# Install mac-robber with Homebrew, apt, dnf, Nix, zypper

Digital investigation tool. Version 1.02 via Homebrew; verified from local package data.

## Install

```sh
sudo av install brew:mac-robber
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install mac-robber
```

  Evidence: local Homebrew formula metadata

### Linux

- Debian apt (92%):

```sh
sudo apt install mac-robber
```

  Evidence: Debian stable package indexes: mac-robber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install mac-robber
```

  Evidence: Fedora Rawhide package metadata: mac-robber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#mac-robber
```

  Evidence: nixpkgs package indexes: pkgs/by-name/ma/mac-robber/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- zypper (92%):

```sh
sudo zypper install mac-robber
```

  Evidence: openSUSE Tumbleweed package metadata: mac-robber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst

## Package facts

- **Package key:** brew:mac-robber
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/mac-robber>
- **Version:** 1.02
- **Source summary:** Digital investigation tool
- **Homepage:** <https://www.sleuthkit.org/mac-robber/>
- **Repository:** <https://github.com/sleuthkit/mac-robber>
- **Upstream docs:** <https://www.sleuthkit.org/mac-robber>
- **License:** GPL-2.0-or-later
- **Source archive:** <https://downloads.sourceforge.net/project/mac-robber/mac-robber/1.02/mac-robber-1.02.tar.gz>
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- mac-robber (cli)
- mac-robber (alias)

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_big_sur, arm64_linux, arm64_monterey, arm64_sequoia, arm64_sonoma, arm64_tahoe, arm64_ventura, big_sur, catalina, monterey, sonoma, ventura

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.02
- Local data: ok
- Upstream repository: https://www.sleuthkit.org/mac-robber/
- info: No package-manager update timestamp was available.
- info: Release/tag comparison is only available for GitHub repositories.
## Project history and usage

mac-robber is a small digital forensics and incident-response tool from the Sleuth Kit ecosystem. It collects metadata from allocated files on a mounted file system and emits data that can be fed to The Sleuth Kit's mactime tool to create file-activity timelines.

### Project history

The Sleuth Kit site traces mac-robber to the early open-source UNIX forensics lineage around The Coroner's Toolkit. In the February 2003 Sleuth Kit Informer, Brian Carrier described writing mac-robber as similar to Rob Lee's mac-daddy, itself a variation of TCT's grave-robber, but implemented in C instead of Perl.

The project page describes the tool's scope and limits: it requires the file system to be mounted by the operating system, does not collect deleted files or files hidden by rootkits, and can modify directory access times when run against writable mounts. Those limitations are part of its forensic model rather than incidental bugs.

### Adoption history

mac-robber has remained useful because it covers file systems that The Sleuth Kit or other file-system analysis tools may not support directly. The official page calls out obscure UNIX file systems and common UNIX systems such as AIX as use cases.

Package metadata shows mac-robber distributed through Homebrew and several Unix/Linux package managers. Its adoption is niche, but it is durable niche software: the 1.02 release from 2010 is still packaged because the body-file/mactime workflow remains recognizable to forensic practitioners.

### How it is used

The tool is used during live incident response or lab analysis when a suspect file system has been mounted, ideally read-only on a trusted system. Its output is consumed by mactime to produce a timeline of file activity.

The official page warns that mac-robber is basic C intended to compile on any UNIX system, but also that it cannot see deleted or rootkit-hidden files because it relies on the mounted file-system view exposed by the operating system.

### Why package nerds care

mac-robber is package-nerd significant because it is a tiny, old, command-line forensic utility whose value comes from interoperability with a larger toolchain. It represents the classic Unix package pattern: one focused binary, plain-text output, and composition with mactime.

### Timeline

- 2000: The Coroner's Toolkit released, establishing the open-source UNIX forensics lineage cited by The Sleuth Kit.
- 2003-02: The Sleuth Kit Informer described mac-robber as a C tool derived from the mac-daddy/grave-robber idea.
- 2010-02: mac-robber 1.02 released with the newer mactime body format.
- 2026: The official mac-robber project page links the 1.02 source release to the sleuthkit/mac-robber GitHub repository.

