[weinzierl]

Exactly, but the original quote doesn't say that they compared decrypted content with known hashes. It doesn't say anything about how they learned about the "content stored on the encrypted hard drive".

"Investigators said content stored on the encrypted hard drive matched file hashes for known child pornography content."

I read it like this: They figured out that the disk had some incriminating files, as I described in another comment of this thread. To make this work hashes are of no use, they need the original files. For various reasons they might not want to admit that they are in possession of the original files, hence the cryptic and vague phrasing.

[foldr]

If they're in possession of the original files they can just look at the files to see what they contain.

[weinzierl]

Sure. My point was more that they might possibly not want to openly admit that they are in the possession of the original files.

I'm sure law enforcement has lists with hashes of incriminating files, but I'm not sure if they are allowed to keep the original files. Even if they are, maybe they just want to avoid public discussion about it.

[foldr]

It's logically impossible for them to have the hashes of the files without having had the files at some point. If they no longer have the files, you might just as well take their word for it as to the content of the files as take their word for it what the hashes of the files are.

[beisner]

There could be a hash collision, which might be enough to provide reasonable doubt for a jury.

[johncolanduoni]

The chances of a hash collision are drastically lower than the false positive rate of a DNA test, and US courts have accepted the latter for a long time.

[foldr]

No, I mean if they have the image files, they can look at the images. It would be irrelevant what the image hashes to.