IPED provides sophisticated filtering and grouping features that allow investigators to focus on specific subsets of evidence and discover patterns across millions of items.

Filter Types

IPED supports multiple complementary filtering mechanisms:

  • Query Filters: Lucene-based searches that filter by content and metadata
  • Category Filters: Automatic file type categorization and hierarchical filtering
  • Tree Filters: File system structure-based filtering
  • Bookmark Filters: Filter by tagged evidence sets
  • Column Filters: Quick filters on table column values
  • Metadata Filters: Dynamic filtering by property values

Filter Dropdown

The main filter dropdown in the toolbar provides quick access to common filters:

Built-in Filters

  • No Filter: Show all items
  • Checked: Show only checked/marked items
  • Duplicates: Hide duplicate files (by hash)

Filter Manager

Access via Options → Filter Manager to create and manage custom filters.

Creating Custom Filters

  1. Open Filter Manager: click the Options button → Filter Manager
  2. Click New: enter a descriptive name for your filter
  3. Enter Lucene Query: type the query expression in the text area:
     category:Images AND length:>1048576 AND modified:>2023-01-01
  4. Save Filter: click Save to store the filter
  5. Apply Filter: select it from the filter dropdown to apply

Filter Examples

length:>10485760 AND modified:[NOW-30DAYS TO NOW] AND NOT deleted:true
Files larger than 10MB modified in the last 30 days, not deleted

category:Documents AND path:*Users* AND NOT name:~*
Documents in user folders, excluding temporary files

(ext:exe OR ext:dll) AND (path:*AppData* OR path:*Temp*) AND NOT signatureValid:true
Executables in temporary locations without valid signatures

path:*Removable* OR deviceName:"USB*" OR volumeLabel:*
Files from removable media and external drives

category:"Instant Messages" AND (encrypted:true OR content:"end-to-end encryption")
Encrypted chat messages

category:Images AND accessed:[NOW-7DAYS TO NOW]
Images accessed in the last week

Test complex filters by entering them directly in the search box before saving as a custom filter.

Category Filtering

The Categories tree provides automatic file type classification:

Category Hierarchy

IPED organizes files into hierarchical categories:
Documents
├─ Office Documents
│  ├─ Word Documents
│  ├─ Excel Spreadsheets
│  └─ PowerPoint Presentations
├─ PDF Files
├─ Text Files
└─ E-Books

Multimedia
├─ Images
│  ├─ JPEG Images
│  ├─ PNG Images
│  └─ RAW Images
├─ Videos
├─ Audio
└─ 3D Models

Communications
├─ Email
├─ Instant Messages
│  ├─ WhatsApp
│  ├─ Telegram
│  └─ Skype
└─ Contact Lists

System Files
├─ Windows Registry
├─ Logs
├─ Databases
└─ Shortcuts

Using Categories

  1. Expand Category Tree: click the Categories tab in the navigation panel
  2. Select Category: click any category to filter results
  3. View Results: the results table updates to show only items in that category
  4. Clear Filter: click the Clear Filters button or select the root node
Selecting a parent category automatically includes all subcategories in the filter.

Custom Categories

Categories are defined in configuration files and can be customized:
  • Based on MIME types, extensions, and signatures
  • Support for custom detection rules
  • Scriptable category assignment

Duplicate Filtering

Automatic hash-based duplicate detection:

Enabling Duplicate Filter

  1. Check the Filter Duplicates checkbox in the toolbar
  2. Results automatically hide duplicate files (same hash)
  3. One representative from each hash group is shown

Viewing Duplicates

To see all duplicates of a file:
  1. Select an item in the results table
  2. Check the Duplicates tab in the detail panel
  3. All files with matching hashes are listed
Duplicate detection uses MD5, SHA-1, or SHA-256 hashes computed during processing.

Evidence Tree Filtering

Filter by file system location:

Recursive Listing

  • Enabled (default): Selecting a folder shows all descendant files
  • Disabled: Shows only direct children of selected folder
Toggle via checkbox above the evidence tree.

Path-Based Filtering

path:"C:\Users\John\Documents\*"
path:*AppData*
parentPath:"/home/user/Downloads"

Column Header Filtering

Quick filtering directly from table column headers:
  1. Right-click Column Header: right-click any column header in the results table
  2. Select Filter Option:
    • Filter by Value: Enter specific value
    • Filter by Range: Enter min/max values
    • Filter Unique: Show only unique values
    • Clear Filter: Remove column filter
  3. View Filtered Results: the table updates to show matching items
Multiple column filters can be applied simultaneously and are combined with AND logic.

Applied Filters Panel

The Applied Filters panel shows all active filters:
  • Query Filters: Current search query
  • Category Filters: Selected categories
  • Tree Filters: Selected evidence paths
  • Bookmark Filters: Selected bookmark groups
  • Column Filters: Active column filters
  • Similar Item Filters: Similar search results

Clear All Filters

The Clear Filters button (⊗ icon) in the toolbar removes all active filters:
  • Resets to showing all items
  • Clears search query
  • Resets category selection
  • Removes column filters
  • Clears bookmark filters
Clearing filters does not affect checked/bookmarked items, only the current view.

Grouping and Clustering

IPED supports powerful grouping based on any metadata field:

File Grouping

Group items by common properties, available via Options → Group By:
  • By Hash: Group duplicate files together
  • By Category: Organize by file type
  • By Extension: Group by file extension
  • By Parent: Group by container file
  • By Author: Group by document author
  • By Date: Group by date ranges
  • Custom Metadata: Group by any indexed field

Timeline Grouping

View items chronologically:
  1. Enable Timeline View (clock icon button)
  2. Items grouped by timestamp
  3. Chart view shows temporal distribution
  4. Filter by date ranges

Metadata Panel Filtering

The Metadata panel provides dynamic filtering:

Interactive Filtering

  1. Select an item to view its metadata
  2. Click any metadata value
  3. Filter to show items with matching metadata
  4. Combine with other active filters

Metadata Value Statistics

View distribution of metadata values:
  • Count of items per value
  • Percentage breakdown
  • Click to filter by value

AI-Generated Filters

IPED can generate filters based on AI analysis results:

Face Recognition Filters

  • Files with Faces: Images containing detected faces
  • Files with Child Faces: Age estimation for child protection
  • Face Clusters: Group by similar faces

Content Classification

  • Nudity Detection: Adult content filters
  • Object Detection: Filter by detected objects
  • Scene Classification: Group by image content
AI filters require corresponding features to be enabled during case processing.

Combining Filters

Filters work together using AND logic:
  1. Apply First Filter: select a category, e.g., “Images”
  2. Add Search Query: enter search term: vacation
  3. Apply Additional Filter: select from filter dropdown: “Recent Files”
  4. View Combined Results: only items matching ALL filters are shown
Example Combined Filter:
  • Category: Images
  • Search: vacation
  • Custom Filter: Recent Files (modified in last 30 days)
  • Result: Recent image files containing the word “vacation”

Filter Performance

Optimization Tips

  • Filter Order: Apply most restrictive filters first to reduce result set size
  • Index Usage: Filters use Lucene index for fast execution even on large cases
  • Cached Results: Repeatedly used filters benefit from result caching
  • Complex Queries: Break down very complex filters into multiple steps

Bitmap Filtering

IPED uses efficient bitmap-based filtering:
  • Query results stored as compressed bitmaps
  • Fast intersection/union operations
  • Low memory overhead
  • Scales to millions of items
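
The AND combination of filters, the hash-based duplicate filter and the bitmap representation described on this page, modelled as an added example (not IPED's code). The item list is constructed; Python integers stand in for IPED's compressed bitmaps, the "vacation" match runs on the path instead of indexed content, and keeping the lowest item id per hash group is an assumed choice of representative.

```python
import hashlib
from datetime import date

# Constructed sample items (item id = list index): path, category, modified, content.
ITEMS = [
    ("/Users/john/Pictures/vacation1.jpg", "Images", date(2024, 5, 2), b"JPEG-A"),
    ("/Users/john/Desktop/vacation1 (copy).jpg", "Images", date(2024, 5, 3), b"JPEG-A"),
    ("/Users/john/Documents/vacation-plan.docx", "Documents", date(2024, 5, 1), b"DOCX-B"),
    ("/Users/john/Pictures/vacation-old.jpg", "Images", date(2019, 7, 9), b"JPEG-C"),
    ("/Users/john/Pictures/receipt.png", "Images", date(2024, 5, 4), b"PNG-D"),
]

def bitmap(predicate):
    """Bitmap of matching items: bit i is set when ITEMS[i] satisfies predicate."""
    bits = 0
    for i, item in enumerate(ITEMS):
        if predicate(item):
            bits |= 1 << i
    return bits

def duplicate_filter_bitmap():
    """Keep one representative per SHA-256 group (assumption: the lowest item id)."""
    seen, bits = set(), 0
    for i, item in enumerate(ITEMS):
        digest = hashlib.sha256(item[3]).hexdigest()
        if digest not in seen:
            seen.add(digest)
            bits |= 1 << i
    return bits

def duplicates_of(item_id):
    """Ids of every item sharing the selected item's hash (the Duplicates tab view)."""
    target = hashlib.sha256(ITEMS[item_id][3]).digest()
    return [i for i, it in enumerate(ITEMS) if hashlib.sha256(it[3]).digest() == target]

def combine(*bitmaps):
    """Active filters are ANDed: an item is shown only if every bitmap has its bit."""
    result = (1 << len(ITEMS)) - 1  # "No Filter": all items
    for b in bitmaps:
        result &= b
    return result

def item_ids(bits):
    return [i for i in range(len(ITEMS)) if bits >> i & 1]

category = bitmap(lambda it: it[1] == "Images")            # category filter
query = bitmap(lambda it: "vacation" in it[0].lower())     # stand-in for the search
recent = bitmap(lambda it: it[2] >= date(2024, 4, 10))     # stand-in "Recent Files"
shown = combine(category, query, recent, duplicate_filter_bitmap())
print(item_ids(shown), duplicates_of(1))
```
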

Export Filtered Results

Export current filtered result set:
  1. Apply desired filters
  2. Options → Export
  3. Choose format:
    • CSV report
    • HTML report
    • ZIP archive with files
  4. Only filtered items are exported
Check items before export to include only specific files from the filtered set.

Filter Use Cases

  1. Filter by date range
  2. Enable timeline view
  3. Examine temporal patterns
  4. Correlate events across evidence

  1. Filter by user path (e.g., /Users/john/)
  2. Group by document type
  3. Examine recently accessed files
  4. Identify user-specific artifacts

  1. Filter by volume label or device name
  2. Examine file timestamps
  3. Look for copied files (duplicates)
  4. Trace data exfiltration

  1. Filter suspicious executables
  2. Check code signing status
  3. Examine suspicious paths
  4. Correlate with timeline events

  1. Filter deleted:true
  2. Add carved:true
  3. Filter by category (e.g., Images)
  4. Examine recovered artifacts

Next Steps

Searching

Master advanced search techniques

Bookmarks

Organize filtered results with bookmarks
