The timeline and details, to me, imply a physical server or desktop.
But the question then is: why would super secret stuff be on a single physical server or desktop, as opposed to a centrally managed cloud device?
This matters because the evidence talked about all appears to be endpoint - there is hardly any, if any, network data.
Whatever superuser access the defendant may or may not have had - surely he didn't have the ability to access and modify network logs?