They would have only needed a log of all connections within a very short time window (a timing attack, which ofc is not tor specific, after all someone might chain a proxy and tor). If the terrorism card is on the table I wouldn't be surprised if they had done that first and only after that constructed a legal case. Remember that there was a good period of time during which they had the bomb threat but they didn't necessarily know it was fake.
