When did that change?

Trying to shutdown an old web server from the late 1990’s that had it’s guts transplanted onto a newer system around 2003 and again around 2009. As you can imagine there are accounts and files that are like those items in your junk drawer, they beg the question…why is this here?!

In an attempt to determine last use of accounts we combined some log analysis with some unix timestamp forensics to prove that no one really needs this anymore!

The log analysis was pretty easy, track non-robot traffic to determine which accounts were being accessed and at what frequency and volume. The timestamp wasn’t difficult just had to isolate which files we wanted to analyze. Using the `stat`, `find` and/or the `ls` commands make this easy. In case you are not aware of this Linux/Unix stores a number of timestamps for each file.  These timestamps store when any file or directory was last accessed (read from or written to),  changed (file access permissions were changed) or modified (written to).

Three times tracked for each file in Linux/Unix are:

  • access time – atime
  • change time – ctime
  • modify time – mtime

Aside from using atime, ctime or mtime, the easiest way to get the information we are looking for is using the `stat` command:

# stat /home/myhome/file1 
  File: `/home/myhome/file1'
  Size: 1498906   	Blocks: 2928       IO Block: 4096   regular file
Device: fd01h/64769d	Inode: 3414009     Links: 1
Access: (0664/-rw-rw-r--)  Uid: (  500/   myhome)   Gid: (  500/   users)
Access: 2016-01-26 12:53:01.309089993 -0500
Modify: 2013-07-15 10:28:05.241847000 -0400
Change: 2013-07-15 10:28:05.315848001 -0400

If you are looking for a large set of files that have been accessed/modified/changed before or after a specific date then using the `find` command is your best bet.

For single files or a small set of files the `ls` command is probably easier.

For information on how to use atime, ctime and mtime with `find` and `ls` refer to the man page for the specific command.