How Unix Timestamps Work

Unix stores two times for every file, the last modification time of the file and the last access time of the file.

`ls -lT` displays the last modification time of files.

bash-2.05a$ ls -lT timestamp.shtml -rw-r–r– 1 will staff 885 Mar 5 01:50:53 2004 timestamp.shtml

`ls -lTu` displays the last access time of files.

bash-2.05a$ ls -lTu timestamp.shtml -rw-r–r– 1 will staff 885 Mar 5 01:51:57 2004 timestamp.shtml

To edit these times, you will need a program like SaintStat or fix.c. These programs are normally packaged with rootkit’s.

You can write your own utility to modify timestamps fairly easily using the utime function of C or PERL.

The purpose of editing timestamps is usually to modify files without making them look as if they have been modified. This technique won’t fool a message digest algorithm like MD5.