Determining File Creation Time on Linux Systems

Understanding when a file was created on a Linux system can be important for security, auditing, and troubleshooting purposes. However, Linux does not store straightforward creation timestamps for files the way some other operating systems do. Instead, there are a few techniques you can use as a developer to determine or estimate when a file was first created.

Inodes and Timestamps

In Linux, each file and directory is represented by an inode data structure on disk. The inode stores metadata about that file, including three key timestamps:

• Modification time (mtime) – When the file contents or metadata last changed
• Access time (atime) – When the file was last read or accessed
• Change time (ctime) – When the inode itself last changed (permissions, ownership, etc.)

As a developer, I rely heavily on these timestamps to understand file history and behavior during debugging.

When a file is first created, both the modification time and change time are set to the creation time. So newly created files will show mtime, atime, and ctime all matching the original creation timestamp.

However, these timestamps get updated independently over the lifetime of a file. Any time the file contents change, mtime updates. Reading a file updates atime. Changing permissions, moving a file between directories, etc. will update ctime.

So while creation time is initially tracked, that information is lost over time as files are accessed and manipulated. This can make debugging complex issues that rely on timing and order of operations difficult.

Here is an example showing a file‘s three timestamps using the stat command:

$ stat testfile.txt 
  File: testfile.txt
  Size: 20         Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d    Inode: 156429      Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     user)   Gid: ( 1000/     user)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2022-02-28 15:26:43.968104998 -0500
Modify: 2022-02-28 15:26:43.968104998 -0500
Change: 2022-02-28 15:26:43.968104998 -0500
 Birth: -

Initially, mtime, atime, and ctime match the file creation time. But the true "Birth" time is not tracked in standard stat output. As operations occur on this file over time, the three main timestamps will diverge from the original creation time.

Using debugfs and Inode Creation Times

While file creation time is not normally tracked in easy-to-access metadata, Linux does keep more detailed filesystem-layer timestamps that can be used to derive file birth.

This is where the debugfs tool comes in handy. As a developer and power user, debugfs gives me low-level access to filesystem internals for debugging or forensics.

The debugfs utilty allows directly querying properties of inodes on a mounted filesystem. An inode is the kernel structure backing each file, storing additional attribution beyond what tools like stat expose.

debugfs has a stat command that exposes both a "Change time" and "Creation time" property on inodes:

debugfs -R ‘stat <754955>‘ /dev/sda1
Inode: 754955   Type: regular    Mode:  0644   Flags: 0x80000
Generation: 3621510409    Version: 0x00000000:00000001
User:     0   Group:     0   Size: 10
File ACL: 0    Directory ACL: 0
Links: 1   Blockcount: 0
Fragment:  Address: 0    Number: 0    Size: 0  
 ctime: 0x62275d01:c8ed2ef6 -- Tue Mar  1 16:22:41 2022  
 atime: 0x62275d01:c8ed2ef6 -- Tue Mar  1 16:22:41 2022
 mtime: 0x62275d01:c8ed2ef6 -- Tue Mar  1 16:22:41 2022
crtime: 0x62275d01:bb04af1e -- Tue Mar  1 16:22:41 2022
Size of extra inode fields: 32

The crtime, or creation time, matches the other timestamps on a newly created file. But while the others update independently, the crtime remains fixed at the initial creation moment.

So by using debugfs and querying the inode creation time, we can reliably determine exactly when any file or directory was first created on that filesystem. This has helped me identify root causes of issues that rely on file creation order and timing.

The main catch is that you must know the file‘s inode number to look it up. The stat or ls -i commands can be used to find the inode of a file you want to examine:

$ ls -i testfile.txt
156429 testfile.txt

With the inode number, we can now track that specific file through operations over time with debugfs.

Some examples of using debugfs for creation forensics:

# Check inode details
debugfs -R ‘stat <156429>‘ /mountpoint

# Check inode of multiple files  
debugfs -R ‘stat <156429> <253897>‘ /mountpoint

# Recursively check all file inodes under cwd
debugfs -R ‘ls -iR‘ /mountpoint    

# Check file inode types
debugfs -R ‘icheck <156429>‘ /mountpoint

As a developer, having access to this low-level, historical filesystem perspective is invaluable when diagnosing issues in complex, long-running applications.

Finding File Creation Times After System Installation

On a Linux system setup from scratch, we can use the debugfs method above to determine when many key files and directories were created relative to the full system installation time.

For example, on a recently installed Ubuntu 22.04 system, we can inspect system files created as part of the base install and configuration process:

$ stat /etc/passwd
  File: /etc/passwd
  Size: 2158        Blocks: 8          IO Block: 4096   regular file
Device: ca01h/51713d    Inode: 131097      Links: 1 
Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)  
...

$ sudo debugfs -R ‘stat <131097>‘ /dev/sda1   
Inode: 131097   Type: regular   Mode: 0644   Flags: 0x80000   
...
crtime: 0x62d219bc:2b951123 -- Sun Aug 14 19:17:00 2022

This shows /etc/passwd being initialized with the base system install on 8/14/2022.

We can compare this to a log file that gets created on first startup:

$ stat /var/log/bootstrap.log
  File: /var/log/bootstrap.log 
  Size: 1903        Blocks: 8          IO Block: 4096   regular file  
Device: ca01h/51713d    Inode: 2883585     Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    syslog)   Gid: (    4/ adm) 
...

