Evidence of fraud is a criminal matter. Contact legal representation, or police.
Apple devices can be and have been hacked.
Users’ credentials and practices can and have led to exploitations, as well.
What you have described as “timestomping” is much more likely a corruption.
31-Dec-1969 is the Unix epoch, with a timezone offset. It’s a zero in a data structure. So too is the reporte size. Another zero. That’s usually a corruption.
Apple does not document the internal operations and handling of an Apple ID.
You will not receive forensic help here, as that’s basically impossible without detailed and direct access. Whatever advice can be offered here will already be known to you, too. Which in aggregate means changing your approach. And in the unlikely case that you are the target of the sorts of exploits you claim—you won’t get the help around here, or in any other forum for that matter—sufficiently tailored to your particular situation.