Find out who did what (delete records) via an IP address or a network address? (no audit)
Before the damage/disaster/deletion you need to turn on audit logs for all, especially for those who use very important data.
If the records (data) are missing, there is a low (very low) chance to track and see who did it and when.
You can check Event Viewer on the server; maybe some tracks are left, but it's a low chance.
The question is why didn't you put audit logs on extremely important files and records, and why didn't you put some permissions on those data/records/folder.
If you do some backups you can see and restore the data … but if you do back up those records.
Some solutions:
1) If you have an office with some 25 PCs … you may check Event Viewer on all of those PCs (you may find some sort of tracks) … or on the PCs that have access to those folders/records/data.
2) Check Event Viewer on the server (you may find some sort of tracks)
3) You can use some 3rd-party recovery programs … problematic, but you can check.
1) Always audit important data, the users that use it and anyone that opens/deletes etc. (do it even on the users' PCs) 🙂
2) Always back up important data!!!
3) Give permissions correctly to users that use important files.
4) Do a real secure form of org., with a firewall that stops attacks / GPO configured to secure/lock some files, etc.
5) Configure GPO correctly.
6) Configure database security correctly.
Sit for a couple of days and do it … if that was the first one (attack), there would be a second … keep a low profile and you will track the thief.
Good luck .
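
An added example, not part of the original post: one way to turn on the file auditing recommended above on a Windows server and later list who deleted what. The folder path `D:\ImportantData` is a placeholder assumption, and the script must be run from an elevated PowerShell session on a system with English audit subcategory names.

```powershell
# Placeholder (assumption): the folder that holds the important data.
$Path = 'D:\ImportantData'

# 1. Enable the "File System" audit subcategory so object-access events are written.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) on the folder: log deletes and writes by anyone,
#    inherited by all subfolders and files.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. After an incident: read Security event 4663 (object access) and keep only
#    events under $Path whose access mask includes DELETE (0x10000).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $mask = [Convert]::ToInt32($d.AccessMask, 16)
    if ($d.ObjectName -like "$Path*" -and ($mask -band 0x10000)) {
      [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        LogonId = $d.SubjectLogonId
        Process = $d.ProcessName
        Object  = $d.ObjectName
      }
    }
  }
```

Event 4663 records the account and process, not the client address; the `LogonId` value can be matched against the `TargetLogonId` of logon event 4624, which carries the source network address.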