Note that on some Linux distros there is an installation log that you can find under /var/log or /root. That will give you a much more exact timeline, if present.
I'm going to give @stoney27 credit on this one-- his answer was "date on the device of the root file system". Since there is no standard artifact for install date on Linux systems, the creation date on the root directory (or "/lost+found") is generally used.
Trivia Answer #5 - It means “Every five minutes execute the script /tmp/.ICEd-unix/.src.sh”. You’ll often see entries like this used for persistence after a successful exploitation event.
Daily Linux Forensics Trivia #5 - What is the meaning of this crontab entry: "*/5 * * * * /tmp/.ICEd-unix/.src.sh"? [and don't forget I'll be teaching Linux Foreniscs live in-person and streamed @WWHackinFest Deadwood wildwesthackinfest.com/deadw…]
Trivia Answer #4 - Congrats to @obnoxious4n6 for being first with the correct answer. The "last" command displays the contents of /var/log/wtmp. Use the "-f" option to specify an alternate wtmp file, for example from a mounted forensic image.
Trivia Answer #3 -- False. mlocate.db does contain directory timestamps. This timestamp is the larger of the directory's mtime or ctime at the time the database is created. There are no timestamps on the individual file entries.
Trivia Answer #1 — File type was originally only stored in the inode. It was later added to directory entries so that commands like “ls -F” would not have to read every inode in a directory in order to display the file type.