look for date created file on disk, real date


In linux system you can easily change date created file on disk.Sometimes you need tools for check original date modification file by user. Helpfulness can be debugfs tools .
This simple bash script generate log from debugfs about files user, in output you get ctime atime mtime and most importan crtime

run script with aparameter usrename

exmaple

./script erick

ctime: 0x55809d96:18b83f10 -- Wed Jun 17 00:05:10 2015
atime: 0x559b6c08:5e0d8d1c -- Tue Jul 7 08:04:56 2015
mtime: 0x551c470e:00000000 -- Wed Apr 1 21:29:18 2015
crtime: 0x55809d94:2f9ba018 -- Wed Jun 17 00:05:08 2015

   #!/bin/bash
 
 
  IFS=" "
 
  f1=$(find / -type f -user "$1" -print 2>;/dev/null)
  echo $f1
  logfile="$1log.log"
 
 
  echo " Log" > $logfile
  while read -r line; do
 
          name=$line
              echo "Name of file:  $name>>$logfile
              idfile=$(ls -i $name | cut -d' ' -f1 )
              diskfile=$(df -P $name  | awk  '{if (NR!=1) {print $1}}')
             echo " Nr of gegister in disk :$diskfile:$idfile >>$logfile
              debugfs -R 'stat <'$idfile'>'  $diskfile>>$logfile
             done <<<;"$f1"
  unset IFS
  echeo "Created logfile $logfile"
~

#bash #files #hack #ctime #crtime #datefile

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s