Use the find command to locate files on your box that were accessed or modified recently, or to find files based on size or owner.
If you've not used the find utility before, you may want to start by reading "Getting Started with the Find Utility".
Find will allow you to search for files based on the file size. Firstly, lets look at how you'd search for files of an exact size.
find / -size 2048c
Note that the "c" represents bytes (characters). So the command above will match files in your filesystem that are exactly 2048 bytes in size, no file with size more or less than this will be matched. If you would like to search for all files under the current directory that are less than a certain size, simply prefix the number with a "-". For example, to search for all files that are less than 50KB, you could use:
find . -size -50k
The "k" used above simply stands for Kilobytes (KB). If you need to find all files on your system that are greater than 100 Megabytes, use:
find / -size +100M
Similarly, to find files greater than 3 Gigabytes, you could use:
find / -size +3G
As you probably know already, each file has three timestamps associated with it. Lets just clarify or refresh ourselves about what these timestamps are for:
|access time||the last time a file was accessed|
|change time||the last time the file's metadata (or "status") changed (i.e. inodes etc...)|
|modify time||the last time the contents of the file were changed|
When you want to find files that have been accessed, you use the "-amin" option. So, to find files in the current directory that were accessed exactly 10 minutes ago, you could use:
find . -amin 10
To find files that were accessed within the last few minutes, precede the number of minutes with a "-". To find files accessed within the last 30 minutes, run:
find . -amin -30
If you want to find all files than have been modified you would use "-mmin" and to find files who's metadata or status has changed, you'd use "-cmin". Hence, to search for config files in /etc who's contents has been modified over the last 30 minutes, use the command:
find /etc -name "\*.conf" -mmin -30
To find files accessed/changed/modified in the last n*24 hours, use "-atime", "-ctime", and "-mtime" respectively. So to find any files on your system that have been accessed in the last 24 hours, you could use:
find / -atime 0
The number of 24 hour periods actually gets rounded off so that fractions of a day are ignored. This means that to find files accessed in the last 0 to 24 hours, use "-atime 0" as above, and to find files accessed in the last 24 to 48 hours ago, use "-atime 1", and so on. This can be used in conjunction with "+" which basically means "older than" (in this case). So to find files that were accessed at least 3 days ago, you could use:
find / -atime +2
i.e. "older than" the 24 hour period between 48 --> 72 hours ago, or in other words, to be part of the results, the files must have been accessed more than 2 days ago (at least 3 days). Note that for the -amin, -cmin, -mmin, -atime, -ctime, and -mtime options, you can specify to measure times from the beginning of the day rather than the last 24 hours by using the "-daystart" option. e.g.
find /var/log -daystart -mtime 0
will show all files in /var/log modified since the beginning of today rather than in the last 24 hours.
If you need to find files belonging to a particular owner use the "-user" option as shown below for the user tutonics:
find / -user tutonics -name "file.txt"
If file.txt exists on on the system, but is owned by another user, it will not be retured in the results. You can also search for files in a particular group by using the "-group" option, for example to search for all .log files in group adm, you could use:
find /var/log -group adm -name "\*.log"
If you need to check for both a specific owner and group, just use both as in:
find / -user username -group groupname -name filename
To check for files with no known user or group, use the options "-nouser" and "-nogroup" respectively. If a user account gets removed from your desktop or server it is always a good idea to find files that have no user or group and give them a user/group or even remove them from your system. To identify files on your system that have no user:
find / -nouser
To find files that have no user and no group use:
find / -nouser -nogroup
If you don't want find to descend directories of other file systems that you've mounted, use the "-mount" option or the equivalent "-xdev" option: e.g.
find / -mount -name "\*.txt"
find / -xdev -name "\*.txt"