What Is Maltego?
In the communities of OSINT specialists and Cyber Security experts, a software solution is discussed controversially again and again. Maltego is for some the “One-Stop-Shop” for OSINT and for others a book with seven seals. I want to serve both sides in this new blog series, the newcomers and the experts.
I still remember well my beginnings with the software. It was not always clear to me what was happening on the monitor. How to interpret the results? I’m now sharing my experiences with the tool with this blog series. It includes practical tips and instructions. In the following first post, I give an overview of the tool, who uses it and what the Maltego concept looks like.
OSINT, Interactive Data Mining, and Link Analysis
Maltego excels as an interactive data mining tool that creates directional graphs for link analysis. “Graphs” are graphical representations, also known as relationship graphs or charts. The tool can be used to obtain information for various areas and from various sources. It is also referred to as an open-source intelligence (OSINT) and forensics application.
Paterva (Pty) Ltd. has developed the proven product in South Africa since 2008.
Maltego Technologies GmbH, based in Munich (Germany), is the official partner for Maltego.
The investigators and intelligence analysts at corma GmbH use the software in the Classic and XL versions. From my perspective, the Community Edition is neither suitable nor intended for professional investigative work.
The “Classic” tool is perfect for us to identify relationships between information from different sources on the Internet during online investigations. Maltego uses the idea of transformation to automate the process of querying different data sources.
This information is then displayed in a node-based graph. Such a visual representation is ideally suited for link analysis. In this way, “real” relationships (e.g. computer networks or social networks) between people, websites, domains and other “objects” can be analyzed.
How Does Maltego Query the Sources and Get the Data?
The tool can query different public sources using the available transformations, such as:
- Bing
- DNS-Server
- GeoIP Databases
- PGP Key Server
Other queries can be started using the API key via “closed databases”, e.g:
In the application, all objects found with the (directed) relationships are then represented as nodes in a relationships diagram. The entities in such a graph are for example person, domain, phone number, DNS name or email address. The individual information is automatically linked by Maltego and presented to the user in a “network graph”. It is not uncommon for previously unknown relationships to be identified.
Who Uses Maltego?
The number of active users is growing daily. There are currently around 600,000 community users. In addition, commercial customers use the clients and certainly also the server solutions offered by Paterva. For example, these users come from the areas:
Intelligence Agencies
Banks
Pentester
Private Investigators
Police Authorities
Security/Threat Analysts
What Is the Best Way to Use Maltego?
The answer to the question as to how Maltego can best be used depends to a large extent on its intended use.
Maltego is certainly not the “one-click-and-the-case-is-solved” software, even though many users imagine it to be so. Right from the start, the software was designed to support and complement investigations with the browser. That’s why even today you have to leave the tool during an investigation and search for missing data in the browser. This information can then be used to start new transformations in Maltego.
Cases can also be handled completely in the application, e.g. to determine the infrastructure of a domain.
In other use cases, users work exclusively in the internal data and use self-programmed transformations. The provided scripts are not used by them.
The context in which Maltego is used determines the type of use. Maltego is a unique tool, but should not be the only one in your toolbox.
How Do Entities and Links Work in Maltego?
Maltego is based on a similar principle to the web. Websites are connected by links. With Maltego, entities and their relationships can be represented through links. These can be fixed or flexible.
Example 1:
A link between a DNS name and an IP address is fixed.
maltego1.paterva.com –→ 104.200.18.205
The “link” here is the DNS.
Example 2:
A link between a telephone number and a mail address, on the other hand, is flexible.
27 83 448 6996 –→ roelof-govform1@myowndomain.com
The “link” here is a website where these entities are mentioned in the immediate vicinity. There is no context and no certainty, overall fuzzy results.
What Is the Maltego concept?
The manufacturer understands this as a combination of entities, transformations, and machines in the software context. In detail, that means:
Entities are real objects, such as individuals, DNS names, phone numbers, and email addresses. An entity is visually represented as a node on the graph. The Maltego Client (Classic/XL) contains approximately 20 entities, specifically for online investigations. However, you can also create your own entities.
Transformations represent relationships between entities. This is done by querying a data source and returning the results as a new entity on your graphs. The data sources include DNS servers, search engines, social networks, whois information, own databases, etc.
Machines use a script to merge transformations to automate tasks intelligently. They then either run completely on their own or wait for interaction with the user at predefined points.
What Can We Do with It Now?
Machines are good at automating tasks, we achieve this with transformations. We humans are good at pattern recognition, but there is a visual representation (graph).
This cooperation offers the potential for solving cases, finding fresh information, or recognizing new contexts.
Maltego is an essential tool for intelligence analysis in Germany, and we are ready to support you. For more information, please click here:
Intelligence Analysis in Germany and Europe
Conclusion
Maltego is a visual link analysis tool that comes as a standard with Open Source Intelligence (OSINT) add-on modules – so-called transformations. The tool offers data mining and information collection in real-time.
Maltego searches for existing relationships between information from different sources. Possible sources include providers of databases, websites, search engines, social networks, and online services.
The obtained data can be displayed in a node-based diagram. This makes patterns and connections between this information easily recognizable in several order levels.
In my view, Maltego has virtually no alternative on the market. Why this is the case will become clearer in the coming articles.
In my next post, I’ll go to Maltego’s installation, setup, and settings notes.
Maltego is an essential tool for intelligence analysis in Germany, and we are ready to support you. For more information, please click here:
