How to Find File Creation Time (crtime) in Linux
Abstract: Step 2 – Find File Creation Time (crtime) After getting the inode number of fileI am using an existing file. Step 1 – Find Inode Number of File First
File creation time is stored in inode in EXT4 file system. An earlier version of EXT files systems doesn’t support file creation time.
There is a crtime
(create time) timestamp in the debugfs stat
output. finally EXT4 supports create time just like btime
in NTFS windows.
Follow below instructions to how to find file creation time. Select an existing file or create a new file for testing. For this example, I am using an existing file.
Step 1 – Find Inode Number of FileFirst of all, find the inode number of any file using the following command on terminal.
$ ls -i /var/log/secure 13377 /var/log/syslogStep 2 – Find File Creation Time (crtime)
After getting the inode number of file, Use debugfs command with inode number stats following by disk path.
$ debugfs -R 'stat <inode_number>' /dev/sda1Implementation:
$ debugfs -R 'stat <13377>' /dev/sda1 debugfs 1.41.12 (17-May-2010) Inode: 13377 Type: regular Mode: 0600 Flags: 0x80000 Generation: 2326794244 Version: 0x00000000:00000001 User: 0 Group: 0 Size: 223317 File ACL: 0 Directory ACL: 0 Links: 1 Blockcount: 440 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013 crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011 Size of extra inode fields: 28 Extended attributes stored in inode body: selinux = "system_u:object_r:var_log_t:s000" (31) EXTENTS: (0-24): 35008-35032, (25-54): 164224-164253
Find the entry of crtime in above output. This is the actual file creation time.
References:
Read more about ext4 file system: https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout