In our made-up scenario here, I have a couple of thoughts. First, they make an entry in the log since they can write to the drive. Or find out the retention period of the logs, and date the file before any existing log entries and then just state that it has been on there long enough for the logs to roll off. My point is that you cannot trust these logs when a drive can be written to externally. Another option: remove the logs, install them on a Windows machine not connected to any network. Change the date/time to something you want, boot Windows and drop the file on the machine, making a log entry. Maybe re-sort the logs, or just copy the log entry back over to the original machine. There are plenty of ways these logs could be faked or modified. When someone has physical access, all bets are off and everything becomes suspect.
Btw, 20 years ago I had to testify in court as a photographer that the images I had, that were introduced as evidence to the court, were the originals and that is what I saw through my viewfinder. So none of this is new, and courts have always needed to have provenance.