-->

How to Find File Creation Time in Linux

Author Piyush Gupta

 File creation time is stored in inode in EXT4 file system. An earlier version of EXT files systems doesn’t support file creation time.

 There is a crtime (create time) timestamp in the debugfs stat output. finally EXT4 supports create time just like btime in NTFS windows.

 Follow below instructions to how to find file creation time. Select an existing file or create a new file for testing. For this example, I am using an existing file.

Step 1 – Find Inode Number of File

First of all, find the inode number of any file using the following command on terminal.
$ ls -i /var/log/secure

13377 /var/log/syslog

Step 2 – Find File Creation Time (crtime)

After getting the inode number of file, Use debugfs command with inode number stats following by disk path.
$ debugfs -R 'stat <inode_number>' /dev/sda1
Implementation:
$ debugfs -R 'stat <13377>' /dev/sda1

debugfs 1.41.12 (17-May-2010)
Inode: 13377   Type: regular    Mode:  0600   Flags: 0x80000
Generation: 2326794244    Version: 0x00000000:00000001
User:     0   Group:     0   Size: 223317
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 440
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011
Size of extra inode fields: 28
Extended attributes stored in inode body:
  selinux = "system_u:object_r:var_log_t:s000" (31)
EXTENTS:
(0-24): 35008-35032, (25-54): 164224-164253
Find the entry of crtime in above output. This is the actual file creation time.
References: Read more about ext4 file system
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)