data, the user needs to select the files or directory they want to transfer, and if sending as an email transfer as opposed to via a download link: the email address to send it to, and the email address to use as the sender.
If transferring via email when not logged in, when hitting the 'Transfer' button the user will also need to enter a code which is sent to their email address and hit an additional ‘Validate’ button.
Unfortunately, WeTransfer leaves few clues of a files being sent in the user's browser history, i.e. there is no '/upload' URL (like there is a '/download' URL) to be found, so analysts will primarily be reliant on the cookies which the site uses.
The following three cookies can be created when the transfer is initiated:
The wt_from cookie (caches the last entered email addresses entered in the ‘Your email’ field).
The wt_to cookie (responsible for caching the email addresses the data was sent to) was found to be set on transfer, but only when the user was not logged into an account.
The wt_sent cookie (caches the number of transfers sent in the session). Importantly, if the user selects to receive a download link as opposed to sending an email to the recipient, the wt_sent is the only one of these three cookies which is set on the initiation of the data transfer.