How to Find File Creation Time (crtime) in Linux

By 2 Mins Read

File creation time is stored in inode in EXT4 file system. An earlier version of EXT files systems doesn’t support file creation time.

Advertisement

There is a crtime (create time) timestamp in the debugfs stat output. finally EXT4 supports create time just like btime in NTFS windows.

Follow below instructions to how to find file creation time. Select an existing file or create a new file for testing. For this example, I am using an existing file.

Step 1 – Find Inode Number of File

First of all, find the inode number of any file using the following command on terminal.

$ ls -i /var/log/secure

13377 /var/log/syslog

Step 2 – Find File Creation Time (crtime)

After getting the inode number of file, Use debugfs command with inode number stats following by disk path.

$ debugfs -R 'stat <inode_number>' /dev/sda1
Implementation:
$ debugfs -R 'stat <13377>' /dev/sda1

debugfs 1.41.12 (17-May-2010)
Inode: 13377   Type: regular    Mode:  0600   Flags: 0x80000
Generation: 2326794244    Version: 0x00000000:00000001
User:     0   Group:     0   Size: 223317
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 440
Fragment:  Address: 0    Number: 0    Size: 0
 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011
Size of extra inode fields: 28
Extended attributes stored in inode body:
  selinux = "system_u:object_r:var_log_t:s000" (31)
EXTENTS:
(0-24): 35008-35032, (25-54): 164224-164253

Find the entry of crtime in above output. This is the actual file creation time.

References:
Read more about ext4 file system: https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout

Share.

Related Posts

9 Comments

  2. shell on

    Hi ,

    I wanted to to copies files from one location to another which is created on time 00:05 .

    File names := a****.txt (after a ther is incremental number but i need to choose file with time)
    Could you please suggest as soon as …..

    Reply
  3. Akash on

    sudo debugfs -R ‘stat ‘ /dev/sddb1

    I am using google cloude shell and above command returns same results as “debugfs 1.43.4 (31-Jan-2017)” for all file inode number

    Reply
    • Wakar Khan on

      I am also retrieving the creation date of file but your suggested is not working for me and getting “Bad magic number in super-block while opening the file system” . Please suggest appropriate solution for this.

      Reply
  5. Benjamin Abbott-Scott on

    You can also simply specify filename (at least on CentOS and AmazonOS) instead of inode:

    $ sudo debugfs -R ‘stat /bin/ls’ /dev/xvda1

    crtime: 0x57699f20:712d39fc — Tue Jun 21 13:10:08 2016

    Reply
    • Wakar Khan on

      I am also retrieving the creation date of file but your suggested command is not working for me and getting “Bad magic number in super-block while opening the file system” . Please suggest appropriate solution for this.

      Reply
  7. kn on

    On my system, which is Ubuntu 16.04.2, the ctime, mtime, and crtime come-up the same when I run your debugfs command. The atime field is also incorrect.

    However, did find a script that is supposed to output the correct crtime. Here’s the link:

    https://unix.stackexchange.com/a/92748

    Will check-it and post back the results.

    Reply
Leave A Reply

Exit mobile version