I agree on this being a legal issue. I mean if I assist them in getting access to the domain and it turns out that they technically don't own it, then I am opening myself up to liability.
At this point my only option to support their hardware is to modify the root password on their VMWare server and then modify the domain admin password assuming there is no encryption in place. I would much rather the client contact their attorney and have the old IT hand everything over.