I am going to talk about CP but only indirectly as computer forensics relates to it. First I need to define what I mean by computer forensics, as this title is used as a sort of catch all, applying to everything from cryptanalysis to traffic analysis to data recovery to data locating to remote hacking and spying. The goal of cryptanalysis is to decrypt encrypted data, it is not voodoo science and is actually essentially applied mathematics. The goal of traffic analysis is often to determine where a target is located, it is not really voodoo science because it can be extremely useful, especially when no countermeasures are being taken against it (however it can also be, and often is, extremely misleading). The goal of data recovery is to obtain data that somebody has attempted to destroy, either via physical damage of a drive platter or possibly by overwriting a file. This is not voodoo science, people really try to delete or destroy electronic files and people in data recovery really do use techniques that sometimes allow them to recover deleted files. The goal of data locating is to find files that somebody tried to hide, this is not voodoo science either, an example would be using a database of fuzzy hash signatures to quickly scan a drive looking for previously identified illegal files. Remote hacking and spying is not really voodoo science either, it has the goal of penetrating a suspect computer and obtaining evidence off of it covertly. Remote hacking can give misleading results, but there are real vulnerabilities and there are real ways to exploit them. However, all of these things taken as a whole, and coupled with the art of analyzing system logs looking for intelligence and evidence (ie: traditional computer forensics, building a timeline of activity, linking activity to a specific user, etc), are essentially voodoo science when used in the context of criminal investigations. Let me give you some examples. Let's say that Alice downloads a bunch of CP (I suppose she is a high school teacher..) , but since she doesn't want to get caught she uses her neighbors WiFi. Now the police pick up on the downloading of the CP due to traffic analysis (ie: Alice's neighbors IP address shows up in the logs of a CP site). Now the police send a team to raid Alice's neighbors house based on the intelligence their traffic analysts have gathered. Now Alice's neighbor probably doesn't have much to worry about these days, since in recent times (although not historically), the police analyze the WiFi around the modem detected accessing CP, and they will likely detect Alice if she engages in a pattern of behavior (although if she only does it once and never again, and she makes sure to spoof her MAC address, then she will likely never be identified and the buck will stop at her neighbor). Fortunately for Alice's neighbor Bob, even if Alice only uses his WiFi once with a spoofed MAC address, the police are going to very likely determine that Bob did not download CP, because they will seize his computer and send it to a forensics lab. They will scan his computer looking for illegal images and find likely none or just a few older jailbait pictures that are present on the drives of most people who look at amateur pornography, and which the police do not give a fuck about. They will analyze various logs looking for a sign that Bob accessed the CP site in question (or any CP sites at all) and they will find no evidence of this. They will look for signs that Bob wiped or deleted illegal images, such as traces in his swap space, logs of titles of known illegal images, etc, and they will find nothing. After a few weeks, Bob will get his computer back and the case will be closed. Now let's imagine that Alice is a bit more sophisticated. She wants to prove that computer forensics are not capable of obtaining evidence beyond a reasonable doubt. So she creates a virus that infects computers through a vulnerability in Firefox. Bob goes to one of the malicious websites and becomes infected with the virus. First the virus determines that Bob is running a popular P2P file sharing program. Then it searches for some canned keywords looking for child pornography. Then it downloads the CP and stores it in Bobs shared files, perhaps hidden in such a way that Bob cannot easily detect the presence of the files. Then the virus deletes all traces of itself. Hell, it never even really needs to leave RAM in the first place! After a while the police traffic analysts discover that somebody with Bob's IP address is sharing CP. They raid Bob as before, first checking for the presence of a WiFi thief (and finding that there is none, hell Bob has his internet connection encrypted with WPA 2 even!). Now they send the computer to the forensic lab as before. Except this time, the forensics agents quickly detect thousands of CP images in Bob's shared folder! Furthermore, they find logs that Bob was active on the computer during the time the CP was downloaded in the first place! They know it must be Bob because Bob was also checking his E-mail at the same time the files were downloaded! Now Bob is charged with downloading and distributing CP. At court Bob argues that he must have been infected with a virus, but the forensic experts counter that they scanned his entire drive with every leading commercial anti virus software out there, and absolutely nothing was detected! The jury quickly sentences to Bob to twenty years in prison and lifetime registration as a sex offender, and the case is closed. It is so easy for a skilled hacker to completely fool computer forensics, entirely, from traffic analysis all the way to the analysts at the lab. In fact, it is so easy that I would never be convinced of somebodies guilt based upon a forensic analysis of their computer system, even when accompanied with traffic analysis, hell even when coupled with cryptanalysis. Even remote hacking and spying can be misleading if there is an active agent attempting to create misleading results. Basic things like using your neighbors WiFi are not likely to get them in trouble, at least not these days, but it is still essentially trivial to frame anybody you want for a CP crime in such a way that they *will* be convicted. Computer forensics is *always* hoping that there is not such an agent, they are *always* hoping to be one step ahead of the 'bad guys' and in 98% of the cases they come to the correct conclusion with their analysis. The fact of the matter is though in those other 2% of cases they are going to come to an incorrect conclusion, and their training is not going to be sufficient enough that they can even consider it as a possibility, and certainly the jury is going to not believe the person who attributes his problems to a virus that was never detected because it literally left no trace.