Question:crtime timestamp not shown on some ext4 filesystems


Postby nakens » Mon Aug 21, 2017 9:55 pm

I'm hoping someone can clue me in to why two different ext4 filesystems don't handle creation timestamp entries the same... I am trying to get the creation timestamp from a file on /tmp (ext4) but I get results different than /var (also ext4). I don't think this is an issue with sleuthkit, but hoped someone could explain what is different between the two ext4 filesystems.

The mount flags look the same...

user@host:~$ mount | grep ext4
/dev/sdd1 on / type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda1 on /data type ext4 (rw,relatime,data=ordered)
/dev/sdd7 on /tmp type ext4 (rw,relatime,data=ordered)
/dev/sdd5 on /var type ext4 (rw,relatime,data=ordered)
/dev/sdd8 on /home type ext4 (rw,relatime,data=ordered)


Here is an example of the /var mountpoint giving crtimestamps like I want...

user@host:~$ ls -lai /var/log/messages
4984 -rw-r----- 1 root adm 290 Aug 21 06:25 /var/log/messages


user@host:~$ sudo istat /dev/sdd5 4984
inode: 4984
Allocated
Group: 0
Generation Id: 443920491
uid / gid: 0 / 4
mode: rrw-r-----
Flags: Extents,
size: 290
num of links: 1

Inode Times:
Accessed:   2017-08-20 06:25:03.026141492 (EDT)
File Modified:   2017-08-21 06:25:02.074891050 (EDT)
Inode Modified:   2017-08-21 06:25:02.074891050 (EDT)
File Created:   2017-08-20 06:25:03.026141492 (EDT)

Direct Blocks:
33994


Now here is the odd lack of crtime timestamp on /tmp...

user@host:~$ ls -lai /tmp/testfile.txt
16 -rw-r--r-- 1 root root 17 Aug 19 00:46 /tmp/testfile.txt


user@host:~$ sudo debugfs -R 'stat /tmp/testfile.txt' /dev/sdd7
debugfs 1.42.12 (29-Aug-2014)
/tmp/testfile.txt: File not found by ext2_lookup


user@host:~$ istat -V
The Sleuth Kit ver 4.1.3


user@host:~$ sudo istat /dev/sdd7 16
inode: 16
Allocated
Group: 0
Generation Id: 3025348952
uid / gid: 0 / 0
mode: rrw-r--r--
Flags: Extents,
size: 17
num of links: 1

Inode Times:
Accessed:   2017-08-19 01:20:59 (EDT)
File Modified:   2017-08-19 00:46:56 (EDT)
Inode Modified:   2017-08-19 00:46:56 (EDT)

Direct Blocks:
12112
nakens
Posts: 1
Joined: Mon Aug 21, 2017 9:35 pm
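Added example, not from the original post or from TSK: a Python script that reads the primary superblock of a block device or raw image and reports whether its inodes are large enough to hold ext4's i_crtime fields at all. A filesystem made with 128-byte inodes has no extra area for crtime, nor for the nanosecond parts of the other timestamps, which matches the whole-second times in the /tmp istat output above; the device paths are whatever you pass on the command line, and the field offsets are taken from the ext4 on-disk layout.

```python
import struct
import sys

# The primary superblock sits 1024 bytes into the volume. Field offsets follow
# the ext4 on-disk layout: s_magic 0x38, s_rev_level 0x4C, s_inode_size 0x58,
# s_min_extra_isize 0x15C, s_want_extra_isize 0x15E.
SB_OFFSET, SB_SIZE, EXT_MAGIC, BASE_INODE_SIZE = 1024, 1024, 0xEF53, 128
# Inside a large inode i_crtime sits at 0x90 and i_crtime_extra at 0x94, so the
# extra area past byte 128 must be at least 0x98 - 0x80 = 24 bytes for a
# creation time (with its nanosecond part) to fit at all.
CRTIME_EXTRA_NEEDED = 0x98 - BASE_INODE_SIZE

def make_superblock(inode_size, extra_isize=32, rev_level=1):
    """Constructed superblock for offline testing; only the fields read here are set."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<I", sb, 0x4C, rev_level)
    struct.pack_into("<H", sb, 0x58, inode_size)
    struct.pack_into("<HH", sb, 0x15C, extra_isize, extra_isize)
    return bytes(sb)

def parse_superblock(sb):
    """Extract the fields that decide whether inodes can carry crtime."""
    if len(sb) < SB_SIZE or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("not a full ext2/3/4 superblock (short read or bad magic)")
    rev_level = struct.unpack_from("<I", sb, 0x4C)[0]
    # Revision 0 filesystems have no s_inode_size field: inodes are 128 bytes.
    inode_size = BASE_INODE_SIZE if rev_level == 0 else struct.unpack_from("<H", sb, 0x58)[0]
    min_extra, want_extra = struct.unpack_from("<HH", sb, 0x15C)
    return {"inode_size": inode_size, "min_extra_isize": min_extra,
            "want_extra_isize": want_extra}

def crtime_capable(info):
    """True if the inode table has room for i_crtime/i_crtime_extra (capacity only:
    each inode's own i_extra_isize says whether that inode filled the extra area)."""
    return info["inode_size"] - BASE_INODE_SIZE >= CRTIME_EXTRA_NEEDED

def inspect_volume(path):
    """Read the primary superblock from a block device or raw image file."""
    with open(path, "rb") as f:
        f.seek(SB_OFFSET)
        return parse_superblock(f.read(SB_SIZE))

if __name__ == "__main__":
    for dev in sys.argv[1:]:  # e.g. /dev/sdd7 /dev/sdd5; needs read access
        info = inspect_volume(dev)
        verdict = "room for crtime" if crtime_capable(info) else "no room for crtime"
        print(f"{dev}: inode size {info['inode_size']} -> {verdict}")
```

Run it against the two devices from the post to compare their inode sizes; a result of 128 on one of them explains the missing File Created line without any fault in istat.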
