Utah Child Pornography and CSAM Defense Lawyer

Strategic Defense Starts Here

How Child Pornography and CSAM Charges Are Prosecuted in Northern Utah

An investigation involving child pornography—more commonly called child sexual abuse material, or CSAM—can threaten a person’s freedom, career, family relationships, and reputation before any criminal charge becomes public.

These cases often begin far from the accused person’s home. An electronic service provider may submit a report associated with an online account, file, or transmission. That information may be routed through the National Center for Missing and Exploited Children and then referred to Utah investigators. Police may obtain subscriber records, connect an IP address to a residence, seek a search warrant, and seize every phone, computer, tablet, or storage device they believe could contain evidence.

By the time detectives make contact, they may already have developed a theory about who used the account, who controlled the device, and how the material arrived.

That theory is not necessarily proof.

A file associated with an internet connection, online account, computer, or phone does not by itself establish who knowingly possessed, viewed, or accessed it. Modern devices generate caches, previews, backups, temporary files, synchronized copies, and other digital artifacts that can be misunderstood when taken out of context. Devices and accounts may be shared. Passwords may remain saved on old equipment. Several people may use the same Wi-Fi connection.

A meaningful defense examines every step between the original online event and the accusation against a particular person.

Attorney Andrew McAdams is a former felony prosecutor with more than twenty years of criminal-law experience. He represents people facing serious online sex crime investigations throughout Utah and evaluates not only what police claim to have found, but how the evidence was generated, preserved, interpreted, and attributed.

How Utah CSAM Investigations Commonly Begin

A person may not know that an investigation exists until officers arrive with a warrant or a detective asks for an interview. In many cases, however, the investigation began weeks or months earlier.

The Utah Attorney General’s Office serves as the lead agency for the Utah Internet Crimes Against Children Task Force. Utah ICAC works with local police departments, sheriff’s offices, the National Center for Missing and Exploited Children, and state and federal agencies. A case may therefore begin with a national platform report and later be investigated by a local Utah agency, an ICAC-affiliated investigator, the Attorney General’s Office, or a joint task-force team.

Before anyone knocks on the door, investigators may already have:

  • an online platform report or CyberTipline referral;

  • IP-address and internet-subscriber records;

  • account information, device identifiers, and timestamps;

  • file identifiers or hash information;

  • communications obtained from a provider; and

  • an affidavit supporting a warrant for a home or electronic devices.

Those records may provide a legitimate basis for further investigation. They do not necessarily establish who used the internet connection, which person controlled the account, whether material was intentionally acquired, or whether the suspect knew it existed.

A residential internet subscription may serve spouses, children, roommates, visitors, and dozens of connected devices. An account may remain logged in across several phones and computers. An IP address may identify the connection used at a particular time without identifying the human being who performed the alleged activity.

Having counsel involved before criminal charges are filed can help preserve evidence, manage requests for an interview, and prevent preliminary assumptions from becoming the uncontested foundation of the case.

Sexual Exploitation of a Minor Under Utah Law

Utah Code § 76-5b-201 is titled Sexual Exploitation of a Minor. People commonly search for the offense using terms such as child pornography possession or CSAM possession, but the Utah statute focuses on whether a person knowingly possessed or viewed child sexual abuse material, accessed it with the intent to view it, or maintained access with the intent to view it.

That language matters.

The law is not limited to a file intentionally downloaded into a conventional folder. An allegation may concern viewing, online access, cloud access, or data maintained through an account. At the same time, the prosecution must prove the required knowledge or intent. The technical presence of data alone does not automatically establish a crime.

A violation of § 76-5b-201 is classified as a second-degree felony. Utah law also permits separate charges for each minor depicted and for different items depicting the same minor. The manner in which investigators count and categorize alleged material can therefore have a substantial effect on the number of charges and the potential exposure.

The statute contains a narrow affirmative defense for certain defendants who are close in age to the minor depicted and satisfy specific statutory requirements. It is not a general defense to adult possession allegations and should be evaluated only after carefully reviewing the ages, source of the material, and surrounding circumstances.

