How to see and change timestamps in Linux. How to perform timestamps-based searching
It all started with the fact that I became interested in how to find files created or modified in a system in a certain period of time. For example, how do you know which files in the /etc folder were changed in the last day or in the last week?
The find command does an excellent job with this task, but it turned out that the following timestamps are available for each file:
To understand what we found, you need to clearly know the difference between these properties of the file.
This article is devoted to this, it will be told:
- how to see the file modification time and how the modification time differs from the file change status time
- how to find out when the file was last opened
- how to find out when creation time of a file in Linux
- how to change the time of access, modification and changing status of the file.
- how to change file creation time in Linux and is it possible at all
- how to find files that have recently been changed or opened
- how to find files that were opened, edited or created on a certain day or a certain time ago
All these questions have practical meaning: from simple home use – searching for a file for which we do not remember the name, but for which we remember the time of creation; to a serious professional usage – the appearance of new files on the server, or recent modifications of important files, may indicate a hacking system or unauthorized access, may help in investigating such cases to understand the events of the incident. Either be applied with opposite motives — what and how should be changed in timestamps to reduce the possibilities of forensic investigation.
So let's get started!
File timestamps in file system and metadata
Before we start talking about file timestamps, you need to understand that this is part of the file system functionality. Consequently, some timestamps may not be available on some file systems.
Except file properties in the file system, timestamps can be stored in the metadata of the file itself. A great many formats have metadata and quite often this metadata contains its own set of timestamps, which differ in composition and even in their current value from timestamps in the file system. For example, for Word documents, in addition to the creation date, metadata may also contain timestamps on the date the file was printed, the total time the file was edited, and so on.
For images, EXIF metadata may also contain file system-independent information about the time at which the file was created.
You should never forget about metadata if your goal is to edit timestamps! Various applications are used for accessing/editing metadata these subjects are not included in the topic of this article. This article focuses on the timestamps of files and folders that the file system stores.
How to view the time when file was created, edited or opened the last time
Immediately all file timestamps can be viewed using the stat command. The run is very simple:
For example, I want to know information about the prog.txt file:
File: prog.txt Size: 7024 Blocks: 16 IO Block: 4096 regular file Device: 10302h/66306d Inode: 3971903 Links: 1 Access: (0755/-rwxr-xr-x) Uid: ( 1000/ mial) Gid: ( 985/ users) Access: 2019-07-08 14:28:11.990817492 +0300 Modify: 2019-07-08 14:28:11.994150836 +0300 Change: 2019-07-09 10:58:09.136962008 +0300 Birth: 2019-07-08 14:28:11.990817492 +0300
With the creation time (Birth), everything is clear – this is when the file was created. By the way, the stat program began to show this information quite recently. Prior to that, to the question “how to find out the file creation time?”, experts answered that the Linux kernel does not support this. As a working solution, you had to look at the inode of the file of interest, and then use another command to look at the date of changing of this inode – this was considered as the time of file creation.
The above shows the output for a command on the ext4 file system. For the ext2 file system, the file creation date is still unavailable:
Now let's see what other timestamps in Linux mean.
What is file Access time, file Modify time and file Change time in Linux
Access (last access) – the time when the file was last read. This time changes when such system calls are used as mknod (2), utimes (2), and read (2) are accessed. If it is a text file, the last access date is updated each time it is opened. If it is an executable file, the access date will be updated when it is launched.
But before you come up with a practical use of the time of the last access to the file (for example, to check which commands were launched in the last hour), you must take into account very important nuances. The above shows that support for certain time stamps depends on the file system. Also, the behavior of time stamps depends on the options with which the file system was mounted. For example, when starting a script, we expect that the access time to this file will change to the current one. This is true – to execute the script, it must be read and atime should be changed to the execution time. This is usually the case. But if a file are accessed in a file system that is mounted with the noatime or relatime options (or other possible options that may affect the atime change — for example, read-only), then the behavior will be different.
Do not update the inode access time on this file system (for example, to speed up performance by eliminating unnecessary operations)
Update inode access time relative to modification or change status time. The access time is updated only if the previous access time was older than the modification or change status time, or if the previous access time is older than 1 day.
So – the last file access time may not be accurate! In fact, if the relatime option is used when mounting the disk, it turns out that it shows:
1) the time of the last status change or content modification of the file
2) the time of today's first opening of the file
3) SOMETIMES it really shows the time of the last access to the file (if the file was opened only once), or if this access to the file is performed after its modification or status change
Modify (last modified) – the time of the last change in the contents of the file. That is, if it is a text file, the modification time will change when you open it and delete some word or add something. Changed by system calls mknod (2), utimes (2) and write (2).
