DEBUGFS Command to Show File Creation Times in Linux
The DEBUGFS command (debugfs) is the file system debugger for ext2, ext3 and ext4, and it gives direct access to the file system on a block device. One of its notable features is its ability to reveal the creation time of a file, which cannot be easily obtained through typical Linux commands. This timestamp is stored in the inode, the data structure that holds the file's metadata, including its creation time.
To obtain this data, debugfs reads the file's inode directly from the block device. You first identify the inode number of the file, then ask debugfs to print that inode, which includes the creation time. Knowing a file's creation time can be valuable in forensic investigations or when troubleshooting system issues.
Step 1: Find the File Creation Date in Linux
To find the creation date and time (crtime) of a file on a Linux-based operating system, we can first try the stat command. stat reads the metadata stored in the file's inode, and its %w format specifier prints the birth time; it prints - when the birth time is not available. For example, let's take a file named example.txt.
Here is the command to find a file's creation date and time:
stat -c %w example.txt
The command stat -c %w example.txt displays the creation time of that file in YYYY-MM-DD HH:MM:SS format. Here's an example output:
2022-10-21 15:42:57
This output shows that the file example.txt was created on October 21, 2022, at 15:42:57. However, the format of the output may differ depending on the system settings and locale.
Step 2: Find the Inode Number of the File
To look up a file with debugfs, we need its inode number, a unique identifier for every file and directory within a file system. We can find the inode number using the ls -i command in the terminal, which lists files along with their inode numbers.
Execute the following command:
ls -i <file_name>
For example, if you want to find the inode number of a file named example.txt in the current directory, you would type:
ls -i example.txt
This will display the file's inode number as the first item in the output:
1234567 example.txt
In this output, the inode number of example.txt is 1234567.
Step 3: Use the DEBUGFS Command to Display File Creation Time
To display the file creation time in Linux, we use the DEBUGFS command, which provides a command-line interface for inspecting the file system. First, find the block device that holds the file's file system by using the df command. Then run debugfs with the -R flag, which takes the request to execute, followed by the path to that device.
The syntax for the debugfs command:
sudo debugfs -R 'stat <inode_number>' /dev/<block_device>
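Replace inode_number with the actual inode number of the file you want to check, keeping the angle brackets around it: debugfs treats a number in angle brackets as an inode number and a bare argument as a path name. Replace <block_device> (brackets included) with the actual block device that contains the file system. To find the block device, you can use the df command.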
Example Usage
To display the creation time of the file example.txt (with inode number 1234567) on the block device /dev/sda1, you would run:
sudo debugfs -R 'stat <1234567>' /dev/sda1
This will display detailed information about the file and include its creation time. The creation time is listed as crtime.
Here's an example output:
debugfs 1.42.9 (28-Dec-2013)
Inode: 1234567 Type: regular Mode: 0644 Flags: 0x0
Generation: 123456789
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x5d4090bb -- Wed Jul 31 14:28:27 2019
atime: 0x5d4090bb -- Wed Jul 31 14:28:27 2019
mtime: 0x5d4090bb -- Wed Jul 31 14:28:27 2019
crtime: 0x5d4090bb -- Wed Jul 31 14:28:27 2019
Size of extra inode fields: 28
Key Points
crtime shows the file creation time (birth time)
ctime shows the inode change time
mtime shows the file modification time
atime shows the file access time
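The steps above combined into one script, with the hex timestamps from the debugfs output converted to epoch seconds and crtime compared against mtime. This is an added example, not code from the original article; the function names (ts_epoch, check_times, file_crtime, sample_stat) and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article; function names are hypothetical.

# Print one timestamp field (crtime, mtime, ...) from `debugfs -R 'stat <N>'`
# output on stdin as decimal epoch seconds. Accepts "0x5d4090bb" and the
# ext4 form with a nanosecond suffix, "0x5d4090bb:8a3c1f00".
ts_epoch() {
    hex=$(awk -v f="$1:" '$1 == f && $2 ~ /^0x[0-9a-fA-F]+(:[0-9a-fA-F]+)?$/ {
        split($2, p, ":"); print p[1]; exit }')
    [ -n "$hex" ] || return 1   # field missing or malformed (e.g. no crtime)
    echo "$(($hex))"            # safe: awk only passes validated hex digits
}

# Summarise crtime against mtime. A birth time later than the last
# modification is typical of a copy that preserved times or of an mtime
# that was set backwards, so it is worth a second look in an audit.
check_times() {
    out=$(cat)
    cr=$(printf '%s\n' "$out" | ts_epoch crtime) || { echo "no-crtime"; return 2; }
    mt=$(printf '%s\n' "$out" | ts_epoch mtime) || { echo "no-mtime"; return 2; }
    if [ "$cr" -gt "$mt" ]; then
        echo "crtime=$cr mtime=$mt born-after-modified"
    else
        echo "crtime=$cr mtime=$mt ok"
    fi
}

# Steps 2 and 3 for a live file (needs root and an ext file system).
file_crtime() {
    inode=$(stat -c %i -- "$1") || return 1
    dev=$(df --output=source -- "$1" | tail -n 1)
    # debugfs expects the inode number inside literal angle brackets
    sudo debugfs -R "stat <$inode>" "$dev" | check_times
}

# Constructed sample output (UTC), trimmed to the timestamp lines.
sample_stat() {
    cat <<'EOF'
Inode: 1234567   Type: regular    Mode:  0644   Flags: 0x80000
 ctime: 0x5d4090bb:8a3c1f00 -- Tue Jul 30 18:47:23 2019
 atime: 0x5d4090bb:8a3c1f00 -- Tue Jul 30 18:47:23 2019
 mtime: 0x5d3f3f3b:00000000 -- Mon Jul 29 18:47:23 2019
crtime: 0x5d4090bb:8a3c1f00 -- Tue Jul 30 18:47:23 2019
EOF
}

sample_stat | check_times   # crtime=1564512443 mtime=1564426043 born-after-modified
```

On a live system, call file_crtime with a path; debugfs opens the device read-only unless it is given -w.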
Common Use Cases
Forensic investigations: Determining when files were originally created
System troubleshooting: Identifying when issues first appeared
Security auditing: Tracking file creation patterns
Backup verification: Confirming file timestamps after restoration
Conclusion
The DEBUGFS command provides a powerful method for accessing detailed file system information, including file creation times that are not available through standard Linux commands. By combining stat, ls -i, and debugfs commands, users can effectively retrieve file creation timestamps for forensic analysis, system troubleshooting, and security auditing purposes.
