Linux debugfs command
Displaying File Creation Times
In the following example, we are going to use the "debugfs" to obtain the following creation/access information for a file:
ctime: This is the inode or file change time. The ctime attribute is updated when a files attributes are changed.
atime: This is the file access time. The atime attribute is updated when a file is opened.
mtime: This is the file modification time. The mtime attribute is updated when a file is modified or updated in any way.
crtime: This is the time the file was created.
Finding the Creation Date of a file
The first step involved in finding a file's creation date "crtime" is to locate the inode of the file. To do this we can simply use the "ls -i" command. In the example, we run this command against a file called "knowm_hosts".
[root@rhel01a .ssh]# ls -i known_hosts 524296 known_hosts
From the above we can see that the file "known_hosts" has an inode number of "524296". Make a note of this unique number as we will be using this in the next steps. (Your inode number will be unique to your system)
Identify the filesystem
To locate the filesystem that your file resides in, simply navigate to the location of the file and issue the following command to identify the file system.
df -h .
[root@rhel01a .ssh]# df -h . Filesystem Size Used Avail Use% Mounted on /dev/mapper/ctrlmVG-ctrlmLV 20G 1.5G 18G 8% /batch
From the above we have now identified that the file we are trying to find the creation date for resides within a filesystem called "/batch. Make a note of the line "/dev/mapper/ctrlmVG-ctrlmLV". This will be different on your system. This information will be used along with the inode number that you recorded earlier.
Issue debugfs command
The next step is now to run the following command with the information that was recorded earlier:
"debugfs" command: debugfs -R 'stat <524296>' /dev/mapper/ctrlmVG-ctrlmLV
debugfs -R 'stat <524296>' /dev/mapper/ctrlmVG-ctrlmLV debugfs 1.41.12 (17-May-2010) Inode: 524296 Type: regular Mode: 0644 Flags: 0x80000 Generation: 2757223085 Version: 0x00000000:00000001 User: 400 Group: 400 Size: 1395 File ACL: 0 Directory ACL: 0 Links: 1 Blockcount: 8 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x57060764:00476e80 -- Thu Apr 7 08:08:20 2016 atime: 0x5706076f:238c5488 -- Thu Apr 7 08:08:31 2016 mtime: 0x57060764:00476e80 -- Thu Apr 7 08:08:20 2016 crtime: 0x55f7e829:2468caa8 -- Tue Sep 15 10:43:05 2015 Size of extra inode fields: 28 EXTENTS: (0): 2228401
If all has gone well, you should now see information displayed in a format similar to the example above. You will be able to see the "ctime", "atime", "mtime and the "crtime of your file.