IPED supports multicase analysis, allowing you to search and analyze multiple processed cases simultaneously. This is essential for large investigations spanning multiple evidence sources or tracking patterns across related cases.
Overview
Multicase support enables:
Unified Search: Search across all cases with a single query
Cross-Case Correlation: Find connections between items in different cases
Massive Scale: Handle up to 135 million items across multiple cases
Centralized Bookmarks: Create bookmarks that span multiple cases
Graph Analysis: Build relationship graphs across case boundaries
As of December 12, 2019, IPED had processed 135 million items in a multicase, demonstrating its capability to handle extremely large investigations.
Creating a Multicase
Prerequisites
Each case must be fully processed before being added to a multicase:
Process Individual Cases
Process each case separately first:
# Process case 1
java -jar iped.jar --dataSource /evidence/suspect1 --output /cases/case1
# Process case 2
java -jar iped.jar --dataSource /evidence/suspect2 --output /cases/case2
# Process case 3
java -jar iped.jar --dataSource /evidence/suspect3 --output /cases/case3
Launch with Multicase Flag
Open IPED with the -multicases flag:
java -jar iped.jar -multicases
This opens a case selection dialog.
Select Cases
In the UI, select multiple case folders:
Hold Ctrl/Cmd to select multiple folders
Choose all cases you want to analyze together
Click OK to load the multicase
Command-Line Method
You can also specify cases directly:
java -jar iped.jar \
-multicases \
-d /cases/case1 \
-d /cases/case2 \
-d /cases/case3
Multicase Interface
Source Identification
In multicase mode, the interface shows which case each item belongs to:
Source Column: Displays the originating case for each item
Color Coding: Different cases may have distinct colors
Filtering: Filter results by source case
Search Across Cases
Search queries automatically span all loaded cases:
# Find all emails across all cases
type:email
# Find documents mentioning "offshore" in any case
offshore AND type:pdf
# Find images in a specific case
type:image AND source:case1
Cross-Case Bookmarks
Bookmarks in multicase mode can contain items from multiple sources:
1. Search: password AND (type:doc OR type:pdf)
2. Select relevant items from all cases
3. Create bookmark: "Password Documents"
4. Bookmark now contains items from multiple cases
Hardware Requirements
Multicase analysis requires substantial resources:
Small Multicase (< 10 million items)
RAM: 16 GB minimum
CPU: 4+ cores
Storage: SSD recommended
Java Heap: -Xmx8G
Medium Multicase (10-50 million items)
RAM: 32 GB minimum
CPU: 8+ cores
Storage: Fast SSD required
Java Heap: -Xmx16G
Large Multicase (50-135 million items)
RAM: 64 GB+ recommended
CPU: 16+ cores
Storage: NVMe SSD
Java Heap: -Xmx32G or more
Memory Configuration
Adjust Java heap size based on your multicase:
# Small multicase (< 10M items)
java -Xmx8G -jar iped.jar -multicases
# Medium multicase (10-50M items)
java -Xmx16G -jar iped.jar -multicases
# Large multicase (50M+ items)
java -Xmx32G -Xms32G -jar iped.jar -multicases
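A pre-flight wrapper for the launch commands above, as an added example (not part of IPED or its documentation): it rejects unprocessed or missing case folders before a long load starts and picks the heap flags from the tiers in this section. The .iped marker name is taken from this page's Troubleshooting checklist; the function names, the total_items argument and treating exactly 50 million items as the large tier are assumptions made here.

```python
from pathlib import Path

# Heap tiers copied from the Memory Configuration commands on this page:
# (exclusive upper bound on item count, JVM heap flags).
HEAP_TIERS = [
    (10_000_000, ["-Xmx8G"]),
    (50_000_000, ["-Xmx16G"]),
]
LARGE_HEAP = ["-Xmx32G", "-Xms32G"]  # 50M+ items (50M itself: assumption)


def heap_flags(total_items):
    """Map an item count supplied by the examiner to the page's heap flags."""
    for upper, flags in HEAP_TIERS:
        if total_items < upper:
            return list(flags)
    return list(LARGE_HEAP)


def multicase_argv(case_dirs, total_items, jar="iped.jar", marker=".iped"):
    """Return the java argv for a multicase launch.

    Raises ValueError naming every unusable case folder, so all problems
    are reported in one pass instead of one failed launch at a time.
    """
    seen, cases, problems = set(), [], []
    for raw in case_dirs:
        path = Path(raw).resolve()
        if path in seen:  # same case listed twice, e.g. through a symlink
            continue
        seen.add(path)
        if not path.is_dir():
            problems.append(f"{raw}: not a directory")
        elif not (path / marker).exists():
            problems.append(f"{raw}: no {marker} marker, case may not be fully processed")
        else:
            cases.append(path)
    if problems:
        raise ValueError("; ".join(problems))
    if not cases:
        raise ValueError("no case directories given")
    # An argv list (not a shell string) keeps paths with spaces intact.
    argv = ["java", *heap_flags(total_items), "-jar", jar, "-multicases"]
    for path in cases:
        argv += ["-d", str(path)]
    return argv
```

Pass the returned list to subprocess.run() unchanged; no shell quoting is needed.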
Loading Time
Multicase loading time varies by size:
| Items | Typical Load Time | Notes |
|-------|-------------------|-------|
| 1M | < 1 minute | Fast |
| 10M | 2-5 minutes | Acceptable |
| 50M | 10-20 minutes | Prepare coffee |
| 135M | 30-60 minutes | Be patient |
Use filtered sub-cases for daily work, and only load the full multicase when necessary.
Use Cases
Corporate Investigation
Investigate multiple employees’ devices:
# Process each employee's device
java -jar iped.jar --dataSource /evidence/employee1_laptop --output /cases/emp1
java -jar iped.jar --dataSource /evidence/employee2_laptop --output /cases/emp2
java -jar iped.jar --dataSource /evidence/employee3_laptop --output /cases/emp3
# Analyze together
java -jar iped.jar -multicases -d /cases/emp1 -d /cases/emp2 -d /cases/emp3
Search scenarios:
Find communications between suspects: from:emp1 AND to:emp2
Track document sharing: author:emp1 AND path:*emp2*
Identify common files: hash:abc123 (finds duplicates across cases)
Criminal Investigation
Multiple suspects with multiple devices:
# Suspect 1: phone + laptop
java -jar iped.jar --dataSource /evidence/suspect1_phone --output /cases/s1_phone
java -jar iped.jar --dataSource /evidence/suspect1_laptop --output /cases/s1_laptop
# Suspect 2: phone + tablet
java -jar iped.jar --dataSource /evidence/suspect2_phone --output /cases/s2_phone
java -jar iped.jar --dataSource /evidence/suspect2_tablet --output /cases/s2_tablet
# Multicase analysis
java -jar iped.jar -multicases \
-d /cases/s1_phone \
-d /cases/s1_laptop \
-d /cases/s2_phone \
-d /cases/s2_tablet
Analysis goals:
Timeline correlation across devices
Communication patterns between suspects
Shared contacts and locations
File transfers between devices
Long-Term Investigation
Add cases over time as new evidence arrives:
# Start with initial evidence
java -jar iped.jar -multicases -d /cases/2023_01_evidence
# Later, add new evidence without reprocessing old
java -jar iped.jar --dataSource /new_evidence --output /cases/2023_06_evidence
# Analyze everything together
java -jar iped.jar -multicases \
-d /cases/2023_01_evidence \
-d /cases/2023_06_evidence \
-d /cases/2023_12_evidence
Cross-Case Features
Duplicate Detection
Find identical files across cases using hash matching:
# Find files appearing in multiple cases
hash:abc123def456
# Find duplicate emails
type:email AND messageId:"<[email protected] >"
The duplicate counter shows how many times each file appears across all cases.
Graph Analysis
Graph analysis can merge data across cases:
Enable Graph Analysis
Ensure GraphTask is enabled in all case processing:
<task class="iped.engine.graph.GraphTask"></task>
Open Graph View
In multicase mode:
Tools → Graph Analysis
Select entities to analyze (contacts, locations, etc.)
Graph shows connections across all cases
Analyze Patterns
Find common contacts across suspects
Identify communication clusters
Track money transfers
Map location patterns
Timeline Analysis
Unified timeline across all cases:
Open Timeline view
Events from all cases appear together
Color-coded by source case
Filter by case, date range, or event type
Example workflow:
1. Set date range: 2023-01-15 to 2023-01-20
2. Filter event types: Calls, Messages, File Access
3. Identify suspicious time overlaps between suspects
4. Create bookmark: "Timeline Correlation - Jan 15"
Web API for Multicases
The Web API supports multicase access:
[
  {
    "id": "suspect1_phone",
    "path": "/cases/s1_phone"
  },
  {
    "id": "suspect1_laptop",
    "path": "/cases/s1_laptop"
  },
  {
    "id": "suspect2_phone",
    "path": "/cases/s2_phone"
  }
]
# Start Web API with multicase
java -jar iped-web-api.jar --sources sources.json
# Search across all cases
curl "http://localhost:8080/search?q=cocaine"
# Search specific case
curl "http://localhost:8080/search?q=cocaine&sourceID=suspect1_phone"
See Web API for full API documentation.
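Generating the sources file and per-case search URLs shown above, as an added example (not code from IPED or its documentation). The /search endpoint, the q and sourceID parameters and the port come from this page; the function names, the id-derivation rules and the sample paths are assumptions made here.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlencode


def _safe(name):
    # Restrict ids to characters that need no escaping in a URL query value.
    return re.sub(r"[^A-Za-z0-9_-]", "_", name)


def build_sources(case_dirs):
    """Return sources.json entries ({"id", "path"}) with unique ids."""
    sources, used = [], set()
    for raw in case_dirs:
        path = Path(raw)
        base = _safe(path.name) or "case"
        candidate = base
        # Folders with the same name (.../s1/phone and .../s2/phone) would
        # collide on id: prefix the parent folder, then fall back to a counter.
        if candidate in used and path.parent.name:
            candidate = f"{_safe(path.parent.name)}_{base}"
        n = 2
        while candidate in used:
            candidate = f"{base}_{n}"
            n += 1
        used.add(candidate)
        sources.append({"id": candidate, "path": path.as_posix()})
    return sources


def search_url(query, source_id=None, base="http://localhost:8080"):
    """Build a /search URL with the query percent-encoded."""
    params = {"q": query}
    if source_id is not None:
        params["sourceID"] = source_id
    return f"{base}/search?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample paths; two of them share the folder name "phone".
    sources = build_sources(["/cases/s1/phone", "/cases/s1/laptop", "/cases/s2/phone"])
    print(json.dumps(sources, indent=2))  # redirect to sources.json
    for src in sources:
        print(search_url("offshore AND type:pdf", src["id"]))
```

Encoding the query matters for any search containing spaces, colons or quotes, which an unescaped curl URL would send incorrectly.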
Multicase Storage
Directory Structure
Multicase creates metadata in a shared directory:
iped-multicases/
└── multicase-{hash}/
├── graph/ # Cross-case graph database
├── bookmarks/ # Shared bookmarks
└── cache/ # Timeline and search cache
Disk Space
Multicase metadata is minimal compared to source cases:
| Items | Case Size | Multicase Overhead |
|-------|-----------|--------------------|
| 1M | ~50 GB | ~500 MB |
| 10M | ~500 GB | ~2 GB |
| 50M | ~2 TB | ~10 GB |
| 135M | ~5 TB | ~25 GB |
Best Practices
Process Cases Consistently
Use the same processing profile for all cases in a multicase:
# Use same profile for all
java -jar iped.jar --dataSource /evidence/case1 --output /cases/case1 --profile forensic
java -jar iped.jar --dataSource /evidence/case2 --output /cases/case2 --profile forensic
java -jar iped.jar --dataSource /evidence/case3 --output /cases/case3 --profile forensic
Inconsistent processing can lead to missing correlations.
Use Meaningful Case Names
Name cases clearly in the file system:
Good:
/cases/2023_investigation/suspect1_phone
/cases/2023_investigation/suspect1_laptop
/cases/2023_investigation/suspect2_phone
Bad:
/cases/case1
/cases/case2
/cases/output
Start with a subset of cases, then expand:
# Week 1: Analyze primary suspects
java -jar iped.jar -multicases -d /cases/suspect1 -d /cases/suspect2
# Week 2: Add related cases
java -jar iped.jar -multicases \
-d /cases/suspect1 \
-d /cases/suspect2 \
-d /cases/suspect3 \
-d /cases/witness1
Organize bookmarks by source or topic:
[S1] Communication Evidence
[S2] Financial Documents
[ALL] Shared Files
[Timeline] Jan 15-20 Activity
Prefix indicates scope.
Export key findings regularly:
# Export bookmarked items to portable case
Tools → Generate Report → Portable Case
# Export to CSV for external analysis
Tools → Generate Report → CSV Report
Limitations
Known limitations in multicase mode:
Image Viewing: Robust image reading may not work in all multicase scenarios
Graph Merging: Currently copies nodes from single cases (not true merge)
Processing: Cannot trigger new processing in multicase mode
Reports: Some report types work better with single cases
Workarounds
For image issues:
Open individual cases when detailed image analysis is needed
Use thumbnails in multicase mode
Export images for external viewing
For graph limitations:
Generate graphs in individual cases first
Use graph view for cross-case visualization
Export graph data for external analysis
JVM Options
Optimize for large multicases:
java -Xmx32G \
-Xms32G \
-XX:+UseG1GC \
-XX:MaxGCPauseMillis=200 \
-XX:+ParallelRefProcEnabled \
-XX:+UseStringDeduplication \
-jar iped.jar -multicases
Case Optimization
Before creating multicase:
Remove unnecessary items: Use filters during processing
Deduplicate: Enable hash deduplication
Compact indices: Optimize Lucene indices
Archive old cases: Move inactive cases out of multicase
Query Optimization
# SLOW - searches all text in all cases
*keyword*
# FASTER - narrow by field
path:*keyword*
# FASTEST - specific field with no wildcards
type:email AND from:[email protected]
Troubleshooting
Out of Memory
Error: java.lang.OutOfMemoryError: Java heap space
Solution: Increase heap size:
java -Xmx64G -jar iped.jar -multicases
Slow Loading
Problem: Multicase takes too long to load
Solutions:
Reduce number of cases
Use faster storage (NVMe SSD)
Increase RAM allocation
Close other applications
Case Not Found
Error: Case directory not found or invalid
Checks:
Ensure case is fully processed
Check for .iped marker file
Verify path is correct
Confirm case index is intact
Indexing Issues
Problem: Some cases don’t appear in search
Solutions:
Rebuild case index: java -jar iped.jar --reindex /cases/case1
Check case processing logs for errors
Verify all cases use compatible IPED versions
Next Steps
Web API: Access multicases remotely via REST API
Scripting: Automate multicase analysis with scripts