
How to Determine When the File Was Created on Linux

Files play a key role in your operating system: they are what it needs to run smoothly and function properly. Knowing the creation date of a system file is sometimes important for security reasons, because it tells you when the file was actually created. For example, if someone made changes to a system file, you can tell that changes were made. You can find the creation time of any file with a utility named “debugfs”, but to use it you first need the inode number of the file, a unique number assigned to every file when it is first created. To try this out, first create a test file by typing:

$ touch testfile.txt

After that, find the file inode by typing:

$ stat testfile.txt

Or you can also type:

$ ls -i testfile.txt

After getting the inode number you need to type the following command to get the information regarding the disk:

$ sudo fdisk -l

In the output of the command above, /dev is the directory in the root filesystem that holds the device files, and sda5 is the partition on the hard disk that holds the Linux root filesystem. You can get the information about a file on that partition by typing:

$ sudo debugfs -R 'stat <719790>' /dev/sda5

In the output, “crtime” is the creation time of the file, and alongside it you can also see “ctime”, “atime” and “mtime”.

In that output, mtime shows you the time when the file was last altered or modified. For example, you might have added something to the file, removed something from the file, or changed the file’s contents.

The next one, atime, represents the last time the file was accessed or read; for example, you may have opened the file or used the cat command to read its contents. The file itself has not been altered or changed in any way.

The ctime does not refer to modifications made to a file’s contents. Rather, it refers to the moment when the file’s metadata was last updated, for example by a change in the file permissions.

Now let’s find the creation time of a system file, for example “systemd”. For that, you first need to find its inode number by typing:

$ stat /etc/systemd

As you can see, the inode number for the “systemd” entry is 131200, so to find its creation time you need to type:

$ sudo debugfs -R 'stat <131200>' /dev/sda5
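The steps above (find the inode, find the partition, run debugfs, read off crtime) can be wrapped in a small shell script. The script below is an added example, not part of the original article: it resolves a path to its inode and backing device, pulls one of the four timestamps out of the debugfs output, converts the hex part of that line to epoch seconds, and checks that mtime is not earlier than crtime, since crtime is set once at creation and is not changed when a file's modification time is reset. It assumes an ext2/3/4 filesystem, GNU coreutils (for stat -c and df --output), and sudo rights for debugfs; the SAMPLE_* blocks are constructed debugfs output, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the original article): helpers around
# `debugfs -R 'stat <inode>' /dev/...`. Assumes ext2/3/4, GNU coreutils,
# and sudo rights for the live query.

# Inode number of a path (the same value `ls -i` and `stat` print).
inode_of() { stat -c '%i' "$1"; }

# Block device backing the filesystem that holds the path, e.g. /dev/sda5.
device_of() { df --output=source "$1" | tail -n 1; }

# Birth time straight from stat(1) on newer coreutils/kernels; prints "-"
# when it cannot be reported, in which case fall back to debugfs.
birth_via_stat() { stat -c '%w' "$1"; }

# One field line (crtime, ctime, mtime or atime) from debugfs output on stdin.
# A debugfs 'stat' line looks like:
#   crtime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020
field_line() { awk -v f="$1:" '$1 == f { print; exit }'; }

# Human-readable part of a field (the text after "-- ").
ts_text() { field_line "$1" | sed 's/^.*-- //'; }

# Epoch seconds of a field: the hex value before ':' in the second column.
ts_epoch() {
    hex=$(field_line "$1" | awk '{ sub(/:.*/, "", $2); print $2 }')
    [ -n "$hex" ] || return 1
    echo $(( $hex ))
}

# Live query of a file (needs root); prints the whole debugfs stat block.
debugfs_stat() {
    sudo debugfs -R "stat <$(inode_of "$1")>" "$(device_of "$1")" 2>/dev/null
}

# Consistency check on a debugfs block read from stdin. A modification time
# earlier than the creation time cannot occur naturally, so it is worth a
# closer look. Returns 0 when consistent, 1 when mtime predates crtime.
timestamps_consistent() {
    block=$(cat)
    cr=$(printf '%s\n' "$block" | ts_epoch crtime) || return 0  # no crtime: nothing to compare
    mt=$(printf '%s\n' "$block" | ts_epoch mtime)  || return 0
    [ "$mt" -ge "$cr" ]
}

# Print creation time and the consistency verdict for a real file.
report() {
    out=$(debugfs_stat "$1")
    printf '%s created: %s\n' "$1" "$(printf '%s\n' "$out" | ts_text crtime)"
    if printf '%s\n' "$out" | timestamps_consistent; then
        echo "timestamps consistent"
    else
        echo "WARNING: mtime is earlier than crtime"
    fi
}

# Constructed sample output for offline use (values made up for the example).
SAMPLE_OK='Inode: 719790   Type: regular    Mode:  0644   Flags: 0x80000
 ctime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020
 atime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020
 mtime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020
crtime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020'

# Same inode, but with mtime reset to a date a year before the file existed.
SAMPLE_BACKDATED='Inode: 719790   Type: regular    Mode:  0644   Flags: 0x80000
 ctime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020
 mtime: 0x5d7a0c00:00000000 -- Thu Sep 12 09:12:32 2019
crtime: 0x5f5e1000:00000000 -- Sun Sep 13 12:26:40 2020'
```

Save it as, say, crtime.sh and run `sh -c '. ./crtime.sh; report /etc/systemd'` on a machine whose root filesystem is ext4; on a system where `stat -c '%w'` already prints a birth time, `birth_via_stat` gives the same answer without root.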

Similarly, you can get the inode numbers for multiple files with a single command:

$ stat /etc/systemd /etc/sysctl.d

If you are interested in when the files were last modified, you can see that by typing:

$ ls -l

If you are looking for a specific file, you need to follow the general syntax below:

$ ls -l file_name

For example:

$ ls -l testfile.txt

Similarly, you can list the time the file’s metadata last changed (ctime, with -c) and the time it was last accessed (atime, with -u) by typing:

$ ls -lc testfile.txt

$ ls -lu testfile.txt

As you can see, the timestamps printed by the above commands are the same. To get a better picture, edit the text file by writing a few random lines and then save it. This will change the timestamp, and you will see a new time.

Conclusion

A Linux system can have multiple users, and knowing file creation times is sometimes important, especially for system administrators. Different users have different levels of expertise, so for auditing purposes it is necessary to know which user created which kind of file, since for security reasons a file might contain malicious content as well.

About the author

Taimoor Mohsin