Source code doesn't matter as much, they could give us whatever they wanted and say that's the code, only thing that matters is a forensic audit of compiled code involved (which it sounds like we have some).
Having the supposed source code would tremendously help the analysis and could be used to prove if it's actually the same as the compiled, but taking any source code we aquire by itself at face value would be foolish.
Saying this we still should push for full discovery of the code, configurations, docs, and everything else involved, it may not be code so much as configuration files that allows fraudulent fun to take place. Every machine should be analyzed.
Source code doesn't matter as much, they could give us whatever they wanted and say that's the code, only thing that matters is a forensic audit of compiled code involved (which it sounds like we have some).
Having the supposed source code would tremendously help the analysis and could be used to prove if it's actually the same as the compiled, but taking any source code we aquire by itself at face value would be foolish.
Saying this we still should push for full discovery of the code, configurations, docs, and everything else involved, it may not be code so much as configuration files that allows fraudulent fun to take place. Every machine should be analyzed.