- Linux – Fake File Access, Modify and Change TimeStamps
- Get a File’s TimeStamps
- Difference Between “atime”, “mtime” and “ctime”
- Change File “Access” & “Modification” Time
- Change File “Change” Time
- Stay Stealthy
- Setting creation or change timestamps
- 5 Answers 5
- The easiest way:
- How can I change ‘change’ date of file?
Linux – Fake File Access, Modify and Change TimeStamps
Files in Linux have 3 types of timestamps: atime (access), mtime (modify) and ctime (change).
Someday you may have a situation when you would like to fake a timestamps of some file.
atime and mtime timestamps can be easily changed using touch command, but there is no a standard way to set a different ctime timestamp.
As a possible workaround you can set the system time to the ctime you want to impose, then touch the file and then restore the system time.
Read the below article to learn how to change a file’s timestamps and keep anonymity.
Cool Tip: To cover up the traces – clear the last login history. Read more →
Get a File’s TimeStamps
Use the stat command to see the current file’s timestamps:
$ stat file.txt File: ‘file.txt’ Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 804h/2052d Inode: 2501536 Links: 1 Access: (0644/-rw-r--r--) Uid: ( 1000/ admin) Gid: ( 1000/ admin) Access: 2015-02-19 11:43:08.503408793 +0200 Modify: 2015-02-19 11:43:08.503408793 +0200 Change: 2015-02-19 11:43:08.503408793 +0200
Difference Between “atime”, “mtime” and “ctime”
| Timestamp | When it gets updated? |
|---|---|
| atime | Access time gets updated when you open a file or when a file is used for other operations like grep, cat, head and so on. |
| mtime | Modify time gets updated when you whenever update content of a file or save a file. |
| ctime | Change time gets updated when the file attributes are changed, like changing the owner, changing the permission or moving it to another filesystem, but will also be updated when you modify a file. |
Change File “Access” & “Modification” Time
Change a file’s atime (access time):
$ touch -a --date="1988-02-15" file.txt $ touch -a --date="1988-02-15 01:00" file.txt $ touch -a --date="1988-02-15 01:00:17.547775198 +0300" file.txt
Change a file’s mtime (modification time):
$ touch -m --date="2020-01-20" file.txt $ touch -m --date="2020-01-20 23:05" file.txt $ touch -m --date="2020-01-20 23:05:43.443117094 +0400" file.txt
Change File “Change” Time
Nevertheless, if you are ready to risk, it is possible;)
Firstly you can set the system time to the ctime you want to impose.
Then touch the file and immediately rollback the system time.
Unexpected impact: Modification of a system time may cause an unexpected impact! Use the below commands on your own risk!
Save the current system’s date and time in the variable NOW :
Set the fake date and time (requires root):
Touch the file to fake the all timestamps:
Rollback the date and time (requires root):
Cool Tip: Clear the BASH history effectively! Read more →
To speedup modification and reduce the possible impact, execute the above commands as follows:
$ NOW=$(date) && date -s "2030-08-15 21:30:11" && touch file.txt && date -s "$NOW"
Stay Stealthy
To stay stealthy – unset the variable, clear logs and history.
Remove the information about changed time from /var/log/messages (requires root):
Feb 24 06:32:46 centos7 systemd: Time has been changed Aug 15 14:30:11 centos7 systemd: Time has been changed
atime and mtime timestamps can be easily changed using touch command, but there is no a standard way to set a different ctime timestamp.
Cool Tip: Want to stay anonymous? Learn how to use PROXY on the Linux command line. Read more →
Clear the last login history (requires root):
$ echo > /var/log/wtmp $ echo > /var/log/btmp $ echo > /var/log/lastlog
Clear the history of the current session:
Setting creation or change timestamps
Using utimes , futimes , futimens , etc., it is possible to set the access and modification timestamps on a file. Modification time is the last time the file data changed. Similarly, «ctime» or change time, is the last time attributes on the file, such as permissions, were changed. (Linux/POSIX maintains three timestamps: mtime and ctime, already discussed, and ‘atime’, or access time.) Is there a function to set change timestamps? (Where «change» is the attribute modification or ‘ctime’, not modification time ‘mtime’.) (I understand the cyclic nature of wanting to change the change timestamp, but think archiving software — it would be nice to restore a file exactly as it was.) Are there any functions at all for creation timestamps? (I realize that ext2 does not support this, but I was wondering if Linux did, for those filesystems that do support it.) If it’s not possible, what is the reasoning behind it not being so?
@Madhur Ahuja: touch does not have a parameter (at least, my version does not or is not documented to have one) for changing creation or change times. touch will change modification or access times, however.
I see nothing on that page to indicate that touch has the capability to set change timestamps in any way. Note that I’m looking for change timestamps, which are a different beast from modification timestamps. I’ve tried to clarify my post on this point, if this is what is confusing. If it is not, what passage from that page gives you that suggestion?
@Madhur Ahuja: And pardon my unclear post. I will re-read it in a bit, to see if I can improve it once I’ve let myself get unfamiliar with it.
5 Answers 5
For ext2/3 and possibly for ext4 you can do this with debugfs tool, assuming you want to change the ctime of file /tmp/foo which resides in disk /dev/sda1 we want to set ctime to 201001010101 which means 01 January 2010, time 01:01:
Warning: Disk must be unmounted before this operation
# Update ctime debugfs -w -R 'set_inode_field /tmp/foo ctime 201001010101' /dev/sda1 # Drop vm cache so ctime update is reflected echo 2 > /proc/sys/vm/drop_caches Information taken from Command Line Kung Fu blog.
@eitan27 AFAIK debugfs will refuse to work if the disk is mounted, given it can harm the data on the disk.
