
How to Hide Linux File Timestamps with Shell Scripts – A Step-by-Step Guide

This article explains how attackers can use Linux shell commands and a custom Bash script to record, modify, and later restore file timestamps, thereby concealing evidence of intrusion, with detailed examples of touch, stat, ls, sed, and conditional scripting.


Linux file systems store modification timestamps for every file, which administrators often check to detect possible attacks. However, these timestamps can be forged using shell commands and scripts, allowing an attacker to hide traces.

Step 1: View and Change Timestamps

The touch command creates a new file or, if the file already exists, updates its modification time to the current system time:

touch file

With a wildcard it updates every file in the current directory:

touch *

To inspect timestamps, stat prints detailed information about a single file, while ls -l lists the timestamps of many files at once:

stat file
ls -l

Step 2: Organize the Shell Script

The script must support three modes based on parameters:

No parameters: print an error message.
-s: save the current timestamps to a file.
-r: restore timestamps from the saved file.

Step 3: Create the Script File

Open a new file with nano timestamps.sh and add the header and argument check:

#!/bin/bash
if [ $# -eq 0 ]; then
  echo "Use -s to save or -r to restore parameters."
  exit 1
fi

Make the script executable:

chmod +x timestamps.sh

Step 4: Save Timestamps to a File

When the -s flag is used, the script removes any previous timestamps file, lists each file with ls -l, and uses sed to extract the month, day, year, and filename, converting month names to numeric values.

ls -l file | sed -n 's/^.*Jan/01/p; ... ; s/^.*Dec/12/p'

The processed lines are appended to a file named timestamps:

rm -f timestamps   # drop the previous snapshot so old entries are not mixed in
for x in *; do ls -l "$x" | sed -n 's/^.*Jan/01/p; ... ; s/^.*Dec/12/p' >> timestamps; done

Step 5: Restore Original Timestamps

With the -r flag, the script reads each line from the timestamps file, parses month, day, year, and filename, and reconstructs the original timestamp. If the year field contains a time (e.g., 12:00:00), the current year is inserted.

CURRENTYEAR=$(date +%Y)
while read -r MONTH DAY YEAR FILENAME; do
  if [[ $YEAR == *:* ]]; then   # third field is HH:MM, so ls -l omitted the year
    touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" "$FILENAME"
  else
    touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
  fi
done < timestamps

Step 6: Using the Script

Typical commands:

./timestamps.sh -s – save the current timestamps.
touch -d "2050-10-12 10:00:00" * – modify the timestamps of all files in the directory.
ls -a – verify the changes.
./timestamps.sh -r – restore the original timestamps.

After restoration, a final ls -a confirms that the timestamps match the saved values, completing the conceal-and-restore process.
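The touch -d step above rewrites atime and mtime, but every timestamp change also makes the kernel set the inode change time (ctime) from the real clock, and ctime cannot be set from user space. The check below, added here as an example and not part of the original article, walks a directory and flags files whose mtime is later than their ctime (as the 2050 date above would be) or more than a threshold behind it; it assumes GNU stat and find on Linux.

```shell
#!/bin/bash
# Added example (not from the original article): triage check for timestomped files.
# touch -d can rewrite atime/mtime, but each such change also sets ctime to the real
# clock, and ctime cannot be set from user space. Comparing the two exposes the edit.
# Assumes GNU coreutils (stat -c) and find, i.e. a typical Linux host.

# timestomp_suspects DIR [THRESHOLD_SECONDS]
# Prints one line per suspicious regular file under DIR:
#   FUTURE    <mtime> <ctime> <path>   mtime later than ctime (e.g. the 2050 date above)
#   BACKDATED <mtime> <ctime> <path>   ctime more than THRESHOLD (default 1 day) after mtime
# Epoch seconds are printed so the gap can be read directly.
# BACKDATED is a triage signal only: cp -p, tar -x and rsync -t produce it legitimately.
timestomp_suspects() {
    local dir="$1" threshold="${2:-86400}"
    find "$dir" -type f -exec stat -c '%Y %Z %n' {} + \
        | awk -v t="$threshold" '{
            mtime = $1 + 0; ctime = $2 + 0
            if (mtime > ctime)          print "FUTURE", $0
            else if (ctime - mtime > t) print "BACKDATED", $0
          }'
}

# Number of suspects under DIR; convenient for a periodic job that compares runs.
timestomp_count() {
    timestomp_suspects "$@" | wc -l | tr -d ' '
}

# Run directly: ./check_timestomp.sh /var/www 86400
if [ $# -gt 0 ]; then
    timestomp_suspects "$@"
fi
```

A file reported as FUTURE cannot have been written that way by normal file activity, so it deserves a look even when the rest of the directory is clean.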

Conclusion

The presented script automates the capture and restoration of file timestamps, demonstrating how attackers can erase forensic evidence on a compromised Linux server. System administrators should be aware that timestamps, like logs, can be manipulated and therefore cannot be solely relied upon for intrusion detection.

Written by

ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.