Password for what?
While I may not be able to decrypt the files, I can usually tell pretty quickly if someone has been using encryption software, even if the software is on a thumb drive and not on the computer itself. The software will leave traces in the registry, in the page file, in the master file table, etc. If you can find when the encryption software was invoked and then find the names of files accesses shortly afterward, you can often find the encrypted containers (especially true for TrueCrypt). That doesn't mean you can decrypt them - just that you can locate them and show that encryption software was used to protect them.
But who is to say if it is the PC’s owner doing the encrypting or a trojan virus?