DEBUGFS Command – Show File Creation Times in Linux

In Unix-like systems such as Linux, everything is considered a file, and all information about a file (metadata or file attributes such as creation time, last modification etc..), except the actual file content are...

In Unix-like systems such as Linux, everything is considered a file, and all information about a file (metadata or file attributes such as creation time, last modification etc..), except the actual file content are stored in an inode and Linux identifies each and every file by its inode number other than the human readable filename.

In addition, the Linux stat program is a useful utility for displaying file or file system status. It shows information such as inode number, time of file birth, last data modification, last access, last status change and much more. We will combine both programs to find actual file creation time in Linux.

In this article, we will explain how to find one of the critical attributes of a file using the debugfs and stat programs to obtain the following creation/access information for a file in Linux filesystems.

  • ctime: Shows file change time.
  • atime: Shows file access time.
  • mtime: Shows file modification time.
  • crtime: Shows file creation time.

Find File Creation Date in Linux

1. To find a file creation date and time “crtime” is to find the inode of the file using the stat command against a file called “About-TecMint”.

$ stat About-TecMint File: 'About-TecMint'
Size: 260 Blocks: 8 IO Block: 4096 regular file
Device: 80ah/2058d Inode: 14420015 Links: 1
Access: (0777/-rwxrwxrwx) Uid: ( 1000/ tecmint) Gid: ( 1000/ tecmint)
Access: 2017-02-23 14:15:20.263337740 +0530
Modify: 2015-10-22 15:08:25.236299000 +0530
Change: 2016-08-01 10:26:36.603280013 +0530
Birth: -


Alternatively, you can use the ls -i command against a file called “About-TecMint”.

$ ls -i About-TecMint
14420015 About-TecMint

From the output of the above commands, the file inode number is 14420015. Please make a note of this unique inode number as we will be using this inode number in the following steps.

2. Now we need to find the root filesystem that our file resides in, simply issue the following df -h command to identify the root file system.

$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 3.9G 0 3.9G 0% /dev
tmpfs 788M 9.7M 779M 2% /run
/dev/sda10 324G 277G 31G 91% /
tmpfs 3.9G 192M 3.7G 5% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 3.9G 0 3.9G 0% /sys/fs/cgroup
/dev/loop3 87M 87M 0 100% /snap/core/4486
/dev/loop0 87M 87M 0 100% /snap/core/4407
/dev/loop1 82M 82M 0 100% /snap/core/4206
/dev/loop2 181M 181M 0 100% /snap/vlc/190
/dev/loop4 189M 189M 0 100% /snap/vlc/158
cgmfs 100K 0 100K 0% /run/cgmanager/fs
tmpfs 788M 40K 788M 1% /run/user/1000

From the above output, the filesystem for the root partition is /dev/sda10 (make a note of this filesystem). This will be different on your system.

3. Next, use the debugfs command to find the creation time of the file called “About-TecMint”, with the -R flag which instructs debugfs to execute the single external command specified with inode number 14420015 (stat in this case) and then exit.

$ sudo debugfs -R 'stat <14420015>' /dev/sda10
Inode: 14420015 Type: regular Mode: 0777 Flags: 0x80000
Generation: 2130000141 Version: 0x00000000:00000001
User: 1000 Group: 1000 Size: 260
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x579ed684:8fd54a34 -- Mon Aug 1 10:26:36 2016
atime: 0x58aea120:3ec8dc30 -- Thu Feb 23 14:15:20 2017
mtime: 0x5628ae91:38568be0 -- Thu Oct 22 15:08:25 2015
crtime: 0x579ed684:8fd54a34 -- Mon Aug 1 10:26:36 2016
Size of extra inode fields: 32
EXTENTS:
(0):57750808
(END)

From the above output it clears that the file “About-TecMint” was created on Mon Aug 1 10:26:36 2016 as provided by crtime. You will also see “ctime“, “atime” and “mtime” of your file.

Posted by wiredgorilla