When was the last date the content of a file was modified? When was the file last opened/accessed? When did the file's properties change, such as ownership and permissions?
In this tutorial, we learn how to view and use Linux file timestamps in detail.
What are File Timestamps in Linux
In Linux, file timestamps are a record (metadata) of the date and time each file changed, last modified, and accessed. They are stored in the file system and updated automatically whenever a file is accessed or modified.
Timestamps can be useful for tracking the changes of a file over time, file integrity checks, and for various other purposes.
There are three different types of Linux file timestamps.
- Modified timestamp - the time when the file's contents were last modified.
- Changed timestamp - the time when the file's inode was last modified. Could be permissions or ownership changes.
- Access timestamp - the time when the file was last accessed. This could be read or written to.
How to View File Timestamps in Linux
The easiest and simplest way to show file timestamps in Linux is to use ls with -l option. The long format of the directory listing includes the timestamp of each file. For example:
ls -l [filename]
The output shows the timestamps for all the files and directories in the Pictures folder. The timestamp is the sixth field in the long format listing and includes the date and time that the file was last modified.
Another command to check file timestamps is the stat command. This command provides more detailed information about the file including the timestamps.
The stat command output shows all three file timestamp values for Pictures folder. The timestamps are: accessed, modified, and changed.
Let's learn about the three timestamps value: mtime, ctime, and atime.
Mtime (modification time) is the time of the last change to the file contents. 'Modification' means something inside the file was amended or deleted, or new data was added.
Use the -l (long listing) option with ls, you can see the modified timestamp.
ls -l filename
The image above shows that the modification time (mtime) for a file named sudo.conf in the /etc directory is February 14, 2022. The file contents were last changed on February 14, 2022.
Unlike mtime, ctime indicates the last time some file metadata was changed. When changes are made to file attributes, such as file permission or ownership, the change timestamp will get updated.
To see the change timestamp, use the -lc option:
ls -lc filename
The output shows the change timestamp of our sudo.conf file in the /etc directory is November 23, 2022. The change happened exactly at 18:13. In a nutshell, that was the date and time the file's metadata related was last changed.
atime stands for access timestamp. The atime value indicates the last time a file was read, read by one of the processes directly or through commands and scripts.
Use the -lu (access time) option with command ls to see access time:
ls -lu filename
The output shows the file sudo.conf file was last accessed on December 6, 2022, at precisely 12:44.
Remember timestamps for a file can also be affected by moving files or directories across the filesystem. The file timestamps can be manually modified using the touch command.
Comparing file timestamps comes very useful to verify the file has not been tampered with or corrupted.
Unfortunately, we won’t be able to find file creation time using ctime, atime or mtime or else we have to use the debugfs command.
Thanks for reading! Please leave your feedback and suggestions in the below comment section.