How to Find Linux File Creation Time using Debugfs


In Linux systems, everything is treated like a file, and crucial metadata about a file, such as the creation and modification dates, is stored in inodes. We have already looked at how you can check the last modified date of a file in a Linux system using the stat, httpie and date commands.

In this tutorial, we will show you how to find the file creation time using the debugfs command.

Find file creation using debugfs

To get the creation time, you first need to find the inode number of the target file using the stat command. The stat command is a command-line tool used to print detailed information about a file's metadata such as:

  1. File size
  2. Inode number
  3. UID & GID of the file
  4. I/O Block
  5. Access, modification and change times.

You can use the stat command in its basic form to check the inode number of the file using the syntax:

$ stat filename

For example:

$ stat file1.txt

The command gives us the inode number of the file 'file1.txt' as 1078474. To skip all the other information and just display the inode number alone, use the syntax:

$ stat -c %i file_name

For example:

$ stat -c %i file1.txt

Once you have the inode number, you can get the file creation time with the debugfs command using the syntax shown:

$ sudo debugfs -R 'stat <inode number>' DEVICE

DEVICE represents the block device where your file resides, for example /dev/sda1, /dev/sda2, etc. To check the block device, run the command:

$ lsblk

Using the inode number we got earlier on, the command will therefore be:

$ sudo debugfs -R 'stat <1078474>' /dev/sda
[Image: find file creation time using debugfs]

The creation time is prefixed by the directive crtime: as shown in the output above. We can see that the file was created on Friday 13th December 2019 at 01:39:18 hrs.

Alternatively, instead of specifying the inode number, you can pass the full path to the file as shown:

$ sudo debugfs -R 'stat /home/winnie/file1.txt' /dev/sda1

The above command will yield the same results as when you are using the inode number.
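
The steps above chained into one script, as an added example that is not part of the original tutorial: it looks up the inode with stat, resolves the backing device with df, and queries debugfs by inode, so the path never has to be rewritten relative to the filesystem root. The function names and the sample debugfs output are constructed for illustration, and the script assumes GNU coreutils and a filesystem that records crtime (such as ext4).

```shell
#!/bin/sh
# Added example: automates the stat -> device lookup -> debugfs steps.
# Function names are illustrative, not part of any tool.

# Constructed sample of `debugfs -R 'stat <inode>'` output (values made up).
SAMPLE_OUTPUT='Inode: 1078474   Type: regular    Mode:  0644   Flags: 0x80000
 ctime: 0x5df2ebc6:8a4b3c10 -- Fri Dec 13 01:39:18 2019
 atime: 0x5df2ebc6:8a4b3c10 -- Fri Dec 13 01:39:18 2019
 mtime: 0x5df2ebc6:8a4b3c10 -- Fri Dec 13 01:39:18 2019
crtime: 0x5df2ebc6:8a4b3c10 -- Fri Dec 13 01:39:18 2019'

# Read debugfs stat output on stdin and print crtime as seconds since the
# epoch. Returns 1 if there is no crtime line (the filesystem does not
# record one). The field after the colon (sub-second part) is ignored.
parse_crtime() {
    hex=$(sed -n 's/^ *crtime: *\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
    [ -n "$hex" ] || return 1
    echo "$(($hex))"
}

# Print the creation time of a file in UTC.
file_crtime() {
    file=$1
    # Step 1: inode number, exactly as `stat -c %i` in the tutorial.
    inode=$(stat -c %i -- "$file") || return 1
    # Step 2: block device backing the file (instead of reading lsblk by eye).
    dev=$(df --output=source -- "$file" | tail -n 1)
    # Step 3: query by inode; debugfs prints its banner on stderr.
    epoch=$(sudo debugfs -R "stat <$inode>" "$dev" 2>/dev/null | parse_crtime) || {
        echo "no crtime recorded for $file on $dev" >&2
        return 1
    }
    date -u -d "@$epoch" '+%Y-%m-%d %H:%M:%S UTC'
}

# Run against a real file only when a path is given on the command line.
if [ $# -gt 0 ]; then
    file_crtime "$1"
fi
```

Printing the time in UTC from the raw epoch value avoids any ambiguity about which timezone the human-readable date in the debugfs output refers to.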

Conclusion

And this wraps up this tutorial. We hope Linux will eventually have a straightforward command to find file creation time. Here we have used the debugfs command to check the creation time of a file.

Winnie Ondara 2:50 am


4 Comments

  1. Thanks for the article.

    One question, how do we do this on a logical volume?

    For example, I am getting below error.

    [rkumar@ts-mum1-dsr06 ~]$ sudo debugfs -R 'stat /home/rkumar/hosts' /dev/vg0/home
    debugfs 1.42.9 (28-Dec-2013)
    /home/rkumar/hosts: File not found by ext2_lookup

    1. The one-line method doesn't work for me - it appears to be necessary to get the inode number first.
      Also (just guessing) creation times show the date when an ext3 filesystem was converted to ext4?

  2. When I tried the above, I discovered that the filespec has to be the tree from the device,
    e.g.
    /dev/sdb4 is mounted on /mnt/Data
    The filepath would be /mnt/Data/somefolder/somefilename
    However, debugfs expects it to be of the form /dev/sdb4/somefolder/somefilename, not the mounted name,
    i.e. debugfs -R 'stat /somefolder/somefilename' /dev/sdb4.

    Perhaps Ram could check that