Skip to main content
IPED supports a wide variety of digital evidence formats, from forensic disk images to physical devices and local folders. This comprehensive support allows investigators to process evidence from virtually any source.

Supported Formats Overview

IPED uses the Sleuthkit Library for disk image decoding and file system parsing, providing broad format compatibility.

Forensic Images

E01, Ex01, AFF, AD1, UFDR formats

Raw Images

DD, RAW, split segments

Virtual Disks

VMDK, VHD, VHDX (including differential disks)

Optical Media

ISO9660, UDF, ISO formats

Physical Devices

Direct access to physical drives

File Systems

NTFS, FAT, exFAT, ext2/3/4, HFS+, APFS

Local Folders

Process live file systems and network shares

IPED Cases

Reprocess tagged files from existing cases

Forensic Disk Images

EnCase Evidence Files (E01/Ex01)

Expert Witness Format by Guidance Software Supported variants:
  • E01 - Standard EnCase format
  • Ex01 - Extended EnCase format
  • Split segments - E01, E02, E03, etc.
  • Compressed - Built-in compression supported
  • Encrypted - Password-protected images
Terminal
# Single segment
java -jar iped.jar -d /evidence/disk.E01 -o /cases/case001

# Split segments (specify first segment only)
java -jar iped.jar -d /evidence/disk.E01 -o /cases/case001

# Encrypted image
java -jar iped.jar -d /evidence/encrypted.E01 -p "password" -o /cases/case001
IPED automatically detects and loads all segments when you specify the first file (.E01).

AccessData (AD1)

AccessData Forensic Toolkit image format Features:
  • Single file or segmented
  • Compressed and encrypted variants
  • Preserves metadata and hash information
Terminal
java -jar iped.jar -d /evidence/image.AD1 -o /cases/case001

Cellebrite (UFDR)

Cellebrite Universal Forensic Data Reader format Common sources:
  • Mobile device extractions
  • Cellebrite Physical Analyzer exports
  • UFED extractions
Terminal
java -jar iped.jar -d /evidence/extraction.UFDR -o /cases/case001

Advanced Forensic Format (AFF)

Open-source forensic disk image format Platforms:
  • Full support on Linux
  • Limited support on Windows
Features:
  • Compression
  • Encryption
  • Metadata storage
  • Chain of custody
Terminal Linux
java -jar iped.jar -d /evidence/disk.aff -o /cases/case001
AFF support requires proper libraries installed. On Linux, ensure libaff and afflib are available.

Raw Disk Images

DD / RAW Format

Bit-for-bit copy of storage media Variants:
  • Single file - Complete image in one file
  • Split segments - disk.001, disk.002, etc.
  • DD - Unix/Linux dd utility output
  • RAW - Generic raw format
Terminal
# Single file
java -jar iped.jar -d /evidence/disk.dd -o /cases/case001

# Split segments (specify first segment)
java -jar iped.jar -d /evidence/disk.001 -o /cases/case001

Split Segment Naming

IPED recognizes these naming patterns:
  • disk.001, disk.002, disk.003, …
  • disk.aa, disk.ab, disk.ac, …
  • disk.000, disk.001, disk.002, …
Always specify only the first segment. IPED automatically finds and loads subsequent segments.

Virtual Disk Formats

VMware (VMDK)

VMware Virtual Machine Disk Supported types:
  • Monolithic sparse
  • Monolithic flat
  • Split sparse (2GB segments)
  • Split flat
  • Differential disks (snapshots with parent chain)
Terminal
java -jar iped.jar -d /evidence/vm-disk.vmdk -o /cases/case001
IPED supports differential VMDKs and automatically resolves parent disk chains.

VirtualBox / Hyper-V (VHD/VHDX)

Microsoft Virtual Hard Disk formats VHD Features:
  • Fixed size
  • Dynamic (sparse)
  • Differencing disks
VHDX Features:
  • Larger disk support (64TB)
  • Improved performance
  • Better corruption resistance
Terminal
# VHD format
java -jar iped.jar -d /evidence/vm.vhd -o /cases/case001

# VHDX format
java -jar iped.jar -d /evidence/vm.vhdx -o /cases/case001

Optical Media

ISO / ISO9660

Optical disc image format Supported:
  • ISO9660 (CD-ROM)
  • UDF (DVD/Blu-ray)
  • Hybrid ISO9660/UDF
  • Joliet extensions
  • Rock Ridge extensions
Terminal
java -jar iped.jar -d /evidence/disc.iso -o /cases/case001
Common sources:
  • CD/DVD images
  • Software distributions
  • Backup archives
  • Bootable media

