Every digital file (and in fact, entire media, of course) can be hashed. One agency that does so routinely is the National Center for Missing and Exploited Children (NCMEC), which maintains a database of SHA-1 hash values for images of known child pornography (i.e., images that have been judicially linked to a specific, identified victim). As a general rule, law enforcement officers and prosecutors tend to concentrate on images of known child pornography as one means of eliminating potential defenses of mistake or morphing.

The availability of a database of SHA-1 hash values for known child pornography has enabled law enforcement, Internet Service Providers, and other online entities to monitor Internet traffic for contraband. For instance, ISPs like AOL and NetZero will calculate SHA-1 hash values for file uploads, compare it to the NCMEC database, and if contraband is detected, refer it to NCMEC for further investigation.

Once a suspect's computer has been seized, a computer forensics examination will quickly reveal whether there is any contraband contained on the hard drive. A suspect's use of client software like LimeWire makes the process of gathering evidence particularly straightforward. For instance, LimeWire's "Shared" directory is essentially a detailed list of all of the files that an individual successfully downloaded, an operation that requires affirmative action by the user. The "Incomplete" directory is similarly useful, since it shows the files the user tried to download (albeit unsuccessfully). Various other files contain information about the default settings for LimeWire and its day-to-day use.

From: Frosted Limes: The Unintended Consequences of Shutting Down LimeWire by Frederick Lane