SMART for Linux
SMART, by ASR Data, is a commercial (not free) GUI based forensic tool for Linux that has a great interface allowing access to a full set of forensic analysis capabilities.
Figure 14. Smart splash screen and log**in**
We are not going to do a full practical exercise with SMART, since it is a commercial tool, and not many beginner readers will have it available. Following is a small tour to give you a taste of the SMART interface.
Opening SMART provides theuser with a view of the physical layout of all the devices recognized on the system, including internal and external drives. This gives the examiner an overall picture of what file systems reside on each drive, the sizes of each partition, and the amountof unallocated space on the drive.
Figure 15. Smart’s opening window with drive identification
SMART is a “right click” driven program. Most functions available to an examiner for a given object are accessed through a mouse driven menu system.For instance, right clicking on a physical device (disk or partition) provides a menu that includes “Acquire”. Selection of this item provides a dialog box to allow forensic imaging.
Figure 16. Forensic image acquisition dialog box. Red text indicates incomplete items…
Figure 17. The "Image" tab under "Acquire".
Case management under SMART is straightforward. Once a forensic image (or multiple images) is added as evidence to a case, SMART will parse the image and provide details on the contents. Here we’ve added our_able2.dd_image to a case:
Figure 18. A SMART look at our evidence image
We see each of the partitions as a graphical representation of the same sort of information we might gather usingfdisk –lon a physical disk.
Right clicking on a partition allows you to “Study” it and obtain information and a file listing (including deleted files). Additional right clicks on the files will access menus that allow us to export the file(s) or view them as raw data for closer study.
Figure 19. Right click on a deleted file
The right click menu displayed for a file in a file listing allows you to perform a number of tasks. In the above screenshot, we see that we have the ability to export the contents of the deleted file at inode 2139, leading us to the same steps as we took with Sleuthkit/Autopsy on the same data.
Additionally, we can use SMART to loop mount the partitions with a simple click and browse the file system in either a terminal or in the file manager of your choice. This provides us the ability to use allour favorite Linux tools to search the logical file system and display the information we need for our analysis.
As with all advanced forensic tools, SMART provides excellent session and Case logging functions.