Managed devices containing a Trusted Platform Module (TPM) to provide a trusted environment generate a device certificate at initialization of the TPM and send the device certificate to a management console for storing in a certificate database. Upon detecting a file of interest, the TPM signs the file, adding to a signature list created by previous managed devices. The signature list can be used to analyze the spread of the file across the system of managed devices, including tracking the file to the first managed device to have had a copy, without requiring real-time access to the managed devices during the spread of the file. In some embodiments, additional security measures may be taken responsive to determining the first managed device and the path the file has taken across the system of managed devices.