The file creation time, named ‘crtime’, is stored in the inode on the EXT4 file system. Earlier EXT file system versions such as EXT2 and EXT3 do not support file creation time.
Linux has three timestamps for files: ‘atime’ is the time the contents were last accessed, ‘mtime’ is the time the contents of the file were last modified, and ‘ctime’ is the time the inode was last modified.
Please follow the steps below to find file creation time for an existing file.
1. Finding Inode number
To find the inode number of the file, we can use the command below in a Linux terminal.
root@adminz:~# ls -i /var/log/syslog
1309442 /var/log/syslog
2. Finding the file creation time
Once we have the inode number of the file (/var/log/syslog), we can use the debugfs command with its stat request and the inode number, followed by the disk path.
# debugfs -R 'stat <inode-number>' /dev/sda5
Running the command to find crtime:
$ debugfs -R 'stat <1309442>' /dev/sda5
Inode: 1309442 Type: regular Mode: 0640 Flags: 0x80000
Generation: 3214204479 Version: 0x00000000:00000001
User: 101 Group: 4 Size: 845243
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 1664
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x5b06d245:73662dbc -- Thu May 24 20:25:01 2018
atime: 0x5b0634ab:1929cc78 -- Thu May 24 09:12:35 2018
mtime: 0x5b06d245:73662dbc -- Thu May 24 20:25:01 2018
crtime: 0x5b0634ab:1929cc78 -- Thu May 24 09:12:35 2018
Size of extra inode fields: 32
EXTENTS:(ETB0):5275732, (0):5405184, (1):4300759, (2):5821327, (3):2669034, (4):5820317,
(5-6):5859240-5859241, (7):5896864, (8):6006214, (9-10):5977856-5977857, (11):6003644,
(12-13):5979483-5979484, (14):6003691, (15-31):6693563-6693579, (32-127):
4328032-4328127, (128):4327459, (129-206):9510-9587
The crtime entry in the output is the actual file creation time.
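The hex pair debugfs prints before each date is the raw on-disk value: 32-bit seconds, then the ext4 "extra" field, whose low two bits extend the seconds range and whose upper 30 bits hold nanoseconds. The Python below is an added example, not part of the original article: it decodes those pairs to UTC with nanosecond precision, which avoids depending on the local time zone that debugfs uses for the date text. Function names are illustrative and the sample lines are copied from the output above.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample input: the four timestamp lines from the debugfs output shown above.
SAMPLE = """\
ctime: 0x5b06d245:73662dbc -- Thu May 24 20:25:01 2018
atime: 0x5b0634ab:1929cc78 -- Thu May 24 09:12:35 2018
mtime: 0x5b06d245:73662dbc -- Thu May 24 20:25:01 2018
crtime: 0x5b0634ab:1929cc78 -- Thu May 24 09:12:35 2018
"""

# The ":extra" half is optional; it is missing when the inode has no extra fields.
TS_LINE = re.compile(
    r"^\s*(ctime|atime|mtime|crtime):\s+0x([0-9a-f]{8})(?::([0-9a-f]{8}))?",
    re.MULTILINE | re.IGNORECASE,
)


def decode(seconds_hex, extra_hex=None):
    """Return (epoch_seconds, nanoseconds) for one debugfs timestamp pair."""
    secs = int(seconds_hex, 16)
    if secs >= 1 << 31:            # the on-disk seconds field is signed 32-bit
        secs -= 1 << 32
    extra = int(extra_hex, 16) if extra_hex else 0
    secs += (extra & 0x3) << 32    # low 2 bits of "extra" extend the seconds
    return secs, extra >> 2        # upper 30 bits of "extra" are nanoseconds


def parse_stat(text):
    """Map each timestamp name in debugfs 'stat' output to (seconds, nanos)."""
    return {m.group(1).lower(): decode(m.group(2), m.group(3))
            for m in TS_LINE.finditer(text)}


def utc_string(seconds, nanos):
    """Format a decoded timestamp as UTC, keeping all nine fractional digits."""
    base = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return f"{base:%Y-%m-%d %H:%M:%S}.{nanos:09d} UTC"


if __name__ == "__main__":
    for name, (secs, nanos) in parse_stat(SAMPLE).items():
        print(f"{name:<7}{utc_string(secs, nanos)}")
```

For the sample, crtime decodes to 03:42:35 UTC, which matches the 09:12:35 shown by debugfs on a machine set to UTC+5:30.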