Windows PowerShell scripts to preserve file modification timestamps while editing.
These scripts help you edit files while maintaining their original "Modified" date in Windows Explorer. This is useful when you need to preserve the appearance of when a file was last modified, even after editing it.
These scripts were developed for red teaming and security testing purposes. They enable security professionals to:
- Create Authentic Bait Files: Generate files that appear to have been created or modified at specific historical dates, making them more convincing for honeypots and deception operations
- Maintain Operational Security: Edit files during red team exercises without leaving obvious traces of recent modification timestamps
- Test Security Controls: Evaluate how security tools and analysts respond to files with manipulated timestamps
- Simulate Historical Artifacts: Create files that blend into existing file systems by matching modification dates of surrounding files
Ethical Use: These scripts are intended for authorized security testing, red team exercises, and legitimate security research only. Unauthorized use to deceive or harm is strictly prohibited.
The scripts work with any file type:
- Office documents (
.docx,.xlsx,.pptx, etc.) - Text files (
.txt,.md,.json, etc.) - Images, videos, PDFs
- Any file you can edit with applications
Monitors file changes and automatically restores timestamp after saving.
Captures the current timestamp before editing.
Restores the timestamp after editing.
.\preserve_metadata.ps1 yourfile.extThis script will:
- Capture the current modification time
- Open the file in your default application
- Monitor for changes and automatically restore the timestamp when you save
# Step 1: Capture timestamp before editing
.\capture_timestamp.ps1 yourfile.ext
# Step 2: Edit file normally, then save
# Step 3: Restore timestamp after editing
.\restore_timestamp.ps1 yourfile.extIf you have a backup with the desired timestamp:
.\restore_timestamp.ps1 yourfile.ext reference_file.ext-
PowerShell Execution Policy: You may need to allow script execution:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
-
The scripts use Windows PowerShell cmdlets:
Get-Item- Get file information(Get-Item).LastWriteTime- Get/set modification time(Get-Item).Length- Get file sizeStart-Process- Open file in default application
The scripts use Windows PowerShell to:
- Capture the original file modification time using
Get-ItemandLastWriteTime - Allow normal editing - file content updates normally
- Restore the original filesystem timestamp by setting
LastWriteTimeproperty
When using these scripts for red team operations:
-
Forensic Detection: Advanced forensic tools may detect timestamp manipulation through:
- NTFS MFT (Master File Table) analysis
- MAC (Modified, Accessed, Created) time inconsistencies
- Application-level metadata (e.g., Office document properties)
- File content hash changes without timestamp updates
- Windows Event Logs (if auditing is enabled)
-
Best Practices:
- Use reference files from the target environment when possible
- Test timestamp restoration on similar systems before operations
- Consider application-specific metadata that may reveal manipulation
- Document timestamp changes for post-operation analysis
- Be aware that NTFS stores multiple timestamps (Created, Modified, Accessed)
- File Content Changes: File content updates normally - only filesystem timestamp is preserved
- File Permissions: Scripts need read/write access to files
- Monitoring Accuracy: Automated script monitors file size changes
- Application Internal Metadata: Some applications maintain internal metadata that cannot be preserved while saving changes
- Forensic Detection: These scripts only modify filesystem timestamps. Advanced forensic analysis may still detect manipulation
- NTFS Timestamps: Windows maintains Created, Modified, and Accessed times. These scripts primarily modify the Modified time
- PowerShell Version: Requires PowerShell 5.1 or later (included in Windows 10/11)
Run: Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Ensure you have write permissions to the file and directory. Right-click PowerShell and select "Run as Administrator" if needed.
Check file permissions and ensure no other processes are accessing the file. Some applications may lock files.
The Start-Process command may not work in all environments. Open files manually if needed.
Ensure you're running PowerShell (not Command Prompt) and the execution policy allows scripts.
# Capture timestamp from a legitimate file in the target directory
.\capture_timestamp.ps1 C:\Users\Target\Documents\legitimate_document.docx
# Create/edit your bait file, then restore using the captured timestamp
.\restore_timestamp.ps1 bait_file.docx C:\Users\Target\Documents\legitimate_document.docx.\preserve_metadata.ps1 report.xlsx
# Edit in Excel, save, timestamp automatically restored.\capture_timestamp.ps1 thesis.docx
# Edit document...
.\restore_timestamp.ps1 thesis.docxGet-ChildItem -Filter *.pdf | ForEach-Object {
.\capture_timestamp.ps1 $_.FullName
# Edit files...
.\restore_timestamp.ps1 $_.FullName
}(Get-Item yourfile.ext).LastWriteTime$file = Get-Item yourfile.ext
$file.LastWriteTime = Get-Date "2024-01-15 10:30:00"$file = Get-Item yourfile.ext
Write-Host "Created: $($file.CreationTime)"
Write-Host "Modified: $($file.LastWriteTime)"
Write-Host "Accessed: $($file.LastAccessTime)"These scripts are provided as-is for educational and practical use.