IPED Digital Forensic Tool v4.1.5 releases
IPED Digital Forensic Tool
IPED is open-source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.
Introduction
IPED – Digital Evidence Processor and Indexer (translated from Portuguese) is a tool implemented in Java, developed since 2012 by digital forensic experts from the Brazilian Federal Police, who still maintain it. Although it was always open source, its code was only officially published in 2019.
Since the beginning, the goal of the tool was efficient data processing and stability. Some key characteristics of the tool are:
- Command-line data processing for batch case creation
- Multiplatform support tested on Windows and Linux systems
- Portable cases that need no installation and can be run from removable drives
- Integrated and intuitive analysis interface
- High multithread performance and support for large cases: up to 135 million items as of 12/12/2019
Currently, IPED uses the Sleuthkit library only to decode disk images and file systems, so the same image formats are supported: RAW/DD, E01, ISO9660, AFF, VHD, VMDK. There is also support for UDF (ISO), AD1 (AccessData), and UFDR (Cellebrite) formats. Support for APFS was recently added, thanks to the BlackBag implementation for Sleuthkit.
Features
Some of IPED's many features are listed below:
- Supported hashes: md5, sha-1, sha-256, sha-512, and edonkey. PhotoDNA is also available for law enforcement (please contact iped@dpf.gov.br)
- Fast hash deduplication, NIST NSRL, ProjectVIC and LED hashset lookup
- Signature analysis
- Categorization by file type and properties
- Recursive container expansion of dozens of file formats
- Image and video gallery for hundreds of formats
- Georeferencing of GPS data (needs Google Maps Javascript API key)
- Regex searches with optional script validation for credit cards, emails, URLs, money values, bitcoin, ethereum, ripple wallets…
- Embedded hex, Unicode text, metadata, and native viewers
- File content and metadata indexing and fast searching, including unknown files and unallocated space
- Efficient data carving engine (takes < 10% of processing time) that scans much more than unallocated space, with support for more than 40 file formats, including videos, extensible by scripting
- Optical Character Recognition powered by tesseract 4
- Encryption detection for known formats and using entropy test
- Processing profiles: forensic, pedo (csam), triage, fastmode (preview), and blind (for automatic data extraction)
- Language detection for more than 70 languages
- Named Entity Recognition (needs Stanford CoreNLP models to be downloaded)
- Customizable filters based on any file metadata
- Similar document search with configurable threshold
- Similar image search, using an internal or external image
- Powerful file grouping (clustering) based on ANY metadata
- Support for multicases up to 135 million items
- Extensible with javascript and python (including CPython extensions) scripts
- External command line tools integration for file decoding
- Browser history for Edge, Firefox, Chrome, and Safari
- Custom parsers for Emule, Shareaza, Ares, WhatsApp, Skype, Telegram, Bittorrent, ActivitiesCache, and more…
- Fast nudity detection for images and videos using random forests algorithm (thanks to its author Wladimir Leite)
- Nudity detection using Yahoo open-nsfw deep learning model (needs Keras and jep)
- Audio Transcription, implementations with Azure and Google Cloud services
- Graph analysis for communications (calls, emails, instant messages…)
- Stable processing with out-of-process file system decoding and file parsing
- Resuming or restarting of stopped or aborted processing (--continue/--restart options)
- Web API for searching remote cases, getting file metadata, raw content, decoded text and thumbnails, and posting bookmarks
- Creation of bookmarks/tags for interesting data
- HTML, CSV reports, and portable cases with tagged data
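The "regex searches with optional script validation" feature above pairs a broad pattern with a checksum test so that only hits that pass validation are reported. The following is an added example of that two-step idea, not IPED's own code or its validation scripts: a Luhn check for card numbers and a Base58Check test for legacy Bitcoin addresses, run over a constructed sample string.

```python
# Added example, not IPED's own code: a regex hit is only reported after a
# validation step, which is how script validation cuts regex false positives.
import hashlib
import re

# Constructed sample text: one Luhn-valid and one invalid card number, one
# valid Bitcoin address (the Bitcoin wiki example) and a corrupted copy of it.
SAMPLE = (
    "card 4111 1111 1111 1111 ok, card 4111 1111 1111 1112 bad, "
    "btc 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 ok, "
    "btc 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN3 bad"
)

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, spaces/dashes allowed
BTC_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy P2PKH/P2SH
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def base58check_ok(addr: str) -> bool:
    """Base58Check: last 4 bytes must equal SHA256(SHA256(version+hash160))[:4]."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    try:
        raw = n.to_bytes(25, "big")  # 1 version + 20 hash + 4 checksum bytes
    except OverflowError:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def find_validated(text: str) -> dict:
    """Return raw regex hit counts beside the hits that survive validation."""
    cards = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    btc = [m.group() for m in BTC_RE.finditer(text)]
    return {
        "card_hits": len(cards),
        "cards": [c for c in cards if luhn_ok(c)],
        "btc_hits": len(btc),
        "btc": [a for a in btc if base58check_ok(a)],
    }
```

On the sample text each regex fires twice, but only one card number and one address survive validation; the raw counts are kept so an examiner can see how many candidates the checksum discarded.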
Changelog v4.1.5
This release fixes a critical vulnerability in the Google libwebp library, CVE-2023-4863. We strongly recommend that all users upgrade. There are other important fixes, listed below:
#1903: RCE vulnerability in libwebp dependency (@tc-wleite, @lfcnassif)
#1879: Many dates read from UFDR can be decoded using a wrong timezone (@tc-wleite)
#1898: Discord Parser can show wrong attachment file (@felipecampanini, @lfcnassif)
#1843: Some deleted chats or messages not being tagged as deleted (@hauck-jvsh)
#1868: PDF xmp timestamps aren’t extracted with timezone info (@patrickdalla)
#1833: Transcribing audios with more than 2GB on remote service never ends (@hauck-jvsh, @lfcnassif)
#1880: Error while parsing WhatsApp contacts (@tc-wleite)
#1840: Fix links to audio and videos in WhatsApp chats, if files are in an input folder (@tc-wleite, @lfcnassif)
#1836: Broken links in WhatsApp chats when attachment file names contain emojis (@tc-wleite, @gfd2020)
#1897: Just first regex hit is shown if multiple regex patterns match the same input string (@tc-wleite)
#1870: NPE in SleuthkitClient when generating report with a virtual disk (@aberenguel, @lfcnassif)
#1875: ALT+Key to remove from bookmark not working properly with CTRL and SHIFT shortcuts (@tc-wleite)
#1846: APFS password not set when opening the case on Linux (@aberenguel)
#1909: Vosk transcription may slow down during large cases processing (@tc-wleite)
#1842: Improve layout for audio and video tags in whatsapp chats opened in browser (@tc-wleite)
Copyright (C) 2020 sepinf-inc