Allegations involving the knowing transfer or sharing of material raise different legal and forensic questions. Those cases may turn on whether a person intentionally distributed CSAM, whether a program shared files automatically, and whether transmission records identify an actual recipient.

Utah also separately criminalizes aggravated sexual exploitation of a minor, which involves distinct alleged conduct and substantially different exposure. Keeping those issues on separate pages allows this page to remain focused on possession, viewing, access, knowledge, and attribution.

The State Must Prove Knowing Possession, Viewing, or Access

A forensic report may establish that data existed somewhere on a storage device. That is not always the same as proving that the accused person knowingly possessed, viewed, or controlled it.

Knowledge is often the central dispute.

Prosecutors may rely on the file location, user-created folders, filenames, browsing history, search terms, repeated activity, account records, statements, or efforts to organize or conceal data. Those facts can be significant. They still must be interpreted in context.

A file deliberately downloaded, renamed, and placed into a personal folder may support a different inference than an image found only in a temporary browser directory. A complete file that was repeatedly opened may carry different weight from a partial artifact recovered from deleted space. A synchronized file associated with an account may raise different questions from material stored locally by an identified user.

Police reports sometimes compress these distinctions into a simple statement that prohibited files were “found on the defendant’s computer.” That description may be technically accurate while still failing to explain who created the files, how they arrived, whether they were visible, whether they were accessible through ordinary use, or who knew they were there.

The defense should not accept a file count or software-generated label as a complete explanation. It should determine what the underlying data proves about knowledge, control, and intentional conduct.

Where the Material Was Found—and How It Arrived—Matters

Electronic data can exist in locations with very different forensic significance.

A meaningful review should distinguish among:

  • files deliberately saved in user-created folders;

  • browser caches, application caches, thumbnails, and previews;

  • automatic email or messaging-app downloads;

  • cloud-synchronized folders and device backups;

  • temporary operating-system files;

  • deleted data and unallocated storage space; and

  • external drives or removable media.

These locations should not be treated as equivalent.

A browser cache may store information automatically so a webpage loads more efficiently. A messaging application may create a thumbnail or download media without a separate instruction each time. A cloud service may copy a file among connected devices. Deleted or unallocated data may remain recoverable with forensic software even though the ordinary user could no longer locate or open it.

The file path, source application, timestamps, accessibility, and use history can all affect what the artifact proves. It may be important to determine whether the file was complete, whether it was ever opened, whether the accused person could see it without forensic software, and whether anyone moved, renamed, organized, or preserved it.

The mere label “downloaded file” is not always enough. The defense should identify what action the user took, what the device did automatically, and whether the forensic evidence can reliably distinguish between the two.

Browser Caching and Automatic Application Activity

Browsers and applications routinely store data in the background. A browser may cache images from a webpage. A social-media application may generate previews. A messaging program may download attachments automatically. An operating system may create thumbnail databases or retain temporary data.

Caching does not automatically establish innocence. A cached image may result from deliberate viewing. It may also result from an embedded webpage element, automatic loading, or background activity that the user did not direct.

The proper question is not simply whether an artifact was found in cache. It is what the surrounding evidence shows.

Relevant context may include the source page, browser history, duration and pattern of activity, search terms, nearby files, whether the original item was opened, whether it was later moved into a personal folder, and whether application settings caused media to download automatically.

Investigators may describe cached material as having been downloaded without explaining the mechanism that created it. That wording can imply a deliberate act even when the forensic process was automatic.

A reliable analysis separates intentional user behavior from ordinary device behavior and then evaluates whether the State can prove the required mental state.

Shared Computers, Phones, and Accounts

Electronic devices often have more than one user.

A household computer may be used by spouses, children, roommates, relatives, or guests. A family tablet may have no meaningful separation among users. A work computer may be accessed by several employees. An old phone may remain connected to a cloud account after it has been transferred to someone else.

Online accounts create similar complications. A Google, Apple, Microsoft, email, social-media, or cloud-storage account may remain logged in across several devices. Passwords may be shared, saved automatically, reused, or compromised. A file associated with a particular username therefore does not necessarily establish who was physically using the account at the relevant time.

The defense should compare account records, device records, and real-world evidence.