Change (last changed) – The last time the file metadata was changed in the file system. That is, if you change the EXIF metadata in the image file, this will be a modification (since the file contents will essentially change). An example of a File Status Change is changing the permissions to access it (read, write, execute), change owner, group, etc. Changed by chmod (2), chown (2), link (2), mknod.
What is access time, modification time and change time of directories in Linux
You can also view the folder timestamps using the stat command:
For example, to view information about the current directory:
For folders, the last access time is updated when viewing the list of files inside it. The same rules apply as for files – its behavior depends on the options with which the file system is mounted.
When creating or deleting a new file inside a directory, when modifying the contents or changing the properties of a file inside a folder, the Change time and Modify time of this folder are also updated.
What time does the ls -l command show
If you run the ls command with the -l option, it will show the last time the file (or directory) has been modified. Using the --time option, you can display other timestamps:
--time=WORD with -l, show time as WORD instead of default modification time time - last access time ctime - last change time
As you can see, using ls it’s impossible to display the file creation time since this feature was recently added to the kernel.
If you add the option --sort=time, then it will also be sorted by the selected timestamp.
There are several abbreviated options:
-c with -lt: sort by, and show, ctime (time of last modification of file status information); with -l: show ctime and sort by name; otherwise: sort by ctime, newest first -t sort by modification time, newest first -u with -lt: sort by, and show, access time; with -l: show access time and sort by name; otherwise: sort by access time, newest first
You can select the time format:
--time-style=TIME_STYLE time/date format with -l; see TIME_STYLE below
The TIME_STYLE argument can be full-iso, long-iso, iso, locale, or +FORMAT. FORMAT is interpreted like in date(1). If FORMAT is FORMAT1<newline>FORMAT2, then FORMAT1 applies to non-recent files and FORMAT2 to recent files. TIME_STYLE prefixed with 'posix-' takes effect only outside the POSIX locale. Also the TIME_STYLE environment variable sets the default style to use.
There is a reduction of the popular option:
--full-time like -l --time-style=full-iso
How to search and sort files by modification, access and change status time
Now we come to the amazing find command. With its help, we will display the necessary files by the date of modification, as well as search for files that have been opened or which status was changed a certain time ago.
Using the find command, you can configure a very flexible search.
Suppose I want to see the files in the /etc folder sorted by modification date:
find /etc -type f -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Similarly, but the files are sorted by access date:
find /etc -type f -printf '%AY-%Am-%Ad %AT %p\n' | sort -r
And again a similar example, but the files are sorted by time status change:
find /etc -type f -printf '%CY-%Cm-%Cd %CT %p\n' | sort -r
In the find command, you can customize the date format to your needs, as well as specify any filters that it supports. For example, below is the command to display files sorted by modification date, but only for those with ssh string in the name:
find /etc -type f -name '*ssh*' -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Or only files with the .desktop extension:
find /etc -type f -name '*.desktop' -printf '%TY-%Tm-%Td %TT %p\n' | sort -r
Or any files sorted by access date, but only the first 20:
find /etc -type f -printf '%AY-%Am-%Ad %AT %p\n' | sort -r | head -n 20
Search files by change time
To do this, we will again use the find command. To search by time, it has the following options:
File was last accessed n minutes ago.
File was last accessed n*24 hours ago. When find figures out how many 24-hour periods ago the file was last accessed, any fractional part is ignored, so to match -atime +1, a file has to have been accessed at least two days ago.
File's status was last changed n minutes ago.
File's status was last changed n*24 hours ago. See the comments for -atime to understand how rounding affects the interpretation of file status change times.
File's data was last modified n minutes ago.
File's data was last modified n*24 hours ago. See the comments for -atime to understand how rounding affects the interpretation of file modification times.
That is, if in the option the word min – then the number n is treated as minutes, and if the option contains the word time, then n is treated as a day.
As the number n, you can specify the exact value, as well as the expression ‘greater than n’ and ‘less than n’ in the following ways:
+n for greater than n, -n for less than n, n for exactly n.
With find, you can build very complex conditions to find exactly what you need. Further, just a few examples – but the number of possibilities is unlimited. With the -name option, you can specify a name template, you can combine it with a search for any other file properties: size, permissions, etc.
