Data center: Ashburn, VA

Telegram Chat : MBHH_x86

Email Us:

Mobile Hacker For Hire, hire a hacker, hiring a hacker, hacker with proof

Precise Geospatial Link Analysis using Maltego

Table of Contents

Whether untangling a global web of offshore legal entities and records or mapping a target’s cyber-physical infrastructure – location data enters investigators’ work every day and across the board.

There are two common challenges that arise when working with location data in a link analysis context: Matching identical addresses across alternative spellings and understanding patterns across location granularities without losing precision.

Maltego’s Google Maps Geocoding Transforms, our latest addition to the Transform Hub, helps investigators solve both problems seamlessly in their investigations.

The integration makes use of the Google Maps Geocoding API to search any address as text and retrieve the most likely result in a highly structured form. This means that even misspelled or partial addresses that refer to the same physical location will be mapped and identified. Surfacing object identities and their patterns across data sources is one of the key benefits of link analysis in Maltego, making this a highly valuable tool to integrate into your investigative work.

Matching addresses through normalization 🔗︎

When combing through datasets that include address data, one often finds inconsistencies in the way that addresses are rendered. This can take several forms, such as varying abbreviations (for example, both CT and Conn. indicate the US state of Connecticut), disparate spellings across local languages (for example, “Carrer” in Catalan and “Calle” in Spanish), and different transliterations of foreign addresses into Latin characters.

Address normalization, well, addresses that problem by standardizing such location data. In addition to normalizing various ways of rendering the same address, as mentioned above, it can also recognize partial addresses or identify when multiple locations belong to, say, multiple suites in the same building.

To illustrate this, let’s take a look at business connected to a Chilean politician using the Orbis – Bureau von Dijk dataset. We can achieve this by identifying the Entity for the politician-in-interest in the Orbis dataset, then running the Transform [Orbis] To Companies on the Entity.

Use the Orbis – Bureau von Dijk dataset in Maltego

The image above shows various organizations connected to the Chilean politician. We have obfuscated the names of individuals and organizations for data privacy reasons.

Next, we are interested in learning more about the locations of these organizations. We will select our company Entities and now run the Transform [Orbis] Get Address.

Run the Transform [Orbis] Get Address in Maltego

Our results show that nearly all the companies are registered at unique addresses, with the exception of two. If we normalize these addresses, however, we find some new connections. Let’s run the Transform Normalize Location [Google Maps Geocoding].

Run the Transform Normalize Location [Google Maps Geocoding] in Maltego

With the normalized addresses, we see that three of the company Entities have been identified as being located at the same address. Let’s take a closer look.

Identify three of the company Entities in Maltego

Referencing the Property View in Maltego, we can learn more about the addresses of these organizations. The addresses for each are:

  • APOQUINDO 3000

The new, normalized Entity contains this address: Avenida Apoquindo 3000

One of the organizations appears to have a partial addresses, while the addresses for the other two Entities suggest that they may be located in separate suites within the same building.

Helpful tip!

Now that we’ve established that these three Entities are all likely located in the same building, we can elect to merge the three separate Address Entities that currently appear on our graph. We can make this decision based on the level of granularity we are interested in; in this case, we are assuming that the shared address is more important than the various suite numbers.

Let’s select our newest, normalized Entity. In this example, that is “Las Condes, Chile.” Next, select the “Add Parents” option in Maltego. This will keep selected the Las Condes Entity that we started with, as well as highlight the three other addresses at Avenida Apoquindo.

Select the Add Parents” option in Maltego

If we right-click on our graph, it will open the Transform Menu. At the bottom of our Transform Menu are several interesting options, such as Copy to New Graph, Change Type, and Merge. We are interested in this Merge option. With the four Entities of interest highlighted, let’s hit Merge!

Select Primary Entity in Maltgo Transform Menu

After hitting Merge, a pop-up will appear that asks for more information about how we’d like to merge Entities. When normalizing addresses as in this example, it often makes sense to merge all the Entities into that final, normalized addresses. Once we designate the normalized address as the primary Entity, we can select “OK” and see our merged results!

 Merge all the Entities into that final normalized addresses in Maltego

Merging Entities aids in making the visualization and link analysis aspects of Maltego prettier and more compelling – the story is easier to follow, and the ties between different data points becomes clearer.

Visually understanding global patterns in locations 🔗︎

The new Google Maps Geocoding Transforms in Maltego also permit analysts to more easily identify global patterns by identifying clusters of relevant information such as country or city. This can allow researchers to zoom out and gain a more comprehensive bigger picture understanding.

