How to Use Shell Scripts to Manipulate Linux File Timestamps and Hide Traces
This article explains how an attacker with shell access can manipulate Linux file timestamps, using touch, stat and ls and a small Bash script that saves, modifies and restores timestamps to frustrate forensic analysis.
Once an attacker has a shell on a Linux server, they can read, alter or destroy whatever that account can reach, and they can also obscure when they did it by forging file timestamps.
File timestamps are a primary source of forensic evidence: they can be inspected with stat and ls and rewritten with touch, by hand or from a script. Linux keeps several per file: the access time (atime), the modification time (mtime) and the inode change time (ctime). touch can set atime and mtime to any value, but ctime is always written by the kernel as the current time on any metadata change, including the touch itself, so a forged mtime that is later than the ctime, or a ctime far newer than the mtime beside it, is itself a clue for an examiner.
Operation Steps
Step 1: View and Manipulate Timestamps
The touch command creates a new file or, if the file exists, sets its access and modification times to the current system time.
touch file
A wildcard expands to every non-hidden file in the current directory, so all of them receive the current time.
touch *
The stat command displays all of a file's timestamps (Access, Modify, Change and, where the filesystem reports it, Birth).
stat file
Listing files with ls -l also shows timestamps, but only the modification time, and only to the minute (or to the day for files older than about six months).
ls -l
Step 2: Organize the Shell Script
Before writing the script, decide which actions are needed: saving original timestamps, restoring them, or handling errors when no parameters are provided.
No parameters – return an error message; Save timestamp markers – write timestamps to a file; Restore timestamp markers – read the file and reset timestamps.
Step 3: Create the Script
Open nano timestamps.sh and add a shebang with basic argument checking, so the script exits with an error when no flag is given.
#!/bin/bash
if [ $# -eq 0 ]; then
    echo "Use -s (save) or -r (restore) parameter."
    exit 1
fi
Make the script executable:
chmod +x timestamps.sh
Step 4: Write Timestamps to a File
When the -s flag is used, remove any existing timestamps file, list files with ls -l, and use sed to replace everything up to and including the month name with the month number, so only the date fields and the filename remain.
rm -f timestamps
ls -l | sed -n 's/^.*Jan/01/p; s/^.*Feb/02/p; ... ; s/^.*Dec/12/p' >> timestamps
Each resulting line holds the month number, the day, then either the year or the time (ls -l prints HH:MM instead of the year for files modified within about the last six months), and finally the filename. This parsing is fragile: it depends on an English locale for the month names, breaks on filenames that contain spaces or a month name, and keeps at most minute precision.
Step 5: Restore File Timestamps
When the -r flag is used, read each line from the timestamps file, split it into fields, and apply them with touch -d. If the third field contains a colon it is a time rather than a year, so the script assumes the current year.
while read -r line; do
    MONTH=$(echo "$line" | cut -f1 -d ' ')
    DAY=$(echo "$line" | cut -f2 -d ' ')
    YEAR=$(echo "$line" | cut -f3 -d ' ')
    FILENAME=$(echo "$line" | cut -f4 -d ' ')
    if [[ $YEAR == *:* ]]; then
        # ls -l printed HH:MM instead of a year, so assume the current year
        CURRENTYEAR=$(date +%Y)
        touch -d "$CURRENTYEAR-$MONTH-$DAY $YEAR:00" "$FILENAME"
    else
        # only the date is known, so the time of day becomes 00:00:00
        touch -d "$YEAR-$MONTH-$DAY" "$FILENAME"
    fi
done < timestamps
Two limitations follow from using ls -l as the source: the current-year guess is wrong for a file last modified late in the previous year, and entries that carried only a date are restored to exactly midnight, a round value that stands out next to the file's unrounded ctime.
Step 6: Use the Script
Typical commands:
./timestamps.sh -s                    # save timestamps
touch -d "2050-10-12 10:00:00" *      # change the timestamps of all files
ls -l                                 # verify the change
./timestamps.sh -r                    # restore the original timestamps
After restoration, run ls -l again to confirm that the listed modification times match the saved values. stat, however, still shows a fresh Change time on every file: ctime cannot be set with touch, so the restore hides the tampering from ls -l but not from an examiner who compares mtime with ctime.
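The whole save, tamper and restore procedure above, as an added example that is not the article's script: it records atime and mtime in epoch seconds with GNU stat instead of parsing ls -l, so full precision and filenames with spaces survive the round trip, and it includes the mtime-versus-ctime check a forensic reviewer would run. The function names save_timestamps, restore_timestamps, mtime_after_ctime and demo_round_trip are my own, the sample file is constructed, and the code assumes GNU coreutils on Linux.

```bash
#!/bin/bash
# Added example, not the article's script: save and restore atime/mtime at
# full precision with GNU stat/touch, and show what a forensic check sees.
# Assumes GNU coreutils (stat --printf, touch -d @EPOCH, xargs -r) on Linux.

# Write "<atime_epoch> <mtime_epoch> <path>" for every regular file directly
# under $1 into $2.  -print0/-0 keep filenames with spaces intact; %X/%Y are
# atime/mtime in seconds since the epoch, which survive the round trip exactly
# (ls -l shows only minutes, or just the date for files older than six months).
save_timestamps() {
    local dir="$1" out="$2"
    : > "$out"
    find "$dir" -maxdepth 1 -type f -print0 |
        xargs -0 -r stat --printf '%X %Y %n\n' >> "$out"
}

# Read a file written by save_timestamps and put atime (-a) and mtime (-m)
# back.  "read -r atime mtime path" leaves everything after the second field
# in $path, so paths containing spaces are restored correctly.
restore_timestamps() {
    local saved="$1" atime mtime path
    while read -r atime mtime path; do
        [ -e "$path" ] || continue
        touch -a -d "@$atime" -- "$path"
        touch -m -d "@$mtime" -- "$path"
    done < "$saved"
}

# Forensic heuristic: a normal write updates mtime and ctime together, so an
# mtime later than ctime cannot arise from ordinary use.  Returns 0 (true)
# when the file looks timestomped by that test.
mtime_after_ctime() {
    local m c
    m=$(stat -c %Y -- "$1")
    c=$(stat -c %Z -- "$1")
    [ "$m" -gt "$c" ]
}

# Round trip on a constructed scratch file: save, tamper (as in step 6 above),
# restore.  Exits 0 if mtime came back exactly AND ctime still moved, i.e. the
# restore is invisible to ls -l but not to stat.
demo_round_trip() {
    local work saved f before_m before_c after_m after_c
    work=$(mktemp -d) || return 1
    saved=$(mktemp) || return 1
    f="$work/a file.txt"                      # space in the name on purpose
    printf 'constructed sample\n' > "$f"
    touch -d '2021-03-04 05:06:07' -- "$f"
    before_m=$(stat -c %Y -- "$f")
    before_c=$(stat -c %Z -- "$f")
    save_timestamps "$work" "$saved"
    sleep 1                                   # let ctime land in a new second
    touch -d '2050-10-12 10:00:00' -- "$f"    # the article's tampering step
    mtime_after_ctime "$f" || { rm -rf "$work" "$saved"; return 1; }  # caught
    restore_timestamps "$saved"
    after_m=$(stat -c %Y -- "$f")
    after_c=$(stat -c %Z -- "$f")
    rm -rf "$work" "$saved"
    [ "$after_m" = "$before_m" ] && [ "$after_c" != "$before_c" ]
}

if demo_round_trip; then
    echo "mtime restored exactly; ctime still advanced"
else
    echo "round trip failed" >&2
    exit 1
fi
```

The forward-dated tamper is caught immediately by mtime_after_ctime; after the restore that heuristic no longer fires, but stat still shows a Change time from the moment of the restore, which is what an examiner should compare against the claimed modification time.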
Conclusion
The script demonstrates how file timestamps can be altered to muddy a forensic timeline, and reminds system administrators that timestamps and logs can be forged and should not be trusted on their own: corroborate mtime with ctime, with audit or journal records, and with log copies kept off the host.
MaGe Linux Operations