User profiles, browser sessions, application logs, saved credentials, biometric settings, location information, photographs, communications, and device-unlock records may help establish which person was active. Work schedules, travel records, receipts, surveillance footage, witnesses, and use of another device may also affect whether the State’s timeline makes sense.

A general assertion that “someone else could have used the computer” is rarely enough. The stronger analysis identifies the other users, explains when and how they had access, and tests each possibility against the forensic timeline.

Device ownership is relevant. It is not automatically proof that the owner caused every artifact stored on the device.

Cloud Synchronization Can Distort File Counts and Attribution

Cloud systems can copy data among phones, computers, tablets, online accounts, and backups without a separate deliberate action on each device.

A file received on one device may later appear on several others because cloud synchronization was enabled. A backup may preserve a file after it disappears from the original equipment. An account shared by several people may cause one user’s data to appear on another person’s device.

That process can complicate both attribution and the number of alleged items.

Several recovered copies may reflect one original event followed by automatic replication. A timestamp may identify when a server synchronized or restored the data rather than when a person first viewed it. A file associated with an account may be stored only in the cloud rather than locally accessible on every connected device.

The defense should identify the originating device, synchronization settings, linked accounts, connected users, and the meaning of each timestamp. It should also distinguish among creation, modification, access, upload, download, server processing, and backup restoration.

Without that analysis, a single source file can appear to be several separate intentional acquisitions.

An IP Address Identifies a Connection, Not Necessarily a Person

An IP address can connect alleged activity to an internet service used at a particular location. It ordinarily does not identify the individual person who performed the activity.

This distinction is especially important in Utah ICAC and CyberTipline investigations because the IP address may be the first connection between a remote online event and a Utah residence.

The internet-service provider may identify the subscriber whose name appears on the account. Police may then assume that the subscriber was the likely user or seek a warrant covering devices inside the home. That may be reasonable as an investigative step, but it does not complete the attribution analysis.

Family members, roommates, visitors, employees, and many connected devices may share the same address. Dynamic IP assignments, timestamp accuracy, time-zone conversion, provider records, and network configuration can also matter.

The defense should examine how investigators moved from the internet connection to the accused person. Did the affidavit identify a particular device? Did police account for other residents and authorized users? Was there evidence tying the relevant account, browser, application, or search activity to one person before officers seized the devices?

An IP address can justify further investigation. Standing alone, it does not prove who knowingly accessed or controlled the material.

Device Attribution Requires a Complete Digital and Physical Timeline

After a search warrant is executed, investigators may associate each seized device with the person who purchased, carried, or primarily used it. That is an important starting point, but it should not replace a complete attribution analysis.

Forensic evidence may reveal which user profile was active, which account was logged in, whether the device was unlocked, what applications were being used, whether communications were occurring, and where the device was physically located.

Real-world information may be equally important.

If the alleged activity occurred while the accused person was at work, traveling, in court, or using another device, those facts may challenge the attribution theory. Activity immediately before and after the event may identify the actual user. Photographs, messages, location history, receipts, access logs, and witnesses may help place the device and the accused person in different locations.

The strongest analysis places the digital events and physical events on the same timeline.

The question is not merely who owned the equipment. It is who could access it, who was likely operating it, and whether the device evidence and real-world evidence point to the same person.

Independent Digital Forensic Review

Law-enforcement forensic tools can extract, organize, and identify large amounts of information. The resulting report still requires interpretation.

Automated software may locate known file signatures, recover deleted data, display account information, or identify application artifacts. It may not explain who created the artifact, whether the person could see it, or what user action caused it to exist.

A defense-oriented forensic review may examine:

  • forensic-image integrity and chain of custody;

  • file paths, storage locations, and accessibility;

  • creation, modification, access, deletion, and synchronization times;

  • browser, application, cache, thumbnail, and cloud artifacts;

  • user profiles, account sessions, device identifiers, and connected equipment;

  • whether files were viewed, opened, moved, renamed, or organized;

  • malware, remote access, or unauthorized account activity; and

  • whether the government’s timeline is technically and factually possible.

The analysis should begin with the underlying data rather than the detective’s summary alone.

