Linux and UNIX: Understanding and modifying File timestamps

In UNIX, every file and directory carries three timestamps: mtime (last modification time), atime (last access time), and ctime (last change time of the inode).

Unfortunately, the classic stat(2) interface has no creation (birth) time, so on a traditional UNIX system there is no way to learn when a file was created. Newer Linux kernels expose a birth time through statx(2) on filesystems that record it (for example ext4, XFS and Btrfs), and recent GNU stat prints it in its Birth field, but it is not available everywhere and should not be relied on.

We will explore how to read the different timestamps, and understand when they get updated.

1. mtime (last modification time).

root@hamdan # ls -l testFile
-rw-r--r--   1 root     root          23 Oct 22 09:46 testFile
root@hamdan #

Note that ls -l prints the time of day instead of the year only for timestamps that are recent (GNU ls: within roughly the last six months); for older timestamps, and for timestamps in the future, it prints the year in place of the time.

The last modification time is 09:46 on 22 October 2012.

If we edit the file, this time is updated. For example:

root@hamdan # echo "hello" > testFile
root@hamdan # ls -l testFile
-rw-r--r--   1 root     root           6 Oct 22 10:50 testFile
root@hamdan # date 
Mon Oct 22 10:50:46 AST 2012
root@hamdan #

The modification time has been updated to the current time.

2. atime (last access time).

This timestamp is updated each time the contents of the file are read. On modern Linux this depends on the mount options: with relatime (the default since kernel 2.6.30) a read only refreshes atime when the stored atime is older than mtime or ctime, or is more than 24 hours old, and with noatime reads never update it. An unchanged atime therefore does not prove that a file was never read; check the mount options with mount or findmnt before drawing that conclusion.

root@hamdan # ls -lu testFile
-rw-r--r--   1 root     root          6 Oct 22 09:51 testFile
root@hamdan # cat testFile
hello
root@hamdan # ls -lu testFile
-rw-r--r--   1 root     root           6 Oct 22 10:59 testFile
root@hamdan # date
Mon Oct 22 10:59:20 AST 2012

3. ctime (last change to the inode information (metadata)).

The ctime timestamp is updated when there is a modification to the contents of the file OR when the file's metadata changes (such as a permission or ownership change, a rename, or a change in the link count), while mtime is updated only when the contents change.

For example:

root@hamdan # ls -l testFile 
-rw-r--r--   1 root     root           0 Oct 22 10:30 testFile
root@hamdan # chmod g+x testFile 
root@hamdan # ls -l testFile 
-rw-r-xr--   1 root     root           0 Oct 22 10:30 testFile
root@hamdan # 
root@hamdan # ls -lc testFile 
-rw-r-xr--   1 root     root           0 Oct 22 11:15 testFile
root@hamdan #
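The three sections above can be reproduced in one script. The following is an added example, not part of the original post: it uses GNU stat (%Y, %X, %Z print mtime, atime and ctime as epoch seconds) and a scratch file created with mktemp, runs one operation at a time, and reports which of the three timestamps that operation changed. The helper names (file_times, timestamp_effect, demo_timestamps) are this example's own.

```shell
#!/bin/bash
# Added example: observe which timestamps a write, a read and a chmod touch.
# Assumes GNU coreutils (stat -c) and a writable $TMPDIR or /tmp.

# Print "mtime atime ctime" of a file as epoch seconds.
file_times() { stat -c '%Y %X %Z' "$1"; }

# Given two "mtime atime ctime" snapshots, name the fields that differ.
changed_fields() {
    set -- $1 $2            # $1..$3 = before, $4..$6 = after
    out=""
    [ "$1" != "$4" ] && out="${out}mtime "
    [ "$2" != "$5" ] && out="${out}atime "
    [ "$3" != "$6" ] && out="${out}ctime "
    echo "${out% }"
}

# Run COMMAND on FILE and print which timestamps it changed.
# Usage: timestamp_effect FILE COMMAND [ARGS...]
timestamp_effect() {
    local f=$1 before after
    shift
    before=$(file_times "$f")
    sleep 1                 # %Y/%X/%Z have one-second granularity
    "$@"
    after=$(file_times "$f")
    changed_fields "$before" "$after"
}

demo_timestamps() {
    local f
    f=$(mktemp "${TMPDIR:-/tmp}/tsdemo.XXXXXX")
    echo "hello" > "$f"
    # Appending changes the contents: mtime and ctime move, atime does not.
    echo "append: $(timestamp_effect "$f" sh -c 'echo more >> "$1"' _ "$f")"
    # Reading changes only atime, and only if the mount options allow it
    # (relatime refreshes it here because atime is now older than mtime;
    # on a noatime mount this line prints nothing).
    echo "read  : $(timestamp_effect "$f" sh -c 'cat "$1" >/dev/null' _ "$f")"
    # chmod touches only the inode: ctime alone moves.
    echo "chmod : $(timestamp_effect "$f" chmod g+x "$f")"
    rm -f "$f"
}
```

Call demo_timestamps to run it; on a default relatime mount the three lines read "mtime ctime", "atime" and "ctime" respectively.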

Those timestamps can be altered manually using the "touch" utility. For example, if you changed a file and want to hide your tracks, you can set the modification time back ;) Be aware, though, that touch can only set atime and mtime: the kernel sets ctime to the current time on every inode change, the touch itself included, so a ctime that is newer than the mtime is a tell-tale sign of a backdated file. ctime can only be pushed back by changing the system clock or by editing the filesystem structures directly.

For example, let's modify our file "testFile" and then backdate it:

root@hamdan # ls -l testFile 
-rw-r--r--   1 root     root           0 Oct 22 10:30 testFile
root@hamdan # echo "We are modifying the file" > testFile
root@hamdan # ls -l testFile 
-rw-r--r--   1 root     root           26 Oct 22 11:21 testFile
root@hamdan # touch -t 201210221030 testFile 
root@hamdan # ls -l testFile 
-rw-r-xr--   1 root     root          26 Oct 22 10:30 testFile
root@hamdan # 

The format of the touch command is: touch -t [[CC]YY]MMDDhhmm[.ss] FILE (century and two-digit year, month, day, hour, minute and optionally seconds). Without -a or -m it sets both the access and the modification time; touch -r REFERENCE FILE copies the timestamps of another file instead of taking a literal stamp.
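The backdating above, and the footprint it leaves, as an added example that is not part of the original post. It assumes GNU touch and stat; the stamp is interpreted in UTC (TZ=UTC) so the resulting epoch value does not depend on the machine's timezone. The helper names (backdate, ctime_newer_than_mtime, demo_backdate) are this example's own.

```shell
#!/bin/bash
# Added example: set mtime/atime with touch -t and show that ctime still
# records when the touch happened. Assumes GNU coreutils.

# Print "mtime atime ctime" of a file as epoch seconds.
file_times() { stat -c '%Y %X %Z' "$1"; }

# Set mtime and atime of FILE to STAMP ([[CC]YY]MMDDhhmm[.ss]), read as UTC.
backdate() { TZ=UTC touch -t "$2" "$1"; }

# Succeed if the file's ctime is newer than its mtime: for a file that was
# simply edited the two are equal, so a gap means the mtime was reset later.
ctime_newer_than_mtime() {
    set -- $(file_times "$1")   # $1 mtime, $2 atime, $3 ctime
    [ "$3" -gt "$1" ]
}

demo_backdate() {
    local f
    f=$(mktemp "${TMPDIR:-/tmp}/tsdemo.XXXXXX")
    echo "We are modifying the file" > "$f"
    echo "before touch: $(file_times "$f")"
    # 22 October 2012 10:30 UTC is epoch 1350901800.
    backdate "$f" 201210221030
    echo "after touch : $(file_times "$f")"
    if ctime_newer_than_mtime "$f"; then
        echo "ctime is newer than mtime: the file was backdated"
    fi
    rm -f "$f"
}
```

Run demo_backdate: mtime and atime come back as 1350901800 while ctime keeps the current time, which is exactly what a forensic examiner looks for when comparing the two.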

This entry was posted in Digital Forensics, forensics, HOW-To, security, Unix.

One Response to Linux and UNIX: Understanding and modifying File timestamps

  1. The GNU version of touch, which is standard on GNU/Linux, also has a -d option.

    It takes a date or time argument in any form that is accepted by the same option to the GNU date command, e.g.:

    touch -d 2010-09-08 "$filename"

    touch -d "7 April" "$filename"

    touch -d 'Thu Nov 1 22:54:21 EDT 2012' "$filename"

    touch -d 12:34:56 "$filename"
