-
Notifications
You must be signed in to change notification settings - Fork 222
Linux
IPED versions 3.x are built and tested with Java 8. Oracle JDK 8 already includes JavaFx. IPED-4.x is built and tested with Java 11. Oracle JDK 11 doesn't include JavaFx automatically. If you use OpenJDK, the matching OpenJFX version must be installed (openjfx, libopenjfx-java, libopenjfx-jni) and configured to compile from source or to run the user graphics interface. A good distribution is Liberica OpenJDK 11 Full package (not standard!), it already includes JavaFx.
To use IPED on a Linux system, it is needed to compile The Sleuthkit Library with Java support enabled. Although you can use official Sleuthkit versions, we suggest one of the forks below. Please read the INSTALL.txt file of sleuthkit for its full requirements. Forks below needs openssl (libssl-dev) installed. You also must have ant installed to enable java support. Then try the following commands depending on your IPED version:
- For IPED-3.x: the following fork is recommended: https://github.com/lfcnassif/sleuthkit-APFS. It is based on sleuthkit-4.6.5, with APFS support integrated, fixes from sleuthkit-4.6.6 and 4.6.7 back ported, and some optimization patches used by IPED already applied.
git clone https://github.com/lfcnassif/sleuthkit-APFS.git
- IPED-4.x: the following fork is recommended: https://github.com/sepinf-inc/sleuthkit/tree/4.12.0_iped_patch. It is based on sleuthkit-4.12.0, allows to decrypt APFS with non empty passwords, has important fixes for APFS and some optimization patches used by IPED already applied.
git clone -b 4.12.0_iped_patch https://github.com/sepinf-inc/sleuthkit
After cloning do:
./bootstrap
./configure
After configure, make sure java support is enabled in the summary result. After that:
make
make install
After building it should generate a bindings/java/dist/sleuthkit-4.x.y.jar artifact. Its path must be configured in tskJarPath parameter in IPED LocalConfig.txt file.
To use all IPED features, the following dependencies should be installed or compiled:
- libewf-dev version 20140808 or older to decode E01 images, must be installed before compiling sleuthkit. (https://github.com/libyal/libewf-legacy/releases)
- libvmdk and libvhdi to decode vmdk and vhd images respectively, must be installed before compiling sleuthkit.
- Tesseract version 5 and at least dictionaries for english, portuguese and OSD (orientation and script detection)
- Imagemagick tool, to support hundreds of image formats not supported by java
- Mplayer tool to extract video thumbnails
- LibreOffice version 6, to support rendering dozens of formats. You need to install libreoffice-java-common and libreoffice-gtk2 packages and set environment variable SAL_USE_VCLPLUGIN='gtk'
- Libpff to decode Outlook OST 2013 format and to recover deleted mails from PST mailboxes. Please make sure a version equal or newer than 20130722 is installed to have OST 2013 support (https://github.com/libyal/libpff/)
- libesedb-utils to decode windows EDB databases (https://github.com/libyal/libesedb)
- Perl module Parse::Win32Registry, used by RegRipper tool. Install libparse-win32registry-perl or run:
perl -MCPAN -e 'install Parse::Win32Registry'
- libmsiecf-utils to decode Internet Explorer <= 9 histories (https://github.com/libyal/libmsiecf)
- libscca-utils to decode Windows prefetch files (https://github.com/libyal/libscca)
- libevt-utils (https://github.com/libyal/libevt) and libevtx-utils (https://github.com/libyal/libevtx) to decode Windows event logs
- rifiuti2 do decode Windows recycle bin files (https://github.com/abelcheung/rifiuti2)
- Compile libagdb to decode Windows Superfetch files (https://github.com/libyal/libagdb)
- Install graphviz for graph layout options to work (apt-get install graphviz)
It is recommended to disable Linux swap or to decrease Linux willingness to swap (set swappiness = 10). Most distributions prefer to prioritize IO cache, and as hundreds or thousands of gigabytes are read from images while they are ingested, some processes, like those related to X11, could be paged to disk, freezing your system GUI.
Instead of building or installing all above dependencies, you could try the iped-docker project (https://github.com/iped-docker/iped). The docker images are automatically published at https://hub.docker.com/r/ipeddocker/iped/
Please report any issues found directly to that project.
After building, to show the tool help run:
java -jar iped.jar
To open a case after processing, from inside the output folder run:
java -jar iped/lib/iped-search-app.jar