File & Directory Operations
Introduction
Creating, copying, moving, and removing files are the most basic filesystem operations — and among the most dangerous when done carelessly. In forensic triage, incident response, or shared lab environments, these commands demand discipline. A misplaced rm -rf, an overwritten evidence file, or a temporary file left readable by other users can compromise an investigation or break a system.
This note covers mktemp, mkdir, cp, mv, and rm with a focus on safe practices, forensic integrity, and operational awareness.
mktemp — Isolated Environments
mktemp creates a uniquely named temporary file or directory in a safe location — typically /tmp. The randomised suffix prevents collisions with other processes or users sharing the same system.
Creating Temporary Files and Directories
mktemp # Creates a temporary file in /tmp
mktemp -d # Creates a temporary directory
my_workspace=$(mktemp -d) # Capture the path in a variableThe path is printed to stdout, which is why capturing it in a variable is the standard pattern:
tmpdir=$(mktemp -d)
cp /var/log/auth.log "$tmpdir/"
# ... work on the copy ...
rm -rf "$tmpdir"Custom Naming and Locations
By default, mktemp uses a template like tmp.XXXXXXXXXX in /tmp. You can override both:
mktemp /tmp/analysis_XXXXXX # Custom prefix in /tmp
mktemp -t analysis_XXXXXX # Same — -t uses $TMPDIR or /tmp
mktemp -d /opt/evidence/capture_XXXXXX # Custom location for directoriesThe X characters are replaced with random alphanumeric values. At least three Xs are required for sufficient uniqueness.
Forensic Workflow Pattern
When triaging a suspicious system, work on copies — never on originals:
evidence_dir=$(mktemp -d /tmp/evidence_XXXXXX)
cp -a /var/log/* "$evidence_dir/"
chmod 700 "$evidence_dir"
# ... analyse within $evidence_dir ...This keeps your work isolated, prevents naming collisions with previous triage runs, and makes cleanup trivial — rm -rf "$evidence_dir" removes everything in one command.
Key Flags
| Flag | Description |
|---|---|
-d |
Create a directory instead of a file |
-t |
Interpret argument as a template (uses $TMPDIR or /tmp) |
-p <dir> |
Use the specified directory instead of $TMPDIR or /tmp |
-q |
Suppress errors — useful in scripts where failure is handled separately |
Security note: Temporary files created with
mktemphave restrictive permissions by default — only the creating user can read or write them. This prevents other users on a shared system from snooping on your working data.
mkdir — Directory Creation
mkdir creates new directories. Its most important flag is -p, which creates parent directories as needed and silently succeeds if the target already exists.
Recursive Creation
mkdir -p /opt/evidence/2024/03/case_47This creates the entire path — evidence, 2024, 03, case_47 — in one command, regardless of which intermediate directories already exist.
Without -p, mkdir fails if any parent directory is missing:
mkdir /opt/evidence/2024/03/case_47 # Fails if /opt/evidence/2024/03 doesn't existSetting Permissions at Creation
mkdir -m 700 /opt/evidence/sensitive # Create with restricted permissionsThe -m flag sets permissions directly — no need for a separate chmod call. Mode 700 means the owner has full access and everyone else is locked out.
Key Flags
| Flag | Description |
|---|---|
-p |
Create parent directories as needed; don’t error if directory exists |
-m <mode> |
Set permissions at creation time |
-v |
Verbose — print a message for each created directory |
Scripting note:
mkdir -pis idempotent — running it twice produces the same result without error. This makes it safe in automated workflows where the directory’s existence isn’t guaranteed.
cp — Copying with Integrity
cp copies files and directories. In forensic and security work, the flags you choose determine whether the copy is faithful to the original or a loose approximation.
Archive Mode
The -a flag (archive) is the forensic standard for copying. It preserves everything — permissions, ownership, timestamps, symbolic links, and extended attributes:
cp -a /var/log/auth.log /tmp/evidence/auth.log.bak
cp -a /etc/ /tmp/evidence/etc_backup/Without -a, copied files receive new timestamps and may lose ownership or permission data — unacceptable when preserving evidence integrity.
