Trying to shut down an old web server from the late 1990s that had its guts transplanted onto a newer system around 2003 and again around 2009. As you can imagine, there are accounts and files that are like those items in your junk drawer: they beg the question… why is this here?!
In an attempt to determine the last use of accounts, we combined some log analysis with some Unix timestamp forensics to prove that no one really needs this anymore!
The log analysis was pretty easy: track non-robot traffic to determine which accounts were being accessed and at what frequency and volume. The timestamp work wasn't difficult; we just had to isolate which files we wanted to analyze. The `stat`, `find` and/or `ls` commands make this easy. In case you are not aware, Linux/Unix stores a number of timestamps for each file. These timestamps record when any file or directory was last accessed (read from or written to), changed (file access permissions were changed) or modified (written to).
The three times tracked for each file in Linux/Unix are:
- access time – atime
- change time – ctime
- modify time – mtime
Aside from using atime, ctime or mtime, the easiest way to get the information we are looking for is using the `stat` command:
```
# stat /home/myhome/file1
  File: `/home/myhome/file1'
  Size: 1498906    Blocks: 2928    IO Block: 4096    regular file
Device: fd01h/64769d    Inode: 3414009    Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  500/  myhome)   Gid: (  500/   users)
Access: 2016-01-26 12:53:01.309089993 -0500
Modify: 2013-07-15 10:28:05.241847000 -0400
Change: 2013-07-15 10:28:05.315848001 -0400
```
If you are looking for a large set of files that have been accessed/modified/changed before or after a specific date, then the `find` command is your best bet.
For single files or a small set of files the `ls` command is probably easier.
For information on how to use atime, ctime and mtime with `find` and `ls` refer to the man page for the specific command.
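The date-based `find` check described above, applied per account directory, as an added example that is not part of the original post. It assumes GNU findutils and GNU `touch`; the function names, directory names and the 2015-01-01 cutoff are constructed for illustration. Treat the atime result with care: on filesystems mounted `noatime` reads are never recorded, and under `relatime` a read only updates atime when the old value is older than mtime/ctime or more than a day old.

```shell
#!/bin/sh
# Added example. Assumes GNU findutils and GNU touch; paths and dates are constructed.

# Files under DIR that were read or written after CUTOFF (any date find accepts).
recent_files() {
    find "$1" -xdev -type f \( -newerat "$2" -o -newermt "$2" \) -print
}

# Succeeds (exit 0) when nothing under DIR was accessed or modified after CUTOFF.
is_dormant() {
    [ -z "$(recent_files "$1" "$2")" ]
}

# Newest date of one timestamp kind across DIR: A = atime, T = mtime, C = ctime.
newest_stamp() {
    find "$1" -xdev -type f -printf "%${2}Y-%${2}m-%${2}d\n" | sort -r | head -n 1
}

# Constructed sample: two account directories with timestamps set by hand.
# ctime cannot be set with touch, so the dormancy check relies on atime and mtime.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/olduser" "$root/liveuser"
    echo page > "$root/olduser/index.html"
    echo page > "$root/liveuser/index.html"
    touch -a -d '2013-07-20 09:00:00' "$root/olduser/index.html"
    touch -m -d '2013-07-15 10:28:05' "$root/olduser/index.html"
    touch -a -d '2016-01-26 12:53:01' "$root/liveuser/index.html"
    touch -m -d '2013-07-15 10:28:05' "$root/liveuser/index.html"
    echo "$root"
}

# Report each sample account as dormant or active relative to the cutoff.
sample=$(make_sample)
for home in "$sample"/*; do
    if is_dormant "$home" '2015-01-01'; then state=dormant; else state=active; fi
    echo "$home: $state (last read $(newest_stamp "$home" A), last write $(newest_stamp "$home" T))"
done
rm -rf "$sample"
```

Cross-check any account reported as dormant against the web server logs before removing it, since backup jobs and scanners can also move atime.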