The Investigate tab is open by default when starting a graph in Maltego 4. It provides you with numerous options to manipulate and navigate a graph. The options available are grouped in logical groups.
Figure 82: Investigate tab
Figure 83: Clipboard tools on the investigate tab
The clipboard tool provides the following intuitive functionality:
Paste - To paste nodes that have been cut or copied.
Clear All - Clear the entire contents of the graph.
Copy - To copy selected nodes.
Cut - Cut selected nodes.
Delete - Delete selected nodes.
Selecting a portion of your graph and selecting the Copy drop-down will provide the options shown below:
Figure 84: Copying options
Copy (as GraphML) - this will copy your graph to your system clipboard as an XML based format. This format will include information about the entities and the links between the entities in your selection.
Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.
Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.
Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.
If you choose the last option in the list, To New Graph, you will get another set of options to choose from shown below:
Figure 85: Copying to new graph
You can decide if you want the sub graph or just the entities that are selected (Copy With Links vs. Copy Without Links). Another option is Copy With Neighbors. This allows you to easily focus on the part of the graph that is interesting – by isolating nodes around the node of interest. There are three sub categories:
Any will select, copy and paste child and parent nodes to a new graph, Children will only select child nodes and Parents will only select parent nodes. The numeric field indicated how many levels should be selected. Let’s assume we want all the parents and children of the IP number selected in the example above. We’ll use Any and the number 1. This will result in a new graph that looks as follows:
Figure 86: Result of copy
From the action bar in the context menu there are also options for copying portions of your graph in different formats. The button on the far left of the action bar (shown below) is a shortcut to copy your current graph selection to a new graph.
Figure 87: Copy to new graph
The action bar also has options for copying your selection to your system clipboard in different formats, like you can do from the ribbon menu:
Figure 88: Copy selection to clipboard
The Detail View on the right-hand side of your Maltego client lists information about the entities that are currently in your selection.
Figure 89: Detail View
You can copy this information out of Maltego as a comma separated list by selecting the entities from the list and then pressing Ctrl + C or right-clicking on them to open the context menu. To select entities from the list you can:
Click on them individually,
hold down Ctrl and click on each entity to select multiple entities one at a time,
or hold Shift and click to select multiple entities sequentially.
Pasting your selection into a text editor will result in a CSV as shown in the image below:
Figure 90: CSV copied from the Detail View
When you paste text onto a graph, Maltego tries to identify the type of entity that is pasted from text. Consider the following example:
Figure 91: Text to be copied from a text editor
Copying and pasting all the above text into Maltego leads to the following entities:
Figure 92: Result of copy from text
Note that the URL entity type displays the title of the URL not the entire URL (but the entity will work as expected as the full URL is stored as an entity property).
Keep in mind that Maltego will fail at recognition of complex entities in some cases (think phone numbers in unusual formats!) In these cases, you might want to tell Maltego what the entity type is. This can be done by prepending the entity value with the entity type. Consider the following text:
Figure 93: Text to be copied
When the above is selected, and pasted it results in the following graph:
Figure 94: Forcing entity type to phrase
Entity types (e.g. what’s inserted before the #) can be obtained by dragging an entity to the graph and looking in the Detail View at the entity type description (highlighted in orange below):
Figure 95: Finding an entity type
Figure 96: Selecting the number of transform results.
The transform results slider is used to set the number of results returned when a transform is run. The numbers that the transform slider can be set to differs between the different versions of the of the Maltego client as follows:
Maltego CE 12
Maltego Classic 12, 50, 255, 10k
Maltego XL 12, 255, 4k, 64k
The transform slider (i.e. the max number of results that can be returned to the Maltego client from a single transform) is one of the main differentiating factors between the different Maltego clients.
When set to the very left, Maltego will only show the top 12 results based on weight. One needs to understand the implications of these settings. Many transforms have no concept of weight. In fact, only search engine transforms uses weight as an indication of relevance. Think about the reverse DNS results for a class C network – it can potentially return 255 results – each of them with a weight value of 100 (the default value), as no one DNS entry is more important than the other. Setting the slider to 12 results will only show the first 12 results – useful for simply getting an idea of what in the network, but useless for enumerating ALL the reverse DNS information of the block. In the same way setting the slider to 255 results for a search engine transform (e.g. looking for someone specific but who has a very common name) is not clever as you will be flooded with results. You must be careful to understand how the slider works and spend time experimenting with it.
Take Note. When you do not see the amount of results that you expected to see, check how many results the transform result selector is set to return.
Figure 97: Find tool in form the investigate tab
From the find options in Maltego, you can search your current graph as well as saved graphs stored on your machine.
