I wish they'd have made the FBI's story a little more believable. I mean, it seems slightly more legitimate than what you see on TV and in movies about hacking.
I don't do forensics. But I am a reverse-engineer and I am familiar with the techniques: more familiar than Tarbell, it seems. (That's really his name? Tarballs from Tarbell? My goodness.) Tarbell's declaration reads to me more like a textbook demonstration of (bad) parallel construction in action.
They could have done it legitimately, without compromising the server and potentially tainting the evidence any way they wanted: DPR indeed made a few rookie mistakes that would potentially provide for that. But the logs don't seem to actually have evidence supporting that, which is very unusual and at this time not explained? The declarations filed so far do not really seem to support that either, which is very odd and strongly suggests that we don't have the whole picture here: and we really should.
(Of course, we don't have the whole image, so we don't have the whole picture here. BTW: They used tar, not dd or dcfldd? Boo.)