That's a good question. I do know one thing though: I deploy multiple times per day and typically none of my gems have changed.

I guess it would depend on the folks doing the investigation. If an exact timestamp could be determined for when things could have been compromised, you just roll back to a short while before that time.