I know that you can use lsof (in Linux at least) to check which process has got a particular file opened currently, but is there any way to find out which process created a particular file originally? Or even which process wrote/modified a particular file most recently?
Auditd would help with this. See http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/ for an introduction.
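As an added example (not part of the original answer): an auditd file watch, plus a small parser that attributes each create or write event on a file to a process. The path `/srv/app/config.ini`, the key name `filewatch`, the function names and the log records are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths, the key "filewatch" and the log records are constructed.

# Watch a file for writes (w) and attribute changes (a). Needs root and a
# running auditd; only events after the rule is loaded are recorded.
# Query later with: ausearch -k filewatch -i
watch_file() {
    auditctl -w "$1" -p wa -k filewatch
}

# Constructed, abbreviated records in the raw audit.log layout.
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): syscall=257 success=yes ppid=900 pid=1234 auid=1000 uid=1000 comm="touch" exe="/usr/bin/touch" key="filewatch"
type=PATH msg=audit(1700000000.101:501): item=0 name="/srv/app/" inode=11 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="/srv/app/config.ini" inode=42 nametype=CREATE
type=SYSCALL msg=audit(1700000050.202:502): syscall=257 success=yes ppid=900 pid=1300 auid=1000 uid=1000 comm="tee" exe="/usr/bin/tee" key="filewatch"
type=PATH msg=audit(1700000050.202:502): item=0 name="/srv/app/other.txt" inode=43 nametype=NORMAL
type=SYSCALL msg=audit(1700000090.303:503): syscall=257 success=yes ppid=1 pid=2345 auid=0 uid=0 comm="sed" exe="/usr/bin/sed" key="filewatch"
type=PATH msg=audit(1700000090.303:503): item=0 name="/srv/app/config.ini" inode=42 nametype=NORMAL
EOF
}

# For each event whose PATH record names file $1, print:
#   timestamp nametype pid auid exe
# nametype=CREATE marks creation, NORMAL an already existing file. Assumes the
# SYSCALL record precedes its PATH records and that PATH names are absolute
# (relative names would have to be resolved against the event's CWD record).
file_events() {
    awk -v target="$1" '
    function val(key,   s) {
        if (!match($0, "(^| )" key "=[^ ]*")) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^ ?[^=]*=/, "", s); gsub(/"/, "", s)
        return s
    }
    # Records of one event share the msg=audit(timestamp:serial) id.
    { id = $2; sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id) }
    $1 == "type=SYSCALL" { who[id] = val("pid") " " val("auid") " " val("exe") }
    $1 == "type=PATH" && val("name") == target && (id in who) {
        split(id, t, ":"); print t[1], val("nametype"), who[id]
    }'
}
```

On a live system, feed it the real log as root: `file_events /srv/app/config.ini < /var/log/audit/audit.log`.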