From Holt Sorenson’s “Incident Response Tools For Unix, Part Two: File-System Tools” (SecurityFocus: 17 October 2003):
Various commands change the MAC [modify, access, and change] times in different ways. The table below shows the effects that some common commands have on MAC times. These tables were created on Debian 3.0 using an ext2 file system contained in a flat file mounted on a loopback device. … Experimenting with your own system to verify the information in the tables below is encouraged. These tables can serve as a general guide, however.
How common commands change MACtimes for a directory (foo):
Action | atime | ctime | mtime |
creation (mkdir foo) | X | X | X |
directory move (mv foo bar) | X | X | |
file creation (touch foo/foo) | X | X | |
file creation (dd if=/dev/zero of=foo/foo count=1) | X | X | |
list directory (ls foo) | X | ||
change directory (cd foo) | |||
file test (-f foo) | |||
file move/rename (mv foo foo_mvd) | X | X | |
permissions change (chmod/chown <some_perm> foo) | X | ||
file copy (mv foo_mvd foo) | X | X | |
file edit (vim foo) | X | X | |
file edit (emacs foo) | X | X | X |
file edit (nvi/nano foo) | |||
How common commands change MACtimes for a file (f1):
Action | atime | ctime | mtime |
creation (touch foo) | X | X | X |
creation (dd if=/dev/zero of=foo count=1) | X | X | X |
rename (mv foo bar) | |||
permissions change (chmod <some_perm> foo) | X | ||
copy (cp foo bar) | X | ||
copy overwrite (cp bar foo) | X | X | |
append (cat >> foo) | X | X | |
overwrite (cat > foo) | X | X | |
truncate (cp /dev/null foo) | X | X | |
list file (ls foo) | |||
edit (vim/emacs/xemacs/joe/jed foo) | X | X | X |
edit (ed/nvi/vi (sun)/vi (obsd)/nano/pico foo) | X1 | X1 | X1 |
1 – all times changed, but atime is slightly older than mtime and ctime
The ls command can be used to show the modify, access or change times of files. The following table shows various ls commands that sort in reverse order by mtime, atime, or ctime. This causes ls to list the most recent times last.
displaying MACtimes using ls:
| Linux (ls from GNU fileutils) | OpenBSD | Solaris |
mtime | ls -latr --full-time | ls -latTr | ls -latr |
atime | ls -laur --full-time | ls -lauTr | ls -laur |
ctime | ls -lacr --full-time | ls -lacTr | ls -lacr |
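
The excerpt encourages verifying the tables on your own system. The harness below is an added example, not code from Sorenson's article: it runs a command in a scratch directory and reports which of atime, ctime and mtime changed on the watched object. The file names (f1, f2, d), the experiment list and the 1.1-second settle delay are assumptions made for the example, and atime results depend on mount options such as noatime or relatime.

```python
import os
import subprocess
import tempfile
import time

FIELDS = ("atime", "ctime", "mtime")  # column order of the tables above

def mactimes(path):
    """Nanosecond MAC times of path (lstat, so symlinks are not followed)."""
    st = os.lstat(path)
    return {"atime": st.st_atime_ns, "ctime": st.st_ctime_ns, "mtime": st.st_mtime_ns}

def changed_by(command, watch, cwd, watch_after=None, settle=1.1):
    """Run command in cwd and return which MAC times of `watch` changed.

    watch_after names the object after the command when it is renamed.
    settle outlasts file systems that store times to the second only.
    """
    before = mactimes(os.path.join(cwd, watch))
    time.sleep(settle)
    subprocess.run(command, shell=True, cwd=cwd, check=True)
    after = mactimes(os.path.join(cwd, watch_after or watch))
    return {f for f in FIELDS if after[f] != before[f]}

# Constructed experiment list: (command, object watched, its name afterwards).
EXPERIMENTS = [
    ("chmod 700 f1", "f1", None),
    ("echo more >> f1", "f1", None),
    ("cat f1 > /dev/null", "f1", None),   # atime result depends on mount options
    ("mv f1 f2", "f1", "f2"),
    ("touch d/new", "d", None),           # effect on the directory itself
]

def run_experiments():
    """Run every experiment in a scratch directory; map command -> changed set."""
    results = {}
    with tempfile.TemporaryDirectory() as cwd:
        os.mkdir(os.path.join(cwd, "d"))
        with open(os.path.join(cwd, "f1"), "w") as fh:
            fh.write("seed\n")
        for command, watch, watch_after in EXPERIMENTS:
            results[command] = changed_by(command, watch, cwd, watch_after)
    return results

if __name__ == "__main__":
    for command, changed in run_experiments().items():
        marks = " | ".join("X" if f in changed else " " for f in FIELDS)
        print(f"{command:<22} | {marks} |")
```

Run it on the file system and mount options you actually investigate, since a scratch directory on tmpfs can behave differently from the evidence volume.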