In some cases, the raw evidence confirms the State’s interpretation. In others, it shows that artifacts were inaccessible, automatically generated, synchronized from another device, associated with another user, or created at a time inconsistent with the prosecution’s narrative.

Independent review is not an exercise in inventing innocent explanations. It is a method of determining whether the conclusions in the police report are actually supported by the data.

That is why digital evidence in sex crime cases should be examined as evidence rather than treated as an automatic verdict.

Search-Warrant Issues in Utah CSAM Investigations

A judge’s signature does not make every aspect of a search immune from review.

The warrant affidavit must establish probable cause connecting the alleged criminal activity to the location and devices officers want to search. When the investigation begins with an IP address or online account, the affidavit should explain why investigators believe evidence will be found at the residence and why particular devices are likely connected to the activity.

A defense attorney should examine whether the affidavit accurately describes the platform report, subscriber information, timestamps, account records, other household users, and the age of the information. Material omissions or misleading descriptions can affect the probable-cause analysis.

The warrant must also describe what officers are authorized to search and seize with adequate particularity. Permission to search for evidence of one alleged offense does not necessarily authorize an unlimited examination of all information on every device.

The defense should compare the affidavit, signed warrant, property inventory, forensic protocol, and actual extraction. Questions may arise when officers seize devices with little connection to the allegation, search categories of data beyond the warrant, retain unrelated information, or use evidence discovered outside the permitted scope.

Depending on the facts, there may be grounds to challenge the search warrant, seek suppression, or limit how the seized evidence may be used.

Even when a court does not suppress the entire search, problems in the affidavit or execution can expose weaknesses in the investigators’ attribution theory and affect how prosecutors evaluate the case.

An Interview Can Supply Evidence the Digital Record Does Not Prove

Detectives may describe an interview as an opportunity to explain what happened. The interview may instead be designed to establish the exact facts missing from the technical evidence.

Investigators may ask who owned the device, whether anyone else used it, who knew the passwords, whether the person recognized an application, whether the account was exclusively controlled, or why particular files were present.

A person who has never seen the forensic report is in a poor position to answer those questions accurately.

Guessing about unfamiliar technology, accepting the detective’s description of the evidence, or attempting to explain files from memory can create inconsistencies. A person may unintentionally eliminate a shared-access defense by overstating exclusive control. On the other hand, denying obvious device or account use can damage credibility if the forensic evidence later proves otherwise.

There may be circumstances in which communication with investigators is strategically useful. That decision should be made after counsel understands what police have and what they are trying to establish.

An unprepared interview can transform an incomplete technical case into a case supported by the accused person’s own statements.

Prefiling Representation Before the Case Becomes Public

Some of the most important decisions occur before a prosecutor files a criminal information.

Investigators may still be examining devices, comparing accounts, identifying possible users, and preparing supplemental reports. The prosecutor may be deciding whether the evidence supports charges, whom to charge, how many counts to allege, and whether the matter should remain with local authorities, be handled by the Utah Attorney General’s Office, or involve federal agencies.

Representation during the prefiling investigation may allow counsel to preserve evidence, respond to interview requests, identify other users, obtain independent technical input, and present reliable information that corrects a material misunderstanding.

Evidence worth preserving may include:

  • work, school, travel, and location records;

  • documentation of other device, network, or account users;

  • records of account compromise, remote access, or cloud synchronization;

  • device histories and records showing equipment was shared, sold, or reassigned;

  • communications or records establishing the accused person was elsewhere; and

  • technical findings that contradict an assumed file path, timestamp, or user attribution.

This does not mean turning over every defense theory or producing information without understanding its effect. It means deciding strategically whether credible evidence can change the filing analysis before the allegations become a public felony case.

No attorney can promise that charges will be avoided. Early involvement can nevertheless help ensure that the prosecutor considers more than the initial investigative narrative.

Preserve the Evidence and Avoid Making the Situation Worse

A person who fears that illegal material may be connected to a device may feel an urge to delete files, reset equipment, close accounts, change passwords, or ask someone else to remove information.

Those actions can destroy evidence that would have helped explain what happened. They may also create allegations involving obstruction, tampering, or consciousness of guilt.

The same concern applies to contacting witnesses or other device users. Attempts to coordinate an explanation can be misinterpreted, even when the person believes they are merely trying to understand the situation.