Let’s take a look at one such example. Starting in May 2021 and continuing throughout the summer, mass unmarked graves were uncovered at Canadian Indian residential schools across the country. We are interested in learning more about the origin country of individuals making edits to the Wikipedia page “Canadian Indian residential school system” since the initial discovery of the unmarked graves in May 2021.

Start with a phrase Entity and name it “Canadian Indian residential school system.” We want to the name of the Phrase Entity to exactly mirror the name of the Wikipedia page. From here, run the Transform Search Page Titles [Wikipedia EN]. The Transform successfully returns an identically named Wikipedia page.

 Run the Transform Search Page Titles [Wikipedia EN] in Maltego

The next objective is to identify the editors of this Wikipedia page. To accomplish this, we will run the Transform To Page Editors [Wikipedia EN].

A pop-up appears prompting a date range input. We are only interested in edits that have been made to the page since the discovery of the first unmarked grave found in 2021. Unmarked graves were identified at the Kamloops Indian Residential School on May 28, 2021; for the sake of simplicity, let’s look at all edits from May 27, 2021 to the present.

Run the Transform To Page Editors [Wikipedia EN] in Maltego

Once the date range is defined, close the pop-up then click “Run!”. The Transform returns 105 Aliases, 22 IPv6 Addresses, and 53 IPv6 Addresses. For the next steps, we’re just going to focus on IPv4 addresses as neither the IPv6 addresses nor the aliases will provide information about the Wikipedia editors’ locations. As such, delete the IPv6 Addresses and the Aliases from the graph.

Delete the IPv6 Addresses and the Aliases from the Maltego graph

We now have 53 IPv4 addresses that have made edits to the Canadian Indian residential school system Wikipedia page since May 27, 2021. Let’s discover more information about what locations those IPs point to. To do this, we’ll use the IPInfo dataset, available for free on the Maltego Transform Hub. Select the 53 IPv4 addresses and run the Transform Enrich IPv4 Address – No Authentication [IPInfo]. The Transform returns information related to DNS names and locations associated with the IPs.

Run the Transform Enrich IPv4 Address – No Authentication [IPInfo] in Maltego

Image: A snippet of the data returned by running the Enrich IPv4 Address Transform.

Since our investigation focuses solely on the locations, we can delete these DNS name Entities in order to keep our graph cleaner. At the top of the graph, find the “Select by Type” option and select “DNS Name.” Delete the selected Entities.

Delete these DNS name Entities to keep graph cleaner in Maltego

The remaining graph looks quite clean and compelling.

 Remaining graph in Maltego

Now we have information on the cities that the Wikipedia editors are writing from (or at least the cities corresponding to their IPv4 addresses). This is interesting, but let’s take a step back and get a move high-level overview: Which countries are the editors writing from? Let’s find “Select by Type” again and this time select “Location.” This will select all the Location Entities on the graph.

Here, we will turn to our Google Maps Geocoding Transforms! Run the Transform Search for Country [Google Maps Geocoding].

Run the Transform Search for Country [Google Maps Geocoding] in Maltego

Several countries are returned to us. If we “Select by Type” and select “Country,” we can see more information about these new Entities in the Detail View in Maltego.

“Select by Type” and select “Country” in Maltego

22 of the editors are accessing Wikipedia from Canadian IP addresses. 10 of the editors appear to be located in the US, and 3 in the UK. There is also an editor each from Bahrain, France, New Zealand, Norway, Spain, and Sweden. Considering that the mass unmarked graves were discovered in Canada, it is logical that the majority (22 out of 41) of the editors are likely based in Canada. Given that we are investigating Wikipedia pages in English, it makes sense that many of the other editors are located in English-speaking countries such as the US, UK, and New Zealand.

The ability to cluster the locations based off of country allows us to gain a more high-level understanding of the individuals editing this Wikipedia page.

The integration is available for all Maltego users and includes the following free tiers:

  • CE users may run up to 20 Transforms per month
  • Pro users may run up to 200 Transforms per month
  • Enterprise users may run up to 500 Transforms per month

If you require a higher quota of Transform runs, you may sign up for your own Google Maps API key to use with the integration.

We hope you’ll find this integration a useful tool in your OSINT arsenal!

Don’t forget to follow us on Twitter and LinkedIn and sign up to our email newsletter to stay updated on the latest news, tutorials, and events.

Happy investigating!

Leave a Reply

Your email address will not be published. Required fields are marked *

error: Content is protected !!