I configured auditing for MS Office files (Word, Excel) in a certain folder and the Event Log indicated that deletions were taking place. In fact, it appears that when you modify a Office document, a copy is made (with the changes) and the original is deleted. This appears as a deletion in the Event Viewer Security Log. Without looking into the folder to see what files are still there (this could be challenging if there were hundreds to keep track of), is there a way to distinguish a "true" deletion from the deletion of the "old" copy of a Office document that was discarded following a simple modification?