Tracking Down Internal Misuse?

Intrusion Detection System notifies that a file has been accessed on a company's server. After the server logs have been discovered, the file was accessed by a computer on the internal network with some e-mails with attachments sent around the same time to an address in Canada. The e-mail messages had the subject line "Vacation Photos." It's suspected that confidential company files were being sent instead of photos. How can this incident be verified?