File System Types and Timestamps

Identify/Mount Filesystem Type

#Identify filesystem type
disktype /DISK_IMAGE_NAME

#Mount ext3 with ro - read only, no execution, no load.
mount -t ext3 -o ro,noexec,noload,offset=123456 /forensic_image /mount

#ext4
mount -t ext4 -o ro,noexec,offset=123456 /forensic_image /mount

#xfs
mount -t xfs -o ro,noexec,norecovery,offset=123456 /forensic_image /mount

Filesystem Table Configuration Location

  • /etc/fstab

Common filesystem types and their Timestamps

EXT3

  • Access (atime) - the last time the file was read

  • Modify (mtime) - the last time the file was modified (content modified)

  • Change (ctime) - the last time the meta data of the file was changed (timestamps, filetype, permissions).

EXT4

  • Access (atime) - the last time the file was read

  • Modify (mtime) - the last time the file was modified (content modified)

  • Change (ctime) - the last time the meta data of the file was changed (timestamps, filetype, permissions).

  • Created (crtime) - may be present on EXT4 filesystems.

XFS

  • Access (atime) - the last time the file was read

  • Modify (mtime) - the last time the file was modified (content modified)

  • Change (ctime) - the last time the meta data of the file was changed (timestamps, filetype, permissions).

  • Created (crtime) - may be present on XFS filesystems.

ZFS

  • Access (atime) - the last time the file was read

  • Modify (mtime) - the last time the file was modified (content modified)

  • Change (ctime) - the last time the meta data of the file was changed (timestamps, filetype, permissions).

  • Created (crtime) - may be present on ZFS filesystems.

PreviousCron JobsNextLD_PRELOAD

Last updated