Two thoughts that come to mind are

1. Dictionary attack. They would use all non-encrypted data they could find on his machine as source material. Also, if they have any browser history form his machine, or internet usage records from his ISP, they would use the contents of every web page they suspect he may have viewed. Having an idea of his interests from whatever else they can find in his home, car, ISP logs, e-mail, etc., also allows for further customization of the dictionary.

2. Side channel attack. If Steven was running with every volume in the machine encrypted, with a pre-boot password, then all they have to go on is a dictionary attack. But, if anything was unencrypted there will be leaks. There is some discussion of volume encryption issues here: http://www.jetico.com/bcve.htm

See what you can find out about his case. I, for one, would be very interested in the encryption issues. Personally, I don't trust windows at all. Thanks.

Student