My best guess is that something on the unencrypted Mac Pro was referencing files on the encrypted drive. I'm not sure what kind of metadata macOS stores or what a third-party app would have, but it wouldn't be hard to imagine that something had hashes for files on the external drive.
How on earth is this supposed to work? Unless they can decrypt the hard drives, I am pretty sure that this is impossible to deduce.
Maybe he used Freenet or something on his unencrypted hard drive?