With all due respect to them, bring up a forensic investigator and walk us through the basics of what to look for. You don't do forensics using FTK Imager. The fiddling around is causing damage because you are demonstrating to everyone who actually does IT or Cyber that you don't know what you are looking for. They could spend 5 minutes and download a poster from SANS DFIR of things to look for.

If this 3 days is meant to demonstrate to people at large they have solid evidence, this ain't it. Logs being deleted is certainly suspicious, but carve out the damn logs, throw them into ES and show the connection correlation graph with geoIP attribution and demonstrate external connectivity into the system. Also, show the SQL DB logs and the commands that were running on the DB, if in fact auditing was properly enabled.

They are discussing the disabling the DB encryption. That is via the ForceEncryption DWORD 0 (disables database encryption) https://support.microsoft.com/en-us/topic/how-sql-server-uses-a-certificate-when-the-force-protocol-encryption-option-is-turned-on-6b709b78-24c7-fb45-cb6b-ec4cd975c824

Does anyone have a clear grab screenshot of the BAT script. I believe that SQL line will disable encryption on the server, but I could not see the DWORD value clearly enough.