Archives

File creation time in EXT4

Most Linux administrators are aware of the three standard timestamps associated with a file, i.e. ctime, atime and mtime. What you may not be aware of is that many modern Linux filesystems, such as EXT4 and BTRFS, also support a file creation timestamp. Here is what the stat command outputs on RHEL 6.4:

    # stat helloworld
      File: `helloworld'
      Size: 6470       Blocks: 16         IO Block: 4096   regular file
    Device: 803h/2051d Inode: 396942      Links: 1
    Access: (0775/-rwxrwxr-x)  Uid: (  500/     fpm)   Gid: (  500/     fpm)
    Access: 2014-05-14 06:30:45.107878096 -0700
    Modify: 2014-05-14 06:30:36.337878203 -0700
    Change: 2014-05-14 06:30:36.337878203 -0700

and here

RHEL7 XFS Is A Step Backwards Forensically

Red Hat changed the default filesystem in Red Hat Enterprise Linux 7 (RHEL 7) to XFS. In RHEL 6, the default filesystem was EXT4. The rationale for this change, according to Denise Dumas, Director of Software Engineering for Red Hat, was that “it is a better match for our enterprise customers”. I agree with this position, which incidentally is the position SUSE have maintained for a long time, except that forensically it is somewhat of a step backwards. You can examine an XFS file’s metadata using xfs_db, but it is much easier to use the xfs_io utility. Just like xfs_db, xfs_io