MAC Robber

MAC Robber is a specialized forensic utility that extracts and analyzes MAC times (Modified, Accessed, Changed) from files and filesystems. It’s designed for digital forensic investigators and incident responders who need to build detailed timelines of system activity. MAC times are critical indicators of system modifications and user activity during investigations. The tool parses filesystem metadata to create comprehensive forensic timelines in formats compatible with timeline analysis tools.

# Debian/Ubuntu
sudo apt-get update
sudo apt-get install mac-robber
mac-robber --version  # Verify installation

# RHEL/CentOS (yum)
sudo yum install mac-robber
# Or on newer systems (dnf)
sudo dnf install mac-robber

# macOS (Homebrew)
brew install mac-robber
mac-robber --version

# Windows: install within WSL2 Ubuntu environment
wsl bash -c 'sudo apt-get install mac-robber'

# Or build from source
# Download from https://github.com/sleuthkit/mac-robber
tar xzf mac-robber-VERSION.tar.gz
cd mac-robber-VERSION
./configure
make
sudo make install

mac-robber [options] <device|file>
Command           Purpose
-d <device>       Analyze specific device or filesystem image
-f <format>       Output format (body, csv, json)
-i <image_file>   Analyze disk image file
-z <timezone>     Timezone for timestamp conversion
-l                List mode (detailed output)
-b                Body file format (bodyfile)
-V                Verbose mode

# Collect MAC times from entire filesystem
mac-robber / > /tmp/macrobber.txt

# Extract from specific directory tree
mac-robber /home/username > /tmp/user_timeline.txt

# Output verbose details
mac-robber -V /var > /tmp/var_timeline.txt
# Analyze forensic image
mac-robber -i /evidence/disk_image.dd > timeline.txt

# Analyze EWF image
mac-robber -i /evidence/case.E01 > timeline.txt
# Generate bodyfile format compatible with timeline tools
mac-robber -b /home > bodyfile.txt

# Output structure: inode|name|device|mode|nlink|uid|gid|size|atime|mtime|ctime|blksize
# Example line:
# 1234|/home/user/documents/report.pdf|2049|33188|1|1000|1000|245632|1609459200|1609459200|1609459200|4096
# Generate CSV for spreadsheet analysis
mac-robber -f csv / > mac_times.csv

# Result includes columns:
# inode,filename,device,mode,nlink,uid,gid,size,atime,mtime,ctime,blksize
# Generate JSON for programmatic processing
mac-robber -f json /var > var_timeline.json
# Extract times in EST/EDT
mac-robber -z EST /home > timeline_est.txt

# UTC timezone
mac-robber -z UTC / > timeline_utc.txt

# PST/PDT
mac-robber -z PST /var > var_timeline_pst.txt

# Custom offset (UTC+8)
mac-robber -z UTC+8 /tmp > timeline_plus8.txt
# Common timezone abbreviations:
# EST = Eastern Standard Time (UTC-5)
# EDT = Eastern Daylight Time (UTC-4)
# CST = Central Standard Time (UTC-6)
# PST = Pacific Standard Time (UTC-8)
# PDT = Pacific Daylight Time (UTC-7)
# UTC = Coordinated Universal Time
# GMT = Greenwich Mean Time
# Extract all MAC times with verbose output
mac-robber -V / > /tmp/full_timeline.txt

# Sort by modification time: the output is pipe-delimited and mtime is field 10
# (inode|name|device|mode|nlink|uid|gid|size|atime|mtime|ctime|blksize)
mac-robber / | sort -t'|' -k10,10 -n > sorted_timeline.txt

# Generate timeline for specific user directory
mac-robber /home/username > user_activity.txt
# Focus on web server logs
mac-robber /var/log > webserver_timeline.txt

# Database directory analysis
mac-robber /var/lib/mysql > database_timeline.txt

# Temporary files (suspicious activity indicator)
mac-robber /tmp > temp_timeline.txt
# Extract from primary drive
mac-robber -i /evidence/disk1.dd > timeline_disk1.txt

# Extract from secondary drive
mac-robber -i /evidence/disk2.dd > timeline_disk2.txt

# Combine for correlation analysis, ordered by mtime (pipe-delimited field 10)
cat timeline_disk1.txt timeline_disk2.txt | sort -t'|' -k10,10 -n > combined_timeline.txt
# Create bodyfile for mactime processing
mac-robber -b / > bodyfile.csv

# Process with mactime to generate sorted timeline
mactime -b bodyfile.csv -d -z UTC > sorted_mactime.csv

# Human-readable timeline
mactime -b bodyfile.csv -z UTC > human_readable.txt
# Generate body file format
mac-robber -b /home > home.bodyfile

# Use with tsk_timeline
tsk_timeline -b home.bodyfile > timeline_report.txt
# Extract MAC times for log2timeline
mac-robber / > /tmp/mac_events.txt

# Convert for PLASO processing (the input path matches the file written above)
log2timeline.py -f mac_robber -o plaso /evidence/mac_robber.plaso /tmp/mac_events.txt
# Extract complete filesystem MAC times
mac-robber / > /tmp/breach_timeline.txt

# Focus on recent modifications (last 7 days): compare mtime (pipe-delimited field 10)
# against the current epoch; "$(date +%s)" is used instead of gawk-only systime()
mac-robber / | awk -F'|' -v now="$(date +%s)" '$10 > now - 604800' > recent_timeline.txt

# Extract suspicious directories
mac-robber /etc /var/www /home > critical_timeline.txt
# Collect user home directory timeline
mac-robber /home/username > user_timeline.txt

# Desktop and documents
mac-robber /home/username/Desktop /home/username/Documents > user_docs_timeline.txt

# Download directory (often important)
mac-robber /home/username/Downloads > downloads_timeline.txt
# Configuration files and changes
mac-robber /etc > config_timeline.txt

# System binaries and libraries
mac-robber /usr/bin /usr/lib > binaries_timeline.txt

# Cron and scheduled tasks
mac-robber /var/spool > scheduler_timeline.txt
# System directories where malware hides
mac-robber /tmp /var/tmp /dev/shm > hidden_timeline.txt

# Web-accessible directories
mac-robber /var/www /home/*/public_html > web_timeline.txt

# System library compromise detection
mac-robber /lib /usr/lib > library_timeline.txt
# Extract modifications in a specific date range (example: Jan 2024, epoch seconds, UTC)
# mtime is pipe-delimited field 10 of the output
mac-robber / > raw_timeline.txt
awk -F'|' '$10 >= 1704067200 && $10 <= 1706745600' raw_timeline.txt > jan_2024_timeline.txt

# Convert epoch mtime to human-readable and prepend it to each record (GNU date)
mac-robber / | awk -F'|' '{cmd="date -d @"$10; cmd | getline human; close(cmd); print human" "$0}' > readable_timeline.txt
# Files modified in the last 24 hours (mtime is pipe-delimited field 10)
mac-robber / | awk -F'|' -v now="$(date +%s)" '(now - $10) < 86400' > last_24h.txt

# Files modified between specific times (epoch seconds)
mac-robber / | awk -F'|' '$10 >= 1609459200 && $10 <= 1609545600' > time_range.txt
# Sort by access time, field 9 (important for user activity)
mac-robber / | sort -t'|' -k9,9 -rn > sorted_by_atime.txt

# Sort by change time, field 11 (metadata modifications)
mac-robber / | sort -t'|' -k11,11 -rn > sorted_by_ctime.txt

# Sort by modification time, field 10 (data changes)
mac-robber / | sort -t'|' -k10,10 -rn > sorted_by_mtime.txt
# Create baseline timeline
mac-robber / > baseline_timeline.txt

# Later timeline for comparison
mac-robber / > current_timeline.txt

# Identify newly modified files
diff baseline_timeline.txt current_timeline.txt | grep "^>" > new_modifications.txt
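The filtering, sorting and baseline-comparison commands above all depend on getting the field positions of the pipe-delimited body format right. The following script is an added example, not part of mac-robber or this page; it assumes the 12-field layout this page documents (inode|name|device|mode|nlink|uid|gid|size|atime|mtime|ctime|blksize), and the records it works on are constructed sample data, not real output. It packages the same awk/sort logic into reusable helpers and replaces the line-based diff with a comparison keyed on path, so a reordering of records between two runs does not show up as a change.

```shell
#!/bin/sh
# Added example (not mac-robber's code): helpers for body-format timelines in the
# 12-field layout described on this page. With '|' as the separator, atime is
# field 9, mtime field 10 and ctime field 11.

# Constructed sample records: inodes, paths, sizes and epochs are invented for the demo.
SAMPLE_BASELINE='1234|/home/user/documents/report.pdf|2049|33188|1|1000|1000|245632|1609459200|1609459200|1609459200|4096
1236|/etc/passwd|2049|33188|1|0|0|2048|1700000000|1700000000|1700000000|4096
1237|/var/log/syslog|2049|33188|1|0|4|80000|1700000000|1700000000|1700000000|4096'

SAMPLE_CURRENT='1234|/home/user/documents/report.pdf|2049|33188|1|1000|1000|245632|1609459200|1609459200|1609459200|4096
1235|/tmp/session.log|2049|33261|1|0|0|1024|1704100000|1704153600|1704153600|4096
1236|/etc/passwd|2049|33188|1|0|0|2100|1706000000|1705000000|1705000000|4096
1237|/var/log/syslog|2049|33188|1|0|4|90000|1706800000|1706800000|1706800000|4096'

# filter_mtime START END: keep records whose mtime (field 10) lies in [START, END] (epoch seconds).
filter_mtime() {
    awk -F'|' -v s="$1" -v e="$2" '$10 >= s && $10 <= e'
}

# sort_desc FIELD: numeric descending sort on one pipe-delimited field (9=atime, 10=mtime, 11=ctime).
sort_desc() {
    sort -t'|' -k"$1,$1" -rn
}

# newest_path FIELD: path (field 2) of the record with the largest value in FIELD.
newest_path() {
    sort_desc "$1" | head -n 1 | cut -d'|' -f2
}

# changed_since BASELINE_FILE CURRENT_FILE: records from CURRENT whose path is absent
# from BASELINE or whose size, mtime or ctime differ. Keyed on path (field 2) rather
# than comparing lines positionally, so record order between runs does not matter.
changed_since() {
    awk -F'|' '
        NR == FNR { base[$2] = $8 "|" $10 "|" $11; next }
        !($2 in base) || base[$2] != $8 "|" $10 "|" $11
    ' "$1" "$2"
}

# count_records: number of non-empty lines on stdin (prints 0 instead of failing when empty).
count_records() {
    grep -c . || true
}

# Demo run: writes the constructed samples to temporary files and applies the helpers.
main() {
    tmpdir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BASELINE" > "$tmpdir/baseline.body"
    printf '%s\n' "$SAMPLE_CURRENT" > "$tmpdir/current.body"

    echo "== records with mtime in January 2024 (UTC) =="
    filter_mtime 1704067200 1706745600 < "$tmpdir/current.body"

    echo "== most recently modified path =="
    newest_path 10 < "$tmpdir/current.body"

    echo "== new or changed since baseline =="
    changed_since "$tmpdir/baseline.body" "$tmpdir/current.body"

    rm -rf "$tmpdir"
}

main
```

On the constructed data the January 2024 filter keeps two records, the newest mtime belongs to /var/log/syslog, and the baseline comparison reports three records: the new /tmp/session.log plus the two files whose size and timestamps changed. Run it against real output by pointing the functions at the files mac-robber wrote.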
# Extract timeline from multiple filesystem images
mac-robber -i /evidence/disk1.dd > disk1_timeline.txt
mac-robber -i /evidence/disk2.dd > disk2_timeline.txt
mac-robber -i /evidence/usb_drive.dd > usb_timeline.txt

# Merge and deduplicate
cat disk1_timeline.txt disk2_timeline.txt usb_timeline.txt | \
  sort -u > combined_evidence_timeline.txt

Performance Optimization for Large Filesystems

# Process large images in background with progress
nice -n 10 mac-robber -i /evidence/large_image.dd > timeline.txt &

# Monitor with process status
ps aux | grep mac-robber

# Use with tee for simultaneous writing and monitoring
mac-robber / | tee timeline_live.txt | wc -l
Issue                     Solution
"Permission denied"       Run with sudo for full filesystem access: sudo mac-robber /
Slow performance          Large filesystems take time; use nice to background the process
Incomplete data           Ensure the filesystem is not actively being written; use a forensic image
Timestamp inconsistency   Verify the system timezone matches the evidence collection context
Image mounting errors     Use the correct image format flag; verify image integrity first

# Check version and capabilities
mac-robber --version

# Test on single directory
mac-robber /tmp

# Verify output format
mac-robber -b /tmp | head -5
  1. Acquire image: Use forensic imaging tools to create bit-for-bit copy
  2. Mount read-only: Mount filesystem image in read-only mode
  3. Extract timeline: Use mac-robber to collect all MAC times
  4. Export format: Choose appropriate format (body, CSV, JSON)
  5. Analyze timeline: Sort and filter by investigation parameters
  6. Correlate events: Cross-reference with other evidence
  7. Document findings: Maintain chain of custody
# Create write-protected timeline
mac-robber / > /tmp/timeline.txt
chmod 444 /tmp/timeline.txt

# Create backup copy on external drive
sudo cp /tmp/timeline.txt /mnt/evidence/timeline_backup.txt
md5sum /tmp/timeline.txt  # Calculate hash for integrity verification
# Document analysis environment
echo "Analysis performed on $(date)" > investigation_log.txt
echo "MAC Robber version: $(mac-robber --version)" >> investigation_log.txt
# $TZ is often unset; fall back to the zone reported by date
echo "System timezone: ${TZ:-$(date +%Z)}" >> investigation_log.txt

# Generate analysis report
mac-robber / > investigation_timeline.txt
md5sum investigation_timeline.txt >> investigation_log.txt
  • Sleuth Kit (TSK): Forensic analysis framework with timeline tools
  • MACTIME: Timeline analysis and correlation tool
  • PLASO: Log2timeline framework for forensic artifact processing
  • Autopsy: Graphical interface to Sleuth Kit tools
  • AXIOM: Commercial digital forensics platform
  • Timeline Buddy: Timeline analysis assistant