Skip to main content
IPED provides a powerful command-line interface for batch processing of digital evidence. This allows for automation, scripting, and headless operation on servers.

Basic Usage

The basic syntax for running IPED from the command line: 
java -jar iped.jar -d <data_source> -o <output_folder> [options]

Required Parameters

Data Source Input

-d
file
required
Input data source (can be used multiple times for multiple sources)Supported formats:
  • Disk images: DD, E01, Ex01, VHD, VHDX, VMDK
  • Forensic formats: AD1 (AccessData), UFDR (Cellebrite), AFF (Linux)
  • Virtual disks: ISO, ISO9660, UDF
  • Physical drives
  • Local folders
  • IPED files (*.iped with tagged files)
Alias: -data
Terminal
java -jar iped.jar -d /evidence/disk.E01 -o /cases/case001

Output Directory

-o
path
required
Output folder where the processed case will be created
Alias: -output If not specified, IPED creates an “iped” folder in the parent directory of the data source.
Terminal
java -jar iped.jar -d /evidence/device.dd -o /cases/investigation_2024

Processing Options

Profile Selection

-profile
string
Select a processing profile that optimizes IPED for specific investigation typesAvailable profiles:
  • forensic - Full forensic analysis (default)
  • pedo - CSAM investigations with specialized detection
  • triage - Fast on-scene processing with basic indexing
  • fastmode - Fastest preview mode (minimal processing)
  • blind - Automated data extraction without GUI
Terminal
java -jar iped.jar -d /evidence/phone.dd -o /cases/csam_case -profile pedo
See Processing Profiles for detailed information about each profile.

Multiple Data Sources

Process multiple evidence sources into a single case:
Terminal
java -jar iped.jar \
  -d /evidence/laptop.E01 \
  -d /evidence/phone.dd \
  -d /evidence/usb_drive \
  -o /cases/multi_device

Data Source Names

-dname
string
Custom display name for the preceding data source
Terminal
java -jar iped.jar \
  -d /evidence/disk1.E01 -dname "Suspect Laptop" \
  -d /evidence/disk2.dd -dname "USB Drive" \
  -o /cases/case001

Advanced Options

Continue and Restart

--continue
boolean
Resume a stopped or aborted processing from where it left off
--restart
boolean
Discard the last aborted processing and start from the beginning
Terminal
# Resume interrupted processing
java -jar iped.jar --continue -o /cases/case001

# Start over after failure
java -jar iped.jar --restart -d /evidence/disk.E01 -o /cases/case001

Append to Existing Case

--append
boolean
Add new data sources to an existing processed case
Terminal
java -jar iped.jar --append -d /evidence/new_device.dd -o /cases/existing_case
The IPED version must match when appending. Cannot append to cases created with different minor versions.

Remove Evidence

-remove
string
Remove a specific evidence source by name from an existing case
Terminal
java -jar iped.jar -remove "USB Drive" -o /cases/case001

Encryption and Security

Passwords

-p
string
Password for encrypted images or volumes (can be used multiple times)
Alias: -password
Terminal
java -jar iped.jar -d /evidence/encrypted.E01 -p "password123" -o /cases/case001
For multiple encrypted sources:
Terminal
java -jar iped.jar \
  -d /evidence/disk1.E01 -p "pass1" \
  -d /evidence/disk2.E01 -p "pass2" \
  -o /cases/case001

Search and Analysis

Keyword Lists

-l
file
Line-delimited file with keywords to import and search. Keywords with no hits are automatically filtered out.
Alias: -keywordlist
Terminal
java -jar iped.jar -d /evidence/disk.E01 -l /config/keywords.txt -o /cases/case001
Example keywords.txt: 
confidential
password
credit card
suspect name
company name

Selective OCR

-ocr
string
Run OCR only on specific categories or bookmarks (can be used multiple times)
Terminal
java -jar iped.jar -d /evidence/disk.E01 -ocr "Images" -ocr "Documents" -o /cases/case001

File System Options

Timezone

-tz
string
Original timezone of FAT file systems (e.g., GMT-3, GMT-4). Uses local system timezone if not specified.
Alias: -timezone
Terminal
java -jar iped.jar -d /evidence/disk.dd -tz GMT-5 -o /cases/case001

Block Size

-b
integer
Sector block size in bytes. Required for devices with 4K sectors.
Alias: -blocksize
Terminal
# For 4K sector drives
java -jar iped.jar -d /evidence/disk.E01 -b 4096 -o /cases/case001

File Owner Information

--addowner
boolean
Index file owner information when processing local folders. This is slow over network shares.
Terminal
java -jar iped.jar -d /network/share --addowner -o /cases/case001

Export and Reporting

Report Configuration

-nocontent
string
Do not export file contents to report for a specific category/bookmark, only thumbnails and properties
Terminal
java -jar iped.jar -d /evidence/disk.E01 -nocontent "Videos" -o /cases/case001
--nopstattachs
boolean
Do not automatically export PST/OST email attachments to reports
--nolinkeditems
boolean
Do not automatically export items linked to chats
Terminal
java -jar iped.jar -d /evidence/disk.E01 --nopstattachs --nolinkeditems -o /cases/case001

