by graylights
4181 days ago
"Do note that file creation time in unix requires kernel level access and quite a bit of low level filesystem knowledge to truly forge." Timestamps are a mess on unix. POSIX doesn't support creation time but instead has ctime (change time). Newer filesystems add crtime but common utilities don't ever display crtime. Also partitions sometimes are mounted to not update atime for performance reasons. crtime (and ctime) can be modified with root privileges without kernel access with debugfs. Or you can go the ugly hackish way:
date -s $forgedate && touch tmp && date -s $realdate && cat original >> tmp && mv tmp original

Neither are elegant, but certainly not hard. What's really hard to forensically cover up is the order of inodes on a filesystem. That file with forged timestamps to 2012 will still have an inode that looks much more recent.
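An added triage script, not from the comment above or from any forensic tool, that turns its two observations into checks a responder can run: mtime is user-settable while ctime is kernel-maintained, and inode numbers roughly follow allocation order, so a file claiming to be from 2012 but sitting among inodes whose neighbours date from last month is a lead. It assumes a Linux filesystem where `st_ctime` is change time; the sample records are constructed and `scan_dir` is a helper for real directories.

```python
import os
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Rec:
    path: str
    ino: int      # st_ino, handed out roughly in allocation order
    mtime: float  # st_mtime: settable with touch/utimes
    ctime: float  # st_ctime: kernel-maintained, bumped by every change


def scan_dir(root: str) -> list[Rec]:
    """Collect inode number, mtime and ctime for every entry under root."""
    out = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.lstat(p)
            out.append(Rec(p, st.st_ino, st.st_mtime, st.st_ctime))
    return out


def mtime_after_ctime(recs: list[Rec], slack: float = 2.0) -> list[str]:
    """Check 1: every mtime update also bumps ctime, so an mtime ahead of
    ctime can only come from setting mtime by hand (touch -m -d, utimes)."""
    return [r.path for r in recs if r.mtime > r.ctime + slack]


def inode_order_anomalies(recs: list[Rec], window: int = 8,
                          min_gap: float = 30 * 86400) -> list[str]:
    """Check 2: sort by inode and compare each file's mtime with the median
    mtime of the `window` files allocated just before it. A claimed mtime
    far older than that neighbourhood means the inode looks newer than the
    file pretends to be. cp -p and tar extraction produce the same pattern
    legitimately, so hits are leads for triage, not proof of forgery."""
    ordered = sorted(recs, key=lambda r: r.ino)
    hits = []
    for i, r in enumerate(ordered):
        prev = ordered[max(0, i - window):i]
        if len(prev) < 3:  # too few neighbours to judge
            continue
        if median(p.mtime for p in prev) - r.mtime > min_gap:
            hits.append(r.path)
    return hits


# Constructed sample, not from a real system: ten files allocated in a row
# in late 2023, then one whose mtime was pushed back to 2012-01-01 and one
# whose mtime was pushed into the future. Values are Unix epoch seconds.
_BASE = 1_700_000_000
SAMPLE = [Rec(f"normal{i}.txt", 1000 + i, _BASE + i * 3600, _BASE + i * 3600)
          for i in range(10)]
SAMPLE += [Rec("forged.txt", 1010, 1_325_376_000, _BASE + 10 * 3600),
           Rec("future.txt", 1011, _BASE + 10_000_000, _BASE + 11 * 3600)]
```

Run `scan_dir("/some/path")` in place of `SAMPLE` to apply both checks to a live tree; neither check sees crtime, which on ext4 still needs `debugfs` or `stat`'s birth field to inspect.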