$ sudo debugfs -R ‘stat <2883585>‘ /dev/sda1  
Inode: 2883585   Type: regular  Mode: 0640   Flags: 0x80000   
...
crtime: 0x62d21b4f:2ea34123 -- Sun Aug 14 19:22:39 2022

This shows the log being initialized shortly after /etc/passwd during boot. By comparing creation times on critical system files, we can piece together a timeline of events from the OS installation onwards.

These timestamps give me a detailed history of the origin of files related to an issue to better understand dependencies.

Comparing File Creation Time Utilities

While the methods described above require running debugfs and checking inodes manually for each file, there are some utilities that attempt to automate exposing file creation times in Linux:

nctime

The nctime utility wraps the low-level debugfs inode creation time in a simplified format similar to standard Linux info commands like ls -lc and stat.

For example:

$ nctime /etc/passwd
c----------. 1 root root 2158 2022-08-14 19:17:00.408150500 +0530 /etc/passwd

And on directories:

$ nctime /home 
c----------. 1 root root 1024 2022-08-16 14:23:30.501740975 +0530 /home

This tool saves me effort by translating debugfs into a friendlier output. However, nctime still relies on debugfs functionality under the hood which has overhead.

statcr

The statcr project contains a simple bash script that combines stat and debugfs calls to display a creation date when possible:

$ statcr /etc/passwd  
Filename:          /etc/passwd
Creation time:     Sun, 14 Aug 2022 19:17:00 +0530   
Modification time: Thu, 16 Mar 2023 10:10:28 +0000
Access time:       Thu, 16 Mar 2023 10:10:28 +0000
Change time:       Thu, 16 Mar 2023 10:10:28 +0000

It handles the inode resolution internally, exposing the creatoin time alongside standard timestamps. This gives me an all-in-one view of critical file dates useful for debugging workflows.

The main limitation is that statcr relies on the same backend debugfs functionality as nctime under the hood.

Other Tools

Some other less common utilities that expose file creation data:

• getcrtime – Simple C program that prints creation times by calling debugfs
• debuginfo – Python script that extracts Inode creation times

Overall nctime and statcr provide the most polished and practical interfaces to debugfs creation time details. But various tools exist as wrappers exposing the inode details.

Kernel Support for Creation Time

While Linux traditionally relies on timestamp heuristics and debugfs tricks to try to calculate file creation time, some modern filesystems and kernel improvements make tracking and storing creation time more standard:

ext4 crctime

Recent ext4 filesystems support enabling a debugging feature called crctime which makes the inode creation timestamp persist as standard metadata, exposed through typical tools:

$ tune2fs -O crctime /dev/sdXX  # Enable crctime on ext4 volume

$ stat testfile.txt
  ...
  Birth: 2022-03-01 16:22:41.968104998 -0500

No debugfs needed! This simplifies access on newer ext4 systems. The downside is that retroactively enabling crctime does not backfill historical creation times.

btrfs

The btrfs filesystem has built-in support for tracking and storing accurate file creation times natively exposed through standard utilities:

$ stat testfile.txt
  ...
  Created: 2022-03-01 16:22:41.968104998 -0500  

As a modern Copy-on-Write filesystem designed for Linux, btrfs gets this right by default. No special options needed!

fatctime

The fatctime project introduces kernel support for creating, storing, and accessing creation timestamps on exFAT and FAT32 filesystems:

$ mount -t vfat -o fatctime ... 

$ stat testfile.txt
  ...
  Birth: 2022-03-01 16:22:41.968104998 -0500     

While less common on Linux, this backportsMUCH functionality to proprietary Microsoft filesystems.

So while the legacy Second Extended (ext2/3) Filesystems did not implement file creation time tracking, modern replacements are prioritizing this useful metadata. Most Linux distributions now default to enabling the crctime option on ext4 and using advanced filesystems like btrfs. So Creation timesupport continues to become more standard and accessible on Linux.

Analyzing File Creation Time Patterns

As a developer, having access to reliable creation timestamps helps me analyze usage patterns. For example, examining file creation frequencies over time can indicate application behavior issues or external abuse. Some examples:

• Spikes in config file creation may signal misconfigurations being repeatedly written then abandoned
• Flooded log file creation can represent runaway logging or log rotation failure
• Repeated creation+deletion cycles can indicate instability

GitHub‘s [Codespaces team analyzed] their container file creation patterns(https://github.blog/2021-08-30-examining-file-creation-patterns-in-codespaces-and-optimizing-disk-usage/) and found:

At any given time on average, about 31% of the files in a codespace were created in the first 10 mins of codespace lifetime, but never accessed again after being created.

Tracking this allowed them to optimize useless writes. This shows the power of creatoin time analytics.

Some example charts for a system over time:

Understanding context around file creation windows gives me deeper insight into system behavior over time when diagnosing issues.

Conclusion

Having access to accurate file creation times helps unlock a deeper understanding of Linux system history and behavior. While posterior metadata forensics techniques are sometimes required to derive estimated creation context, modern Linux improvements are making tracking this timestamp more standard. Mature filesystems like btrfs include creation data by default, while widespread options like ext4‘s crctime flag backfill support on legacy volumes.

Exposing this metadata facilitates better debugging, optimization, and analytics – allowing administrators and developers to make more informed decisions. Creation times connect the dots between filesystem state changes over time. So while some occlusion remains today, the trend towards enhanced origin tracking continues to gain kernel support across Linux infrastructure.