You can change the date on a file to whatever you want. And not only the access time, but also the last modified and creation time. For example, we could change a file to be 3000 years old, which may seem impossible, but it will say that.
I wrote this because lots of customers at work kept saying, “This file says it’s really old. It was on there before my account was ever made! Were your systems hacked?!”
Me: “Nope, that’s called malware that either was in a zip/tar file and extracted it’s timestamp with itself, or changed it’s timestamp to try to hide.”
After I showed them how to make a really old file, they said “Dude! This is crazy!” I simply laughed.
Make the file
First, let’s create our file that says it’s 3000 years old.
[root]# touch -d "today - 3000 years" file.txt
[root]# ls -lh file.txt
-rw-r--r-- 1 root root 0 Nov 17 -984 file.txt
There you have it. A file that’s 3000 years old from 984 BC. No joke.
Breakdown
The command uses the touch
command to make the file, which can specify the date using the -d
argument. This can also be done with just about any programming language.
By default, the touch
command will update the access and modified times. Using -a
or -m
we can update only one or the other.
Get the real date
You can still find the real date of the file creation. This will require root/admin access, and assume that no file system level changes have been done. (Those can still be detected using special means and methods, but are beyond the scope of this article.)
The date is the evening of Nov 17, 2016.
We need to get the inode of the file:
[root]# ls -i file.txt
393454 file.txt
So the inode for the file is 393454
. Let’s make sure we know which partition we are on:
[root]# df -h file.txt
Filesystem Size Used Avail Use% Mounted on
/dev/vda1 20G 8.0G 11G 44% /
Ok, so drive /dev/vda1
.
Now all we need to do is use debugfs
to, using the inode and the drive, to get the creation, last access, and modification times:
[root]# debugfs -R 'stat <393454>' /dev/vda1
debugfs 1.42.9 (28-Dec-2013)
Inode: 393454 Type: regular Mode: 0644 Flags: 0x80000
Generation: 3258162841 Version: 0x00000000:00000001
User: 0 Group: 0 Size: 0
File ACL: 0 Directory ACL: 0
Links: 1 Blockcount: 0
Fragment: Address: 0 Number: 0 Size: 0
ctime: 0x582e02bb:1c549188 -- Thu Nov 17 20:19:23 2016
atime: 0x4d5abab7:1c86b6e2 -- Tue Feb 15 18:41:11 2011
mtime: 0x4d5abab7:1c86b6e2 -- Tue Feb 15 18:41:11 2011
crtime: 0x582e02bb:1c549188 -- Thu Nov 17 20:19:23 2016
Size of extra inode fields: 28
EXTENTS:
As you can see, the crtime
is the actual one, not the fake 3000 years old. Using stat
we get even odder values:
[root]# stat file.txt
File: ‘file.txt’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 393454 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2016-11-17 21:15:03.775938026 -0700
Modify: 2283-05-01 08:37:43.119647672 -0600
Change: 2016-11-17 20:19:23.118826082 -0700
Birth: -
But you can see that the Change
time says the actual time it was created.
Of course, there are ways the change even those… but that’s for another day.
The idea of using debugfs
to read get the real date originally came from
this Stackoverflow post.