How to Hide Linux File Timestamps with a Bash Script
This guide explains how attackers can conceal their activities on a Linux system by manipulating file timestamps using the touch, stat, and ls commands and by automating the process with a Bash script that saves, restores, and reapplies timestamps to hide evidence of compromise.
Background
File modification times are a common forensic clue. On Linux every file stores an access, modification, and change timestamp, which administrators often check to detect unauthorized changes. However, these timestamps can be forged, allowing an attacker to erase traces of their actions.
Step 1 – Viewing and Modifying Timestamps
The touch command creates a new file or updates the timestamp of an existing one. Examples: touch file Updates the timestamp of file to the current time. touch * Updates the timestamps of all files in the current directory.
To inspect timestamps, use stat or ls -l:
stat filels -lSigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.