How to get actual creation time of a file on Unix?

unix filesystems file-management administration stat

I'm inspecting some files in my dedicated web server via linux cli after a hack attack and found some files have been modified with the 'touch' command to change the dates. I'm willing to get the exact file creation date for these specific files. I've already tried following

stat
ls -ld

Those didn’t deliver the file written date on disk (creation date)

Also is there any other way to get the file creation date? (actual date which the file wrote to the disk)


What you are looking for is on *nix called the file birth time.

Unfortunately, most *nix file systems don't keep track of that piece of information.

If it is available, then a recent version of stat should display it. Otherwise, your best bet would probably be to compare against file listing from backups (you do have backups, right?) to see which files have been added.

~$ stat .bashrc
  File: `.bashrc'
  Size: 3539            Blocks: 9          IO Block: 3584   regular file
Device: 24h/36d Inode: 204095      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/ michael)   Gid: ( 1000/ michael)
Access: 2013-12-11 09:41:50.315475289 +0100
Modify: 2013-08-16 21:28:42.000000000 +0200
Change: 2013-09-14 01:55:27.167869741 +0200
 Birth: -
~$

As you can see, there is no "birth" timestamp, which means that the file system I'm using for my home directory (ZFS in my case) either does not store that information, or does not expose it through the Linux file system layer in a way that stat knows about. Either way the effect is largely the same: no information is available.

The above said, I wouldn't be particularly surprised if even on a system that does track file birth times, something like cp --copy-contents --preserve=timestamps /dev/null /tmp/somefile && cat ./somefile >> /tmp/somefile will effectively nullify anything like that. So even if birth times are available, you shouldn't rely on them for anything important, like evaluating the impact of a security breach.

The closest you can get on most systems is probably the file modification time or mtime, which stat does display and which most file systems do keep track of. However, as you have noticed, this is trivially changed using touch.

Related

How to run "time" on a function in zsh
Is it possible to select which folders to sync in OneDrive (Skydrive) on Windows 8.1?
Given that tar ignored my 2 sockets, how do I backup and then restore my login folder?
Narrator Keeps turning on on login screen
How does Streak email tracking work from Gmail to Gmail?
Why does my Canon inkjet printer require two black cartridges?
stop images from being downloaded on webpage in chrome
How do I verify a GPG symmetrically encrypted file?
watching output of "ps aux | grep blah" in tmux will not work?
Creating and splitting large multipage TIFF images
Is there any in-built Linux command to display the contents of a directory in real-time?
How to configure tmux/iTerm to display session name as title in terminal tab?