ASAP Integration

-asap
file
Brazilian Federal Police .asap file with case information to include in HTML reports
Terminal
java -jar iped.jar -d /evidence/disk.E01 -asap /cases/case001.asap -o /cases/case001

Portable Cases

--portable
boolean
Use relative paths to forensic images so the case can be moved to other machines (images must be on the same volume)
Terminal
java -jar iped.jar -d ./evidence/disk.E01 --portable -o ./cases/case001

Interface Options

No GUI Mode

--nogui
boolean
Run in text mode without progress windows for batch/automated processing
Terminal
java -jar iped.jar --nogui -d /evidence/disk.E01 -o /cases/case001

Logging

-log
file
Redirect log output to a specific file
--nologfile
boolean
Send log messages to standard output instead of a file
Terminal
# Custom log location
java -jar iped.jar -d /evidence/disk.E01 -log /logs/case001.log -o /cases/case001

# Log to stdout for piping
java -jar iped.jar --nogui --nologfile -d /evidence/disk.E01 -o /cases/case001 | tee processing.log

Custom Splash Message

-splash
string
Custom message to display in the splash screen
Terminal
java -jar iped.jar -splash "Processing Case #2024-001" -d /evidence/disk.E01 -o /cases/case001

Network Features

Internet Data Download

--downloadInternetData
boolean
Download Internet data to enrich evidence (e.g., WhatsApp media files still available on servers)
Terminal
java -jar iped.jar -d /evidence/phone.dd --downloadInternetData -o /cases/case001
This downloads external data from the internet. Ensure you have proper legal authorization and network access.

Module-Specific Parameters

Extra Parameters

-X
key=value
Pass extra configuration options to specific modules
Terminal
java -jar iped.jar -d /evidence/disk.E01 -Xmodule.option=value -o /cases/case001

Help and Information

--help
boolean
Display help information with all available parameters
Aliases: -h, /?
Terminal
java -jar iped.jar --help

Complete Examples

Basic Forensic Case

Terminal
java -jar iped.jar \
  -d /evidence/laptop.E01 \
  -o /cases/investigation_001 \
  -profile forensic \
  -l /config/keywords.txt

CSAM Investigation

Terminal
java -jar iped.jar \
  -d /evidence/suspect_device.dd \
  -o /cases/csam_investigation \
  -profile pedo \
  --nogui \
  -log /logs/csam_case.log

Multi-Device Case

Terminal
java -jar iped.jar \
  -d /evidence/laptop.E01 -dname "Suspect Laptop" \
  -d /evidence/phone.dd -dname "iPhone 12" -p "1234" \
  -d /evidence/usb_drive -dname "USB Drive" \
  -o /cases/fraud_investigation \
  -profile forensic \
  -tz GMT-5 \
  --portable

Fast Triage Processing

Terminal
java -jar iped.jar \
  -d /evidence/seized_device.dd \
  -o /cases/triage_001 \
  -profile fastmode \
  --nogui \
  -l /config/urgent_keywords.txt

Encrypted Device with Resume

Terminal
# Initial processing
java -jar iped.jar \
  -d /evidence/encrypted.E01 \
  -p "SecurePassword123" \
  -o /cases/encrypted_case \
  -profile forensic

# Resume if interrupted
java -jar iped.jar --continue -o /cases/encrypted_case

Batch Processing Script

batch_process.sh
#!/bin/bash

# Process multiple cases in batch
for evidence in /evidence/*.E01; do
  case_name=$(basename "$evidence" .E01)
  echo "Processing $case_name..."
  
  java -jar iped.jar \
    --nogui \
    -d "$evidence" \
    -o "/cases/$case_name" \
    -profile forensic \
    -log "/logs/$case_name.log"
  
  if [ $? -eq 0 ]; then
    echo "$case_name completed successfully"
  else
    echo "$case_name failed"
  fi
done

Exit Codes

CodeDescription
0Processing completed successfully
1Processing failed or was aborted

Performance Tips

1

Use appropriate profiles

Select the right profile for your investigation type. Using fastmode for triage can save hours.
2

Optimize Java heap size

Allocate sufficient memory for large cases:
Terminal
java -Xmx32G -jar iped.jar -d /evidence/large.E01 -o /cases/case001
3

Process locally

Process evidence on local drives, not network shares, for optimal performance.
4

Use SSD storage

Store output on SSD drives for 2-3x faster processing.
5

Monitor resources

IPED can process at up to 400GB/h with modern hardware and proper configuration.

Common Issues

Increase Java heap size:
Terminal
java -Xmx16G -jar iped.jar -d /evidence/disk.E01 -o /cases/case001
See the Troubleshooting guide for more solutions.
Ensure versions match. IPED checks minor version compatibility:
Appending to case with old version X.Y.Z not supported.
Use the same IPED version or create a new case.
Verify the profile name is spelled correctly and exists:
Terminal
ls iped-app/resources/config/profiles/
Ensure the password is provided correctly:
Terminal
java -jar iped.jar -d /evidence/encrypted.E01 -p "YourPassword" -o /cases/case001

Next Steps

Processing Profiles

Learn about the five processing profiles and when to use each

Configuration

Customize IPED processing options and module settings

Data Sources

Detailed information about supported evidence formats

Troubleshooting

Solutions to common processing issues

Build docs developers (and LLMs) love

Get started for freeTalk to us