How can you even prove that a file is encrypted? The whole law is baloney.

Use TrueCrypt to do whole disk encryption on your Windows XP hard drive. Then boot your computer with a Linux Live CD and dd the first 512 bytes to stdout. This is what you'll see in plain text ASCII:

"TrueCrypt Boot Loader"

No expert is needed to prove that you are using TrueCrypt whole disk encryption. It has a huge stamp right up front.

That's certainly true for that particular instance, in that particular implementation. But it's not necessarily the case. Take some random file and encrypt it with gpg; there's nothing obvious in the contents to mark it out as encrypted data.

tom@ubuntu:~$ gpg -c flag.png

tom@ubuntu:~$ gpg -v --list-packets flag.png.gpg

   :symkey enc packet: version 4, cipher 3, s2k 3, hash 2

   salt eae60ad4255dc4e2, count 65536 (96)

   gpg: CAST5 encrypted data

OpenPGP encrypted data is easy to find too. It even tells you the algo used. The example is symmetrically encrypted, but it works the same with asymmetric keys. Even shows who it is encrypted for. Edit: formatting.

Here's what the gpg data looks like when using someone's public key to encrypt a file... now we know who to go hit over the head with a hammer ;)

tom@ubuntu:~$ gpg -v --list-packets file.gpg

   :pubkey enc packet: version 3, algo 16, keyid 63E6E0BBB9FEE3A5

	data: [2045 bits]

	data: [2047 bits]

   gpg: public key is B9FEE3A5

   gpg: using subkey B9FEE3A5 instead of primary key 7A997B0A

With option --throw-keyids, you'd have to try your hammer on several heads until one fits.

Just out of curiosity, what would happen if someone e-mailed you something with a title of 'Here are the files you requested about [illegal stuff]' and include an attachment with encrypted contents.

Then say I notify the cops about your 'illegal' activities.

They try to find his co-conspirator.