Agents from the Department of Homeland Security then applied
for a federal search warrant to examine the seized devices.
Doe voluntarily provided the password for the Apple iPhone 5S,
but refused to provide the passwords to decrypt the Apple Mac Pro
computer or the external hard drives. Despite Doe’s refusal,
forensic analysts discovered the password to decrypt the Mac Pro
Computer, but could not decrypt the external hard drives.
Forensic examination of the
Mac Pro revealed an image of a pubescent girl in a sexually
provocative position and logs showing that the Mac Pro had
been used to visit sites with titles common in child
exploitation, such as "toddler_cp," "lolicam," "tor-childporn," and “pthc.”
The Forensic examination also disclosed that Doe had downloaded thousands
of files known by their “hash” values to be child pornography.
The files, however, were not on the Mac Pro, but instead had been
stored on the encrypted external hard drives. Accordingly,
the files themselves could not be accessed.
So it looks like they got the hashes from logs/forensic evidence collected from an decrypted Mac Pro.
