How to Find Out When a File Was Created in Linux

Keeping track of files in Linux is an important part of system administration. Whether you're investigating a security issue or debugging a program, the details of when a file was created can provide essential insights.

In this blog post, we’ll discuss how to create a file in Linux and the different types of files. Then, we'll explore the three methods of finding out when a file was created. Let’s get started!

How to Create a File in Linux

In Linux, new files can be created using the touch, cat, echo, or printf commands. Below are examples of how to use each of the commands:

#1. Creating a Linux file using the touch command:

touch file1.txt

#2. Creating a Linux file using the cat command:

cat file2.txt

#3. Creating a Linux file using the echo command:

echo ‘This is a new file’ > file3.txt

#4. Creating a Linux file using the printf command:

printf 'This is a new file\n’ file4.txt

Types of Files in Linux

In Linux, there are several types of files:

  • Regular files: These are the most common files and contain data, text, or program instructions. This can be created with or without an extension.
  • Directory files: These files are used to organize other files and directories in a hierarchical structure.
  • Link files: Also known as symlinks, these are pointers to other files. These files can either be hard links or soft links.
  • Device files: These files are stored under the /dev directory and are used to access hardware devices such as hard drives, printers, and serial ports. There are two types of device files: block special files and character special files.
  • Named pipes files: These files are used for inter-process communication and allow processes to communicate with each other.
  • Socket files: These files enable data exchange within the local system without setting up a complex network. They use names as their address instead of IP addresses and port numbers.

To check the file type, use the file command. For instance, to get the type for a file named test, run the command:

file test

Prerequisite

To follow along with the examples in this blog post, you'll need access to a Linux operating system. For the purpose of this blog post, I'll be using Ubuntu as my Linux distribution of choice.

Understanding the Concept of File Creation Time in Linux

Before diving into the main topic of how to find when a file was created, it's important to have a basic understanding of file timestamps in Linux and why finding the file creation date/time might not always be straightforward.

There are three types of timestamps typically associated with a file in Linux:

  • atime (Access time): This is the time when the file was last accessed.
  • ctime (Change time): This is the time when changes were made to the file’s metadata. Note that this is not the creation time of the file, despite what the name might suggest.
  • mtime (Modification time): This is the time when the contents of the file were last modified.

However, traditionally, Linux did not track the actual creation time of a file, known as the birth time. The addition of the file creation time (birth time) is relatively recent and is not universally supported across all filesystems.

In Linux, a filesystem defines how an operating system manages data storage and retrieval. Each filesystem has a specific structure and rules for controlling how files are named, stored, and organized.

Certain filesystems such as ext4 (which is the default on many Linux distributions including Ubuntu) and a few others, do store the creation time of a file. (We'll go over how to check what the primary filesystem in your Linux distribution is in the next section.) But keep in mind, there's no readily available list of Linux filesystems that we know for sure store the file creation time. So, you’ll have to run the commands and see for yourself.

If you find that you're on a filesystem that doesn't support birth time, then there's no way to retrieve the creation time of the file.

Check Filesystem of Your Linux Distribution

To check the filesystem of your Linux distribution, run the following command:

df -T

Running this command will list all mounted filesystems, as shown below:

The filesystem mounted on / is the primary filesystem. The primary filesystem is the starting point for the entire filesystem hierarchy, and every other filesystem and directory structure branches off from it. Essentially, it's the base or "root" of the tree that forms the directory structure of the entire system.

As you can see above, the ext4 filesystem is mounted on /, making it the primary filesystem in my Linux distribution (Ubuntu).

Next, let’s explore three different ways we can find out when a file was created in Linux.

Find File Creation Date/Time Using stat Command

First, let's create a new file named demo.txt. Open your terminal and run the following command:

touch demo.txt

After creating the file, run the following command to identify its full path:

realpath demo.txt

You’ll see the full path of the file displayed on the terminal, as shown below:

Keep this information handy; we’ll need it in an upcoming section.

Now, let’s use the stat command to obtain the creation time of the demo.txt file. Run the following command:

stat demo.txt

After running this command, you'll see an output similar to this:

This output provides a wealth of information about the file. The line we're interested in is the one that begins with Birth (highlighted above). This is the file's creation date and time.

In the output above, the Birth time is 2023-06-27 10:25:50.479994998 +0530, which means the file demo.txt was created on June 26, 2023, at 10:25:50 local time.

