Hide Your Linux Footprints: Master Timestamp Manipulation with Bash

This guide explains how to use Linux shell commands and a custom Bash script to view, modify, save, and restore file timestamps, enabling attackers to hide forensic evidence while also showing administrators how timestamps can be forged and why they must remain vigilant.


Step 1: View and Modify Timestamps

Linux stores a modification time for every file. Administrators can detect suspicious activity by checking these timestamps, but attackers can alter them using the touch command:

touch file

If the file does not exist, touch creates it; otherwise it updates the modification time to the current system time. Wildcards can update many files at once:

touch *

Details of a file can be inspected with stat and ls -l:

stat file
ls -l file

Step 2: Organize the Shell Script

The script should support two operations:

No parameters – display an error message.
-s – save current timestamps to a file.
-r – restore timestamps from the saved file.

Step 3: Create the Script File

Open nano timestamps.sh and add a shebang and parameter check:

#!/bin/bash
if [ $# -eq 0 ]; then
  echo "Use -s (save) or -r (restore) parameter."
  exit 1
fi

Make the script executable:

chmod +x timestamps.sh

Step 4: Save Timestamps

When -s is supplied, the script records the original timestamps. It lists files, extracts the month, day, year, and filename, converts month names to numbers, and appends the data to a timestamps file.

ls -l file | sed -n 's/^.*Jan/01/p; s/^.*Feb/02/p; ...'

Example of appending the processed line:

for x in *; do
  # ls ignores stdin, so its output (not an echo of the name) is piped to sed;
  # -d keeps directory entries from being expanded into their contents
  ls -ld "$x" | sed -n 's/^.*Jan/01/p; ...' >> timestamps
done

Step 5: Restore Timestamps

When -r is supplied, the script reads each line from the timestamps file, parses month, day, year, and filename, determines the correct year (using cal if necessary), and restores the timestamp with touch -d:

# Each saved line looks like "01 12  2023 file". read splits on runs of
# whitespace, which matters because ls pads the date column with extra
# spaces (cut -d ' ' would return empty fields for those lines).
while read -r MONTH DAY YEAR FILENAME; do
  [ -z "$FILENAME" ] && continue   # skip blank or malformed lines
  # YEAR holds HH:MM for files modified within the last six months
  # (ls -l prints the time instead of the year); fix the year up first
  touch -d "$YEAR-$MONTH-$DAY 00:00:00" "$FILENAME"
done < timestamps

Step 6: Use the Script

Typical usage:

./timestamps.sh -s   # save timestamps
./timestamps.sh -r   # restore timestamps
ls -a                # verify changes

The script can also modify all files in a directory with a custom date:

touch -d "2050-10-12 10:00:00" *

Conclusion

This script demonstrates how attackers can erase forensic traces by forging file timestamps, and it reminds system administrators that timestamps are not trustworthy evidence and must be corroborated with additional logs and security measures.
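An added example from the defender's side, not code from the original article: touch -d rewrites atime and mtime, but the kernel stamps the inode change time (ctime) with the current clock on every such update and the file API has no call to back-date it, so the stat output shown in Step 1 still exposes the edit. The script below (assumes GNU coreutils stat and find, and a directory path as its argument) lists files whose mtime lies in the future, after their ctime, or more than a tolerance before it; the last class also arises from cp -p, tar, rsync -a or chmod, so it is a lead to corroborate, not proof.

```shell
#!/bin/sh
# Added defender-side example, not code from the original article.
# touch -d rewrites atime/mtime, but the kernel sets the inode change
# time (ctime) to the current clock on every inode update and the file
# API offers no call to back-date it, so a forged mtime leaves the
# mtime/ctime pair inconsistent. Assumes GNU coreutils stat and find.

# Print "REASON<TAB>mtime<TAB>ctime<TAB>path" for each suspicious regular
# file under directory $1. Tolerance $2 (seconds, default 5) absorbs the
# normal lag between a write and a later inode change.
find_suspect_mtimes() {
  dir="$1"
  tolerance="${2:-5}"
  now=$(date +%s)
  find "$dir" -type f | while IFS= read -r path; do
    # one stat call so both values come from the same inode snapshot
    ts=$(stat -c '%Y %Z' "$path")   # epoch seconds: "mtime ctime"
    mtime=${ts% *}
    ctime=${ts#* }
    if [ "$mtime" -gt "$now" ]; then
      # a date such as the article's "2050-10-12" lands here
      printf 'FUTURE_MTIME\t%s\t%s\t%s\n' "$mtime" "$ctime" "$path"
    elif [ "$mtime" -gt "$ctime" ]; then
      # cannot happen through normal writes: the write itself bumps ctime
      printf 'MTIME_AFTER_CTIME\t%s\t%s\t%s\n' "$mtime" "$ctime" "$path"
    elif [ $((ctime - mtime)) -gt "$tolerance" ]; then
      # weak signal: also produced by cp -p, tar -x, rsync -a, chmod/chown,
      # so corroborate with package manifests, backups or audit logs
      printf 'MTIME_BEFORE_CTIME\t%s\t%s\t%s\n' "$mtime" "$ctime" "$path"
    fi
  done
}

# Usage: ./mtime_check.sh /path/to/dir [tolerance_seconds]
if [ $# -gt 0 ]; then
  find_suspect_mtimes "$@"
fi
```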

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Linux, Security, Shell, Timestamps, Forensics
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
