You do realize that everyone confirms that 600+ files were altered, right? The state witness (Durham PD), the defense network expert (JW) and defense forensic expert (GM).
The last two delved further into it as they both had considerably more experience with this. The Durham PD witness had only tested 5 computers in his career and did not have an explanation for the altered files. And he was a prosecution witness.
The other two, with much more experience (GM had forensically tested 400+ computers), did. They felt the altered files pointed to intentional tampering.
The laptop was connected to the Cisco corporate network via VPN for 27 hours, starting from when the house was seized via search warrant through when the CPD computer experts arrived to collect the computers.
During that time, lots of automated processes would have happened: email downloads, data back-ups, software updates, and hard drive defragmentation.
The FBI witness said he looked at every one of the 691 file changes and attributed them all to automatic processes.
GM said that, to him, "tampering" is the same as "spoliation" and "spoliation" is the change of any bit on a hard drive while in custody. When asked about updates, he said "nothing from Microsoft". Well, it came from Cisco IT. Nice choice of words.
Yes, it's too bad that the computer was left on, running, connected to a network, and VPNed to Cisco while in custody. But that was the way Brad left it. And CPD process was to leave everything be until the computer-trained officers could come.
Something else to think about: the computer was connected to VPN for those 27 hours. That kills the "boot with a Linux CD and copy files" idea, because rebooting would kill the VPN connection.
For the "plug a USB drive in" idea: what is in the Windows system event log? If you plug something in, there would be a log. There is a log of someone configuring the IP address of a router at 10:21pm. Is there a log of someone attaching external media?