The Quick Find option on the investigate tab is a very handy tool to find something specific in a very large graph. The following toolbar will open at the bottom of your graph (the find toolbar can also be opened by clicking Ctrl + F:
Figure 98: The Find Toolbar at the bottom of a graph
You can now enter a search term, select the specific entity type or specify All (the whole graph) and you have the option to search all the Properties, Notes and Detail View. Once you click the Find button, the relevant entities will be highlighted in the graph and the search hits will be listed in the Detail View. If you check the Zoom checkbox, then your graph will zoom to your results that match your search criteria.
Find in Files does exactly what the title suggests, it allows you to perform text searches on multiple Maltego graphs that are saved in a specified folder on your machine.
Clicking the Find in Files button open the window shown below:
Figure 99: Find in files
Under the Where field you can specify the folder that you wish to search. This folder must include .mtgl and/or .mtgx graph files. The Browse button can be used to open a directory window where you can find the folder you wish to search. If the folder that you choose has multiple sub-directories that you also wish to search, then you must check the Recursive checkbox.
The Find input field allows you to specify your search term. The Case Sensitive checkbox can be used to choose whether the search should be case sensitive or not.
The options from the Graph items field will allow you to choose whether to search entities and/or links. It also allows you to limit your search to a specific entity type from the drop down menu.
Finally, the Search in field allows you to choose which of the entities text fields should be searched in.
The entity selection panel has various options allowing you to manipulate the graph selection.
Figure 100: Entity selection panel from the investigate tab
Maltego can operate in two different modes – Link Selection mode, or Entity Selection mode. The default mode is Entity Selection mode. To switch between modes, you can press Ctrl + M or click on the mode selection icon at the top (this icon indicates the current mode):
Figure 101: Entity and Links selection buttons
To quickly switch between the two, you can also press and hold the Ctrl key on your keyboard while dragging or selecting.
In Link Selection mode, you will be selecting links. Dragging a box around links will select multiple links:
Figure 102: Selecting Links
The selection in the image above will result in the selection below:
Figure 103: Links selected
Link Selection mode is enabled in the image above, you will notice the selected links are highlighted yellow.
Links can also be selected by selecting nodes (in Entity Selection mode) and then switching to Link Selection mode.
Manual links can be established by left-clicking and holding on an unselected source entity, then dragging a link to target entity. This action is shown in the image below:
Figure 104: Manually creating a link
Once you release left-click on the target entity, a link properties menu will appear that allows you to specify properties for the link.
Figure 105: Entity properties
The properties settings shown in the image above will result in the link below being created:
Figure 106: Manual link with custom properties
The label of the link is displayed on the link on your graph. Link labels can be set to be visible or invisible. When working with a large graph you might not want to show all the transform link labels, as things get confusing quick if you have a lot of link labels. By default, transform link labels are set to be invisible in global settings.
When a link is selected the Property View and Detail View will display additional information about the link. Link properties that are created by a transform cannot be edited by the user, however, links that are created manually by the user can be edited.
Figure 107: Link details and property view
In the Detail View, in the image above, it is shown that the link was manually created and it specifies the two entities that the link is between.
Remember: The Detail View displays read-only information about the selection while Property View shows properties that can be edited by the user.
The Property View for the link shows the properties that were set at the time that the link was created. Each of these properties can be edited from the Property View window.
To set the properties of multiple links at once do the following:
Select the links.
Set the properties of the links in the Property View (highlighted in the screenshot below):
Figure : Properties of Multiple links being edited
From the Property View the style, thickness and color can also be configured. Link labels can be set to be visible or not – independent of the global settings. This is done by selecting the link/links and changing the Show Label field.
The Details window for a link can be opened by double-clicking on the entity link just as the Detail window is opened for an entity.
Figure : Details Window for a Link
Link properties can also be edited from the Details window for the link in the second tab.
Figure : Properties tab in Details Window for a Link
The remaining buttons in the entity selection panel provide shortcuts for manipulating your entity selection and will be outlined in the upcoming sections.
Figure 111: Select all and select none
Select All and Select None will do what their names suggest, respectively they will select all entities on your graph and de-select all entities on your graph.
The keyboard shortcut for selecting all entities on your graph is Ctrl + A:
<embed src="/media/user_guide_img/image114.png" width="99"/>
Figure 112: Invert entity selection
Inverting the entity selection will de-select all currently selected entities and select all currently de-selected entities. Clicking the Invert Selection button with the graph below:
Figure 113: Before inverting entity selection
Will result in the graph below:
Figure 114: Selection after Inverting the selection
Figure 115: Add Parents to selection
You can select a child node and press Control + Shift + Up arrow to select the parents while keeping the children in the selection. This is useful for selecting a family tree, but from a child node’s perspective.
Figure 116: Add parents
Figure 117: Add Children to selection
Select child nodes while keeping parents selected.
