I've had success with Sysinternals Process Explorer. With this, you can search to find what process(es) have a file open, and you can use it to close the handle(s) if you want. Of course, it is safer to close the whole process. Exercise caution and judgement.
To find a specific file, use the menu option Find->Find Handle or DLL...
Type in part of the path to the file. The list of processes will appear below.
If you prefer the command line, the Sysinternals suite includes a command-line tool, Handle, which lists open handles.
Examples
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "e:\"
(finds all files opened from drive e:\)
c:\Program Files\SysinternalsSuite>handle.exe |findstr /i "file-or-path-in-question"
Security Event Logging is something different to what you're after. I believe you want straight NetFlow (v5 will do) - exported to some type of analyzer.
I've used, and can recommend, ManageEngine Netflow Analyzer: http://www.manageengine.com/products/netflow/download-free.html
Grab the free edition, and fire this up on a server somewhere. Make sure the server's firewall permits traffic on port 9996 (UDP). Then, use the following config on your ASA to export network flow data:
flow-export destination outside_interface_name <netflow analyzer IP> 9996
flow-export template timeout-rate 1
flow-export delay flow-create 10
access-list netflow-export extended permit ip any any
class-map netflow-export-class
 match access-list netflow-export
policy-map global_policy
 class netflow-export-class
  flow-export event-type all destination <netflow analyzer IP>
Note that in my example, I have assumed you have a global_policy policy-map defined.
Browse to Netflow Analyzer and log in. Netflow Analyzer will break down the ASA output into source/destination connections, including traffic in megabytes per connection, and will even perform port analysis to show you the applications in use.
This makes it particularly easy to see when an employee is torrenting for instance. :-)
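To check what the ASA is sending to UDP port 9996 independently of any analyzer, the sketch below decodes a NetFlow version 9 export packet (RFC 3954 layout), the format ASA flow-export emits. It is an added example, not part of the original answers: `parse_v9`, `sample_packet` and the sample addresses are constructed for illustration, and only standard RFC 3954 field types are given names.

```python
import socket, struct

# Field-type numbers from RFC 3954; other types are reported as field_<n>.
NAMES = {1: "in_bytes", 4: "protocol", 7: "src_port",
         8: "src_addr", 11: "dst_port", 12: "dst_addr"}

def parse_v9(packet, templates):
    """Decode one v9 packet; templates {(source_id, id): [(type, len)]} is updated in place."""
    if len(packet) < 20:
        raise ValueError("short packet")
    version, _n, _up, _secs, _seq, source_id = struct.unpack_from("!HHIIII", packet)
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, offset = [], 20
    while offset + 4 <= len(packet):
        flowset_id, length = struct.unpack_from("!HH", packet, offset)
        if length < 4 or offset + length > len(packet):
            raise ValueError("bad flowset length")
        body, pos = packet[offset + 4:offset + length], 0
        if flowset_id == 0:  # template flowset: learn record layouts
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                pos += 4
                if tid < 256 or pos + 4 * nfields > len(body):
                    break  # padding or truncated template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
                pos += 4 * nfields
        elif (source_id, flowset_id) in templates:  # data flowset with known layout
            fields = templates[(source_id, flowset_id)]
            size = sum(flen for _, flen in fields)
            while size and pos + size <= len(body):  # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    rec[NAMES.get(ftype, f"field_{ftype}")] = (socket.inet_ntoa(raw)
                        if ftype in (8, 12) and flen == 4 else int.from_bytes(raw, "big"))
                records.append(rec)
        offset += length  # data for a template not yet seen is skipped
    return records

def sample_packet():
    """Constructed test packet: one template (id 256) and one flow record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = (socket.inet_aton("192.0.2.10") + socket.inet_aton("198.51.100.7")
            + struct.pack("!HHBI", 51515, 443, 6, 1048576) + b"\x00" * 3)  # 3 pad bytes
    return (struct.pack("!HHIIII", 9, 2, 1000, 1700000000, 1, 0) + struct.pack("!HH", 0, 4 + len(tmpl))
            + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data)
```

For live traffic, pass each datagram received on a UDP socket bound to port 9996 to `parse_v9`, reusing the same `templates` dict across packets so data flowsets can be decoded once their template has arrived.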
Best Answer
ntop can act as a NetFlow collector and is available for Win32. You will have to recompile it by yourself though, or find pre-made builds (shouldn't be too hard, it's GPLv3 open source) since the provided build is limited to capturing 1000 packets per session.