I am using Exchange 2010 on Windows Server 2008. I have been asked to prove that an item (two contacts to be exact) was deleted and if possible who deleted it. My guess is that they deleted it on the user's workstation that they belonged to. So the who is probably impossible. But I am trying to narrow down the time frame. I am guessing there is some kind of log that should store this. And I am guessing it is the transaction log. But I am not sure if there is a good way to "read" them and better yet, filter them. I have checked the security logs in Windows, but they are overwritten. Or if I am looking in the wrong place, I would really appreciate some help. Thanks.