Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Cboldt

Some hacking techniques leave scant or even ZERO tracks in the hard drive, and are transient in memory and network traffic. For those sorts of attack, access to the server -while it is running- is necessary to see the attack while it is underway. Also, some servers have crappy logging, so intrusions are not logged.


...and if it wasn’t a hack, but an insider who snagged a copy of the emails on the server from a backup, there would be nothing on the log. The dog that didn’t bark, so to speak.


32 posted on 05/26/2017 6:47:04 AM PDT by Flick Lives ("Daddy, what did you do in the Deep State War?")
[ Post Reply | Private Reply | To 24 | View Replies ]


To: Flick Lives

Server log files get massive. But almost all servers have archiving and backups. These days, if security isn’t critical, backups are often cloud-based. Otherwise they are local. You know someone is covering something up if logs and backups get erased or ‘disappear’... or “beached”. heh.


36 posted on 05/26/2017 6:58:42 AM PDT by z3n
[ Post Reply | Private Reply | To 32 | View Replies ]

To: Flick Lives
-- ... ...and if it wasn't a hack, but an insider who snagged a copy of the emails on the server from a backup, there would be nothing on the log. --

Another good point. Assume there are two machines, a server, and a machine used to archive and backup. If the theft happens on the machine containing the backup, any logging would originate from that machine.

That said, and complicating things, it is possible for logging to be remote too. I administer a small network, and SOME activities are logged in two places - on the machine where the activity took place, and on a remote machine. Without remote logging, even if the backup machine logged somebody taking a copy, the server would have ZERO evidence of a person taking a copy from the backup machine.

At any rate, my general point was that most of the forensic work the FBI or anybody else would do (regarding intrusions) would use a disk image. Without more detail and questions, arguing over access to the server is a smokescreen/distraction. Ok, FBI didn't ask to access the server. Did it ask for a disk image and logs? I see no reporting that gets to the bottom of that.

Plus, as you see from my later remark, resolving the source of a hack does not rule out the INDEPENDENT taking of a copy by a leaker.

38 posted on 05/26/2017 7:11:07 AM PDT by Cboldt
[ Post Reply | Private Reply | To 32 | View Replies ]
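
The thread's point about logging in two places can be turned into a check. The sketch below is an added example, not code from any poster: it reconciles a host's local log against the copy held by a remote collector. The host name `backup01`, the log lines and the function names are constructed for illustration.

```python
"""Reconcile a host's local log with the copy kept on a remote log collector."""
from collections import Counter

# Constructed sample: what the remote collector received from host "backup01".
REMOTE_COPY = """\
2017-05-26T06:01:10Z backup01 sshd[411]: Accepted publickey for opsuser from 10.0.0.5
2017-05-26T06:03:42Z backup01 rsync[520]: sent archive mail-2017-05.tar to 10.0.0.77
2017-05-26T06:04:00Z backup01 sshd[411]: session closed for user opsuser
2017-05-26T06:10:00Z fileserver cron[90]: unrelated entry from another host
"""

# Constructed sample: the local file on backup01. The rsync entry is gone, and
# one kernel message exists only locally (not every facility is forwarded).
LOCAL_FILE = """\
2017-05-26T06:01:10Z backup01 sshd[411]: Accepted publickey for opsuser from 10.0.0.5
2017-05-26T06:02:00Z backup01 kernel: usb 1-1: new device attached
2017-05-26T06:04:00Z backup01 sshd[411]: session closed for user opsuser
"""

def entries_for_host(text, host):
    """Return a multiset of whitespace-normalised lines emitted by `host`."""
    counts = Counter()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        fields = line.split(" ", 2)      # timestamp, host, message
        if len(fields) == 3 and fields[1] == host:
            counts[line] += 1
    return counts

def reconcile(local_text, remote_text, host):
    """Compare both copies; return (missing_locally, missing_remotely)."""
    local = entries_for_host(local_text, host)
    remote = entries_for_host(remote_text, host)
    # On the collector but absent on the host: the local file was edited or
    # truncated after the entry was forwarded. This is the strong signal.
    missing_locally = sorted((remote - local).elements())
    # On the host only: expected when just some facilities are forwarded,
    # but also what a forwarding outage looks like.
    missing_remotely = sorted((local - remote).elements())
    return missing_locally, missing_remotely

if __name__ == "__main__":
    gone, local_only = reconcile(LOCAL_FILE, REMOTE_COPY, "backup01")
    for line in gone:
        print("MISSING ON HOST :", line)
    for line in local_only:
        print("NOT FORWARDED   :", line)
```

The same comparison works against a disk image: extract the log files from the image and feed them in as the local copy.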