Figure 118: Add children
Figure 119: Add Similar Siblings
Add Similar Siblings will add all entities to your selected that have the same parent entities and are of the same entity type.
Figure 120: Add similar siblings
Figure 121: Add Neighbors to selection
Add Neighbors will keep the present nodes selected and select the nodes directly adjacent to the present node as well.
Figure 122: Add Neighbors
Figure 123: Add Path between two selected entities
The Add Path selection shortcut is most useful. It selects the nodes in the path between multiple nodes (this function is disabled unless multiple nodes are selected). This is best shown with an example. Let’s assume the following nodes are selected:
Figure 124: Selecting two entities from the graph
On a complicated graph, such as the one above, it would be quite difficult to find all the entity that connect the person and the email address. Clicking the Add Path button selects all the entities that connect the two selected entities together as shown in the next image. (The Detail View shows all selected entities).
Figure 125: Clicking add path selects all entities connecting the initial two
Copying the selection to a new graph shows how this person and email address is connected:
Figure 126: Copied selection to a new graph
The example below (with a simpler graph) will demonstrate how entity links can also be added to the selection between two entities using Add Path function. The selected links will then be edited to change their properties to highlight the path between the two originally selected entities.
Figure 127: Select two entities
When these nodes are selected and the Add path button is clicked the following nodes will be selected (those along the path):
Figure 128: Path selected
If the above graph is switched to Link Selection mode, the links between the highlighted entities are selected:
Figure 129: Links of path selected
They can now be edited. Let’s assume we want to mark the path between the entities with a thick, dotted red line:
Figure 130: Properties of path links changed
The Property View for these links ends up looking like this:
Figure 131: Link property view
Figure 132: Select Parent entities
You can select a parent of a node (e.g. the source of the selected node). This is useful to get to the original source of a child node. You can also select the node and pressing Ctrl + Up arrow.
Figure 133: Select parents
Figure 134: Select Parent entities
It is very useful to be able to select the children of a node (e.g. all the nodes that were created from the node). You can also do this by selecting the parent and pressing Ctrl + Down arrow.
Figure 135: Select Children
Figure 136: Select Neighbors
Select Neighbors will select the nodes directly adjacent to the present selected node (incoming and outgoing nodes).
Figure 137: Select neighbors
Select Bookmarked allows you to select bookmarked entities by the different colors.
Figure 138: Select Bookmarked
Figure 139: Select by Type dropdown menu
Select by Type is very useful when want to select all the entities on your graph of a certain type. Clicking the dropdown will show you all the entity types that are currently on your graph which you can choose from to select.
Figure 140: Select by type
Figure 141: Select Links dropdown
Select Links has three options in the dropdown menu. Each of the options help select links related to entities that are current in the selection.
Select links – (Ctrl + L): Selects incoming and outgoing links for currently selected entities.
Figure 142: Select links – outgoing and incoming
Select Links – Outgoing (Ctrl + End): Selects outgoing links for currently selected entities.
Figure 143: Select links - outgoing
Select Links – Incoming (Ctrl + Home): Selects incoming links for currently selected entities.
Figure 144: Select links - incoming
Figure 145: Reverse Links
Reverse Links: reverses the direction of a selected link (manually created links only). The button will only become when a link is selected.
Figure 146: Reverse links
Selects all the nodes on the graph that have no outgoing nodes.
The zoom tools under the Investigate tab includes a range of shortcuts for zooming to different areas of a graph. The following sections will cover these zooming shortcuts.
Figure 147: Zoom Tools on the investigate tab
Use the scroll wheel of the mouse to zoom in and out of the graph.
Figure 148: Zooming with mouse scroll wheel
If you are using a notebook without a mouse (not recommended) you can use the buttons on the Investigate tab of the GUI. The Zoom In and Zoom Out buttons can be used in place of the scroll wheel on the mouse to navigate in and out of a graph:
Figure 149: Zoom in and out
The Zoom to Fit button is very handy to quickly center graphs to zoom around the full graph (Ctrl + Q on the keyboard).
Figure 150: Zoom to fit
Figure 151: Zoom to fit
Figure 152: Zoom 100%
Zoom 100% will zoom to a 100% zoom level on the graph. The current zoom level of a graph is shown in top right-hand corner of the graph:
Figure 153: Zoom level (%)
Figure 154: Zoom to (%)
Zoom To (%) has a dropdown menu that allows for the selection of the zoom level as a percentage.
Figure 155: Zoom to selection
Zoom Selection allows you to select a portion of the graph using normal selection techniques and then quickly zoom to the area. This can be done by clicking on the Zoom Selection button, or by pressing Ctrl + W.
Figure 156: Zoom to selection
© Copyright 2017, Paterva PTY Limited