Maltego is used by investigators globally for data gathering and link analysis. One common Maltego use case, particularly used by Law Enforcement, is to analyze social media accounts in order to track profiles, understand social networks of influence, interests and groups. Maltego makes this type of investigation simple through one of our data partners, SocialNet. In the current COVID-19 crisis, Maltego can be used to aid containment efforts and scientific study of the virus spread by helping to create an overview of the spread of the disease, especially by identifying tourists or visitors from coronavirus hotspots and then tracing their movements to other locations and even back to their hometowns.
What follows is an example of such an investigation built in Maltego with SocialNet data, (in this case, primarily from Instagram) for one of the most popular locations, Ischgl, a famous ski resort in Austria and a COVID-19 hotspot where it is believed that hundreds of tourists from across Europe had become infected. Additionally, some data is depicted which we presume to be the hometowns (these are marked in red pins under Maltego’s Detail View in the image below) of these returning holiday-goers.
In this post, we will explore the many ways that such an investigation can be approached.
How to get started 🔗︎
In Maltego, there are multiple starting points for this type of investigation.
A Location based starting point
Since this investigation is aimed at tracing people from a specific location, we can use one of the following starting points:
- A geolocation
- A circular area (Latitude, longitude + a defined area radius around that point on the map)
- A location name (as a Phrase Entity)
A Persona based starting point
For example, if you want to start by investigating a person whom we know was infected and whom we know visited a café in Italy, (note that the location of the café can also be added). Or, if we begin investigating a person who we know was skiing in Ischgl, Austria during the outbreak, then you can begin with the following Entities:
- An Alias or user handle on Facebook, Twitter or Instagram
- An Email address for the Persona
- A Person name (however, this may lead to more false negatives in comparison to more specific Entities such as Email or Alias.
An Event based starting point
With SocialNet you can also identify events or event locations such as specific parties, bars, concerts or planned public gatherings. There are two ways to approach this scenario using Maltego.
- The location of the event (refer to Location based starting points above).
- Start with a phrase of the event which will then help look for hashtags or mentions of the event in the description of the post
Where to pivot 🔗︎
For locations
One can pivot from locations into posts (and this is especially true for Instagram) made at that location. This post can then be pivoted towards the person who posted. This person directed pivot takes the form described under the next step, “For Persona”.
For Personas
Alias: When you have an Alias (either directly or through a location as detailed in the earlier step), there are a few things you can do. From an Alias, you can obtain all of the posts made by the person, and then pivot back out into the locations they were posted from. In Maltego’s Detail View, the date the picture was posted is evident. If these images are made on/after the second week of March (after the shutdown), then we may have identified some leads to areas where the infection may have spread. Alternatively, using an Alias and their posts, one can also find persons “tagged” in the posts (exposing additional leads that can be investigated using Alias) and the tracing process may then be initiated again, studying the posts of these new leads and tracing their movements during the COVID-19 outbreak.
Let’s use Twitter for example, using an Alias, one can discover the Hometown in the bio of the Persona, making it fairly easy to trace an individual back to their hometown and state even if that individual has not posted to Twitter since the lockdown took effect. Using this kind of information pre-emptively may prevent further virus spread to their hometown and state before their departure from the COVID-19 hotspot. The Bio aspect is particularly useful when used with a Facebook profile but less so for an Instagram profile.
Email address: There are two ways to look up email addresses. One can use Namechk (on the Maltego Standard Transform set), a site where usernames are checked for availability to verify if a profile may exist on some specific social media outlets. Alternatively, one can use SocialNet to quickly verify if the email address is used for any specific social media outlet, which will then lead to a user, which will then lead to an Alias.
For person names: This is a tricky one! There can be many people with the same name and therefore this can lead to false positives. An outlet to solving this is either being able to recognize their face in their display pictures or having a few attributing factors that would set them apart from the others such as Age, Hometown, current occupation, school they went to, mutual friends, etc. This starting point can therefore take more time than starting from a specific source rather than a generalist one.
For Events:
Once you have an event, it is easy to pivot into a specific location and then follow the methods described under locations. Alternatively, one can also use the foursquare Transform from SocialNet to find the “topmost visited places” in a specific area (these can be bars, restaurants or hotels, among many others) and then run a check for any posts reflecting any of the most visited places defined.
How to look beyond the Maltego graph
The Maltego graph itself returns a treasure trove of data points that can very quickly explode into a puzzle of its own, so one must always be very sure that:
- A person was at that location at the time of the spread
- the other locations they have posted are not “throwback/ #tbt” posts, which a lot of people tend to do since they are shut indoors; and that
- the persons’ posts are after the date of visiting the location in question.
Therefore, it is essential to also look at the profiles from outside of Maltego often to verify if the results make sense with the hypothesis. One such tactic is to use the profile link on the Detail View in Maltego and actually study the profile on Instagram in person after you have confirmed that a specific profile was indeed present in the Coronavirus hotspot. Often, this can provide a lot of hints which you may have otherwise overlooked. For example, separating the persons workplace from their favorite restaurant e.g. if the target profile being investigated worked at a McDonalds then through Maltego it may not be evident right away that this is their workplace and not just a restaurant they visited. Often, the people which were tagged may be living elsewhere which may become a bit of an information overload on the Maltego graph and simply scrutinizing the profile directly and then bringing any relevant information found into the Maltego graph using a note or a bookmark in Maltego.
In general, making a habit of studying a profile directly is recommended to ensure that any relevant pivots and data points are not overlooked.
To summarize, while Maltego can be used for OSINT and threat intelligence during times of crises, Maltego also enables investigators to quickly switch the usage of the tool to access valuable data sets like those through SocialNet to expand the investigation further than just a single social media outlet but merge multiple in one graph.
A few social media “cheat-codes” to get things started! 🔗︎
- Events – Location – Alias – Posts – hometown/other places visited
- Alias – Posts – people tagged in the posts – locations they have been to – other people who visited the location
- Posts – Aliases- events they have mentioned – other people at the same events
- Events – people RSVP’d “attending” the event on a Facebook event – usernames – posts – locations
…and the list goes on!
We would love to hear more about your own investigations with Maltego. Subscribe to our RSS feed to stay up to date with our blog and follow our Twitter and LinkedIn page for more interesting use cases.