I had been struggling a lot, A LOT (I mean it), to find *any* possible solution to get the file creation date on Linux systems. But at one point I had given up.
Then, suddenly, I came across a post on garage4hackers and was so happy to see it.
So here we go...
Also, AFAIK, this is possible with ext4 filesystems:
user@ubuntu:~$ touch test.txt && ls -l test.txt
-rw-r--r-- 1 user user 0 2011-09-27 18:38 test.txt
user@ubuntu:~$ cat << __eof > test.txt
Hi there,
Hope you all fine.
__eof
user@ubuntu:~$ ls -l test.txt
-rw-r--r-- 1 user user 29 2011-09-27 19:44 test.txt
user@ubuntu:~$ ls -i test.txt
14552801 test.txt
user@ubuntu:~$ sudo debugfs -R 'stat <14552801>' /dev/sda7
[sudo] password for user:
Inode: 14552801   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 340511001    Version: 0x00000000:00000001
User:  1000   Group:  1000   Size: 29
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
 atime: 0x4e81da5e:c8725434 -- Tue Sep 27 19:44:54 2011
 mtime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
crtime: 0x4e81cacc:966104fc -- Tue Sep 27 18:38:28 2011
Size of extra inode fields: 28
EXTENTS:
(0): 58665199
debugfs 1.41.11 (14-Mar-2010)
Please note the various timestamps in the output:
atime: last time the file was opened or executed
ctime: time the inode information was updated; ctime also gets updated when the file is modified
mtime: last modified time
And most importantly:
crtime: file creation time
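The debugfs listing prints each timestamp as two hex words before the human-readable date, and those words are what a forensic tool has to decode. The Python below is an added example, not code from the post or from e2fsprogs: it parses the `stat` output (the post's own listing for inode 14552801 is embedded as the sample so it runs without root or a block device) and decodes the words the way the ext4 driver does: the first word is signed 32-bit seconds, the second word's low two bits extend the epoch past 2038 and its upper 30 bits hold nanoseconds. It also handles crtime being absent, which is what debugfs prints for inodes without "extra inode fields" (128-byte inodes). `fetch_debugfs_stat` runs the same debugfs command as the post; the function and class names are my own.

```python
"""Decode the ext4 timestamps printed by `debugfs -R 'stat <inode>'`.

Added example, not from the original post. The sample output is the post's
own debugfs listing, embedded here so the parser can run offline.
"""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Sample output taken from the post, so the parser runs without root or a device.
SAMPLE_DEBUGFS_STAT = """\
Inode: 14552801   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 340511001    Version: 0x00000000:00000001
User:  1000   Group:  1000   Size: 29
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 8
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
 atime: 0x4e81da5e:c8725434 -- Tue Sep 27 19:44:54 2011
 mtime: 0x4e81da5b:513cbff4 -- Tue Sep 27 19:44:51 2011
crtime: 0x4e81cacc:966104fc -- Tue Sep 27 18:38:28 2011
Size of extra inode fields: 28
EXTENTS:
(0): 58665199
"""

# ext4 on-disk layout of the "extra" time word: low 2 bits extend the epoch,
# the remaining 30 bits are nanoseconds (same constants as the kernel driver).
EXT4_EPOCH_BITS = 2
EXT4_EPOCH_MASK = (1 << EXT4_EPOCH_BITS) - 1

# "crtime: 0x4e81cacc:966104fc -- ..."; the ":extra" half is absent on 128-byte inodes.
TIME_LINE = re.compile(
    r"^\s*(crtime|ctime|atime|mtime):\s+0x([0-9a-fA-F]{8})(?::([0-9a-fA-F]{8}))?", re.M
)


@dataclass(frozen=True)
class Ext4Time:
    seconds: int        # seconds since the Unix epoch, after sign extension and epoch bits
    nanoseconds: int

    def utc(self) -> datetime:
        # datetime only carries microseconds; the full nanosecond value stays in .nanoseconds
        base = datetime.fromtimestamp(self.seconds, tz=timezone.utc)
        return base.replace(microsecond=self.nanoseconds // 1000)


def decode_ext4_time(seconds_hex: str, extra_hex: Optional[str]) -> Ext4Time:
    """Mirror the kernel's ext4_decode_extra_time(): sign-extend the 32-bit
    seconds, add the epoch bits shifted up by 32, take nanoseconds from the rest."""
    seconds = int(seconds_hex, 16)
    if seconds >= 1 << 31:          # i_*time is a signed 32-bit field on disk
        seconds -= 1 << 32
    nanoseconds = 0
    if extra_hex:                   # empty/None when the inode has no extra fields
        extra = int(extra_hex, 16)
        seconds += (extra & EXT4_EPOCH_MASK) << 32
        nanoseconds = extra >> EXT4_EPOCH_BITS
    return Ext4Time(seconds, nanoseconds)


def parse_debugfs_stat(text: str) -> Dict[str, Ext4Time]:
    """Return {name: Ext4Time} for every timestamp line debugfs printed.
    'crtime' is simply missing when the filesystem does not store it."""
    return {name: decode_ext4_time(sec, extra) for name, sec, extra in TIME_LINE.findall(text)}


def creation_to_modification(times: Dict[str, Ext4Time]) -> Optional[timedelta]:
    """Time between creation and the last content write; None if crtime is not stored."""
    if "crtime" not in times or "mtime" not in times:
        return None
    return times["mtime"].utc() - times["crtime"].utc()


def fetch_debugfs_stat(device: str, inode: int) -> str:
    """Run debugfs exactly as in the post (needs root); its version banner goes to stderr."""
    result = subprocess.run(["debugfs", "-R", f"stat <{inode}>", device],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    times = parse_debugfs_stat(SAMPLE_DEBUGFS_STAT)
    for name in ("crtime", "atime", "mtime", "ctime"):
        t = times.get(name)
        print(f"{name:>6}: " + (f"{t.utc().isoformat()} (+{t.nanoseconds} ns)" if t else "not stored"))
    print("created -> last modified:", creation_to_modification(times))
```

Decoded, the post's crtime word 0x4e81cacc is 1317128908 seconds, i.e. 2011-09-27 13:08:28 UTC, which matches the 18:38:28 local time debugfs printed for a UTC+5:30 host; the 66-minute gap to mtime is the edit made with the here-document. To use it on a live system, run `fetch_debugfs_stat("/dev/sda7", os.stat(path).st_ino)` as root and feed the result to `parse_debugfs_stat`.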
Thanks to Hackuin, who posted about it on the garage4hackers forum.
Reference: http://www.garage4hackers.com/f30/did-you-know-330-2.html
..............Done!!!
This is good news for Linux users. I too struggled a lot for the same solution and shared my test results in this post.
http://ashok-linux-tips.blogspot.com/2010/11/finding-file-creation-time-in-linux.html
Indeed. Most importantly for forensic investigators, whose job will be nearly impossible without it.
#!/bin/bash
# File Name: createdate
# Prints the create date (crtime) of a file if the filesystem stores it.
# Usage: ./createdate FileName [device]
# The device defaults to the one the file lives on (found with df); pass it
# explicitly, e.g. /dev/sda3, if that lookup is wrong for you.
# debugfs reads the raw block device, so run this as root or via sudo.
set -eu
file=$1
dev=${2:-$(df --output=source -- "$file" | tail -n 1)}
fileInodeNum=$(stat -c %i -- "$file")   # inode of the file you're concerned with
echo "inode $fileInodeNum on $dev"
# Look the inode up directly on the device and keep the date after " -- " on the crtime line.
fileCrTime=$(debugfs -R "stat <$fileInodeNum>" "$dev" | awk -F' -- ' '/^ *crtime:/ {print $2}')
if [ -z "$fileCrTime" ]; then
    echo "crtime is not stored for inode $fileInodeNum (inode has no extra fields)" >&2
    exit 1
fi
echo "$fileCrTime"
exit 0