Install Docker version 19.03.5 and above if you want to use GPU's.
FAST TIP Num.1: If you just want to use the latest docker (without building or customizing it), go directly to "Adjusting the environment for execution" section and follow the instructions until the end of the page.
FAST TIP Num.2: If you just want to process the evidences with latest docker (again, without building or customizing it), in text mode and without analysis interface on linux (graphical analysis of the resulting case can be made afterwards in another computer for example, running Windows or Linux), use the following command:
sudo docker run --rm -it -v /mnt/evidences:/evidences \
-v /mnt/ipedtmp:/mnt/ipedtmp \
-v /mnt/plugins:/mnt/plugins \
-v /mnt/hashesdb:/mnt/hashesdb \
ipeddocker/iped:processor java -jar iped.jar --nogui \
-d /evidences/test/test.dd \
-o /evidences/test/iped-output
It can be used without the optional features also. We recommend that at least the evidences and temporary folder be used as volumes:
sudo docker run --rm -it -v /mnt/evidences:/evidences \
-v /mnt/ipedtmp:/mnt/ipedtmp \
ipeddocker/iped:processor java -jar iped.jar --nogui \
-d /evidences/test/test.dd \
-o /evidences/test/iped-output
Of course, in both cases you'll have to change the volumes to reflect your environment.
It's possible to change IPED settings using environment variables with the iped_ prefix (a list of suported variables is at the end of this page). Here we can see an example of changing the IPED locale for German, as enabling NER, Audio Transcription and OCR for the locations.
docker run --rm -it -e TZ="Europe/Berlin" -e iped_locale="de-DE" \
-e iped_enableOCR="true" -e iped_OCRLanguage="deu+frk" -e iped_phone_region="DE" \
-e iped_enableNamedEntityRecogniton="true" \
-e iped_enableAudioTranscription="true" \
-v /mnt/evidences:/evidences \
-v /mnt/ipedtmp:/mnt/ipedtmp \
-v /mnt/plugins:/mnt/plugins \
-v /mnt/Downloaded_Hashesdb:/mnt/hashesdb \
-v /mnt/Downloaded_Vosk_Model:/root/IPED/iped/models/vosk/de-DE
-v /conf/YourNERConfig.txt:/root/IPED/iped/conf/NamedEntityRecognitionConfig.txt
ipeddocker/iped:processor java -jar iped.jar --nogui \
-d /evidences/test/test.dd \
-o /evidences/test/iped-output
Extra plugins (other than the default IPED plugins) must be inserted as a volume on /mnt/plugins, so that entrypoint.sh will add them to the correct folder during the container run.
Models and hash bases are NOT inserted on the docker (that only carry applications for the container size sake), and they must be inserted via volumes. So you have to download your desired model and insert it as volume.
It's suggested to insert NER config through volume also.
sudo docker run --rm -it ipeddocker/iped:processor java -jar iped.jar --help
- ipeddocker/iped - Full processing and analysis capable environment (larger container)
- ipeddocker/iped:processor - Environment optimized for evidence processing (smaller container)
-
Clone the repository
git clone https://github.com/iped-docker/iped cd iped
-
(Optional) Download optional IPED dependencies: The default config files are configured to use these directories inside the docker:
- Plugins: /mnt/plugins
- HASHDB: /mnt/hashdb
If these directories are empty, the entrypoint.sh will disable these features.
Note: You don't need to change it, it is completely optional, but if you want to change default values for the internal container directories, you can adjust LocalConfig.txt and IPEDConfig.txt to your environment before building it. You just have to take care when configuring the docker volumes.
-
Build the IPED docker images:
docker build . -f Dockerfile.processor -t ipeddocker/iped:processor docker build . -t ipeddocker/iped
To use the IPED java program on a graphical interface, it's imperative to configure the docker environment to use a X server. We created a script (the script dkr.source) to easily deploy/execute IPED on X graphical local enviroments.
The script in dkr.source creates a bash function "dkr" that extends the docker command, setting some usefull docker options.
What is inside dkr.source:
```
#!/bin/bash
dkr ()
{
xhost +
docker run --rm -it -v "`pwd`":"`pwd`":Z \
-e DISPLAY -e GDK_BACKEND \
-e GDK_SCALE \
-e SAL_USE_VCLPLUGIN=gen \
-e GDK_DPI_SCALE \
-e QT_DEVICE_PIXEL_RATIO \
-e LANG=C.UTF-8 \
-e LC_ALL=C.UTF-8 \
-e NO_AT_BRIDGE=1 \
--device /dev/dri \
--device /dev/snd \
-v /etc/localtime:/etc/localtime:ro \
-v /tmp/.X11-unix/:/tmp/.X11-unix/ "$@"
}
export -f dkr
```
To use it:
source dkr.source
dkr ipeddocker/iped
It's strongly recommended to use the source directories of /mnt/ipedtmp and /mnt/hashesdb volumes on SSD disks!!!
sudo dkr -v /mnt/evidences:/evidences \
-v /mnt/ipedtmp:/mnt/ipedtmp \
-v /mnt/plugins:/mnt/plugins \
-v /mnt/hashesdb:/mnt/hashesdb \
ipeddocker/iped java -jar iped.jar \
-d /evidences/test/test.dd \
-o /evidences/test/iped-output
sudo dkr -v /mnt/evidences:/evidences \
-v /mnt/ipedtmp:/mnt/ipedtmp \
ipeddocker/iped java -jar \
/evidences/test/iped-output/iped/lib/iped-search-app.jar
Runtime configuration adjustment can be done setting an environment variable with iped_ prefix following the variable name. The variables bellow are currently supported.
