How to pursue unauthorized server access?

Last week someone accessed the primary account of my design business on my server via FTP, downloaded files and defaced the website. I suspect it was a former business partner as the IP address traces to my city and it's really the only logical explanation for the actions in question.

I believe this falls outside of the user's AUP with their service provider (violation of privacy), however the user's service provider is asking for specific information from the firewall logs that I don't see in /var/logs/messages. Specifically, they want log entries that are stamped with time zone, the IP of my server, and the local port.

How should I pursue this further? I don't necessarily want to be punitive, but I want to determine if the attacker in question is in fact this former business partner as his actions would be in violation of a separation agreement.

 

I was able to find the IP and verify his connections and file transfers and I sent this in to his ISP. Unfortunately his ISP replied saying that they needed more specific information from the log files (specifically the Time Zone, local IP and Port). My logs only contain:

Jun 30 13:00:09 host pure-ftpd: (?@**.**.**.**) [INFO] New connection from **.**.**.**
Jun 30 14:12:05 host pure-ftpd: (******@**.**.**.**) [NOTICE] /****/****.jpg downloaded (784526 bytes, 186.33KB/sec)

etc etc, no time zone, local port (although 21 is implied by the ftpd connection) or local IP.