Luis Filipe Nassif edited this page Feb 18, 2023 · 43 revisions

Basic dependencies

Java with JavaFx

IPED 3.x versions are built and tested with Java 8. Oracle JDK 8 already includes JavaFx. IPED-4.x is built and tested with Java 11. Oracle JDK 11 doesn't include JavaFx automatically. If you use OpenJDK, the matching OpenJFX version must be installed (openjfx, libopenjfx-java, libopenjfx-jni) and configured to compile from source or to run the graphical user interface. A good distribution is the Liberica OpenJDK 11 Full package (not standard!), which already includes JavaFx.

The Sleuthkit

To use IPED on a Linux system, you need to compile The Sleuthkit library with Java support enabled. Although you can use official Sleuthkit versions, we suggest one of the forks below. Please read the INSTALL.txt file of sleuthkit for its full requirements. The forks below need openssl (libssl-dev) installed. You must also have ant installed to enable Java support. Then try the following commands depending on your IPED version:

  • For IPED-3.x: the following fork is recommended: https://github.com/lfcnassif/sleuthkit-APFS. It is based on sleuthkit-4.6.5, with APFS support integrated, fixes from sleuthkit-4.6.6 and 4.6.7 backported, and some optimization patches used by IPED already applied.
    git clone https://github.com/lfcnassif/sleuthkit-APFS.git
    
  • For IPED-4.x: the following fork is recommended: https://github.com/sepinf-inc/sleuthkit/tree/4.12.0_iped_patch. It is based on sleuthkit-4.12.0, allows decrypting APFS with non-empty passwords, has important fixes for APFS, and has some optimization patches used by IPED already applied.
    git clone -b 4.12.0_iped_patch https://github.com/sepinf-inc/sleuthkit
    

After cloning, run the following from inside the cloned directory:

./bootstrap
./configure

After configure finishes, make sure Java support is reported as enabled in its summary output. After that:

make
make install

The build should generate a bindings/java/dist/sleuthkit-4.x.y.jar artifact. Its path must be set in the tskJarPath parameter of the IPED LocalConfig.txt file.
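A post-build check for the steps above, added here as an example and not part of IPED or its wiki: it confirms that the build produced the jar and that tskJarPath in LocalConfig.txt points to that same jar rather than a stale or different build. It assumes LocalConfig.txt holds `key = value` lines with `#` comments; the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Added example (not from the IPED project): post-build check for tskJarPath.
# Assumption: LocalConfig.txt holds "key = value" lines with '#' comments.

# Print the sleuthkit-*.jar produced under <src>/bindings/java/dist.
find_tsk_jar() {
    jar=''
    for f in "$1"/bindings/java/dist/sleuthkit-*.jar; do
        if [ -f "$f" ]; then jar=$f; fi
    done
    [ -n "$jar" ] || return 1
    printf '%s\n' "$jar"
}

# Print the active (uncommented) tskJarPath value, trimmed; empty if unset.
read_tsk_jar_path() {
    sed -n 's/^[[:space:]]*tskJarPath[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# Exit codes: 0 ok, 2 no jar built, 3 unset, 4 missing file, 5 different jar.
check_tsk_config() {
    src=$1; cfg=$2
    built=$(find_tsk_jar "$src") || {
        echo "no sleuthkit jar under $src/bindings/java/dist (Java support enabled?)" >&2
        return 2
    }
    configured=$(read_tsk_jar_path "$cfg")
    if [ -z "$configured" ]; then
        echo "tskJarPath is not set in $cfg; expected: tskJarPath = $built" >&2
        return 3
    fi
    if [ ! -f "$configured" ]; then
        echo "tskJarPath points to a missing file: $configured" >&2
        return 4
    fi
    if ! cmp -s "$configured" "$built"; then
        echo "tskJarPath jar differs from the one just built: $built" >&2
        return 5
    fi
    echo "OK: tskJarPath = $configured"
}

# Usage: sh check_tsk.sh <sleuthkit source dir> <path to LocalConfig.txt>
if [ "$#" -eq 2 ]; then
    check_tsk_config "$1" "$2"
fi
```
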

Additional dependencies

To use all IPED features, the following dependencies should be installed or compiled:

It is recommended to disable Linux swap or to reduce the kernel's willingness to swap (set swappiness = 10). Most distributions prioritize the IO cache, and because hundreds or thousands of gigabytes are read from images while they are ingested, some processes, such as those related to X11, could be paged out to disk, freezing your system GUI.

IPED Docker

Instead of building or installing all of the above dependencies, you can try the iped-docker project (https://github.com/iped-docker/iped). The Docker images are automatically published at https://hub.docker.com/r/ipeddocker/iped/

Please report any issues found directly to that project.

Running

After building, to show the tool's help, run:

java -jar iped.jar

To open a case after processing, run the following from inside the output folder:

java -jar iped/lib/iped-search-app.jar