How to Find Linux File Creation Time using Debugfs?

Everything is treated as a file in Linux, and the metadata about a file is stored in its inode, which includes essential information such as creation time, last modification time, and so on. Each file in Linux is identified by its inode number.

In this article, we will use the debugfs command to find the creation time of a file in Linux, with the help of stat (a utility that reports file or file system status), which is commonly used to get the last modified date of a file. The stat command and the debugfs command together will be used to find the actual file creation time in Linux.

In Linux systems, everything is treated like a file, and essential metadata about a file, such as the creation and modification dates, is stored in inodes. We have already looked at how you can check the last modified date of a file in a Linux system using the stat, httpie and date commands.

How to Find Linux File Creation Time using Debugfs?

File creation time is stored in the inode in the EXT4 file system. Earlier versions of the EXT file systems do not support file creation time. There is a crtime (create time) timestamp in the debugfs stat output. EXT4 supports create time just like btime in NTFS on Windows. Follow the instructions below to find the file creation time. Select an existing file or create a new file for testing. For this example, I am using an existing file.

Step 1 – Find Inode Number of File

First of all, find the inode number of the file using the following command in the terminal.

$ ls -i /var/log/secure

13377 /var/log/secure

Step 2 – Find File Creation Time (crtime)

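After getting the inode number of the file, use the debugfs command with the stat request and the inode number, followed by the disk path. The angle brackets around the inode number are part of the debugfs syntax and must be typed.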

$ debugfs -R 'stat <inode_number>' /dev/sda1
$ debugfs -R 'stat <13377>' /dev/sda1

debugfs 1.41.12 (17-May-2010)
Inode: 13377   Type: regular    Mode:  0600   Flags: 0x80000
Generation: 2326794244    Version: 0x00000000:00000001
User:     0   Group:     0   Size: 223317
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 440
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011
Size of extra inode fields: 28
Extended attributes stored in inode body:
  selinux = "system_u:object_r:var_log_t:s000" (31)
(0-24): 35008-35032, (25-54): 164224-164253

Find Linux file creation Time using debugfs

Step 1: Find the inode number of the file whose creation time and date we want to know, using the following command:

$ stat <file name>


Alternatively, the ls -i command can be used; it shows only the inode number and skips all the other information.

$ ls -i  <file name>

So now we have the inode number, “7342019”, for the file “tithi.jpeg”. Copy it to your clipboard, because we are going to need this inode number in the following steps.

Step 2: Find out the root filesystem in which the file resides using the following command:

$ df -h

Here, the root partition on this system is /dev/sda1. That might be different on your system, so make sure to check it properly and note it down.

Step 3: Lastly, use the debugfs command to find the creation time of the file called “tithi.jpeg” with the following command:

sudo debugfs -R 'stat <inode number>' /dev/sda1

In the above result you can see different fields such as ctime, atime, mtime and crtime. Each of these has its own meaning:

  • ctime: Shows file change time.
  • atime: Shows file access time.
  • mtime: Shows file modification time.
  • crtime: Shows file creation time. (This is what we needed)
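
The hexadecimal pair that debugfs prints before each date (seconds:extra) is the raw on-disk value, and decoding it gives the timestamp in UTC with nanosecond precision regardless of the time zone debugfs ran in. The following Python sketch is an added example, not part of the original article or of e2fsprogs: it parses the timestamp lines from the debugfs output shown earlier and notes orderings worth a closer look during a file-system review. The names decode, parse_stat and anomalies are hypothetical helpers.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp lines copied from the debugfs output shown earlier on this page.
SAMPLE = """\
 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011
"""

TS_LINE = re.compile(
    r"^\s*(ctime|atime|mtime|crtime):\s+0x([0-9a-fA-F]{8}):([0-9a-fA-F]{8})", re.M)
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def decode(seconds_hex, extra_hex):
    """Turn an ext4 'seconds:extra' hex pair into (UTC datetime, nanoseconds)."""
    seconds = int(seconds_hex, 16)
    if seconds >= 0x80000000:        # on-disk seconds field is signed 32-bit
        seconds -= 1 << 32
    extra = int(extra_hex, 16)
    seconds += (extra & 0x3) << 32   # low 2 bits extend the range past 2038
    return EPOCH + timedelta(seconds=seconds), extra >> 2  # top 30 bits: ns


def parse_stat(text):
    """Map each timestamp name in 'debugfs stat' output to its decoded value."""
    return {name: decode(sec, extra) for name, sec, extra in TS_LINE.findall(text)}


def anomalies(ts):
    """Return notes on orderings that deserve a closer look (hypothetical helper)."""
    if "crtime" not in ts:
        return ["no crtime line: the inode has no creation time recorded"]
    notes = []
    if "ctime" in ts and ts["ctime"] < ts["crtime"]:
        notes.append("ctime precedes crtime: clock was set back or inode edited offline")
    if "mtime" in ts and ts["mtime"] < ts["crtime"]:
        notes.append("mtime precedes crtime: copied with preserved times or mtime set manually")
    return notes


if __name__ == "__main__":
    stamps = parse_stat(SAMPLE)
    for name, (when, nanos) in stamps.items():
        print(f"{name:>6}: {when:%Y-%m-%d %H:%M:%S}.{nanos:09d} UTC")
    print(anomalies(stamps) or "no ordering anomalies")
```

For the sample, crtime decodes to 2011-12-16 04:43:54 UTC, which is 5 hours 30 minutes behind the local time debugfs printed.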