The find command in Linux is a powerful tool for locating files based on various criteria. One of the most useful options is finding files according to their modification time, also known as mtime. This allows you to pinpoint when a file was last changed.
In this comprehensive guide, you‘ll learn multiple methods for finding files by mtime in Linux. We‘ll cover basic and advanced techniques using the find, ls, stat and other commands. By the end, you‘ll have mastered mtime search in Linux.
Understanding Modification Time in Linux
Every file and directory on a Linux system has three timestamps in its metadata that record when it was:
- Modified (mtime) – The content or data of the file was changed
- Accessed (atime) – The file was opened or read
- Metadata changed (ctime) – Attributes like permissions or ownership were changed
The modification time is updated whenever a file‘s data is altered, such as editing a text document or reconfiguring a system file. This does not include opening or reading a file. It strictly tracks content changes.
Knowing a file‘s mtime can be useful for a variety of reasons:
- Determine when configuration files were edited
- Find recently added documents or media
- Identify suspicious changes to system binaries
- Build automation around modified files
- Assist with backup processes and synchronization
- Diagnose issues stemming from file edits
The mtime contains the date and time the last modification occurred. On Linux, it‘s displayed in the following format:
Oct 22 17:15
As you‘ll see shortly, there are a number of techniques for leveraging mtime to pinpoint files in Linux.
Viewing Modification Time with ls
The most straightforward method for checking a file‘s mtime is using the ls command. By passing the -l flag, ls will display detailed file metadata including mtime:
ls -l /etc/fstab
This will output something like:
-rw-r--r-- 1 root root 1.1K Jun 20 08:48 /etc/fstab
The mtime is shown after the permissions, in this case Jun 20 08:48
.
You can combine ls with wildcards for checking groups of files:
ls -l /etc/*.conf
This will show mtime for all .conf files in /etc.
While simple, ls has limitations:
- Only shows files in a single directory
- Does not allow complex mtime searches
- Must be combined with other utilities like grep to filter further
In most cases, you‘ll want to use find for locating files by mtime across the filesystem. But keep ls in mind for quick checks on individual directories.
Finding Files by Mtime with Find
The find command offers advanced features for searching files and folders based on mtime and other criteria. The main flag used to filter results by modification time is:
-mtime n
Here n defines a period of time in days. Some examples:
-mtime 2
– Files modified in last 2 days-mtime 7
– Files modified in last week-mtime +15
– Files modified over 15 days ago
You can chain these together for complex time ranges:
-mtime +7 -mtime -30
– Files modified between 7-30 days ago
Now let‘s walk through some real-world examples demonstrating how to leverage find‘s mtime capabilities.
Finding Recently Modified Files
To locate files edited within the last 5 days across your entire Linux system, use:
sudo find / -mtime -5
It will recurse through all mount points starting at root and display matches.
To restrict it to a particular subtree, provide the base path instead of /. For example, to search only /etc and subfolders:
find /etc/ -mtime -5
You can home in on a specific folder as well:
find /var/log -mtime -5
Adjust the number passed to -mtime to control the age window.
Finding Files Modified Between Two Dates
Suppose you want to find files that were changed between 2-7 days ago, ignoring anything modified more recently or longer ago.
Use mtime + and – together:
find /opt -mtime +2 -mtime -7
This locates files under /opt last modified between 2-7 days in the past.
Here is how this works:
-mtime +2
– Files changed over 2 days ago-mtime -7
– Files changed within last 7 days
Combined using AND logic, this gives us the intersection – changes between 2-7 days ago.
You can tweak the mtime thresholds to build whatever custom date range you need.
Finding Old Modified Files
To search for really old file changes, use a large number with +mtime.
For instance, to find files modified over 6 months ago:
find / -mtime +180
The 180 refers to the number of days.
This technique can uncover stale files lingering on your system. Review and clean them up with confidence by verifying the actual mtime.
Find Files Changed Before Specific Date
With a bit of math, you can craft mtime searches based on calendar dates too.
For example, to locate files modified before August 1, 2022 on a system:
find / -newermt "2022-08-01" ! -newermt "2022-08-02"
This calculates the number of days between the current date and August 1, then matches files edited prior to that period.
By also supplying an end date of August 2, we exclude anything modified after August 1.
Use this date-based technique to find files changed before Linux updates, security incidents, website launches and other timeline events.
Displaying Modification Time with Stat
The stat command reveals detailed metadata for a given file, including its mtime timestamp.
To view mtime for a single file:
stat /etc/passwd
File: /etc/passwd
Size: 1470 Blocks: 8 IO Block: 4096 regular file
Device: 800h/2048d Inode: 657874 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Context: system_u:object_r:passwd_file_t:s0
Access: 2022-09-14 06:45:08.936843724 +0530
Modify: 2022-09-11 13:28:37.588089472 +0530
Change: 2022-09-14 06:45:00.336841481 +0530
Birth: -
The Modify line contains the file‘s mtime value formatted in a human readable timestamp.
Stat is less flexible than find for targeted mtime searches across many files. But it‘s useful for confirming the modification date on individual files.
Sorting ls Output by Modification Time
A handy way to view files ordered by mtime is passing the -t flag to ls:
ls -l -t
This will sort the output with newest files at the top based on mtime.
You can reverse the order using -r:
ls -ltr
Now oldest modified files appear first.
Combine this with other ls filters like wildcards for sorting specific groups of files by mtime:
ls -lrt /var/log/*.log
This technique helps identify the most recently and least recently changed files in directories.
Finding Files Between Two Modification Times
Need to pinpoint files changed between two specific periods of time? The find command handles this through mtime range matching.
The key is using + and – together to set both an upper and lower bound.