@Eitan: Because you’re changing bytes on disk, not going through the kernel’s VFS cache. So the kernel’s in-memory data could get out of sync with the data structures on disk.
I had a similar issue, and wrote my answer here.
There are essentially two options:
- Slight change in kernel (code included in link)
- Change the system clock to the desired ctime, touch the file, then restore current time. (shell script for that included in link).
According to http://lists.gnu.org/archive/html/coreutils/2010-08/msg00010.html ctime cannot be faked (at least it’s not intended to be fakeable):
POSIX says that atime and mtime are user-settable to arbitrary times via the utimensat() family of syscalls, but that ctime must unfakeably track the current time of any action that changes a file’s metadata or contents.
If you just need to change a file’s ctime for some testing/debugging, bindfs might be helpful. It’s a FUSE filesystem which mounts one directory into another place, and can do some transformation on the file attributes. With option —ctime-from-mtime the ctime of each file is the same as its mtime, which you can set with touch -t .
I’m not experienced in that area; but according to unix.stackexchange.com/a/20464 the various standards don’t require file creation time to be stored. Some filesystems store creation time anyway, and it can be accessed with nonstandard ways.
ctime is not create-time but file attributes’ change-time. For example, the file size is such an attribute. Hence if you modify a file, ctime and mtime get altered. So backup tools can rely on ctime , as it cannot be faked (except if you warp the system time).
The easiest way:
1) change System time 2) copy paste a file on another location. I tried this on windows 7 and I succeed to change all three timestamps. The stat command on linux shows that all three timestamps are changed.
The script below automates running debugfs . set_inode_field . ctime . in ismail’s answer for many files. It will copy ctime values from files in /media/MYUSER/MYFS/FOO/BAR (recursively) to /media/MYUSER/MYFS2/FOO/BAR , and umount /media/MYUSER/MYFS2 as a side effect. It will work only if the filesystem of /media/MYUSER/MYFS2 is ext2, ext3 or ext4 (because debugfs works only for these filesystems).
mydev2="$(df /media/MYUSER/MYFS2 | perl -ne '$x = $1 if !m@^Filesystem @ and m@([^ ]+) @; END < print "$x\n" >')" cd /media/MYUSER/MYFS find FOO/BAR -type f | perl -ne 'chomp; my @st = lstat($_); if (@st and -f(_)) < s@"@""@g; print "set_inode_field \"/$_\" ctime \@$st[10]\n" >' >/tmp/sif.out sudo umount /media/MYUSER/MYFS2 # Repeat until success. sudo debugfs -w -f /tmp/sif.out /dev/"$mydev2" It handles filenames with whitespace and special characters correctly.
It works independently of time zones. As a limitation of debugfs, its precision is seconds, it ignores anything smaller (e.g. milliseconds, microseconds, nanoseconds). Depending the version of debugfs used, it may use 32-bit timestamps, thus it works correctly with dates before 2038-01-19.
If the current user doesn’t have enough read permissions for /media/MYUSER/MYFS , then the commands above should be run as root ( sudo bash ).
How can I change ‘change’ date of file?
You cannot change the ctime by ordinary means. This is by design: the ctime is always updated to the current when you change any of the file’s metadata, and there is no way to impose a different ctime. To change the ctime of a file, you need to do one of the following:
- Set the system time to the ctime you want to impose, then touch the file, then reset the system time.
- Modify the kernel to add an interface to change the ctime.
- Access the disk image directly (e.g. with debugfs ) and twiddle the bits on the disk (don’t do it while the filesystem is mounted).
You have the answer on related SO question pointed by jw013, for extX, on unmounted disk :
# Update ctime debugfs -w -R 'set_inode_field /tmp/foo ctime 201001010101' /dev/sda1 # Drop vm cache so ctime update is reflected echo 2 > /proc/sys/vm/drop_caches $ NOW=$(date) && date -s «2030-08-15 21:30:11» && touch file.txt && date -s «$NOW»
The ctime of a file is updated when any of the metadata is changed.
$ ls -l x.py -rw-rw-r--. 1 ignacio ignacio 485 Mar 26 2010 x.py $ stat -c %z x.py 2010-03-26 11:57:56.237068175 -0400 $ chown ignacio x.py $ stat -c %z x.py 2012-04-08 15:31:33.682383575 -0400 $ ls -l x.py -rw-rw-r--. 1 ignacio ignacio 485 Mar 26 2010 x.py evandrix’s answer excerpted in the next line,
NOW=$(date) && date -s «2030-08-15 21:30:11» && touch file.txt && date -s «$NOW»
needs to be improved as described below :
In some systems like mine, date output doesn’t give a valid format to set with date -s
My system bash shell version : GNU bash, version 5.0.3(1)-release (x86_64-pc-linux-gnu)
My system date command version : date (GNU coreutils) 8.30
My system date command output and setting the date with this format is:
# date Tue 21 Jan 2020 01:36:22 PM +03 # date -s "Tue 21 Jan 2020 01:36:22 PM +03" date: invalid date ‘Tue 21 Jan 2020 01:36:22 PM +03’ So it is necessary to improve evandrix answer;
It would be better to assign the NOW variable to the timestamp value
change NOW=$(date) to NOW=$(date +@%s)
NOW=$(date +@%s) && date -s "2030-08-15 21:30:11" && \ touch file.txt && date -s "$NOW" Adding sudo command for non root user
sudo bash -c 'NOW=$(date +@%s); date -s "2030-08-15 21:30:11"; touch file.txt; date -s "$NOW"' sudo bash -c 'NOW=$(date +@%s); date -s "$2"; touch "$1"; date -s "$NOW"' -- \ "file.txt" "2030-08-15 21:30:11" In this way for easy use, the filename and setting date are assigned as arguments at the end of the line.