Preservation is particularly important when the defense may involve shared use, automatic downloads, synchronization, account compromise, malware, or remote access. Resetting a device can eliminate the artifacts needed to prove those issues.

The safer course is to preserve the existing data, avoid discussing the facts with investigators or potential witnesses, and obtain legal advice before taking action.

What Happens if Charges Are Filed in Utah

Sexual exploitation of a minor is a felony offense. Utah felony cases are filed in district court rather than a municipal justice court.

Depending on where the alleged conduct occurred or where the case is filed, the matter may proceed in the Second, Third, Fourth, or another Utah judicial district. A case connected to Salt Lake County may be handled differently at the local level from one filed in Davis, Weber, or Utah County, even though the same statewide statute applies.

After charges are filed, the case may involve a first appearance, release conditions, a preliminary hearing, arraignment, discovery, pretrial motions, negotiations, and potentially trial. Motions involving search warrants, statements, forensic evidence, expert access, and the admissibility of electronic records may become central.

The preliminary hearing is not the final trial. It is a probable-cause screening hearing. The State’s burden at that stage is lower than proof beyond a reasonable doubt, and many technical or factual disputes may require later litigation.

A person facing felony sex crime charges in Utah should understand both the digital-evidence issues and the local criminal procedure that will control how those issues are presented.

State, Local, and Federal Involvement

Not every Utah CSAM investigation follows the same path.

A local police department may execute the warrant and refer the case to the county or district attorney. An ICAC-affiliated investigator may work with the Utah Attorney General’s Office. A federal agency may become involved when the alleged conduct crosses state lines, involves a broader network, or arises from a federal investigation.

The fact that an online service operates nationally does not automatically make the case federal. Likewise, an investigation that begins locally may later involve federal authorities.

State and federal cases involve different charging statutes, discovery practices, sentencing systems, and strategic considerations. Determining which agency is leading the investigation—and which prosecutor is reviewing it—is therefore important from the beginning.

Consequences Beyond the Criminal Sentence

CSAM allegations can affect nearly every part of a person’s life before the court determines guilt.

Employment may be suspended or terminated. Professional licenses and security clearances may be reviewed. Military service, government employment, housing, family-court proceedings, and contact with children may be affected. The public nature of a felony case can create reputational harm even when the evidence is disputed.

A conviction under § 76-5b-201 can result in incarceration, probation or supervision, treatment requirements, internet or device restrictions, and registration consequences. Multiple counts can materially increase the potential exposure and complicate negotiations and sentencing.

Teachers, healthcare professionals, therapists, contractors, military personnel, and government employees may face consequences separate from the criminal case. Defense strategy should account for those risks early rather than treating them as an afterthought.

Former-Prosecutor Perspective on Digital Attribution

Andrew McAdams spent approximately ten years prosecuting felony cases before becoming a criminal defense attorney. That background provides insight into how prosecutors review warrant affidavits, forensic summaries, interviews, and charging recommendations.

At first glance, a CSAM investigation may appear to present a simple chain:

An online report identified an IP address. The address led to a home. Officers found a device. Forensic software identified files.

Each link in that chain requires examination.

Was the online report complete and accurately interpreted? Was the timestamp converted correctly? Who used the connection? Which device generated the activity? Who controlled the relevant profile or account? Where were the files located? Were they visible and accessible? Did a browser, application, or cloud service create them automatically? Were they associated with a different user? What evidence proves knowledge?

The seriousness of the accusation cannot substitute for proof. A disciplined defense returns the case to the statutory elements, the raw evidence, constitutional requirements, and a timeline that can withstand technical scrutiny.

CSAM Defense Throughout Northern Utah

McAdams Law represents clients facing CSAM investigations in Salt Lake County, Davis County, Weber County, Utah County, Summit County, Tooele County, Box Elder County, Cache County, and surrounding areas.

A national platform report may lead to a search warrant executed by a local Utah agency. A detective in Bountiful, Layton, Ogden, Salt Lake City, Lehi, or Provo may work with an ICAC affiliate, another local agency, the Utah Attorney General’s Office, or federal investigators.

