Actually, I have found some good access logs: On the Synology NAS systems they can be found by first pressing main menu, than select the icon "Log-center", then select on the left side "log-books" from there use the dropdown and select the second item: "Connection" and then search for "guest" (all small caps). In that list I noted that 1 second before the encryption started a connection was made using smb2:  Date/time: User [guest] from [description(IP adres)] via [CIFS(SMB2)] accessed shar