Trace Windows 2000 Terminal Services token across Internet to catch intruder
Posted on 2005-05-09
Hi, I had someone get into our Windows 2000 server and delete some files. This person did it via Terminal Services. He (she) had a printer on their local computer that did not get automatically configured, so it logged an error in the event log. This gave me the person's computer name and the date and time of the intrusion. It also gave their computer a token from Terminal Services Licensing, with the exact date and time of issuance.
Here is some background: The office administrator brought in an outside company to do a system audit and propose new hardware and software. The office administrator gave the system administrator password to at least two of this outside company's employees. The person who hacked into our system knew which folders to delete in our various applications, so they had a working knowledge of our system, but they did not wipe out everything. I think they were mad because we did not go with their solution. I was able to restore the missing files and change the administrator password. Yes, it would have been better if I had changed the administrator password right away, but I did not know about it.
The company would like to trace this to the person and prosecute. Any ideas? Does anyone know a good forensics person?
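The post describes the one useful artifact the poster found: a Terminal Services printer-redirection error that names the client computer, plus a licensing record issued at the same moment. The script below is an added example, not the poster's own work or anything that shipped with Windows 2000. It takes a text export of the event log and builds a per-client timeline around such a printer error so the evidence can be handed to a forensics person or to counsel in one piece. The export layout (tab-separated date, time, source, event ID, message), the event IDs, the message wording and the computer names are all constructed for illustration; the "printer/client/Session n" naming of redirected printers is an assumption about the message format and should be checked against the actual record before the regex is trusted. Python is used so the example runs offline on any workstation the exported file is copied to.

```python
"""Build a per-client timeline from an exported Windows event log.

Added example for the post above, not from the original poster. The record
format, event IDs and message text below are constructed stand-ins for a text
export from Event Viewer, not documented Windows 2000 values.
"""
from datetime import datetime, timedelta
import re

# Constructed sample export (NOT a real log). Fields: date, time, source, id, message.
# Event IDs are illustrative placeholders.
SAMPLE_EXPORT = """\
5/7/2005\t23:41:02\tSecurity\t528\tSuccessful Logon: User Name: Administrator Domain: OFFICE Logon Type: 2 Workstation Name: SERVER01
5/7/2005\t23:41:05\tTermServLicensing\t1000\tA license was issued to client ACME-LAPTOP2.
5/7/2005\t23:41:07\tTermServDevices\t1111\tDriver HP LaserJet 4 required for printer HPLJ4/ACME-LAPTOP2/Session 3 is unknown.
5/7/2005\t23:52:40\tSecurity\t538\tUser Logoff: User Name: Administrator Domain: OFFICE Logon Type: 2
5/8/2005\t08:15:11\tPrint\t10\tDocument 7 owned by jsmith was printed on Accounting LaserJet.
"""

# Assumption: a redirected printer is named "<printer>/<client>/Session <n>", so the
# client computer name can be lifted out of the printer error's message text.
REDIRECTED_PRINTER = re.compile(
    r"printer\s+[^/\s]+/(?P<client>[^/\s]+)/Session\s+\d+", re.IGNORECASE
)


def parse_export(text):
    """Parse tab-separated export lines into dicts carrying a real datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, source, event_id, message = line.split("\t", 4)
        records.append({
            "time": datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S"),
            "source": source,
            "event_id": int(event_id),
            "message": message,
        })
    return sorted(records, key=lambda r: r["time"])


def find_printer_errors(records):
    """Return (record, client_name) for each redirected-printer error that names a client."""
    hits = []
    for rec in records:
        if rec["source"] != "TermServDevices":
            continue
        m = REDIRECTED_PRINTER.search(rec["message"])
        if m:
            hits.append((rec, m.group("client")))
    return hits


def incident_timeline(records, anchor, client, window=timedelta(minutes=30)):
    """Collect every record within +/- window of the anchor event.

    Records that mention the client name are flagged so the report shows which
    evidence ties directly to that machine and which is merely contemporaneous.
    """
    lo, hi = anchor["time"] - window, anchor["time"] + window
    out = []
    for rec in records:
        if lo <= rec["time"] <= hi:
            out.append({**rec, "names_client": client.lower() in rec["message"].lower()})
    return out


def format_timeline(timeline):
    """Render the timeline as text; '*' marks records that name the client machine."""
    lines = []
    for rec in timeline:
        flag = "*" if rec["names_client"] else " "
        lines.append(
            f"{flag} {rec['time']:%Y-%m-%d %H:%M:%S}  {rec['source']:<18} "
            f"{rec['event_id']:>5}  {rec['message']}"
        )
    return "\n".join(lines)


def build_report(text=SAMPLE_EXPORT):
    """One (client, timeline) pair per printer error found in the export."""
    records = parse_export(text)
    return [
        (client, incident_timeline(records, anchor, client))
        for anchor, client in find_printer_errors(records)
    ]


if __name__ == "__main__":
    for client, tl in build_report():
        print(f"Client computer named in printer error: {client}")
        print(format_timeline(tl))
```

In the constructed sample the logon and logoff records carry only the server's own workstation name, so on their own they would not have identified the intruder's machine; that is exactly why the printer error and the licensing record matter, and the flag column makes that distinction visible in the report. Before relying on any of it, copy the original .evt files off the server unmodified and work from the copies, since an exported text view is not the evidence itself.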