Recursive Copying
cp -r /etc/nginx/ /tmp/nginx_backup/ # Copy directory tree
cp -a /etc/nginx/ /tmp/nginx_backup/ # Same, but preserves metadataUse -a instead of -r whenever metadata matters. In practice, -a subsumes -r — it copies recursively and preserves attributes.
Interactive and Safe Copying
cp -i important.conf /etc/important.conf # Prompt before overwriting
cp -n data.txt /backup/data.txt # Never overwrite — skip silently
cp --backup=numbered data.txt /backup/ # Create numbered backups of existing filesCopying Across Filesystems
cp handles cross-filesystem copies transparently — /tmp (often tmpfs) to /opt (often a physical disk) works without flags. However, when copying device files or special filesystem objects, use cp --preserve=all to retain extended attributes that -a might not cover on certain systems.
Key Flags
| Flag | Description |
|---|---|
-a |
Archive — preserve all metadata, copy recursively, follow symlinks |
-r |
Recursive — copy directory trees |
-i |
Interactive — prompt before overwriting |
-n |
No-clobber — never overwrite existing files |
-u |
Update — only copy if source is newer than destination |
--backup |
Create backup of destination before overwriting |
-v |
Verbose — list files as they’re copied |
-p |
Preserve permissions, ownership, and timestamps (subset of -a) |
Forensic standard: Always use
cp -awhen copying evidence. If you need to prove the copy is identical to the original, follow with a hash comparison:cp -a /var/log/auth.log /tmp/evidence/ sha256sum /var/log/auth.log /tmp/evidence/auth.log
mv — Moving and Renaming
mv relocates or renames files and directories. Within the same filesystem, it’s an instant metadata operation — no data is copied. Across filesystems, it behaves like cp followed by rm.
Basic Usage
mv old_name.txt new_name.txt # Rename
mv report.txt /opt/reports/ # Move to a different directory
mv *.log /var/log/archive/ # Move all .log filesSafe Moving
mv -i important.conf /etc/ # Prompt before overwriting
mv -n data.txt /backup/ # Never overwrite — skip silently
mv --backup=numbered file.txt /dest/ # Keep numbered backups of overwritten filesMoving Across Filesystems
When source and destination are on different filesystems, mv silently falls back to copy-then-delete. This means:
- Metadata may not be preserved unless you use
cp -aexplicitly - Large files will take time proportional to their size
- The operation is not atomic — there’s a window where both copies exist
For cross-filesystem moves where metadata matters, do it explicitly:
cp -a /tmp/staging/evidence.tar.gz /opt/evidence/
rm /tmp/staging/evidence.tar.gzKey Flags
| Flag | Description |
|---|---|
-i |
Interactive — prompt before overwriting |
-n |
No-clobber — never overwrite existing files |
-u |
Update — only move if source is newer or destination is missing |
-f |
Force — overwrite without prompting (default behaviour) |
-v |
Verbose — list files as they’re moved |
--backup |
Create backup of destination before overwriting |
Gotcha:
mv -fis the default. Unlikecp, there’s no implicit prompting unless you add-i. If you’re scripting, always use-ior-nto prevent accidental overwrites.
rm — Removal
rm deletes files and directories. It is permanent — there is no trash bin, no undo, no recovery window. On Linux, rm unlinks the inode immediately. Once the filesystem reclaims those blocks, the data is gone.
