Automic VaultAutomic Vault

brew

Install mac-robber with Homebrew, apt, dnf, Nix, zypper

Digital investigation tool. Version 1.02 via Homebrew; verified from local package data.

install

Additional install commands

macOS

Homebrewverified · 100%
brew install mac-robber

local Homebrew formula metadata

Linux

Debian aptverified · 92%
sudo apt install mac-robber

Debian stable package indexes · mac-robber · source: deb.debian.org

Fedora dnfverified · 92%
sudo dnf install mac-robber

Fedora Rawhide package metadata · mac-robber · source: dl.fedoraproject.org

Nixverified · 92%
nix profile install nixpkgs#mac-robber

nixpkgs package indexes · pkgs/by-name/ma/mac-robber/package.nix · source: api.github.com

openSUSE zypperverified · 92%
sudo zypper install mac-robber

openSUSE Tumbleweed package metadata · mac-robber · source: download.opensuse.org

overview

Package summary

Digital investigation tool

Commands and aliases

  • mac-robber

history

Project history and usage

mac-robber is a small digital forensics and incident-response tool from the Sleuth Kit ecosystem. It collects metadata from allocated files on a mounted file system and emits data that can be fed to The Sleuth Kit's mactime tool to create file-activity timelines.

Project history

The Sleuth Kit site traces mac-robber to the early open-source UNIX forensics lineage around The Coroner's Toolkit. In the February 2003 Sleuth Kit Informer, Brian Carrier described writing mac-robber as similar to Rob Lee's mac-daddy, itself a variation of TCT's grave-robber, but implemented in C instead of Perl.

The project page describes the tool's scope and limits: it requires the file system to be mounted by the operating system, does not collect deleted files or files hidden by rootkits, and can modify directory access times when run against writable mounts. Those limitations are part of its forensic model rather than incidental bugs.

Adoption history

mac-robber has remained useful because it covers file systems that The Sleuth Kit or other file-system analysis tools may not support directly. The official page calls out obscure UNIX file systems and common UNIX systems such as AIX as use cases.

Package metadata shows mac-robber distributed through Homebrew and several Unix/Linux package managers. Its adoption is niche, but it is durable niche software: the 1.02 release from 2010 is still packaged because the body-file/mactime workflow remains recognizable to forensic practitioners.

How it is used

The tool is used during live incident response or lab analysis when a suspect file system has been mounted, ideally read-only on a trusted system. Its output is consumed by mactime to produce a timeline of file activity.

The official page warns that mac-robber is basic C intended to compile on any UNIX system, but also that it cannot see deleted or rootkit-hidden files because it relies on the mounted file-system view exposed by the operating system.

Why package nerds care

mac-robber is package-nerd significant because it is a tiny, old, command-line forensic utility whose value comes from interoperability with a larger toolchain. It represents the classic Unix package pattern: one focused binary, plain-text output, and composition with mactime.

Timeline

  • 2000: The Coroner's Toolkit released, establishing the open-source UNIX forensics lineage cited by The Sleuth Kit.
  • 2003-02: The Sleuth Kit Informer described mac-robber as a C tool derived from the mac-daddy/grave-robber idea.
  • 2010-02: mac-robber 1.02 released with the newer mactime body format.
  • 2026: The official mac-robber project page links the 1.02 source release to the sleuthkit/mac-robber GitHub repository.

Related projects

  • Related tools include The Coroner's Toolkit, grave-robber, mac-daddy, The Sleuth Kit, and mactime. mac-robber is best understood as a companion collector for timeline analysis rather than a standalone forensic suite.

security posture

Risk level: green

narrow executable package without higher-risk signals.

Risk classifier

green risk · low confidence · appliance

Why

  • narrow executable package without higher-risk signals

Signals

  • metadata:no-higher-risk-signals

Install behavior

  • No Homebrew post-install hook is recorded in formula metadata.
  • Homebrew bottle metadata is available for 13 platform targets.

