Search This Blog

Tuesday, September 27, 2011

How to find file creation date in Linux

I had been struggling a lot, A LOT(I mean it) to find *any* possible solution to get the file creation date on Linux systems. But, I had given up at one point.
All in all, suddenly I came across a post on garage4hackers, and was so happy to see it.
So here we go...

Also AFAIK, this is possible with ext4 filesystems:


user@ubuntu:~$ touch test.txt && ls -l test.txt
-rw-r--r-- 1 user user 0 2011-09-27 18:38 test.txt
user@ubuntu:~$ cat << __eof > test.txt 
Hi there,
Hope you all fine.
__eof
user@ubuntu:~$ ls -l test.txt 
-rw-r--r-- 1 user user 29 2011-09-27 19:44 test.txt
user@ubuntu:~$ ls -i test.txt 
14552801 test.txt
user@ubuntu:~$ sudo debugfs -R 'stat <14552801>' /dev/sda7 
[sudo] password for user:
Inode: 14552801   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 340511001    Version: 0x00000000:00000001
User:  1000   Group:  1000   Size: 29
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
 atime: 0x4e81da5e:c8725434 -- Tue Sep 27 19:44:54 2011
 mtime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
crtime: 0x4e81cacc:966104fc -- Tue Sep 27 18:38:28 2011
Size of extra inode fields: 28
EXTENTS:
(0): 58665199
debugfs 1.41.11 (14-Mar-2010)

Please note various timestamps mentioned in output

atime: Last time file was opened or executed
ctime: Time the inode information was updated. ctime also gets updated when file is modified
mtime: Last modified time
And most importantly
crtime: File creation time


Thanks to Hackuin, who had posted about it on garage4hackers forum.
Reference: http://www.garage4hackers.com/f30/did-you-know-330-2.html


..............Done!!!

3 comments:

  1. This is a good news for Linux Users. I too struggled a lot for the same solution and shared my test results in this post.

    http://ashok-linux-tips.blogspot.com/2010/11/finding-file-creation-time-in-linux.html

    ReplyDelete
  2. Indeed. Most importantly to the Forensic Investigators, whose job will be nearly impossible without it.

    ReplyDelete
  3. #!/bin/bash
    # File Name: createdate
    # This will get the create date or crtime if it is stored.
    # Change the /dev/sda3 to what your mount point is.
    # make it executable, then call like this: ./createdate FileName
    fileInodeNum=`ls -i $1 |awk '{print $1}' `
    echo $fileInodeNum # This is the inode of the file your concerned with.

    fileCrTime=`debugfs -R "stat <$fileInodeNum>" /dev/sda3 | awk -F -- '/crtime/ {print $2}'`
    echo $fileCrTime # Look it up by inode, and return crtime if there.

    exit 0

    ReplyDelete