Dealing with File System Timestamps

This thread is for researching ways/tools to workaround the creation filestamp problem which can leak a lot of info about a files origin and whistelblowing timeline:

Jeremy Rand:

In some cases, opening and resaving a file can help, but that will only set the “modified” time field. A lot of filesystems also store a “created” time field, which will not be affected by opening/saving. Also, some file formats will actually leak additional info about what software opened them if you open/resave them. So I wouldn’t really recommend that approach. I think there exist tools that will wipe filesystem timestamp metadata; if such tools exist (I haven’t looked very carefully) then they’re probably preferable.

There’s a mount option noatime. Probably also one to not record creation time. Would be good if we enabled that in Whonix.

…without writing to /etc/fstab directly.


Not easy to implement on Linux distribution level.

1 Like

The touch command fits the bill. To be tested and documented:


The stat command shows a Birth field which is exclusively used and populated by Windows to snitch on when a file was created. This isn’t supported/viewable on Linux easily, let alone modifiable. Touch can easily take care of access/modification info with Linux originating files, but stuff from Windows will always be a privacy risk.


[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]