User delting files, whats the best way to catch and prove who it is?

[vyaw2003]

I have a suspect who i think is deleting files from a Windows XP
machine (not theirs).
I have checked event viewer and cannot see anything under System and
Security.
They have not logged onto the machine (they dont have a profile). They
could have used the local administrators account, but event viewer
doesnt suggest this.
How can i install some tiny software that monitors these events of
files that are being deleted?
What would this software be called?
I can change the local password but i want to catch this person first.

 

[Guest]

You can turn on auditing for any or all files, so that an event will be
logged when a specific user or group modifies them. I've never used the
feature, but to get to the GUI, select properties on a folder or file,
security/advanced/auditing.

The auditing access controls can be inherited, so you can easy apply it to
all subfolders and files.

 

[Shenan Stanley]

I have a suspect who i think is deleting files from a Windows XP
machine (not theirs).
I have checked event viewer and cannot see anything under System and
Security.
They have not logged onto the machine (they dont have a profile).
They could have used the local administrators account, but event
viewer doesnt suggest this.
How can i install some tiny software that monitors these events of
files that are being deleted?
What would this software be called?
I can change the local password but i want to catch this person
first.

Do they have administrative rights on the machine?
If so, anything you can check for, they can undo.

If you don't believe they are 'swift enough' to know how to remove their
tracks - then take away their admin rights - most users should not be
running with them anyway. Then ensure that they do not have rights to other
users folders and have everyone change their passwords.