BestHub
Sign in
Information Security 9 min read

How to Hide Linux File Timestamps with a Shell Script – Step‑by‑Step Guide

This article explains how attackers can use Linux shell commands and a custom Bash script to view, modify, save, and later restore file timestamps, thereby concealing evidence of intrusion while providing the necessary code snippets and command examples for each step.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
How to Hide Linux File Timestamps with a Shell Script – Step‑by‑Step Guide

Linux administrators and attackers alike can control, destroy, or obtain anything on a server using shell scripts; timestamps are a common forensic clue, but they can be forged or hidden with simple commands.

Step 1: View and Modify Timestamps

The touch command creates a file or updates its modification time, while stat and ls -l display detailed timestamp information.

touch file
touch *
stat file
ls -l

Step 2: Organize the Shell Script

The script accepts parameters: -s to save timestamps, -r to restore them, and shows an error when no arguments are provided.

Step 3: Create the Script File

Use nano timestamps.sh and start with a shebang and argument check.

#!/bin/bash
if [ $# -eq 0 ]; then
  echo "Use -s or -r parameter."
  exit 1
fi

Step 4: Save Timestamps to a File

List files with ls -l, pipe through sed to extract month, day, year and filename, convert month names to numbers, and append the result to a file named timestamps.

ls -l | sed -n 's/^.*Jan/01/p; s/^.*Feb/02/p; … ; s/^.*Dec/12/p' >> timestamps

Step 5: Restore Timestamps

Read each line from the saved file, split it into month, day, year, and filename, then use touch -d to set the original timestamp. The script also handles timestamps that include a time component.

cat timestamps | while read line; do
  MONTH=$(echo $line | cut -f1 -d )
  DAY=$(echo $line | cut -f2 -d )
  YEAR=$(echo $line | cut -f3 -d )
  FILENAME=$(echo $line | cut -f4 -d )
  if [[ $YEAR == *:* ]]; then
    touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR" $FILENAME
  else
    touch -d "$YEAR-$MONTH-$DAY" $FILENAME
  fi
done

Step 6: Use the Script

Save timestamps: ./timestamps.sh -s. Modify timestamps with touch -d "2050-10-12 10:00:00" *. Verify with ls -a. Restore original timestamps: ./timestamps.sh -r.

./timestamps.sh -s   # save
./timestamps.sh -r   # restore

By automating the save and restore process, attackers can erase evidence of their actions, while system administrators must recognize that timestamps can be manipulated and should not rely solely on them for forensic analysis.

Source: FreeBuf.COM, author JingleCats
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LinuxForensicsTimestamp manipulation
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment