What digital artifacts (cache, temp files, logs) have courts treated as possession evidence in CSAM prosecutions?
Executive summary
Courts and prosecutors routinely treat a wide range of digital artifacts—recent‑use records, system shortcuts, app logs, and carved media remnants—as circumstantial evidence supporting “possession” or “dominion and control” in CSAM prosecutions; practitioners rely on Jump Lists, LNK files, ShellBags, MRUs, browser histories, SQLite/app databases, and various logs and caches to tie a person to illicit files [1] [2]. The literature and vendor guides stress these artifacts are often persuasive but not dispositive, and defenses increasingly attack attribution, alternative explanations (malware, shared devices, open Wi‑Fi), and tool limitations [1] [3].
1. What prosecutors point to first: recent‑use and shortcut artifacts
Investigators and prosecutors commonly introduce artifacts that record “recent” activity—Windows Jump Lists, LNK shortcut files, MRU (“most recently used”) entries, and ShellBags—which show files or folders were opened or browsed and thus can be used to argue a defendant had access to or knowledge of CSAM on a device [1]. Forensic playbooks and attorney guides cite these artifacts as central to building a timeline that links a user to specific files or directories [1] [4].
2. App and system logs, caches and temporary files as corroboration
Mobile and desktop forensic reports routinely extract SQLite databases, application metadata, usage logs, browser caches and temporary files to show that content was downloaded, viewed, or indexed by an app; vendors and forensic guides highlight that these artifacts can indicate whether content was “received but never opened” or actively viewed, which makes their precise interpretation critical for possession arguments [1] [2]. Cloud indexing, local caches and temporary copies are treated as “digital traces” that prosecutors present alongside hash‑identified images to prove presence on a device [5] [4].
3. Hashes, carved files and exhibits: tying a file to known contraband
Prosecutors generally pair artifacts with hash values and selected exhibits to prove the elements of the offense: they identify specific hashed files from a device, then use associated artifacts (file paths, timestamps, MRUs) to show those files were resident and accessible, often limiting courtroom presentation to a representative set of images whose filenames or hashes are listed in counts [6]. Forensic pipelines and national programs (e.g., CVIP/NCMEC workflows described by vendors) formalize how files and metadata are cataloged and handled in prosecutions [5] [6].
4. The decisive legal question: dominion, control and attribution
Scholarly and practitioner sources emphasize that possession prosecutions hinge less on a single artifact and more on whether the government can prove dominion and control—i.e., that the defendant knew of and had the ability to access or delete the material—and forensic artifacts are marshaled to support that narrative [1] [3]. Defense strategies documented in the literature focus on parsing tool limitations, alternative explanations such as malware or multi‑user machines, and the difference between a file’s mere presence and knowing possession [1].
5. Where vendor materials and research can skew perception
Vendor white papers and product blogs (Cellebrite, Magnet, ADF Solutions) promote efficient triage, automated classification and cloud workflows that make artifacts easier to find and present; these materials underscore investigators’ capabilities but also carry an implicit sales agenda—presenting artifact discovery as a turnkey route to prosecution without always foregrounding attribution disputes or parsing tool error rates [5] [4] [7]. Academic work warns that artifact sets may be useful risk indicators but must be validated and contextualized before being treated as definitive proof [3].
6. Limits of the available reporting and what is not shown here
The provided sources catalog the common artifacts investigators extract and the prosecutorial uses of hashes and metadata, but they do not compile a definitive list of court precedents that accepted each artifact as standalone “possession” proof; therefore this report cannot assert how every jurisdiction’s courts have ruled on each artifact type, only that practitioners and forensic vendors rely on Jump Lists, LNKs, ShellBags, MRUs, SQLite/app logs, caches, carved files and hash matches as evidentiary building blocks in CSAM prosecutions [1] [2] [6].