Dealing with File System Timestamps

This thread is for researching ways/tools to work around the creation filestamp problem which can leak a lot of info about a file's origin and whistleblowing timeline:

Jeremy Rand:

In some cases, opening and resaving a file can help, but that will only set the “modified” time field. A lot of filesystems also store a “created” time field, which will not be affected by opening/saving. Also, some file formats will actually leak additional info about what software opened them if you open/resave them. So I wouldn’t really recommend that approach. I think there exist tools that will wipe filesystem timestamp metadata; if such tools exist (I haven’t looked very carefully) then they’re probably preferable.

Patrick:
There’s a mount option noatime. Probably also one to not record creation time. Would be good if we enabled that in Whonix.

…without writing to /etc/fstab directly.

Related

Not easy to implement on Linux distribution level.

https://lists.freedesktop.org/archives/systemd-devel/2019-December/043844.html
https://lists.freedesktop.org/archives/systemd-devel/2019-December/043845.html

The touch command fits the bill. To be tested and documented:

The stat command shows a Birth field which is exclusively used and populated by Windows to snitch on when a file was created. This isn’t supported/viewable on Linux easily, let alone modifiable. Touch can easily take care of access/modification info with Linux-originating files, but stuff from Windows will always be a privacy risk.
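
For testing the touch approach discussed above, an added example that is not part of any post in this thread: it sets access and modification time to a fixed value with touch, then lists the timestamp fields stat still reports with a real time. It assumes GNU coreutils (`stat -c`, `touch -d @EPOCH`); `FIXED_EPOCH` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes GNU coreutils stat and touch.
# FIXED_EPOCH is a constructed sample value (2000-01-01 00:00:00 UTC).
FIXED_EPOCH=946684800

# Print "atime mtime ctime birth" in epoch seconds.
# %W (birth) is 0 when stat cannot obtain a birth time for the file.
timestamps() {
    stat -c '%X %Y %Z %W' -- "$1"
}

# Set access (-a) and modification (-m) time to the fixed value.
# The kernel sets ctime to "now" as a side effect; touch cannot choose it.
normalize_times() {
    touch -a -m -d "@$FIXED_EPOCH" -- "$1"
}

# Print the names of the fields that still hold a time other than FIXED_EPOCH.
residual_fields() {
    set -- $(timestamps "$1")
    out=""
    if [ "$1" != "$FIXED_EPOCH" ]; then out="$out atime"; fi
    if [ "$2" != "$FIXED_EPOCH" ]; then out="$out mtime"; fi
    if [ "$3" != "$FIXED_EPOCH" ]; then out="$out ctime"; fi
    # Only count birth when stat actually reported one.
    if [ "${4:-0}" != "0" ] && [ "$4" != "$FIXED_EPOCH" ]; then
        out="$out birth"
    fi
    echo "$out"
}

# Stand-alone use: sh script.sh FILE...
for f in "$@"; do
    echo "before: $(timestamps "$f")"
    if normalize_times "$f"; then
        echo "after:  $(timestamps "$f")"
        echo "still set:$(residual_fields "$f")"
    fi
done
```

ctime always appears in the residual list because it records the touch call itself, so this check is a way to see what remains after touch rather than a complete wipe.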