Fundamental Computer Investigation Guide for Windows

Microsoft published a step-by-step guide on how to investigate a suspected computer crime on your network.  I’ve only had time to have a quick glance but it looks pretty good.

Be careful if you are involved in this sort of thing. This stuff is a legal minefield. You cannot go trouncing around sticking your nose in people’s business or retaliating to suspected attacks. The link I followed to this document stated this guide was intended for US customers. The law in the US does appear to be on the side of the company, i.e. the owner of the infrastructure. Things can be very different in other jurisdictions, e.g. in Ireland there is still a grey and untested (in court) area between the right to privacy for employees and the requirement of the company to apply the law and protect shareholders. In places like Germany, it’s very clear that you must have solid evidence of a problem before you start an investigation.

To quote an old TV show, let’s be careful out there.