Removing Files
rm file.txt # Remove a single file
rm -i file.txt # Prompt before removal
rm -f nonexistent.txt # Suppress errors if file doesn't existRemoving Directories
rm -r directory/ # Recursively remove directory and contents
rm -rf directory/ # Force — no prompts, suppress errors
rm -ri directory/ # Interactive — prompt before each removalThe Danger of rm -rf
rm -rf is the most destructive command in Linux. A single typo can erase an entire system:
# This destroys your system:
rm -rf / home/user/data # Space between / and home makes / the target
# This is what was intended:
rm -rf /home/user/dataMitigations:
# 1. Use -i for interactive confirmation:
rm -ri directory/
# 2. Define an alias in your shell profile:
alias rm='rm -i'
# 3. Use a safe delete wrapper:
safe_rm() {
local target
for target in "$@"; do
if [[ "$target" == "/" || "$target" == "/*" ]]; then
echo "Refusing to remove $target"
return 1
fi
done
command rm -i "$@"
}Lab discipline: In a shared EVE-NG or forensic lab environment, never run
rm -rfwithout first listing what will be deleted. Uselsto verify the target, or prependechoto dry-run:echo rm -rf /tmp/evidence_* # Preview what would be deleted rm -rf /tmp/evidence_* # Execute only after verification
Key Flags
| Flag | Description |
|---|---|
-r |
Recursive — remove directories and their contents |
-f |
Force — ignore nonexistent files, never prompt |
-i |
Interactive — prompt before every removal |
-I |
Prompt once before removing more than three files (less intrusive than -i) |
-d |
Remove empty directories |
-v |
Verbose — list files as they’re removed |
-ivs-I: Use-iwhen working on critical files — it confirms every single deletion. Use-Iwhen batch-deleting many files — it asks once for the whole operation and only if more than three files are involved. This is a good default for interactive shell sessions:alias rm='rm -I'
Bonus: touch — Timestamp Manipulation
touch creates empty files or updates an existing file’s timestamps without modifying its content. It’s lighter than echo "" > file and more precise.
Creating Empty Files
touch newfile.txt # Create an empty file
touch /tmp/evidence/markers/{a,b,c}.txt # Create multiple files at onceUpdating Timestamps
touch -t 202403150930 report.txt # Set timestamp to 2024-03-15 09:30
touch -r reference.txt target.txt # Copy timestamp from reference file
touch -d "2 hours ago" log.txt # Set to relative timeForensic Context
touch can be used to verify timestamp behaviour — set a known timestamp, then check how a tool or process interacts with file modification times. It’s also useful for creating placeholder files during evidence staging.
Key Flags
| Flag | Description |
|---|---|
-t <stamp> |
Set timestamp to specific value ([[CC]YY]MMDDhhmm[.ss]) |
-r <file> |
Copy timestamp from another file |
-d <string> |
Set timestamp from human-readable string |
-a |
Change only the access time |
-m |
Change only the modification time |
-c |
Don’t create the file if it doesn’t exist |
Forensic Copying Workflow
A complete evidence collection pattern combining these tools:
# Step 1: Create an isolated working directory
evidence=$(mktemp -d /tmp/evidence_XXXXXX)
chmod 700 "$evidence"
# Step 2: Copy with full metadata preservation
cp -a /var/log/ "$evidence/logs/"
cp -a /etc/passwd "$evidence/"
cp -a /etc/shadow "$evidence/"
# Step 3: Verify integrity
sha256sum /var/log/auth.log "$evidence/logs/auth.log"
find "$evidence" -type f -exec sha256sum {} \; > "$evidence/hashes.txt"
# Step 4: Restrict access
chmod -R 400 "$evidence"
# Step 5: When done — clean removal
rm -ri "$evidence"Tool Comparison
| Tool | Purpose | Reversible | Key Risk |
|---|---|---|---|
mktemp |
Create temporary files/directories | No — cleanup is manual | Forgetting to remove temp files |
mkdir |
Create directories | Yes — rmdir or rm -d |
None significant |
cp |
Copy files and directories | N/A — source is untouched | Overwriting destination silently |
mv |
Move or rename | N/A — source is removed | Cross-filesystem metadata loss |
rm |
Delete files and directories | No — permanent | Accidental deletion of wrong path |
touch |
Create empty files or set timestamps | Yes — delete the file | Can be used to manipulate evidence timestamps |
Core principle:
rmis the only truly irreversible operation here. Treat it with appropriate caution — every other mistake can be recovered from.