Assuming that your intentions are legal, meaning that you are officially backed by your bosses, there are certain things you could do.
The most easiest thing to do would be to regularly monitor the bash history file of that person to see what commands he he/she has issued. You need access to his account or root privilege.
You could use a modified shell application that logs all his actions without keeping these from being done. You must modify his user settings to use that shell as a default. He/she could find out about this when accessing /etc/passwd. Or modify the shell to log only when he/she is logged in, and replace the default shell with this modified one (affects all users).
Or if the person accesses logfiles for reading with, for example, less, then use a modified less to log events when certain files are accessed.
Modifying common tools to do some extra logging will also generate evidence.
Replacing the links with links to certain a script that acts/redirects data/contents from the original files is problematic. Easy to find out for the person that something is going on and difficult to mimic (for example plain text files during editing with vi, or something like that).
That's what I would do, if the amount of the person's "criminal activity" justifies the amount of work that has to be implemented to catch him.
Or just have a talk with him/her. Knowing that he/she is being monitored could put a hold on all that activity and solve the situation as well.