
Overview

This guide walks you through processing a digital evidence case and analyzing the results with IPED’s GUI interface.
Before proceeding, ensure IPED is installed and you have evidence to process (disk image, folder, or supported forensic format).

Basic Workflow

  1. Process Evidence: Run command-line processing to index and analyze the evidence
  2. Analyze Results: Open the generated case in IPED’s analysis GUI
  3. Search and Filter: Use search, filters, and visualization tools to investigate
  4. Tag and Export: Create bookmarks and generate reports

Processing Your First Case

Command Syntax

The basic command structure for processing evidence:
iped -d <input> -o <output> [options]
Parameters:
  • -d, -data: Input data source (required, can be used multiple times)
  • -o, -output: Output case folder (required)
  • -profile: Processing profile (optional)

Example 1: Process a Folder

./iped.sh -d /evidence/suspect_laptop -o /cases/case001
This command:
  1. Processes all files in /evidence/suspect_laptop
  2. Creates indexed case in /cases/case001
  3. Uses default forensic profile
  4. Opens processing GUI showing progress

Example 2: Process a Disk Image

# Process E01 forensic image
./iped.sh -d /evidence/disk.E01 -o /cases/case002

# Process raw DD image
./iped.sh -d /evidence/disk.dd -o /cases/case003

# Process multiple segments (automatically detected)
./iped.sh -d /evidence/disk.001 -o /cases/case004

Example 3: Use Processing Profile

# Fast triage profile (quick analysis)
./iped.sh -d /evidence/usb_drive -o /cases/triage001 -profile triage

# Complete forensic profile (default, most comprehensive)
./iped.sh -d /evidence/disk.E01 -o /cases/forensic001 -profile forensic

# Fast mode (preview only)
./iped.sh -d /evidence/folder -o /cases/preview001 -profile fastmode
Processing Profiles:
  • forensic: Complete analysis (default) - enables all features
  • triage: Quick analysis - faster, essential features only
  • fastmode: Preview mode - minimal processing for quick review
  • pedo: CSAM-focused - optimized for child exploitation investigations
  • blind: Automatic extraction - for scripted/batch processing

Example 4: Multiple Evidence Sources

# Process multiple sources into one case
./iped.sh \
  -d /evidence/disk1.E01 \
  -d /evidence/usb_drive \
  -d /evidence/cloud_download \
  -o /cases/multicase001

Example 5: Command-Line Only (No GUI)

# Process without GUI (useful for servers/scripts)
./iped.sh -d /evidence/data -o /cases/case005 --nogui

Understanding Processing Output

During processing, you’ll see a GUI window (unless --nogui is used) displaying:
IPED Processing Window
Key Metrics:
  • Items Discovered: Total files and artifacts found
  • Items Processed: Number of items analyzed
  • Processing Speed: MB/s throughput
  • Time Remaining: Estimated completion time
  • Current Task: Active processing module

Processing Tasks

IPED executes multiple analysis tasks in sequence:
// Processing pipeline (from Main.java)
manager = new Manager(dataSource, output, keywords);
manager.process();

// Tasks include:
// - File signature analysis
// - Hash computation (MD5, SHA-1, SHA-256)
// - Container expansion (ZIP, RAR, PST, etc.)
// - Text extraction and indexing
// - Thumbnail generation
// - Carving for deleted files
// - Parser execution (emails, chats, browsers)
// - Regex searches (emails, URLs, credit cards)
// - And many more...
Typical processing tasks:
  1. Signature Analysis: Identify file types
  2. Hash Calculation: Compute file hashes
  3. Expansion: Extract archives and containers
  4. Parsing: Extract metadata and text
  5. Indexing: Build searchable index
  6. Carving: Recover deleted files
  7. Analysis: Run specialized detectors

Case Output Structure

After processing, the output folder contains:
case001/
├── index/                 # Lucene search index
├── data/                  # Extracted files (if applicable)
├── view/                  # Chat HTML views
├── thumbs/                # Image thumbnails
├── tools/                 # Case-specific tools
├── indexador/             # Processing metadata
├── palavras-chave.txt     # Extracted keywords
├── Lista de Arquivos.csv  # File listing
└── iped-process.log       # Processing log

Opening the Analysis GUI

After processing completes, open the case for analysis:
./iped-search-app.sh /cases/case001
Alternatively, if the processing GUI is still open, click the “Analyze Case” button.

Analysis Interface Overview

IPED Analysis Interface
The interface consists of several panels:
  1. Search Bar (Top): Full-text and advanced search
  2. Filter Tree (Left): Category and metadata filters
  3. Results Table (Center): File listing with metadata
  4. Preview Pane (Right): File content viewer
  5. Gallery (Bottom): Image/video thumbnail gallery
  6. Tabs: Evidence, Bookmarks, Duplicates, Timeline, Map, Graph

Basic Search and Analysis

Search for text content across all indexed files:
# Simple search
password

# Phrase search
"confidential document"

# Boolean operators
password AND (admin OR root)

# Wildcard search
pass*

# Field-specific search
name:report*.pdf
email:[email protected]
hash:5d41402abc4b2a76b9719d911017c592
Press TAB in the search box for property autocomplete.

Filter by Category

Click categories in the left filter tree:
  • Documents: Office files, PDFs, text files
  • Images: Photos, graphics, screenshots
  • Videos: Video files and frames
  • Audio: Music, recordings, voice notes
  • Email: Email messages and attachments
  • Chats: WhatsApp, Telegram, other messaging apps
  • Databases: SQLite, MySQL dumps, etc.
  • Compressed: Archives (ZIP, RAR, 7Z)
  • Executables: Programs and scripts

Property Filters

Filter by metadata properties:
# Files larger than 10MB
size > 10485760

# Created in 2024
created:[2024-01-01 TO 2024-12-31]

# Images with high resolution
image:width > 3000 AND image:height > 2000

# Files by extension
ext:docx OR ext:xlsx

# Files with specific hash
hash:*abc123*

Advanced Features

View files and events on a timeline:
  1. Click Timeline tab
  2. Select event types (Created, Modified, Accessed)
  3. Use chart to filter by date range
  4. Analyze temporal patterns
Timeline View
Visualize GPS coordinates on a map:
  1. Click Map tab
  2. Items with GPS data appear as markers
  3. Click markers to view associated files
  4. Useful for photos, mobile data, navigation history
Map View
Analyze relationships in communications:
  1. Click Graph tab
  2. View connections between contacts
  3. Filter by communication type (calls, SMS, email)
  4. Identify key participants
Graph View
Find visually similar images:
  1. Right-click an image
  2. Select “Similar Images”
  3. Adjust similarity threshold
  4. Review matches
Find duplicate files by hash:
  1. Click Duplicates tab
  2. View files grouped by hash
  3. Identify redundant data
  4. Useful for deduplication

Creating Bookmarks

Tag items of interest for reporting:
  1. Select Items: Check the boxes next to relevant files in the results table
  2. Create Bookmark: Right-click → “Add to Bookmark” → Enter bookmark name
  3. View Bookmarks: Click the Bookmarks tab to see all tagged items organized by bookmark
Keyboard Shortcuts:
  • CTRL + Click: Multi-select items
  • SHIFT + Click: Select range
  • CTRL + A: Select all visible items
  • Space: Toggle selection

Generating Reports

Export findings to HTML report:
  1. Tag Items for Export: Create bookmarks with the items to include in the report
  2. Generate Report: File → Generate Report → Select bookmark(s) → Choose output folder
  3. Report Contents: The report includes:
     • HTML pages with file listings
     • Thumbnails and previews
     • Extracted file copies (optional)
     • Metadata CSV files
     • Portable viewer (optional)
# Generate report from command line
./iped.sh -d /cases/case001.iped -o /reports/report001

# The .iped file contains bookmarks to export

Advanced Processing Options

Encryption and Passwords

# Provide password for encrypted images/volumes
./iped.sh -d /evidence/encrypted.E01 -o /cases/case006 -p "MyPassword123"

# Multiple passwords
./iped.sh -d /evidence/disk.E01 -o /cases/case007 \
  -p "password1" -p "password2" -p "password3"

Timezone Configuration

# Specify timezone for FAT filesystems
./iped.sh -d /evidence/usb.dd -o /cases/case008 -tz GMT-3

Continue/Restart Processing

# Continue interrupted processing
./iped.sh -d /evidence/data -o /cases/case009 --continue

# Restart from beginning (discard previous)
./iped.sh -d /evidence/data -o /cases/case009 --restart
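Putting Example 5 (--nogui) and the --continue option together, here is an added batch-processing wrapper; it is not part of IPED. It assumes iped.sh is on PATH (or IPED_BIN points to it), one case folder per source, and source paths without whitespace; the .batch-done marker is the wrapper's own bookkeeping, not an IPED file.

```shell
# Added example, not part of IPED: unattended batch processing of several
# evidence sources with "iped.sh --nogui", resuming runs that were interrupted.
# Assumptions: iped.sh is on PATH (override with IPED_BIN), one case folder per
# source, and source paths contain no whitespace.
set -u
IPED_BIN="${IPED_BIN:-iped.sh}"
PROFILE="${PROFILE:-forensic}"
DONE_MARKER=".batch-done"   # written by this wrapper after a clean exit, not by IPED

# Classify an output folder: "new" (absent), "continue" (exists but this wrapper
# never recorded a clean finish) or "done" (already completed, skip it).
iped_mode() {
  out="$1"
  if [ -f "$out/$DONE_MARKER" ]; then echo done
  elif [ -d "$out" ]; then echo continue
  else echo new; fi
}

# Print the iped.sh command line for one source; --continue only when resuming.
build_cmd() {
  src="$1"; out="$2"
  cmd="$IPED_BIN -d $src -o $out -profile $PROFILE --nogui"
  [ "$(iped_mode "$out")" = continue ] && cmd="$cmd --continue"
  echo "$cmd"
}

# Process every source listed in a file (one path per line) into $casedir.
# A failed run leaves no marker, so the next invocation resumes it.
process_all() {
  list="$1"; casedir="$2"
  mkdir -p "$casedir"
  while IFS= read -r src || [ -n "$src" ]; do
    [ -z "$src" ] && continue
    # case folder named after the source, restricted to safe characters
    out="$casedir/$(printf '%s' "$(basename "$src")" | tr -c 'A-Za-z0-9._-' '_')"
    if [ "$(iped_mode "$out")" = done ]; then
      echo "skip: $src already processed"; continue
    fi
    cmd="$(build_cmd "$src" "$out")"
    echo "run: $cmd"
    if $cmd; then
      date -u +%Y-%m-%dT%H:%M:%SZ > "$out/$DONE_MARKER"
    else
      echo "FAILED: $src (rerun this script to resume with --continue)" >&2
    fi
  done < "$list"
}
```

Run it as `process_all sources.txt /cases`; a source that crashed or was interrupted is picked up with --continue on the next run, while finished cases are skipped.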

Append to Existing Case

# Add more evidence to existing case
./iped.sh -d /evidence/new_data -o /cases/case001 --append

Portable Cases

# Create portable case (relative paths, works on removable drives)
./iped.sh -d /evidence/data -o /portable_cases/case010 --portable

Configuration Files

Customize processing behavior by editing files in conf/ folder:

IPEDConfig.txt

Main configuration file:
# Enable/disable features
enableHash = true
enableOCR = false
enableCarving = false
enableImageThumbs = true
enableVideoThumbs = true
enableRegexSearch = true
enableGraphGeneration = true

# Processing options
processFileSignatures = true
expandContainers = true
processEmbeddedDisks = true
indexFileContents = true

# Performance
entriesTest = true
exportFileProps = true

Processing Profiles

Profiles are located in conf/profiles/:
conf/
└── profiles/
    ├── forensic/      # Complete analysis
    ├── triage/        # Quick triage
    ├── fastmode/      # Fast preview
    ├── pedo/          # CSAM investigation
    └── blind/         # Automated extraction
Each profile contains customized configuration files.

Performance Tips

  • Use SSD Storage: Process cases on SSD drives for a 3-5x speed improvement
  • Adjust Thread Count: Set numThreads in LocalConfig.txt to match CPU cores
  • Increase Memory: Set maxJavaMemory for large cases (16GB+ for 1TB+ evidence)
  • Disable Unused Features: Turn off OCR, carving, or transcription if not needed

Memory Configuration

Edit conf/LocalConfig.txt:
# Maximum heap memory in MB (default: auto-detect)
maxJavaMemory = 16384

# Processing threads (default: CPU cores)
numThreads = 8

# Image thumbnail readers (default: 1)
numImageReaders = 2

Common Use Cases

# Process Android backup
./iped.sh -d /evidence/android_backup -o /cases/mobile001 -profile forensic

# Process iOS backup
./iped.sh -d /evidence/ios_backup -o /cases/mobile002 -profile forensic

# Process Cellebrite UFDR
./iped.sh -d /evidence/extract.ufdr -o /cases/mobile003
Key features:
  • WhatsApp chat parsing
  • Telegram message extraction
  • Browser history
  • GPS location mapping
  • Contact and call log analysis

Getting Help

Command-Line Help

./iped.sh --help
Shows all available command-line options:
  • -d, -data: Input data source
  • -o, -output: Output folder
  • -profile: Processing profile
  • -p, -password: Passwords for encrypted sources
  • -tz, -timezone: Timezone for FAT devices
  • --append: Add to existing case
  • --continue: Resume processing
  • --restart: Restart from beginning
  • --nogui: No GUI mode
  • --portable: Portable case
  • And more…

Documentation and Resources

  • User Manual: Comprehensive user guide on the GitHub Wiki
  • Beginner's Guide: Step-by-step introduction for new users
  • Troubleshooting: Common issues and solutions
  • GitHub Issues: Report bugs and request features

Next Steps

Now that you’ve processed your first case, explore advanced features:
  • OCR: Enable optical character recognition for scanned documents
  • Audio Transcription: Automatically transcribe audio files
  • Face Recognition: Detect and search for faces in images
  • Custom Parsers: Add support for new file formats
  • Python Scripting: Extend IPED with custom analysis scripts
  • Distributed Processing: Use ElasticSearch and MinIO for large-scale cases
Check the Configuration Guide and Advanced Usage documentation for more details.
