Child Pornography Forensics

Our Firm conducts in-house computer forensics on computers, smartphones and electronics seized by law enforcement and local police in child pornography investigations, drawing on our background in cybersecurity. The Firm has handled some of the most complex child pornography investigations in Ontario, and is one of the few businesses to have successfully defended international projects involving police forces from around the world. The Firm’s background in cybersecurity enables it to thoroughly review police investigative techniques which involve the use of highly sophisticated and often secret technology. Governments are continuing to develop and deploy advanced technology to successfully apprehend cybercriminals. The Firm has defeated international child pornography investigations initiated by all social media companies including Facebook, Instagram, Twitter, Kik, Skype, Apple, Mega, BitTorrent and many more.

NSO Group out of Israel produces the Pegasus program, which is a mobile phone spyware program that allows operators to monitor a target. This advanced program can be installed without permission, overriding the phone’s security system. It can send private information from the device to the operator and even give access to the microphone or camera.

We typically obtain a system image of all material, software and operating systems seized by police for independent analysis where applicable, which requires special forensic law enforcement software to review. We reverse engineer the process to determine whether information corresponds with that used by law enforcement to obtain a search warrant, such as the information provided by the Officer in Charge in the Information to Obtain (ITO). The Firm also employs, on contract, retired Internet Child Exploitation (ICE) police officers for expert opinion.

We provide an independent categorization of the alleged material seized by law enforcement, including relevant defence details associated with this material that are frequently used and important to sentencing. We have been retained to advance defences associated with inflated number counts and duplicate content between different storage mediums, as law enforcement does not distinguish these categories in detail when the size of a collection becomes excessive.

In the case R. v. C.S. [2024], the Firm achieved a withdrawal of distribution of child pornography charges following nearly three years of rigorous litigation. This case encompassed almost 40,000 images and videos identified as child sexual abuse material. The investigation, conducted through the use of BitTorrent by undercover officers, was further complicated by allegations that the accused had engaged in the prolonged downloading and storage of illegal pornography. The Firm adeptly challenged the validity of the software utilized by law enforcement in the proceedings through its internal forensic practice.

In 2022, the Firm successfully represented an individual charged with 7 child pornography charges including making child pornography, possessing child pornography and distributing child pornography in R. v. E.Z. [2022]. The accused, a second-time offender, was charged after he was discovered by law enforcement to be communicating with other offenders online and trading child pornography material. The large amount of child pornography material found in the client’s possession was particularly heinous, leading to the Crown asking for 7 years prison upon conviction. Donich Law conducted a forensic analysis of the devices seized by police and analyzed all production warrants and search warrants. The Firm uncovered an error in the information used to obtain the search warrant and launched a section 8 Charter challenge as well as a section 11(b) Charter challenge. The challenges led to the Crown significantly altering their position on sentence and ultimately withdrawing 5 of the worst charges against the client.

When this material is disclosed to defence counsel by law enforcement, it is generally a system image or copy of the alleged material. Some of our clients are unaware of the material or its origin, notwithstanding its existence on the hard drive. Accordingly, we have worked with Police Technological Crimes Officers to convert this system image into a Virtual Machine, i.e., enabling the user to browse the seized computer as if it were fully functioning. This was accomplished in the Firm’s R. v. M.C. [2020], where it was able to secure a withdrawal of Distribution of Child Pornography. The client indicated the existence of the material was unknown, and the Firm was eventually able to prove the existence of malicious software of Russian origin on the computer.

Internet Child Exploitation is a Global Problem

This type of examination enables a more comprehensive level of testing than simply browsing the system image. Extreme caution is required when undertaking these measures, as the forensic examiner risks distribution of the child pornography upon booting the Virtual Machine, depending on which programs were running at the time of seizure. Special safeguards are required if you are undertaking this level of analysis.

We have been involved in investigations with the National Child Exploitation Coordination Centre (NCECC) and the FBI, who often receive complaints from the National Centre for Missing and Exploited Children (NCMEC), located in the United States. We have also defended numerous allegations where the agencies have worked in collaboration with the Internet Child Exploitation Unit (ICE), here in Ontario.

Many of the Firm’s clients are surprised to have been caught downloading illegal content while using Tor Browser, Virtual Private Networks and Proxy Servers to conceal their online identity. Even though an individual’s data is encrypted along each of the relay nodes, their final connection point at the last relay in the chain may be compromised if the site the user is accessing does not have a secure socket layer. Since Tor was created alongside the United States Navy and is currently used by numerous American government agencies, many governments actively look out for Tor users. VPN providers are also required to reveal logs should a government agency demand it. These sophisticated offenders are often aggressively prosecuted for their substantial efforts to avoid detection and preserve illegal material.

Online Sex Offences are on the Rise in Canada

In the Firm’s R. v. A.B. [2020], it was able to secure a withdrawal of Making Child Pornography x2, Possession of Child Pornography and Voyeurism x2 after obtaining a forensic image of the computer seized by law enforcement. The file took 2 years to resolve and ultimately it was proven the accused did not create the alleged sexually explicit material. After forensic examination, the Firm was also able to prove the images did not meet the definition of child pornography in the Criminal Code.

