Measurements of the Internet for law enforcement purposes must be forensically valid. We examine the problems inherent in using various network- and application-level identifiers in the context of forensic measurement, as exemplified in the policing of peer-to-peer file sharing networks for sexually exploitative imagery of children. First, we present a one-year measurement performed in the law enforcement context. Our proposed tagging method offers remote machines application- or system-level data that is valid, but which covertly has meaning to investigators. These tags, when recovered, allow investigators to link network observations with physical evidence in a legal, forensically strong, and valid manner. We present a detailed model and analysis of our method, show how tagging can be used in several specific applications, discuss the general applicability of our method, and detail why the tags are strong evidence of criminal intent and participation in a crime. We then describe the tagging mechanisms that have we implemented using the eMule file sharing client.