For example, to match files modified between 7-15 days ago:
find / -mtime +7 -mtime -15
Breaking this down:
-mtime +7
– Changed over 7 days ago-mtime -15
– Changed within last 15 days
Combined, this filters for the mtime period in between those values – files changed between 7-15 days in the past.
You can tweak the numbers to build any custom range. Just ensure the + value is lower than the – value.
Here are some more examples:
# Files changed between 10-30 days ago
find / -mtime +10 -mtime -30
# Files changed between 1-2 months ago
find /home -mtime +30 -mtime -60
Use this mtime range matching technique to scope your searches and precisely isolate file changes by date.
Finding Files Modified Before Specific Date
To find files changed before a known timeline date, use newermt which allows datestamp matching.
For example, to search for files modified before Sept 5, 2022:
find / -newermt "2022-09-05" ! -newermt "2022-09-06"
This locates files changed up to Sept 5 by excluding anything after Sept 6.
Breaking this down:
-newermt "2022-09-05"
– Match files edited on or before Sept 5! -newermt "2022-09-06"
– Ignore anything after Sept 6
With this approach, you provide exact calendar dates instead of relying on +/- days.
Use cases include identifying files changed:
- Before security patches installed
- Prior to system upgrades
- Before website launches or content migrations
- Pre-dating configuration changes
Knowing what files reside before certain dates assists with diagnosing issues, change tracking, and more.
Finding Files Older Than a Year
What about locating really old file changes? Finding files with mtimes over a year can uncover stale content.
Use the +mtime method along with a number representing 365 days:
sudo find / -mtime +365
This will recurse the entire system seeking files modified over a year ago.
Adjust the depth by increasing/decreasing +mtime. You could search for files older than 180 days, 90 days, etc.
Examining ancient mtimes helps clean up unused files lingering on your disks. It also highlights config files due for modernization.
Viewing Modification Time Across File Types
When searching mtime with find, you typically locate a mix of files, directories, symlinks and other objects.
To isolate just files or directories, add -type:
# Just files
find /etc -mtime -10 -type f
# Just directories
find /var/log -mtime -5 -type d
This filters based on object type after the mtime search occurs.
You can use f for regular files, d for directories or l for symbolic links.
Getting mtime results separated by file type helps avoid sorting through unwanted directories and links.
Finding Files Changed Between Two Dates
An extremely useful mtime technique is locating files modified between two dates. This allows drilling down on changes inside specific periods of time.
The key is using +mtime to set the earlier date and -mtime for the later date.
For example, to match files changed between June 1-7, 2022, run:
find / -newermt 2022-06-01 ! -newermt 2022-06-08
This works by:
-newermt 2022-06-01
– Match files on or after June 1! -newermt 2022-06-08
– Exclude anything after June 7
So we end up with files between those two dates.
Another example – find files changed between April 1-15:
find /var -newermt 2022-04-01 ! -newermt 2022-04-16
Use this technique to scope mtime searches to specific date ranges. This helps narrow down file changes around events like:
- System upgrades
- Configuration tweaks
- Security patches
- New code pushes
- Policy changes
Knowing what files were altered between certain timeline dates assists debugging, auditing and forensics.
Getting File Counts by Modification Time
When searching mtimes with find, you can append various actions to summarize the matches instead of listing every single file.
One helpful option is -printf which formats the output. Combine this with wc -l to count matches:
find /var -mtime -5 -printf ‘.‘ | wc -l
This will print a dot for every file match, then wc -l tallies up the dots to output a total count.
For example, it might return:
46
Indicating 46 files modified under /var in the last 5 days.
For a count of older changes, try:
find /etc -mtime +30 -printf ‘.‘ | wc -l
This sums up all files under /etc changed over 30 days ago.
Getting mtime counts is useful for charting file change trends over time without wading through endless log files.
Finding Files Changed at Specific Times
Pinpointing files modified at exact hours and minutes can assist with security forensics and troubleshooting.
The easiest method is combining find with stat output filtering:
sudo find / -mmin -720 -exec stat -c ‘%n modified %y‘ {} \;
This will locate files modified in the last 12 hours (-720 minutes), then extract just the filename and mtime via stat.
Sample output revealing specific file change times:
/var/log/auth.log modified 2022-10-21 14:34:23.196105170 +0200
/root/.bash_history modified 2022-10-21 15:02:32.347700715 +0200
With this granular data, you can reconstruct precise event timelines across your infrastructure.
Adjust the mmin value to widen or narrow your modification time window as needed.
Modification vs Access vs Metadata Times
While the focus of this guide is mtime, Linux tracks two other timestamp types:
- Access time (atime) – When contents were read/opened
- Metadata change time (ctime) – Altering of permissions, ownership and other file attributes besides data
The atime and ctime have their own find options:
-atime
– Match files accessed X days ago-ctime
– Match files with metadata changes X days ago
These can assist with security analysis and filesystem diagnostics in different ways than mtime searches.
But remember mtime specifically reflects content/data changes to files themselves. This makes it uniquely useful for tracking edits, updates and other writes.
Final Thoughts
Finding files by modification time is a critical Linux admin skill supporting security, forensics, automation, backup and more.
Following the examples in this guide, you‘ve mastered locating files by mtime using:
- The ls command for viewing individual file changes
- The find command to search across entire system
- Mixing find with stat and other utilities
You‘ve also learned advanced mtime techniques like:
- Finding changes between dates
- Getting counts of modified files
- Isolating edits by file type
- Matching changes to timeline events
With Linux‘s extensive mtime search capabilities, you can now solve real world problems like:
- Reconstruct security incidents
- Audit policy and configuration changes
- Build scripts triggered by file modifications
- Identify stale content for clean up
- Analyze modification trends over time
So put these new mtime search skills to work on your own Linux environment! They will unlock all sorts of forensic insights and automation opportunities.