How to check file creation time in Linux

Your operating system relies heavily on files to keep everything running smoothly and functional. It's occasionally crucial for security reasons to know the date that system files were truly generated.

For instance, if a system file was altered, you may quickly identify the modifications that were done.

There are several ways to check file creation time in Linux. This is helpful if you need to know the creation date of a file for troubleshooting purposes or to know some information about your files.

In this article, we'll explore three distinct approaches to finding file creation time in Linux.

Using debugfs command

The debugfs command is the most effective technique to check when a file is created in Linux. This tool can be used for debugging. It can also display details about a file, such as when it was created. The debugfs command can be used in two different ways, as explained in the following. 

debugfs -R ‘stat file path’ /dev/device

For this debugfs command, you need the device path and file path that the device contains.

On a Linux system, information on disk space usage may be viewed using the df command. Additionally, you can use this command to get the device path for a certain file. You must use the following syntax to use this command:

df [options] filename

When you run this command, the output should resemble something like this:

# df -h /etc/fstab

Filesystem      Size  Used Avail Use% Mounted on

/dev/vda1   47G  2.2G   45G   5% /

The device path is shown in the "Filesystem" column.

debugfs -R ‘stat <inode>’ /dev/device

The inode number of the file you want to inspect must be obtained for the second technique.

A data structure called an inode is used to hold details about files. It includes details like the file's size, owner, group, rights, and creation time. On a Linux system, each file has its inode.

Using the ls -i command, you may determine a file's inode number. With this command, all the files in a directory are listed with their inode numbers. 

You can check file creation time in Linux using the debugfs command and this inode number.

Find the file creation time with stat command. 

A file's size, creation and modification times, among other details, can all be displayed with the stat command. You must use the syntax shown below when using the stat command:

stat [options] filename

The "Birth" column displays the file creation time.

If the Birth field in the stat command is blank, you need to upgrade the coreutils package to the most recent version, or you can use the debugfs technique.

The commands to check the coreutils package version are shown below. Version 8.32-4.1 is the least you need.

• rpm -qa|grep coreutils
• yum info coreutils

Check file creation time in Linux using xfs_io command

Another approach to finding the file creation time in Linux is with the xfs io command. The XFS filesystem includes this command, which can display details about a file, including the time the file was created.

You will need to know the path to the file you wish to inspect to use this command.

There is a ton of information about the file provided by the xfs io command. The "stat.btime" column displays the file creation time.

Conclusion

Linux OS may support numerous users, and system administrators, in particular, may find it useful to know when files were created. 

For auditing purposes, it is essential to know which person is producing which sort of file because it can be infected with viruses. This is because various users have varied levels of skill.

To examine the file creation time in Linux, you might employ three alternative techniques. Every technique has benefits and drawbacks, so you must select the one that best meets your requirements.

People also read: 

• What Are The Easiest Ways to Create Files in Linux?
• How to open files in Linux
• How to Move Files in Linux
• How to delete a directory in Linux?