Each file has three timestamps associated with it (stored as the number of seconds since the Epoch, Jan 1, 1970). The three timestamps are:
- Access time (atime): The timestamp when the file was last accessed.
- Modification time (mtime): The timestamp when the file was last modified.
- Change time (-ctime): The timestamp when the metadata for a file (such as permissions or ownership) was last modified.
In a long directory listing, the timestamp shown is the Modify time (mtime). To see all timestamps and a lot of other useful information, use the stat program with the verbose option (-x):
$ stat -x filename
Here is sample output from stat:
$ stat -x test.sh File: "test.sh" Size: 54 FileType: Regular File Mode: (0644/-rw-r--r--) Uid: ( 501/ geek) Gid: ( 20/ staff) Device: 1,4 Inode: 8954360 Links: 1 Access: Sat Jan 18 08:30:54 2020 Modify: Sat Jan 18 08:30:49 2020 Change: Sat Jan 18 08:30:49 2020
Without the “-x” option, a summary of filesystem permissions, ownerships and access time will be shown. For example:
$ stat test.sh 16777220 8954360 -rw-r--r-- 1 sandy staff 0 54 "Jan 18 08:30:54 2020" "Jan 18 08:30:49 2020" "Jan 18 08:30:49 2020" "Jan 18 08:30:49 2020" 4096 8 0 test.sh
MAC does not store file creation time by default; however, some filesystems (ufs2, ext4, zfs, btrfs, jfs) save the creation time. The creation time can be accessed with the stat command. Given that some applications modify a file by creating a new file and then deleting the original, the creation date may not be accurate.
Using find Command to search by file timestamp
The -atime, -mtime, and -ctime option are the time parameter options available with find. They can be specified with integer values in number of days. The number may be prefixed with – or + signs. The – sign implies less than, whereas the + sign implies greater than.
Consider the following examples:
1. Print files that were accessed within the last seven days:
$ find . -type f -atime -7 -print
2. Print files that have an access time exactly seven days old:
$ find . -type f -atime 7 -print
3. Print files that have an access time older than seven days:
$ find . -type f -atime +7 -print
The -mtime parameter will search for files based on the modification time; -ctime searches based on the change time.