04. File Analysis: stat Command in Linux
File Analysis Using the stat Command in Linux
Lesson Objective:
Learn how to perform an initial analysis of a file using built-in tools in the Linux system, specifically the stat command, to examine the file's metadata, which is the first step in any Digital Forensics investigation.
Real Case: BTK Killer Case
The lesson began by referring to the famous BTK case, one of the cases where Digital Forensics helped solve the mystery after analysis of a floppy disk from which some files had been deleted. By recovering the deleted files and examining their metadata, investigators were able to obtain important information about the file's owner.
Scenario Used in the Lab
We have an image file obtained (for example, from the suspect's device), and we want to examine its metadata to determine:
- When was it created?
- Who created it?
- Was it recently modified?
- Was it opened after creation?
Tools and Environment Used:
- Operating System: Ubuntu or SIFT (or any Linux distribution)
- Image file located in the folder: DigitalForensics
- Tools: ls, stat, cp, mv
Detailed Steps for Analyzing Metadata Using ls -lh
1. Accessing the File via Terminal:
cd Desktop/DigitalForensics
ls -lh
Expected output:
-rw-r--r-- 1 user user 1.2K Jul 20 20:15 notes.txt
drwxr-xr-x 2 user user 4.0K Jul 20 18:00 documents
2. Understanding the ls -lh Command
| Part | Meaning |
|---|---|
| ls | Lists files and directories in the current path. |
| -l | Displays details in long listing format, including permissions, link count, owner, group, size, and last modified date. |
| -h | Displays sizes in human-readable format (e.g., KB, MB instead of just bytes). |
3. Analyzing the ls -lh Output
| Part | Explanation |
|---|---|
| -rw-r--r-- | File permissions (read and write for owner, read for group and others). |
| 1 | Number of links to the file (how many times the filesystem points to it). |
| user | Username of the file owner. |
| user | Group that owns the file. |
| 1.2K | File size (1.2 kilobytes). |
| Jul 20 20:15 | Last modified date and time. |
| notes.txt | File name. |
Important Note:
The ls -lh command does not show all metadata of the file, such as:
- Creation time
- Last access time
To get this info, use:
stat notes.txt
4. Displaying Data Using stat
stat trip_photo.jpg
It shows:
- Access time: Last time the file was opened
- Modify time: Last time the file content was changed
- Change time: Last time the file's properties (permissions, owner, links, not content) were changed
- Birth/Creation time: When the file was created
- Inode: The file's index-node number, which identifies it within the filesystem (its location on disk)
- Block size / Block count: Size and number of blocks occupied by the file
stat provides detailed information useful for tracking a file's timeline.
Hands-On File Experiments
Opening the File to Change Access Time
xdg-open trip_photo.jpg
stat trip_photo.jpg
- Just by opening the file (without modifying it), only Access Time changes.
Moving the File Using mv
mv trip_photo.jpg ..
cd ..
stat trip_photo.jpg
- Result: Inode does not change, because the file wasn't copied but moved on the same disk.
- Timestamps (like Modify or Change) also do not change.
Moving doesn't affect the file physically on disk.
Copying the File Using cp
cp ../trip_photo.jpg DigitalForensics/
stat DigitalForensics/trip_photo.jpg
- A new file is actually created:
  - New Inode
  - All timestamps (Access, Modify, Change, Birth) change to the moment of copy
Copying creates a new file, as if you did a "Save As".
Detailed Comparison: mv vs cp in Forensics Analysis
| Property | mv (Move) | cp (Copy) |
|---|---|---|
| Primary Function | Moves file to another location | Copies file to another location (creates new file) |
| Effect on Original | Not changed | Original remains unchanged |
| Is New File Created? | No, just relocated | Yes, new file is created |
| Inode (physical location) | Unchanged (on same disk) | Changed, new file has new inode |
| Access Time | Unchanged unless opened | Set to new access time of copied file |
| Modify Time | Unchanged | Copied from original (same modify time) |
| Change Time | May change if attributes changed (rare) | New timestamp reflecting copy time |
| Creation Time (Birth Time) | Remains unchanged | Reflects copy time (new file) |
| Permissions | Remain the same | May be copied or differ depending on system settings |
| Ownership | Remains the same | May differ based on current user |
| Forensics Impact | Hard to detect change unless opened | New copy can be tracked with timestamps |
Practical Example
1. Moving the File:
mv photo.jpg ..
stat ../photo.jpg
- Inode remains the same
- Timestamps do not change
- It's the same file, just moved
2. Copying the File:
cp ../photo.jpg .
stat photo.jpg
- New Inode
- All timestamps reflect the copy moment
- Now there are two independent files
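The hands-on experiments and the practical example above, replayed as an added script (not part of the lesson) on a constructed throwaway file: it snapshots the inode and timestamps before and after mv, a plain cp, and cp -p, then reports which fields each step preserved, so the mv/cp comparison can be checked on your own filesystem. It assumes GNU coreutils (stat -c, touch -d) and a single filesystem under /tmp; the atime result additionally depends on the mount's relatime setting, so it is reported rather than relied on.

```shell
#!/bin/sh
# Added example (not from the lesson): replay the mv / cp / cp -p experiment on a
# constructed throwaway file and report which stat fields survive each step.
# Assumes GNU coreutils (stat -c, touch -d) and a single filesystem under /tmp.

# Snapshot a file as "inode mtime ctime atime" (times in epoch seconds).
snapshot() {
    stat -c '%i %Y %Z %X' "$1"
}

# Compare two snapshots field by field, e.g. "inode=same mtime=same ctime=changed atime=same".
compare() {
    set -- $1 $2                      # $1..$4 = before, $5..$8 = after
    [ "$1" = "$5" ] && inode=same || inode=new
    [ "$2" = "$6" ] && mtime=same || mtime=changed
    [ "$3" = "$7" ] && ctime=same || ctime=changed
    [ "$4" = "$8" ] && atime=same || atime=changed
    echo "inode=$inode mtime=$mtime ctime=$ctime atime=$atime"
}

# Create a back-dated file, then mv, cp and cp -p it; print one result line per step.
run_experiment() {
    work=$(mktemp -d) || return 1
    mkdir "$work/DigitalForensics"
    printf 'constructed sample content\n' > "$work/DigitalForensics/trip_photo.jpg"
    # Back-date atime and mtime (ctime cannot be set from user space) so a
    # preserved value is distinguishable from "now".
    touch -d '2020-01-01 00:00:00' "$work/DigitalForensics/trip_photo.jpg"
    before=$(snapshot "$work/DigitalForensics/trip_photo.jpg")

    mv "$work/DigitalForensics/trip_photo.jpg" "$work/"                   # same filesystem
    echo "mv $(compare "$before" "$(snapshot "$work/trip_photo.jpg")")"

    cp "$work/trip_photo.jpg" "$work/DigitalForensics/"                   # plain copy
    echo "cp $(compare "$before" "$(snapshot "$work/DigitalForensics/trip_photo.jpg")")"

    cp -p "$work/trip_photo.jpg" "$work/DigitalForensics/preserved.jpg"   # keep mode, owner, times
    echo "cp-p $(compare "$before" "$(snapshot "$work/DigitalForensics/preserved.jpg")")"

    rm -r "$work"
}

run_experiment
```

The plain cp line shows the copy's mtime set to the copy moment, while cp -p carries the original mtime over; in both cases the inode is new.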
Case Analysis: What Metadata Tells Us
| Situation | Conclusion |
|---|---|
| Only Access time changed | File was opened recently without being modified |
| Same Inode after mv | File was moved, not copied |
| All timestamps are identical | File was newly created or recently copied |
| Creation date is older than first appearance | File came from another system (e.g., from Windows to Linux) |
Very Important Fact
If a file was created on a Windows machine and transferred to Linux, the last modified date remains (from the old system), but the creation date reflects the moment it was introduced into the Linux system.
Importance in Digital Forensics:
Using stat, the forensic investigator can:
- Determine if the file was accessed recently
- Check if it was copied from another device
- Verify permissions: who can modify it?
- Track digital evidence with timestamps and ownership
Comparison Summary
| Key Point | mv | cp |
|---|---|---|
| Preserves timestamps | Yes | No |
| Preserves inode | Yes | No |
| Only changes file path | Yes | No |
| Creates new forensic trace | No | Yes |
Lesson Summary:
- ls -l: General file info
- stat: Deep metadata analysis
- Copying vs Moving is crucial in digital evidence tracking
- Metadata reveals the complete file history, even after changes or moves
| Tool | Benefit |
|---|---|
| ls -l | Surface info: permissions, size, last modified |
| stat | Comprehensive: access, modify, creation, physical location |
| mv | Doesn't change the file physically |
| cp | Creates a completely new file |
Advice for Digital Forensics Investigators
Don't rely solely on file content; analyze the metadata, as it may contain very important clues about the file's history and source.
Real-life Example: If you find a suspicious image with a recent creation date but an older modify date, it might have been copied from another machine or downloaded from the internet.