Offences involving the possession or distribution of child pornography are very serious allegations of sexual misconduct. Crown prosecutors vigorously prosecute individuals charged with these offences. The consequences of a conviction can be enormous, and include serious social, relationship, employment and travel consequences in addition to potentially severe penal sanctions.

Frequently Asked Questions

Why do people Commit Cybercrime?

There are a number of reasons why people commit cybercrime, which are often similar to other forms of criminality. For many it’s financial gain, the thrill of breaking the law or “outsmarting” the authorities or, in some cases of child pornography, an addiction.

When an organization is breached, cybercriminals profit from selling stolen data or extorting money from organizations through the use of ransomware. Some hackers or groups have ideological views which motivate their behaviors or simply want bragging rights.

Smartphones and Child Pornography

Online child sexual abuse is a serious global issue that is not constrained by geopolitical boundaries. As technology has become democratized and cheaper to access, the marketplace and demand for child pornography has unfortunately continued to grow. Simply put, it’s now faster to access, share and create than ever before.

Offenders accessing child pornography can in some cases be abusing their own children which is why the charges are aggressively investigated and prosecuted. Unfortunately, with all the good technology brings us, it can also fuel an equal amount of suffering. Smartphones make it easier to create, share and distribute child pornography, which continues to re-victimize children and sustain a marketplace for illegal content.

What’s a Cyberwarfare Vendor?

These are professional suppliers of cyber weapons who supply governments. Israel’s NSO Group is a vendor who produces the Pegasus program. This program is a form of spyware which allows government operators or law enforcement to monitor and track a target. Unlike traditional spyware, the user may not actually have to click on anything. The program can be installed without permission from the user, which overrides the operating system. Once enabled, Pegasus can access most of the smartphone’s data, including messages, location, calls and even the microphone and camera.

What are common types of Cyberattacks?

Phishing Attacks

These types of attacks are used to collect sensitive information so a cybercriminal can gain access to an organization’s network or sensitive data. These attacks are often disguised in email links or private messages designed to redirect users to a dummy website they believe is trusted. Users will then enter their credentials, providing this information to hackers to use for financial gain or other malicious purposes. Some sophisticated attacks known as spear-phishing will attempt to target specific individuals in an organization. For example, a law clerk may receive an email from who they believe to be the senior partner in the firm; this trust will be leveraged to increase the success of an attack.

Distributed Denial-of-Service Attacks (DDoS)

In its simplest form, a DDoS attack is an attempt to render an entity inoperable by overwhelming it with traffic or data. Hackers will deploy a zombie army of infected computers, also known as a botnet, to flood the targeted system’s network. With the increased and focused traffic, the organization’s critical infrastructure fails, rendering it inoperable.

Brute-Force Attacks

These attacks are basically trial and error methods used to guess the correct password to a network. Software is generally deployed to undertake this process, with advances in machine learning and artificial intelligence being used to increase the effectiveness of these attacks.

What is Malware?

Malware is essentially malicious code intended to be planted on a targeted computer or server. Generally speaking, malware can include several types of malicious software designed to take control of a computer, render it inoperable or to acquire confidential information. Some of the common forms of malware include:

Viruses and Worms

Viruses are a type of computer program which can replicate by modifying other software. When compromised files are transferred, viruses can spread to other computers. The primary function of a worm is to self-replicate and infect other computers on the network. Unlike viruses, worms are able to spread without the original infected file.


Rootkits

A rootkit is a form of malicious software designed to provide unauthorized access to a computer or network. Rootkits can be installed in the operating system of the computer, making them difficult to detect, and unlike viruses, they are unable to replicate.


Spyware

Spyware is a type of malicious software designed to track users and gather data. In some circumstances cyberwarfare vendors design spyware and sell it to governments or law enforcement. This software can then be used to copy details on a smartphone or even access the camera and microphone.


Ransomware

Cybercriminals often use ransomware to extort money from an organization. Hackers will install ransomware on critical infrastructure or data in an organization, rendering it inoperable. Businesses will then be extorted to pay in order to have their data returned.


Trojans

A Trojan is another form of malicious code designed to grant a hacker access to a targeted computer. Trojans can be dangerous because they are disguised to look like legitimate programs. Once infected, a hacker will be able to monitor all activity on the computer, almost as if they were secretly watching your screen.

Donich Law - In the News

Breakfast Television

Mental Health Concerns in the Justice System.


The Difference between Criminal and Civil Liability.

CTV News National

The Rise of Gun Violence in Toronto.

Global News

New Changes to Pardons in Canada.

About the Author

Jordan Donich

Jordan Donich has been a Lawyer for over 10 years and is a legal analyst trusted by Canadian Media. He is a leader in Canada’s tech sector for lawyers and developer of Law Newbie. Jordan is a Black Belt with the Japan Karate Association and trained in Krav Maga. He won a Gold Medal at the 2004 Canadian National Championships and was published in the National Newspaper Awards.

Jordan has been featured in Forbes and is a member of DMZ Angels in Toronto.