RTC in an offline scenario

in a 100% offline user scenario, if a malicious user makes an image of our ecrypted SD in production mode, and, when our app expires, restores that image on the same physical SD, overwriting it, will the system date (controlled by the RTC) continue to retain its original date-time, or will it be replaced by the backup one (bypassing our expiration checks) ?

Thank you for the clarifications