Automating Linux File Timestamp Manipulation to Hide Traces

This guide explains how to use standard Linux utilities and a custom Bash script to view, modify, save, and restore file timestamps, enabling attackers or administrators to conceal or recover evidence of file changes on a server.

Liangxu Linux

Introduction

File modification times are a common indicator of intrusion on Linux systems, but they can be forged. This article shows how to use basic commands such as touch, stat, and ls to inspect timestamps and then automates saving and restoring them with a Bash script.

Step 1: View and Modify Timestamps

The touch command creates a new file or updates an existing file's access and modification times to the current system time. Examples:

touch file
touch *

To inspect a file's timestamps, use stat:

stat file

A detailed listing of many files at once is produced with ls -l:

ls -l

Custom timestamps can be set with the -d option of touch using the format yyyy-mm-dd HH:MM:SS:

touch -d "2001-01-01 20:00:00" file

Step 2: Organize the Shell Script

The script must handle three scenarios based on its arguments:

No arguments – print an error message and exit.
-s – save current timestamps to a file.
-r – restore timestamps from the saved file.

Conditional logic is implemented with if statements.

Step 3: Create the Script

Open a new file with nano timestamps.sh and add the following header:

#!/bin/bash
if [ $# -eq 0 ]; then
  echo "Use -s (save) or -r (restore) parameter."
  exit 1
fi

Make the script executable:

chmod +x timestamps.sh

Step 4: Save Timestamps

When the -s flag is supplied, the script removes any previous timestamps file, iterates over target files, extracts the month, day, year, and filename using ls -l and sed, converts month names to numbers, and appends the cleaned data to the timestamps file.

if [ "$1" = "-s" ]; then
  rm -f timestamps
  for x in *; do
    # LC_ALL=C forces English month names; -d lists a directory itself rather than its
    # contents; tr -s collapses the padding in "Jan  1" so cut sees one field per column.
    # From field 6 on, ls -l prints "Mon DD YYYY name" for old files and "Mon DD HH:MM name"
    # for files modified in the last six months; the month name is then replaced by its number.
    LC_ALL=C ls -ld "$x" | tr -s ' ' | cut -d' ' -f6- |
      sed 's/^Jan/01/;s/^Feb/02/;s/^Mar/03/;s/^Apr/04/;s/^May/05/;s/^Jun/06/;s/^Jul/07/;s/^Aug/08/;s/^Sep/09/;s/^Oct/10/;s/^Nov/11/;s/^Dec/12/' >> timestamps
  done
fi

Step 5: Restore Timestamps

When the -r flag is used, the script reads each line from the timestamps file, parses month, day, year, and filename, determines the current year if the saved entry lacks a year, and then applies the original timestamps with touch -d.

if [ "$1" = "-r" ]; then
  # each saved line is "MM DD YYYY name" or "MM DD HH:MM name" (names with spaces are not handled)
  while read -r line; do
    MONTH=$(echo "$line" | cut -f1 -d' ')
    DAY=$(echo "$line" | cut -f2 -d' ')
    YEAR=$(echo "$line" | cut -f3 -d' ')
    FILENAME=$(echo "$line" | cut -f4 -d' ')
    if [[ $YEAR == *:* ]]; then
      # ls -l shows HH:MM instead of the year for recently modified files, so the year
      # was never saved; assume the current year (wrong for entries that straddle New Year)
      CURRENTYEAR=$(date +%Y)
      touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR" "$FILENAME"
    else
      # old entries carry only the date, so the time of day is reset to midnight
      touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
    fi
  done < timestamps
fi

Step 6: Using the Script

Typical usage:

./timestamps.sh -s – save timestamps of all files.
touch -d "2050-10-12 10:00:00" * – modify timestamps arbitrarily.
ls -l – verify changes.
./timestamps.sh -r – restore original timestamps.

After restoration, a final ls -l should show that the timestamps match the saved values, confirming that the script has successfully hidden and then recovered the original file times.
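As an added example that is not part of the original guide, the following script takes the defender's side of the same mechanism: touch -d (and the restore step above) rewrite atime and mtime, but not the inode change time (ctime, the "Change:" line in stat), which the kernel sets to the current clock on every such update, so a file whose ctime runs well ahead of its mtime has had its times edited after its last content write. It assumes GNU coreutils stat and a POSIX shell on Linux; the function names, file names and 60-second tolerance are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical detection helper (not part of the original guide).
# Flags files whose ctime is more than a tolerance ahead of their mtime, which is the
# footprint left when atime/mtime are rewritten after the last write.
find_backdated() {
  dir=$1
  tolerance=${2:-60}   # seconds of ctime-mtime skew tolerated before flagging
  # one file per line (file names containing newlines are not handled)
  find "$dir" -type f | while IFS= read -r f; do
    mtime=$(stat -c '%Y' "$f")   # GNU stat: %Y = mtime as epoch seconds
    ctime=$(stat -c '%Z' "$f")   # GNU stat: %Z = ctime as epoch seconds
    gap=$((ctime - mtime))
    if [ "$gap" -gt "$tolerance" ]; then
      printf '%s mtime=%s ctime=%s gap=%ss\n' "$f" "$mtime" "$ctime" "$gap"
    fi
  done
}

# Constructed demonstration: one untouched file and one whose mtime was backdated with
# the same touch -d call shown in Step 1. Only the backdated file is reported.
demo() {
  tmp=$(mktemp -d)
  echo "untouched" > "$tmp/normal.log"
  echo "evidence" > "$tmp/backdated.log"
  touch -d "2001-01-01 20:00:00" "$tmp/backdated.log"
  find_backdated "$tmp" 60
  rm -rf "$tmp"
}

demo
```

The check is a triage heuristic rather than proof: ordinary metadata changes (chmod, chown, mv) also advance ctime, which is why the tolerance exists and why hits should be cross-checked against change records, file-integrity monitoring or backups.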

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference.
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
