IPED provides five specialized processing profiles that optimize the tool for different investigation scenarios. Each profile enables or disables specific features to balance processing speed, resource usage, and analysis depth.

Overview

Processing profiles are pre-configured sets of options that adjust IPED’s behavior for specific use cases:

  • Forensic - Full forensic analysis: complete processing with all standard forensic features enabled
  • Pedo (CSAM) - Child exploitation investigations: specialized detection and analysis for CSAM cases
  • Triage - Fast on-scene analysis: quick processing with basic indexing for immediate results
  • Fastmode - Rapid preview: minimal processing for fastest possible case preview
  • Blind - Automated extraction: headless processing for automatic data extraction

Using Profiles

Specify a profile using the -profile parameter:
Terminal
java -jar iped.jar -d /evidence/disk.E01 -o /cases/case001 -profile forensic
If no profile is specified, IPED uses the default configuration (similar to forensic mode).

Profile Details

Forensic Profile

Best for: Complete forensic investigations
The forensic profile enables comprehensive analysis suitable for most digital forensic investigations. It provides a balanced approach with all standard features.

Enabled Features

  • Hash computation - MD5, SHA-1, SHA-256, SHA-512, edonkey
  • Hash database lookups - NIST NSRL, NIST CAID, Project VIC
  • QR code detection - Scan and decode QR codes
  • Data carving - Recover deleted files from unallocated space
  • Image similarity - Find similar and duplicate images
  • Signature analysis - Verify file types by magic bytes
  • Container expansion - Extract embedded archives and containers
  • Full text indexing - Index file contents for searching
  • Regex searches - Find credit cards, emails, URLs, etc.
  • File parsing - Extract metadata from common file types

Configuration

IPEDConfig.txt
enableHashDBLookup = true
enableQRCode = true
enableCarving = true
enableImageSimilarity = true

Use Cases

  • Criminal investigations requiring comprehensive evidence analysis
  • Corporate fraud and intellectual property theft cases
  • General-purpose digital forensics examinations
  • Cases requiring detailed reporting and documentation

Processing Time

Expect 400GB/hour on modern hardware (16+ cores, 32GB+ RAM, SSD storage).

Pedo Profile (CSAM)

Best for: Child exploitation investigations
This profile is specifically designed for law enforcement investigating child sexual abuse material (CSAM). It includes specialized detection capabilities.
The pedo profile maximizes detection capabilities for CSAM investigations with advanced image analysis and classification.

Enabled Features

All forensic profile features plus:
  • PhotoDNA hashing - Microsoft PhotoDNA for known CSAM detection (law enforcement only)
  • PhotoDNA lookups - Check against PhotoDNA databases
  • LED carving - Enhanced carving for known exploitative content
  • Known metadata carving - Recover files matching known CSAM metadata
  • Face recognition - Detect and match faces across evidence
  • Age estimation - Estimate ages of individuals in images
  • Remote image classifier - Cloud-based image content classification
  • Enhanced video processing - More comprehensive video analysis

Configuration

IPEDConfig.txt
enablePhotoDNA = true
enableHashDBLookup = true
enablePhotoDNALookup = true
enableLedDie = true
enableQRCode = true
enableCarving = true
enableLedCarving = true
enableKnownMetCarving = true
enableImageSimilarity = true
enableFaceRecognition = true
enableAgeEstimation = true
enableRemoteImageClassifier = true

Use Cases

  • Law enforcement CSAM investigations
  • Cases requiring PhotoDNA database matching
  • Investigations needing face recognition and age analysis
  • Enhanced image and video content detection

Requirements

PhotoDNA is available only for law enforcement. Contact [email protected] for access.

Processing Time

Expect 150-250GB/hour due to intensive image analysis (requires significant CPU and RAM).

Triage Profile

Best for: On-scene rapid assessment
The triage profile provides fast processing with basic search capabilities for immediate results at the scene or during initial case assessment.

Enabled Features

  • Basic file enumeration - List all files with metadata
  • File signature detection - Limited signature verification
  • Text indexing - Basic content indexing for searches
  • File parsing - Essential metadata extraction
  • Regex searches - Search for patterns (emails, phones, etc.)
  • Container expansion - Extract archives (disabled by default)
  • Cryptocurrency wallet detection - Find hardware wallet files

Disabled Features

  • Hash computation
  • PhotoDNA
  • Hash database lookups
  • Carving
  • Image/video thumbnails
  • Image similarity
  • Face recognition
  • Language detection
  • Named entity recognition
  • Graph generation
  • Audio transcription
  • HTML report generation

Configuration

IPEDConfig.txt
enableHash = false
enableHashDBLookup = false
enableCarving = false
enableImageThumbs = false
enableImageSimilarity = false
enableFaceRecognition = false
indexFileContents = true
enableRegexSearch = true
enableSearchHardwareWallets = true

Use Cases

  • On-scene processing for immediate keyword searches
  • Quick assessment before full forensic analysis
  • Time-sensitive investigations requiring fast results
  • Preview processing to determine investigation direction

Processing Time

Expect 800-1200GB/hour - approximately 2-3x faster than forensic profile.
Use the triage profile at the scene, then reprocess with the forensic profile in the lab for complete analysis.

Fastmode Profile

Best for: Ultra-fast case preview
The fastmode profile provides the absolute fastest processing with minimal analysis. Use this when you need to open and browse evidence as quickly as possible.

Enabled Features

  • Basic file enumeration - List files with basic metadata
  • Minimal indexing - No content indexing for maximum speed

Disabled Features

Almost all processing features are disabled:
  • Hash computation
  • File signature verification
  • File parsing
  • Container expansion
  • Text indexing
  • Regex searches
  • Carving
  • Thumbnails
  • All image/video analysis
  • Report generation

Configuration

IPEDConfig.txt
enableHash = false
enableFileParsing = false
expandContainers = false
indexFileContents = false
enableRegexSearch = false
enableCarving = false
enableImageThumbs = false
enableVideoThumbs = false
enableHTMLReport = false

Use Cases

  • Emergency situations requiring immediate evidence access
  • Preview before deciding on full processing
  • Checking evidence integrity and contents
  • Quick file listing and basic browsing

Processing Time

Expect 2000-3000GB/hour - the fastest possible processing mode.
Fastmode does NOT index file contents. You can browse files but cannot perform text searches.

Blind Profile

Best for: Automated data extraction
The blind profile is designed for automated, headless processing that extracts and exports specific data without requiring user interaction or GUI.

Enabled Features

  • Hash database lookups - Identify known files
  • Automatic export - Export files matching configured criteria
  • Data carving - Recover deleted files
  • Selective processing - Process only specified file types

Typical Configuration

  • No GUI required
  • Automatic export of categorized files
  • Minimal user interaction
  • Optimized for scripting and automation

Configuration

IPEDConfig.txt
enableHashDBLookup = true
enableAutomaticExportFiles = true
enableCarving = true

Use Cases

  • Automated batch processing of multiple cases
  • Extraction of specific file types (e.g., all documents)
  • Integration with other tools via scripting
  • Headless server-based processing
  • Continuous integration/automated workflows

Example Script

automation.sh
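#!/bin/bash
set -euo pipefail
shopt -s nullglob   # skip the loop entirely if no .E01 images are present

# Automated processing with blind profile
for case in /evidence/*.E01; do
  name="$(basename "$case" .E01)"
  output="/cases/$name"

  # Process one image headlessly; on failure, skip the export for this case
  if ! java -jar iped.jar \
    --nogui \
    -profile blind \
    -d "$case" \
    -o "$output" \
    --nologfile; then
    echo "IPED failed for $case, skipping export" >&2
    continue
  fi

  # Export results to central repository
  rsync -av "$output/data/" "/repository/$name/"
done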

Processing Time

Variable depending on enabled features, typically 300-500GB/hour.

Profile Comparison

Feature | Forensic | Pedo | Triage | Fastmode | Blind
Hash computation
Hash lookups
PhotoDNA
Data carving
Text indexing
Image similarity
Face recognition
Regex searches
File parsing
Container expansion
HTML reports
Auto export

Customizing Profiles

Profiles are stored in iped-app/resources/config/profiles/<profile_name>/ and can be customized.

Profile Structure

profiles/
├── forensic/
│   ├── IPEDConfig.txt          # Main profile configuration
│   └── conf/
│       ├── IndexTaskConfig.txt  # Index settings
│       ├── HashTaskConfig.txt   # Hash settings
│       └── ...                  # Other module configs
├── pedo/
│   ├── IPEDConfig.txt
│   └── conf/
├── triage/
│   ├── IPEDConfig.txt
│   └── conf/
└── ...

Creating Custom Profiles

1. Copy existing profile

Terminal
cd iped-app/resources/config/profiles
cp -r forensic custom_profile

2. Edit IPEDConfig.txt

Modify the configuration to enable/disable features:
IPEDConfig.txt
enableHash = true
enableCarving = false
enableImageSimilarity = true
# Add more settings...

3. Customize module configs

Edit files in the conf/ subdirectory for fine-tuned control.

4. Use your profile

Terminal
java -jar iped.jar -d /evidence/disk.E01 -profile custom_profile -o /cases/case001
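
Before running a customized profile on evidence, it helps to see exactly which settings it changes relative to the profile it was copied from. The following is an added example, not part of IPED or of the original page; the function names are hypothetical and it assumes the "key = value" layout with "#" comments shown in the IPEDConfig.txt excerpts above.

```bash
#!/usr/bin/env bash
# Added example (not IPED code): list the settings that differ between two
# profile files. Assumes the "key = value" and "#" comment layout shown above.

# Emit "<tag><TAB><key><TAB><value>" for every setting in one file.
iped_settings() {  # usage: iped_settings <tag> <IPEDConfig.txt>
  awk -v tag="$1" '
    function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
    /^[ \t\r]*#/ || /^[ \t\r]*$/ { next }          # comments and blank lines
    (eq = index($0, "=")) > 0 {
      printf "%s\t%s\t%s\n", tag, trim(substr($0, 1, eq - 1)), trim(substr($0, eq + 1))
    }' "$2"
}

# Print "key: base -> custom" for each setting whose value differs.
# "(unset)" means the key does not appear in that file.
iped_profile_diff() {  # usage: iped_profile_diff <base file> <custom file>
  { iped_settings B "$1"; iped_settings C "$2"; } |
    awk -F'\t' '
      $1 == "B" { base[$2] = $3 }
      $1 == "C" { custom[$2] = $3 }
      { seen[$2] = 1 }
      END {
        for (k in seen) {
          b = (k in base) ? base[k] : "(unset)"
          c = (k in custom) ? custom[k] : "(unset)"
          if ((b "") != (c "")) print k ": " b " -> " c   # force string compare
        }
      }' | LC_ALL=C sort
}

# Constructed sample: the forensic and custom_profile settings listed on this page.
demo_profile_diff() {
  tmp=$(mktemp -d)
  printf '%s\n' 'enableHashDBLookup = true' 'enableQRCode = true' \
    'enableCarving = true' 'enableImageSimilarity = true' > "$tmp/forensic.txt"
  printf '%s\n' 'enableHash = true' 'enableCarving = false' \
    'enableImageSimilarity = true' '# Add more settings...' > "$tmp/custom.txt"
  iped_profile_diff "$tmp/forensic.txt" "$tmp/custom.txt"
  rm -rf "$tmp"
}

demo_profile_diff
```

Against a real installation, pass the two profiles' IPEDConfig.txt paths to iped_profile_diff and keep the output with the case file.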

Profile Selection Workflow

Best Practices

Process large cases with the triage profile first to get initial results, then determine whether full forensic processing is needed:
Terminal
# Step 1: Triage
java -jar iped.jar -d /evidence/large.E01 -profile triage -o /cases/triage_001

# Review results, then...

# Step 2: Full processing
java -jar iped.jar -d /evidence/large.E01 -profile forensic -o /cases/full_001

Don’t use the pedo profile for general cases - the extra processing takes significant time. Match the profile to your investigation needs.

Record which profile was used in your case notes for reproducibility and to explain processing decisions in court.

Before processing critical evidence, test different profiles on sample data to understand processing times and results.

  • Fastmode/Triage: Can run on laptops at the scene
  • Forensic: Requires workstation with 16GB+ RAM
  • Pedo: Requires powerful workstation with 32GB+ RAM
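
One way to act on the advice to record which profile was used: since profiles can be customized, a name alone does not pin down the configuration, so the note below also hashes every file in the profile directory. This is an added example, not part of IPED or of the original page; the function names and the note format are hypothetical, and it assumes GNU coreutils (sha256sum) and the profiles/<profile_name>/ layout described above.

```bash
#!/usr/bin/env bash
# Added example (not IPED code): fingerprint a profile directory for case notes.
# Assumes GNU coreutils (sha256sum) and the profiles/<name>/ layout shown above.

# Print "<sha256>  ./relative/path" for every file in the profile, in stable order.
iped_profile_manifest() {  # usage: iped_profile_manifest <profile dir>
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      sha256sum "$f"
    done )
}

# One digest for the whole profile: changes if any file's content or path changes.
iped_profile_fingerprint() {  # usage: iped_profile_fingerprint <profile dir>
  iped_profile_manifest "$1" | sha256sum | cut -d' ' -f1
}

# Case-notes entry tying an output folder to the exact configuration used.
iped_case_note() {  # usage: iped_case_note <profile dir> <evidence> <output dir>
  printf 'date_utc: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  printf 'profile: %s\n' "$(basename "$1")"
  printf 'profile_sha256: %s\n' "$(iped_profile_fingerprint "$1")"
  printf 'evidence: %s\n' "$2"
  printf 'output: %s\n' "$3"
  printf 'profile_files:\n'
  iped_profile_manifest "$1" | sed 's/^/  /'
}

# Constructed sample profile so the example runs without an IPED install.
demo_case_note() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/custom_profile/conf"
  printf '%s\n' 'enableHash = true' 'enableCarving = false' \
    > "$tmp/custom_profile/IPEDConfig.txt"
  printf '%s\n' '# constructed placeholder' \
    > "$tmp/custom_profile/conf/HashTaskConfig.txt"
  iped_case_note "$tmp/custom_profile" /evidence/large.E01 /cases/full_001
  rm -rf "$tmp"
}

demo_case_note
```

Generating the note before each run and storing it beside the output folder lets a later reviewer confirm that a triage pass and a full reprocessing pass used the configurations the notes claim.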
