An (now ex) employee is denying sending company information to their home e-mail address before leaving. Unfortunately for him, all e-mails in and out are copied to the Administrator account (Exchange 2003 on SBS2003) so we know it was sent despite him clearing out his 'sent items'. However, the claim now is that 'someone else must have sent it from a different PC'.
We can tie him down to being at a certain PC at a certain time when the e-mails were sent. Is there any way of the system giving us the IP address or computer name of PC that these e-mails were sent from?