Performance Tips

It is highly recommended to configure indexTemp folder on a SSD disk, different from your operating system partition or disk, free of antivirus scanning, system indexing or shadow copy services.

Use different disks for temp folder, output directory and forensic images. If possible, put your forensic images in a non parity RAID disk array.

Use java 8 64bits version. You need a very very minimum of 8GB of RAM. Do not allocate all your memory to IPED processing with java -Xmx option, IPED often just uses a few gigabytes, that increases at processing time if you have dozens of CPU cores and at analysis time if your case is huge (tens of millions of files). Generally, it is best to let the JVM allocate memory by itself instead setting it with -Xmx, although it may workaround some OOME errors (see https://github.com/sepinf-inc/IPED/wiki/Troubleshooting). IPED needs free memory to run external tools (imagemagick, mplayer, tesseract...) and to use as IO cache for your images and case index. IPED will need more free memory if you turn advanced options 'enableExternalParsing' or 'robustImageReading' on. Never allocate more than 32GB of heap, pointers will double in size and you will end with less heap to use.

If you are processing E01 images and have some memory available, enable robustImageReading in conf/AdvancedConfig.txt. It will uncompress data from e01 images in parallel using your multiple cpu cores and can result in great speed ups. Without that, just one item is uncompressed at a time by sleuthkit because libewf is not thread safe and it will bottleneck.