This makes several assumptions. The first is that the crook didn't use something like NTPASSWD cracker and broke in to wipe the HD clean. The second thing it assumes is that the person was able to login and simply decided to use the machine as is.
Listen to Horse.

Back in my burglary days, I would usually use a NT password insertion disk to login as admin just to roam around directories out of curiousity. After checking through everything, I would just re-format and put a fresh install.