Investigate Tab

The Investigate tab is open by default when starting a graph in Maltego 4. It provides you with numerous options to manipulate and navigate a graph. The available options are arranged in logical groups.

Figure 82: Investigate tab


Figure 83: Clipboard tools on the investigate tab

The clipboard tool provides the following intuitive functionality:

  • Paste - To paste nodes that have been cut or copied.

  • Clear All - Clear the entire contents of the graph.

  • Copy - To copy selected nodes.

  • Cut - Cut selected nodes.

  • Delete - Delete selected nodes.


Selecting a portion of your graph and selecting the Copy drop-down will provide the options shown below:

Figure 84: Copying options

  • Copy (as GraphML) - this will copy your graph to your system clipboard in an XML-based format. This format will include information about the entities and the links between the entities in your selection.

  • Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.

  • Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.

  • Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.

If you choose the last option in the list, To New Graph, you will get another set of options to choose from, shown below:

Figure 85: Copying to new graph

You can decide if you want the subgraph or just the entities that are selected (Copy With Links vs. Copy Without Links). Another option is Copy With Neighbors. This allows you to easily focus on the part of the graph that is interesting by isolating the nodes around the node of interest. There are three subcategories:

Any will select, copy and paste child and parent nodes to a new graph, Children will only select child nodes and Parents will only select parent nodes. The numeric field indicates how many levels should be selected. Let’s assume we want all the parents and children of the IP address selected in the example above. We’ll use Any and the number 1. This will result in a new graph that looks as follows:

Figure 86: Result of copy
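The Any, Children and Parents options with a level count behave like a depth-limited walk over the links of the graph. The Python model below is an added example, not Maltego code: the sample graph and its entity values are constructed, and it assumes that Any follows links in both directions at every level and that Copy With Links keeps every link whose two ends are both copied.

```python
from collections import deque

# Constructed sample graph as (parent, child) pairs: link direction is source -> target.
LINKS = [
    ("example.com", "www.example.com"),
    ("example.com", "mail.example.com"),
    ("www.example.com", "192.0.2.10"),
    ("mail.example.com", "192.0.2.10"),
    ("192.0.2.10", "192.0.2.0/24"),
    ("192.0.2.0/24", "AS64500"),
]

def build_index(links):
    """Index the links so children and parents of a node can be looked up."""
    children, parents = {}, {}
    for src, dst in links:
        children.setdefault(src, set()).add(dst)
        parents.setdefault(dst, set()).add(src)
    return children, parents

def with_neighbors(links, selected, mode="any", levels=1):
    """Return the selected nodes plus their neighbors up to `levels` hops away.

    mode: 'any' (parents and children), 'children' or 'parents'.
    """
    if mode not in ("any", "children", "parents"):
        raise ValueError(f"unknown mode {mode!r}")
    children, parents = build_index(links)

    def step(node):
        found = set()
        if mode in ("any", "children"):
            found |= children.get(node, set())
        if mode in ("any", "parents"):
            found |= parents.get(node, set())
        return found

    seen = set(selected)
    queue = deque((node, 0) for node in selected)
    while queue:
        node, depth = queue.popleft()
        if depth == levels:          # level limit reached, do not expand further
            continue
        for nxt in step(node) - seen:
            seen.add(nxt)
            queue.append((nxt, depth + 1))
    return seen

def induced_links(links, nodes):
    """Links a copy 'with links' would keep: both ends are in the copied set."""
    return [(src, dst) for src, dst in links if src in nodes and dst in nodes]
```

With the IP address selected, Any and 1 level returns the address, the two DNS names above it and the netblock below it, which is the same shape as the case described in the text.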

Copy from the Action bar

From the action bar in the context menu there are also options for copying portions of your graph in different formats. The button on the far left of the action bar (shown below) is a shortcut to copy your current graph selection to a new graph.

Figure 87: Copy to new graph

The action bar also has options for copying your selection to your system clipboard in different formats, like you can do from the ribbon menu:

Figure 88: Copy selection to clipboard

Copying from the detail view

The Detail View on the right-hand side of your Maltego client lists information about the entities that are currently in your selection.

Figure 89: Detail View

You can copy this information out of Maltego as a comma separated list by selecting the entities from the list and then pressing Ctrl + C or right-clicking on them to open the context menu. To select entities from the list you can:

  • Click on them individually,

  • hold down Ctrl and click on each entity to select multiple entities one at a time,

  • or hold Shift and click to select multiple entities sequentially.

Pasting your selection into a text editor will result in a CSV as shown in the image below:

Figure 90: CSV copied from the Detail View

Pasting onto a graph

When you paste text onto a graph, Maltego tries to identify the type of entity that is pasted from text. Consider the following example:

Figure 91: Text to be copied from a text editor

Copying and pasting all the above text into Maltego leads to the following entities:

Figure 92: Result of copy from text

Note that the URL entity type displays the title of the URL, not the entire URL (but the entity will work as expected, as the full URL is stored as an entity property).

Keep in mind that Maltego will fail to recognize complex entities in some cases (think phone numbers in unusual formats!). In these cases, you might want to tell Maltego what the entity type is. This can be done by prepending the entity value with the entity type. Consider the following text:

Figure 93: Text to be copied

When the above is selected and pasted, it results in the following graph:

Figure 94: Forcing entity type to phrase

Entity types (i.e. what’s inserted before the #) can be obtained by dragging an entity to the graph and looking in the Detail View at the entity type description (highlighted in orange below):

Figure 95: Finding an entity type
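The list formats offered by the Copy drop-down and the type prefix used when pasting rely on the same `#` separator. The Python sketch below is an added example, not part of Maltego: it parses a copied ‘type#value#weight’ list and writes ‘type#value’ lines for pasting with the entity type forced. The sample lines are constructed, and treating the weight as an integer after the last `#` is an assumption made so that values which themselves contain `#` survive.

```python
from typing import NamedTuple, Optional

class Entity(NamedTuple):
    type: Optional[str]    # text before the first '#'; None for a bare value
    value: str
    weight: Optional[int]  # only present in the 'type#value#weight' format

# Constructed sample of a copied 'type#value#weight' list (not real data).
SAMPLE = """\
maltego.IPv4Address#192.0.2.10#100
maltego.Domain#example.com#100
maltego.URL#https://example.com/docs#intro#87
maltego.Phrase#+1 (555) 0100 ext. 4#100
"""

def parse_line(line, fmt):
    """Parse one line; fmt is 'value', 'type#value' or 'type#value#weight'."""
    line = line.strip()
    if fmt == "value":
        return Entity(None, line, None)
    etype, sep, rest = line.partition("#")
    if not (sep and etype and rest):
        raise ValueError(f"no type prefix in {line!r}")
    if fmt == "type#value":
        return Entity(etype, rest, None)
    if fmt != "type#value#weight":
        raise ValueError(f"unknown format {fmt!r}")
    # Assumption: the weight is the integer after the LAST '#', so a value
    # that contains '#' itself (such as a URL fragment) is kept whole.
    value, sep, weight = rest.rpartition("#")
    if not (sep and value and weight.isdigit()):
        raise ValueError(f"no numeric weight in {line!r}")
    return Entity(etype, value, int(weight))

def parse_list(text, fmt):
    """Parse a whole clipboard list, skipping blank lines."""
    return [parse_line(l, fmt) for l in text.splitlines() if l.strip()]

def to_paste_text(entities, default_type=None):
    """Build 'type#value' lines so the entity type is forced on paste."""
    lines = []
    for ent in entities:
        etype = ent.type or default_type
        # Without any type the bare value is emitted and Maltego has to guess.
        lines.append(f"{etype}#{ent.value}" if etype else ent.value)
    return "\n".join(lines)
```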

Transform slider

Figure 96: Selecting the number of transform results.

The transform results slider is used to set the number of results returned when a transform is run. The values that the transform slider can be set to differ between the versions of the Maltego client as follows:

  • Maltego CE: 12

  • Maltego Classic: 12, 50, 255, 10k

  • Maltego XL: 12, 255, 4k, 64k

The transform slider (i.e. the max number of results that can be returned to the Maltego client from a single transform) is one of the main differentiating factors between the different Maltego clients.

When set to the far left, Maltego will only show the top 12 results based on weight. One needs to understand the implications of these settings. Many transforms have no concept of weight. In fact, only search engine transforms use weight as an indication of relevance. Think about the reverse DNS results for a class C network – it can potentially return 255 results – each of them with a weight value of 100 (the default value), as no one DNS entry is more important than the other. Setting the slider to 12 results will only show the first 12 results – useful for simply getting an idea of what is in the network, but useless for enumerating ALL the reverse DNS information of the block. In the same way, setting the slider to 255 results for a search engine transform (e.g. looking for someone specific but who has a very common name) is not clever, as you will be flooded with results. You must be careful to understand how the slider works and spend time experimenting with it.

Take Note. When you do not see the number of results that you expected to see, check how many results the transform result selector is set to return.


Figure 97: Find tool from the Investigate tab

From the find options in Maltego, you can search your current graph as well as saved graphs stored on your machine.

Quick find

The Quick Find option on the Investigate tab is a very handy tool to find something specific in a very large graph. The following toolbar will open at the bottom of your graph (the find toolbar can also be opened by pressing Ctrl + F):


Figure 98: The Find Toolbar at the bottom of a graph

You can now enter a search term, select the specific entity type or specify All (the whole graph) and you have the option to search all the Properties, Notes and Detail View. Once you click the Find button, the relevant entities will be highlighted in the graph and the search hits will be listed in the Detail View. If you check the Zoom checkbox, then your graph will zoom to your results that match your search criteria.

Find in files

Find in Files does exactly what the title suggests: it allows you to perform text searches on multiple Maltego graphs that are saved in a specified folder on your machine.

Clicking the Find in Files button opens the window shown below:

Figure 99: Find in files

Under the Where field you can specify the folder that you wish to search. This folder must include .mtgl and/or .mtgx graph files. The Browse button can be used to open a directory window where you can find the folder you wish to search. If the folder that you choose has multiple sub-directories that you also wish to search, then you must check the Recursive checkbox.

The Find input field allows you to specify your search term. The Case Sensitive checkbox can be used to choose whether the search should be case sensitive or not.

The options from the Graph items field will allow you to choose whether to search entities and/or links. It also allows you to limit your search to a specific entity type from the drop down menu.

Finally, the Search in field allows you to choose which of the entity's text fields should be searched.

Entity selection

The entity selection panel has various options allowing you to manipulate the graph selection.


Figure 100: Entity selection panel from the investigate tab

Maltego can operate in two different modes – Link Selection mode, or Entity Selection mode. The default mode is Entity Selection mode. To switch between modes, you can press Ctrl + M or click on the mode selection icon at the top (this icon indicates the current mode):

Figure 101: Entity and Links selection buttons

To quickly switch between the two, you can also press and hold the Ctrl key on your keyboard while dragging or selecting.

In Link Selection mode, you will be selecting links. Dragging a box around links will select multiple links:

Figure 102: Selecting Links

The selection in the image above will result in the selection below:

Figure 103: Links selected

Link Selection mode is enabled in the image above, and you will notice that the selected links are highlighted in yellow.

Links can also be selected by selecting nodes (in Entity Selection mode) and then switching to Link Selection mode.

Manual links can be established by left-clicking and holding on an unselected source entity, then dragging a link to the target entity. This action is shown in the image below:

Figure 104: Manually creating a link

Once you release left-click on the target entity, a link properties menu will appear that allows you to specify properties for the link.

Figure 105: Entity properties

The properties settings shown in the image above will result in the link below being created:

Figure 106: Manual link with custom properties

The label of the link is displayed on the link on your graph. Link labels can be set to be visible or invisible. When working with a large graph you might not want to show all the transform link labels, as things get confusing quickly if you have a lot of link labels. By default, transform link labels are set to be invisible in global settings.

When a link is selected the Property View and Detail View will display additional information about the link. Link properties that are created by a transform cannot be edited by the user, however, links that are created manually by the user can be edited.

Figure 107: Link details and property view

In the Detail View, in the image above, it is shown that the link was manually created and it specifies the two entities that the link is between.

Remember: The Detail View displays read-only information about the selection while Property View shows properties that can be edited by the user.

The Property View for the link shows the properties that were set at the time that the link was created. Each of these properties can be edited from the Property View window.

To set the properties of multiple links at once do the following:

  • Select the links.

  • Set the properties of the links in the Property View (highlighted in the screenshot below):

Figure : Properties of Multiple links being edited

From the Property View the style, thickness and color can also be configured. Link labels can be set to be visible or not – independent of the global settings. This is done by selecting the link/links and changing the Show Label field.

The Details window for a link can be opened by double-clicking on the entity link just as the Detail window is opened for an entity.

Figure : Details Window for a Link

Link properties can also be edited from the Details window for the link in the second tab.

Figure : Properties tab in Details Window for a Link

Entity Selection Shortcuts

The remaining buttons in the entity selection panel provide shortcuts for manipulating your entity selection and will be outlined in the upcoming sections.

Select all and Select none

Figure 111: Select all and select none

Select All and Select None do what their names suggest: respectively, they select all entities on your graph and de-select all entities on your graph.

The keyboard shortcut for selecting all entities on your graph is Ctrl + A.

Invert selection

Figure 112: Invert entity selection

Inverting the entity selection will de-select all currently selected entities and select all currently de-selected entities. Clicking the Invert Selection button with the graph below:

Figure 113: Before inverting entity selection

will result in the graph below:

Figure 114: Selection after Inverting the selection

Add Parents

Figure 115: Add Parents to selection

You can select a child node and press Control + Shift + Up arrow to select the parents while keeping the children in the selection. This is useful for selecting a family tree, but from a child node’s perspective.

Figure 116: Add parents

Add Children

Figure 117: Add Children to selection

Select child nodes while keeping parents selected.

Figure 118: Add children

Add Similar siblings

Figure 119: Add Similar Siblings

Add Similar Siblings will add all entities to your selection that have the same parent entities and are of the same entity type.

Figure 120: Add similar siblings

Add Neighbors

Figure 121: Add Neighbors to selection

Add Neighbors will keep the present nodes selected and select the nodes directly adjacent to the present node as well.

Figure 122: Add Neighbors

Add Path

Figure 123: Add Path between two selected entities

The Add Path selection shortcut is most useful. It selects the nodes in the path between multiple nodes (this function is disabled unless multiple nodes are selected). This is best shown with an example. Let’s assume the following nodes are selected:

Figure 124: Selecting two entities from the graph

On a complicated graph, such as the one above, it would be quite difficult to find all the entities that connect the person and the email address. Clicking the Add Path button selects all the entities that connect the two selected entities together, as shown in the next image. (The Detail View shows all selected entities.)

Figure 125: Clicking add path selects all entities connecting the initial two

Copying the selection to a new graph shows how this person and email address are connected:

Figure 126: Copied selection to a new graph

Add Path - Another example

The example below (with a simpler graph) will demonstrate how entity links can also be added to the selection between two entities using the Add Path function. The selected links will then be edited to change their properties to highlight the path between the two originally selected entities.

Figure 127: Select two entities

When these nodes are selected and the Add Path button is clicked, the following nodes will be selected (those along the path):

Figure 128: Path selected

If the above graph is switched to Link Selection mode, the links between the highlighted entities are selected:

Figure 129: Links of path selected

They can now be edited. Let’s assume we want to mark the path between the entities with a thick, dotted red line:

Figure 130: Properties of path links changed

The Property View for these links ends up looking like this:

Figure 131: Link property view

Select Parents

Figure 132: Select Parent entities

You can select a parent of a node (i.e. the source of the selected node). This is useful to get to the original source of a child node. You can also do this by selecting the node and pressing Ctrl + Up arrow.

Figure 133: Select parents

Select Children

Figure 134: Select Parent entities

It is very useful to be able to select the children of a node (i.e. all the nodes that were created from the node). You can also do this by selecting the parent and pressing Ctrl + Down arrow.

Figure 135: Select Children

Select Neighbors

Figure 136: Select Neighbors

Select Neighbors will select the nodes directly adjacent to the present selected node (incoming and outgoing nodes).

Figure 137: Select neighbors

Select Bookmarked

Select Bookmarked allows you to select bookmarked entities by the different colors.

Figure 138: Select Bookmarked

Select by Type

Figure 139: Select by Type dropdown menu

Select by Type is very useful when you want to select all the entities on your graph of a certain type. Clicking the dropdown will show you all the entity types that are currently on your graph, from which you can choose the type to select.

Figure 140: Select by type

Figure 141: Select Links dropdown

Select Links has three options in the dropdown menu. Each of the options helps select links related to entities that are currently in the selection.

Select links – (Ctrl + L): Selects incoming and outgoing links for currently selected entities.

Figure 142: Select links – outgoing and incoming

Select Links – Outgoing (Ctrl + End): Selects outgoing links for currently selected entities.

Figure 143: Select links - outgoing

Select Links – Incoming (Ctrl + Home): Selects incoming links for currently selected entities.

Figure 144: Select links - incoming

Figure 145: Reverse Links

Reverse Links: reverses the direction of a selected link (manually created links only). The button will only become enabled when a link is selected.

Figure 146: Reverse links

Added in Maltego 4.0.15 - Selecting leaf nodes

Selects all the nodes on the graph that have no outgoing links.


The zoom tools under the Investigate tab include a range of shortcuts for zooming to different areas of a graph. The following sections will cover these zooming shortcuts.

Figure 147: Zoom Tools on the investigate tab

Zoom In and Out

Use the scroll wheel of the mouse to zoom in and out of the graph.

Figure 148: Zooming with mouse scroll wheel

If you are using a notebook without a mouse (not recommended) you can use the buttons on the Investigate tab of the GUI. The Zoom In and Zoom Out buttons can be used in place of the scroll wheel on the mouse to navigate in and out of a graph:

Figure 149: Zoom in and out

Zoom to Fit

The Zoom to Fit button is a handy way to quickly center the view and fit the full graph on screen (Ctrl + Q on the keyboard).

Figure 150: Zoom to fit

Figure 151: Zoom to fit

Zoom 100%

Figure 152: Zoom 100%

Zoom 100% will zoom to a 100% zoom level on the graph. The current zoom level of a graph is shown in the top right-hand corner of the graph:

Figure 153: Zoom level (%)

Zoom to (%)

Figure 154: Zoom to (%)

Zoom To (%) has a dropdown menu that allows for the selection of the zoom level as a percentage.

Zoom Selection

Figure 155: Zoom to selection

Zoom Selection allows you to select a portion of the graph using normal selection techniques and then quickly zoom to the area. This can be done by clicking on the Zoom Selection button, or by pressing Ctrl + W.

Figure 156: Zoom to selection