Note: The part .479994998 +0530 in the timestamp 2023-06-27 10:25:50.479994998 +0530 represents fractions of a second and the time zone offset from Coordinated Universal time (UTC), respectively.

Find File Creation Date/Time Using debugfs Command

Another way we can find the file creation date and time of a file is by using the debugfs command. But first, we need to identify the filesystem device of our filesystem, as the debugfs command requires this information to work properly. Here's how to get it:

Run the following command:

df -T

The output will be something like this:

Here, /dev/sda3 is our filesystem device that holds the ext4 filesystem.

Note: In Linux, storage devices are represented as files and are located in the /dev/ directory, which stands for device. Each storage device is given an identifier that represents a specific hardware device on your system.

For example, /dev/sda3 is a representation of a specific storage device. The sda part signifies that it is a storage device (specifically, the first hard drive), and the 3 means it's the third partition on that drive.

So, when we say /dev/sda3 is the identifier for the filesystem device, we are referring to the unique identifier that Linux uses to interact with this specific partition on your hard drive.

Now that we have the filesystem device information, we can use the debugfs command to check the creation time. Run the following command:

sudo debugfs -R 'stat /home/hemanta/demo.txt' /dev/sda3

Note: Because demo.txt is not located in the root directory, we need to provide the full path of the demo.txt file relative to the filesystem root.

In this command, we're invoking debugfs with sudo, which means we're running it with root (or superuser) privileges. This is necessary because when you use a command like debugfs, you are interacting with the filesystem at a very low level. This kind of operation can be risky. If you were to accidentally modify the wrong piece of data, you could potentially damage the filesystem, causing data loss or system instability. For this reason, these operations typically require higher permissions than a normal user has.

The -R option tells debugfs to run a specific command and then exit. If we didn't use this option, debugfs would enter an interactive mode where we could run multiple commands.

The command we're telling debugfs to run is stat /home/hemanta/demo.txt. This will display detailed information about the demo.txt file, including its creation time (or "crtime").

Finally, /dev/sda3 tells debugfs to examine the ext4 filesystem present in this filesystem device.

After running the above command, the system will ask for the password. After you enter your password, you'll see an output similar to the following:

Here, crtime is the creation time of the file. The timestamp after crtime is the creation date and time of the demo.txt file.

Now, press q to return to the terminal prompt.

Note that when we run the debugfs command, the output is presented in a viewer, in a scrollable format. This is why we press q to exit the viewer and come back to our terminal.

Find File Creation Date/Time Using ls Command

The ls command is one of the most frequently used commands in Linux. It has an option called --time that can be used to find the creation time of a file.

Run the following command to find the creation time of the demo.txt file:

ls -l –time=birth demo.txt

In this command, we are using the ls command to find information about a specific file. The -l option tells ls to use a long listing format, which includes more details about the file. --time=birth tells ls to display the time of the file's birth, which is another term for its creation time. demo.txt is the name of the file we want to know the creation time of.

After running this command, you will receive an output similar to the following:

In the above output, we can see that the demo.txt file was created on June 27 at 10:25.

Conclusion

In this blog post, we explored three distinct commands - stat, debugfs, and ls (with the "--time=birth" flag) - to determine the creation date/time of a file in Linux. So, which command should you choose?

Each of these commands is capable of fulfilling the task at hand. However, it's important to note that the debugfs command offers additional information, including access time (atime), change time (ctime), and modification time (mtime), alongside creation time (crtime). However, debugfs requires you to find out both the file path and the filesystem device. This requirement means you'll need to execute two additional commands before you can even run the debugfs command.

Therefore, if the extra details provided by debugfs aren't needed, and you're solely interested in the file's birth time, using stat or ls with the --time=birth flag might be a more convenient choice. These commands will give you the desired information in a simpler and more straightforward manner.

Looking to build a solid foundation in Linux? Check out the following course from KodeKloud:

  • Linux Basics Course: In this hands-on course, you'll master Linux basics. You'll learn how to use shells and package managers. You’ll also learn important Linux concepts such as networking, security, and storage. After each lecture, you'll get a chance to try out what you've learned with exercises you can do right in your web browser. This helps to make sure you really understand and remember what the course has covered. By the end of this course, you'll be able to confidently use a Linux CLI to navigate around a Linux operating system.