That is not what I heard. He could not attribute the source of the tampering (this witness equates spoilation with tampering in this case). He mentioned several possible means but did not assert that the Cisco VPN connection was the means.
He said file updates did not come from Microsoft, but came via a connection through the Cisco VPN. To me that indicates normal updates pushed from Cisco IT, instead of the normal updates pushed from Microsoft.
The timestamp anomalies were a bunch of nothing. Since that symptom was widespread, and not limited to the incriminating files.