Physical Devices

Direct Device Access

Process physical drives directly Linux:
Terminal
# Requires root/sudo
sudo java -jar iped.jar -d /dev/sda -o /cases/case001

# Specific partition
sudo java -jar iped.jar -d /dev/sda1 -o /cases/case001
Windows:
Terminal
# Requires administrator privileges
java -jar iped.jar -d \\.\PhysicalDrive0 -o D:\cases\case001

# Specific partition
java -jar iped.jar -d \\.\E: -o D:\cases\case001
Processing physical drives requires:
  • Administrator/root privileges
  • Write blocker or read-only mode
  • Proper forensic procedures
Never process evidence drives without write protection!

Windows Physical Drive Notation

Windows uses special notation for physical devices:
DeviceNotation
First physical drive\\.\PhysicalDrive0
Second physical drive\\.\PhysicalDrive1
Drive letter E:\\.\E:
Volume GUID\\?\Volume{guid}
Use a write blocker when processing physical drives to maintain evidence integrity.

File Systems

Supported File Systems

IPED supports all file systems recognized by Sleuthkit:
  • NTFS - Full support with all features
  • FAT12/16/32 - Including deleted file recovery
  • exFAT - Modern large-volume FAT
Features:
  • Alternate Data Streams (ADS)
  • File system journal parsing
  • Deleted file recovery
  • Slack space analysis

Timezone Handling

FAT file systems don’t store timezone information. Specify the original timezone:
Terminal
java -jar iped.jar -d /evidence/disk.dd -tz GMT-5 -o /cases/case001
NTFS and ext file systems store UTC timestamps and don’t require timezone specification.

Local Folders

Processing Live File Systems

Process folders directly from mounted file systems
Terminal
# Process local folder
java -jar iped.jar -d /mnt/evidence -o /cases/case001

# Process network share
java -jar iped.jar -d /mnt/network/share -o /cases/case001
Use cases:
  • Corporate network shares
  • Mounted disk images
  • Cloud storage sync folders
  • Live system analysis (with caution)

Owner Information

Include file owner information (slow over network):
Terminal
java -jar iped.jar -d /network/share --addowner -o /cases/case001
Processing live systems can alter timestamps. Use read-only mounts when possible.

Embedded Disk Images

Nested Disk Images

IPED automatically detects and processes disk images found within evidence Supported scenarios:
  • E01 files inside another disk image
  • VMDK inside a file system
  • VHD in email attachments
  • ISO files on a drive
Terminal
# Automatically processes embedded disks
java -jar iped.jar -d /evidence/laptop.E01 -o /cases/case001
Configuration:
IPEDConfig.txt
processEmbeddedDisks = true
IPED can process multiple layers of nested disk images automatically.

IPED Case Files

Reprocessing Tagged Data

Process files from existing IPED cases Use case: Export tagged/bookmarked files and reprocess with different settings
Terminal
# Process files tagged in previous case
java -jar iped.jar -d /cases/case001/export.iped -o /cases/case001_reprocess
Workflow:
1

Tag items in IPED viewer

Select and bookmark relevant files
2

Export tagged items

File → Export → Create .iped file
3

Reprocess with new settings

Process the .iped file with different profile or configuration

Multiple Data Sources

Processing Multiple Sources

Combine multiple evidence sources into one case
Terminal
java -jar iped.jar \
  -d /evidence/laptop.E01 -dname "Suspect Laptop" \
  -d /evidence/phone.dd -dname "iPhone 12" \
  -d /evidence/usb_drive -dname "USB Key" \
  -d /evidence/cloud_sync -dname "Dropbox" \
  -o /cases/multi_device_case
Benefits:
  • Unified search across all devices
  • Cross-device timeline analysis
  • Combined communication graphs
  • Single case for reporting

Adding to Existing Cases

Append new evidence to processed cases:
Terminal
java -jar iped.jar --append -d /evidence/new_device.dd -o /cases/existing_case
Version compatibility: IPED versions must match when appending to existing cases.

Encrypted Evidence

Password-Protected Images

Process encrypted disk images
Terminal
# Single encrypted source
java -jar iped.jar -d /evidence/encrypted.E01 -p "SecurePassword" -o /cases/case001

# Multiple encrypted sources
java -jar iped.jar \
  -d /evidence/disk1.E01 -p "password1" \
  -d /evidence/disk2.E01 -p "password2" \
  -o /cases/case001
Supported encryption:
  • EnCase password protection
  • BitLocker encrypted volumes (with recovery key)
  • VeraCrypt containers (with password)

Sector Size Configuration

4K Sector Drives

Modern drives with 4096-byte sectors
Terminal
java -jar iped.jar -d /evidence/4k_drive.dd -b 4096 -o /cases/case001
When to use:
  • Modern large-capacity drives (4TB+)
  • Advanced Format drives
  • Some SSDs
Most drives still use 512-byte sectors. Only specify -b 4096 if you’re certain the drive uses 4K sectors.

