As paper trails have gone digital, investigating persons of interest has become a complicated game of cat and mouse. Navigating such a digital landscape can be a challenging task for both law enforcement agencies and investigators. At the same time, it is becoming easier and easier for criminals and attackers to hide behind fake online identities. With Maltego, researchers can quickly connect seemingly disparate traces and build a complete map of a target’s digital footprint. Integrated with a variety of OSINT, social intelligence and identity data sources, Maltego is a convenient tool for quickly acquiring and analyzing the digital presence of a person of interest. The Social Links product is under active development: its architecture is open to new modules, rules and integrations with APIs, databases, web services and information processing systems, and new functions and data sources are added to the existing set all the time.
Social Links works with social network data: links, photos, videos, geotags, messages, comments, reposts, friend and subscriber lists. In the Social Links graphical interface you can select information sources, filter search results, weight the most important factors and adjust the depth of the search. The system can also display relationships between websites, domains, services, network ranges and IP addresses in several modes. (A very useful thing.)
First, a short tour of how it works. Social Links exposes its data to Maltego as a set of Transforms, which let you find information about people, companies, events and more.
According to the company’s official website:
With this extension for Maltego (the commercial version itself), you can search for information in more than 50 social networks, databases and Dark Net sources. More than 700 methods of information search are available to you, enhanced by the capabilities of visual recognition of people and georeferenced search.
That is, the add-on covers the “territory” of social networks such as Facebook, Instagram, LinkedIn, Twitter, Skype, VKontakte, Odnoklassniki and YouTube, and even extends to messengers (e.g. Telegram, Signal). In addition:
Dark Net search covers more than 30 forums, with no registration required;
Open access databases: Companies House, Companies OC, Google Companies, OCCRP, Offshores;
Integration with various APIs of other search engines is available: Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye, etc.
In addition to all of the above, we also get access to the Social Links company’s own database, which apparently already amounts to about 7 TB of information collected from open sources (e-mail addresses, phone numbers, addresses and attendance data, but, unfortunately, without passwords. So far). I will test the functionality myself, since there were no other volunteers. Being as paranoid as I am, I will black out some of my personal information.
MALTEGO and all of its add-ons are NOT A MAGIC BUTTON that you click to get everything about a person, system or company. This tool, like any other, is effective only in the hands of someone who knows at least the basics of OSINT and open-source data analysis. If it seems that all the information will be in the palm of your hand after one click, forget it.
To begin with, let’s see what Social Links can show if we only know a person’s e-mail address, and whether that alone is enough to find them on Facebook. Of course, my profile could not be found by e-mail alone. That is understandable: my e-mail address is hidden by Facebook’s privacy settings.
Anyone who has done OSINT more than once will agree with me that looking for information on a person who has followed basic digital hygiene for at least a few years is a different matter altogether. But, as they say, the higher the complexity, the greater the interest. The first result came from the Transform that converts an e-mail address into a Skype profile. A 100% hit: the Skype account is mine.
Now let’s try to download the maximum amount of information from the Skype profile. With the help of 3 Transforms, we converted the information from the Skype profile into Entities, with which we can now work further. We can also view all information about the profile on the Properties tab in the Entity properties.
The second “half-hit” came from the Transform that checks for the presence of a user on Twitter. As far as I understood, the data here is collected through the password recovery page. As a result, Twitter gave away that I do have an account there, and also showed the last two digits of my phone number. Not a lot, but still a plus. (This is a classic account-enumeration channel: a recovery flow that confirms an account exists and leaks even a masked hint about the phone number or e-mail is exactly what such flows are supposed to avoid, and it is worth checking your own services for the same behaviour.)
And then my attention was drawn to the Entity of the Alias type. All people are lazy to one degree or another, and in this case I was no exception. As many of you have already guessed, an Alias is a nickname, or, in the case of Facebook, a profile ID.
By running Transform – [Facebook] Get Profile, Maltego found my Facebook profile.
For those who did not follow what happened, I will explain: my Skype name and my Facebook ID are the same. This is one of the basic OSINT techniques: given a probable nickname, or a list of nicknames associated with a person, you check all the popular services for users with the same nickname. With a high probability you will find matches and, as a result, the user’s profiles on various social networks. The caveat is that a matching handle is evidence, not proof: common nicknames collide, so each match still has to be confirmed against other details (photo, location, friends, activity dates).
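The nickname-reuse check described above, as an added example that is not part of the original article and not Social Links code. It correlates one seed handle (here a Skype name with the `live:` prefix) against per-service username lists, normalising the spelling differences a lazy user typically introduces (case, dots, underscores, hyphens), and distinguishes exact matches from “loose” matches where only the letters agree and the trailing digits differ. The service user lists are constructed sample data; in practice each list would come from a Transform or a username-check tool.

```python
"""Correlate one nickname across services, offline demo (added example, not from the article)."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample data: usernames as each service exposes them.
SERVICE_USERS: dict[str, list[str]] = {
    "skype":     ["live:j.smith_84", "olga.b", "dmitry_k"],
    "facebook":  ["j.smith.84", "olgabuzova", "someone.else"],
    "twitter":   ["jsmith84", "OlgaBuzova", "random_user"],
    "instagram": ["j_smith_84", "buzova86", "dmitry.k"],
    "github":    ["jsmith", "dk"],
}

SEPARATORS = re.compile(r"[._\-]")
TRAILING_DIGITS = re.compile(r"\d+$")


def normalize(handle: str) -> str:
    """Canonical form used for matching: lower-case, strip Skype's 'live:' prefix, drop separators."""
    h = handle.strip().lower()
    if h.startswith("live:"):
        h = h[len("live:"):]
    return SEPARATORS.sub("", h)


def correlate(handle: str, services: dict[str, list[str]] = SERVICE_USERS) -> dict[str, list[tuple[str, str]]]:
    """Return {service: [(username, match_kind), ...]} for usernames that match the seed handle.

    match_kind is 'exact' when the normalised forms are identical and 'loose' when only the
    digit-stripped core matches (weaker evidence that needs manual confirmation).
    """
    seed_exact = normalize(handle)
    seed_loose = TRAILING_DIGITS.sub("", seed_exact)
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for service, users in services.items():
        for user in users:
            n = normalize(user)
            if n == seed_exact:
                hits[service].append((user, "exact"))
            elif seed_loose and TRAILING_DIGITS.sub("", n) == seed_loose:
                hits[service].append((user, "loose"))
    return dict(hits)


def summarize(handle: str, services: dict[str, list[str]] = SERVICE_USERS) -> tuple[int, int]:
    """(number of services with an exact hit, number with only loose hits) for a quick confidence read."""
    exact = loose = 0
    for matches in correlate(handle, services).values():
        if any(kind == "exact" for _, kind in matches):
            exact += 1
        else:
            loose += 1
    return exact, loose


if __name__ == "__main__":
    for service, matches in sorted(correlate("live:j.smith_84").items()):
        print(f"{service:10} {matches}")
    print("exact/loose services:", summarize("live:j.smith_84"))
```

Exact hits across several services are what turn a nickname into a profile; loose hits (same letters, different digits) are leads to verify, not results.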
So now we have a Facebook account. Let’s try some interesting Transforms. For example, let’s find out which of my friends is subscribed to Olga Buzova.
Here, by the way, is a life hack for working with Maltego. If you are not sure you have filled in the fields of an Entity correctly, just take the link to the person’s account and use a URL Entity. Run the Transform that turns it into an Entity of the required type, and from that you get the social network profile Entity. You can see an example in the screenshot with Olga’s account.
As a result we have a correctly loaded Entity for Olga Buzova’s social network profile.
Well, now let’s start catching “friends”. It takes little effort: download Olga’s follower list and my friend list, and Maltego does the rest.
A simple and effective technique for finding the affiliation of someone or something with someone or something else using Maltego. Problems begin when there is not one such connection but, say, 100 or 1000. Then the graph starts to look like a molecular diagram.
For an example of demonstrating this problem, it is quite simple to disable the grouping of entities of the same type in the collection on the Collections tab and see what the full version of the graph of all Olga’s followers and my friends will look like.
Author’s note: this is, in my opinion, one of the biggest challenges you will face when doing OSINT through Maltego. You have to constantly clean the graph of uninformative Entities, otherwise you risk drowning in a pile of information. The problem is partially solved by buying a good mouse and a BIG monitor. Better still, two.
Here Social Links is ready to lend a hand. For example, the search for mutual friends between two Facebook profiles can be simplified with an Entity called Facebook Mutual Friends. Given two Facebook IDs, this Entity downloads ONLY the friends the two profiles share, without loading the profiles of all the other users. With this technique we can keep the graph sized to the task at hand.
What does it look like live?
Option 1 – Download all friends and Maltego builds connections.
Option 2 – Upload mutual friends via the Facebook Mutual Friends Entity.
Thus, we reduced the number of output results per graph and saved ourselves from the need to delete unnecessary Entities.
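The graph-cleaning step described above, as an added example that is not part of the original article and not Social Links or Maltego code. It models the graph as an edge list of the kind the friends and followers Transforms produce and keeps only the “connector” entities, those linked to at least `min_seeds` of the seed profiles. With two seeds (me and Olga) this is exactly the mutual-friends view from Option 2; the example goes beyond the article in that the same function works for any number of seeds, which finds people shared across several targets. The edge list is constructed sample data.

```python
"""Prune a Maltego-style graph to connector entities, offline demo (added example, not from the article)."""
from __future__ import annotations

from collections import defaultdict

# Constructed sample edges (entity -> linked entity), as friend/follower Transforms would add them.
EDGES: list[tuple[str, str]] = [
    ("me", "anna.k"), ("me", "pavel.r"), ("me", "dmitry_k"), ("me", "lena.v"),
    ("olga", "pavel.r"), ("olga", "lena.v"), ("olga", "fan001"), ("olga", "fan002"), ("olga", "fan003"),
    ("dmitry_k", "lena.v"),  # a friend of mine who is also linked to lena.v; not a seed, must not count
]


def build_graph(edges: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Undirected adjacency map: Maltego links are what we look at, direction is irrelevant here."""
    adj: dict[str, set[str]] = defaultdict(set)
    for a, b in edges:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def connectors(edges: list[tuple[str, str]], seeds, min_seeds: int = 2) -> set[str]:
    """Entities linked to at least `min_seeds` seed entities.

    Two seeds and min_seeds=2 gives the mutual-friends set; N seeds and min_seeds=N gives
    people common to all targets; min_seeds=1 keeps everything (the Option 1 graph).
    """
    adj = build_graph(edges)
    seed_set = set(seeds)
    return {n for n in adj if n not in seed_set and len(adj[n] & seed_set) >= min_seeds}


def prune(edges: list[tuple[str, str]], seeds, min_seeds: int = 2) -> list[tuple[str, str]]:
    """The cleaned graph: seeds plus connectors, and only the edges among them."""
    keep = set(seeds) | connectors(edges, seeds, min_seeds)
    return [(a, b) for a, b in edges if a in keep and b in keep]


def graph_size(edges: list[tuple[str, str]]) -> tuple[int, int]:
    """(entities, links) a graph with these edges would show."""
    return len(build_graph(edges)), len(edges)


if __name__ == "__main__":
    seeds = ["me", "olga"]
    print("Option 1 (everything):", graph_size(EDGES))
    print("Option 2 (mutual only):", graph_size(prune(EDGES, seeds)))
    print("connectors:", sorted(connectors(EDGES, seeds)))
```

On real data the difference is what matters: the full graph grows with the sum of the two lists, while the pruned one grows only with their overlap.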
But it’s not just friend lists that Transforms for Facebook is about. Also with the help of individual Transforms we can:
Download a list of posts, photos, accounts liked by the user;
Upload albums, posts, followers, commenters, etc. for a specific user, page, event, post, photo, etc.;
Search for photos, posts, users, groups, events by key phrases and time intervals;
Search users by photos using internal Face Recognition mechanisms through the Social Links service (we will talk about this in a separate article);
For organizations – perform a search for accounts that indicated this organization as a place of work;
Convert information from user profiles, groups, events, etc. into Entities on the graph for further use;
Execute a request with deferred processing (more on them below).
By default, a Transform run is limited to two minutes. If we know that downloading the information will take longer than that, we can send the task to the Social Links server and wait for the result. Execution time can reach one hour, but deferred Transforms are only worth using when a large amount of data has to be unloaded, for example a list of all the followers of a blogger with a million-plus audience.
A full list of all available Transforms can be found here. Of course, what you get out of these Transforms depends on how many OSINT techniques you know and how well you can combine them. Let me stress it once again: Maltego and Social Links are not a magic button that you click to receive a complete dossier on a person.
Now let’s talk about integration with third-party APIs using the example of Transforms to search for people using the Pipl service. For this purpose we have a separate Entity called Pipl Search. You can see the properties of this Entity in the picture.
As many of you already know, the Pipl search engine has become a paid service, and an API key is required to integrate it into Social Links. Nothing unusual here: go to the Pipl website, register, get a key and add it to the Maltego settings.
I especially want to point out the option highlighted in the picture above. By ticking the Top Match box you receive only results that FULLY match the entered criteria. In other words, if you entered a first name, last name and e-mail, then without this check mark you get all results that match the first name, the last name or the e-mail separately; with Top Match checked, only accounts that match all three criteria. This is very useful when you pay per result in your Pipl account.
But! Often, with this box (Top Match) checked, you get zero search results, even for well-known people. The reason is that this function in the Pipl search engine is still experimental and may not work correctly. Pipl also returns a JSON file with the raw results of its search, which contains everything that was put on the graph.
Author’s note: a very interesting detail is that the Pipl search service works on the principle “WHAT GETS ONTO THE INTERNET STAYS THERE FOREVER”. For example, at some point your Facebook profile said that you work for company A, and Pipl indexed the profile. Later you removed that entry and, with a clear conscience, went to an interview at company B. Suddenly you are not hired. You start trying to find out why, and it turns out that even after the information was deleted from your social network profile, and even after Pipl re-indexed that profile, the record of your employment at company A was carefully preserved inside Pipl and handed out, on request, to company B. “WHAT GOT ONTO THE INTERNET STAYS THERE FOREVER.”
Following the glorious tradition, what article about Facebook can go without a mention of Zuckerberg? Let’s look for him. By the way, don’t forget to check the AND if selected parameter in the search query. This parameter puts an “AND” between all the values; the default is “OR”. Using “OR” would give us a combined output of everyone named Mark plus everyone with the surname Zuckerberg, whereas we are looking only for Mark Zuckerbergs.
Here we see a very vivid example of something that comes up often in OSINT. Even for such a well-known and unambiguous personality, the Pipl search engine returns as many as 21 fakes.
I noticed a very interesting detail. In Pipl, on the internal profile of the user, for some reason, a bunch of fake Zuckerberg page IDs are written, in addition to the real one.
Therefore, if we try to apply the Transform [Facebook] Search Person to it, the gates of OSINT HELL open before us, in the literal sense.
Well, let’s put it this way, for greater drama of what is happening…
That’s all for today. Don’t miss new articles on Maltego. Next, we will consider what is there from the search in other social networks. We will definitely touch on VK, Odnoklassniki and Instagram. Let’s talk about the possibility of searching for accounts and people by photo (similar to Find Face only in the Maltego ecosystem), let’s look at geolocation search. And for dessert, the most interesting thing is to find out what Social Links can offer in terms of searching in the Dark Net.