Linux – Fake File Access, Modify and Change TimeStamps

Files in Linux have 3 types of timestamps: atime (access), mtime (modify) and ctime (change).

Someday you may find yourself in a situation where you would like to fake the timestamps of a file.

atime and mtime timestamps can be easily changed using the touch command, but there is no standard way to set a different ctime timestamp.

As a possible workaround you can set the system time to the ctime you want to impose, then touch the file and then restore the system time.

Read the article below to learn how to change a file’s timestamps and keep anonymity.

Get a File’s TimeStamps

Use the stat command to see the current file’s timestamps:

$ stat file.txt
  File: ‘file.txt’
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: 804h/2052d	Inode: 2501536     Links: 1
Access: (0644/-rw-r--r--)  Uid: ( 1000/     admin)   Gid: ( 1000/     admin)

Access: 2015-02-19 11:43:08.503408793 +0200
Modify: 2015-02-19 11:43:08.503408793 +0200
Change: 2015-02-19 11:43:08.503408793 +0200

Difference Between “atime”, “mtime” and “ctime”

Timestamp | When does it get updated?
atime | Access time gets updated when you open a file or when a file is used for other operations like grep, cat, head and so on.
mtime | Modify time gets updated whenever you update the content of a file or save a file.
ctime | Change time gets updated when the file attributes are changed, like changing the owner, changing the permission or moving it to another filesystem, but will also be updated when you modify a file.

Change File “Access” & “Modification” Time

Change a file’s atime (access time):

$ touch -a --date="1988-02-15" file.txt
$ touch -a --date="1988-02-15 01:00" file.txt
$ touch -a --date="1988-02-15 01:00:17.547775198 +0300" file.txt

Change a file’s mtime (modification time):

$ touch -m --date="2020-01-20" file.txt
$ touch -m --date="2020-01-20 23:05" file.txt
$ touch -m --date="2020-01-20 23:05:43.443117094 +0400" file.txt
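
A defender-side check for the touch-based changes above, added here as an example (not code from the original article): a time set with touch --date has a zero sub-second part unless one is given, and an mtime later than ctime cannot come from an ordinary write, because setting times always moves ctime to the current clock. The function names and the sample instant are assumptions of this example.

```python
import os
import tempfile
import time

NS = 1_000_000_000  # nanoseconds per second


def timestamp_findings(atime_ns, mtime_ns, ctime_ns, now_ns):
    """Return indicator names for one file's timestamps (all values in ns)."""
    findings = []
    for name, value in (("atime", atime_ns), ("mtime", mtime_ns)):
        # Times written by the kernel carry nanoseconds; explicitly set
        # times are often whole seconds (weak indicator).
        if value % NS == 0:
            findings.append(f"{name}_whole_second")
    # A content write sets mtime and ctime together, and ctime only moves
    # forward afterwards, so mtime > ctime means mtime was set explicitly.
    if mtime_ns > ctime_ns:
        findings.append("mtime_after_ctime")
    for name, value in (("atime", atime_ns), ("mtime", mtime_ns),
                        ("ctime", ctime_ns)):
        # Any timestamp ahead of the current clock, ctime included.
        if value > now_ns:
            findings.append(f"{name}_in_future")
    return findings


def scan_file(path, now_ns=None):
    """Apply timestamp_findings() to a file on disk."""
    st = os.stat(path, follow_symlinks=False)
    if now_ns is None:
        now_ns = time.time_ns()
    return timestamp_findings(st.st_atime_ns, st.st_mtime_ns,
                              st.st_ctime_ns, now_ns)


def demo():
    """Backdate a temporary file the way touch -a/-m --date does, then scan it."""
    with tempfile.NamedTemporaryFile() as tmp:
        backdated = 571_885_200 * NS  # constructed whole-second instant in 1988
        os.utime(tmp.name, ns=(backdated, backdated))
        return scan_file(tmp.name)


if __name__ == "__main__":
    print(demo())
```

Whole-second values are only a weak signal on their own, since tools that restore timestamps from archives can produce them too.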

Change File “Change” Time

As I have already said, there is no standard solution to fake a ctime (change time) timestamp.

Nevertheless, if you are ready to take the risk, it is possible ;)

Firstly you can set the system time to the ctime you want to impose.

Then touch the file and immediately rollback the system time.

Unexpected impact: Modification of the system time may cause an unexpected impact! Use the commands below at your own risk!

Save the current system’s date and time in the variable NOW:

$ NOW=$(date)

Set the fake date and time (requires root):

$ date --set "2030-08-15 21:30:11"

Touch the file to fake all the timestamps:

$ touch file.txt

Rollback the date and time (requires root):

$ date --set "$NOW"

To speed up the modification and reduce the possible impact, execute the above commands as follows:

$ NOW=$(date) && date -s "2030-08-15 21:30:11" && touch file.txt && date -s "$NOW"

Stay Stealthy

To stay stealthy – unset the variable, clear logs and history.

Unset the variable NOW:

$ unset NOW

Remove the information about changed time from /var/log/messages (requires root):

Feb 24 06:32:46 centos7 systemd: Time has been changed
Aug 15 14:30:11 centos7 systemd: Time has been changed
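
From the monitoring side, the same log lines are what gives the clock change away. The following is an added example (not code from the original article) that scans traditional syslog lines for the systemd message and for timestamps that jump; the year, the gap threshold and the two neighbouring sample lines are assumptions of this example.

```python
from datetime import datetime, timedelta

MARKER = "Time has been changed"  # systemd message quoted in the article

# The two systemd lines are the ones quoted above; the others are constructed.
SAMPLE = [
    "Feb 24 06:32:40 centos7 sshd[1201]: Accepted publickey for admin",
    "Feb 24 06:32:46 centos7 systemd: Time has been changed",
    "Aug 15 14:30:11 centos7 systemd: Time has been changed",
    "Feb 24 06:33:02 centos7 crond[977]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_ts(line, year):
    # Traditional syslog lines carry no year, so the caller supplies one.
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def clock_anomalies(lines, year=2015, max_gap=timedelta(days=1)):
    """Return (line_number, reason) for clock-change messages and time jumps."""
    hits = []
    prev = None
    for number, line in enumerate(lines, start=1):
        try:
            ts = parse_ts(line, year)
        except ValueError:
            continue  # not a syslog-formatted line
        if MARKER in line:
            hits.append((number, "clock_change_logged"))
        if prev is not None:
            if ts < prev:
                hits.append((number, "timestamp_went_backwards"))
            elif ts - prev > max_gap:
                hits.append((number, "timestamp_jumped_forward"))
        prev = ts
    return hits


if __name__ == "__main__":
    for number, reason in clock_anomalies(SAMPLE):
        print(number, reason)
```

The jump checks do not depend on the systemd message, so they still fire on any other line written while the clock was off; forwarding syslog to a remote collector keeps a copy that local edits cannot reach.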


Clear the last login history (requires root):

$ echo > /var/log/wtmp
$ echo > /var/log/btmp
$ echo > /var/log/lastlog

Clear the history of the current session:

$ history -r

7 Replies to “Linux – Fake File Access, Modify and Change TimeStamps”

  1. The heading/description of the code should be corrected:
    Change a file’s [s]ctime[/s] mtime (modification time):

    $ touch -m --date="2020-01-20" file.txt
    $ touch -m --date="2020-01-20 23:05" file.txt
    $ touch -m --date="2020-01-20 23:05:43.443117094 +0400" file.txt
    1. Fixed. Thanks.

  2. It’s better to reset the date/time from ntp afterwards, using (for 2018 kernels):
    && timedatectl set-ntp off && timedatectl set-ntp on

    Note – doesn’t work if the file is on a share from a NAS or server, unless you run the command on the server (not recommended).
    Also note date -s format is sensitive to locale.

  3. Thanks, this is useful

  4. Thanks, useful information.

    Is it possible to SAFELY disable the touch command? Sometimes it is handy to disallow it so that if a server is hacked, the creation/modification times can’t be changed using touch. Obviously not as an entire solution, but so that if you see files changed at a glance you’ll know something is up. Obviously there are other ways to change it, but it seems some of the scripts just rely on touch.

    1. Touch is such a useful general purpose command and it’s used by many perfectly legitimate scripts that you shouldn’t disable it in any way.

  5. you were looking for faketime

    https://github.com/wolfcw/libfaketime
