Beginner's Start Guide

Luis Filipe Nassif edited this page Jul 25, 2024 · 32 revisions

If you are on a Linux system, please first refer to the Linux section. After that, use java -jar iped.jar instead of iped.exe for all commands below.

Basic Configuration (recommended)

After you have built or downloaded the tool, it is recommended to set up its local configuration file, LocalConfig.txt. It contains environment-specific settings for your computer.

It is recommended to change the temporary processing folder:

indexTemp = default

The default value uses the user's temporary directory. If the path contains \ (backslash), escape each one with another backslash.

Put it on a volume different from your operating system volume, one that is not monitored by antivirus, system indexing or snapshot services. Using an SSD is highly recommended; if you configure it on an SSD, enable the indexTempOnSSD option.

Starting a new case

To start a new case with the default processing options, simply run:

iped.exe -d image.dd -o output

where image.dd is the full path to the forensic image you want to process and output is the folder where the case will be created. It must not exist yet, or it must be an empty folder.

Currently the following image formats are supported: dd/raw, e01, ex01, aff, iso, vhd, vhdx, vmdk, ad1. UFDR reports are also supported.

After the case is processed, you can open the IPEDSearchApp.exe program located inside the output folder to start the case analysis. If you are on Linux, run:

java -jar [output]/iped/lib/iped-search-app.jar

Timezone

If you are going to process an image with a FAT file system that was used in a different timezone, you have to specify that timezone:

iped.exe -d image.dd -tz GMT-3 -o output

If unspecified, the local system timezone is applied.

Additional commands

If you want to use an alias for the image name:

iped.exe -d image.dd -dname alias -o output

If you want to add more than one image at the same time:

iped.exe -d image1.dd -d image2.dd -o output

If you want to add an image to an existing case:

iped.exe -d image1.dd -o output --append

where output is the folder path to the existing case.

To see all command line options run iped.exe --help.
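The invocations above (new case, multiple images, alias, timezone, append) share two rules that are easy to get wrong: the output folder of a new case must not exist or must be empty, and --append needs an existing case. The helper below is an added example, not part of IPED, that assembles the command line from those options and checks both rules before anything runs. It assumes a Linux install with iped.jar in the current directory (override IPED_CMD for iped.exe) and treats the case's iped/ subfolder, mentioned above for the search app, as the marker of an existing case.

```shell
#!/bin/sh
# Added helper, not part of IPED: builds an IPED command line from the
# options described on this page and validates the output-folder rules.
# Assumes iped.jar is in the current directory (Linux); set
# IPED_CMD="iped.exe" on Windows. The helper only prints the command.
#
# Usage: build_iped_cmd OUTPUT_DIR [-tz ZONE] [-dname ALIAS] [--append] IMAGE...
build_iped_cmd() {
  output=$1; shift
  tz=""; alias=""; append=0; dflags=""; nimages=0
  while [ $# -gt 0 ]; do
    case $1 in
      -tz)      tz=$2; shift 2 ;;
      -dname)   alias=$2; shift 2 ;;
      --append) append=1; shift ;;
      *)        # anything else is an image path; it must exist
        [ -e "$1" ] || { echo "image not found: $1" >&2; return 1; }
        dflags="$dflags -d $1"; nimages=$((nimages + 1)); shift ;;
    esac
  done
  [ "$nimages" -gt 0 ] || { echo "no image given" >&2; return 1; }
  # -dname names one image, so this helper accepts it only with a single -d
  if [ -n "$alias" ] && [ "$nimages" -ne 1 ]; then
    echo "-dname needs exactly one image" >&2; return 1
  fi
  if [ "$append" -eq 1 ]; then
    # --append needs an existing case; a processed case has an iped/ folder
    [ -d "$output/iped" ] || { echo "not an existing case: $output" >&2; return 1; }
  elif [ -e "$output" ]; then
    # a new case needs a folder that does not exist yet or is empty
    if [ ! -d "$output" ] || [ -n "$(ls -A "$output")" ]; then
      echo "output must not exist or must be empty: $output" >&2; return 1
    fi
  fi
  cmd="${IPED_CMD:-java -jar iped.jar}$dflags"
  [ -n "$alias" ] && cmd="$cmd -dname $alias"
  [ -n "$tz" ] && cmd="$cmd -tz $tz"
  cmd="$cmd -o $output"
  [ "$append" -eq 1 ] && cmd="$cmd --append"
  printf '%s\n' "$cmd"
}
```

Run it as `eval "$(build_iped_cmd /cases/case1 -tz GMT-3 /evidence/image.dd)"` once the printed command looks right.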

Processing options

All the main processing options can be found in the IPEDConfig.txt file. For example, you can enable or disable hash computation, hash lookup, signature analysis, container expansion, data carving, indexing, regex scan, OCR...

Please refer to the comments inside the IPEDConfig.txt file; they describe each processing option. There are too many to describe in a quick start guide.

The tool comes with some built-in processing profiles. Refer to the Profiles section for details.