How to optimize Maltego for OSINT Investigations with Maltego Transforms
In my experience, Maltego is an important and useful addition to other OSINT investigation tools and methods.
It is a versatile tool for a wide range of users: threat intelligence teams, SOC analysts, incident response teams, investigators, cyber investigators, prosecutors, and many others. But which Maltego transforms do they use?
Maltego for Corporate Investigations
The User Needs to Understand Maltego Transformations
Using Maltego and finding the best way to apply it to your own case is not difficult. In my courses, I rarely need more than one day for this part of the training. It is far more important, however, that users know and understand the installed transformations. This is the biggest hurdle in the workshops and takes the most time.
I need to know my transformations and understand exactly:
- Which data sources do these transformations query?
- What information can I query and how?
- What data do the transformations query, and how do they do it?
- What are the expected results?
- What transformations can I use with the results?
The first time you try the software, you will be tempted to run every installed transformation against an entity. However, this leads to an unreadable graph and frustration. See the image below as an example:
Understanding the Basics of Transformations
The goal is to use transformations in a structured way, with knowledge of their fundamentals, and good documentation from the transform providers would be a real help here. Unfortunately, the different providers have one thing in common: there is often no sufficient documentation of the Maltego transformations they offer.
This is not only true for the free offerings; even the expensive suppliers do not shine here. Of course, there are exceptions:
Luckily, some transformations do come with good documentation. The Paterva transforms, for instance, are well documented. This explains, for example, why a user cannot compare the search engine results from the transformations with their own Google results: Paterva uses the Bing API.
Farsight has also published very good documentation.
The vast majority of transformations offered in the “Transform Hub” are subject to a charge. However, some of these providers (marked “purchased separately”) offer queries that are limited in scope but sufficient for more basic needs.
I will address these transformations in this post and in a related article, and I will go into their current limitations in more detail.
Recommended Maltego Transformations
Outside the Transforms Hub:
Hunchly Maltego Transforms
Additional API keys needed:
Details about the Maltego transformations
Standard Paterva Transformations (Maltego Classic / XL)
148 Transformations as part of the Classic/XL license.
These cover many areas very well, e.g. everything around a domain's infrastructure, and also Twitter.
dataprovider.com has crawlers that navigate from link to link in order to index all sites in a country. In this way, the company collects extensive data on over 280 million domains from 50 different countries every month.
The database has information with 200 different variables, including phone numbers, email addresses, IP addresses, analysis IDs, and more. It is updated monthly. The transformations provide access to this structured database.
dataprovider.com offers free but limited use of the service. For more intensive use, an API key from the provider is required:
Farsight offers one of the largest databases of passive DNS data.
For example, users can query information about DNS record types such as domains, IPs, NX, MX, AAAA, SOA. A wildcard search is also available.
They offer free limited queries – including instant access, no registration, no API key required!
Free query limits:
- 12 queries per hour
- Maltego Classic and XL: 50 answers per request
Social Links provides transformations for open source and social media intelligence.
It contains more than 750 transformations (3,000 queries per day) to retrieve data from over 50 sources.
- Social networks: Facebook, Instagram, LinkedIn, Twitter, Skype, Xing, Foursquare, Badoo, Blogger, Classmates, Flickr, Github, FullContact, MyMail, Myspace, Odnoklassniki, Snapchat, Sqoop, Vkontakte, Youtube, Photobucket, Deviantart, Pinterest, Tinypic, Imageshack and others.
- Messenger: Telegram, Signal and others.
- Unique search in more than 30 darknet forums and marketplaces.
- Companies: CompaniesHouse, Open Corporates, Google Companies, OCCRP, Offshores.
- Integration with third-party services: Pipl, Bitcoinwhoswho, Securitytrails, Censys, Shodan, ZoomEye and others.
- Access to Social Links database with 7 TB of emails, aliases, names, phone numbers.
- Cryptocurrency: Ethereum Platform Analysis, Bitcoinwhoswho, TokenView;
- Other sources: DocumentCloud, Ebay, Torrents, TruePeopleSearch, Wikileaks, Dating sites such as Match, Chemistry, Fling, Meetup, okcupid, ask.fm, rsvp.com.au and others.
Trial Key available from https://www.mtg-bi.com
The 24 transformations were written by Paterva; a Shodan API key is needed for better results.
From the Shodan database you get, for example, IP information, network blocks, services/ports, and domain queries. Native Shodan queries for terms or phrases are also possible.
SocialNet offers more than 700 transforms with data from 70+ social media networks.
Query is possible by e-mail address, alias, phone number or name.
Trial can be obtained via https://www.shadowdragon.io/
8 Maltego transformations to visualize the Bitcoin blockchain.
Contains queries about Bitcoin addresses, transactions, and details.
Five transformations supported by ThreatCrowd.org:
- From domains and IPs to historical DNS resolutions and links to malware.
- From MD5 hashes from malware to C&C domains and IP addresses.
ThreatCrowd is a non-commercial website and there is no private API.
Query the VirusTotal Public API for information about IP addresses, hashes, domains, and URLs.
This set of 121 transformations is based on the PassiveTotal API. Queries are possible to entities such as domain, IPv4 address, URL, email, SSL certificates and many others.
Limited use of 25 requests per day.
If you need more, you need to register under https://www.passivetotal.org/enterprise.
PassiveTotal is a product of RiskIQ.
Community information: https://community.riskiq.com
Six Maltego transformations to https://haveibeenpwned.com
Has a (hashed) password or a domain appeared in a breach, or has an alias/email been listed in a Pastebin post, etc.?
Queries for Breach name, domain, alias, email.
Python 2.7 is (still) required to use the transformations.
The transformations access the case data within the Hunchly software.
The starting point is the query of a Hunchly Case. From there you can go to secured pages and photos and to the data and keywords contained therein.
The transformations are still quite simple and can be improved, but they give a good insight into the possibilities of local transformations.
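As an added example (my own illustration, not the Hunchly or Paterva code described in this post), here is a minimal local transform in Python 3 that shows what a local transformation actually does and answers the questions from the checklist above for itself: which source it queries, what it returns, and what the analyst gets back. It takes a maltego.Domain value on the command line, looks it up in a small constructed passive-DNS table (an assumption standing in for a real source), and writes the MaltegoTransformResponseMessage XML that Maltego reads from stdout, with the data source recorded on every returned entity.

```python
#!/usr/bin/env python3
# Minimal Maltego local transform: maltego.Domain -> maltego.IPv4Address entities.
# Maltego runs it as `python3 pdns_transform.py <entity value>` and parses stdout.
import sys
import xml.etree.ElementTree as ET

# Constructed sample data standing in for a passive-DNS source (not real records).
PASSIVE_DNS = {
    "example.com": [
        {"ip": "192.0.2.10", "first_seen": "2019-03-01", "last_seen": "2020-11-12"},
        {"ip": "192.0.2.11", "first_seen": "2020-11-13", "last_seen": "2021-02-02"},
    ],
    "example.org": [
        {"ip": "198.51.100.7", "first_seen": "2018-07-19", "last_seen": "2021-01-30"},
    ],
}
SOURCE_NAME = "constructed local passive-DNS table"  # hypothetical data source


def lookup_passive_dns(domain):
    """Return the resolution records for a domain (case-insensitive), oldest first."""
    return sorted(PASSIVE_DNS.get(domain.strip().lower(), []), key=lambda r: r["last_seen"])


def build_response(domain):
    """Build the response XML Maltego expects: one IPv4Address entity per resolution."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(resp, "Entities")
    records = lookup_passive_dns(domain)
    for rec in records:
        ent = ET.SubElement(entities, "Entity", Type="maltego.IPv4Address")
        ET.SubElement(ent, "Value").text = rec["ip"]
        ET.SubElement(ent, "Weight").text = "100"
        fields = ET.SubElement(ent, "AdditionalFields")
        # Additional fields appear in the entity's property view, so the analyst can
        # see where each link came from and when it was observed.
        for name in ("first_seen", "last_seen"):
            ET.SubElement(fields, "Field", Name=name, DisplayName=name.replace("_", " ")).text = rec[name]
        ET.SubElement(fields, "Field", Name="source", DisplayName="Data source").text = SOURCE_NAME
    # UI messages show up in Maltego's output pane: name the source queried and the
    # hit count, so an empty result is not mistaken for a failed transform.
    msgs = ET.SubElement(resp, "UIMessages")
    ET.SubElement(msgs, "UIMessage", MessageType="Inform").text = (
        "%s: %d resolution(s) for %s" % (SOURCE_NAME, len(records), domain)
    )
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_response(sys.argv[1] if len(sys.argv) > 1 else ""))
```

Registered in Maltego as a local transform with the input entity type maltego.Domain, this script is called with the selected domain as its first argument; everything it prints to stdout becomes new entities on the graph.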
Maltego needs the right Open Source Intelligence (OSINT) add-on modules, the so-called transformations, to show its full strength. These can be transformations bought from a professional provider or local transformations.
This post contains the most important selection of transformations for Maltego from my point of view. I will update it as needed.