I'm assuming the files were downloaded using Bittorrent or some other file sharing service, and the hashes of the downloaded files were logged on his Mac.
Ah, that makes perfect sense. Since they could log into his Mac, looking at the Bittorrent metadata would be trivial (apparently he didn't clear history, or at least do so securely), and some clients would indicate not only the downloaded file, but where it was saved to locally.
