debugfs

Linux debugfs command

Displaying File Creation Times


In the following example, we are going to use the "debugfs" to obtain the following creation/access information for a file:

ctime: This is the inode or file change time. The ctime attribute is updated when a files attributes are changed.
atime: This is the file access time. The atime attribute is updated when a file is opened.
mtime: This is the file modification time. The mtime attribute is updated when a file is modified or updated in any way.
crtime: This is the time the file was created.



Finding the Creation Date of a file


The first step involved in finding a file's creation date "crtime" is to locate the inode of the file. To do this we can simply use the "ls -i" command. In the example, we run this command against a file called "knowm_hosts".



[root@rhel01a .ssh]# ls -i known_hosts
524296 known_hosts

From the above we can see that the file "known_hosts" has an inode number of "524296". Make a note of this unique number as we will be using this in the next steps. (Your inode number will be unique to your system)


Identify the filesystem


To locate the filesystem that your file resides in, simply navigate to the location of the file and issue the following command to identify the file system.

df -h .



[root@rhel01a .ssh]# df -h .

Filesystem            Size  Used Avail Use% Mounted on

/dev/mapper/ctrlmVG-ctrlmLV

                       20G  1.5G   18G   8% /batch

From the above we have now identified that the file we are trying to find the creation date for resides within a filesystem called "/batch. Make a note of the line "/dev/mapper/ctrlmVG-ctrlmLV". This will be different on your system. This information will be used along with the inode number that you recorded earlier.


Issue debugfs command


The next step is now to run the following command with the information that was recorded earlier:

"debugfs" command: debugfs -R 'stat <524296>' /dev/mapper/ctrlmVG-ctrlmLV



debugfs -R 'stat <524296>' /dev/mapper/ctrlmVG-ctrlmLV

debugfs 1.41.12 (17-May-2010)

Inode: 524296   Type: regular    Mode:  0644   Flags: 0x80000

Generation: 2757223085    Version: 0x00000000:00000001

User:   400   Group:   400   Size: 1395

File ACL: 0    Directory ACL: 0

Links: 1   Blockcount: 8

Fragment:  Address: 0    Number: 0    Size: 0

ctime: 0x57060764:00476e80 -- Thu Apr  7 08:08:20 2016

atime: 0x5706076f:238c5488 -- Thu Apr  7 08:08:31 2016

mtime: 0x57060764:00476e80 -- Thu Apr  7 08:08:20 2016

crtime: 0x55f7e829:2468caa8 -- Tue Sep 15 10:43:05 2015

Size of extra inode fields: 28

EXTENTS:

(0): 2228401

If all has gone well, you should now see information displayed in a format similar to the example above. You will be able to see the "ctime", "atime", "mtime and the "crtime of your file.