Well you suspected wrong. Someone with administrative access “deleted” the database folder, but the audit team was able to recover the deleted folder and its files because that deletion was the last thing done to the machines before they were handed over. When stolen money is recovered no one says, “Well the police backtracked on the robbery.”
What are the chances that the "Deleter" copied the original database before the fraud was committed, altered the ballot data, then deleted the altered database and copied the original "legit" database over the top of it? Forensics can read several layers deep on the disk to read earlier data, did the Cyber Ninjas do this? If not, there could be egg on someone's face when/if nothing is found "wrong" in the "recovered" database.