mac-robber is an open source tool that can be used to collect time information from a live computer. The output of this tool can be used to make a timeline of file activity.
Unlike the TSK tools, mac-robber relies on the OS to gather information about a mounted file system. This makes it more vulnerable to rootkits, but it allows an investigator to collect data on file systems that are not supported by TSK.
http://www.sleuthkit.org/mac-robber/(http://www.sleuthkit.org/mac-robber/)
Last modified: 2016-05-18