Tool For OSINT Investigations Pt. 1 | Corma Investigations

The All-Round Tool for OSINT Internet Investigations – Part 1

Table of Contents

Table of Contents

Which Maltego transforms are best suited for Open Source Intelligence (OSINT) research?

Transforms remain at the core of Maltego. They enable the process of querying the entities depicted on the graph through the respective data sources. The respective transform connects the entity (e.g., email address) to the data source (e.g., GitHub). The result (user has an account there) is then visually presented as a new entity on the graph.

The Maltego Transform Hub currently offers more than 40 transform packages. Not all of these are specifically required for OSINT research or internet investigations. My first choice for investigative purposes is the Social Links transform. A good overview of the functions can be viewed here via the manufacturer’s site. Such professional tools do not come cheap. Hence, I recommend booking a demo and having an offer drawn up before sealing the deal.

Find out why Social Links proves to be such an indispensable tool for me on a daily basis and what areas are covered by its transforms. The second part of this post features a slew of practical tips & tricks from my personal experience.

Which areas does Social Links cover?

Social Links currently includes over 800 transforms. These are assigned to the respective entities and only work with them.

I have zeroed in on the choice options and divided them up into different categories:

These categories do not fit the offered transforms to a tee, plus some overlap is unavoidable. However, they are meant to provide you with a better overview of what is available and should also facilitate opting for a trial version.

Without further ado, I now get into the individual categories together with the fitting transforms. It helps if the user knows the databases/websites queried by the transforms. The specific possibilities of the individual offers are too extensive to elaborate on within this post. However, we delve deeper into these topics within the framework of my workshops. As already mentioned, the results can only be interpreted correctly if the transforms are fully understood.

Social Networks

More than 120 transforms are currently available for Facebook. From the analysis of friend lists, through people, group, or post searches down to the evaluation of extensive Facebook reports. Many tasks can thus be taken care of quickly and easily for the investigator.

Topping the charts is the “Mutual Friends” search option, which is invaluable for invisible friend lists.

Profiles and users can be found via Foursquare. Searches by phone number, email, and alias are another option.

In the realm of GitHub, in-depth research can be carried out with the transforms. For example, the search for files, GitHub repositories, contributors, and other information is made possible.

Transforms for background checks on Instagram allow inquiries in the areas of “User Details,” “Comments,” “User Following,” or “Search Person.”

Investigations on LinkedIn are currently a sensitive subject matter. The site pulls out all the stops to seal itself off and deny external access/research. Nevertheless, transforms on the topics of “Search Person by Company,” “Check if Profile Exists,” or “Search Person” offer useful support.

Further transforms access data from MySpaceSnapchat, and social networks in Russia.

Many transforms are also available for Twitter. The option “Advanced Search” is offered together with user search options utilizing the alias, company research, locating tweets, and, of course, the analysis of “Follower/Following.” With the help of these transforms, a link analysis on connections/intersections is made possible.

Vkontakte is an important network for investigations of a different kind. Originating from Russia, is a multilingual social network. Often referred to as the Russian Facebook alternative, it also serves as a pool for extremists of all stripes.

The Social Links transform enables queries such as: “Search Users,” “Friends,” “Group Members,” “User Details,” “User Followers,” and “User Following.”

Overall, the queries are as extensive as Facebook transforms.

The transforms for Xing are subject to challenges similar to those over at LinkedIn. At least searches for “Company,” “User by Name,” “User Details,” or “Company Details” are feasible.

I have defined Messenger as a separate category, to be discussed in greater detail in the second part of this post.


The transforms support (worldwide) research on companies as well as the associated corporate bodies. They serve as an immediate example of the intersection just mentioned, specifically for inquiries related to individuals. In our investigations, the potential connections of people to companies play an integral role.

Social Links offers transforms to OpenCorporates, thereby enabling access to over 180 million companies worldwide with more than 230 million corporate officers. Not all countries are included, but the exact numbers can be seen in this overview.

