Maintaining and reviewing logs is the correct answer because logs track user activity, changes made to files, and system events. This information can be used to pinpoint when the unauthorized changes were made and by which user account, facilitating a proper investigation of the incident. It is an essential part of IT security to ensure accountability. Regular audits would involve reviewing such logs but they are not as direct in addressing the specific incident. Password changes, while important for security, would not directly reveal who made the file changes. Firewalls and backup restorations do not provide information about specific user activities.