Computer Forensics Overview


Chapter 3: Computer Forensics



Digital evidence can play a critical role in child pornography cases, and a computer forensic expert witness can help review the prosecution’s investigation work and prove a defendant’s innocence. Authorities may obtain a search warrant that allows them to seize electronic devices, memory cards, CDs, thumb drives, and storage devices, search information stored on electronic devices, receive access to online accounts, social media profiles, chat rooms, and other platforms, and track online activity and messaging.

By analyzing a computer’s data, a computer forensic expert can assess whether there was likely intent in the electronic possession/receipt/distribution of child pornography, or whether this was performed outside of the defendant’s knowledge. For example, if the material is found to have never been opened, it can suggest that the person did not know the true nature of the material. A person could also have unknowingly received the files when downloading other files from the Internet. There could also be a virus or hacker present that resulted in the material being placed on the defendant’s computer.

An expert can also help determine the number and content of images or videos. If there are duplicate images, they may count as separate images and affect the outcome of sentencing. If child pornography is intermixed with adult pornography or other unrelated files, and the prosecution’s examiner finds that a folder contains child pornography and reports the total number of files within it, the count could be inaccurate.

They can also help determine whether the computer was infected with a virus or malware that led to the material’s possession, receipt, or distribution.

During a trial, the defense’s expert witness can help build a specific theory of defense and testify to cast doubt on the prosecution’s expert witness. Even if a case does not proceed to trial, defense experts can help demonstrate the exact number of images, the location of the images, the length of video files, and how long the alleged conduct was going on, which can help to negotiate a deal or receive a more lenient sentence from the judge.


Internet Service Providers (ISPs) offering online storage of content are mandated to report child pornography that they find on their system to the National Center for Missing & Exploited Children (NCMEC) following the PROTECT Act of 2008. NCMEC purports to be a private nonprofit, but it essentially operates as an extension of the government. ISPs report online child crime directly to NCMEC through CyberTipline Reports. These reports include a date/time and IP address, which NCMEC then uses to find coordinates.

Material may be stored on an electronic device’s internal hard drive, a removable flash drive, CD, or external hard drive, or “in the cloud” on remote servers maintained by third-party providers and accessed through the Internet. Most cloud services store a cache of recently accessed documents.

The content of digital files can be summarized as a unique identifier, a “hash value,” through a process called “hashing.” The hash value of a file can be used to establish that copies of the file are the same, even if their names or other attributes are changed. NCMEC and law enforcement keep a record of the hash values of known child pornography images, which may be used as a way to identify the content of material without actually viewing it. However, hash values can be easily changed by manipulating the material itself. NCMEC maintains a database of the hash values of all known child pornography images.
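An added example (not from the original handbook) of the hashing step described above and of the file-count issue raised earlier: it hashes every file under a directory, then reports the raw file count beside the number of distinct contents and of matches against a known-hash set. The sample files are constructed benign byte strings; the function names and the choice of SHA-256 are assumptions, since the page does not name a hash algorithm.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

def sha256_file(path, chunk=65536):
    """Hash a file's content in chunks; the file name plays no part in the digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def inventory(root, known_hashes):
    """Group every file under root by content hash and summarise the counts."""
    by_hash = defaultdict(list)
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            by_hash[sha256_file(p)].append(str(p.relative_to(root)))
    matched = {h: v for h, v in by_hash.items() if h in known_hashes}
    return {
        "total_files": sum(len(v) for v in by_hash.values()),
        "unique_contents": len(by_hash),
        "matched_files": sum(len(v) for v in matched.values()),
        "matched_unique": len(matched),
        "duplicate_groups": {h: v for h, v in by_hash.items() if len(v) > 1},
    }

def demo():
    # Constructed sample: benign byte strings stand in for evidence files.
    known = b"constructed sample content A"
    other = b"constructed unrelated content B"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "folder").mkdir()
        (root / "cache").mkdir()
        (root / "folder" / "a.bin").write_bytes(known)
        (root / "folder" / "renamed_copy.dat").write_bytes(known)  # same bytes, new name
        (root / "folder" / "unrelated.txt").write_bytes(other)     # intermixed unrelated file
        (root / "cache" / "tmp0001").write_bytes(known)            # automatically cached copy
        known_hashes = {hashlib.sha256(known).hexdigest()}
        return inventory(root, known_hashes)

if __name__ == "__main__":
    report = demo()
    for key in ("total_files", "unique_contents", "matched_files", "matched_unique"):
        print(key, report[key])
```

Reporting "files in the folder" here would give four, while only three files match the known hash and all three are copies of a single item.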

Peer-to-peer (P2P) file-sharing refers to software that allows devices to share files over the Internet. It allows devices to connect to one another and share content directly. Centralized servers connect users, maintain lists of shared files, or monitor for illegal content. When users place files in or download files to the software’s shared folder, the files are made available to other users of the P2P network. A P2P user typically can control the extent to which files on their device are shared. P2P file sharing is widely used to download child pornography. Government investigations into P2P networks can reveal the IP addresses of users offering child pornography. P2P file sharing permits “impersonal” sharing of files, because once a user permits the network to share their files, they have no control over who has access to them or how many times they are shared, and do not have direct contact with other users. However, some P2P networks allow for private networks that limit the sharing of files to only invited users.

Other ways child pornography may be accessed are through “internet relay chat” (IRC) chat rooms, newsgroups, social networking websites, or commercial Internet websites. People may also trade material with one another directly through email, instant messenger services, webcasting, and video streaming.


People may download material from public Wi-Fi networks to make their identity harder to trace. Alternative or anonymous payment methods may be used to pay for access to certain services or images. They may also disguise their Internet Protocol (IP) address to avoid being identified, rename images and folders, encrypt their data with a password, wipe previously deleted files from hard drives, or use anonymizer software. Anonymizers also allow access to what is commonly known as the “Dark Web,” where people may be able to share or download child pornography without being identified.

Many defendants are identified through the recovery of IP addresses or Globally Unique Identifiers (GUIDs) on P2P networks or Internet forums, or the recovery of payment authorizations for network providers or commercial child pornography sites. The government then subpoenas the ISP to determine which customer was using the IP address at a given time, if possible. The government may also use sting operations to identify offenders, such as creating fake websites, posing as minors, or infiltrating closed trading communities while undercover.[1]

Upon seizing a defendant’s devices, digital forensic examiners identify the child pornography material and preserve the evidence. This typically involves making a duplicate image of a hard drive and running a search for files with known child pornography hash values. They will also search file folders, browsing or communications programs, emails, chat logs, and caches, which store temporary files automatically. Metadata may be used to determine more information about the files (See “Metadata Analysis”). Sophisticated techniques can be used to recover files that have been deleted from the hard drive and cache or decrypt hidden or encrypted files.


[1] United States Sentencing Commission. (2012). Technology and Investigation by Law Enforcement in Child Pornography Cases.


See the section on Private Search Doctrine (Fourth Amendment Defenses) for a more detailed overview of the private search doctrine. In United States v. Ackerman, 831 F.3d 1292 (10th Cir. 2016), the Supreme Court maintained that NCMEC is a state actor because it serves a police function in operating the CyberTipline. 18 U.S.C. § 2258A(a) requires ISPs to send cyber tips to NCMEC when they discover evidence of child pornography on their platform. In United States v. Meals, 21 F.4th 903 (5th Cir. 2021), it was argued that because of this law Facebook acted as a government agent when it found and reported child pornography found on the defendant’s computer. This argument was rejected because the law does not require ISPs to actively search for evidence of child pornography. The case also argued that NCMEC is a government agent that exceeded the scope of Facebook’s search when it reviewed the messages. However, the court found that even if NCMEC were a government agent, NCMEC only transmitted information between Facebook and law enforcement. While the court in Meals rejected these arguments, the case raises the potential for private search doctrine arguments to be made in the future if the government and/or law enforcement encourage private actors to conduct searches or if the officer’s search was limited to the scope of the private party’s search when it receives potential evidence.

The government is often interested in the data gathered by private companies. As the relationship between the government and private companies continues to evolve, it is likely that the two will become increasingly intertwined, and the limits of the private search doctrine will be tested.

