How to find out when NTFS was last mounted?

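Is there a way to find out when an NTFS file system was last mounted?

Is there any such information in the file system metadata?

With a utility on Linux, macOS, or at least Windows...

Thanks!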

Sorry,

root@xDevAd:/home/hans/ntfs# truncate -s 2M ntfs.img;
root@xDevAd:/home/hans/ntfs# mkdir -p ./mount;
root@xDevAd:/home/hans/ntfs# losetup /dev/loop9 ntfs.img;
root@xDevAd:/home/hans/ntfs# mkfs.ntfs /dev/loop9;
The partition start sector was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
The number of sectors per track was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
The number of heads was not specified for /dev/loop9 and it could not be obtained automatically.  It has been set to 0.
Cluster size has been automatically set to 4096 bytes.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
Initializing device with zeroes: 100% - Done.
Creating NTFS volume structures.
mkntfs completed successfully. Have a nice day.
root@xDevAd:/home/hans/ntfs# mount /dev/loop9 ./mount;
root@xDevAd:/home/hans/ntfs# umount ./mount; 
root@xDevAd:/home/hans/ntfs# b3sum ./ntfs.img;
0b5e9867996a2a4ce2abb6689d59a7719b040da35db7cd6f39d8084e6dd81466  ./ntfs.img
root@xDevAd:/home/hans/ntfs# sleep 1;
root@xDevAd:/home/hans/ntfs# mount /dev/loop9 ./mount;
root@xDevAd:/home/hans/ntfs# sleep 1;
root@xDevAd:/home/hans/ntfs# umount ./mount;
root@xDevAd:/home/hans/ntfs# sleep 1; 
root@xDevAd:/home/hans/ntfs# b3sum ./ntfs.img;
0b5e9867996a2a4ce2abb6689d59a7719b040da35db7cd6f39d8084e6dd81466  ./ntfs.img

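From this we can conclude that if a "last mount time" exists, its precision is less than 2 seconds,

but that probably means the information you are looking for does not exist :(

(another possibility is that a bug in ntfs-3g prevents the last mount time from being recorded, but I doubt it)

Edit: the good news is: finding the latest atime/last time when comparing all files on the whole file system may be a good indicator..

This script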

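#!/usr/bin/env php
<?php
// Recursively find the newest atime/mtime/ctime below $mountpoint.
// The result is returned through $time_out (Unix time) and $file_out (path).
function fs_get_last_time(string $mountpoint, int &$time_out, string &$file_out):void{
    $time_out=0;
    $file_out="";
    // scandir() instead of glob("*"): it also lists dotfiles and is not
    // confused by glob metacharacters such as "[" in directory names.
    $names = @scandir($mountpoint);
    if($names===false){
        return; // unreadable directory
    }
    foreach($names as $name){
        if($name==="." || $name===".."){
            continue;
        }
        $file = $mountpoint.DIRECTORY_SEPARATOR.$name;
        // lstat(): timestamps of the entry itself, not of a symlink target
        $stat = @lstat($file);
        if($stat===false){
            continue;
        }
        $file_last_time = max($stat["atime"]??0, $stat["mtime"]??0,$stat["ctime"]??0);
        if($file_last_time>$time_out){
            $time_out=$file_last_time;
            $file_out = $file;
        }
        // Do not descend into symlinks: they can loop or leave the volume.
        if(is_dir($file) && !is_link($file)){
            $inner_time = 0;
            $inner_file = "";
            fs_get_last_time($file,$inner_time, $inner_file);
            if($inner_time > $time_out){
                $time_out = $inner_time;
                $file_out = $inner_file;
            }
        }
    }
}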

should tell you when the file system was last used, at least... usage:


$time=0;
$file="";
fs_get_last_time("/path/to/ntfs/mount", $time,$file);
echo date(DateTime::RFC3339,$time).": ".$file."\n";
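
Added example, not part of the original answer: the same "newest timestamp" indicator, but read directly from the MFT records of a raw image file, so the volume does not have to be mounted to examine it. This goes beyond the answer's approach. It assumes 1024-byte MFT records at 1024-byte-aligned offsets in the image; the function names are hypothetical and the sample records are constructed for the demonstration.

```python
import struct

RECORD_SIZE = 1024          # assumption: default 1024-byte MFT records
SI_TYPE, END_MARK = 0x10, 0xFFFFFFFF
EPOCH_DELTA = 11644473600   # seconds from 1601-01-01 (FILETIME) to 1970-01-01

def filetime_to_unix(ft):
    return ft / 10_000_000 - EPOCH_DELTA   # FILETIME counts 100 ns ticks

def si_times(record):
    """Four $STANDARD_INFORMATION FILETIMEs of one MFT record, or None."""
    if record[:4] != b"FILE":
        return None
    off = struct.unpack_from("<H", record, 0x14)[0]     # first attribute
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARK or alen < 24:
            break                                       # end marker or corrupt length
        if atype == SI_TYPE and record[off + 8] == 0:   # resident attribute
            clen, coff = struct.unpack_from("<IH", record, off + 16)
            if clen >= 32 and off + coff + 32 <= len(record):
                # created, modified, MFT-changed, accessed; the attribute sits
                # near the record start, clear of the sector-end fixup bytes
                return struct.unpack_from("<4Q", record, off + coff)
        off += alen
    return None

def latest_timestamp(image):
    """(unix_time, offset) of the newest timestamp; deleted records count too."""
    best = (0.0, -1)
    for pos in range(0, len(image) - RECORD_SIZE + 1, RECORD_SIZE):
        times = si_times(image[pos:pos + RECORD_SIZE])
        if times:
            best = max(best, (filetime_to_unix(max(times)), pos))
    return best

def sample_record(unix_times):
    """Constructed input: a minimal record holding only $STANDARD_INFORMATION."""
    fts = [(t + EPOCH_DELTA) * 10_000_000 for t in unix_times]
    rec = bytearray(0x38)
    rec[:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, 1)         # attribute offset, in-use flag
    body = struct.pack("<4Q", *fts) + bytes(16)
    rec += struct.pack("<IIBBHHHIHH", SI_TYPE, 24 + len(body),
                       0, 0, 0, 0, 0, len(body), 24, 0)
    rec += body + struct.pack("<I", END_MARK)
    return bytes(rec.ljust(RECORD_SIZE, b"\0"))

if __name__ == "__main__":
    newer = sample_record([1600000000, 1700000000, 1650000000, 1690000000])
    print(latest_timestamp(sample_record([1600000000] * 4) + newer))
```

For a real image, pass the file's bytes (for example from `open("ntfs.img", "rb").read()`) to `latest_timestamp`. These timestamps can be set by any user with write access, so the result is an indicator of last use, not proof of it.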