
To investigate the unauthorized access and deletion of files at a local corporation, the first step is
to secure the scene and preserve any digital evidence. The investigator would begin by
interviewing the corporation's information technology staff to determine the nature of the breach
and possible entry points. After that, the investigator would gather the server, workstation, and
network device logs that could allow them to identify the source of the unauthorized access. Of
particular interest would be former employees who had access privileges; readily available
information would then be used to focus on those who had recently been terminated or had resigned.

Traces of this crime would appear in system logs, security software data,
and the devices of the perpetrator, presumably a former employee. The investigator would examine
these log files for any sign of suspicious activity, for example, attempts to log in from unfamiliar
IP addresses or unauthorized access to specific files. Moreover, searching for related
information or correspondence on the suspect's devices may yield more proof.
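
The log review described above can be sketched as a small triage script. This is an added example, not part of the original text; the log format, account names, termination date, and IP addresses are constructed assumptions, and the output is a list of leads to follow up, not conclusions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample data: log format, accounts, dates and addresses are all assumptions.
SAMPLE_LOG = """\
2024-03-01T09:02:11 LOGIN user=asmith src=10.20.4.17 result=success
2024-03-02T23:14:07 LOGIN user=jdoe src=203.0.113.45 result=failure
2024-03-02T23:14:31 LOGIN user=jdoe src=203.0.113.45 result=success
2024-03-02T23:16:02 DELETE user=jdoe path=/srv/finance/q1.xlsx
2024-03-03T08:55:40 LOGIN user=asmith src=198.51.100.9 result=success
2024-03-03T09:10:00 DELETE user=asmith path=/home/asmith/tmp.txt
"""
OFFBOARDED = {"jdoe": datetime(2024, 2, 28)}          # account -> termination date
KNOWN_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # corporate address space

LINE = re.compile(r"^(\S+) (LOGIN|DELETE) user=(\S+) (?:src=(\S+) result=(\S+)|path=(\S+))$")

def triage(log_text, offboarded, known_nets):
    """Return (timestamp, user, reason) leads in log order."""
    leads, suspect = [], set()
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skipped here; in a real review, set unparsed lines aside for manual reading
        ts, action, user, src, result, path = m.groups()
        when = datetime.fromisoformat(ts)
        if action == "LOGIN":
            reasons = []
            if user in offboarded and when > offboarded[user]:
                reasons.append("login after termination")
            if not any(ipaddress.ip_address(src) in n for n in known_nets):
                reasons.append("unfamiliar source " + src)
            if reasons:
                if result == "success":
                    suspect.add(user)  # later deletions by this account become leads
                leads.append((ts, user, f"{'; '.join(reasons)} ({result})"))
        elif user in suspect:
            leads.append((ts, user, "deletion after flagged login: " + path))
    return leads

if __name__ == "__main__":
    for lead in triage(SAMPLE_LOG, OFFBOARDED, KNOWN_NETS):
        print(*lead, sep="  ")
```

Run it against working copies of the collected logs so the preserved originals stay untouched.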

Some of the problems that may be faced involve logs that have been encrypted or deleted, which the
investigator would otherwise use to track the unauthorized access. Another problem could be the
anonymity of the perpetrator; for example, they can use an anonymous network or VPN. Finally, the
investigator may experience challenges because the corporation's IT system may not record activity
well or, at times, the incident may not be reported early enough, thus leading to the loss of vital
evidence.
