This crook is not to be commended at all but the assumptions you've stated aren't necessarily true.
While I agree the prudent thing to do is first mount the volume in another system (or a boot disk but that often grants less functionality) and scan for and look manually for suspicious files, ultimately you have to boot the system with the original drive to be sure you caught everything which includes poking around at files since it cannot be assumed any scanner catches everything.
Would he have spotted the drive filling with video? Perhaps, or perhaps not. Lots of junk running in the background can cause CPU spikes if it's a reasonably compressed format which hits the hard drive not all that much more than windows otherwise does when finishing booting and prefetching things, not to mention the idle time tasks like indexing or defragging, or that doing a scan for malware again is causing continual CPU spikes and HDD access.
If he'd searched for a video file, wouldn't we by the same token suggest he shouldn't have been searching for video files since the most likely reason is to get personal data, since windows operation does not depend on video files?
In a production environment you don't really want to do some kind of comprehensive PC analysis, only to get the job done for the price quoted then move on to whatever else you have to do or want to do.
As for trying passwords from a file marked password, why wouldn't those be the first to try, would you instead search for a file named "aunt betty's fruit cake recipe.doc"?