Beginner's Start Guide
If you are on a Linux system, please first refer to the Linux section. After that, use java -jar iped.jar instead of iped.exe for all commands below.
Basic Configuration (recommended)
After you have built or downloaded the tool, it is recommended to set up its local configuration file LocalConfig.txt. It basically contains environment information about your computer.
It is recommended, but not mandatory, to change the temporary processing folder:
indexTemp = default
The default value uses the user's temporary directory. If you use \ (backslash) in the path, you need to escape it with another backslash.
Put it on a volume different from your operating system volume, one that is not monitored by antivirus, system indexing or snapshot services. Using an SSD is highly recommended; if you configure it on an SSD, also enable the indexTempOnSSD option.
Starting a new case
To start a new case with the default processing options, simply run:
iped.exe -d image.dd -o output
where image.dd is the full path to the forensic image you want to process and output is the folder where the case will be created. It must not exist or must be an empty folder.
Currently the following image formats are supported: dd/raw, e01, ex01, aff, iso, vhd, vhdx, vmdk, ad1. UFDR reports are also supported.
After the case is processed, you can open the IPEDSearchApp.exe program located inside the output folder to start the case analysis. If you are on Linux, run:
java -jar [output]/iped/lib/iped-search-app.jar
Timezone
If you are going to process an image with a FAT file system that was used in a different timezone, you have to specify that timezone (FAT stores local times with no timezone information):
iped.exe -d image.dd -tz GMT-3 -o output
If unspecified, the local system timezone is applied.
Additional commands
If you want to use an alias for the image name:
iped.exe -d image.dd -dname alias -o output
If you want to add more than one image at the same time:
iped.exe -d image1.dd -d image2.dd -o output
If you want to add an image to an existing case:
iped.exe -d image1.dd -o output --append
where output is the folder path to the existing case.
To see all command line options run iped.exe --help:
Options:
-d, -data
input data (can be used multiple times): folder, DD, 001, E01, EX01, VHD, VHDX, VMDK images, +AFF on Linux, ISO, physical drive, or *.iped file (with tagged files to export and reindex)
-dname
display name (optional) of data added with -d
-o, -output
output folder
--addowner
index file owner info when processing mounted folders (slow over network). Default: false
--append
add data to be processed to an existent case. Default: false
--continue
continue a stopped or aborted processing. Default: false
--help, -h, /?
display this help
--nogui
do not open progress windows, text mode processing. Default: false
--nolinkeditems
do not export automatically to report items linked to chats. Default: false
--nologfile
log messages to standard output. Default: false
--nopstattachs
do not export automatically to report PST/OST email attachments. Default: false
--portable
use relative references to forensic images, so case can be moved to other machines if the images are on the same volume. Default: false
--restart
discard last aborted processing and start from beginning. Default: false
-X
used to specify extra module options
Syntax: -Xkey=value
Default: {}
-asap
.asap file (Brazilian Federal Police) with case info to be included in html report
-b, -blocksize
sector block size (bytes), must set to 4k sector devices. Default: 0
-l, -keywordlist
line file with keywords to be imported into case. Keywords with no hits are filtered out.
-log
Redirect log to another file
-nocontent
do not export to report file contents of a specific category/bookmark, only thumbs and properties
-ocr
only run OCR on a specific category or bookmark (can be used multiple times)
-p, -password
password for encrypted images/volumes. For example, for an image that uses the standard APFS encryption, you can pass the password through this option
-profile
use a processing profile: forensic, pedo, fastmode, blind, triage. More details in manual.
-remove
removes the evidence with the specified name
-tz, -timezone
original timezone of FAT devices: GMT-3, GMT-4... If unspecified, local system timezone is used.
Processing options
All the main processing options can be found in the IPEDConfig.txt file. For example, you can enable or disable hash computation, hash lookup, signature analysis, container expansion, data carving, indexing, regex scan, OCR...
Please refer to the comments inside the IPEDConfig.txt file; they describe each processing option. There are too many to describe in a quick start guide.
The tool comes with some built-in processing profiles. Refer to the Profiles section for details.