### Related projects

- Related tools include The Coroner's Toolkit, grave-robber, mac-daddy, The Sleuth Kit, and mactime. mac-robber is best understood as a companion collector for timeline analysis rather than a standalone forensic suite.

### Sources

- <https://github.com/sleuthkit/mac-robber>
- <https://www.sleuthkit.org/informer/sleuthkit-informer-1.html>
- <https://www.sleuthkit.org/mac-robber>
- <https://www.sleuthkit.org/sleuthkit/man/mactime.html>
- source_facts.package-manager


## Security Notes

narrow executable package without higher-risk signals.

- **Geiger risk:** green / low
- narrow executable package without higher-risk signals

## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** mac-robber
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable

## Other Package-Manager Records

- Debian apt - mac-robber - 1.02-13: normalized package name match | Debian stable package indexes: mac-robber from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | collects data about allocated files in mounted filesystems | https://www.sleuthkit.org/mac-robber
- Nix - mac-robber: normalized package name match | nixpkgs package indexes: pkgs/by-name/ma/mac-robber/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - mac-robber - 1.02-13: normalized package name match | Ubuntu 24.04 LTS package indexes: mac-robber from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | collects data about allocated files in mounted filesystems | https://www.sleuthkit.org/mac-robber
- dnf - mac-robber - 1.02-40.fc45: normalized package name match | Fedora Rawhide package metadata: mac-robber from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Tool to create a timeline of file activity for mounted file systems | http://sourceforge.net/projects/mac-robber/
- zypper - mac-robber - 1.02-14.6: normalized package name match | openSUSE Tumbleweed package metadata: mac-robber from https://download.opensuse.org/tumbleweed/repo/oss/repodata/be8d3611d25469107f32075a1697e69ec57a2b850b42348a658cc671ad5ec2b50760d02c3e59524d50da9a11d5be799bdaffba2e166e8ca8858512e3c0bd665d-primary.xml.zst | Tool to create a timeline of file activity for mounted file systems | http://sourceforge.net/projects/mac-robber/


## Related links

- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [Security and crypto packages](https://www.automicvault.com/pkg/security-crypto-tools/) - Matched security, identity, cryptography, password, signing, or certificate metadata.
- [Homebrew utility packages](https://www.automicvault.com/pkg/brew-utility-packages/) - Matched Homebrew package provider.
- [dcfldd](https://www.automicvault.com/pkg/brew/dcfldd/) - Shares av.db curated category or tags: cli, forensics, security.
- [afflib](https://www.automicvault.com/pkg/brew/afflib/) - Shares av.db curated category or tags: cli, forensics, security.
- [chainsaw](https://www.automicvault.com/pkg/brew/chainsaw/) - Shares av.db curated category or tags: cli, forensics, security.
- [dc3dd](https://www.automicvault.com/pkg/brew/dc3dd/) - Shares av.db curated category or tags: cli, forensics, security.
- [evtx](https://www.automicvault.com/pkg/brew/evtx/) - Shares av.db curated category or tags: cli, forensics, security.
- [hack-browser-data](https://www.automicvault.com/pkg/brew/hack-browser-data/) - Shares av.db curated category or tags: cli, forensics, security.
- [ssdeep](https://www.automicvault.com/pkg/brew/ssdeep/) - Shares av.db curated category or tags: cli, forensics, security.
- [aide](https://www.automicvault.com/pkg/brew/aide/) - Shares av.db curated category or tags: cli, security.
- [sleuthkit](https://www.automicvault.com/pkg/brew/sleuthkit/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, digital, digital-forensics, forensics, security.
- [libewf](https://www.automicvault.com/pkg/brew/libewf/) - Security-sensitive metadata or terminology overlaps. Shared terms: cli, digital, digital-forensics, forensics, security.

## Combined YAML source

View the package source record on GitHub. [combined/mac-robber.yml](https://github.com/automic-vault/db/blob/main/combined/mac-robber.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