Portable Cases

Relative Path References

Create portable cases that can move between systems
Terminal
java -jar iped.jar -d ./evidence/disk.E01 --portable -o ./cases/portable_case
Requirements:
  • Evidence and case must be on same volume
  • Use relative paths when specifying evidence
  • Move evidence and case together
Use cases:
  • Cases on external drives
  • Sharing cases between investigators
  • Court presentation systems

Data Source Examples

Complete Forensic Workstation

Terminal
java -jar iped.jar \
  -d /evidence/laptop/disk.E01 -dname "Primary Laptop" \
  -d /evidence/laptop/bitlocker.E01 -p "recovery-key" -dname "Encrypted Volume" \
  -d /evidence/phone/android.dd -dname "Samsung Galaxy" \
  -d /evidence/phone/iphone.ufdr -dname "iPhone Extraction" \
  -d /evidence/cloud/gdrive -dname "Google Drive" \
  -d /evidence/usb/flash.dd -dname "USB Flash Drive" \
  -o /cases/comprehensive_case \
  -profile forensic \
  --portable

Virtual Machine Investigation

Terminal
java -jar iped.jar \
  -d /evidence/vm/suspect.vmdk -dname "VM Disk" \
  -d /evidence/vm/snapshot-001.vmdk -dname "Snapshot 1" \
  -d /evidence/vm/memory.vmsn -dname "Memory Dump" \
  -o /cases/vm_investigation

Corporate Network Share

Terminal
java -jar iped.jar \
  -d /mnt/fileserver/users/suspect \
  --addowner \
  -o /cases/corporate_investigation \
  -l /config/corporate_keywords.txt \
  -profile triage

Troubleshooting Data Sources

Symptoms: “File not found” or “Cannot read image”Solutions:
  • Verify file exists and path is correct
  • Check file permissions (read access required)
  • For split segments, ensure all parts are present
  • For physical drives, ensure administrator/root privileges
Symptoms: “Password incorrect” or “Cannot decrypt”Solutions:
  • Verify password is correct (case-sensitive)
  • Ensure quotes around password if it contains spaces
  • Check encryption method is supported
  • For BitLocker, use recovery key not password
Symptoms: “No file system found” or “Unknown file system”Solutions:
  • Verify image isn’t corrupted
  • Check if file system is supported by Sleuthkit
  • Try specifying sector size with -b option
  • For damaged file systems, use specialized recovery tools first
Symptoms: Very slow processing speedSolutions:
  • Copy evidence to local storage first
  • Use gigabit or faster network
  • Disable --addowner option for network shares
  • Consider using VPN or direct connection
Symptoms: “Cannot find segment X”Solutions:
  • Ensure all segments are in same directory
  • Verify segment numbering is sequential
  • Check for naming inconsistencies
  • Ensure no segments are missing

Best Practices

1

Verify evidence integrity

Always verify hash values before and after processing:
Terminal
md5sum /evidence/disk.E01
# Process evidence
md5sum /evidence/disk.E01  # Should match
2

Use write blockers

When processing physical devices, always use hardware or software write blockers.
3

Document data sources

Record all evidence sources, formats, and passwords in case documentation.
4

Process locally when possible

Copy evidence to local fast storage (SSD) for optimal processing speed.
5

Test with small samples

Test processing with sample data before processing large evidence sets.

Performance by Data Source

FormatRelative SpeedNotes
DD/RAWFast (baseline)Best performance
E01MediumDecompression overhead
Ex01MediumSimilar to E01
VMDKFastDirect access
VHD/VHDXFastEfficient format
Physical DeviceFastDirect I/O
Network ShareSlowNetwork latency
ISOFastSimple format
AD1MediumDepends on compression
UFDRMediumMobile extraction format
For fastest processing, convert compressed formats to DD or process from local SSD storage.

Next Steps

Command-Line Options

Learn parameters for processing different data sources

Processing Profiles

Choose optimal profiles for different evidence types

Configuration

Configure file system and parsing options

Troubleshooting

Solve data source processing issues

Build docs developers (and LLMs) love

Get started for freeTalk to us