Time & Size Predicates
find ~/atelier/_bibliotheca/domus-captures/docs -name "*.adoc" -mtime 0 -type ffind /var/log -name "*.log" -mtime +30 -type f 2>/dev/null | head -10find ~/atelier/_bibliotheca/domus-captures -name "*.adoc" -mmin -60 -type ffind /var/log -atime +90 -type f 2>/dev/null | head -10touch -t 202604010000 /tmp/ref-timestamp
find ~/atelier/_bibliotheca/domus-captures/docs -newer /tmp/ref-timestamp -name "*.adoc" -type f | head -10find ~/atelier/_bibliotheca/domus-captures -size +50k -type f | head -10find ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/partials -size -1k -type f -name "*.adoc"find ~/atelier/_bibliotheca/domus-captures/docs -size +10k -size -100k -type f -name "*.adoc"find ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT -empty -type ffind ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT -empty -type dThe Three Timestamps
Every file has three timestamps. ls only shows mtime. stat shows all three.
| Flag | Timestamp | What triggers it | Fakeable? |
|---|---|---|---|
|
modification |
|
Yes ( |
|
access |
|
Yes ( |
|
change |
Inode metadata changed (permissions, owner, rename, link count, or content) |
No |
ctime is the honest timestamp — it updates on any inode change and cannot be set manually. If mtime and ctime diverge significantly, someone used touch(1) to backdate the file.
stat /etc/ssh/sshd_configstat -c '%y %n' /etc/ssh/sshd_configstat -c 'A:%x M:%y C:%z %n' /etc/ssh/sshd_config-printf — Custom Output with Sorting
find -printf eliminates the need to pipe through ls or stat. Sortable, scriptable, precise.
find . -maxdepth 3 -type f -mtime -7 -printf '%T+ %p\n' | sort -r | head -20%T+ = YYYY-MM-DD+HH:MM:SS.nnnnnn — ISO-sortable, sub-second precision.
find . -type f -mtime -7 -printf '%s\t%T+\t%p\n' | sort -rn | head -20ls -ltfind . -type f -mtime -3 -printf '%M %u %T+ %p\n' | sort -k3 -rfind . -type f -printf '%TY-%Tm-%Td %p\n' | awk -v today="$(date +%F)" '$1 == today'
-mtime 0 means "last 24 hours." -newermt "$(date +%F)" means "since midnight today." The awk approach above gives the same precision as -newermt but works on older find versions.
|
-newerXY — Timestamp Comparisons
The X is which timestamp to test, Y is the reference type. Both are one of: a (access), m (modify), c (change), t (explicit time string).
find . -name "*.adoc" -type f -newermt "$(date +%F)"find . -type f -newermt "2026-05-01" ! -newermt "2026-05-15"find . -type f -newercm . -printf '%C+ ctime | %T+ mtime | %p\n' 2>/dev/null | head -20Forensic — Detecting Timestamp Manipulation
When mtime and ctime are on different dates, either the file was moved/renamed, permissions changed, or someone used touch to set a false modification time. ctime always tells the truth.
sudo find / -maxdepth 3 -type f -printf '%C+ ctime | %T+ mtime | %p\n' 2>/dev/null \
| awk -F'|' '{split($1,c," "); split($2,m," "); if(c[1] != m[1]) print}' \
| head -20find /etc -type f -printf '%Cs %Ts %p\n' 2>/dev/null \
| awk '$1 - $2 > 86400 {print strftime("%F", $1), "ctime |", strftime("%F", $2), "mtime |", $3}'%Cs and %Ts are epoch seconds — arithmetic comparison, then strftime for human display.