Those agency relationships can affect who possesses the evidence, who conducts the forensic examination, which prosecutor reviews the case, and how quickly a charging decision is made.

The core defense questions remain the same: what does the evidence actually prove, how was it obtained, and can it be reliably connected to the accused person?

Frequently Asked Questions About Utah CSAM Investigations

Can someone be charged if police find only one or two alleged files?

Yes. Utah law does not require prosecutors to allege a large collection before filing a felony charge. A single item may support a charge if the State can prove that the accused person knowingly possessed or viewed it, accessed it with the intent to view it, or maintained access with that intent.

The file count still requires careful review. Forensic software may separately identify an original file, thumbnail, cached copy, synchronized copy, partial artifact, or deleted remnant. Several entries in a report may therefore arise from one source event rather than several independent acquisitions.

The defense should determine what the software counted, where each artifact was located, whether it was accessible, and whether the evidence proves knowing conduct. A low file count does not make the case insignificant, but a high number reported by police may not always mean what it initially appears to mean.

Does finding material on a computer prove that the owner committed the offense?

No. Ownership is relevant evidence, but it does not necessarily establish who used the device or knew that the material existed.

A computer may have several user profiles. Family members may share passwords. A phone may remain connected to another person’s account. A workplace device may have multiple authorized users. Applications, backups, caches, and cloud services may also create data without the owner deliberately saving each item.

The defense should compare device ownership with login records, browser profiles, account sessions, timestamps, communications, location history, work schedules, and other evidence identifying the actual user.

The strongest attribution analysis does not rely on a general statement that someone else had access. It identifies the specific users and tests their access against the alleged activity.

What does it mean when files are found only in browser cache, thumbnails, or unallocated space?

Those locations can carry very different evidentiary meaning from a file deliberately saved in a personal folder.

A browser cache may store webpage content automatically. A thumbnail database may contain small previews generated by software. Unallocated space may retain fragments of deleted data that the ordinary user could no longer see or access.

The defense should determine whether the artifact was complete, visible, opened, deliberately saved, moved, renamed, or organized. It should also identify what application created it and whether the person could reach it through ordinary device use.

These technical locations do not automatically create a defense. The surrounding activity may still establish knowledge. They do, however, require more careful analysis than a police-report statement that files were simply found on the computer.

Can cloud synchronization place material on a device without a separate download?

Yes. Cloud services may automatically copy data among connected phones, computers, tablets, online accounts, and backup systems.

A file originating on one device can later appear on several others. A backup may restore old data to a replacement device. An account used by several people may synchronize one person’s files onto equipment primarily used by someone else.

The defense should identify the original source, linked devices, account users, synchronization settings, and meaning of the timestamps. It may also matter whether the file was stored locally or existed only through remote cloud access.

Cloud synchronization can affect both attribution and file counting. Several recovered copies may reflect one original event followed by automatic replication rather than several intentional downloads.

Can police identify the responsible person from an IP address?

An IP address usually identifies the internet connection assigned to a subscriber at a particular time. It does not necessarily identify the individual person using that connection.

A home network may be shared by family members, roommates, guests, and numerous devices. A business connection may serve employees, contractors, customers, and tenants. Investigators may also need to verify dynamic IP assignments, timestamps, time zones, and provider records.

The IP address can be an important lead and may support an application for a search warrant. Police ordinarily need additional evidence to connect the online event to a particular device and user.

The defense should review how investigators made that transition and whether the warrant affidavit acknowledged other plausible users.

What should someone do when Utah officers seize phones and computers?

The person should preserve the warrant, property inventory, receipt, and any other documents provided by officers. It is also helpful to make a contemporaneous record of what officers said, what property they took, whether they requested passwords, and whether anyone was interviewed.

Do not remotely erase data, reset devices, close accounts, alter files, or ask another person to change anything. Those actions may destroy favorable evidence and create additional legal problems.

The person should also avoid giving an immediate technical explanation for files or activity that has not been reviewed. Statements about passwords, exclusive use, accounts, applications, or browsing practices may later become central evidence.

Counsel can communicate with investigators, address interview requests, preserve favorable records, and begin evaluating the warrant while the forensic examination is still underway.

