How to Use Shell Scripts to Manipulate Linux File Timestamps and Hide Traces
This guide explains how attackers can use Linux shell commands such as touch, stat, and ls, combined with custom Bash scripts, to record, modify, and restore file timestamps, enabling them to conceal evidence of intrusion and automate timestamp manipulation on compromised servers.
Background
File modification timestamps are a common forensic artifact on Linux systems. Attackers can alter these timestamps to hide their activity, and defenders can use the same tools to detect tampering. This article provides a step‑by‑step Bash solution for saving, modifying, and restoring timestamps.
Step 1 – Viewing and Changing Timestamps
The touch command creates a file or updates its access and modification times. Examples: touch file If the file exists, its modification time is set to the current system time. Wildcards can update many files at once: touch * To inspect a file’s timestamps, use stat: stat file Listing files with ls -l also shows timestamps:
ls -lCustom timestamps can be set with the -d flag: touch -d "2001-01-01 20:00:00" file Verify the change with:
ls -l fileSigned-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Liangxu Linux
Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.