iped_locale=
iped_indexTemp=
iped_indexTempOnSSD=
iped_outputOnSSD=
iped_numThreads=
iped_hashesDB=
iped_tskJarPath=
iped_mplayerPath=
iped_pluginFolder=
iped_regripperFolder=
iped_enableHash=
iped_enablePhotoDNA=
iped_enableHashDBLookup=
iped_enablePhotoDNALookup=
iped_enableLedDie=
iped_enableYahooNSFWDetection=
iped_enableQRCode=
iped_ignoreDuplicates=
iped_exportFileProps=
iped_processFileSignatures=
iped_enableFileParsing=
iped_expandContainers=
iped_processEmbeddedDisks=
iped_enableRegexSearch=
iped_enableAutomaticExportFiles=
iped_enableLanguageDetect=
iped_enableNamedEntityRecogniton=
iped_enableGraphGeneration=
iped_entropyTest=
iped_enableSplitLargeBinary=
iped_indexFileContents=
iped_enableIndexToElasticSearch=
iped_enableMinIO=
iped_enableAudioTranscription=
iped_enableCarving=
iped_enableLedCarving=
iped_enableKnownMetCarving=
iped_enableImageThumbs=
iped_enableImageSimilarity=
iped_enableFaceRecognition=
iped_enableVideoThumbs=
iped_enableDocThumbs=
iped_enableHTMLReport=
iped_convertCommand=
iped_language=
iped_maxConcurrentRequests=
iped_mimesToProcess=
iped_requestIntervalMillis=
iped_serviceRegion=
iped_timeout=
iped_connect_timeout_millis=
iped_max_async_requests=
iped_min_bulk_items=
iped_min_bulk_size=
iped_protocol=
iped_timeout_millis=
iped_useCustomAnalyzer=
iped_validateSSL=
iped_hashes=
iped_retries=
iped_timeOut=
iped_updateRefsToMinIO=
iped_zipFilesMaxSize=
iped_enableExternalConv=
iped_externalConversionTool=
iped_extractThumb=
iped_galleryThreads=
iped_highResDensity=
iped_imgConvTimeout=
iped_imgConvTimeoutPerMB=
iped_imgThumbSize=
iped_logGalleryRendering=
iped_lowResDensity=
iped_maxMPixelsInMemory=
iped_excludeKnown=
iped_supportedMimes=
iped_supportedMimesWithLinks=
iped_autoManageCols=
iped_backupInterval=
iped_embedLibreOffice=
iped_maxBackups=
iped_openImagesCacheWarmUpEnabled=
iped_openImagesCacheWarmUpThreads=
iped_openWithDoubleClick=
iped_preOpenImagesOnSleuth=
iped_searchThreads=
iped_maxSimilarityDistance=
iped_searchRotatedAndFlipped=
iped_statusHashDBFilter=
iped_EnableCategoriesList=
iped_EnableImageThumbs=
iped_EnableThumbsGallery=
iped_EnableVideoThumbs=
iped_Examiner=
iped_FramesPerStripe=
iped_Header=
iped_Investigation=
iped_ItemsPerPage=
iped_Material=
iped_Record=
iped_RecordDate=
iped_Report=
iped_ReportDate=
iped_RequestDate=
iped_RequestDoc=
iped_Requester=
iped_ThumbSize=
iped_ThumbsPerPage=
iped_Title=
iped_VideoStripeWidth=
iped_faceDetectionModel=
iped_maxResolution=
iped_upSampling=
iped_commitIntervalSeconds=
iped_convertCharsToAscii=
iped_convertCharsToLowerCase=
iped_extraCharsToIndex=
iped_filterNonLatinChars=
iped_forceMerge=
iped_indexUnallocated=
iped_maxTokenLength=
iped_storeTermVectors=
iped_textSplitSize=
iped_useNIOFSDirectory=
iped_GalleryThumbs=
iped_Layout=
iped_Timeouts=
iped_Verbose=
iped_enableVideoThumbsOriginalDimension=
iped_enableVideoThumbsSubitems=
iped_maxDimensionSize=
iped_categoriesToIgnore=
iped_mimeTypesToIgnore=
iped_OCRLanguage=
iped_enableOCR=
iped_externalConvMaxMem=
iped_externalPdfToImgConv=
iped_maxConvImageSize=
iped_maxFileSize2OCR=
iped_maxPDFTextSize2OCR=
iped_minFileSize2OCR=
iped_pageSegMode=
iped_pdfToImgLib=
iped_pdfToImgResolution=
iped_processNonStandard=
iped_addFileSlacks=
iped_addUnallocated=
iped_ignoreHardLinks=
iped_minOrphanSizeToIgnore=
iped_numImageReaders=
iped_robustImageReading=
iped_skipFolderRegex=
iped_unallocatedFragSize=
iped_fragmentOverlapSize=
iped_itemFragmentSize=
iped_minItemSizeToFragment=
iped_libreOfficeThumbs=
iped_libreOfficeTimeout=
iped_maxPdfExternalMemory=
iped_pdfThumbs=
iped_pdfTimeout=
iped_thumbSize=
iped_timeoutIncPerMB=
iped_enableExternalParsing=
iped_externalParsingMaxMem=
iped_minRawStringSize=
iped_numExternalParsers=
iped_parseCorruptedFiles=
iped_parseUnknownFiles=
iped_phoneParsersToUse=
iped_processImagesInPDFs=
iped_sortPDFChars=
iped_storeTextCacheOnDisk=
iped_timeOut=
iped_timeOutPerMB=
iped_computeFromThumbnail=
iped_minFileSize=
iped_skipHashDBFiles=
iped_phone_region=