The courts won't convict you of having a file that hashes to a known bad number. They will convict you of having an actual image of child porn. The hash digests are just a way for ISPs and law enforcement to perform a comparison without needing the actual thing to compare against.
There's a lot more to this than just saying "child porn". Once an automated system discovers a file that matches a hash, they involve an investigator. The investigator first views the image in question, and if it's a false positive, discards it, case closed.
If the data in question is or could be child porn, they investigate further, obtaining logs from the parties involved, finding out who else this person communicates with, online forums they frequent, etc., and compares the images they've already recovered to other cases involving child pornography. They document every finding. Once they've built up a case, they present their evidence to a judge and request a warrant. During the exercise of the warrant, they'll try to monitor the suspect to determine the exact moment he is online, then execute the warrant without warning in hopes of catching the suspect in the act of viewing child porn, or at least of having the files decrypted at the time they execute it. They'll bring a "mouse wiggler", which is a USB stick that emulates a mouse moving up/left/down/right every few seconds in order to prevent the activation of any screen savers or auto-locking mechanisms. They use a UPS to keep the device powered up in order to bring it to the digital forensic investigator, who will take an image of the computer's memory and image all the writable storage they find. They may have only once chance to recover the encryption keys used by the suspect, and it's possible if they're still in memory. And they will confiscate every digital device in the suspect's home. The forensic investigator will then trawl through the drive image, looking at any image files. There are forensic investigation programs such as Encase and Autopsy that provide a quick way to display any files it can encounter. These programs include knowledge of the various file systems in common use, and can find images in ZIP files, images inside nested ZIP files, image files in the recycle bins, and any deleted files in unallocated disk space that they can still recover. They have specific capabilities of searching for many various things including cached IP addresses, browser histories, password managers, and pretty much any regexp the investigator can come up with. Perhaps there's a password reset message still lurking in the Trash mailbox. Or there might be record of an online payment to a co-conspirator. It's surprising how few people have good enough operational security to erase all their tracks.
Once they've found evidence, anything the investigator can do to help identify the scene of the crime and/or the identities of the parties involved is top priority. This might include obvious things like EXIF tags in the images, or a hotel room service menu in the corner of an image, or they may check out clothing, decor, monogrammed towels, etc. There have been cases where the child's face was distorted with a paint tool but was recovered by the investigator.
If any usable data comes of this, the police will contact child services to see if the victim(s) can be identified, located, and helped.
Investigating these is a really awful job, and it takes someone with an iron stomach to do it, but it comes with the occasional reward that you've helped put away someone who is involved in the rape and torture of little children, and sometimes even helped rescue a child from a horrific situation. I have a friend who's been doing it for over a decade, and I still don't know how he can go home and sleep some nights. Most of his co-workers burn out after just a year or two on the job, because it really is heart wrenching. Sickening as it can be at times, it is a truly necessary job.