To find all files whose contents were changed exactly 50 days ago:
find / -mtime 50
To find all the files accessed exactly 50 days ago:
find / -atime 50
To find all files whose contents were modified more than 50 days ago and less than 100 days ago:
find / -mtime +50 -mtime -100
To find files whose status has been changed in the last hour:
find / -cmin -60
To find files whose contents have been modified in the last hour:
find / -mmin -60
To find all the files that were accessed in the last hour:
find / -amin -60
To find all files in the current folder with the .php extension that have been modified or created in the last 10 days:
find . -name '*.php' -mtime -10
To find all executable files in the current folder that have been modified or created in the last 10 days:
find . -type f -perm /a=x -mtime -10
How to edit file timestamps
Using the touch command, you can change the three time stamps of a file or folder:
- access time
- modification time
- time status change
If you want to change all these values to the current time, then just run a command like this:
You can separately change only the access time or only the modification time with the options:
-a change only the access time -m change only the modification time
With the -t option you can set any time for which we want to change file timestamps. The time format is as follows:
In this line, what is in curly braces is optional. The meaning of the letters is as follows:
- CC - The first two digits of the year (from the word century)
- YY - The second two digits of the year.
- MM - Month of the Year (01-12)
- DD - Day of the month (01-31)
- hh - Hours of the day (00-23)
- mm - Minutes of the hour (00-59)
- ss - Seconds (00-59)
If you do not specify the century or year at all, then the current year will be used. If you do not specify a second, then the default value is 00.
touch -t '198306080301.23' file.txt
Using the -t option, it is impossible to specify a fraction of a second and in the output of the stat command in their place will always be 000000000
Using the -d option, you can use different, more humane ways to specify a time, for example, “two weeks ago.” This should work in English, I don’t know how with the national languages. The -d option (judging by the description) understands different syntax variants, but for me the most interesting feature is the ability to set fractions of a second so that time marks look natural, since time marks with nine zeros at the end suggest that they are spoofed. Example of setting the time with fractions of a second:
touch -d '1983-08-06 04:15:34.123456789' files.txt
That is, the format of the line is such (you can omit hyphens and colons from it – the -d option will still understand it, but I added them for clarity):
How to change file creation time in Linux
Although the ext4 file system supports such a file property as “creation time”, the ability to read this property was recently added to the Linux kernel. As for the possibility of changing the file creation time, there is no such function (and it’s not a fact that file systems support this at all).
But, as usual, there are some ideas.
Back to the future
When copying a file to another file, the current time becomes its creation time. If you change the system time to the one that you want to set for the file as the creation time, and then copy the contents of the file to a new one, this way you can set any creation time for the new file.
Change the creation time in other OS or file systems
On the Internet, there are instructions for changing the file creation time in operating systems that support it. It is also proposed to use some other file systems – for example, network, in which you can also change this property.
Indeed, in Windows, you can change not only the file modification time, but also the creation time. But the problem is that when migrating to Linux, only the modification time is saved. The current time is recorded as the creation time (that is, the inode creation time in the file system). And if this is understood – that the time for creating a file is the time of modification of the inode, then it becomes clear that it is impossible to transfer the file in any way (neither in the archive, nor in any other way) while preserving the creation time.
It also becomes clear that from Windows it is impossible to change the creation time of a file that is in a shared folder in the ext4 file system (although I tried it just in case).
That is, there are only two options to change the file creation date in Linux: 1) change the system time; 2) low-level editing of the file system (for example, with a hexadecimal editor or special tools (if they exist)) — with the corresponding risks to break everything in the file system.
That is, the bad news is that changing the file creation time is very difficult or almost impossible. But the good news is that the file creation time is almost never used in practice due to the fact that not all file systems support this, and this support has recently appeared in Linux itself. For example, the find command does not know anything about the file creation time (although it can search by other three timestamps: modification, access, status change), the ls command also does not know how to show creation time of a file (only the usual three timestamps).
Usually, the file modification time is used, which can be very easily spoofed using touch.
How to change file creation and modification time in Windows
By the way, if you are wondering how to change the file creation time in Windows, this can be done using the NirCmd utility:
nircmd.exe setfiletime "c:\temp\myfile.txt" "24-06-2003 17:57:11" "22-11-2005 10:21:56"
Or using PowerShell (examples by reference): https://superuser.com/questions/292630/how-can-i-change-the-timestamp-on-a-file
I checked the nircmd.exe command – it worked perfectly in the latest Windows 10.
The journey to the world of timestamping files in Linux turned out to be much longer than I expected. But we learned about four different timestamps, how to view and change them, and also how to search for files by any of the three time stamps.
I have already spoken about this, but let me remind you once again – when editing the file timestamps, you should not forget about the corresponding timestamps in the metadata of the file itself (not the file system metadata).
- How to view metadata in MS Word files. How to remove and edit Word metadata (54.7%)
- How to find all passwords (web browsers, email programs, etc.) in Windows and Linux (48.3%)
- How to extract all web site passwords stored in web bowser (46.4%)
- How to find out to which Wi-Fi networks a computer were connected to and stored Wi-Fi passwords (46.4%)
- Indicators of Man-in-the-middle attacks (45.4%)
- Why in Tails the history of the entered commands is not saved. How to make so that the history of the last Bash commands are saved (RANDOM - 12.5%)