Not possible unless you have a trace on literally every command made by every session in the system and even then I'd bet a truly determined person could sidestep that. You may be able to view command history of the various users and catch something. This also depends highly on the integrity of the user accounts. Someone could've logged in not as their self, they could have used an unattended terminal, they could've changed to root. Better instead to look for ways to not have critical files deleted in the future. If there is collaborative work; such as development, then best to use a revision control system to maintain historical changes to the file by various users.
|