File creation time is stored in inode in EXT4 file system. An earlier version of EXT files systems doesn’t support file creation time.
There is a
crtime (create time) timestamp in the
debugfs stat output. finally EXT4 supports create time just like
btime in NTFS windows.
Follow below instructions to how to find file creation time. Select an existing file or create a new file for testing. For this example, I am using an existing file.
Step 1 – Find Inode Number of File
First of all, find the inode number of any file using the following command on terminal.
$ ls -i /var/log/secure
Step 2 – Find File Creation Time (crtime)
After getting the inode number of file, Use debugfs command with inode number stats following by disk path.
$ debugfs -R 'stat <inode_number>' /dev/sda1
$ debugfs -R 'stat <13377>' /dev/sda1 debugfs 1.41.12 (17-May-2010) Inode: 13377 Type: regular Mode: 0600 Flags: 0x80000 Generation: 2326794244 Version: 0x00000000:00000001 User: 0 Group: 0 Size: 223317 File ACL: 0 Directory ACL: 0 Links: 1 Blockcount: 440 Fragment: Address: 0 Number: 0 Size: 0 ctime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013 atime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013 mtime: 0x5230b7ae:55efa068 -- Thu Sep 12 00:04:22 2013
crtime: 0x4eeacc8a:0948eb58 -- Fri Dec 16 10:13:54 2011Size of extra inode fields: 28 Extended attributes stored in inode body: selinux = "system_u:object_r:var_log_t:s000" (31) EXTENTS: (0-24): 35008-35032, (25-54): 164224-164253
Find the entry of
Read more about ext4 file system: https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout