IPED’s behavior is controlled through a comprehensive configuration system that allows fine-tuned control over processing, analysis, and export options.
Configuration Overview IPED uses a hierarchical configuration system with multiple configuration files:
IPEDConfig.txt Main configuration file controlling enabled features and processing options
LocalConfig.txt Local system settings like CPU threads, memory, and temporary folders
Module Configs Individual configuration files for specific processing modules
Profiles Pre-configured sets of options for different investigation types
Configuration Locations IPED looks for configuration files in this order:
Profile directory (if specified)
iped-app/resources/config/profiles/<profile_name>/
Default configuration directory
iped-app/resources/config/
Case directory (for existing cases)
/cases/case001/iped/config/
Profile settings override default settings. Case settings are stored but don’t override new processing.
Main Configuration (IPEDConfig.txt) The primary configuration file controls which processing features are enabled.
File Location iped-app/resources/config/IPEDConfig.txt
Or within a profile:
iped-app/resources/config/profiles/<profile>/IPEDConfig.txt
Configuration files use a simple key-value format:
# Comments start with # enableSomeFeature = true disableSomeFeature = false numericOption = 100 stringOption = value
Core Processing Options Compute file hashes (MD5, SHA-1, SHA-256, SHA-512, edonkey)
Enable PhotoDNA hashing (law enforcement only)
Lookup hashes in configured databases (NSRL, CAID, ProjectVIC, etc.)
Lookup PhotoDNA hashes in configured databases
Verify file types using signature analysis (magic bytes)
Parse files to extract metadata and embedded content
Recursively expand archives, compressed files, and containers
Process embedded disk images (E01, VMDK, VHD, etc. found within evidence)
Search and Indexing Index file contents for full-text search
Search for patterns: credit cards, emails, URLs, phone numbers, etc.
Detect document languages (70+ languages supported)
enableNamedEntityRecogniton
Detect named entities (people, organizations, locations) - requires Stanford CoreNLP models
Image and Video Analysis Generate thumbnails for images (hundreds of formats)
Generate thumbnails for video files
Generate thumbnails for documents (PDF, Office, etc.)
Enable similar image search functionality
Detect and recognize faces in images (CPU-optimized)
Estimate ages of individuals in images
Use Yahoo open-nsfw deep learning model for nudity detection (requires Keras and TensorFlow)
Data Recovery Carve deleted files from unallocated space (40+ file formats)
Enhanced carving for known exploitative content (CSAM investigations)
Carve files matching known metadata signatures
Advanced Features Scan for and decode QR codes in images
Generate communication graphs (calls, emails, messages)
Transcribe audio files (local or cloud services: Azure, Google Cloud)
Detect encrypted files using entropy analysis
enableSearchHardwareWallets
Search for cryptocurrency hardware wallet files
Export and Reporting Export file properties to reports
enableAutomaticExportFiles
Automatically export files matching configured criteria
Generate HTML reports of case data
Skip processing of duplicate files (based on hash)
Example Configuration ######################################################################## # IPED Processing Configuration ######################################################################## # Hashing enableHash = true enablePhotoDNA = false enableHashDBLookup = true # File Processing processFileSignatures = true enableFileParsing = true expandContainers = true processEmbeddedDisks = true # Indexing and Search indexFileContents = true enableRegexSearch = true enableLanguageDetect = true enableNamedEntityRecogniton = false # Image/Video Analysis enableImageThumbs = true enableVideoThumbs = true enableImageSimilarity = true enableFaceRecognition = false # Data Recovery enableCarving = true enableLedCarving = false # Advanced enableQRCode = true enableGraphGeneration = true entropyTest = true # Export exportFileProps = true enableHTMLReport = true ignoreDuplicates = true
Local Configuration (LocalConfig.txt) Controls system-specific settings and resource allocation.
File Location iped-app/resources/config/LocalConfig.txt
Number of processing threads. Set to number of CPU cores or leave blank for auto-detection.
Number of threads for text indexing. Usually 1 is optimal.
Size of processing queue. Increase for systems with more RAM.
Storage Settings Temporary folder for index creation. Use fast SSD storage.
Optimize for SSD output storage
Temporary folder for extracted embedded files
Example Configuration ######################################################################## # Local System Configuration ######################################################################## # Processing threads (leave empty for auto-detection) numThreads = 16 indexerThreads = 1 # Queue size (higher = more RAM usage) queueSize = 10000 # Temporary folders (use fast storage) indexTemp = /tmp/iped-index embutidos = /tmp/iped-extracted # Storage optimization outputOnSSD = true
Module Configuration Individual modules have dedicated configuration files in the conf/ subdirectory.
Common Module Configs IndexTaskConfig.txt
HashTaskConfig.txt
HashDBLookupConfig.txt
CarvedTaskConfig.txt
VideoThumbsConfig.txt
ParsingTaskConfig.txt
Controls text indexing and search behavior. # Index configuration convertCharsToLowerCase = true convertCharsToAscii = false filterNonLatinChars = false # Minimum index fragment size minWordSize = 3 # Store term vectors for highlighting storeTermVectors = true # Content types to skip skipKnownFiles = true
Configure hash computation algorithms. # Hash algorithms to compute enableMD5 = true enableSHA1 = true enableSHA256 = true enableSHA512 = false enableEdonkey = true
Configure hash database lookups. conf/HashDBLookupConfig.txt
# Hash databases to use enableNSRL = true enableCAID = true enableProjectVIC = false # Database paths nsrlPath = /hashsets/NSRL/ caidPath = /hashsets/CAID/
Configure data carving options. conf/CarvedTaskConfig.txt
# Enable carving by category carveImages = true carveVideos = true carveDocuments = true carveArchives = false # Minimum file size to carve (bytes) minFileSize = 1024 # Carving sensitivity maxFragmentation = 3
Configure video thumbnail generation. conf/VideoThumbsConfig.txt
# Number of frames to extract per video numFrames = 10 # Thumbnail dimensions thumbWidth = 200 thumbHeight = 200 # Gallery layout galleryColumns = 5 # Skip known videos skipKnownVideos = true
Configure file parsing options. conf/ParsingTaskConfig.txt
# Parse embedded metadata parseMetadata = true # Extract embedded files extractEmbedded = true # OCR images in PDFs pdfOCR = false # Parse corrupted files parseCorrupted = true # Timeout per file (seconds) parsingTimeout = 60
Category Configuration Configure which file categories to process, expand, or export.
CategoriesToExpand.txt Specify which container types to automatically expand:
conf/CategoriesToExpand.txt
# Expand these categories Archives Compressed Email Instant Messengers Databases
CategoriesToExport.txt Define which categories to automatically export (blind profile):
conf/CategoriesToExport.txt
# Automatically export these categories Documents Spreadsheets Presentations Images
FileSystemConfig.txt Configure file system processing options:
conf/FileSystemConfig.txt
# Process deleted files processDeleted = true # Process unallocated space processUnallocated = true # Process file slack processSlack = false # Minimum file size to process minFileSize = 0
Advanced Configuration Regular Expression Searches Configure pattern searches in conf/RegexConfig.txt:
# Built-in patterns (enabled by default) enableCreditCards = true enableEmails = true enableURLs = true enablePhoneNumbers = true enableIPAddresses = true enableBitcoinWallets = true enableEthereumWallets = true # Validation scripts validateCards = true validateIBANs = true # Custom patterns customPattern1 = CASE-\d{4}-\d{6} customPattern2 = EVIDENCE-[A-Z]{3}-\d{8}
Named Entity Recognition Configure NER in conf/NERConfig.txt:
# Requires Stanford CoreNLP models enablePersonNames = true enableOrganizations = true enableLocations = true enableDates = true # Model path modelPath = /models/stanford-corenlp/ # Languages languages = en,es,fr,de
Audio Transcription Configure transcription in conf/AudioTranscriptionConfig.txt:
conf/AudioTranscriptionConfig.txt
# Service provider provider = azure # Options: azure, google, local # Azure settings azureKey = YOUR_API_KEY azureRegion = eastus # Languages to detect languages = en-US,es-ES,pt-BR # Skip known audio skipKnownAudio = true
Configuration Best Practices
Don’t configure from scratch. Start with the profile closest to your needs and modify it: cd iped-app/resources/config/profiles cp -r forensic my_custom_profile # Edit my_custom_profile/IPEDConfig.txt
Test configuration changes
Test configuration changes on sample data before processing critical evidence: java -jar iped.jar -d /test/sample.E01 -profile my_custom_profile -o /test/output
Document custom configurations
Keep notes on why specific options were enabled/disabled for court testimony and peer review.
Store custom profiles in version control (git) to track changes over time: cd iped-app/resources/config/profiles git init git add my_custom_profile/ git commit -m "Custom profile for corporate investigations"
Balance features and performance
More features = slower processing. Enable only what you need for each investigation.
Configuration Troubleshooting
Check configuration syntax
Ensure proper format: key = value with no extra spaces: enableHash = true # Correct enableHash=true # Also correct enableHash = true; # WRONG - no semicolons
Verify file locations
IPED must be able to find configuration files. Check the log for: Loading configuration from: /path/to/config
Check profile override
Profile settings override defaults. If changes aren’t applied, check if you’re using a profile: # This uses forensic profile settings, NOT default config java -jar iped.jar -profile forensic -d /evidence/disk.E01 -o /cases/case001
Review log file
Check the log for configuration errors: tail -f /cases/case001/iped/log/IPED_YYYYMMDD.log
Environment Variables Some settings can be controlled via environment variables:
export IPED_TEMP = / fast / ssd / temp export JAVA_TOOL_OPTIONS = "-Xmx32G" java -jar iped.jar -d /evidence/disk.E01 -o /cases/case001
Configuration Examples Fast Corporate Investigation custom_corporate/IPEDConfig.txt
# Fast processing for corporate investigations enableHash = true enableHashDBLookup = true processFileSignatures = true enableFileParsing = true expandContainers = true indexFileContents = true enableRegexSearch = true # Skip time-consuming features enableCarving = false enableImageSimilarity = false enableFaceRecognition = false enableVideoThumbs = false # Email and communication focus enableGraphGeneration = true
Comprehensive Malware Analysis custom_malware/IPEDConfig.txt
# Detailed analysis for malware investigations enableHash = true processFileSignatures = true enableFileParsing = true expandContainers = true entropyTest = true # Don't skip potential malware ignoreDuplicates = false skipKnownFiles = false # Minimal image/video processing enableImageThumbs = false enableVideoThumbs = false enableCarving = false
Next Steps
Command-Line Options Learn command-line parameters that work with configuration
Processing Profiles Explore pre-configured profiles for different scenarios
Data Sources Understand supported evidence formats and sources
Troubleshooting Solve common configuration issues