Should someone agree to an interview to explain that the files were accidental or belonged to another user?

Not without first obtaining legal advice and understanding what investigators already possess.

Police may have forensic information, account records, or timelines the person has never seen. An explanation based on assumptions may conflict with the actual data. Even a truthful attempt to cooperate can create damaging inconsistencies.

Investigators may be seeking confirmation that the person exclusively used the device, controlled the account, recognized particular filenames, knew how an application operated, or had access to a folder. Those statements may supply evidence of knowledge or control that the technical record does not independently establish.

Communication can sometimes help during a prefiling investigation, but it should be deliberate and informed rather than an improvised interview.

Can police search every electronic device found inside the home?

Not automatically. The lawful scope depends on the facts set out in the affidavit and the language of the warrant.

The warrant should establish probable cause connecting the location and categories of devices to the alleged offense. In a home containing several people and many devices, the attribution analysis may be more complicated than in a single-user residence.

The defense should examine whether each seized device had a sufficient connection to the suspected activity, whether officers searched data outside the authorized categories, and whether the warrant was adequately particular.

It may also be important to determine whether the affidavit accurately described the online report, IP information, account records, timing, and other residents.

Can an independent forensic expert review the government’s evidence?

In many cases, the defense can seek appropriate access to forensic images, extraction reports, raw data, account records, and related discovery. Because alleged CSAM must be handled under strict legal controls, the evidence is not ordinarily provided directly to the defendant.

An independent expert may examine file paths, timestamps, application artifacts, cache data, cloud activity, account sessions, user profiles, deleted information, and whether files were opened or accessible. The expert may also evaluate whether the government’s timeline and technical conclusions are supported by the underlying data.

An expert is not automatically required in every case. Independent review is most important when knowledge, access, user attribution, synchronization, file location, or the interpretation of forensic artifacts is genuinely disputed.

Can Utah prosecutors file multiple counts based on one search?

Yes. Utah law permits separate charges based on each minor depicted and different items depicting the same minor. This can result in multiple counts arising from material recovered during one search.

The defense should examine whether each charged item is actually distinct, whether apparent duplicates arose through synchronization or caching, and whether the State’s counting method is legally and forensically sound.

A forensic report may list several technical copies of the same source file. Whether each supports a separate criminal count is a different question that should be reviewed carefully.

Can a Utah CSAM investigation become a federal case?

Yes. Federal involvement may arise when the alleged activity crosses state lines, involves a broader investigation, uses certain online networks or services, or is investigated by a federal task-force partner.

The use of a national platform does not automatically make every case federal. Many cases remain in Utah state court and are prosecuted by a county or district attorney or by the Utah Attorney General’s Office.

The identity of the investigating agency, search-warrant applicant, forensic examiner, and reviewing prosecutor can help reveal the likely path of the case. State and federal proceedings involve different statutes, sentencing structures, and strategic considerations.

Can an attorney help before charges are filed?

Yes. The prefiling stage may offer the best opportunity to preserve evidence and correct an inaccurate investigative theory before it becomes a public criminal case.

Counsel may collect work and travel records, identify shared users, preserve account history, address an interview request, consult a forensic expert, and communicate with investigators or prosecutors.

In an appropriate case, the defense may present evidence showing that the accused person was elsewhere, another user controlled the device, the account was compromised, or the files were generated or synchronized in a manner inconsistent with the State’s assumptions.

No attorney can guarantee that charges will be declined. Early involvement can ensure that the prosecutor receives reliable defense information before making the filing decision.

Speak With a Utah CSAM Defense Attorney Before Answering Questions

CSAM investigations often proceed quietly while law enforcement reviews online reports, subscriber records, warrants, devices, accounts, and forensic data.

A person should not assume that the police report accurately explains every artifact or that an interview will clear up the situation. The defense should begin by identifying what investigators actually possess, what the evidence proves, what it merely suggests, and what information must be preserved before the State’s theory becomes fixed.

If devices have been seized, detectives have requested an interview, or there is reason to believe that a Utah CSAM investigation is underway, contact McAdams Law PLLC at (801) 449-1247, or click below, to schedule a confidential consultation.