Recommended review

Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.

executables

Installed executables

CommandKindExposureNote
mac-robbercliglobal executable

freshness

Version and freshness

These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.

page generated2026-07-08
manager version1.02
manager updated
local dataok
upstreamnot checked
latest detectednot detected

https://www.sleuthkit.org/mac-robber/

  • infoNo package-manager update timestamp was available.low confidence
  • infoRelease/tag comparison is only available for GitHub repositories.https://www.sleuthkit.org/mac-robber/none confidence

install metadata

Package metadata

Package keybrew:mac-robber
Version1.02
Package managerHomebrew
Package manager pagehttps://formulae.brew.sh/formula/mac-robber
Homepagehttps://www.sleuthkit.org/mac-robber/
Repositoryhttps://github.com/sleuthkit/mac-robber
Upstream docshttps://www.sleuthkit.org/mac-robber
LicenseGPL-2.0-or-later
Source archivehttps://downloads.sourceforge.net/project/mac-robber/mac-robber/1.02/mac-robber-1.02.tar.gz
Bottleavailable (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, catalina, monterey, sonoma, ventura, x86_64_linux)
Homebrew post-installnot defined
Servicenone declared

registry facts

Source database details

Source DatabaseHomebrew formula API
Taphomebrew/core
Full Namemac-robber
Version Scheme0
Revision0
Bottle Stable Root URLhttps://ghcr.io/v2/homebrew/core
Deprecatedno
Disabledno
Keg Onlyno
URL Keys
  • stable

source database matches

Other package-manager records

Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.

Debian apt95%

mac-robber 1.02-13

collects data about allocated files in mounted filesystems

https://www.sleuthkit.org/mac-robber

sudo apt install mac-robber
  • Section: utils
  • Architecture: amd64
  • 1 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Mac Robber
Debian stable package indexes · deb.debian.org · Debian stable package indexes: mac-robber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz
Nix95%

mac-robber

nix profile install nixpkgs#mac-robber
  • normalized package name match
  • Matched by: Mac Robber
nixpkgs package indexes · api.github.com · nixpkgs package indexes: pkgs/by-name/ma/mac-robber/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
Ubuntu apt95%

mac-robber 1.02-13

collects data about allocated files in mounted filesystems

https://www.sleuthkit.org/mac-robber

sudo apt install mac-robber
  • Section: universe/utils
  • Architecture: amd64
  • 1 dependencies
  • 1 optional deps
  • normalized package name match
  • Matched by: Mac Robber
Ubuntu 24.04 LTS package indexes · archive.ubuntu.com · Ubuntu 24.04 LTS package indexes: mac-robber from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz
dnf95%

mac-robber 1.02-40.fc45

Tool to create a timeline of file activity for mounted file systems

http://sourceforge.net/projects/mac-robber/

sudo dnf install mac-robber
  • License: GPL-2.0-or-later
  • Category: Unspecified
  • Architecture: x86_64
  • Source Package: mac-robber
  • 2 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Mac Robber
Fedora Rawhide package metadata · dl.fedoraproject.org · Fedora Rawhide package metadata: mac-robber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst
zypper95%

mac-robber 1.02-14.6

Tool to create a timeline of file activity for mounted file systems

http://sourceforge.net/projects/mac-robber/

sudo zypper install mac-robber
  • License: GPL-2.0+
  • Category: Productivity/Security
  • Architecture: x86_64
  • Source Package: mac-robber
  • 1 dependencies
  • 1 provides
  • normalized package name match
  • Matched by: Mac Robber
openSUSE Tumbleweed package metadata · download.opensuse.org · openSUSE Tumbleweed package metadata: mac-robber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

source trail

Generated from repository data

This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.

Used sources

  • Geiger risk classifier
  • Nucleus package database
  • av.db category and tag curation
  • cross-ecosystem install command graph
  • curated package history
  • external package-manager database matches
  • package relationship graph
  • package version freshness
  • package-page enrichment