File Creation Time in Linux
Submitted by lev_lafayette on Sat, 10/18/2014 - 02:22
One can see
Linux offers most of the expected file attributes from the command line, including the owner of a file, the group, the size, the date modified and name. However often users want find out when a file was created. This requires a little bit of extra investigation.
Let's begin with a stock-standard long-listing of a file. This includes the file type ('-' is a normal file), the permissions (rw-r--r-- is read and write for the owner, read for group members, and read for everyone else). The file is 33251 bytes in size (use -lh if you want long listing in 'human' size), the file was last modified on December 17, 2013, and the file name is vimtutor.txt.
lev@isocracy:~/Desktop$ ls -l vimtutor.txt
-rw-r--r-- 1 lev users 33251 Dec 17 2013 vimtutor.txt
Other file status can be shown from the stat command.
lev@isocracy:~/Desktop$ stat vimtutor.txt
Size: 33251 Blocks: 72 IO Block: 4096 regular file
Device: 801h/2049d Inode: 13658745 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 1000/ lev) Gid: ( 100/ users)
Access: 2014-10-15 10:37:40.880000081 +1100
Modify: 2013-12-17 15:03:31.691001453 +1100
Change: 2013-12-17 15:03:31.691001453 +1100
This provides a more complete description of the file; all the information contained above, plus the inode, alast access time, last modification time, and last change time - where change means modification of owner, group, privileges or some other attribute. It's not necessarily the creation time, but sometimes is if none of those attributes have been changed. Alas, the user will witness the blank under "birth" time.
One of the results of the stat command was the inode, or index node. This is a data structure that stores various attributes and the location of the raw data. It can also be discerned form as an ls option.
lev@isocracy:~/Desktop$ ls -i vimtutor.txt
You can use the inode to discover the creation time with some modern file systems (e.g., ext4). First one can check their fstab to find out what file system they have:
lev@isocracy:~/Desktop$ cat /etc/fstab
/dev/sda5 swap swap defaults 0 0
/dev/sda1 / ext4 defaults 1 1
/extraswap none swap sw 0 0
#/dev/cdrom /mnt/cdrom auto noauto,owner,ro,comment=x-gvfs-show 0 0
/dev/fd0 /mnt/floppy auto noauto,owner 0 0
devpts /dev/pts devpts gid=5,mode=620 0 0
proc /proc proc defaults 0 0
tmpfs /dev/shm tmpfs defaults 0 0
From there, one has to go into root and run the debugfs command against the inode and the file system.
root@isocracy:~# sudo debugfs -R 'stat <13658745>' /dev/sda1
debugfs 1.42.6 (21-Sep-2012)
Inode: 13658745 Type: regular Mode: 0644 Flags: 0x80000
Generation: 2995209004 Version: 0x00000000:00000001
User: 1000 Group: 100 Size: 33251
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 72
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x52afcd13:a4bf61b4 -- Tue Dec 17 15:03:31 2013
atime: 0x543db3c4:d1cef144 -- Wed Oct 15 10:37:40 2014
mtime: 0x52afcd13:a4bf61b4 -- Tue Dec 17 15:03:31 2013
crtime: 0x52afcd13:a48258b4 -- Tue Dec 17 15:03:31 2013
Size of extra inode fields: 28
One can see
crtime: 0x52afcd13:a48258b4 -- Tue Dec 17 15:03:31 2013. It just so happens that in this case it was the same as ctime, but that certainly isn't something to rely upon. Perhaps in future we will - and should - see an expansion to the ls command which includes creation.
Thanks are given to co-investigator Dylan Graham in this exploration