When attacking an encrypted flash, the idea is to trigger the sampling based on the activity of the external SPI flash signals.

This is detailed in the paper that inspired this article, or in in this more recent blog post: https://courk.cc/breaking-flash-encryption-of-espressif-part...