Need to preserve date stamps (creation, access, etc) when copying files
Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Need to preserve date stamps (creation, access, etc) when copying files
I have about 1,000 screen shots that I took which I need to preserve for later use, possibly in court. I have not looked at them since I took them as I don't want to alter any of the time stamps on them such as the access stamps so they can't be claimed that they were altered.
I have all the files in one folder on my ubuntu system.
I don't even know what stamps are used with the system and if it is just creation time/date and access time/date or if there are more of them.
What would be the best way to preserve these so that can be considered authentic if it ever needs to be proven. I was thinking of just zipping the entire folder, but IDK if that would change the dates inside the zip file and then change the access date since the command accesses the files to incorporate it into the file.
I'd also like to review the files but I don't want to do this until I have them completely preserved and backed up a couple of times.
What would be the best way of doing this and are there any special tools/software that can do this in an "official" manner, such as if a police copied a USB drive, would they be able to copy the files over to preserve everything?
Would using DD to copy the folder work? I know I can use it for partitions and drives, but am unsure about folders.
If you know anything about this, please let me know what my best options are. Thank you!
You will need to dd the entire partition to ensure immutability. dd can do individual files, but that would be messy.
FWIW, on this (non-Ubuntu) system screenshots are png and contain limited exif metadata that exiftool can extract which includes the standard timestamps. If the files are on ext4, they also contain the creation timestamp. Not easily extracted, but can be using debugfs.
Simply copying the files to a USB will update the access time.
You will need to dd the entire partition to ensure immutability. dd can do individual files, but that would be messy.
FWIW, on this (non-Ubuntu) system screenshots are png and contain limited exif metadata that exiftool can extract which includes the standard timestamps. If the files are on ext4, they also contain the creation timestamp. Not easily extracted, but can be using debugfs.
Simply copying the files to a USB will update the access time.
Sorry, been out of computing for a while, been forcusing on some other topics. forgot to mention Ext4, which it is. DD'ing would be a task, it is a 4TB drive..
Is there anyway to copy a sector somehow with a different program that will not alter any file data? This may not be super important, but the shots are of a live event online where there is proof of either severely bad programming, a very sly virus or lots of fraud going on. The site is an auction site. If it is a virus, then it has been programmed in the favor of the auction house. I just want to be able to prove that I haven't edited the screen shots and screen capture video and the only way I thought this could work is to copy the files and preserve the data somehow.
If there isn't, I can just buy a new drive and either DD it or just use that in place of the old one until I have the files verified.
-p same as --preserve=mode,ownership,timestamps
--preserve[=ATTR_LIST]
preserve the specified attributes (default: mode,ownership,timestamps), if possible additional attributes: context, links, xattr, all
FYI: You don't "dd a folder"
To preserve the evidence chain,
dd the whole disk. The image can be inspected without losing integrity of the files in it.
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195
Rep:
You can also use rsync -av /path/to/source/ /path/to/dest
This will preserve time stamps and everything. But it you want to use this in court I would not use anything else but the original, unmodified and uncopied drive. I am not even sure that that is accepted as evidence.
So yes, you would have to dd the entire drive. And preferably use the copy in you machine.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
