macOS
brew install mac-robberlocal Homebrew formula metadata
brew
Digital investigation tool. Version 1.02 via Homebrew; verified from local package data.
install
brew install mac-robberlocal Homebrew formula metadata
sudo apt install mac-robberDebian stable package indexes · mac-robber · source: deb.debian.org
sudo dnf install mac-robberFedora Rawhide package metadata · mac-robber · source: dl.fedoraproject.org
nix profile install nixpkgs#mac-robbernixpkgs package indexes · pkgs/by-name/ma/mac-robber/package.nix · source: api.github.com
sudo zypper install mac-robberopenSUSE Tumbleweed package metadata · mac-robber · source: download.opensuse.org
overview
Digital investigation tool
history
mac-robber is a small digital forensics and incident-response tool from the Sleuth Kit ecosystem. It collects metadata from allocated files on a mounted file system and emits data that can be fed to The Sleuth Kit's mactime tool to create file-activity timelines.
The Sleuth Kit site traces mac-robber to the early open-source UNIX forensics lineage around The Coroner's Toolkit. In the February 2003 Sleuth Kit Informer, Brian Carrier described writing mac-robber as similar to Rob Lee's mac-daddy, itself a variation of TCT's grave-robber, but implemented in C instead of Perl.
The project page describes the tool's scope and limits: it requires the file system to be mounted by the operating system, does not collect deleted files or files hidden by rootkits, and can modify directory access times when run against writable mounts. Those limitations are part of its forensic model rather than incidental bugs.
mac-robber has remained useful because it covers file systems that The Sleuth Kit or other file-system analysis tools may not support directly. The official page calls out obscure UNIX file systems and common UNIX systems such as AIX as use cases.
Package metadata shows mac-robber distributed through Homebrew and several Unix/Linux package managers. Its adoption is niche, but it is durable niche software: the 1.02 release from 2010 is still packaged because the body-file/mactime workflow remains recognizable to forensic practitioners.
The tool is used during live incident response or lab analysis when a suspect file system has been mounted, ideally read-only on a trusted system. Its output is consumed by mactime to produce a timeline of file activity.
The official page warns that mac-robber is basic C intended to compile on any UNIX system, but also that it cannot see deleted or rootkit-hidden files because it relies on the mounted file-system view exposed by the operating system.
mac-robber is package-nerd significant because it is a tiny, old, command-line forensic utility whose value comes from interoperability with a larger toolchain. It represents the classic Unix package pattern: one focused binary, plain-text output, and composition with mactime.
security posture
narrow executable package without higher-risk signals.
green risk · low confidence · appliance
Before unattended agent use, check whether the tool reads plaintext credentials, writes remote state, publishes artifacts, or shells out to plugins.
executables
| Command | Kind | Exposure | Note |
|---|---|---|---|
mac-robber | cli | global executable |
freshness
These signals separate page generation age, package-manager activity, and upstream release comparison. Version lag is warned only when an evidence URL and comparable versions are present.
https://www.sleuthkit.org/mac-robber/
install metadata
| Package key | brew:mac-robber |
|---|---|
| Version | 1.02 |
| Package manager | Homebrew |
| Package manager page | https://formulae.brew.sh/formula/mac-robber |
| Homepage | https://www.sleuthkit.org/mac-robber/ |
| Repository | https://github.com/sleuthkit/mac-robber |
| Upstream docs | https://www.sleuthkit.org/mac-robber |
| License | GPL-2.0-or-later |
| Source archive | https://downloads.sourceforge.net/project/mac-robber/mac-robber/1.02/mac-robber-1.02.tar.gz |
| Bottle | available (on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, catalina, monterey, sonoma, ventura, x86_64_linux) |
| Homebrew post-install | not defined |
| Service | none declared |
registry facts
| Source Database | Homebrew formula API |
|---|---|
| Tap | homebrew/core |
| Full Name | mac-robber |
| Version Scheme | 0 |
| Revision | 0 |
| Bottle Stable Root URL | https://ghcr.io/v2/homebrew/core |
| Deprecated | no |
| Disabled | no |
| Keg Only | no |
| URL Keys |
|
source database matches
Matches are pulled from external package-manager indexes and kept separate from local Automic Vault package links.
mac-robber 1.02-13
collects data about allocated files in mounted filesystems
https://www.sleuthkit.org/mac-robber
sudo apt install mac-robbermac-robber
nix profile install nixpkgs#mac-robbermac-robber 1.02-13
collects data about allocated files in mounted filesystems
https://www.sleuthkit.org/mac-robber
sudo apt install mac-robbermac-robber 1.02-40.fc45
Tool to create a timeline of file activity for mounted file systems
http://sourceforge.net/projects/mac-robber/
sudo dnf install mac-robbermac-robber 1.02-14.6
Tool to create a timeline of file activity for mounted file systems
http://sourceforge.net/projects/mac-robber/
sudo zypper install mac-robbersource trail
This page is generated by av-web from the private package SQLite artifact built by scripts/generate-pkg-sqlite.py.
View the package source record on GitHub.