Security Basics mailing list archives

Donning an investigative hat


From: "WALI" <hkhasgiwale () gmail com>
Date: Fri, 17 Aug 2007 18:17:11 +0400

Hi All

Want to investigate an issue that seems to delve a bit into IT Forensics and seek your help.

Here's the scenario.

A Windows 2000 networked PC belonging to the abc domain is in the possession of a secretary and has a confidential Excel file (password protected) lying on her local HDD.

This file is suddenly found on the desktop of a PC meant for general internet access, usually logged in as Administrator, and is lying on the desktop of the local admin profile. This PC is also connected to the same abc domain. The file is now in PDF format.

When I checked doc properties of this file, it's created using the domain username profile of the same secretary.

I checked the secretary's local hard disk and this PDF doc exists on the local HDD, but the secretary maintains that she cannot recollect converting Excel to doc.

Findings:

Secretary has lots of shares enabled and has admin access to her Win2k PC.
It's not patched and showed lots of vulnerabilities when I did a Nessus scan.

Challenge.

How to find the IP from where the file reached the general access PC, if it was shifted through a network drive? If the secretary did not convert this Excel file to doc, then someone first cracked the Excel password and then converted it to PDF. Why would someone convert to PDF if the information has already been obtained via the cracked Excel file? Seems like the secretary herself forgot.

How can I go forward in this investigation?
