How to Find Out When a File Was Accessed in Linux

Linux has a robust and mature file system that allows users to exploit a variety of built-in tools for a range of purposes. Most commonly, users will access files so that they can be copied, altered, opened and deleted. Sometimes this is intentional, on other occasions, especially in the case of servers, it can be malicious.

It is time to channel your inner Sherlock Holmes. We are going file hunting!

Knowing when a file was used, accessed or changed can help with unauthorized access or simply as a way to keep track of what has happened. This investigation could be on a professional level, with dedicated forensic analysis, or on a home-user level, trying to see which of their photos was copied and potentially where it ended up. This article is also meant to give System Administrators a vital guide to enhance their toolset for their daily activities and tasks.

Open your Terminal and gain root if you need it. Once done, you will be ready to search for that elusive file or check when things have been accessed.

The stat command can show file size, type, UID/GUID and the access/modify time.

Here is the stat of my “/etc” folder. Notice the simplicity of the command.

You can see the date it was last accessed, the modify time and the last change.

stat-min

This is a common occurrence, especially when digging through an old external hard drive for that document or photo you need. Luckily the Terminal comes to the rescue.

The command needed is ls.

There are four principal variables that you can use with ls:

This will list all files, including those which are hidden:

This enables the long list format:

This shows the time in a specified format:

This is the show/user date in %m/%d/%y format:

When put together, the command gives us this. It is the basic list of my home directory on an Ubuntu test installation.

lsfile-min

You can see the permissions, the username, date and the location. Mostly this will suffice in finding the file, but what if you have a directory with hundreds or thousands of files? Trawling through them manually is far too time consuming. Therefore, we can narrow down a little by adding the following flag:

This will list things alphabetically, or if you prefer, list the files by size like this:

Using the following commands, users can see when a file was accessed.

Here are some of the options you can set for the time parameter:

  • atime – updated when file is read
  • mtime — updated when the file changes
  • ctime — updated when the file or owner or permissions changes

Another great tool that Linux has is the find command (more about it here). Let’s say I need the most recently modified files, sorted by reverse order, I would type the following into the Terminal:

This looks like a very difficult command, but it really isn’t. More can be found on the Ubuntu man page. The result is below.

find-min

Hopefully this article will give you the skills you need to work within the Terminal to find out whats been happening with a given system. It will allow you to find out the, “who, where and what” which will let you secure your server or simply find the document you need. What do you use? Is there some killer tool or piece of software that you use? Is there a tool that can run in both the Terminal and has a slick GUI for beginners? Let us know in the comments section and help your fellow enthusiasts.

One comment

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.

Sponsored Stories