Have you ever wanted to view a list of all files or subdirectories within a directory in Linux and order them by when they were last changed or modified? Then you have come to the right place! Here we are going to provide and explain some useful commands that when piped together will give us this result, allowing us to recursively list files and directories by date.
This is one of my favourite commands to use when trying to build a timeline of events, for instance if a server or website has been compromised and you want to see when files have been modified with malicious content. By seeing other files that were modified around the same time you can get a better idea of what took place and when, allowing you to correlate these events with your logs.
So here are the simple commands piped together, run this within a directory and you will be provided with a list of all files and subdirectories along with the date they were last modified. The most recently changed contents will be at the bottom of the list, so after running it you’ll see the most recent changes with the older changes as you scroll up. If you have a lot of output piping the whole lot into ‘less’ may be a good idea so that you can easily scroll through.
find . -printf '%[email protected] %t %p\n' | sort -k 1 -n | cut -d' ' -f2-
Below is an example output from running this full command.
# find . -printf '%[email protected] %t %p\n' | sort -k 1 -n | cut -d' ' -f2- Wed Aug 26 09:25:04.0000000000 2015 ./images/1.jpg Tue Sep 1 06:27:43.0000000000 2015 ./1.JPG Sat Sep 12 12:36:51.0000000000 2015 ./directory/6.jpg Sat Sep 12 12:43:48.0166880221 2015 ./directory Mon Oct 12 05:18:21.0000000000 2015 ./images/7.jpg Sun Oct 18 08:29:46.0000000000 2015 ./8.jpg Wed Oct 21 10:50:16.0672628610 2015 ./index.html
As shown we can see the files sorted from oldest date and time modified to newest. Now let’s break down what each part is actually doing for us.
First off the find command is run which finds us the list of all files and subdirectories recursively within the current working directory, as specified by the “.” after the find command. To confirm your current working directory you can run the “pwd” command. You can change the “.” to a full directory path instead to list all files and subdirectories in there instead if required, this way you don’t have to be in the directory.
The “-printf” flag is used to print the output in the format specified, in this case this is ‘%[email protected] %t %p\n’. The %[email protected] displays the epoch time, that is the amount of seconds since the 1st of January 1970, the %t shows the files last modification time, the %p displays the files name while \n is simply a new line so that each result in our output shows up on a new line which makes it easier to read and work with.
It is worth noting that you could also replace %t with %c, which will instead use the files last status change time rather than the modification time. This should show things such as permission changes which don’t actually modify the contents file but change the metadata.
The output of this find command alone looks like this.
1445424616.6726286100 Wed Oct 21 10:50:16.0672628610 2015 ./index.html
At this stage the output does not display in any sort of chronological order. We can see the output displayed as expected, the files epoch time followed by the last modification date and time, followed by the file name.
Now with this output you may have noticed that there is no order applied, this is taken care of with the sort command. The -k flag specifies a start position which in this case is 1, the first column being the epoch time.
The output with the sort is shown below, now we have the files in the same order as the output of the full command string shown previously after sorting by column 1, the epoch time. As the epoch time is all numbers, we also use -n to perform a numerical based sort.
1440581104.0000000000 Wed Aug 26 09:25:04.0000000000 2015 ./images/1.jpg 1441088863.0000000000 Tue Sep 1 06:27:43.0000000000 2015 ./1.JPG 1442061411.0000000000 Sat Sep 12 12:36:51.0000000000 2015 ./directory/6.jpg 1442061828.1668802210 Sat Sep 12 12:43:48.0166880221 2015 ./directory 1444627101.0000000000 Mon Oct 12 05:18:21.0000000000 2015 ./images/7.jpg 1445156986.0000000000 Sun Oct 18 08:29:46.0000000000 2015 ./8.jpg 1445424616.6726286100 Wed Oct 21 10:50:16.0672628610 2015 ./index.html
We can change -n to -nr which will reverse the output, resulting in the oldest modified files showing at the bottom of the output, rather than the newest.
Now that we have our sorted output we use the cut command to tidy up and print out a more specific selection. By specifying a delimiter with -d of ‘ ‘ we find the first white space which comes after the epoch time and cut everything afterwards.
At this point we now have the complete output which lists all files by date recursively from the specified directory. The epoch time provided an easy way to perform the sort, but we don’t really need to see that in the final output as it isn’t particularly human readable so it’s been removed after the sort.
Of course you can always use the much simpler “ls -lrt” within a directory to view all files within the current working directory from oldest to newest, however this does not take into consideration subfolder contents. Even if we use the recursive option and use “ls -lRrt” we only see the files ordered based on the dates within each directory and not a combination of all subdirectories.
If you aren’t interested in the subdirectories themselves you could also add a “-type f” to the find command which will only list files, as shown below.
find . -type f -printf '%[email protected] %t %p\n' | sort -k 1 -n | cut -d ' ' -f2-
This still lists files within subdirectories, it simply no longer also shows the subdirectory names themselves in the output.
The opposite can also be done, by using “-type d” which will display only directories and no files.
find . -type d -printf '%[email protected] %t %p\n' | sort -k 1 -n | cut -d ' ' -f2-
By combining a few relatively simple bash commands in Linux we have been able to successfully list all files and subdirectories within a specified directory recursively by their modification or change date, in either ascending or descending order. We can also optionally specify to only view files or directories in the output.
This command is a great way of building a timeline of events as the chronological output allows us to see the order of file modifications, regardless of where the file is actually located.