mac-robber
mac-robber collects metadata from allocated files in mounted filesystems for digital forensics investigations. The collected data can be used by mactime from The Sleuth Kit to create file activity timelines.
Description
mac-robber is a digital investigation tool that collects metadata from allocated files in a mounted filesystem. This is particularly useful during incident response when analyzing a live system, or a dead system in a lab environment. The tool is based on the grave-robber tool from TCT (The Coroner's Toolkit) and generates data compatible with the mactime tool in The Sleuth Kit for creating timelines of file activity.
Unlike tools in The Sleuth Kit that process filesystems directly, mac-robber requires the filesystem to be mounted by the operating system. This means it cannot collect data from deleted files or from files hidden by rootkits. Additionally, mac-robber will modify the access times of directories on filesystems mounted read-write.
The tool is especially valuable when dealing with filesystems not supported by The Sleuth Kit or other analysis tools. It can be run on obscure UNIX filesystems mounted read-only on a trusted system.
How It Works
mac-robber scans mounted filesystems and extracts metadata (MAC times - Modified, Accessed, Changed) from allocated files. It requires the target filesystem to be mounted by the OS rather than processing raw disk images. The output is formatted for use with mactime from The Sleuth Kit to build file activity timelines. Note that it only captures data from currently allocated files and modifies directory access times on writable mounts.
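To show what this collection amounts to, here is an added Python example (illustration only, not mac-robber's own code) that walks a mounted tree with lstat and emits records in the Sleuth Kit body format that mactime reads; the temporary tree, the file name and the timestamps are constructed for the demonstration, and the MD5 and crtime fields are written as 0 since the walk computes no hashes and stat() on most UNIX filesystems exposes no creation time.

```python
import os
import stat
import tempfile


def body_line(path, st):
    """One record in the Sleuth Kit 'body' format that mactime reads:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    MD5 and crtime are written as 0: no hashing is done and most UNIX
    filesystems do not expose a creation time through stat()."""
    return "|".join([
        "0", path, str(st.st_ino), stat.filemode(st.st_mode),
        str(st.st_uid), str(st.st_gid), str(st.st_size),
        str(int(st.st_atime)), str(int(st.st_mtime)),
        str(int(st.st_ctime)), "0",
    ])


def collect(root):
    """Walk a mounted tree and return one body line per allocated object.
    os.lstat records symlinks themselves instead of following them.
    Only names returned by readdir() are visited, so deleted files and
    anything a rootkit hides from directory listings never appear.
    Listing a directory also updates that directory's atime on a
    read-write mount, the same side effect mac-robber has; mount the
    evidence read-only to avoid it."""
    lines = [body_line(root, os.lstat(root))]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            lines.append(body_line(path, os.lstat(path)))
    return lines


def demo():
    """Build a small constructed tree in a temporary directory, pin known
    timestamps on one file, and return the collected body lines."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "evidence.txt")  # constructed sample file
        with open(target, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(target, (1700000000, 1600000000))  # (atime, mtime), constructed
        os.mkdir(os.path.join(root, "sub"))
        return collect(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The printed lines can be fed to mactime (for example `mactime -b body.txt`) to build the same kind of timeline mac-robber's output produces.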
Installation
sudo apt install mac-robber
Flags
Examples
mac-robber /home
mac-robber /var/log
mac-robber /tmp /var/tmp
mac-robber -V
mac-robber /mnt/suspect-fs
mac-robber /media/usb-drive