You are right, I should not have used hard statistics because I am only going off of anecdote and guessing. I don't know if 2% of people busted with CP are framed or 20%, but I do know for a fact that it is possible to frame somebody for CP in such a way that forensics will come to the wrong conclusion. I also don't know if somebody having CP + their IP logged by LE + forensic analysis will lead to a conviction in 99.99% of cases, but I think I can find a statistic of over 96% of CP cases ending up in a conviction, and also I can find numerous stories of judges dismissing charges when traffic analysis is the only evidence against a suspect. I believe that all of my other uses of percentage were clearly figures of speech (i.e., it doesn't matter if 100% of computer users can do it or only the top 1%; it doesn't really make a claim to the exact % of computer users capable).
I would hope that it would be enough to at least discredit forensic reports! If it can be demonstrated that forensic analysis is incapable of distinguishing between a system that was used by the owner to download and share CP, and a system that was hacked into or otherwise manipulated into downloading and sharing CP, I think that is enough to discredit forensic analysis. That leaves us with traffic analysis, which already is not considered enough to secure a conviction, the presence of CP which cannot be proven to have been intentionally downloaded or distributed, and a forensic analysis that has been discredited. That doesn't seem like it should be enough to convict somebody to me; certainly it would not convince me of somebody's guilt beyond a reasonable doubt, let alone a shadow of a doubt.
I highly disagree. In my example Bob is, from the perspective of computer forensics, indistinguishable from somebody who intentionally downloaded and shared CP. Something like 96% of people arrested on CP charges are convicted.
If Bob could have gotten off unless he had a shitty lawyer, then it seems to me that nearly everybody could get off, other than the people who incriminate themselves (through confessions or spontaneous verbalization, both of which are, admittedly, surprisingly common). I don't know the exact percentage, or even a ballpark figure, of those who are convicted based upon the results of computer forensics alone, but if Bob can get off with a good lawyer then ALL of them should get off as well.
If a serial rapist could spontaneously change his DNA to that of arbitrary humans, would you still say that DNA is useful for evidence? If there were an over-the-counter tool that somehow allowed you to simply clone the barrel of a gun and modify the barrel of your own gun such that it leaves impressions identical to the cloned gun, would you still think that ballistic imprint correlation is useful for evidence? I can see that in some cases computer forensics are very useful for evidence, but the fact is that the analysts are relying on there not being a malicious agent trying to mislead them. It is similar to writeprint analysis: if no countermeasures are taken, writeprint analysis can achieve accuracy in the high 90%s; however, if somebody intentionally tries to mimic the writeprint of somebody else, the technique is easily tricked. So it is not true to say that writeprint analysis is worthless, but it is true to say that it is fairly trivial to write something such that it looks like somebody else wrote it. The writeprint analysts are hoping that the large majority of people don't attempt to make their writeprint look like that of someone else, just as the computer forensic analysts are hoping that there are not malicious agents trying to make it look like random people committed computer crimes. So no, computer forensics are not worthless, but when it comes to establishing guilt beyond a shadow of a doubt they are entirely insufficient.
The full point I am making is that the evidence that Windows leaves behind can be fraudulent such that forensics cannot possibly determine if it is indicative of guilt of a user of the physical PC. Also, there are many different skill levels of forensic people working for LE, and in many cases forensics technicians are not trained well enough to do an in-depth analysis.
For vendors on SR it is less of a concern because for them the evidence is the possession of drugs and the act of dealing the drugs. It is possible to frame somebody for drugs, sure, but I imagine that LE would watch them such that they establish their involvement in drugs prior to arresting them. They will not determine a vendor's IP address and then raid the vendor and convict them based upon discovering drugs. More likely they will put the vendor under surveillance and watch them pick up drug packages, watch them send out packages and then intercept them and determine that they contain drugs, and then raid the vendor (that is what happened to Enelysion anyway). In the case of CP, they detect an IP address involved with it and then they raid the person and secure a conviction based upon the presence of CP and a forensic analysis of the system.
For example, look at the attack against Gnutella. It allows Alice to trick Bob's client into downloading any file from the internet. It is not really a different action for Bob to search for an mp3 and be sent an mp3 than it is for Bob to search for an mp3 and have his client manipulated into downloading CP. In this case forensics would probably be able to differentiate if they were trained well enough; there would likely be logs of Bob searching for various things and the CP would not be included. If it takes Bob a while to be raided, though, it is possible that logs would be gone by the time he is arrested, but the CP would still be present.
It has been a few years since I studied forensics on Windows systems (I pretty much gave up that quest after determining that FDE is the nail in the coffin of traditional computer forensics... well, I also stopped using Windows lol). I would need to refresh my memory a bit prior to determining if forensics could differentiate between a file the Gnutella client is tricked into downloading versus a file it intentionally downloads. However, this was just a basic example of how somebody could be framed. A skilled hacker would not use such an attack if they determine it would leave a trace. There are certainly people who can penetrate into a system, carry out actions and then leave without a trace being left to indicate that the system was penetrated.