What is the owner userid of the file?
If the create or last modification date of the file is always the same time each day, look at that userid's crontab. It's probably a cron job.
If you think it's someone that's logged on and running something, type "[tt]last[/tt]" and see who might have been logged on at that time.
If the file always has the same name, or at least a predictable name, create a file with that name and change the permissions on it to "000" ([tt]chmod 000 filename[/tt]). Then wait to see if something fails. This is kind of a shot in the dark since you may not see a failure message.
You could look for which file (program or script) had the filename in it. Say the file is called "[tt]mystery.file[/tt]", try something like this...
Code:
find / -type f -exec fgrep mystery.file {} \; 2>/dev/null
# or maybe
find / -type f -print -exec strings {} \; | egrep '^/|mystery.file' > hunt.log
This hasn't been tested, so I'm sure it's not quite correct, but you get the idea.
Can you tell us the name of the file? And the directory it's in? Maybe it's a known file.