File Timestamps in Linux: atime, mtime, ctime Explained
Let's see what are the various kinds of file timestamps in Linux, how to see the timestamps for a file and how to change the timestamps.
In Linux, every file has some timestamps that provide some crucial analytics about when the file or its attributes were modified or changed. Let’s see these timestamps in detail.
What are Linux timestamps?
Any file in Linux has these three timestamps typically:
- atime – access time
- mtime – modify time
- ctime – change time
atime stands for access time. This timestamp tells you when was the last time the file was accessed. By access, it means if you used cat, vim, less, or some other tool to read or display the content of the file.
mtime stands for modify time. This timestamp tells you when was the last time the file was modified. Modifying means the contents of a file were changed by editing the file.
ctime stands for status change time. This timestamp tells you when was the last time the property and metadata of the file were changed. The metadata includes file permissions, ownership, name, and location of the file.
How to see the timestamps of a file?
You can use the stat command to see all the timestamps of a file. Using stat command is very simple. You just need to provide the filename with it.
The output will be like this:
stat abhi.txt File: abhi.txt Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:19:54.262153704 +0530 Modify: 2018-08-30 12:19:54.262153704 +0530 Change: 2018-08-30 12:19:54.262153704 +0530 Birth: -
You can see all three timestamps (access, modify and change) time in the above output. All three timestamps are the same here because I just created this empty file with the touch command.
Now let’s modify these timestamps.
$ less abhi.txt $ stat abhi.txt File: abhi.txt Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:25:13.794471295 +0530 Modify: 2018-08-30 12:19:54.262153704 +0530 Change: 2018-08-30 12:19:54.262153704 +0530 Birth: -
Now let’s change the modify time. I’ll use the cat command to add new text to this file. This will prevent the change in access time.
$ cat >> abhi.txt demo text ^C $ stat abhi.txt File: abhi.txt Size: 10 Blocks: 8 IO Block: 4096 regular file Device: 10305h/66309d Inode: 11936465 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/abhishek) Gid: ( 1000/abhishek) Access: 2018-08-30 12:25:13.794471295 +0530 Modify: 2018-08-30 12:32:34.751320967 +0530 Change: 2018-08-30 12:32:34.751320967 +0530 Birth: -
Did you notice something weird? You modified the file and expected the mtime to be changed, but it also changed the ctime.
Remember, ctime is always changed with mtime. It’s because while mtime is under the control of user, ctime is controlled by the system. It represents the last time the data blocks or metadata of a file was changed. If you modify the file, the data blocks change, and thus ctime is changed.
You can also not change ctime in the past by normal means. It is a kind of security feature because it tells you the last time the file was changed. Even if someone modifies mtime and sets it in the past for malicious purposes, ctime will indicate the actual time when the mtime was changed.
Remember: ctime will always be modified by mtime change.
What is the use of file timestamps?
It helps a lot in analyzing. There could be several situations where you need to refer to the timestamps of a file. For example, you can see if a file was modified recently or not when it was supposed to be modified.
One of my favorite use was to locate log files of an application with mtime. Run the application and just go into the parent directory of the application and search for the files that have been modified in the last few minutes.
I already showed you above that it can also help in analyzing if someone accessed the files or modified them maliciously. Timestamps play an important role in such situations.
How to know when a file was originally created?
Did you notice the last line of stat command output? It says ‘Birth’. You may guess that this represents the timestmap when the file was ‘born’ (or created, to be more precise).
Actually, there is one more timestamp called creation time (cr). Not all filesystems support this timestamp. Ext4 is one of the popular Linux filesystems, and though it supports the creation timestamp, the stat command is currently unable to show it. Maybe the future versions of the stat command will show the creation timestamp in the Birth section.