I have a new client that just terminated an employee. Right after that event, they checked the employee's Pc and found company documents missing from his stand alone peer to peer Pc. They never took any backups.
I installed Recuva and ran a full system scan for deleted files. The only files found were from a few months ago and there were only a few files per day deleted at that time. Nothing that would point to a mass deletion which is what I was looking for.
I suspect he moved all documents to a USB flash drive and took it with him.
Is there any way to track this down in Windows Logs?