Additional queries access data from Companies House, the UK’s commercial register. The transforms facilitate the search for people and companies.

Further comparable queries are possible via links to the investigations of the Organized Crime and Corruption Reporting Project (OCCRP) and the Offshore Leaks Database of “The International Consortium of Investigative Journalists.“

Another source is Sqoop (journalist-only access), which monitors federal court cases and SEC documents in the United States. In addition, it tracks patents and company offerings. Click here for details. For the transforms, the access data (login) to the website must be specified.

DocumentCloud forms the last package in this category. The API interface allows the transforms to query entities such as company, email address, person, website, and document.


Bloxy offers blockchain analysis with access to Ethereum blockchain data as an example. The transforms require an additional API key from Bloxy, which makes it possible to query Ethereum addresses, tokens, and transactions. For example: “Token Holder,” “Ether Final Destination,” “All Money Transfers.”

Further interesting snippets of information can be unlocked through access to BitcoinWhosWho.

Domain – IP Address – Thread Intelligence

I have categorized some transform packages under this header that can prove most helpful for inquiries regarding websites, domains, and IP addresses. Especially to complement the existing CTAS transforms from Paterva.

Since 2015, Censys has tasked itself with creating “a complete database of all devices on the internet.” For example, scanners such as Zmap perform a weekly scan of the IPv4 address range. Access to much (not all) data is free, and the Social Links transforms can query this database using an API key. For OSINT analysts and investigators, Censys is a vital source that should be readily integrated.

For our investigations, we like to rely on the queries of SecurityTrails databases.

Founded in 2017, SecurityTrails aims to create the most extensive collection of IP addresses, domain names, and WHOIS data. An API key from Security Trails is required for the Social Links transform.

It enables the creation of queries such as historical DNS data, “Whois History,” “Associate Domains,” “Search Domain by Whois Email,” or “Search Domains by IP.”

ZoomEye is a cyberspace search engine that records information about devices, websites, services, and components, etc. These transforms also require the login credentials of the user registered with ZoomEye. Among other things, the database enables free queries on companies, DNS names, domains, IPv4 addresses, and similar information.

Shodan is one of the most popular search engines for computers and services connected to the internet. Numerous queries can also be carried out here using an additional API key. Starting entities are the domain, IPv4 address, and the “Phrase” for keyword research.

Further transforms in this category then enable queries about the encoded URL (i.e., a single webpage), such as: “External URL” and “Internal URL.”

Also worth mentioning is access to the Vulners databases. When it comes to the topic of “Vulnerabilities & Exploits Database,“ it is a good source on this particular subject matter even if it is not necessarily part of every investigation.

Social Links transforms enable uTorrent to be searched for torrents, peers, and IP addresses.


Maltego requires the corresponding transforms to unleash its full potential for OSINT research and Internet investigations. The transforms of Social Links prove to be an essential tool that gets to the heart of Open Source Intelligence (OSINT) investigations.

We definitely recommend a free trial version, which can be requested at any time via

The second part of this posting will be featured up next, where I will plot additional applications of Social Links in the area of OSINT investigations. Not to be missed, diving into the infamous Darknet is also a must.

To place this post in the right context:

Social Links licenses form an integral part of our investigations and are regularly updated accordingly. I do not procure a commission for my recommendations. As a regular feedback provider, I work closely with the manufacturer and thus receive “my” solutions. In turn, this can benefit other users.


You will find more information about my combined Maltego & Social Links course here:
Maltego Pro & Social Links Training

No time to take this course yourself?

No problem. We can conduct professional intelligence analysis in Germany and Europe on your behalf.

Intelligence Analysis in Germany and Europe

Share this Information On:
Talk to an expert!

Any information you provide us in advance will help us answer your request. You can also set up an online meeting right away.

We are at your disposal for an online meeting. Please book an appointment that suits you in our calendar.