File timestamps in Linux: atime, mtime, ctime. Clarifications

Let’s see what are the different types of file timestamps in Linux, how to view the timestamps for a file, and how to change the timestamps.

In Linux, every file has some timestamps, which provide some important insights into when a file or its attributes were modified or changed. Let’s take a look at these timestamps in detail.

What are Linux timestamps?

Any file on Linux usually has three timestamps:

  • atime – access time
  • mtime – modify time
  • ctime – change time

atime

atime means access time. This timestamp tells you when the file was last accessed. On access, this means if you’ve used cat, vim, less or some other tool to read or display the contents of the file.

mtime

mtime stands for modification time. This timestamp tells you when the file was last modified. This means that the contents of the file have been changed by editing the file.

ctime

ctime means the time of the status change. This timestamp tells you when the properties and metadata of the file were last changed. Metadata includes permissions, ownership, file name and location.

How do I view the timestamps of a file?

You can use the stat command to view all the timestamps of a file. Using the stat command is very simple. You just need to provide a filename.

stat <filename>

The result will be like this:

stat andreyex.txt 
  File: andreyex.txt
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/andreyex)   Gid: ( 1000/andreyex)
Access: 2018-10-07 23:10:25.134647523 +0530
Modify: 2018-10-07 23:10:25.134647523 +0530
Change: 2018-10-07 23:10:25.134647523 +0530
 Birth: -

You can see all three timestamps (access, modify and change) in the above output. All three timestamps are the same here because we just created this empty file with the touch command.

Now let’s change these timestamps.

If we use the less command to read the file, it only changes the access time, because the contents and metadata of the file remain unchanged.

$ less andreyex.txt 
$ stat andreyex.txt 
  File: andreyex.txt
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/andreyex)   Gid: ( 1000/andreyex)
Access: 2018-10-07 23:15:12.847568584 +0530
Modify: 2018-10-07 23:10:25.134647523 +0530
Change: 2018-10-07 23:10:25.134647523 +0530
 Birth: -

Now let’s change the modification time. We will use the cat command to add new text to this file. This will prevent the access time from changing.

$ cat >> andreyex.txt 
demo text
^C
$ stat andreyex.txt 
  File: andreyex.txt
  Size: 10        	Blocks: 8          IO Block: 4096   regular file
Device: 10305h/66309d	Inode: 11936465    Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/andreyex)   Gid: ( 1000/andreyex)
Access: 2018-10-07 23:15:12.847568584 +0530
Modify: 2018-10-07 12:32:34.751320967 +0530
Change: 2018-10-07 12:32:34.751320967 +0530
 Birth: -

Have you noticed something strange? You changed the file and expected the mtime to change, but also changed the ctime.

Remember, ctime always changes mtime, this is because while the change time is under user control, ctime is controlled by the system. It represents when the data blocks or file metadata were last changed. If you change the file, the data blocks change and therefore the ctime changes.

You can only change the ctime by changing the file permissions using CHMOD or the chgrp command, but you cannot modify the mtime without changing the ctime.

You also cannot change ctime in the past in the usual ways. This is a kind of security feature because it tells you the last time a file was changed. Even if someone changes the mtime and sets it in the past for malicious purposes, ctime will indicate the actual time when the mtime was changed.

Remember: ctime will always be changed by changing mtime.

What is the use of file timestamps?

This helps in the analysis. There may be several situations where you need to reference the timestamps of a file. For example, you can see if a file has been changed recently or not when it should have been changed.

One of our favorite ways was to find application log files using mtime. Run the app and just go to the parent directory of the app and search for files that have changed in the last few minutes.

We have already shown you above that it can also help in the analysis of who accessed files or modified them maliciously. Time stamps play an important role in these situations.

How do I know when a file was originally created?

Did you notice the last line of the stat command output? It says “Birth”. You can guess what the timestmap represents when the file was “born” (or created to be more precise).

Actually, there is another timestamp called creation time (cr). Not all file systems support this timestamp. Ext4 is one of the popular Linux filesystems, and although it supports the creation timestamp, the stat command is currently unable to display it. Perhaps future versions of the stat command will show the creation timestamp in the Birth section.

Please disable your ad blocker or whitelist this site!

Related Posts