Maltego began life as a penetration tester’s toolkit, a way to apply link analysis to computer-network objects such as domains, hosts, and addresses. Capabilities have been added over the years and there are now ninety-six additional transform sets, which are packages of online queries, available via the Transform Hub, the configuration page that is the first thing you see upon opening Maltego.
There are several versions of Maltego, but you are going to start with the free Community Edition. The returns from a transform are limited to twelve items, while the commercial version I use will permit 12, 50, 256, or 10,000. Even with that test-drive-sized limit on transforms, the CE version is NOT crippleware. Near the end of this exercise you’ll find a link to a directory of Maltego sample files. One of the things in there is a hand-drawn graph of interesting Substacks I recently created.
Attention Conservation Notice: If you start down the path I am outlining in this Substack you will inevitably get to the point where your head is FULL. You must have some sort of mind-mapping or link-analysis tool or you will limit your understanding to that of an actor or collector on the edge of things. If you’ve already got a solution, you can quickly read this to make sure yours covers the needs. If you don’t already have one, Maltego works well on all three major desktops.
Substacks:
Several weeks ago I was given the names of a couple of Substacks that are part of an operation hostile to liberal democracies in general. I looked at the seeds, saw their recommendations, and decided I would draw a graph as I was adding them to an Inoreader account for long-term tracking. You did Get Started With Inoreader, right? Anyway, once the bad guys were profiled, I decided to make this good-guys graph, starting with the recommendations of Truth About Threats.
Long Term Effort:
As an example of how far this can go, here’s a graph I’ve been working on for the last three years, which has come to be known as the MAGA Meltdown Maltego. There are 3,227 names of people and 989 organizations, everything from companies to militias, and they participated in 229 events. Keeping this graph has put me in the position of being a sort of specialized search engine for journalists and other researchers. You give me a name or an event, and a few minutes later you’ll have a screenshot showing where it fits in the network and a list of relevant URLs from the 1,278 articles, court documents, and so forth that I used to create the graph.
That graph is unwieldy on a Xeon workstation with 128GB of memory and a 4k display. There are 237 related child graphs associated with it. It was starting to be a chonker by early 2021, so when I got a new article, I would check for key names, then pull them and their related entities out, saving them in files named in the form YYYY-MM-DD-Name1-Name2 and so forth. Once I was done adding the new article’s entities and links, I would paste the results into the main graph. I didn’t intend to keep a timeline of modifications, but in retrospect that’s proven to be important on occasion.
As an example, on 2022-07-09 there were two articles regarding my favorite chew toy, Roger Stone. The contents of an email group called Friends of Stone were made available to the New York Times, and Alternet published an article that somewhat enriched the original. Here I used Maltego’s Named Entity Recognition capability to automatically extract names mentioned in the article, then I manually removed about half of the results. The system isn’t slick enough to know that Roger Stone and Mr. Stone are the same person. This is a repeat of what I did the day the article came out, showing methods and giving you some idea of what the $1,000/year commercial Maltego can do.
And this is what it looks like after being “processed”. The Person entities get replaced with something more specific: there is a Gang Leader and a couple of Gang Members, Military Officers, a couple of Lawyers, and Akbar and Stone are given the Businessman entity. Most links are just plain gray, but I follow a color code: blue for allies, red for opponents, green for funding flows. When someone is often the subject of articles it’s a terrible mess to find their actual entity, so I’ve adopted the convention of appending “Actual” to the names of those who are often mentioned.
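The two cleanup chores described above, folding “Mr. Stone” back onto “Roger Stone” in the NER output and keeping a dated index of the YYYY-MM-DD-Name1-Name2 child-graph files, are easy to script before pasting results into the main graph. The following is an added example written for this post, not Maltego’s own code nor a Maltego transform; the NER output and file names are constructed, the file names are assumed to use single-word names joined by hyphens, and the rule that a name earns the “Actual” suffix after appearing in three or more dated child graphs is an assumed threshold, not the author’s.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of what an NER pass over the two 2022-07-09 articles
# might return (hypothetical, not real transform output).
NER_OUTPUT = [
    "Roger Stone", "Mr. Stone", "Stone", "Roger Stone",
    "Ali Alexander", "Mr. Alexander", "Amy Kremer", "Ms. Kremer",
    "Mr. Jones",  # surname with no full name anywhere in the text
]

# Constructed child-graph file names in the post's YYYY-MM-DD-Name1-Name2 form
# (assumption: each name is a single word, names joined by '-').
SAMPLE_FILES = [
    "2021-03-02-Stone-Alexander",
    "2022-07-09-Stone-Kremer",
    "2022-07-09-Stone-Alexander-Kremer",
    "notes.txt",  # not a child graph; must be ignored
]

HONORIFICS = re.compile(r"^(Mr|Mrs|Ms|Dr|Gen|Col|Sen|Rep)\.?\s+", re.IGNORECASE)
FILENAME = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-(.+)$")


def strip_honorific(name):
    """'Mr. Stone' -> 'Stone'; full names pass through unchanged."""
    return HONORIFICS.sub("", name.strip())


def merge_mentions(mentions):
    """Collapse surname-only mentions onto the one full name that shares the
    surname. Returns (entities, needs_review): bare surnames that match zero
    or several full names are kept as-is and listed for manual review, which
    is the half-manual step the post describes."""
    cleaned = [strip_honorific(m) for m in mentions]
    full_names = {n for n in cleaned if " " in n}
    by_surname = defaultdict(set)
    for n in full_names:
        by_surname[n.split()[-1]].add(n)
    entities = set(full_names)
    needs_review = set()
    for n in cleaned:
        if " " in n:
            continue  # already a full name
        if len(by_surname.get(n, ())) == 1:
            continue  # unambiguous: folded into the full name
        entities.add(n)
        needs_review.add(n)
    return sorted(entities), sorted(needs_review)


def index_child_graphs(filenames):
    """Build {name: [date, ...]} from YYYY-MM-DD-Name1-Name2 file names,
    giving the timeline of which article graphs each name appeared in."""
    timeline = defaultdict(list)
    for fn in filenames:
        m = FILENAME.match(fn)
        if not m:
            continue
        d = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
        for name in m.group(4).split("-"):
            timeline[name].append(d)
    return {name: sorted(dates) for name, dates in timeline.items()}


def actual_label(name, timeline, threshold=3):
    """Apply the post's 'Actual' suffix to names that recur across child
    graphs (threshold is an assumed value)."""
    if len(timeline.get(name, [])) >= threshold:
        return f"{name} Actual"
    return name


if __name__ == "__main__":
    entities, review = merge_mentions(NER_OUTPUT)
    print("entities:", entities)
    print("review by hand:", review)
    tl = index_child_graphs(SAMPLE_FILES)
    for name in sorted(tl):
        print(actual_label(name, tl), [d.isoformat() for d in tl[name]])
```

Run it as a script to see the merged entity list, the surnames that still need a human decision, and which names have crossed the “Actual” threshold; the per-name date lists are the modification timeline the post says turned out to matter.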
Conclusion:
Maltego is in an unusual position: it’s not nearly so potent as intel/LE-grade link analysis tools like Sentinel Visualizer, but it runs on every platform, and the free version works for taking notes and reviewing graphs created by those who do have the commercial version. As I mentioned above, here are some sample files for you to examine.
Having brought a number of people into using Maltego over the years, I know I need to record some new videos in the three-to-five-minute range that show some of the basic things you can do. I’ll get after that in the near future.
As with Inoreader, if you put an hour into this, you will have a good starting point. I believe there are three general use cases for Maltego: a portion of you are going to be creating your own graphs; others will not be making them but will need to read them; and people with more general duties will have both graph creators and graph users they are managing. Even if you’re at the level of commissioning graphs, you’ll be a better director if you know what goes into making them.