
Timestomping in Linux: Techniques, Detection, and Forensic Insights

  • May 1
  • 3 min read

------------------------------------------------------------------------------------------------------

Before we dive into timestomping on Linux, a quick note:

I've already written a detailed article on timestomping in Windows, where I covered what it is, how attackers use it, and most importantly—how to detect it effectively. If you're interested in understanding Windows-based timestomp techniques and detection strategies, make sure to check out the article linked below:



Now, let’s explore how timestomping works on Linux systems and what you can do to uncover such activity.

------------------------------------------------------------------------------------------------------


Let’s talk about something that often flies under the radar in Linux investigations—timestomping.


If you’re into forensics or incident response, you’ve probably come across files where the timestamps just don’t seem right. Maybe a malicious script claims it was modified months before the attack even happened.

Suspicious, right? That’s timestomping in action.

🔧 So, What Exactly Is Timestomping?

Timestomping is a sneaky little trick attackers use to manipulate file timestamps in order to hide their activities. Basically, they change the "last modified," "last accessed," or even "created" dates of files, so things don’t look out of place during an investigation.


Here are the four main timestamps you’ll see in Linux:

  • atime – last time the file was accessed

  • mtime – last time the content was modified

  • ctime – last time metadata (like permissions) changed

  • crtime – file creation time (only visible on some filesystems like ext4, and not easily accessible)


The goal is simple: blend in. If the file looks like it’s been sitting around for months, maybe you won’t look at it twice.

🛠️ The Classic Way: Using touch in Linux

The most common and dead-simple way to timestomp in Linux is with the touch command.


🧪 Basic Syntax:

touch -t [YYYYMMDDhhmm.ss] file

🎯 Some Practical Examples:

  • Set a custom access & modification time:

touch -t 202501010830.30 malicious.sh

  • Change only the access time:

touch -a -t 202501010101.01 report.log

  • Change only the modification time:

touch -m -t 202501010101.01 report.log

❗ Important Note: touch cannot change ctime or crtime. That’s metadata Linux protects more tightly.

-------------------------------------------------------------------------------------------------------------


🧠 Pro Trick: Copy Timestamps from Another File


Want to make one file mimic another?

touch -r /home/akash/legitfile suspiciousfile

Now suspiciousfile will have the same access and modification times as legitfile. Handy for blending in!


👀 But... Can We Detect This?

Yes. Even though timestomping is subtle, there are a few tells if you know what to look for.


🕵️‍♀️ 1. Subsecond Precision = 0?

Run stat on the file:

stat suspiciousfile

If you see nanoseconds like .000000000, it might’ve been altered using touch—since manual timestamps usually don’t include fine-grained precision.


-----------------------------------------------------------------------------------------------------------


⏳ System Time Manipulation: Another Sneaky Method

Here’s another trick some attackers use—they change the system clock to backdate files.


🧪 How it Works:

  1. Turn off NTP (time syncing):

sudo timedatectl set-ntp false

  2. Set a fake date/time:

sudo date -s "1999-01-01 12:00:00"

  3. Create or drop your malicious files:

touch payload.sh

  4. Restore the actual time:

sudo timedatectl set-ntp true

Now those files look like they were created in 1999—even though they were dropped minutes ago.

🔍 Real-World Detection Tips

Here’s how we can catch these kinds of timestamp games:


📋 1. Command Monitoring

Keep an eye on suspicious commands in your logs:

  • touch -t

  • touch -r

  • date -s

  • timedatectl

  • hwclock
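
The command list above only catches the well-known binaries; the same effect can come from any program that calls the underlying system calls. The following auditd rules are an added example (not from the original article) that logs the timestamp and clock syscalls themselves, so a renamed copy of touch or a one-line script is caught as well. The rule file path, the audit keys and the arch=b64/b32 pair (x86_64 host) are assumptions.

```
## /etc/audit/rules.d/timestomp.rules  (added example; path and keys are assumptions)
## Log the syscalls behind touch -t / touch -r, whatever binary issues them.
## auid>=1000 and auid!=unset keep system services out of this rule.
-a always,exit -F arch=b64 -S utimensat,utimes,futimesat,utime -F auid>=1000 -F auid!=unset -k timestomp
-a always,exit -F arch=b32 -S utimensat,utimes,futimesat,utime -F auid>=1000 -F auid!=unset -k timestomp
## Log clock changes. date -s, timedatectl (via systemd-timedated) and hwclock
## all end up in these syscalls, so no auid filter here.
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime,stime -k time-change
-w /etc/localtime -p wa -k time-change
```

Load the rules with augenrules --load and pull the hits with ausearch -k timestomp -i (or -k time-change); the records carry the calling process, its auid and the affected path, which is what you need to line the event up with the file's ctime.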


🧭 2. Timeline Inconsistencies

  • Does a file’s mtime predate surrounding system events?

  • Is ctime suspiciously newer than atime/mtime?

  • Are there clusters of files all modified at the same weird timestamp?


Use stat to dig into these or check timelines with forensic tools (more on that below).
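
The stat-based tells from section 1 above (zeroed nanoseconds) and the timeline checks just listed (ctime ahead of mtime, clusters of identical mtimes) can be run over a whole directory tree at once. The script below is an added example, not code from the original article; its thresholds (60 s ctime gap, 3 files per cluster) are constructed values and the field names are Python's os.stat attributes.

```python
"""Walk a directory and flag files that show the timestomping tells above."""
import os
import sys
from collections import defaultdict

NS_PER_SEC = 1_000_000_000
# Thresholds are constructed for this example; tune them for your environment.
CTIME_GAP_SECONDS = 60   # mtime this far behind ctime suggests it was set by hand
CLUSTER_MIN = 3          # this many files sharing one exact mtime is a cluster

def check_stat(st: os.stat_result) -> list[str]:
    """Return the reasons one file's stat result looks timestomped."""
    reasons = []
    # touch -t / touch -r write whole seconds, so the nanosecond field is 0.
    # Caveat: filesystems with 1-second granularity show 0 for every file, so
    # this tell only means something on ext4/xfs/btrfs and similar.
    if st.st_mtime_ns % NS_PER_SEC == 0 or st.st_atime_ns % NS_PER_SEC == 0:
        reasons.append("zero_subsecond")
    # touch cannot set ctime; the kernel stamps it with the real time of the
    # change, so a backdated mtime leaves ctime well ahead of mtime.
    if st.st_ctime_ns - st.st_mtime_ns > CTIME_GAP_SECONDS * NS_PER_SEC:
        reasons.append("ctime_after_mtime")
    return reasons

def scan(root: str) -> dict[str, list[str]]:
    """Map each suspicious path under root to its reasons; files sharing one
    exact mtime with CLUSTER_MIN-1 others additionally get 'mtime_cluster'."""
    findings: dict[str, list[str]] = {}
    by_mtime: dict[int, list[str]] = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort
            reasons = check_stat(st)
            if reasons:
                findings[path] = reasons
            by_mtime[st.st_mtime_ns].append(path)
    # Clusters also arise legitimately (tar -x, cp -a), so treat them as leads.
    for paths in by_mtime.values():
        if len(paths) >= CLUSTER_MIN:
            for path in paths:
                findings.setdefault(path, []).append("mtime_cluster")
    return findings

if __name__ == "__main__":
    for p, why in sorted(scan(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(f"{p}: {', '.join(why)}")
```

Run it against a mounted image or a suspect directory; every hit is a lead to confirm with stat, not a verdict, because package installs and archive extractions produce the same cluster pattern.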

🛠️ Forensic Tools That Can Help

Here are some tools I often use when digging into possible timestomping:

  • auditd – Can log file events and command execution (like touch, date)

  • Sysmon for Linux – A great way to track suspicious process activity

  • Plaso / log2timeline – My go-to for creating timelines and spotting weird timestamp gaps

  • Velociraptor – Awesome for live hunting across multiple systems

  • Eric Zimmerman's Tools – These are more for Windows, but worth mentioning if you’re working across platforms or with NTFS images



🔚 Final Thoughts

Timestomping isn’t flashy—but it’s effective. That’s what makes it dangerous. A single altered timestamp can throw off your entire investigation if you’re not paying attention.


But once you know what to look for—whether it's zeroed-out nanoseconds, unusual ctime, or oddly-timed files—you can start to see through the smoke and mirrors.
Stay curious, stay forensic. 🕵️‍♂️
