AbnormalSec / darkbox

what's in the box?! :package:
Do What The F*ck You Want To Public License

New tool: timestomp #13

Open vesche opened 6 years ago

vesche commented 6 years ago

Similar to this: https://www.offensive-security.com/metasploit-unleashed/TimeStomp/

deadPix3l commented 5 years ago

This is something I've been looking into implementing lately, although some issues have arisen. TL;DR: Linux is a complex ecosystem and OS-agnostic code is hard af.

So Windows and other OSes are pretty straightforward. I need to test with Metasploit to see how it handles Linux (TODO), but from all my reading: the Linux kernel does not directly support file creation times. It's left up to the filesystem. The field used in Windows for creation (ctime) is usually used as "change time", which is for metadata changes to the file, such as changing any other timestamp, renaming or copying, or other metadata changes. If the file has never undergone metadata changes, then it will be the creation date, which is technically the first metadata change, but this is unreliable.

Some filesystems do support creation time, but some extremely common ones, such as XFS, EXT3, and others, don't.

Bottom line: this tool requires some weird choices to be made, makes a point for why we need CI testing, and likely won't be completed until I've tested meterpreter's implementation.
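The property described in the thread, that the kernel stamps ctime itself on any metadata change and offers no API to set it, is also what a defender can lean on when looking for altered timestamps. As an added example (not code from darkbox or from either commenter), a Python heuristic that flags an mtime running ahead of ctime or pushed far behind it; the fixture files, the 30-day threshold and the `inspect_timestamps` name are constructed for the illustration.

```python
"""Heuristic timestomp check for Linux/Unix inode timestamps.

Any call that rewrites atime/mtime (utimensat, touch -d, os.utime) makes
the kernel set ctime to the current clock, and userland cannot set ctime
directly. So an mtime newer than ctime, or an mtime far behind a fresh
ctime, is worth a closer look. Creation time (btime) is only available
where the filesystem records it and Python exposes it (3.12+ on Linux).
"""
import os
import tempfile
import time

DAY = 86400


def inspect_timestamps(path, backdate_threshold=30 * DAY):
    st = os.stat(path, follow_symlinks=False)
    report = {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        # Filesystem-dependent; None on XFS/ext3-era filesystems or older Pythons.
        "btime": getattr(st, "st_birthtime", None),
        # mtime cannot legitimately run ahead of ctime via the normal API.
        "mtime_after_ctime": st.st_mtime > st.st_ctime + 1,
        # mtime far behind the last metadata change: consistent with a
        # backdated mtime (but also with a chmod/chown on a genuinely old file).
        "mtime_backdated": st.st_ctime - st.st_mtime > backdate_threshold,
    }
    if report["btime"] is not None:
        # A modification dated before the file existed is another anomaly.
        report["mtime_before_btime"] = st.st_mtime < report["btime"] - 1
    return report


def _fixture(directory, name, mtime):
    """Constructed sample file; mtime=None leaves the kernel's timestamps alone."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("constructed sample\n")
    if mtime is not None:
        os.utime(path, (mtime, mtime))  # rewrites atime/mtime; kernel bumps ctime
    return path


def demo():
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        untouched = inspect_timestamps(_fixture(d, "clean.txt", None))
        backdated = inspect_timestamps(_fixture(d, "old.txt", now - 365 * DAY))
        future = inspect_timestamps(_fixture(d, "future.txt", now + 365 * DAY))
    return {"untouched": untouched, "backdated": backdated, "future": future}


if __name__ == "__main__":
    for name, rep in demo().items():
        flags = [k for k, v in rep.items() if k.startswith("mtime_") and v]
        print(f"{name}: {flags or 'no anomalies'}")
```

The backdated case only raises a heuristic flag, since ordinary metadata operations on old files produce the same gap; the future-dated case is the hard signal, because nothing short of clock or on-disk manipulation makes mtime exceed ctime.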