Find all recently modified files

Have you ever wanted a list of the files that have been recently changed on your machine—either in a given directory, or across the entire machine? For instance, assume you wanted to see every file that has been changed in the last 24 hours within your Documents folder. One way to do this, of course, is to navigate to the Documents folder in the Finder, press Command-F, and then set the search conditions to “Last Modified” and “Since Yesterday.” And if everything you want to see is within folders that have been indexed by Spotlight, this is clearly the easiest solution.

But what if you want the output of your search to go to a text file? Or what if you want to search folders that Spotlight won’t index? Or to see what a program may have installed, even if it didn’t leave a nice entry in the /Library -> Receipts folder? Enter Terminal and Unix…

Using the same example as above, here’s one way to get a similar list in Unix, without relying on Spotlight:

find ~/Documents -type f -ctime -0 | more

The output should be a list of all files that have changed in your Documents folder within the last 24 hours. Here’s how it works, step by step:

• find ~/Documents: Runs the Unix find command, starting in the Documents folder, and then reading all other directories at or below that level. To start find in the current directory, you would use find ., and then the rest as shown above.
• -type f: Finds only files, not directories, symbolic links, or other special Unix file types.
• -ctime -0: Limits the modification time to the latest 24-hour period (rounded).
• | more: This just sends the output to the Unix paging system, so you can read it one screen at a time.

Obviously, you could easily change the command to show files that have been changed 24 hours ago ( ctime -1 ) or 48 hours ago ( ctime -2 )—or any other full-day increment you’d like to use. In case I wasn’t completely clear with this example, ctime works via matching, not as a limit. That is, you won’t find all files that are “at least” 24 hours old, you’ll find only those files that are exactly (with rounding) 24 hours old.

How about a more complex example? Assume you’ve just installed Gargantua App (version 2, now a Universal Binary), and you’re curious to see what files it may have created or changed during the installation. Use the following commands to get a list of every file that has been changed on your system within the last 24 hours, with the output sent to a file on your desktop:

sudo find / -type f -ctime 0 > ~/Desktop/modfiles.txt

You’ll need to supply your password (due to the use of sudo ), and this version will take a few minutes to run—it’s searching every file on your machine to find the matches. Also keep in mind that since you’re searching the root directory of your machine, this will also search any mounted file servers and any CDs or DVDs that you have in your Mac (because they’re all listed in /Volumes). As such, you may wish to dismount your connected servers and eject your CDs and DVDs before using this command.

The other change in the above command is that the output is sent to a file (via the > ) on your desktop, so you can then open it in a text editor to browse and search.

Obviously, this tip is just touching the tip of the very large iceberg that is system modification analysis. If you’re interested in such things, there are packages out there that do this (and much more), and many of them are free. Here are a few things to look at to get started:

• Tripwire
• fseventer
• Apple’s Common Criteria Tools for 10.4
• radmind
• FileControl
• Osiris

I have not tested most of these myself, but all are some form of security package designed to track and report on changes to files on your Mac.