Server purged using Client workstation

4 Posts
4 Users
0 Reactions
498 Views
wilx
(@wilx)
Active Member
Joined: 17 years ago
Posts: 16
Topic starter  

I have noticed this issue more than once and wanted to know what is the best way to approach the investigation. In this case, a user is suspected to have used his workstation to delete a large number of files from the server. The issue is that only the client machine is accessible, as the first responder was of the view that the content was removed from that workstation, hence it was imaged.

Are there any files or logs that can at least indicate that the user accessed and made changes to the server on a given date and time?


pbobby
(@pbobby)
Estimable Member
Joined: 16 years ago
Posts: 239

A shellbag may tell you if he browsed to a folder.


MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376

Are there any files or logs that can at least indicate that the user accessed and made changes to the server on a given date and time?

I am guessing you are running Windows, and if so:

Windows file system logging is turned off by default, and for a good reason: the logging is horrible. It is sometimes useful, but most of the time you sit and guess what has been going on. There are lots and lots of events, even if the user just looks in a folder. This is something MS seriously needs to improve upon.

You are better off using other sources.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568

I've seen this before, albeit I haven't seen it since 1999. I had a client that asked me about the situation where a user would copy files from a network share to their local workstation, and then delete the files off of the server. No one knew why…it was just something that the user did.

Here's what I'd suggest…it appears as if you're trying to demonstrate that the user did these things, and as has been stated, the file system logging on Windows isn't all that good. The best you're going to be able to do is correlate the Security Event Log records on the server that illustrate the user "log in", with the time stamps you can find in the MFT and the USN Change Journal showing when the files were deleted. And that's *IF* you can get to the system to collect the information in a timely manner.

However, that will only give you circumstantial information, and not be definitive.


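The correlation keydet89 describes, server logon records against USN change-journal deletions, can be scripted. The following is an added example, not code from this thread; the Security log event tuples, USN entries, user names and logon IDs are constructed sample data, and the only real constant is the documented Windows USN_REASON_FILE_DELETE flag. The output shows why the result is only circumstantial: a deletion that falls inside two overlapping logon sessions is attributed to both.

```python
from datetime import datetime, timedelta

# USN change-journal reason bit set when a file is deleted (Windows USN_RECORD).
USN_REASON_FILE_DELETE = 0x00000200

def build_sessions(events):
    """Pair Security log 4624 (logon) / 4634 (logoff) records by logon ID.
    events: (event_id, timestamp, user, logon_id); returns (user, logon, logoff)
    with logoff None for sessions still open at the end of the log."""
    open_by_id, sessions = {}, []
    for event_id, ts, user, logon_id in sorted(events, key=lambda e: e[1]):
        if event_id == 4624:
            open_by_id[logon_id] = [user, ts, None]
        elif event_id == 4634 and logon_id in open_by_id:
            s = open_by_id.pop(logon_id)
            s[2] = ts
            sessions.append(tuple(s))
    sessions.extend(tuple(s) for s in open_by_id.values())
    return sessions

def correlate_deletions(sessions, usn_records, skew=timedelta(minutes=2)):
    """usn_records: (timestamp, filename, reason_flags). Returns one
    (user, filename, timestamp) per deletion per logon session it falls in,
    allowing a small clock-skew tolerance between the two sources."""
    hits = []
    for ts, name, reason in usn_records:
        if not reason & USN_REASON_FILE_DELETE:
            continue
        for user, logon, logoff in sessions:
            if ts < logon - skew or (logoff and ts > logoff + skew):
                continue
            hits.append((user, name, ts))
    return hits

T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed Security log records: (id, time, user, logon_id)
    (4624, T("2011-03-14T09:02:11"), "CORP\\jdoe", 0x3E7A1),
    (4624, T("2011-03-14T09:30:00"), "CORP\\backup", 0x3F001),
    (4634, T("2011-03-14T10:15:40"), "CORP\\jdoe", 0x3E7A1),
]
SAMPLE_USN = [  # constructed USN journal entries: (time, name, reason flags)
    (T("2011-03-14T09:41:05"), "Q1_report.xlsx", 0x80000200),  # CLOSE|DELETE
    (T("2011-03-14T09:41:06"), "notes.txt", 0x80000002),       # CLOSE|DATA_EXTEND
    (T("2011-03-14T11:00:00"), "old.bak", 0x80000200),
]

def demo():
    return correlate_deletions(build_sessions(SAMPLE_EVENTS), SAMPLE_USN)
```

In practice the event tuples would be parsed from the server's Security.evtx and the USN entries from its $UsnJrnl, which is exactly the access problem the topic starter faces.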