Hack_80, can you provide any additional information about the platforms involved and the access method used? Did the user have access to that file via: remote desktop, shared drives, remote shell, Citrix, etc., etc., etc.? Were these Windows/UNIX/etc. boxes? Your answers to those questions are going to dictate where you'd go to get the relevant data.
CISSP, CISM, CISA, GCIH, GREM, CEH, HMFIC, KTHXBIROFLCOPTER