So basically at the beginning of the year a database of intellectual property (IP) disappeared at the close of a falling out between some upper-level employees and the executive staff at my company. Why there was no backup, or why no one suspected anything foul is beyond me.
I did a little digging of my own in the database software logs and $UsnJrnl (using JournalViewer) and discovered that the database management software has three distinct launch timestamps within the course of an hour. In that hour, the $UsnJrnl shows basically every file in the database volume undergoing the following within the span of those timestamps:
Security_Change
Security_Change; Close
File_Delete; Close
Is this reasonable evidence to suspect, considering the tensions, that an employee may have maliciously tampered with the database and deleted everything? The database software may only be accessed from a single desktop PC, by a generic company login. The database is housed on an onboard HDD on the same PC.
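
One way to measure how widespread the pattern described in the question is (an added example, not part of the original post): group exported journal records per file and flag those where a Security_Change is followed by a File_Delete inside the window spanned by the application launch times. The row layout, file names, timestamps and the five-minute slack are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not data from the post): time, file reference, name, reasons.
# The column layout of a journal viewer export is assumed here.
ROWS = [
    ("2024-01-05 17:02:10", 101, "ip_0001.dat", "Security_Change"),
    ("2024-01-05 17:02:10", 101, "ip_0001.dat", "Security_Change; Close"),
    ("2024-01-05 17:02:11", 101, "ip_0001.dat", "File_Delete; Close"),
    ("2024-01-05 17:21:40", 102, "ip_0002.dat", "Security_Change; Close"),
    ("2024-01-05 17:21:41", 102, "ip_0002.dat", "File_Delete; Close"),
    ("2024-01-05 17:46:03", 103, "ip_0003.dat", "Security_Change"),
    ("2024-01-05 17:46:04", 103, "ip_0003.dat", "File_Delete; Close"),
    ("2024-01-05 17:30:00", 104, "cache.tmp", "File_Delete; Close"),       # delete, no ACL change
    ("2024-01-06 09:00:00", 105, "report.doc", "Security_Change; Close"),  # outside the window
    ("2024-01-06 09:00:05", 105, "report.doc", "File_Delete; Close"),
]
LAUNCHES = ["2024-01-05 17:00:00", "2024-01-05 17:20:00", "2024-01-05 17:45:00"]
FMT = "%Y-%m-%d %H:%M:%S"


def find_acl_then_delete(rows, launches, slack=timedelta(minutes=5)):
    """Map file reference -> (name, first ACL change, delete time) for files whose
    Security_Change is followed by File_Delete inside the launch window."""
    times = [datetime.strptime(t, FMT) for t in launches]
    start, end = min(times) - slack, max(times) + slack
    acl_seen, hits = {}, {}
    parsed = sorted(((datetime.strptime(r[0], FMT),) + r[1:] for r in rows), key=lambda r: r[0])
    for when, ref, name, reasons in parsed:
        if not start <= when <= end:
            continue
        flags = {f.strip().lower() for f in reasons.split(";")}
        if "security_change" in flags:
            acl_seen.setdefault(ref, when)  # keep the earliest ACL change per file
        if "file_delete" in flags and ref in acl_seen:
            hits[ref] = (name, acl_seen[ref], when)
    return hits


def affected_share(rows, hits):
    """Fraction of distinct files in the export that match the pattern."""
    return len(hits) / len({r[1] for r in rows})


if __name__ == "__main__":
    hits = find_acl_then_delete(ROWS, LAUNCHES)
    for ref, (name, acl, deleted) in sorted(hits.items()):
        print(ref, name, acl, deleted)
    print(f"{affected_share(ROWS, hits):.0%} of files match")
```

USN records carry no user identity, so the output shows what happened to each file and when, not which account did it.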