You are correct the name of the show was lone gunmen. I got the name wrong.
It's hard to say if he knew something or if there were just good writers. The same group made a spin off called the smoking gun about the hackers from the x files. The first episode is about remote controlling planes into the twin towers. It was some years before 9-11.
Theres a chain of custody that the auditors can follow. That will most likely be broken because we know in some states mail in envelopes were deatroyed and adjucation occured at extremely high rates. This is a good legal area to start in.
You can look for deleted files and time stamps to look or tampering. They can image the drives to take off site for further testiglng. I would hope they can test directly on one of the machines too.
The forensic guys should have more info on the internals of the machine. I'm sure there is plenty more for them to do when it comes to checking what the software did. One key item that look at is why they used floating point calculations.
I am not an auditor, I'm basing this statement off my decades or IT work.
Ransomware attacks like the Cuba are still normal right now. There's also been a big increase in phishing attempts against companies. Unless they give out more information this is currently a normal issue IT deals with.
As an example Honda and our local wind farm got hit. Both were down for weeks. The company I work for got hit a year ago and it took 3 days to restore bare minimum. Several weeks to be running at normal capacity. When you're restoring terabytes of data from an attack that used built in encryption to attack your system it's messy and it takes a while to correct and mitigate future attacks.