File Metadata Preservation Scripts for Linux

✅ Tested and working on Linux systems

These scripts let you edit a file while preserving its modification time (mtime) on Linux filesystems. This is useful when the file's last-modified timestamp needs to keep showing its pre-edit value after you save changes.

Primary Use Cases

🔴 Red Team Operations & Bait File Creation

These scripts were developed for red teaming and security testing purposes. They enable security professionals to:

  • Create Authentic Bait Files: Generate files that appear to have been created or modified at specific historical dates, making them more convincing for honeypots and deception operations
  • Maintain Operational Security: Edit files during red team exercises without leaving obvious traces of recent modification timestamps
  • Test Security Controls: Evaluate how security tools and analysts respond to files with manipulated timestamps
  • Simulate Historical Artifacts: Create files that blend into existing file systems by matching modification dates of surrounding files

Ethical Use: These scripts are intended for authorized security testing, red team exercises, and legitimate security research only. Unauthorized use to deceive or harm is strictly prohibited.

Supported File Types

The scripts work with any file type:

  • Office documents (.docx, .xlsx, .pptx, etc.)
  • Text files (.txt, .md, .json, etc.)
  • Images, videos, PDFs
  • Any file you can edit with applications

Scripts Overview

Universal Scripts (Recommended)

These scripts automatically detect Linux and use appropriate commands:

1. preserve_metadata.sh - Automated workflow

Monitors the file for changes and automatically restores the timestamp after each save.

2. capture_timestamp.sh - Manual workflow step 1

Captures the current timestamp before editing.

3. restore_timestamp.sh - Manual workflow step 2

Restores the timestamp after editing.

Usage

Automated workflow (Recommended):

./preserve_metadata.sh yourfile.ext

This script will:

  1. Capture the current modification time
  2. Monitor for changes and automatically restore the timestamp when you save

Manual workflow:

# Step 1: Capture timestamp before editing
./capture_timestamp.sh yourfile.ext

# Step 2: Edit file normally, then save

# Step 3: Restore timestamp after editing
./restore_timestamp.sh yourfile.ext

Using a Reference File:

If you have a backup with the desired timestamp:

./restore_timestamp.sh yourfile.ext reference_file.ext

Setup

  1. Make the scripts executable:

    chmod +x *.sh
  2. The scripts automatically detect Linux and use:

    • stat -c %Y <file> - Get modification time
    • touch -d @<timestamp> <file> - Set modification time
    • date -d @<timestamp> - Format timestamps

How It Works

The scripts use Linux system tools to:

  1. Capture the original file modification time using stat -c %Y
  2. Allow normal editing - file content updates normally
  3. Restore the original filesystem timestamp using touch -d

Red Team Considerations

When using these scripts for red team operations:

  • Forensic Detection: Advanced forensic tools may detect timestamp manipulation through:

    • File system journal analysis
    • MAC (Modified, Accessed, Created) time inconsistencies
    • Application-level metadata (e.g., Office document properties)
    • File content hash changes without timestamp updates
  • Best Practices:

    • Use reference files from the target environment when possible
    • Test timestamp restoration on similar systems before operations
    • Consider application-specific metadata that may reveal manipulation
    • Document timestamp changes for post-operation analysis
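
A defender-side check for the traces this capture/restore sequence leaves, added here as an example and not part of the repository's scripts: `stat -c %Y` returns whole seconds, so `touch -d @<timestamp>` writes an mtime whose nanosecond field is zero, and the kernel sets ctime (inode change time) to the moment `touch` ran. The function names, flag names and the 60-second threshold are assumptions; GNU `stat` is required.

```shell
#!/bin/sh
# Added example: triage for files whose mtime was set with touch -d @<seconds>.
# Names, flags and the default threshold are illustrative assumptions.

# Print the fractional-second digits of a file's mtime, e.g. 000000000.
mtime_nsec() {
    human=$(stat -c %y -- "$1") || return 1   # 2026-01-16 08:58:26.123456789 -0500
    frac=${human#*.}                          # drop everything up to the dot
    printf '%s\n' "${frac%% *}"               # drop the timezone suffix
}

# Print space-separated flags for one file; an empty line means no findings.
#   zero_nsec          mtime has no sub-second part (touch -d @<int> zeroes it)
#   ctime_after_mtime  inode change time is more than $2 seconds (default 60)
#                      later than mtime; touch cannot move ctime backwards
mtime_flags() {
    file=$1
    max_gap=${2:-60}
    flags=""
    nsec=$(mtime_nsec "$file") || return 1
    mtime=$(stat -c %Y -- "$file") || return 1
    ctime=$(stat -c %Z -- "$file") || return 1
    case $nsec in
        *[!0]*) ;;                            # a non-zero digit: ordinary write
        *) flags="zero_nsec" ;;
    esac
    if [ $((ctime - mtime)) -gt "$max_gap" ]; then
        flags="${flags:+$flags }ctime_after_mtime"
    fi
    printf '%s\n' "$flags"
}

# Scan a directory tree; print "<flags><TAB><path>" for each flagged file.
scan_tree() {
    find "$1" -type f -print | while IFS= read -r f; do
        result=$(mtime_flags "$f" "${2:-60}") || continue
        [ -n "$result" ] && printf '%s\t%s\n' "$result" "$f"
    done
    return 0
}
```

Both flags also occur legitimately (archive extraction, `cp -p`, `rsync -t`, a later `chmod`), so treat hits as leads to correlate with journal, application-metadata or content-hash evidence rather than as proof.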

Limitations

  1. Application Internal Metadata: Some applications (like Office suites) maintain internal metadata that cannot be preserved while saving changes.

  2. File Permissions: Scripts need read/write access to the file and directory.

  3. Monitoring Accuracy: The automated script monitors file size changes to detect saves, which may not catch all scenarios.

  4. Multiple Saves: If you save multiple times during editing, the timestamp will be restored after each save.

  5. Forensic Detection: These scripts only modify filesystem timestamps. Advanced forensic analysis may still detect manipulation.

Troubleshooting

"Permission denied"

Ensure you have write permissions to the file and directory.

"Command not found"

Ensure stat, touch, and date are installed (they come pre-installed on most Linux distributions).

Timestamp not restored

Check that the file exists and you have write permissions.

Excel/LibreOffice doesn't open automatically

The Linux version doesn't automatically open files. Open them manually in your preferred application.

Advanced Usage

Batch processing multiple files:

for file in *.xlsx; do
    ./capture_timestamp.sh "$file"
    # Edit files...
    ./restore_timestamp.sh "$file"
done

Check current timestamp:

stat -c "Modification time: %y" yourfile.ext

Batch processing:

for file in *.pdf; do
    ./capture_timestamp.sh "$file"
    # Edit files...
    ./restore_timestamp.sh "$file"
done

Examples

Red Team: Create bait file matching existing file timestamp:

# Capture timestamp from a legitimate file in the target directory
./capture_timestamp.sh /home/user/legitimate_document.docx

# Create/edit your bait file, then restore using the captured timestamp
./restore_timestamp.sh bait_file.docx /home/user/legitimate_document.docx

Preserve document timestamp:

./preserve_metadata.sh thesis.docx
# Edit in LibreOffice, save, timestamp automatically restored

Preserve spreadsheet timestamp:

./capture_timestamp.sh budget.xlsx
# Edit spreadsheet...
./restore_timestamp.sh budget.xlsx

Testing Results

✅ Successfully tested on Linux VM (Ubuntu-based system)

Test results:

  • Original timestamp: Fri Jan 16 08:58:26 AM EST 2026
  • After modification: Fri Jan 16 08:58:45 AM EST 2026
  • After restoration: ✓ Successfully restored modification time: Fri Jan 16 08:58:26 AM EST 2026

License

These scripts are provided as-is for educational and practical use.