When a file is modified, certain attributes (such as creation time, modification time, access time, and encoding software) will change. However, by modifying the file's metadata, these modification traces can be effectively concealed.
Brief introduction to metadata modification commands:
- exiftool
View and modify the metadata of files such as images, videos, and PDFs.
Installation:
macOS:
- Homebrew:
Open Terminal and enter the following command to install Homebrew (if not already installed):
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Install ExifTool:
brew install exiftool
- Manual download:
Go to the ExifTool official website to download the version for macOS.
Unzip the downloaded file and move the exiftool executable to /usr/local/bin or another system path.
Windows:
- Using Chocolatey:
Open Command Prompt (run as administrator) and enter the following command to install Chocolatey (if not already installed):
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command "iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))" && SET "PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin"
Install ExifTool:
choco install exiftool
Common parameters:
- -Author=<>: Set the author.
- -Title=<>: Set the title.
- -Subject=<>: Set the subject.
- -Keywords=<>: Set the keywords.
- -Creator=<>: Set the content creator.
- -Producer=<>: Set the encoding software.
- -overwrite_original: Overwrite the original file.
- -All=: Clear all metadata.
Example:
exiftool -Author= -Creator= -Producer= -overwrite_original /path/to/file.pdf
- touch
Modify file timestamps (access time and modification time).
Installation:
macOS:
touch is a built-in tool in macOS and does not require additional installation. It can be used directly in the terminal.
Windows:
Windows does not have a built-in touch command, but you can obtain it by installing the GnuWin32 tool package.
Go to the GnuWin32 Core Tools download page to download the Core Tools package.
After installation, add the bin directory (usually located at C:\Program Files (x86)\GnuWin32\bin) to the system path.
Common parameters:
- -a: Modify access time.
- -m: Modify modification time.
- -t [[CC]YY]MMDDhhmm[.ss]: Specify the time.
- -d: Use a date string.
Example:
touch -t 202406202335 /path/to/file.txt
- SetFile
Modify the creation date and modification date of a file (macOS only).
Installation:
- macOS:
SetFile is part of Xcode, the developer toolset for macOS.
Install Xcode command line tools:
xcode-select --install
Parameters:
- -d <MM/DD/YYYY hh:mm[:ss]>: Set the creation date.
- -m <MM/DD/YYYY hh:mm[:ss]>: Set the modification date.
Example:
SetFile -d '06/20/2024 23:35:00' /path/to/file.txt
SetFile -m '06/20/2024 23:35:00' /path/to/file.txt
- Windows:
SetFile is a macOS-specific tool and does not have a direct equivalent on Windows.
Using PowerShell, you can modify the file's timestamps by retrieving the file with Get-Item and assigning its CreationTime, LastWriteTime, and LastAccessTime properties. Here are the specific steps and example code:
Open PowerShell: Run PowerShell as an administrator.
Parameters:
- $filePath: The path of the file.
- $newDateTime: The new date and time.
- $file.CreationTime: Set the file's creation date.
- $file.LastWriteTime: Set the file's modification date.
- $file.LastAccessTime: Set the file's access date.
Example:
To modify the file's creation date, use the following command:
$file = Get-Item "C:\path\to\file.txt"
$file.CreationTime = "2024-06-20 23:35:00"
To modify the file's modification date, use the following command:
$file = Get-Item "C:\path\to\file.txt"
$file.LastWriteTime = "2024-06-20 23:35:00"
To modify the file's access date, use the following command:
$file = Get-Item "C:\path\to\file.txt"
$file.LastAccessTime = "2024-06-20 23:35:00"
Some installation commands require configuring the network environment in advance.
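The timestamp edits shown above leave their own traces, which is what a forensic reviewer checks for. The following is an added example, not part of the original page, that flags files whose modification time looks explicitly set. It assumes POSIX semantics (st_ctime is the inode change time) and a filesystem with sub-second timestamps; the function names and the sample file are constructed for illustration.

```python
import os
import sys
import tempfile

NS = 10**9  # nanoseconds per second

def classify(mtime_ns, ctime_ns, slack_s=2):
    """Return hints that an mtime was set explicitly rather than by a write."""
    hints = []
    # touch -t, SetFile and plain date strings carry no sub-second part, so the
    # stored mtime lands exactly on a second; an ordinary write almost never
    # does on a filesystem with nanosecond timestamps.
    if mtime_ns % NS == 0:
        hints.append("mtime-whole-second")
    # On POSIX, setting mtime bumps ctime to the current time, and touch cannot
    # set ctime. chmod or rename also bump ctime, so this is a hint, not proof.
    if ctime_ns - mtime_ns > slack_s * NS:
        hints.append("ctime-after-mtime")
    return hints

def check_file(path):
    """Classify one file from its stat record."""
    st = os.stat(path)
    return classify(st.st_mtime_ns, st.st_ctime_ns)

def scan(root):
    """Walk a directory tree and return {path: hints} for files with any hint."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hints = check_file(path)
            except OSError:
                continue  # unreadable entry or broken symlink
            if hints:
                found[path] = hints
    return found

if __name__ == "__main__":
    # Constructed sample: a file backdated to 2024-06-20 23:35:00 UTC, the same
    # effect as the touch -t example above. Pass a directory to scan it instead.
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "sample.txt")
        open(sample, "w").close()
        os.utime(sample, ns=(1718926500 * NS, 1718926500 * NS))
        print(scan(sys.argv[1] if len(sys.argv) > 1 else d))
```

Both hints also occur on legitimately restored or archived files, so treat a hit as a reason to check filesystem journals or backup records rather than as a conclusion.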