Images posted to file-sharing networks without a person’s permission can remain available indefinitely. When the image is sexually explicit and involves a child, the scale of this privacy violation grows tremendously worse and can have repercussions for the victim’s whole life. Providing investigators with tools that can identify the perpetrators of child pornography (CP) trafficking is critical to addressing these violations. Investigators are interested in identifying these perpetrators on Freenet, which supports the anonymous publication and retrieval of data and is widely used for CP trafficking. We confirmed that 70,000 manifests posted to public forums dedicated to child sexual abuse contained tens of thousands of known CP images including infants and toddlers. About 35% of traffic on Freenet was for these specific manifests. In this paper, we propose and evaluate a novel approach for investigating these privacy violations. In particular, our approach aims to distinguish whether a neighboring peer is the actual requester of a file or just forwarding the requests for other peers. Our method requires only a single peer that passively analyzes the traffic it is sent by a neighbor. We derive a Bayesian framework that models the observer’s decision for whether the neighbor is the downloader, and we show why the sum traffic from downloaders relayed by the neighbor is not a significant source of false positives. We validate our model in simulation, finding near perfect results, and we validate our approach by applying it to real CP-related manifests and actual packet data from Freenet, for which we find a false positive rate of about 2%. Given these results, we argue that our method is an effective investigative method for addressing privacy violations resulting from CP published on Freenet.