edit: Different backup reference.
So why do we need this data?
The data from the physical disk? Because a hacker requires a payload to be delivered to a local drive, and needs elevated privilege to run that payload.. on completion of the attack, the hacker will purge the logs of that capture the elevation of privileged, and delete the payload. A backup of the server would capture the nature of the disk after the that cleanup was done, while the hacker can't actually clean the magnetic residue on the disks where any purged logs were written, or the payload that was written to the server.
With the physical server you can reconstruct a lot of deleted data, and can see, with the right equipment up to 6 previous block states for any given block. These tools will read all the block states for every block and the move up and down the stack of previous writes searching for file header traces like piecing together up to six jigsaw puzzles, each with billions of pieces all dumped in the same box and the only clues you have is that certain puzzles were dumped in the box later, and so those pieces would likely be closer to the top.
It's a daunting task, but these devices create essentially a 3D image of the disk and the various block states, and then upload them into blinding fast computers that reconstruct previous disk states. From that you can usually find enough of a file (usually not the whole files) to grab a bit pattern than is a telltale sign of the payload used, as well and usually entire log entries as they tend to be much smaller, and require fewer blocks.
There is no way for a hacker to combat this really, if their goal is to steal information without detection. Any real clean up of the crime scene becomes too time consuming.
Now, there are plenty of cases of smash and grab where the hacker will take what they want and then kick off a bleach bit style wipe with the understanding that the system in question will be unattended for long enough to thoroughly kill the disk, at which point you are left with a black box reconstruction and can only track the case from network logging... but then there are ways around that as well, and the big players take care of that, usually, as well. You determine big players more from the
lack of evidence and profiling from the choice of target. But before you get to that step you need the physical server in order to know the next step in the investigative process... if you make an assumption on what you expected to find on a non-available server then you're likely starting in the wrong direction.
tl;dr Disk write forensics.