Overview
MAC Robber is a specialized forensic utility that extracts and analyzes MAC times (Modified, Accessed, Changed) from files and filesystems. It’s designed for digital forensic investigators and incident responders who need to build detailed timelines of system activity. MAC times are critical indicators of system modifications and user activity during investigations. The tool parses filesystem metadata to create comprehensive forensic timelines in formats compatible with timeline analysis tools.
Installation
Linux (Debian/Ubuntu)
```bash
sudo apt-get update
sudo apt-get install mac-robber
mac-robber --version   # Verify installation
```
Linux (RHEL/CentOS/Fedora)
```bash
sudo yum install mac-robber
# Or on newer systems
sudo dnf install mac-robber
```
macOS
```bash
brew install mac-robber
mac-robber --version
```
Windows (via WSL2 or Cygwin)
```bash
# Install within a WSL2 Ubuntu environment
wsl bash -c 'sudo apt-get install mac-robber'
# Or build from source
# Download from https://github.com/sleuthkit/mac-robber
tar xzf mac-robber-VERSION.tar.gz
cd mac-robber-VERSION
./configure
make
sudo make install
```
Command Syntax
Basic Structure
```bash
mac-robber [options] <device|file>
```
Core Commands
| Option | Purpose |
|---|---|
| `-d <device>` | Analyze a specific device or filesystem image |
| `-f <format>` | Output format (body, csv, json) |
| `-i <image_file>` | Analyze a disk image file |
| `-z <timezone>` | Timezone for timestamp conversion |
| `-l` | List mode (detailed output) |
| `-b` | Body file format (bodyfile) |
| `-V` | Verbose mode |
```bash
# Collect MAC times from the entire filesystem
mac-robber / > /tmp/macrobber.txt
# Extract from a specific directory tree
mac-robber /home/username > /tmp/user_timeline.txt
# Output verbose details
mac-robber -V /var > /tmp/var_timeline.txt
# Analyze a forensic image
mac-robber -i /evidence/disk_image.dd > timeline.txt
# Analyze an EWF image
mac-robber -i /evidence/case.E01 > timeline.txt
```
Body File Format (Bodyfile)
```bash
# Generate bodyfile format compatible with timeline tools
mac-robber -b /home > bodyfile.txt
# Output structure: inode|name|device|mode|nlink|uid|gid|size|atime|mtime|ctime|blksize
# Example line:
# 1234|/home/user/documents/report.pdf|2049|33188|1|1000|1000|245632|1609459200|1609459200|1609459200|4096

# Generate CSV for spreadsheet analysis
mac-robber -f csv / > mac_times.csv
# Result includes the columns:
# inode,filename,device,mode,nlink,uid,gid,size,atime,mtime,ctime,blksize

# Generate JSON for programmatic processing
mac-robber -f json /var > var_timeline.json
```
Timezone Handling
Convert to Specific Timezone
```bash
# Extract times in EST/EDT
mac-robber -z EST /home > timeline_est.txt
# UTC
mac-robber -z UTC / > timeline_utc.txt
# PST/PDT
mac-robber -z PST /var > var_timeline_pst.txt
# Custom offset (UTC+8)
mac-robber -z UTC+8 /tmp > timeline_plus8.txt
```
Timezone Reference
Common timezone abbreviations:
- EST: Eastern Standard Time (UTC-5)
- EDT: Eastern Daylight Time (UTC-4)
- CST: Central Standard Time (UTC-6)
- PST: Pacific Standard Time (UTC-8)
- PDT: Pacific Daylight Time (UTC-7)
- UTC: Coordinated Universal Time
- GMT: Greenwich Mean Time
Forensic Timeline Analysis
Create Comprehensive Filesystem Timeline
```bash
# Extract all MAC times with verbose output
mac-robber -V / > /tmp/full_timeline.txt
# Sort by modification time: the output is pipe-delimited and mtime is field 10
# (inode|name|device|mode|nlink|uid|gid|size|atime|mtime|ctime|blksize)
mac-robber / | sort -t'|' -k10,10 -n > sorted_timeline.txt
# Generate a timeline for a specific user directory
mac-robber /home/username > user_activity.txt
```
Filter and Analyze Specific Directories
```bash
# Focus on web server logs
mac-robber /var/log > webserver_timeline.txt
# Database directory analysis
mac-robber /var/lib/mysql > database_timeline.txt
# Temporary files (a frequent indicator of suspicious activity)
mac-robber /tmp > temp_timeline.txt
```
Multi-Device Timeline Correlation
```bash
# Extract from the primary drive
mac-robber -i /evidence/disk1.dd > timeline_disk1.txt
# Extract from the secondary drive
mac-robber -i /evidence/disk2.dd > timeline_disk2.txt
# Combine for correlation analysis, ordered by mtime (field 10 of the pipe-delimited output)
cat timeline_disk1.txt timeline_disk2.txt | sort -t'|' -k10,10 -n > combined_timeline.txt
```
Export for Mactime Analysis
```bash
# Create a bodyfile for mactime processing
mac-robber -b / > bodyfile.csv
# Process with mactime to generate a sorted timeline
mactime -b bodyfile.csv -d -z UTC > sorted_mactime.csv
# Human-readable timeline
mactime -b bodyfile.csv -z UTC > human_readable.txt

# Generate body file format
mac-robber -b /home > home.bodyfile
# Use with tsk_timeline
tsk_timeline -b home.bodyfile > timeline_report.txt
```
Integration with PLASO
```bash
# Extract MAC times in log2timeline format
mac-robber / > mac_events.txt
# Convert for PLASO processing
log2timeline.py -f mac_robber -o plaso /evidence/mac_robber.plaso /tmp/mac_events.txt
```
Common Forensic Scenarios
Timeline Creation After Suspected Breach
```bash
# Extract complete filesystem MAC times
mac-robber / > /tmp/breach_timeline.txt
# Focus on recent modifications (last 7 days): mtime is field 10 of the
# pipe-delimited output; systime() is a gawk extension
mac-robber / | awk -F'|' '$10 > systime() - 604800' > recent_timeline.txt
# Extract directories of particular interest
mac-robber /etc /var/www /home > critical_timeline.txt
```
User Activity Timeline
```bash
# Collect the user home directory timeline
mac-robber /home/username > user_timeline.txt
# Desktop and documents
mac-robber /home/username/Desktop /home/username/Documents > user_docs_timeline.txt
# Downloads directory (often important)
mac-robber /home/username/Downloads > downloads_timeline.txt
```
System Administration Audit
```bash
# Configuration files and changes
mac-robber /etc > config_timeline.txt
# System binaries and libraries
mac-robber /usr/bin /usr/lib > binaries_timeline.txt
# Cron and scheduled tasks
mac-robber /var/spool > scheduler_timeline.txt
```
Malware Investigation Timeline
```bash
# System directories where malware commonly hides
mac-robber /tmp /var/tmp /dev/shm > hidden_timeline.txt
# Web-accessible directories
mac-robber /var/www /home/*/public_html > web_timeline.txt
# System library compromise detection
mac-robber /lib /usr/lib > library_timeline.txt
```
Output Processing and Analysis
Parse and Filter by Time Range
```bash
# Extract modifications in a specific date range (example: Jan 2024).
# The output is pipe-delimited; mtime is field 10 (atime 9, ctime 11).
mac-robber / > raw_timeline.txt
awk -F'|' '$10 >= 1704067200 && $10 <= 1706745600' raw_timeline.txt > jan_2024_timeline.txt
# Convert the epoch mtime to human-readable UTC and prepend it to each line
# (GNU date; one process per line, so this is slow on very large timelines)
mac-robber / | awk -F'|' '{cmd = "date -u -d @" $10; cmd | getline ts; close(cmd); print ts " " $0}' > readable_timeline.txt
```
Identify Recent File Modifications
```bash
# Files modified in the last 24 hours (mtime is field 10; systime() is a gawk extension)
mac-robber / | awk -F'|' '(systime() - $10) < 86400' > last_24h.txt
# Files modified between specific times
mac-robber / | awk -F'|' '$10 >= 1609459200 && $10 <= 1609545600' > time_range.txt
```
Sort by Different MAC Times
```bash
# Sort by access time, newest first (important for user activity)
mac-robber / | sort -t'|' -k9,9 -rn > sorted_by_atime.txt
# Sort by change time (metadata modifications)
mac-robber / | sort -t'|' -k11,11 -rn > sorted_by_ctime.txt
# Sort by modification time (data changes)
mac-robber / | sort -t'|' -k10,10 -rn > sorted_by_mtime.txt
```
Advanced Techniques
Differential Timeline Analysis
```bash
# Create a baseline timeline
mac-robber / > baseline_timeline.txt
# Later timeline for comparison
mac-robber / > current_timeline.txt
# Identify newly modified files. Note that a line differs whenever any of the
# three timestamps changed, so files merely read since the baseline (atime) show up too.
diff baseline_timeline.txt current_timeline.txt | grep "^>" > new_modifications.txt
```
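A line-level `diff` reports every file whose atime moved, which on a live system is most of them. As an added example (not code from mac-robber or The Sleuth Kit), the Python below compares two captures by path instead, reports added and removed paths, and lists only the attributes that changed, ignoring atime by default so that files touched by the analysis itself do not drown out real modifications. The two captures are constructed sample data and the function names are my own.

```python
"""Compare two mac-robber captures of the same tree by path instead of by
raw line, so a file is reported once with the attributes that changed.
Added example; not part of mac-robber or The Sleuth Kit. Field layout is the
12-field one described on this page."""

# Constructed baseline and later captures of /etc (not real evidence).
BASELINE_LINES = [
    "100|/etc/passwd|2049|33188|1|0|0|2048|1704067200|1700000000|1700000000|4096",
    "101|/etc/shadow|2049|33024|1|0|42|1200|1704067200|1700000000|1700000000|4096",
    "102|/etc/cron.d/backup|2049|33188|1|0|0|300|1704067200|1700000000|1700000000|4096",
]
CURRENT_LINES = [
    # only atime moved: read during analysis, not a change to the file
    "100|/etc/passwd|2049|33188|1|0|0|2048|1704240000|1700000000|1700000000|4096",
    # size, mtime and ctime moved: the content was rewritten
    "101|/etc/shadow|2049|33024|1|0|42|1250|1704240000|1704200000|1704200000|4096",
    # new entry; /etc/cron.d/backup is gone
    "103|/etc/cron.d/report|2049|33188|1|0|0|120|1704240000|1704200000|1704200000|4096",
]

TRACKED = ("inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime")


def index_by_path(lines):
    """{path: {attr: int}} from body lines; numeric fields are taken from the
    right so a '|' inside the path does not shift them."""
    index = {}
    for line in lines:
        parts = line.rstrip("\n").split("|")
        if len(parts) < 12:
            continue  # skip malformed lines instead of aborting the comparison
        path = "|".join(parts[1:-10])
        device, mode, nlink, uid, gid, size, atime, mtime, ctime, blksize = map(int, parts[-10:])
        index[path] = dict(inode=int(parts[0]), mode=mode, uid=uid, gid=gid,
                           size=size, atime=atime, mtime=mtime, ctime=ctime)
    return index


def diff_timelines(baseline_lines, current_lines, ignore=("atime",)):
    """Report added, removed and modified paths. atime is ignored by default
    because merely listing or reading a file updates it."""
    before, after = index_by_path(baseline_lines), index_by_path(current_lines)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = {}
    for path in sorted(set(before) & set(after)):
        changes = {attr: (before[path][attr], after[path][attr])
                   for attr in TRACKED
                   if attr not in ignore and before[path][attr] != after[path][attr]}
        if changes:
            modified[path] = changes
    return {"added": added, "removed": removed, "modified": modified}


if __name__ == "__main__":
    result = diff_timelines(BASELINE_LINES, CURRENT_LINES)
    for kind in ("added", "removed"):
        for path in result[kind]:
            print(f"{kind:8} {path}")
    for path, changes in result["modified"].items():
        detail = ", ".join(f"{attr} {old}->{new}" for attr, (old, new) in changes.items())
        print(f"modified {path}: {detail}")
```

Passing `ignore=()` restores atime to the comparison when access patterns are themselves the question; keying on path also means an inode reuse after deletion shows up as a changed `inode` attribute rather than silently pairing two unrelated files.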
Correlating Multiple Evidence Sources
```bash
# Extract timelines from multiple filesystem images
mac-robber -i /evidence/disk1.dd > disk1_timeline.txt
mac-robber -i /evidence/disk2.dd > disk2_timeline.txt
mac-robber -i /evidence/usb_drive.dd > usb_timeline.txt
# Merge and deduplicate
cat disk1_timeline.txt disk2_timeline.txt usb_timeline.txt | \
    sort -u > combined_evidence_timeline.txt

# Process large images in the background at reduced priority
nice -n 10 mac-robber -i /evidence/large_image.dd > timeline.txt &
# Monitor with process status
ps aux | grep mac-robber
# Use tee to write the file and count lines at the same time
mac-robber / | tee timeline_live.txt | wc -l
```
Troubleshooting
Common Issues and Solutions
| Issue | Solution |
|---|---|
| "Permission denied" | Run with sudo for full filesystem access: `sudo mac-robber /` |
| Slow performance | Large filesystems take time; run the process in the background under `nice` |
| Incomplete data | Ensure the filesystem is not actively being written to; work from a forensic image |
| Timestamp inconsistency | Verify the system timezone matches the evidence collection context |
| Image mounting errors | Use the correct image format flag; verify image integrity first |
Verify Installation
```bash
# Check version and capabilities
mac-robber --version
# Test on a single directory
mac-robber /tmp
# Verify the output format
mac-robber -b /tmp | head -5
```
Best Practices
Forensic Investigation Workflow
- Acquire image: Use forensic imaging tools to create bit-for-bit copy
- Mount read-only: Mount filesystem image in read-only mode
- Extract timeline: Use mac-robber to collect all MAC times
- Export format: Choose appropriate format (body, CSV, JSON)
- Analyze timeline: Sort and filter by investigation parameters
- Correlate events: Cross-reference with other evidence
- Document findings: Maintain chain of custody
Data Preservation
```bash
# Create a write-protected timeline
mac-robber / > /tmp/timeline.txt
chmod 444 /tmp/timeline.txt
# Create a backup copy on an external drive
sudo cp /tmp/timeline.txt /mnt/evidence/timeline_backup.txt
# Calculate a hash for integrity verification (record it before the file leaves your hands;
# sha256sum is preferred where the hash will be relied on as evidence)
md5sum /tmp/timeline.txt
```
Investigation Hygiene
```bash
# Document the analysis environment
echo "Analysis performed on $(date)" > investigation_log.txt
echo "MAC Robber version: $(mac-robber --version)" >> investigation_log.txt
# $TZ is often unset; fall back to the zone the system reports
echo "System timezone: ${TZ:-$(date +%Z)}" >> investigation_log.txt
# Generate the analysis timeline and record its hash alongside the log
mac-robber / > investigation_timeline.txt
md5sum investigation_timeline.txt >> investigation_log.txt
```
See Also
- Sleuth Kit (TSK): Forensic analysis framework with timeline tools
- MACTIME: Timeline analysis and correlation tool
- PLASO: Log2timeline framework for forensic artifact processing
- Autopsy: Graphical interface to Sleuth Kit tools
- AXIOM: Commercial digital forensics platform
- Timeline Buddy: Timeline analysis assistant