Before we get our hands dirty, there are three important concepts in Maltego that need to be defined.
An Entity is represented as a node on a graph and can be anything such as a DNS Name, Person, Phone number, etc. The Maltego client comes with about 20 entities targeted for use in online investigations, but you can also make your own custom ones.
A Transform is a piece of code that takes one entity to another. It does this by querying a data source and returning the results as new entities on your graph. The data sources are places like DNS servers, search engines, social networks, WHOIS information, etc.
Machines chain multiple transforms together to automate common/tedious tasks.
When you start up your Maltego client, you are first greeted by the Home page. On the left of the Home page is the Maltego Start Page, which contains links to our social media accounts and sometimes important notifications. We generally use Twitter to post notifications about new features and YouTube to post any new video tutorials that we do. Any critical notifications will be posted directly on this page.
On the right-hand side of the Home page you will find the Transform Hub. The Transform Hub allows you to install transforms that are provided by 3rd party transform vendors as well as additional transforms that are provided by Paterva. Each of the transform packages on the Transform Hub is referred to as a Transform Hub Item. If you followed the steps in the previous section, you should have the PATERVA CTAS transform hub item installed as shown below:
Figure 23: PATERVA CTAS transform hub item
This transform hub item includes all the standard OSINT transforms for querying public information sources online. There will be more information about the Transform Hub in an upcoming section. But for now, let’s start our first graph. For those who are not familiar with the term OSINT, here is a definition from Wikipedia:
Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.
There are three ways to create a new graph in Maltego:
You can click the (+) button in the top left-hand corner of the Maltego client window next to the Application Button:
Figure 24: New graph shortcut
You can create a new graph by clicking the Application Button and then clicking New:
Figure 26: New Graph from The Application Menu
But the easiest way is to use the keyboard shortcut Ctrl + T.
Once you have created a new graph you will get a fresh page within a new tab, surrounded by a range of control windows as shown in the image below.
Figure : New Graph
Entities in Maltego are used to represent different types of information and are represented as nodes on your graph. All the entities that are available in your Maltego client will be found in the Entity Palette which, by default, is found on the left-hand side of your graph. The entities in the palette are categorized into groups with the main categories being Infrastructure and Personal.
There are three aspects of an entity that should be understood before going forward.
Figure 28: Entity value
The type – this is the type of information that the entity is representing
The value – this is the primary information field for an entity and is always displayed on the graph:
The properties – these are additional information fields for the entity
To add a new entity to your graph, click and hold on the desired entity and drag it onto the graph area as depicted below:
Figure 29: Dragging an entity to graph
Once an entity has been dragged onto a graph it becomes one of the nodes on the graph.
Double-click on the text of the entity to edit the entity’s value. The text will become highlighted and you can quickly edit the value:
Figure 30: Editing an entity's value
Left-click on the node you want to select. You will see the selection circle appear around it.
Figure 31: Select a single entity
Drag a box with the mouse around the entities you want to select while keeping the left mouse button held down.
Figure 32: Select multiple entities
Once selected, the nodes will be highlighted as in the picture below.
Figure 33: Multiple entities selected
When faced with multiple nodes but you only want to select specific nodes, use Shift + left-click. Shift + left-click on each node you want to select and they will be added to the selection.
Figure 34: Selecting multiple entities
To open the full entity Details window, double-click anywhere on the entity icon other than the entity’s value. The entity Details window includes four separate tabs, described below:
The entity Summary tab will open first when the entity Details window is opened. The tab contains a summary of all the information of the entity that can be found in more detail in the subsequent tabs in the entity Details window.
The image below shows the Summary page of a domain entity. Thumbnails for all entity attachments are also shown at the bottom of the summary window. There is also a large text area where entity notes can be added or edited.
Figure 35: Entity summary page
The Attachments tab allows you to view a list of all the file attachments for the entity.
Figure 36: Attachment tab in entity details
New file attachments can be added by clicking the Attach button. This will open a dialog where a local file can be selected or a URL to a file can be specified which will be fetched by the Maltego client.
Figure 37: choosing a file attachment
File attachments can also be added to an entity by dragging and dropping it from your file manager onto an entity on the graph.
On a Maltego graph, an entity that has a file attached to it is marked with a paper-clip icon on the left-hand side of the entity’s icon, as shown in the image below:
Figure 38: Entity attachment
The Notes tab includes a large text area where a note for an entity can be added or modified.
Figure 39: Entity note tab in entity details
On a Maltego graph, entities with notes can be identified by the yellow page icon on the right-hand side of the entity icon as shown below. Double-clicking the yellow page icon will show the note in a dialog box on the graph as depicted below. This dialog can be closed again by clicking the [X] in the top right-hand corner of the dialog box.
Figure 40: Entity note
The Properties tab in the entity Details window shows a list of key-value pairs for the different properties that the entity includes. The values of an entity’s properties can also be edited from this window.
Figure 41: Properties tab in entity details
To pan around your graph, right-click and hold while moving the mouse in the desired direction. You can also use the arrow keys to jump to the next entity in the graph. This is useful when navigating large graphs and is a lot faster than using the scroll bars.
Figure 42: Panning around your graph with the mouse
You can move the visible frame (white box) around on the Overview window (top-right corner) using the mouse (left-click, drag) – the main graph window will update in real time. Depending on the zoom level the visible frame becomes larger (zoomed out) or smaller (zoomed in).
Figure 43: Using the Overview view to navigate a large graph
The mouse wheel can be used to zoom in and out of your graph. The zoom is always relative to the position of your mouse pointer on the graph. For example, if your mouse pointer is at the far left of a graph, zooming in gradually moves the graph to the left so that the point under the mouse pointer, rather than the center of the graph, becomes the central point.
There are two different ways entities are rendered on a graph depending on the zoom level. When zoomed closely into the graph, each entity will be represented as an entity icon with its value written beneath as shown in the image below:
Figure 44: Icon view
When zooming out entities will become solid round circles where the color of the circle indicates the entity’s type. A color legend is then displayed in the bottom right-hand corner of the graph for each entity type on the graph:
Figure 45: Legend view
Note that the colors are not always the same – e.g. the IP address entity will not always be orange. This happens because Maltego can be used with custom entities, and the number of entities used is not known to the program.
The context menu allows you to run transforms on the selected entities on your graph. When you right-click on an entity (or group of entities) a context menu is displayed. The context menu is grouped into three different layers, namely the Top level, the Set level and the Transform level, which are each explained in the following sub-sections.
The top level of the context menu is where the different transform hub items that you have installed are listed. By default, the Maltego client will only have the PATERVA CTAS transform hub item installed from the transform hub. If Maltego only has a single transform hub item installed the context menu will open in the set level as there is only one item to choose from in the top level. For the sake of this example additional transform hub items have been installed.
Figure 46: Context menu - top level
In the image above, the context menu has been opened for a domain entity by selecting the entity and right-clicking anywhere on the graph. Each line item in the menu represents a different transform hub item; clicking on one of these items will open the set level for that hub item.
The first item in this list reads All Transforms and clicking it will skip the set level and open the transform level of the context menu with all the transforms listed for the selected entity/ies.
Clicking the double arrow icon (>>) in line with each of the hub items will run all the transforms found in that transform hub item that are available to the selected entity.
When your mouse is over a transform hub item, a configure icon will appear. Clicking the configure button will open a configuration menu for that transform hub item which allows global settings to be changed. These settings are applied to the entire transform hub item.
At the bottom of the context menu the action bar is found. This allows various actions to be performed on the selected entities. Each of these actions will be described in later sections. The action bar remains the same regardless of what level you are on in the context menu.
Note: Running all transforms is almost always a bad idea as it is important to know what you are running and where the transform is getting the information from.
Left-clicking on a transform hub item will take you to the set level. In Maltego, sets are used to group transforms into categories of transforms that perform similar tasks and/or are often run together.
The image below shows the different sets available to a domain entity that are in the PATERVA CTAS transform hub item. Left-clicking the side-bar on the left of the context menu will navigate back up a level in the context menu (in this case back to the transform hub level). Right-clicking anywhere on the context menu will also navigate up a level. Each set also has a configure button which, when pressed, will open the set configuration window that will allow you to configure the transforms that are included in the set.
Figure 47: Context menu - Set level
Left-clicking the double arrow head (>>) will run all the transforms in the set while left-clicking anywhere else will open the transform level on the context menu for that set.
It is possible for the transforms from a transform hub item to not be categorized into sets, in this case selecting the transform hub item in the context menu will go straight to the transform level in the menu.
The transform level of the context menu is where transforms are run from. Left-clicking on a single transform will run the transform. Alternatively, you can left-click the single arrow icon (>) on the right side of the context menu. Clicking the configuration icon in the transform line item will open the Transform Manager with the correct transform selected. The Transform Manager shows more information about the transform and allows the configuration of the transform’s settings – it will be discussed in later sections.
Figure 48: Context menu - Transform level
Clicking the star icon in a transform line item will add the transform to the favorites category which will always be listed at the top of the context menu as a separate category regardless of what level of the context menu you are on.
Figure 49: Favorites item in the context menu
Finally, hovering over a transform’s line item will display a short description of what the transform does.
Figure 50: Transform description
It is important to note that the context menu is entity specific meaning that the items that are shown in the context menu are related to the transforms that are available to the entity type that you have selected. If the graph selection includes entities of different types, then the context menu will include all items that are available to either of the selected entities.
The action bar, found at the bottom of the context menu, allows you to perform a range of actions on the selected portion of your graph. The ten actions from the action bar are labelled in the image below and then described further below that.
Figure 51: Action bar with labels
Copy to new graph: Copies your current selections to a new graph.
Delete Entities: Delete the selected entities. This can also be done with the delete key on the keyboard.
Change Entity Type: Opens a dropdown menu that includes all entities from the entity palette. Picking an entity from the dropdown will change all your selected entities to that type.
Merge entities: Creates a single entity with properties from all the entities that were merged. Clicking the merge action will open a window that is used to select a primary entity for the merge. The primary entity will take preference over the other entities and its entity type will be used for the newly merged entity. The image below shows the merge window for three entities being merged: a person, an alias and a Twitter Affiliation.
Merging these three entities making the Twitter Affiliation the primary entity results in the image below. Note that the properties from the other two entities are now in the Dynamic properties of the merged entity:
Copy in different formats: Copy your graph selection in different formats. Each format is described below:
Copy (as GraphML) - this will copy your graph to your system clipboard as an XML based graph format. This format will include information about the entities and the links between the entities in your selection.
Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.
Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.
Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.
Cut Entities: Cut your entity selection to your clipboard.
Add Attachment: Attach files to the entity. Clicking this button will open a window to choose the file to be attached:
Send to URL: Opens a “developer friendly” feature in Maltego. It takes the selected segment of the graph and POSTs a hybrid GraphML/XML to the page which then returns a URL that Maltego will open in a browser. No documentation is provided with this as it is purely for demonstration purposes.
Type Actions: quickly search Google or Wikipedia for an entity’s value. When a type action is run, your default web browser will open and the search will be performed there.
Clear and refresh images: Re-fetch all downloaded images on your graph.
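As an added example (not code from the Maltego client or from Paterva), the following Python parses the three clipboard list formats described under Copy in different formats: ‘value’, ‘type#value’ and ‘type#value#weight’. The sample clipboard text and the entity type names in it are constructed for the example, and it assumes that an entity type never contains ‘#’ (while a value, such as a URL with a fragment, may) and that a weight is an integer.

```python
"""Parser for the entity lists that Maltego's "Copy (as ... list)" actions put
on the clipboard.  Added example, not Paterva's code: the three list formats
('value', 'type#value', 'type#value#weight') follow the description above;
the clipboard text below is constructed, and the assumptions that an entity
type never contains '#' and that a weight is an integer are ours."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class CopiedEntity:
    value: str
    entity_type: Optional[str] = None
    weight: Optional[int] = None


def parse_line(line: str, fmt: str) -> CopiedEntity:
    """Parse one clipboard line written in the named list format.

    The entity type is split off from the left and the weight from the right,
    so a '#' inside the value itself (a URL fragment, for instance) is kept
    rather than being mistaken for a field separator.
    """
    if fmt == "value":
        return CopiedEntity(value=line)
    if fmt == "type#value":
        entity_type, sep, value = line.partition("#")
        if not sep:
            raise ValueError(f"expected type#value, got {line!r}")
        return CopiedEntity(value=value, entity_type=entity_type)
    if fmt == "type#value#weight":
        entity_type, sep, rest = line.partition("#")
        value, sep2, weight = rest.rpartition("#")
        if not (sep and sep2):
            raise ValueError(f"expected type#value#weight, got {line!r}")
        return CopiedEntity(value=value, entity_type=entity_type, weight=int(weight))
    raise ValueError(f"unknown list format {fmt!r}")


def parse_clipboard(text: str, fmt: str) -> List[CopiedEntity]:
    """Parse a whole clipboard payload, skipping blank lines."""
    return [parse_line(line, fmt) for line in text.splitlines() if line.strip()]


def values_by_type(entities: List[CopiedEntity]) -> Dict[Optional[str], List[str]]:
    """Group copied values by entity type (key None for the plain 'value' list)."""
    grouped: Dict[Optional[str], List[str]] = {}
    for entity in entities:
        grouped.setdefault(entity.entity_type, []).append(entity.value)
    return grouped


# Constructed sample of a 'type#value#weight' copy.  The type names are
# assumed for the example and the weights are made up; note the '#' inside
# the URL value on the second line.
SAMPLE_WEIGHTED = """\
maltego.Domain#example.com#100
maltego.URL#https://example.com/docs#install#75
maltego.IPv4Address#192.0.2.10#50
"""

if __name__ == "__main__":
    for entity in parse_clipboard(SAMPLE_WEIGHTED, "type#value#weight"):
        print(entity)
```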
When running a transform, a progress bar will appear in the bottom-right corner of the screen.
Figure 58: Transform progress bar
When running multiple transforms on multiple entities the progress bar will give an indication of the overall progress of all transforms.
The [X] (far right of the status bar) allows you to easily cancel all transforms that are currently running (for example – if you have selected the incorrect transform and don’t want the results to distort your graph with irrelevant entities). To cancel a running transform, simply select the [X] at the bottom of the screen. You will then be given a confirmation dialog that looks as follows:
Figure 59: Cancel Transform confirmation dialog
By simply selecting Yes you can cancel the running transforms. Selecting No will allow the transforms to complete as usual.
When running multiple transforms, you can click on the transform progress to see which transform is currently running:
Figure 60: Viewing current transform being run
A maximum of 10 transforms will run at once in Maltego XL and a maximum of 5 for other client versions. Additional transforms will be queued until the earlier transforms have completed.
Screen real estate is very valuable and there is a lot of information that needs to be displayed by Maltego. Depending on the size of your screen you will need to move things around, display them differently and sometimes hide them to be able to see what you want to see. This section is all about getting the most out of your GUI.
When multiple graphs are opened in the Maltego client, they will each have their own tab above the main graph window. Graphs that have not been saved yet will be displayed as New Graph (number). Once a graph is saved, the display name on the tab will change to the name under which it was saved. The graph name will be written in bold when changes have been made to a graph that have not been saved yet.
The first tab is always the Home screen that includes the Start Page and Transform Hub:
Figure 61: Tabs for each graph that is open in the Maltego client
Right-clicking on a graph’s tab will open the dropdown menu described in the image below.
Figure 62: Options for graph tabs
The Shift Left and Shift Right buttons from the drop down menu can be used to change tab ordering. The other items not described in the image above are used to make a graph tab into its own floating window however these options are rarely used.
Graph tabs can also be re-arranged by clicking and dragging the tab to another position:
Figure 63: Moving graph tabs
Navigating the display is always a matter of being able to see only what you want to see. For this reason, the Maltego client has been made very versatile and adaptable. As discussed previously, graphs are maintained in tabs which can be flipped through. The next section details some of the options available for displaying information windows. On the top right-hand side of the graph the following options are available:
Figure 64: Graph bar buttons
When there are more tabs than can be displayed, the additional tabs will not be shown. The first two buttons in the image above allow you to scroll left and right through the tabs that are not shown.
The third button in the tab bar opens a drop down that shows all the graphs that are currently open. The arrow points to the graph that is currently in view.
Figure 65: List of graphs that are currently open
The last button in the tab bar will maximize the graph window and minimize all other windows in the Maltego client as shown in the image below. Double clicking the graph tab will also maximize the graph window.
Figure 66: Graph window maximized
Clicking the button again will restore the windows to their previous state.
The layout sidebar is always found on the left-hand side of your graph window. It allows you to configure various view and layout options for your Maltego graphs. The image below provides labels for each of the items in the layout sidebar.
Figure 67: Layout sidebar with labels
1. Full screen mode - Makes your Maltego client full screen. Pressing Alt + Enter together on your keyboard will also enter full screen mode. Exit full screen mode by pressing Alt + Enter again on your keyboard. Full screen mode is shown in the image below:
Figure 68: Full screen mode with annotations
2. Lock Layout – Locks all entities that are currently on the graph from moving when transforms return. The new entities that are returned by transforms will still be laid out.
3. Full vs incremental Layouts – This option should be used during collaborative sessions when you want to preserve your graph layout.
Buttons 4 to 8 in the layout sidebar are used to determine how entities will be arranged on the graph. There are four standard layouts.
4. Block layout - In this layout nodes are shown using the following rules:
In blocks of nodes
Sorted by entity type
Sorted by entity weight
An entity’s relevance is represented by its weight. For example, entities that are returned from any of the search engine transforms will be weighted according to how relevant they are (their page rank).
The image below shows an example of block layout.
Figure 69: Block layout
5. Hierarchical layout - In hierarchical layout entities are grouped by layers that are stacked on top of each other. Think of this as a tree based layout – like a file manager.
Figure 70: Hierarchical layout
6. Circular layout - Nodes that are most central to the graph (e.g. most links) appear in the middle of circles with the other nodes scattered around it.
Figure 71: Circular layout
7. Organic layout - In organic layout nodes are packed tightly together in such a way that the distance between each entity and all the other entities is minimized. The closer the entities are to each other, the more connected they are.
Figure 72: Organic layout
8. Interactive organic – this layout is a lot like the organic layout. Entities are positioned according to how connected they are to the rest of the graph. The two differences with interactive organic are:
When new entities are returned to the graph, only entities that are closely connected to the returned entities are moved instead of the entire graph laying out again every time new results are returned. For this reason, putting a graph into interactive organic layout will improve performance when dealing with larger graphs as less layout computation is required.
Entities are not as tightly packed to each other as they are in organic layout.
The graph below shows the same graph as above, but in interactive organic layout. It can clearly be seen that the entities are less tightly packed.
Figure 73: Interactive organic layout
9. Freezing the graph – The freeze button is used when you have many nodes that are coming into the graph (e.g. running a lot of transforms on many nodes) and don’t wish for the layout to be constantly updating. By delaying the layout, the application can process transforms faster as it does not need to update the display after every transform. To unfreeze the graph simply press the same button and the graph will resume as normal.
10. Refresh graph – Enabled when your graph is frozen and new entities have been returned. Allows you to manually refresh the graph layout.
The next section in the layout sidebar is under View. Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of the data. Views can be used to determine the size and color of entities based on different properties of the graph. It is possible to write your own views, however this is beyond the scope of this document. The seven views that come with Maltego out of the box size entities according to different properties and are explained below.
11. Normal View – When you are zoomed in close to entities, the entity icon will be rendered on the graph. When you zoom out to legend view, each entity is represented by the same sized ball with a color that corresponds to the entity type. This view is the default view when you start a new graph.
Figure 74: Example graph shown in normal view
12. Diverse descent – this view is probably the most difficult to understand. With diverse descent, entities are sized according to the number of incoming links the entity has. However, incoming links with different grandparent entities are weighted higher. This is better explained with a graph.
Figure 75: Diverse descent explanation
In the image above, the IP address entities are sized differently even though they both have two incoming links. The reason for this is that the IP address on the left has two incoming links that originate from two different sources while the IP address on the right has two incoming links but they both originate from the same source. There are many cases where this view is useful. In this case, it emphasizes IP addresses that are related to different domains. The graph below shows the example graph using the diverse descent view:
Figure 76: Example graph with diverse descent view
13. Ball size by all links – Entities are sized according to the total number of links (incoming and outgoing) they have. The more links an entity has, the bigger it is sized on the graph. The graph below shows the example graph using this view:
Figure 77: Example graph with view set to ball size by total number of links
14. Ball size by incoming links - Entities are sized according to the total number of incoming links they have. The more incoming links an entity has, the bigger it is sized on the graph. The graph below shows the example graph using this view:
Figure 78: Example graph with view set to ball size by total number of INCOMING links
15. Ball size by outgoing links - Entities are sized according to the total number of outgoing links they have. The more outgoing links an entity has, the bigger it is sized on the graph. The graph below shows the example graph using this view:
Figure 79: Example graph with view set to ball size by total number of OUTGOING links
16. Ball size by rank – This will size an entity based on its own number of links plus the sum of its neighbors’ links. The graph below shows the example graph using this view:
Figure 80: Example graph with view set to ball size by rank
17. Ball size by Weight – This will size entities based on the entity’s weight. Some transforms (such as the search engine ones) return a weight field that represents the relevance of the entity. The graph below shows the results of a search engine transform. As you can see from the graph, in block layout, the entities are ordered according to their weight.
Figure 81: Graph with search engine results with view set to size by weight
18. List View – The List View can be used as an alternative to the above entity views as a way to view the graph’s information in a tabular layout. The behaviour of the List View is the same as an entity view. Items selected in the List View will appear in the Detail View. The entity selection behavior and functionality is identical between the entity view and the list view. Changing from "Entity Selection" to "Link Selection" will display all the graph links in a List View instead of the entities.
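To make the sizing rules behind views 12 to 16 concrete, here is an added Python example (not code from the Maltego client or from Paterva) that computes the all-links, incoming, outgoing, rank and diverse-descent metrics on a small constructed graph matching the Figure 75 description (two IP addresses with two incoming links each). The page gives the idea of diverse descent but not its exact formula, so the weighting used here is an assumed stand-in.

```python
"""Worked example of the entity-sizing metrics behind the Maltego views
described above (ball size by all, incoming and outgoing links, by rank,
and diverse descent).  Added example, not Paterva's code: the graph is
constructed to match the Figure 75 description, and the diverse-descent
weighting is an assumed stand-in, since the page gives the idea but not
the exact formula the client uses."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample graph as (parent, child) links: domain -> DNS name -> IP.
# 192.0.2.10 is reached from two different domains (two grandparents),
# 192.0.2.20 from two DNS names under the same domain (one grandparent).
LINKS: List[Tuple[str, str]] = [
    ("example.com", "www.example.com"),
    ("example.com", "ftp.example.com"),
    ("example.com", "ns1.example.com"),
    ("example.org", "mail.example.org"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.org", "192.0.2.10"),
    ("ftp.example.com", "192.0.2.20"),
    ("ns1.example.com", "192.0.2.20"),
]


class Graph:
    """Directed graph of entity links; parallel links between a pair collapse."""

    def __init__(self, links: Iterable[Tuple[str, str]]) -> None:
        self.out: Dict[str, Set[str]] = {}
        self.inc: Dict[str, Set[str]] = {}
        for parent, child in links:
            self.out.setdefault(parent, set()).add(child)
            self.inc.setdefault(child, set()).add(parent)
            self.out.setdefault(child, set())
            self.inc.setdefault(parent, set())

    def nodes(self) -> List[str]:
        return sorted(self.out)

    # Views 14, 15 and 13: ball size by incoming, outgoing and all links.
    def incoming(self, n: str) -> int:
        return len(self.inc[n])

    def outgoing(self, n: str) -> int:
        return len(self.out[n])

    def all_links(self, n: str) -> int:
        return self.incoming(n) + self.outgoing(n)

    # View 16: rank is the entity's own links plus the sum of its
    # neighbours' links (neighbours on either side of a link).
    def rank(self, n: str) -> int:
        neighbours = self.inc[n] | self.out[n]
        return self.all_links(n) + sum(self.all_links(m) for m in neighbours)

    # View 12: diverse descent.  Assumed stand-in weighting: each incoming
    # link counts once and every distinct grandparent adds one more, so
    # links arriving via different grandparents score higher than links
    # that all trace back to the same one.
    def diverse_descent(self, n: str) -> int:
        grandparents: Set[str] = set()
        for parent in self.inc[n]:
            grandparents |= self.inc[parent]
        return self.incoming(n) + len(grandparents)

    def sizes(self, view: str) -> Dict[str, int]:
        """Metric per node for a named view, i.e. what the view sizes balls by."""
        metric = {
            "all": self.all_links, "incoming": self.incoming,
            "outgoing": self.outgoing, "rank": self.rank,
            "diverse": self.diverse_descent,
        }[view]
        return {n: metric(n) for n in self.nodes()}


if __name__ == "__main__":
    g = Graph(LINKS)
    for view in ("all", "incoming", "rank", "diverse"):
        print(view, g.sizes(view))
```

Note that the two IP addresses tie on every view except diverse descent, which is exactly the distinction Figure 75 illustrates.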
© Copyright 2017, Paterva PTY Limited