In Linux, every file has some timestamps that provide some crucial analytics about when the file or its attributes were modified or changed. Let’s see these timestamps in detail.
What are Linux timestamps?
Any file in Linux has typically these three timestamps:
- atime – access time
- mtime – modify time
- ctime – change time
atime stands for access time. This timestamp tells you when was the last time the file was accessed. By access, it means if you used cat, vim, less or some other tool to read or display the content of the file.
mtime stands for modify time. This timestamp tells you when was the last time the file was modified. By modify, it means if the contents of a file were changed by editing the file.
ctime stands for status change time. This timestamp tells you when was the last time the property and metadata of the file were changed. The metadata includes file permissions, ownership, name and location of the file.
How to see the timestamps of a file?
You can use the stat command to see all the timestamps of a file. Using stat command is very simple. You just need to provide the filename with it.
The output will be like this:
stat abhi.txt File: abhi.txt Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:19:54.262153704 +0530 Modify: 2018-08-30 12:19:54.262153704 +0530 Change: 2018-08-30 12:19:54.262153704 +0530 Birth: -
You can see all three timestamps (access, modify and change) time in the above output. All three timestamps are the same here because I just created this empty file with touch command.
Now let’s modify these timestamps.
If I use the less command to read the file, it will change only the access time because the content and metadata of the file remain the same.
$ less abhi.txt $ stat abhi.txt File: abhi.txt Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:25:13.794471295 +0530 Modify: 2018-08-30 12:19:54.262153704 +0530 Change: 2018-08-30 12:19:54.262153704 +0530 Birth: -
Now let’s change the modify time. I’ll use cat command to add new text to this file. This will prevent the change in access time.
$ cat >> abhi.txt demo text ^C $ stat abhi.txt File: abhi.txt Size: 10 Blocks: 8 IO Block: 4096 regular file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:25:13.794471295 +0530 Modify: 2018-08-30 12:32:34.751320967 +0530 Change: 2018-08-30 12:32:34.751320967 +0530 Birth: -
Did you notice something weird? You modified the file and expected the mtime to be changed but it also changed the ctime.
Remember, ctime is always changed with mtime. It’s because while mtime is under the control of user, ctime is controlled by the system. It represents when the last time the data blocks or metadata of a file was changed. If you modify the file, the data blocks change and thus ctime is changed.
You can also not change ctime in the past by normal means. It is a kind of security feature because it tells you the last time the file was changed. Even if someone modifies mtime and set it in the past for malicious purposes, ctime will indicate the actual time when the mtime was changed.
Remember: ctime will always be modified by mtime change.
What are the usage of file timestamps?
It helps a lot in analyzing. There could be a number of situations where you need to refer to the timestamps of a file. For example, you can see if a file was modified recently or not when it was supposed to be modified.
One of my favorite use was to locate log files of an application with mtime. Run the application and just go into the parent directory of the application and search for the files that have been modified in last few minutes.
I already showed you above that it can also help in analyzing if someone accessed the files or modified it maliciously. Timestamps play an important role in such situations.
How to know when a file was originally created?
Did you notice the last line of stat command output? It says ‘Birth’. You may guess that this represents the timestmap when the file was ‘born’ (or created to be more precise).
Actually, there is one more timestamp called creation time (cr). Not all filesystems support this timestamp. Ext4 is one of the popular Linux filesystems and though it supports the creation timestamp, the stat command at present is not able to show it. Maybe the future versions of stat command will show the creation timestamp in the Birth section.