writes "A friend suspects some of his employees (that access the network using remote desktop connections over a VPN) may be up to no good, due to certain suspicious activities. The business has an Active Directory domain setup on a Windows Server box, as well as several desktops. What are some things I can look for that might indicate whether or not further investigation (ie. professional forensic analysis) is warranted? What tools are recommended for accomplishing those tasks without compromising the courtroom validity of the data? Would it be better/safer, in terms of preserving the data, to install stealth monitoring software to track the users' movements and simply analyze that, instead?"