Data Scraping
Introduction
Maltego Client Requirements
Operating System
Maltego works on Windows 7, 8 and 10, Linux (various distributions) and OS X. As Maltego is Java based, it should work on most operating systems.
Bottom line: Maltego can be installed on all platforms.
Software Requirements
Maltego uses Java 8 and requires Java 1.8 or higher to be installed (update 101 or later), which is available for most popular operating systems. It is recommended to use the Oracle version of Java and to keep it updated to the latest release.
Bottom line: you need Java 1.8 installed on your machine to use Maltego.
Hardware Requirements
Maltego loves memory and raw CPU power. Rendering the views takes a lot of computing power, and the slower your computer, the longer it takes. If your computer is underpowered, this can become frustrating. If you plan to work on large graphs, you will also need some memory.
Maltego 4 requires a minimum of 2 GB of RAM, although 4 GB is recommended. More RAM allows larger and more complex graphs and gives an improved experience.
You also need an Internet link if you want to use Paterva's CTAS transform servers. Almost all of the data collection and processing happens on the server, but the results still need to get to your computer. A fast Internet link makes Maltego run faster. Lastly, if you ever needed a reason to get a big screen, now you have one. Maltego also loves large displays. Running it at 1024 × 768 simply would not feel right - but you can do it if you really need to.
Bottom line:
Minimum (yuk): 2 GB of RAM, 2 GHz, 1 MB Internet access, 1024 × 768.
Recommended (yum): 16GB of RAM, Intel I7, 10Mb+ Internet access, 1920 × 1080.
Installation
Which version is right for me?
The Maltego client comes in four different versions, each for a different purpose. The main difference between Maltego Classic, Maltego XL and Maltego CE is the number of entities that can be returned from a single transform and the maximum number of entities that can be on a single graph. CaseFile, on the other hand, is mainly used by analysts working with offline data who do not need access to the standard transforms in Maltego. This table provides more detail on the differences between the four clients. Maltego Classic and Maltego XL are commercial products and require a license key to use, while CaseFile and Maltego CE are completely free.
Download Installation Files
The different installation files for Windows, Linux and OS X can be downloaded from the downloads page of our website:
Figure 1: Maltego downloads page
Each of the client types has download options for Windows, Linux and MAC described in the next sections.
Windows Installation
The correct operating system should automatically be detected on the webpage. In this case, Windows has been detected as shown in the image below:
Figure 2: Windows installation
From the FILETYPE dropdown menu you can choose between installing just the .exe install, the .exe install with Java x64 or x32. If you do not already have Java 1.8 installed on your machine, it is recommended to install the .exe + Java bundle. Once the FILETYPE has been selected you can click Download! to start the download.
Once the download is done, double click the installer to start the installation process. Follow the next few screens that will prompt you for information to complete the installation process.
The screens that you will see are as follows (These images are taken from a Maltego XL 4.0.8 installation file):
Figure 3: The Maltego 4 setup welcome screen
Figure 4: The license agreement screen
Figure 5: Select users that will use Maltego
Figure 6: Installation location and disk storage requirements
Figure 7: Start Menu setup
Figure 8: Installation
Figure 9: Choose to create a desktop shortcut
After the installation, you should see an icon on the desktop or find it in the start menu under Paterva -> Maltego.
Linux Installation
You will need to have a windowing (X11) system – Maltego is a graphical application. Maltego is available as a .DEB package (ideal for Debian based operating systems) as well as an .RPM package (ideal for systems that can use the RPM Package Manager) and a .zip archive. Each of these file types can be selected from the FILETYPE dropdown when Linux is selected:
Figure 10: Linux installation
After you have downloaded the package you can install it as follows:
.deb (debian package)
The Debian packages can be installed by either double clicking on the file within your window manager (such as KDE) or allowing the window manager's installer to install the package. Alternatively, you can also install it from the command line as follows:
> cd downloads/Maltego (assuming that you’ve downloaded it here)
> dpkg -i <file>.deb
.RPM
The RPM file can be installed as above via your window manager by double clicking on the file or via command line as follows:
> cd downloads/Maltego (assuming that you’ve downloaded it here)
> rpm -i <file>.rpm
.zip
The zip archive is the entire extracted Maltego installation; you can simply extract it to wherever you want Maltego installed and then run maltego from the bin directory.
Also, note the following:
- Maltego requires the Oracle Java JRE, and it is important that you install this version rather than the OpenJDK that ships with many operating systems.
- Make sure you can read and write to the directory where you installed the application. For example, if you installed the application as root and run it as a normal user, you may find that reading and writing its configuration files fails. This can cause problems.
- If you have different versions of Java on your machine, you need to make sure that you are using version 1.8 for Maltego.
MAC Installation
Choose the MAC download from the downloads page on our website:
Figure 11: MAC download
.DMG
After downloading the .dmg file, it can be installed by dragging it to the Applications folder, as shown below:
Figure 12: Installing Maltego on a Mac
Also, make sure that you have the latest version of Java 1.8 installed on your machine.
Maltego Client Setup
The first time you start the Maltego client, you will be presented with a setup wizard that helps you activate your Maltego client and install transforms from a CTAS transform seed. The first page of the wizard is a welcome page and is shown below:
Figure 13: Welcome page
Click Next> to continue to the license agreement step of the wizard. Please read our license agreement carefully before continuing to the next step.
Figure 14: Maltego license agreement
After reading our license agreement, you can activate your Maltego license. There are two different methods for activating Maltego, namely online activation and offline activation. Both methods are described in the next sections.
Figure 15: Activation options
Online Activation
The online activation method is the recommended way to activate your Maltego client and should be a quick and easy process. To activate online select the Activate Online option and click Next>.
You will then be prompted to enter your 26-digit license key, which should be provided to you via email after you made your purchase. The license key has a checksum digit (the last digits) to check that you have not made a typo. When the license key is in the correct format you will see a check mark appear next to the license key that you entered. You can then click Next> and the application will check if the license entered is valid.
Note: A single license can only be used on one computer at a time.
If the license is valid, the product will be activated and you will see the following screen:
Figure 16: Successful activation
Offline Activation
If your Maltego client is operating in a completely offline environment, you can do an offline activation. To do this, first choose Request license file, then activate offline:
Figure: Request license file, then activate offline
After clicking Next> you will be asked to enter your Maltego license key, just as you would have done when activating online:
Figure: Entering your Maltego license key
After entering your key and clicking Next>, you will be taken to a page that provides a License Request blob and a link to the activation website:
Figure: License Request blob
Copy the License Request blob and browse to the specified link (from an Internet-connected machine if the Maltego client host is disconnected). This will take you to the following web page:
Figure: Offline Activation page
Copying your License Request blob into the form and clicking Generate Key >> will create a license file (maltego.lic) that is downloaded by your browser. You can then return to the activation wizard in the Maltego client and upload the new license file. Once it is uploaded, click Next> to check whether the license file is valid. If it is valid, your Maltego client will be activated.
Installing from a Transform Server
You can click Next> to continue to select the transform server to install the standard CTAS transforms from. By default, the Maltego public server will be selected. If you have a private CTAS server, you can enter either the hostname or IP address of that server.
Figure 17: Selecting the public transform server
Selecting Maltego public servers will install transforms, entities, machines and other transform configurations from the public Paterva CTAS transform server.
After clicking Next>, the transforms will be installed. When the installation is done, you will receive the following summary of what was installed to your Maltego client.
Figure 18: Transform discovery summary
You will then have the option to run a machine, start a new graph or open an example graph. Let's select Go away, I have done this before! for now and click Finish to complete the startup wizard.
After finishing the setup wizard, you will be taken to the Maltego Home page, which includes the Transform Hub and the Maltego Start Page, as shown in the image below. We will discuss this in more detail later.
Figure 19: Home page
Start a Machine Popup Window
By default, when starting the Maltego client or clicking on an empty graph, the Start a Machine wizard will open to help you run a machine on a new target.
Figure 20: Start a Machine wizard
On the first page of this wizard there are checkboxes that, if unchecked, stop the wizard from appearing automatically when Maltego starts and when you click on an empty graph. For now you can close this window, as it will be explained in the machine section of this document.
Configuring Java for Maltego
Before starting your first graph, it is always a good idea to check your Java configuration for Maltego to make sure that enough memory is allocated to your Maltego client. Normally it is adequate to apply the recommended settings. Instructions for this can be found in the Java Options sections of the document.
Updating Your Maltego Client
Before you start anything, it is always a good idea to update your Maltego client to the latest version. This can be done by clicking the Application button (the big button in the top-left corner of the main client window), then going to Tools and clicking Check for Updates. These steps are shown in the image below:
Figure 21: Check for updates
The Maltego update wizard will open and check for updates. If your Maltego client is already up to date, you can click Finish. If there are new updates to install, you will be prompted to install them with the window below:
Figure 22: Install updates
You can click Next> to allow the Maltego client to download and install the latest updates. Once the updates have finished installing, your Maltego client will restart automatically. Once restarted, you will notice that the installed update number is displayed in the title bar of the main window:
Getting Started
Maltego Concepts
Before we get our hands dirty, there are three important concepts in Maltego that need to be defined.
- An Entity is represented as a node on a graph and can be anything, such as a DNS name, a person, a phone number, etc. The Maltego client comes with about 20 entities geared towards online investigations, but you can also make your own custom ones.
- A Transform is a piece of code that takes one entity to another. It does this by querying a data source and returning the results as new entities on your graph. Data sources are places such as DNS servers, search engines, social networks, WHOIS information, etc.
- Machines chain multiple transforms together to automate common or tedious tasks.
The Home Page
When you start your Maltego client, you are first greeted by the Home page shown earlier in Figure 19: Home page. The Home page includes the Maltego Start Page on the left, which includes links to our social media accounts. We generally use Twitter to post notifications about new features and YouTube to publish any new video tutorials we make. All critical notifications will be posted directly on this page.
On the right-hand side of the Home page you will find the Transform Hub. The Transform Hub allows you to install transforms that are provided by 3rd-party transform vendors, as well as additional transforms provided by Paterva. Each of the transform packages in the Transform Hub is referred to as a Transform Hub Item. If you followed the steps in the previous section, you should have the PATERVA CTAS transform hub item installed as shown below:
Figure 23: PATERVA CTAS transform hub item
This transform hub item includes all the standard OSINT transforms for querying public sources of information online. There will be more information on the Transform Hub in a later section. But for now, let's start our first graph. For those unfamiliar with the term OSINT, here is a definition from Wikipedia:
Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.
Your First Graph
There are three ways to create a new graph in Maltego:
- You can click the (+) button in the top-left corner of the Maltego client window next to the Application button:
- You can create a new graph by clicking the Application button and then clicking New:
- But the easiest way is to use the keyboard shortcut Ctrl + T.
Figure 24: New graph shortcut
Figure 26: New graph from the Application menu
After creating a new graph, you will get a new page within a new tab, surrounded by a range of control windows, as shown in the image below.
Figure: New Graph
Entity Palette
Entities
Entities in Maltego are used to represent different types of information and are shown as nodes on your graph. All the entities available in your Maltego client can be found in the Entity Palette which, by default, is on the left-hand side of your graph. The entities in the palette are categorized into groups, the main categories being Infrastructure and Personal.
There are three aspects of an entity that should be understood before proceeding.
- The type - this is the type of information that the entity represents
- The value - this is the main information field of the entity and is always displayed on the graph:
- The properties - these are additional information fields for the entity
Figure 28: Entity value
Adding an Entity to Your Graph
To add a new entity to your graph, click and hold the desired entity and drag it onto the graph area as shown below:
Figure 29: Dragging an entity onto a graph
Once an entity has been dragged onto a graph, it becomes one of the nodes on the graph.
Editing an Entity Value
Double-click the text on the entity to edit the entity's value; the text will be highlighted and you can quickly edit the value:
Figure 30: Editing the value of an entity
Selecting an Entity
Left-click the node you want to select. You will see the selection circle appear around it.
Figure 31: Select a single entity
Selecting Multiple Entities
Drag a block with the mouse around the entities you want to select while holding down the left mouse button.
Figure 32: Select multiple entities
Once selected, the nodes will be highlighted as in the image below.
Figure 33: Multiple entities selected
Selecting Multiple Entities One at a Time
When faced with multiple nodes but you only want to select specific ones, use Shift + left-click. Shift + left-click each node that you want to select and they will be added to the selection.
Figure 34: Selecting multiple entities
Entity Details
To open the full Entity Details window, double-click anywhere on the entity icon other than the entity value. The Entity Details window includes four separate tabs, described below:
Summary
The entity Summary tab is shown first when the Entity Details window is opened. The tab contains a summary of all the entity's information, which can be found in more detail in the subsequent tabs of the Entity Details window.
The image below shows the Summary page for a domain entity. Thumbnails for all of the entity's attachments are also shown at the bottom of the summary window. There is also a large text area where entity notes can be added or edited.
Figure 35: Entity summary page
Attachments
The Attachments tab lets you see a list of all the file attachments for the entity.
Figure 36: Attachments tab in Entity Details
New file attachments can be added by clicking the Attach button. This opens a dialog where a local file can be selected or a URL to a file can be specified, which will then be fetched by the Maltego client.
Figure 37: Choosing a file attachment
File attachments can also be added to an entity by dragging and dropping the file from your file manager onto an entity on the graph.
On a Maltego graph, an entity that has a file attached to it is shown with a paper clip icon displayed on the left-hand side of the entity icon, as shown in the image below:
Figure 38: Entity attachment
Notes
The Notes tab includes a large text area where a note for an entity can be added or modified.
Figure 39: Notes tab in Entity Details
On a Maltego graph, entities with notes can be identified by the yellow page icon on the right-hand side of the entity icon, as shown below. Double-clicking the yellow page icon displays the note in a dialog on the graph, as depicted below. This dialog can be closed again by clicking the [X] in the top-right corner of the dialog.
Figure 40: Entity note
Properties
The Properties tab in the Entity Details window shows a list of key-value pairs for the different properties that the entity includes. The values of an entity's properties can also be edited from this window.
Figure 41: Properties tab in Entity Details
Using the Mouse
Panning and Zoom
To pan around your graph, right-click and hold while moving the mouse in the desired direction. You can also use the arrow keys to move to the next entity on the graph. This is useful when navigating large graphs and is much quicker than using the scroll bars.
Figure 42: Panning around your graph with the mouse
You can move the visible frame (white box) in the Overview window (top right) using the mouse (left-click, drag) - the main graph window will update in real time. Depending on the zoom level, the visible frame becomes larger (zoomed out) or smaller (zoomed in).
Figure 43: Using the overview to navigate a large graph
Zooming with the Mouse
The mouse wheel can be used to zoom in and out of your graph. Zooming is always relative to the position of the mouse pointer on the graph. For example, if the mouse pointer was at the far left of a graph, zooming in would mean that the graph slowly moves to the left, towards a center point where the mouse pointer was, instead of the center point being the center of the graph.
There are two different ways entities are rendered on a graph depending on the zoom level. When zoomed in close on the graph, each entity is represented as an entity icon with its value written below it, as shown in the image below:
Figure 44: Icon view
When zoomed out, the entities become solid round circles, where the color of the circle indicates the entity's type. A color legend is then displayed in the bottom-right corner of the graph for each entity type on the graph:
Figure 45: Legend view
Note that the colors are not always the same - for example, the IP address entity will not always be orange. This is because Maltego can be used with custom entities and the number of entities used is not known to the program.
The Context Menu
The context menu allows you to run transforms on the selected entities on your graph. When you right-click an entity (or group of entities), a context menu is displayed. The context menu is grouped into three different layers, namely the top level, the set level and the transform level, which are explained in the following sub-sections.
Top level
The top level of the context menu is where the different transform hub items that you have installed are listed. By default, the Maltego client will only have the PATERVA CTAS transform hub item installed from the Transform Hub. If Maltego only has a single transform hub item installed, the context menu will open at the set level, as there is only one item to choose from at the top level. For the sake of this example, additional transform hub items have been installed.
Figure 46: Context menu - Top level
In the image above, the context menu was opened for a domain entity by selecting the entity and right-clicking anywhere on the graph. Each line item in the menu represents a different transform hub item; clicking one of these items opens the set level for that hub item.
The first item in this list reads All Transforms, and clicking it skips the set level and opens the transform level of the context menu with all the transforms listed for the selected entity or entities.
Clicking the double arrow icon (>>) in line with each of the hub items will run all the transforms found in that transform hub item that are available for the selected entity.
When the mouse hovers over a transform hub item, a configure icon will appear. Clicking the configure button opens a configuration menu for that transform hub item, which allows global settings to be changed. These settings apply to the entire transform hub item.
At the bottom of the context menu the action bar is found. This allows various actions to be performed on the selected entities. Each of these actions will be described in later sections. The action bar remains the same regardless of what level you are on in the context menu.
Note: Running all transforms is almost always a bad idea as it is important to know what you are running and where the transform is getting the information from.
Set level
Left-clicking on a transform hub item will take you to the set level. In Maltego, sets are used to group transforms into categories of transforms that perform similar tasks and/or are often run together.
The image below shows the different sets available to a domain entity that are in the PATERVA CTAS transform hub item. Left-clicking the side-bar on the left of the context menu will navigate back up a level in the context menu (in this case back to the transform hub level). Right-clicking anywhere on the context menu will also navigate up a level. Each set also has a configure button which, when pressed, will open the set configuration window that will allow you to configure the transforms that are included in the set.
Figure 47: Context menu - Set level
Left-clicking the double arrow head (>>) will run all the transforms in the set while left-clicking anywhere else will open the transform level on the context menu for that set.
It is possible for the transforms from a transform hub item to not be categorized into sets, in this case selecting the transform hub item in the context menu will go straight to the transform level in the menu.
Transform level
The transform level of the context menu is where transforms are run from. Left-clicking on a single transform will run the transform. Alternatively, you can left-click the single arrow icon (>) on the right side of the context menu. Clicking the configuration icon in the transform line item will open the Transform Manager with the correct transform selected. The Transform Manager shows more information about the transform and allows the transform’s settings to be configured – it will be discussed in later sections.
Figure 48: Context menu - Transform level
Clicking the star icon in a transform line item will add the transform to the favorites category which will always be listed at the top of the context menu as a separate category regardless of what level of the context menu you are on.
Figure 49: Favorites item in the context menu
Finally, hovering over a transform’s line item will display a short description of what the transform does.
Figure 50: Transform description
It is important to note that the context menu is entity specific, meaning that the items shown in the context menu are related to the transforms that are available to the entity type that you have selected. If the graph selection includes entities of different types, then the context menu will include all items that are available to any of the selected entities.
Action bar
The action bar, found at the bottom of the context menu, allows you to perform a range of actions on the selected portion of your graph. The ten actions from the action bar are labelled in the image below and then described further below that.
Figure 51: Action bar with labels
- Copy to new graph: Copies your current selections to a new graph.
- Delete Entities: Delete the selected entities. This can also be done with the delete key on the keyboard.
- Change Entity Type: Opens a dropdown menu that includes all entities from the entity palette. Picking an entity from the dropdown will change all your selected entities to that type.
- Merge entities: Creates a single entity with properties from all the entities that were merged. Clicking the merge action will open a window that is used to select a primary entity for the merge. The primary entity will take preference over the other entities and its entity type will be used for the newly merged entity. The image below shows the merge window for three entities being merged: a person, an alias and a Twitter Affiliation.
- Copy in different formats: Copy your graph selection in different formats. Each format is described below:
  - Copy (as GraphML) - this will copy your graph to your system clipboard as an XML based graph format. This format will include information about the entities and the links between the entities in your selection.
  - Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.
  - Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.
  - Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.
- Cut Entities: Cut your entity selection to your clipboard.
- Add Attachment: Attach files to the entity. Clicking this button will open a window to choose the file to be attached:
- Send to URL: Opens a “developer friendly” feature in Maltego. It takes the selected segment of the graph and POSTs a hybrid GraphML/XML to the page which then returns a URL that Maltego will open in a browser. No documentation is provided with this as it is purely for demonstration purposes.
- Type Actions: Quickly search Google or Wikipedia for an entity's value. When a type action is run, your default web browser will open and the search will be performed there.
- Clear and refresh images: Re-fetch all downloaded images on your graph.
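The ‘type#value’ and ‘type#value#weight’ list formats described above are easy to post-process outside the client, for example to inventory what a copied selection contains before it is pasted into a report or case file. The following is an added example, not code from the Maltego documentation; it assumes one item per line, that the type field never contains ‘#’, that the weight is an integer, and that a value may itself contain ‘#’ (such as a URL fragment). The sample lines are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entity:
    type: str
    value: str
    weight: Optional[int] = None


def parse_line(line: str, with_weight: bool) -> Entity:
    """Parse one 'type#value' or 'type#value#weight' item.

    Assumption: the type never contains '#', the weight is an integer,
    and the value may contain '#' itself (for example a URL fragment).
    """
    # The type ends at the FIRST '#'.
    etype, sep, rest = line.partition("#")
    if not sep or not etype or not rest:
        raise ValueError(f"not a type#value item: {line!r}")
    if not with_weight:
        return Entity(etype, rest)
    # The weight starts after the LAST '#', so '#' inside the value survives.
    value, sep, weight = rest.rpartition("#")
    if not sep or not value:
        raise ValueError(f"missing weight field: {line!r}")
    try:
        return Entity(etype, value, int(weight))
    except ValueError:
        raise ValueError(f"weight is not an integer: {line!r}") from None


def parse_clipboard(text: str, with_weight: bool = False):
    """Return (entities, rejected_lines); duplicates dropped, order kept."""
    seen, entities, rejected = set(), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            ent = parse_line(line, with_weight)
        except ValueError:
            rejected.append(line)  # keep for manual review, never drop silently
            continue
        key = (ent.type, ent.value)
        if key not in seen:
            seen.add(key)
            entities.append(ent)
    return entities, rejected


def inventory(entities):
    """Group entity values by entity type."""
    groups = defaultdict(list)
    for ent in entities:
        groups[ent.type].append(ent.value)
    return dict(groups)


# Constructed sample of a 'type#value#weight' clipboard list.
SAMPLE = """\
maltego.Domain#example.com#100
maltego.URL#https://example.com/docs#install#80
maltego.EmailAddress#admin@example.com#90
maltego.Domain#example.com#100
this line is not an entity
"""

if __name__ == "__main__":
    ents, bad = parse_clipboard(SAMPLE, with_weight=True)
    for etype, values in inventory(ents).items():
        print(f"{etype}: {values}")
    print("rejected:", bad)
```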
Figure 52: Change type dropdown menu
Figure 53: Merging window
Merging these three entities making the Twitter Affiliation the primary entity results in the image below. Note that the properties from the other two entities are now in the Dynamic properties of the merged entity:
Figure 54: Merged entity
Figure 55: Copy entity selection to clipboard
Figure 56: Choose the file to attach
Figure 57: The two default type actions
Running a Transform
When running a transform, a progress bar will appear in the bottom-right corner of the screen.
Figure 58: Transform progress bar
When running multiple transforms on multiple entities the progress bar will give an indication of the overall progress of all transforms.
The [X] (far right of the status bar) allows you to easily cancel all transforms that are currently running (for example – if you have selected the incorrect transform and don’t want the results to distort your graph with irrelevant entities). To cancel a running transform, simply select the [X] at the bottom of the screen. You will then be given a confirmation dialog that looks as follows:
Figure 59: Cancel Transform conversation dialog
By simply selecting Yes you can cancel the running transforms. Selecting No will allow the transforms to complete as usual.
When running multiple transforms, you can click on the transform progress to see which transform is currently running:
Figure 60: Viewing current transform being run
A maximum of five transforms will be run at once. Additional transforms will be queued until the earlier transforms have completed.
Graph Options
Screen real estate is very valuable and there is a lot of information that needs to be displayed by Maltego. Depending on the size of your screen you will need to move things around, display them differently and sometimes hide them to be able to see what you want to see. This section is all about getting the most out of your GUI.
Graph Tabs
When multiple graphs are opened in the Maltego client, they will each have their own tab above the main graph window. Graphs that have not been saved yet will be displayed as New Graph (number). Once a graph is saved, the display name on the name tag will change to the name under which it was saved. The * behind a graph indicates that it contains data that has not yet been saved.
The first tab is always the Home screen that includes the Start Page and Transform Hub:
Figure 61: Tabs for each graph that is open in the Maltego client
Right-clicking on a graph’s tab will open the dropdown menu described in the image below.
Figure 62: Options for graph tabs
Shift Left and Shift Right can be used to change tab ordering. The other items not described in the image above are used to make a graph tab into its own floating window; however, these options are rarely used.
Graph tabs can also be re-arranged by clicking and dragging the tab to another position:
Figure 63: Moving graph tabs
Graph Tab Buttons
Navigating the display is always an issue of being able to see only what you want to see. For this reason, the Maltego client has been made very versatile and adaptable. As discussed previously, graphs are maintained in tabs which can be flipped through. The next section details some of the options available to display information windows. On the top right-hand side of the graph the following options are available:
Figure 64: Graph bar buttons
When there are more tabs than can be displayed, the additional tabs will not be shown. The first two buttons in the image above allow you to scroll left and right through the tabs that are not shown.
The third button in the tab bar opens a drop down that shows all the graphs that are currently open. The arrow points to the graph that is currently in view.
Figure 65: List of graphs that are currently open
The last button in the tab bar will maximize the graph window and minimize all other windows in the Maltego client as shown in the image below. Double clicking the graph tab will also maximize the graph window.
Figure 66: Graph window maximized
Clicking the button again will restore the windows to their previous state.
Layout Sidebar
The layout sidebar is always found on the left-hand side of your graph window. It allows you to configure various view and layout options for your Maltego graphs. The image below provides labels for each of the items in the layout sidebar.
Figure 67: Layout sidebar with labels
- Full screen mode - Makes your Maltego client full screen. Pressing Alt + Enter together on your keyboard will also enter full screen mode. Exit full screen mode by pressing the Esc key on your keyboard. Full screen mode is shown in the image below:
Figure 68: Full screen mode with annotations
- Lock Layout – Locks all entities that are currently on the graph from moving when transforms return. The new entities that are returned by transforms will still be laid out.
- Full vs incremental Layouts – This option should be used during collaborative sessions when you want to preserve your graph layout.
Layouts
Buttons 4 to 8 in the layout sidebar are used to determine how entities will be arranged on the graph. There are four standard layouts.
- Block layout - In this layout nodes are shown using the following rules:
- In blocks of nodes
- Sorted by entity type
- Sorted by entity weight
An entity's relevance is represented by the entity's weight. For example, entities that are returned from any of the search engine transforms will be weighted according to how relevant they are (their page rank).
The image below shows an example of block layout.
Figure 69: Block layout
- Hierarchical layout - In hierarchical layout entities are grouped by layers that are stacked on top of each other. Think of this as a tree based layout – like a file manager.
- Circular layout - Nodes that are most central to the graph (e.g. most links) appear in the middle of circles with the other nodes scattered around it.
- Organic layout - In organic layout nodes are packed tight together in such a way that the distance between each entity and all the other entities is minimized. The closer the entities are to each other the more connected they are.
- Interactive organic – this layout is a lot like the organic layout. Entities are positioned according to how connected they are to the rest of the graph. The two differences with interactive organic are:
- When new entities are returned to the graph, only entities that are closely connected to the returned entities are moved instead of the entire graph laying out again every time new results are returned. For this reason, putting a graph into interactive organic layout will improve performance when dealing with larger graphs as less layout computation is required.
- Entities are not as tightly packed to each other as they are in organic layout.
Figure 70: Hierarchical layout
Figure 71: Circular layout
Figure 72: Organic layout
The graph below shows the same graph as above, but in interactive organic layout. It can clearly be seen that the entities are less tightly packed.
Figure 73: Interactive organic layout
Freezing and refreshing the graph
- Freezing the graph – The freeze button is used when you have many nodes that are coming into the graph (e.g. running a lot of transforms on many nodes) and don’t wish for the layout to be constantly updating. By delaying the layout, the application can process transforms faster as it does not need to update the display after every transform. To unfreeze the graph simply press the same button and the graph will resume as normal.
- Refresh graph – Enabled when your graph is frozen and new entities have been returned. Allows you to manually refresh the graph layout.
Views
The next section in the layout sidebar is under View. Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Views can be used to determine the size and color of entities based on different properties of the graph. It is possible to write your own views; however, that is beyond the scope of this document. The seven views that come with Maltego out of the box size entities according to different properties.
- Normal View – When you are zoomed in close to entities, the entity icon will be rendered on the graph. When you zoom out to legend view, each entity is represented by the same sized ball with a color that corresponds to the entity type. This view is the default view when you start a new graph.
- Diverse descent – this view is probably the most difficult to understand. With diverse descent, entities are sized according to the number of incoming links the entity has. However, incoming links with different grandparent entities are weighted higher. This is better explained with a graph.
- Ball size by all links – Entities are sized according to the total number of links (incoming and outgoing) they have. The more links an entity has, the bigger it is sized on the graph. The graph below shows the example graph using this view:
- Ball size by incoming links - Entities are sized according to the total number of incoming links it has. The more incoming links an entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:
- Ball size by outgoing links - Entities are sized according to the total number of outgoing links it has. The more outgoing links an entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:
- Ball size by rank – This will size each entity based on its own number of links and the sum of its neighbors' links. The graph below shows the example graph using this view:
- Ball size by Weight – This will size entities based on the entity’s weight. Some transforms (such as the search engine ones) return a weight field that represents the relevance of the entity. The graph below shows the results of a search engine transform. As you can see from the graph, in block layout, the entities are ordered according to their weight.
Figure 74: Example graph shown in normal view
Figure 75: Diverse descent explanation
In the image above, the IP address entities are sized differently even though they both have two incoming links. The reason for this is that the IP address on the left has two incoming links that originate from two different sources while the IP address on the right has two incoming links but they both originate from the same source. There are many cases where this view is useful. In this case, it emphasizes IP addresses that are related to different domains. The graph below shows the example graph using the diverse descent view:
Figure 76: Example graph with diverse descent view
Figure 77: Example graph with view set to ball size by total number of links
Figure 78: Example graph with view set to ball size by total number of INCOMING links
Figure 79: Example graph with view set to ball size by total number of OUTGOING links
Figure 80: Example graph with view set to ball size by rank
Figure 81: Graph with search engine results with view set to size by weight
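The sizing rules of the views above, computed over a small directed graph, as an added Python example that is not part of the original guide or of Maltego itself. The rank and diverse descent formulas are assumptions chosen to match the descriptions (the guide does not give Maltego's exact weighting), and the sample graph is constructed.

```python
from collections import defaultdict

# Constructed sample graph: directed links (parent, child). Both IP addresses
# have two incoming links, but only the first is reached from two different
# domains (two distinct grandparents).
EDGES = [
    ("domain:a.example", "dns:www.a.example"),
    ("domain:b.example", "dns:www.b.example"),
    ("dns:www.a.example", "ip:192.0.2.10"),
    ("dns:www.b.example", "ip:192.0.2.10"),
    ("domain:c.example", "dns:www.c.example"),
    ("domain:c.example", "dns:mail.c.example"),
    ("dns:www.c.example", "ip:192.0.2.20"),
    ("dns:mail.c.example", "ip:192.0.2.20"),
]


def index_graph(edges):
    """Return (parents, children) adjacency maps for directed links."""
    parents, children = defaultdict(set), defaultdict(set)
    for src, dst in set(edges):  # duplicate links are counted once
        children[src].add(dst)
        parents[dst].add(src)
    return parents, children


def view_scores(edges):
    """Compute one score per view for every node in the graph."""
    parents, children = index_graph(edges)
    nodes = set(parents) | set(children)
    total = {n: len(parents.get(n, ())) + len(children.get(n, ()))
             for n in nodes}
    scores = {}
    for n in nodes:
        node_parents = parents.get(n, set())
        node_children = children.get(n, set())
        neighbours = (node_parents | node_children) - {n}
        # Grandparents: the parents of this node's parents.
        grandparents = set()
        for p in node_parents:
            grandparents |= parents.get(p, set())
        scores[n] = {
            "incoming": len(node_parents),
            "outgoing": len(node_children),
            "all_links": total[n],
            # Assumption: own links plus the plain sum of neighbours' links.
            "rank": total[n] + sum(total[m] for m in neighbours),
            # Assumption: incoming links plus one per distinct grandparent,
            # so links descending from different sources weigh more.
            "diverse_descent": len(node_parents) + len(grandparents),
        }
    return scores


def ordering(scores, view):
    """Node names from largest to smallest ball under the given view."""
    return sorted(scores, key=lambda n: (-scores[n][view], n))


if __name__ == "__main__":
    result = view_scores(EDGES)
    for view in ("incoming", "all_links", "rank", "diverse_descent"):
        print(view)
        for node in ordering(result, view)[:3]:
            print(f"  {result[node][view]:>2}  {node}")
```

Under the incoming-links view the two IP addresses are indistinguishable; only the diverse descent score separates the address shared by two domains from the one reached twice from the same domain.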
Ribbon menu
The main ribbon menu in the Maltego client is where you will find buttons for most of the tool's functionality. The buttons are separated into tabs, each outlined in the following sections.
Investigate - Tab
The Investigate tab is open by default when starting a graph in Maltego 4. It provides you with numerous options to manipulate and navigate a graph. The options available are grouped in logical groups.
Figure 82: Investigate tab
Clipboard
Figure 83: Clipboard tools on the investigate tab
The clipboard tool provides the following intuitive functionality:
- Paste - To paste nodes that have been cut or copied.
- Clear All - Clear the entire contents of the graph.
- Copy - To copy selected nodes.
- Cut - Cut selected nodes.
- Delete - Delete selected nodes.
Copying
Selecting a portion of your graph and selecting the Copy dropdown will provide the options shown below:
Figure 84: Copying options
- Copy (as GraphML) - this will copy your graph to your system clipboard as an XML based format. This format will include information about the entities and the links between the entities in your selection.
- Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.
- Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.
- Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.
If you choose the last option in the list, To New Graph, you will get another set of options to choose from shown below:
Figure 85: Copying to new graph
You can decide if you want the sub graph or just the entities that are selected (Copy With Links vs. Copy Without Links). Another option is Copy With Neighbors. This allows you to easily focus on the part of the graph that is interesting – by isolating nodes around the node of interest. There are three sub categories:
Any will select, copy and paste child and parent nodes to a new graph; Children will only select child nodes; and Parents will only select parent nodes. The numeric field indicates how many levels should be selected. Let’s assume we want all the parents and children of the IP number selected in the example above. We’ll use Any and the number 1. This will result in a new graph that looks as follows:
Figure 86: Result of copy
Copy from the Action bar
From the action bar in the context menu there are also options for copying portions of your graph in different formats. The button on the far left of the action bar (shown below) is a shortcut to copy your current graph selection to a new graph.
Figure 87: Copy to new graph
The action bar also has options for copying your selection to your system clipboard in different formats, like you can do from the ribbon menu:
Figure 88: Copy selection to clipboard
Copying from the detail view
The Detail View on the right-hand side of your Maltego client lists information about the entities that are currently in your selection.
Figure 89: Detail View
You can copy this information out of Maltego as a comma separated list by selecting the entities from the list and then pressing Ctrl + C or right-clicking on them to open the context menu. To select entities from the list you can:
- Click on them individually,
- hold down Ctrl and click on each entity to select multiple entities one at a time,
- or hold Shift and click to select multiple entities sequentially.
Pasting your selection into a text editor will result in a CSV as shown in the image below:
Figure 90: CSV copied from the Detail View
Pasting onto a graph
When you paste text onto a graph, Maltego tries to identify the type of entity that is pasted from text. Consider the following example:
Figure 91: Text to be copied from a text editor
Copying and pasting all the above text into Maltego leads to the following entities:
Figure 92: Result of copy from text
Note that the URL entity type displays the title of the URL not the entire URL (but the entity will work as expected as the full URL is stored as an entity property).
Keep in mind that Maltego will fail to recognize complex entities in some cases (think phone numbers in unusual formats!). In these cases, you might want to tell Maltego what the entity type is. This can be done by prepending the entity value with the entity type. Consider the following text:
Figure 93: Text to be copied
When the above is selected, and pasted it results in the following graph:
Figure 94: Forcing entity type to phrase
Entity types (e.g. what’s inserted before the #) can be obtained by dragging an entity to the graph and looking in the Detail View at the entity type description (highlighted in orange below):
Figure 95: Finding an entity type
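The list formats from the Copy options and the type prefix used when pasting, handled in one added Python example (not code from the guide or from Maltego). It assumes one item per line and integer weights; the entity type names in the constructed sample are assumptions to check against the Detail View.

```python
FORMATS = ("value", "type#value", "type#value#weight")

# Constructed sample of a 'type#value#weight' copy. The phrase value itself
# contains '#', which a naive line.split("#") would break apart.
SAMPLE = """\
maltego.Domain#example.com#100
maltego.Phrase#ticket #4521 phishing#100
maltego.IPv4Address#192.0.2.10#100
"""


def parse_list(text, fmt="type#value#weight"):
    """Parse a copied entity list into dicts with type, value and weight.

    The type is taken up to the first '#', the weight after the last '#',
    and everything in between is the value, so '#' inside values survives.
    """
    if fmt not in FORMATS:
        raise ValueError(f"unknown list format: {fmt!r}")
    fields = fmt.split("#")
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rest = raw.strip()
        if not rest:
            continue  # skip blank lines
        row = {"type": None, "value": None, "weight": None}
        if "type" in fields:
            etype, sep, rest = rest.partition("#")
            if not sep or not etype:
                raise ValueError(f"line {lineno}: missing entity type")
            row["type"] = etype
        if "weight" in fields:
            rest, sep, weight = rest.rpartition("#")
            if not sep or not weight.isdigit():
                raise ValueError(f"line {lineno}: missing or bad weight")
            row["weight"] = int(weight)
        if not rest:
            raise ValueError(f"line {lineno}: empty value")
        row["value"] = rest
        rows.append(row)
    return rows


def to_paste_lines(rows, default_type=None):
    """Build 'type#value' lines so pasted text keeps the intended type.

    default_type is applied to rows parsed from a plain 'value' list.
    """
    lines = []
    for row in rows:
        etype = row["type"] or default_type
        if not etype:
            raise ValueError(f"no entity type for value {row['value']!r}")
        lines.append(f"{etype}#{row['value']}")
    return lines


def by_type(rows):
    """Group values by entity type, preserving the order of the list."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row["type"], []).append(row["value"])
    return grouped


if __name__ == "__main__":
    parsed = parse_list(SAMPLE)
    for etype, values in by_type(parsed).items():
        print(etype, values)
    # Force a phone number in an unusual format to be pasted as a phrase.
    phones = parse_list("+27 (0)12 345-6789\n", fmt="value")
    print("\n".join(to_paste_lines(phones, default_type="maltego.Phrase")))
```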
Transform slider
Figure 96: Selecting the number of transform results.
The transform results slider is used to set the number of results returned when a transform is run. The numbers that the transform slider can be set to differ between the versions of the Maltego client as follows:
- Maltego CE: 12
- Maltego Classic: 12, 50, 255, 10k
- Maltego XL: 12, 255, 4k, 64k
The transform slider (i.e. the max number of results that can be returned to the Maltego client from a single transform) is one of the main differentiating factors between the different Maltego clients.
When set to the very left, Maltego will only show the top 12 results based on weight. One needs to understand the implications of these settings. Many transforms have no concept of weight. In fact, only search engine transforms use weight as an indication of relevance. Think about the reverse DNS results for a class C network – it can potentially return 255 results – each of them with a weight value of 100 (the default value), as no one DNS entry is more important than the other. Setting the slider to 12 results will only show the first 12 results – useful for simply getting an idea of what is in the network, but useless for enumerating ALL the reverse DNS information of the block. In the same way, setting the slider to 255 results for a search engine transform (e.g. looking for someone specific but who has a very common name) is not clever as you will be flooded with results. You must be careful to understand how the slider works and spend time experimenting with it.
Take Note: When you do not see the number of results that you expected to see, check how many results the transform result selector is set to return.
Find
Figure 97: Find tool from the Investigate tab
From the find options in Maltego, you can search your current graph as well as saved graphs stored on your machine.
Quick find
The Quick Find option on the Investigate tab is a very handy tool to find something specific in a very large graph. The following toolbar will open at the bottom of your graph (the find toolbar can also be opened by pressing Ctrl + F):
Figure 98: The Find Toolbar at the bottom of a graph
You can now enter a search term, select the specific entity type or specify All (the whole graph) and you have the option to search all the Properties, Notes and Detail View. Once you click the Find button, the relevant entities will be highlighted in the graph and the search hits will be listed in the Detail View. If you check the Zoom checkbox, then your graph will zoom to your results that match your search criteria.
Find in files
Find in Files does exactly what the title suggests, it allows you to perform text searches on multiple Maltego graphs that are saved in a specified folder on your machine.
Clicking the Find in Files button opens the window shown below:
Figure 99: Find in files
Under the Where field you can specify the folder that you wish to search. This folder must include .mtgl and/or .mtgx graph files. The Browse button can be used to open a directory window where you can find the folder you wish to search. If the folder that you choose has multiple sub-directories that you also wish to search, then you must check the Recursive checkbox.
The Find input field allows you to specify your search term. The Case Sensitive checkbox can be used to choose whether the search should be case sensitive or not.
The options from the Graph items field will allow you to choose whether to search entities and/or links. It also allows you to limit your search to a specific entity type from the drop down menu.
Finally, the Search in field allows you to choose which of the entity's text fields should be searched in.
Entity selection
The entity selection panel has various options allowing you to manipulate the graph selection.
Figure 100: Entity selection panel from the investigate tab
Link vs. Entity mode
Maltego can operate in two different modes – Link Selection mode, or Entity Selection mode. The default mode is Entity Selection mode. To switch between modes, you can press Ctrl + M or click on the mode selection icon at the top (this icon indicates the current mode):
Figure 101: Entity and Links selection buttons
To quickly switch between the two, you can also press and hold the Ctrl key on your keyboard while dragging or selecting.
Link mode – selecting links
In Link Selection mode, you will be selecting links. Dragging a box around links will select multiple links:
Figure 102: Selecting Links
The selection in the image above will result in the selection below:
Figure 103: Links selected
Link Selection mode is enabled in the image above; you will notice the selected links are highlighted yellow.
Links can also be selected by selecting nodes (in Entity Selection mode) and then switching to Link Selection mode.
Creating manual links between entities
Manual links can be established by left-clicking and holding on an unselected source entity, then dragging a link to the target entity. This action is shown in the image below:
Figure 104: Manually creating a link
Once you release left-click on the target entity, a link properties menu will appear that allows you to specify properties for the link.
Figure 105: Entity properties
The properties settings shown in the image above will result in the link below being created:
Figure 106: Manual link with custom properties
The label of the link is displayed on the link on your graph. Link labels can be set to be visible or invisible. When working with a large graph you might not want to show all the transform link labels, as things get confusing quickly if you have a lot of link labels. By default, transform link labels are set to be invisible in global settings.
Link Detail and Property view
When a link is selected the Property View and Detail View will display additional information about the link. Link properties that are created by a transform cannot be edited by the user, however, links that are created manually by the user can be edited.
Figure 107: Link details and property view
In the Detail View, in the image above, it is shown that the link was manually created and it specifies the two entities that the link is between.
Remember: The Detail View displays read-only information about the selection while the Property View shows properties that can be edited by the user.
The Property View for the link shows the properties that were set at the time that the link was created. Each of these properties can be edited from the Property View window.
To set the properties of multiple links at once do the following:
- Select the links.
- Set the properties of the links in the Property View (highlighted in the screenshot below):
Figure : Properties of Multiple links being edited
From the Property View the style, thickness and color can also be configured. Link labels can be set to be visible or not – independent of the global settings. This is done by selecting the link/links and changing the Show Label field.
The Details window for a link can be opened by double-clicking on the entity link, just as the Details window is opened for an entity.
Figure : Details Window for a Link
Link properties can also be edited from the Details window for the link in the second tab.
Figure : Properties tab in Details Window for a Link
Entity Selection Shortcuts
The remaining buttons in the entity selection panel provide shortcuts for manipulating your entity selection and will be outlined in the upcoming sections.
Select all and Select none
Figure 111: Select all and select none
Select All and Select None will do what their names suggest, respectively they will select all entities on your graph and de-select all entities on your graph.
The keyboard shortcut for selecting all entities on your graph is Ctrl + A.
Invert selection
Figure 112: Invert entity selection
Inverting the entity selection will de-select all currently selected entities and select all currently de-selected entities. Clicking the Invert Selection button with the graph below:
Figure 113: Before inverting entity selection
will result in the graph below:
Figure 114: Selection after Inverting the selection
Add Parents
Figure 115: Add Parents to selection
You can select a child node and press Control + Shift + Up arrow to select the parents while keeping the children in the selection. This is useful for selecting a family tree, but from a child node’s perspective.
Figure 116: Add parents
Add Children
Figure 117: Add Children to selection
Select child nodes while keeping parents selected.
Figure 118: Add children
Add Similar siblings
Figure 119: Add Similar Siblings
Add Similar Siblings will add to your selection all entities that have the same parent entities and are of the same entity type.
Figure 120: Add similar siblings
Add Neighbours
Figure 121: Add Neighbors to selection
Add Neighbors will keep the present nodes selected and select the nodes directly adjacent to the present node as well.
Figure 122: Add Neighbors
Add Path
Figure 123: Add Path between two selected entities
The Add Path selection shortcut is most useful. It selects the nodes in the path between multiple nodes (this function is disabled unless multiple nodes are selected). This is best shown with an example. Let’s assume the following nodes are selected:
Figure 124: Selecting two entities from the graph
On a complicated graph, such as the one above, it would be quite difficult to find all the entities that connect the person and the email address. Clicking the Add Path button selects all the entities that connect the two selected entities together as shown in the next image. (The Detail View shows all selected entities).
Figure 125: Clicking add path selects all entities connecting the initial two
Copying the selection to a new graph shows how this person and email address are connected:
Figure 126: Copied selection to a new graph
Add Path - Another example
The example below (with a simpler graph) will demonstrate how entity links can also be added to the selection between two entities using Add Path function. The selected links will then be edited to change their properties to highlight the path between the two originally selected entities.
Figure 127: Select two entities
When these nodes are selected and the Add path button is clicked the following nodes will be selected (those along the path):
Figure 128: Path selected
If the above graph is switched to Link Selection mode, the links between the highlighted entities are selected:
Figure 129: Links of path selected
They can now be edited. Let’s assume we want to mark the path between the entities with a thick, dotted red line:
Figure 130: Properties of path links changed
The Property View for these links ends up looking like this:
Figure 131: Link property view
Select Parents
Figure 132: Select Parent entities
You can select a parent of a node (e.g. the source of the selected node). This is useful to get to the original source of a child node. You can also do this by selecting the node and pressing Ctrl + Up arrow.
Figure 133: Select parents
Select Children
Figure 134: Select Parent entities
It is very useful to be able to select the children of a node (e.g. all the nodes that were created from the node). You can also do this by selecting the parent and pressing Ctrl + Down arrow.
Figure 135: Select Children
Select Neighbours
Figure 136: Select Neighbors
Select Neighbors will select the nodes directly adjacent to the present selected node (incoming and outgoing nodes).
Figure 137: Select neighbors
Select Bookmarked
Select Bookmarked allows you to select bookmarked entities by the different colors.
Figure 138: Select Bookmarked
Select by Type
Figure 139: Select by Type dropdown menu
Select by Type is very useful when you want to select all the entities on your graph of a certain type. Clicking the dropdown will show you all the entity types that are currently on your graph, from which you can choose the type to select.
Figure 140: Select by type
Select Links
Figure 141: Select Links dropdown
Select Links has three options in the dropdown menu. Each of the options helps select links related to entities that are currently in the selection.
Select Links – Incoming and Outgoing
Select links – (Ctrl + L): Selects incoming and outgoing links for currently selected entities.
Figure 142: Select links – outgoing and incoming
Select Links – Outgoing (Ctrl + End): Selects outgoing links for currently selected entities.
Figure 143: Select links - outgoing
Select Links – Incoming (Ctrl + Home): Selects incoming links for currently selected entities.
Figure 144: Select links - incoming
Reverse Links
Figure 145: Reverse Links
Reverse Links: reverses the direction of a selected link (manually created links only). The button will only become enabled when a link is selected.
Figure 146: Reverse links
Zooming
The zoom tools under the Investigate tab include a range of shortcuts for zooming to different areas of a graph. The following sections will cover these zooming shortcuts.
Figure 147: Zoom Tools on the investigate tab
Zoom In and Out
Use the scroll wheel of the mouse to zoom in and out of the graph.
Figure 148: Zooming with mouse scroll wheel
If you are using a notebook without a mouse (not recommended) you can use the buttons on the Investigate tab of the GUI. The Zoom In and Zoom Out buttons can be used in place of the scroll wheel on the mouse to navigate in and out of a graph:
Figure 149: Zoom in and out
Zoom to Fit
The Zoom to Fit button is very handy to quickly center graphs to zoom around the full graph (Ctrl + Q on the keyboard).
Figure 150: Zoom to fit
Figure 151: Zoom to fit
Zoom 100%
Figure 152: Zoom 100%
Zoom 100% will zoom to a 100% zoom level on the graph. The current zoom level of a graph is shown in the top right-hand corner of the graph:
Figure 153: Zoom level (%)
Zoom to (%)
Figure 154: Zoom to (%)
Zoom To (%) has a dropdown menu that allows for the selection of the zoom level as a percentage.
Zoom Selection
Figure 155: Zoom to selection
Zoom Selection allows you to select a portion of the graph using normal selection techniques and then quickly zoom to the area. This can be done by clicking on the Zoom Selection button, or by pressing Ctrl + W.
Figure 156: Zoom to selection
View – Tab
The View tab in the Maltego client allows you to configure settings relating to the view of your graph. The following sections will describe what each of the view options will do to your graph.
Figure 157: View tab
Views
Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Views can be used to determine the size and color of entities based on different properties of the graph. It is possible to write your own views; however, that is beyond the scope of this document.
Custom views can be created from the Manage View window that can be opened from the dropdown menu shown below:
Figure : Manage Views
The seven views that come with Maltego out of the box are covered in the Layout Sidebar section.
Graph layout
Figure 159: Graph layout options
The graph layout allows you to configure various layout options for your Maltego graphs which determine how entities are drawn in relation to each other. Each of the graph layout options is explained in the Layout Sidebar section.
Entity Alignment
Figure 160: Entity alignment panel
Options found under the entity alignment panel can be used to “justify” entities to different alignments on the graph.
Link Labels and Properties
Figure 161: Link label panel
The link labels and properties panel under the View tab allows you to set what is shown on a link.
Show custom/transform link labels
Show Custom Link Labels allows you to choose whether link labels are shown on the graph. This is a global setting that can be overwritten by individually set link label properties. Show Transform Link Labels will show the name of the transform that created the link when the option is checked.
Figure : Show Transform Link Labels Checked
Properties affect appearance
The Properties Affect Appearance checkbox allows you to choose whether a link’s properties affect the appearance of the link on the graph.
Entity Notes
Figure 163: Entity notes panel
The entity notes panel under the View tab simply allows you to set a global setting of whether entity notes should be shown on the graph:
Figure 164: Hiding entity notes
Entities – Tab
The Entities tab allows you to manage the entities that are available in your Maltego client, add new entities and create your own entities.
Figure 165: Entities tab
Creating New Entities
The first button under the Entities panel allows you to create a New Entity Type. Clicking the dropdown opens two new entity options:
Figure 166: New entity type dropdown menu
The New Entity Type (Advanced) will provide more options when creating a new entity.
Clicking New Entity Type (Advanced) opens a wizard that will guide you through the process of creating a new custom entity. The first step of the New Entity Wizard is shown in the image below:
Figure 167: New Entity Wizard - Step 1
- Display name – this is the name of the entity that will be shown in the entity palette.
- Short description – this field must describe the new entity in one sentence. This description will also be shown in the entity palette.
- Unique type name – this is a unique identifier for your new entity and must be unique. Unique type names are prefixed with the creator’s alias. For example, all entities that come with Maltego have a Unique type name prefixed by “maltego.”
- Inheritance – Transforms are designed to run only on a specific type of entity. For example, the 'To MX Record' transform runs on a Domain, but not on a Person. Sometimes, however, you do want transforms to run on additional entities that extend base entities. In Maltego, inheritance allows you to inherit transforms from a base entity. If the new custom entity inherits from another entity (the parent entity), then all the transforms that run on the parent entity will also run on the new custom entity. This is useful when creating a more specific type of an already existing entity. For example, if a “police officer” entity was created, it would inherit from a person entity, as a police officer is a type of person and it would be useful to have all the transforms for a person also run on the new police officer entity. Note: Transforms that are built to run on the child entity (the entity inheriting) will not run on the parent entity.
- Icons – An entity icon must then be chosen for the new entity type. The Maltego client comes with standard entity icons that can be chosen from. More icons can also be added under Manage Icons, which will be explained later.
Figure 168: New Entity Wizard - Step 1 – Complete
After clicking Next>, the main property for the new entity can be configured.
Figure 169: New Entity Wizard - Step 2
The main property (also called the entity value) is the property of the entity that is going to be shown on the graph. This step allows for the configuration of this main property:
- Property display name – This is the property name that will be displayed in the property view.
- Short description – This provides a description of the property in one sentence.
- Unique property name – this name uniquely identifies this property and should not be re-used.
- Data type – this allows you to specify the type of information that the property is representing. The data type can be selected between: string, date, integer or double.
- Sample value – the sample value will be the default value for this entity type when a new entity is dragged onto a graph from the entity palette.
Once these fields have been completed click Next> to continue to the next step of the wizard.
The next step simply allows you to choose which category the new entity type should be found under:
Figure 170: Choose the entity category - Step 3
The Personal category is chosen for the new Police Officer entity.
Clicking Next> will lead to the Additional Properties section of the wizard:
Properties for an entity describe the extra fields that an entity contains. Several entities contain just a single field such as a DNS Name and for most entities creating a single field is enough.
From the Additional Properties step, you can add additional properties for your entity to represent pieces of information that are commonly found with the new entity type. At this stage, it is important to consider whether additional information relating to the new entity type should be made a property of the new entity or an entirely new entity on its own.
Figure 171: Additional properties - Step 4
By default, there will be one property populated which is the main property (entity value) that was configured in step 2.
To add new properties, click the Add property… button in the top left-hand corner of the wizard window. This will open a new window where the new property can be configured. In this case, a “badge number” will be added for the new “Police Officer” entity:
Figure 172: Adding a new property
For the new property, the following fields must be completed:
- Name – this name uniquely identifies the property
- Display name – this is the name that will be shown in the Property View in the Maltego UI
- Type – this allows you to specify the data type that the property will be representing. There is a range of data types to choose from the dropdown menu.
Once these three fields have been chosen, clicking OK will add the new property to the entity. From the main wizard window, additional configurations can be made to the new property:
Figure 173: New entity property
- Required - If this is checked then this property cannot be left blank when adding this entity type to your graph.
- Read only – If this is checked then the property cannot be set by you. It can only be set by transforms.
- Description – This field can be used to set a short description for the property.
- Default value – This is the default value of the property.
- Sample value – This is the value of the property when it is dragged onto a graph from the entity palette.
The next step in the wizard allows you to set Display Settings for the new entity. The display settings allow you to set which property is displayed on the graph.
Figure 174: Display settings - Step 5
Display Settings determine three different properties for an entity: what is edited when changing the value on the graph, what value is displayed on the graph and what icon should be used in place of the default icon. It might seem very strange to have a different property edited to what is displayed but as an example to illustrate this look at the URL entity. Whilst you still need the actual URL of a page (that could be very long) you do not want that displayed on the graph, but rather something like the title of the page.
- Edit Value - This property determines which field is edited when you double click on the entity text by default.
- Display Value - The property that is displayed on the graph.
- Large Image - If a property is a URL to an image you can use this to replace the icon on the graph (useful for showing things like a thumbnail of a website where it is different for each website entity).
The last step in the New Entity Wizard is the Advanced Settings page.
Figure 175: Advanced settings - Step 6
The Advanced Settings page allows you to specify the following fields:
- Plural display name - allows you to set the plural options for when multiple entities are described in the tool.
- Palette item – this allows you to choose whether the new entity type will be displayed in the entity palette. By default, this option is checked. If an entity type should only be returned by a transform and never be added to the graph manually by you, then this field should be un-checked.
- Use regex converter – This checkbox allows you to choose whether a regular expression is used to automatically identify an entity when text is pasted onto a graph from the clipboard.
- Conversion order – The priority given to this entity, when pasted text matches multiple regex expressions.
- Regular expression – When you paste text into the graph, the tool compares the pasted text to this regular expression and, if it matches, automagically creates an entity of that type. The image below shows the regular expression used for matching a domain entity, which is as follows: [-\w]{1,120}\.[-\w]{1,4}\.*[-\w]{0,4}
Figure 176: Regular expression for a domain entity
- Group to property mapping – Apart from matching, you can also populate specific fields of the entity. An example of this is the person entity, which will automatically populate the first name and last name fields of the entity if you paste something such as "Andrew MacPherson" into the tool. The regular expression for this is as follows: ([A-Z]{1,15}[a-z]{0,15}) ([A-Z]{0,15}[a-z]{0,15} *[A-Z]{0,15}[a-z]{0,15} *[A-Z]{0,15}[a-z]{0,15})
Figure 177: Group to property mapping - person entity
In the current “Police Officer” example, both the Regular expression and Group to property mapping fields are left blank.
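The paste conversion described under Use regex converter, Conversion order and Group to property mapping, as an added Python example (not Maltego's own code) that runs the two regular expressions quoted above. It assumes that the whole pasted text must match and that a lower conversion order wins; the property keys and the example.PoliceOfficer converter are hypothetical, added to show what happens when two expressions overlap.

```python
import re
from dataclasses import dataclass

# Regular expressions quoted in the guide for the domain and person entities.
DOMAIN_RE = r"[-\w]{1,120}\.[-\w]{1,4}\.*[-\w]{0,4}"
PERSON_RE = (r"([A-Z]{1,15}[a-z]{0,15}) "
             r"([A-Z]{0,15}[a-z]{0,15} *[A-Z]{0,15}[a-z]{0,15} *[A-Z]{0,15}[a-z]{0,15})")
# Hypothetical expression for the custom entity (the guide leaves it blank).
OFFICER_RE = r"Officer ([A-Z][a-z]+ [A-Z][a-z]+)"


@dataclass
class Converter:
    entity_type: str        # unique type name of the entity to create
    order: int              # conversion order (assumption: lower runs first)
    pattern: str            # regular expression compared with the pasted text
    group_props: tuple = () # property filled from capture group 1, 2, ...

    def convert(self, text):
        # Assumption: the entire pasted text has to match, not a substring.
        match = re.fullmatch(self.pattern, text)
        if match is None:
            return None
        props = {name: match.group(index)
                 for index, name in enumerate(self.group_props, start=1)}
        return {"type": self.entity_type, "value": text, "properties": props}


# Property keys below are illustrative labels, not Maltego's property names.
CONVERTERS = [
    Converter("maltego.Domain", 10, DOMAIN_RE),
    Converter("maltego.Person", 20, PERSON_RE, ("firstname", "lastname")),
    Converter("example.PoliceOfficer", 5, OFFICER_RE, ("fullname",)),
]


def classify(text, converters=CONVERTERS):
    """Return the entity created for pasted text, or None if nothing matches."""
    text = text.strip()
    for converter in sorted(converters, key=lambda c: c.order):
        entity = converter.convert(text)
        if entity is not None:
            return entity
    return None


if __name__ == "__main__":
    # Constructed sample clipboard values.
    samples = [
        "paterva.com",          # plain domain
        "Andrew MacPherson",    # groups populate first and last name
        "Officer John Smith",   # matches both officer and person expressions
        "not_a_domain.x_y",     # \w accepts underscores: the check is only syntactic
        "example.technology",   # last label longer than 8 characters: no match
    ]
    for sample in samples:
        print(repr(sample), "->", classify(sample))
```

The last two samples show why a regex converter should be treated as a convenience rather than validation: the domain expression accepts strings that are not valid domain names and rejects some that are.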
Clicking finish will complete the wizard. The new entity type can be found in the entity palette under the Personal category:
Figure 178: New entity type in the entity palette
Managing Entities
Figure 179: Manage entities
Clicking the Manage Entities button will open the Entity Manager window:
Figure 180: Entity manager
The Entity Manager lists all entities currently in the Maltego client and allows you to edit or delete entities.
- Delete entity – clicking the delete entity button will open a confirmation dialog box before the entity is removed:
Figure 181: Delete entity confirmation
- Edit entity – Clicking the ellipsis button on the right of the entity line item will open another window that allows you to edit the entity:
Figure 182: Editing an entity
From the entity editor window, you can change any of the settings and properties that were made to the entity when the entity was first created.
Importing and Exporting Entities
Custom entities can easily be shared between users by exporting and importing them. It’s also possible to share entities by simply saving a graph containing custom entities and loading it in another (clean) Maltego.
Exporting Entities
Figure 183: Export entities
Clicking the Export Entities button will open the Export Wizard. The first step in this wizard is to decide if you want to export all entities in your Maltego client or export a custom selection:
After clicking Next>, entities which are to be exported can be selected. In this example, only the custom police officer entity will be exported:
Figure 184: Select entities to be exported
Next the filename and folder directory must be chosen for where the entities will be exported to. The file extension for all Maltego configuration files is .mtz.
There is also an option to encrypt the entity file with AES-128:
Figure 185: Choose file location
If the encryption option is checked, the next page will allow you to choose a password for the file.
Figure 186: Choose encryption password
After choosing the password and clicking next a final summary page will appear showing a summary of what was exported:
Figure 187: Export summary
The Finish button can be clicked to exit the export wizard.
Importing Entities
Figure 188: Import entities
Now that the custom entity has been exported to an .mtz file, it can be shared with other Maltego users by using the Import Wizard in the Maltego client.
Clicking Import Entities will open the Import Wizard. In the first step of the Import Wizard the .mtz file can be selected:
Figure 189: Select the required .mtz file
If the file was encrypted, then you will need to enter the encryption password:
Figure 190: Enter password
The next step shows the contents of the configuration file and allows you to select which items to import. In this case, there is only the single Police Officer entity that already exists in this Maltego client:
Figure 191: Select entities to be imported
Clicking next will go to a summary page of what was imported:
Figure 192: Import summary
Clicking Finish will close the Import Wizard.
Entity Palette
Figure 193: Entity palette
Clicking the Entity Palette button will simply open the Entity Palette again if it has been closed.
Manage Icons
Figure 194: Manage Icons
Clicking the Manage Icons button will open the Icon Manager for entity icons.
Figure 195: Icon Manager
In the Icon Manager, the built-in icons are categorized and can be browsed through or searched for using the search input field at the top of the window.
It is also possible to add new icons that can be used for new entities that are created. To add a new entity icon, click the plus (+) button in the top left-hand corner of the Icon Manager window. This will open another window where the image file for the new icon can be chosen:
Figure 196: Select image file for new icon
Once the image file has been chosen, the category for the icon must be selected:
Figure 197: Choosing a category for the new icon
Clicking OK will add the new entity icon to your Maltego client.
Collections - Tab
Collection nodes overview
Introduced in Maltego 4, collections aim to clean up the graph by grouping 'similar' entities, making it easier to view portions of the graph and find the key relationships you are looking for. The underlying collection rules all adhere to the following criteria:
- Only entities of the same type may be collected together in a single collection,
- Entities that are pinned (pinned to the graph) may not be collected,
- A minimum entity limit exists which must be satisfied for a collection node to form, i.e. a collection node may not contain less than the minimum limit of entities.
The image below shows the controls on the Collections tab of the ribbon as configured for a fresh install of Maltego.
Figure 198: Collections tab
Collections are enabled by default and may be toggled off/on by pressing the Disable/Enable Collections button. On the Simplify Graph section a slider and spinner work in tandem to control the level of graph simplification. The numbers on the slider and that of the spinner correspond, designating the minimum number of entities that any collection node may contain. Dragging the slider to the left decreases this global minimum entity limit for collections, thereby increasing the amount of graph simplification. The Show Collections Tutorial button shows this tutorial in the Maltego client. The Select Collections button selects all the collection nodes on the current graph.
Levels of Simplification
A typical use case for using collection nodes is analysing Twitter followers. The image below shows the Detail View for three different Twitter accounts for which their followers were found, sorted alphabetically according to the entity name. Since transforms were run on these entities as input, none of them have incoming links. "Paterva" has the highest number of Twitter followers (outgoing links) among the 3 entities, with 3432, which according to the transform rules resulted in a weight of 100.
Figure 199: Detail view of starting three Twitter accounts
With collections disabled (and for pre-Maltego4 versions), the graph output looks like the image below when in organic layout (zoomed to 2%). The graph consists of 4164 entities (4489 links in total), making it difficult to visualise the interesting relationships and common followers without having to continuously zoom in and out of the graph.
Figure 200: Followers of the initial three Twitter accounts
With collections enabled and the slider in its default position of 25 entities, the graph output looks as follows in circular layout (zoomed to 15%).
Figure 201: Collections enabled in circular view
Notice the circular entities (uncollected) and square collection nodes. Dragging the slider to the far left for the greatest amount of graph simplification, renders the graph as follows (zoomed to 100%). The graph is now simpler and much easier to work with.
Figure 202: Collection enabled - full simplification
Navigating a Collection
With the collection node containing 269 entities selected (designated by "269" in the collection node heading on the graph), the selected entities can be viewed in list form in the Detail View, and sorted according to various columns (multi-column sorting is also supported using the Shift key in conjunction with mouse clicks on the column headings). Hovering over or clicking on the entities in this list shows the relevant entity properties in the Property View.
Figure 203
Clicking on the icon in the Inspect column in the image above (shown by the orange plus (+) sign), shows in-depth details of that single entity (image below). Double-clicking on the Twitter user icon in the image below, will open the Details dialog. Clicking on the Back To List button (or right-clicking inside the Detail View component) in the image below, returns to the Detail View list of the entities in the collection node as in the image above.
Figure 204
By double-clicking on the entity name in the Detail View list (or clicking on the icon in the Collected column which shows the number of entities in the collection node), the graph will automatically pan and zoom to the selected entity, briefly flashing the entity inside the collection node in white as in the image below.
Figure 205
Pin/Unpin Entities
Collections are simply visual elements -- if an entity is of specific interest and it must not be grouped within the collection node, one can press on the pin icon of that entity, either on the graph's collection component (as in the image below) or in the Detail View list. Having multiple entities selected and then clicking on the pin icon will pin all selected entities to the graph (uncollect from collection). Alternatively, all entities in a collection can be pinned to the graph by clicking the larger pin icon in the collection component heading (seen as a very faint overlay in the top-right corner of the image below).
Figure 206
By clicking on the pin icon with only the "Black Hat" entity selected, this isolates the entity from the collection node, essentially pinning the entity to the graph (see image below). Other rules for exclusion from a collection node are if the entity has attachments or notes. When dragging entities onto the graph, they are pinned by default.
If the orange pin icon of a pinned entity, such as the "Black Hat" entity below, is clicked to unpin the entity from the graph, the entity becomes available to be collected, and will only be collected should it satisfy the criteria outlined in the overview (top of page), and share relationships with (i.e. are 'similar' to) other entities of the same type. Typically, this will boil down to whether it is linked to (shares) common parent and child entities, although the rules can understandably become quite complex for heavily meshed graphs.
Figure 207
Exploring with the Detail View list
With collection nodes, there is the same functionality that has always been in Maltego. For instance, one can find entities on the graph containing certain word(s), whether they form part of a collection node or not, by using the Quick Find functionality on the Investigate tab of the ribbon.
Alternatively, when using the Detail View list with the "269" collection node selected, the "Black Hat" entity can be pinned to the graph from this listed view, which would uncollect it but keep it among the selected entities displayed in the list. The list entities can then further be filtered according to entities containing the word "black" in them as in the image below. As can be seen by the text inside the icon in the "Collected" column, the collection node now only contains 268 entities, and the pinned "Black Hat" entity is displayed as a normal (circle) entity.
Figure 208
While on the graph all 269 entities of the original collection node are still selected, the Detail View list only shows the 2 filtered entities. By clearing the filter textfield, all 269 entities will again be displayed within the list. Alternatively, by selecting the 2 list entities in the image above, and clicking on the Sync Selection to Graph button to the left of the filter textfield, the graph selection changes to only these 2 entities and will be displayed as in the image below.
Figure 209
Solid orange borders signify full selection (all entities within the visual element selected), while a dashed orange border (as for the "268" collection node above), signifies partial selection. The collection node heading in this case indicates that only 1 of the 268 entities within the collection node is selected. Since pinned entities (and other entities not in collection nodes) only represent a single entity, these entities can therefore never be in a state of partial selection.
Transforms can also be run within the Detail View list using the context menu (on either single or multiple entities). Simply select the entities in the Detail View list, right-click to invoke the context menu (see image below), and run transforms as usual.
Figure 210
Transforms – Tab
The Transform tab includes options for managing and configuring the transforms that are available in the Maltego client.
Figure 211: Transform tab
Transform Hub
Clicking the Transform Hub button will navigate to the Transform Hub page that shows all the different transform providers.
Figure 212: Transform hub
Maltego’s flexibility, when it comes to integrating external data, has resulted in many data vendors choosing to use Maltego as a data delivery platform for their users. The Transform Hub is built into each Maltego client and allows Maltego users to easily install transforms built by different data providers. The commercial Maltego client is shown in the image below:
Figure 213: Transform hub page
A Transform Hub Item
Each item on the transform hub is called a Transform hub Item and consists of the following:
Figure 214: Transform hub item
When the transform hub item is hovered over with your mouse, the item will change to show the following options if the item is installed:
Figure 215: Transform hub item – Hovered Over
Installing/Uninstalling a transform hub item
Installing
To install a new transform hub item simply click the Install button found when the mouse pointer is over the item:
Figure 216: Installing a new transform hub item
Then there will be an installation confirmation dialog:
Figure 217: Installation confirmation
Clicking Yes will lead to the installing wizard which will take a few seconds to install:
Figure 218: Transform hub installation wizard
Once the transform hub item is finished installing there will be an installation summary page that lists everything that was installed:
Figure 219: Transform hub installation summary
Note: It is not just transforms that are installed from a transform hub item. Any one or more of the items in the list below can be installed to the Maltego client when installing a new transform hub item.
- Transform
- Transform sets
- Entities
- Machines
- Icons
Once the installation is complete, the new transform hub item will be found in the context menu when running transforms and the hub item will be shown as installed on the transform hub:
Figure 220: Installed transform hub item
Figure 221: Context menu showing the newly installed transform hub item
Settings
Some of the transform hub items will have a Settings button when the item is hovered over:
Figure 222: Transform Hub Item Settings
Clicking the Settings button will open the Transform Seed Settings window that is used to set global settings that will be used for all transforms in the hub item. These settings are often used for commercial transform hub items to manage API keys.
Figure 223: Transform Seed Settings
Uninstalling
Uninstalling transforms from the transform hub can be done simply by clicking the Uninstall button on the hub item:
Figure 224: Uninstall transform hub item
Note: Entities that are added from a transform hub item will not be deleted when the transform hub item is uninstalled. This is because transform hub items often use some of the same entities.
Updating/Refreshing the Transform Hub
In the top left-hand corner of the transform hub there are two buttons:
- Refresh Transform Hub – This button will update any changes made to transform hub items that are already installed to a Maltego client. The transform hub will also update itself automatically at intervals.
- Update Transforms – This button refreshes the installed transforms for any changes that are made. The transform hub will also refresh itself automatically at intervals.
Manually Adding a Transform hub item
To manually add a new transform hub item to a Maltego client click the plus (+) button in the top left-hand corner of the transform hub.
Figure 225: Manually adding a new transform seed
After clicking the plus (+) button the Add Transform Seed window will open as shown below. The transform seed URL and other meta details for the transform seed can be added as shown in the image below:
After clicking OK, the transform seed will appear as a new transform hub item in the transform hub:
Figure 226: Manually added transform seed
Clicking Install will add the transforms to the Maltego client.
Manage Transforms
Figure 227: Manage transforms button
Transform Manager is a tool located within Maltego to help with the addition of transform application servers (TAS) as well as the configuration of transforms from those servers and sets (groupings of transforms).
Clicking the Manage Transforms button will open the Transform Manager Window which is split between three tabs. Namely, All Transforms, Transform Servers and Transform Sets.
All Transforms
Figure 228: All transforms tab in the transform manager
Transforms can be edited from the default Transform Manager window (see above). From this window, you can sort transforms by:
- Transform – The name of the transform.
- Status – Whether the transform is ‘ready’ or has requirements such as a disclaimer or input that needs to be set.
- Location – The Transform Application Servers (TAS) that this transform is found on.
- Default Set – The default set this transform can be found in.
- Input – The input entity type (what you click on to run this transform).
- Output – The output entity type(s) (What is returned after running this transform).
This window can also be searched via the control at the top right which will search the transform names column:
Figure 229: Search bar within the Transform Manager
With the default layout of the Transform Manager the following sections are also available:
- Transform Information (bottom left) - This section describes the transform, gives additional transform information such as transform author and informs of any user action needed, such as accepting disclaimers or if additional settings are needed.
- Transform Settings (bottom right) - This section allows the modification of transform specific settings such as API keys, timeouts, setting fields to popup and so on.
- Transform Servers (top tab) - This button allows you to access the Transform Servers tab whereby you can specify which transform servers are to be used and which not by turning checkboxes on and off. You can also view which transforms are available on each server.
- Transform Sets (top tab) - This button allows you to access the Set Manager where sets (groups of transforms) can be added, deleted and modified.
Transform servers
Figure 230: Transform server tab in the Transform manager
The Transform Servers tab displays the servers that are available to you which you can easily turn on and off to set if they are used. This is useful when you have multiple servers and would prefer not to specify every time you run a transform which server it should be run on. You can also view transforms on specific servers by expanding each server with the (+) icon, as seen below:
Figure 231: Transform Servers – Expanded
Transform Sets
Figure 232: Transform sets in the transform manager
Sets are a way of grouping transforms that are commonly run together. With the default installation of Maltego you will notice various sets have been preconfigured for you, such as the Resolve to IP set which groups the transforms that convert DNSName, MX Record, NS Record and Website Entities to IP addresses. This has been done so that instead of having to select each individual entity type you can run a set of transforms on them.
Create a New Set
To create a new set simply select the New Set... button within the Set Manager and fill in the Set Name and a Description for the set (optional).
Figure: New Transform Set
Adding/Removing Transforms from Sets
To add or remove transforms from a set, start by selecting the set you wish to modify from the list of available sets within the right-hand pane and then drag the transform from the left-hand pane over it.
To add more than one transform to the set simply select multiple transforms by using either the shift or Ctrl modifiers and then drag the selection onto the set. Alternatively, you can simply select the transforms you wish to add, right-click on them and use the Add to Set-> context menu and select the set you wish to use.
To remove specific transforms from a set, select the transforms that you wish to remove within the selected set, right-click and select Remove from set.
Deleting Sets
To permanently delete a set, select the set from the right-hand pane, right-click on it and click Delete....
Figure 234: Delete set
You will then be given a dialog to confirm that you wish to delete the set:
Figure 235: Confirmation to delete the transform set
Selecting OK on this dialog will delete the set permanently.
Local Transforms
Figure: Local Transforms
Local transforms are pieces of code that run on the same machine as the client application. Details on writing your own local transforms can be found on Paterva’s developer portal. This section will only explain how local transforms can be added to the Maltego client.
Clicking the Local Transform button will open the Local Transform Wizard. From here you will be greeted with the first screen of the wizard, this screen describes the Meta information as well as the Input entity type and Transform set.
- Meta Information - This is information describing the transform including the Display name, Description, Transform ID and Author
- Input Entity Type - This is the input entity that this transform will run on to return output.
- Transform Set - You can populate this if you want to automatically add this transform to a set.
An example of this screen populated is as follows:
Figure 237: Local Transform wizard - Configure details
The setup for Maltego is slightly more involved and you will be required to know the Command to execute, the Script name / Parameters and the Working Directory:
- Command - This is the interpreter or compiled application, for example the command for Python might be c:\Python26\Python.exe or /usr/bin/python.
- Script name / Parameters - If your executable takes parameters or if you are using an interpreted language such as Python you will set this field to one of these. For example, ours would be helloWorld.py if we are executing a Python script called helloWorld.py.
- Working Directory - This is the directory where the local scripts are stored.
An example of these fields populated is as follows:
Figure 238: Local transform Wizard - command line details
Clicking finish will complete the wizard and add your local transform to the Maltego client.
From here you can simply drag in the entity you initially selected when adding the transform (in this example it is an Alias). There will now be a Local Transform item in the top level of the transform hub:
Figure 239: Local transform item in the context menu
Clicking Local Transforms in the context menu will show the local transform that was just added to the Maltego client:
Figure 240: Local transform in the context menu
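An added example of what the helloWorld.py script named above could contain (not code from this guide or from Paterva). It assumes the local transform convention that the entity value arrives as the first command-line argument, extra fields as a second argument of name=value pairs joined by #, and that the result is an XML MaltegoMessage written to stdout; confirm the details on the developer portal. Because a local transform runs with your own privileges and graph values can originate from untrusted data, the value is length-limited, stripped of control characters, XML-escaped and never passed to a shell.

```python
#!/usr/bin/env python3
"""helloWorld.py: example local transform (Alias in, Phrase out)."""
import sys
import xml.etree.ElementTree as ET

MAX_VALUE_LEN = 256  # constructed limit for this example


def parse_fields(raw):
    """Parse 'name=value#name2=value2' into a dict (assumed field format)."""
    fields = {}
    for pair in raw.split("#"):
        name, sep, value = pair.partition("=")
        if sep and name:          # ignore fragments without a name or '='
            fields[name] = value
    return fields


def sanitize(value):
    """Drop characters that are not legal in XML 1.0 and cap the length."""
    cleaned = "".join(ch for ch in value
                      if ch in "\t\n\r" or ord(ch) >= 0x20)
    return cleaned[:MAX_VALUE_LEN]


def build_response(value, fields=None):
    """Return the response XML holding one Phrase entity for the input value."""
    message = ET.Element("MaltegoMessage")
    response = ET.SubElement(message, "MaltegoTransformResponseMessage")
    entities = ET.SubElement(response, "Entities")
    entity = ET.SubElement(entities, "Entity", Type="maltego.Phrase")
    # ElementTree escapes <, > and & when serialising, so a hostile value
    # cannot inject extra elements into the response.
    ET.SubElement(entity, "Value").text = "Hello " + sanitize(value)
    ET.SubElement(entity, "Weight").text = "100"
    ui_messages = ET.SubElement(response, "UIMessages")
    note = ET.SubElement(ui_messages, "UIMessage", MessageType="Inform")
    note.text = "helloWorld received %d extra field(s)" % len(fields or {})
    return ET.tostring(message, encoding="unicode")


def main(argv):
    if len(argv) < 2:
        sys.stderr.write("usage: helloWorld.py <entity value> [fields]\n")
        return 1
    fields = parse_fields(argv[2]) if len(argv) > 2 else {}
    print(build_response(argv[1], fields))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```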
Managed Services
Figure 241: Manage services
Some transforms use public APIs to get their results. These public APIs sometimes have strict rate limits to prevent abuse. Signing in to these services with your own account allows for the rate limits to be applied per user instead of having the same rate limits shared between everyone using these transforms. Some of the transform hub members also use Managed Services to control access to their transforms instead of using API keys.
By default, the Maltego client comes with a single managed service for using the Twitter transforms. To use any of the standard Twitter transform you will need to sign into a Twitter account.
Clicking the Managed Services button will open the Service Manager window:
Figure 242: Managed services window
The steps below can be taken to sign into a new managed service. In this example, Twitter will be signed into:
- Click on one of the Sign In buttons.
- A page will open in your default browser:
Figure 243: Authorize Maltego to Use your Twitter Account
- Sign into the account with your details. If your default web browser is already signed in you will just need to authorize the Maltego application.
- After successfully signing in you will be shown the following image in your web browser and you can close the browser tab and go back to the Maltego client:
Figure 244: Successfully Authorized
The managed service will now be shown as signed in:
Figure 245: Managed Services Now Signed-In
Note: In Maltego, the managed services use a standard protocol named OAuth, in which Maltego never receives or stores your user account details. The Maltego client receives a temporary access token from the service, which is used to make requests on behalf of the user.
Run View
Figure 246: Button to Open the Run View
Clicking the Run View button will simply open the Run View window if it wasn’t already open in the Maltego client.
Machines – Tab
In Maltego, a machine is a script/macro that runs multiple transforms with different types of filters. Machines are useful for completing common tasks such as forward footprints of domains.
Figure 247: The Machines tab
Maltego has a custom scripting language that can be used to create new machines. Custom machine creation is covered in Paterva’s developer portal.
Run Machine
Figure : Run Machine Button
Clicking Run Machine will open the Start a Machine window which can assist in running your first machine.
Figure 249: Start a machine
The first step to start a machine is to select the machine you would like to run from the list of machines that are available in your Maltego client.
By default, Show on startup and Show on empty graph click will be checked. This means that in these two conditions the Start a Machine window will open automatically. These can be switched off by unchecking these options.
Clicking next will take you to the next page where you can input the start parameter.
Machines require a start parameter, from which subsequent transforms can be run. For example, the Footprint L2 machine requires a target domain as the input entity.
Figure 250: Start a machine - select a target
Clicking Finish will start the machine on the target that was specified. The Machines window will open and provide details on the status of the machine that is running. It is described in the next section.
Machine window
The image below provides labels for each feature in the Machines window:
Figure 251: Machine window
Machine User Filters
Some of the machines that come with Maltego include a User Filter that allows you to choose which entities you want to continue in the machine’s pipeline. This is important as it allows you to specify what is relevant and what is not, and prevents the machine from gathering information on entities that are irrelevant to the current investigation.
In the case of the Footprint L2 machine, a user filter will pop up to ask you if you want the machine to look for additional domains that use the same MX and NS records as the target domain:
Figure 252: User filter
Here it seems that paterva.com uses Google for their MX records and Linode for their NS records. If you were investigating paterva.com you would not want the machine to look for domains that use these records, as it would return thousands of unrelated results for companies and organizations that use Google for their mail servers and Linode for their name servers. So, in this case, you should deselect these entities in your filter window and click the Next> button, and the machine will continue running.
User Filter Window – In Detail
In the case of Footprint L2, after clicking Next> the machine will pause again to display the User Filter window for paterva.com’s MX records as shown in the image below:
Figure 253: User Filter Fields
After making selections for each of the user filters, the machine will continue to run all its transforms excluding the entities deselected in the user filter. When the machine is complete there will be a chime sound made by the Maltego client to indicate that the machine is complete.
Figure 254: Graph after machine is complete
In Maltego there is also such a thing as a perpetual machine. A perpetual machine can be configured to run every x seconds and is useful for monitoring data that changes regularly. When a perpetual machine finishes running, a countdown timer will appear in the Machines window that will count down until it is time for the machine to run again.
Figure 255: Perpetual machine counter
Stop all Machines
Figure 256: Stop All Machines Button
Clicking the Stop all Machines button will stop all the machines that are currently running in your Maltego client. This is useful when you have multiple machines running in different tabs in your client and want to stop them all at once.
New Machine
Figure 257: New Machine Button
Clicking the New Machine button will open the new machine wizard that guides you through the process of creating a new machine. Creating a new machine is out of the scope of this document; more information on building custom machines can be found on our developer portal.
Manage Machines
Figure 258: Manage Machines Button
Clicking Manage Machines will open the Machine Manager window which lists all the machines that are currently in the Maltego client. The image below provides labels for all buttons in the Machine Manager:
Figure 259: Machine manager
The list in the Machine Manager can be sorted by the following fields:
- Checkbox to enable/disable the machine in the Maltego client.
- Name – the name of the machine.
- Status – is the machine ready to be used.
- Author – the person or company that built the machine.
- Description – a short description of what the machine does.
- Read-only – if a machine is read-only then the machine’s script cannot be edited by the user. All machines that are installed from the transform hub are read-only and cannot be edited.
If you want to edit one of the transforms that have been installed from a transform hub item, you can clone the transform and then edit the clone as the original is read-only.
Machines Window
The Machines Window button will simply open the machine window in the Maltego client if it is not already open.
Figure 260: Machines Window Button
Collaboration – Tab
Collaboration in Maltego provides the ability to share graphs and have multiple users work on a graph at the same time.
Figure 261: collaboration tab
Share Current Graph
Figure 262: Share Current Graph Button
Clicking Share Current Graph will open the Graph sharing window which consists of three tabs for setting up your shared graph sessions, namely: Session, Server and Encryption.
Session - Tab
Figure 263: Graph sharing window – Session tab
From the Session tab, you can configure your shared graph sessions:
- Session name – This is the name of the shared graph session.
- Security key – This is the security key that is used to encrypt all graph traffic. Only users who have this security key will be able to join the graph. Clicking the Generate button will create a random and secure session key. Generated keys will be more secure, but difficult to remember.
- User Alias – this is the alias that you will be identified by in the shared graph session.
Server - Tab
Figure 264: Session tab
Under the Server tab you will be able to configure the server that you wish to use for your shared graph session. There are three options:
- Paterva (Public) – Using Paterva’s public communication server is the easiest way to start a shared graph session in Maltego. All graph traffic will travel over a server owned by Paterva on the Internet. All graph traffic is encrypted (end-to-end) with the security key that was chosen in the previous step. The Maltego clients also communicate with the graph server over HTTPS.
- Paterva (Private) – Paterva sells copies of the communication server to customers, allowing it to be hosted internally. This private communications server is almost an exact copy of the one that is hosted by Paterva. You will need to enter the IP address or hostname of the communications server on your network.
- Other – It is also possible to run a shared graph session on your own Jabber (XMPP) server. Details on configuring your own XMPP server are beyond the scope of this user guide.
Encryption - Tab
Figure 265: Encryption tab
By default, packets transferred during a shared graph session are encrypted end-to-end with 128-bit AES. To use 256-bit AES encryption, JCE Unlimited Strength Jurisdiction needs to be installed on the machine running the Maltego client. JCE Unlimited Strength Jurisdiction can be downloaded from the links found in the client.
Starting a Shared Graph Session
To start a new shared graph session, navigate back to the Session tab and click Connect. The Maltego client will establish a connection to the communication server and then open the graph window. If a shared graph with the same session name already exists on the communications server that you are using and you enter the correct security key, then the Maltego client will join the existing shared graph session. If a shared graph with the same session name does not exist, then a new one will be created with the security key that was specified.
When you are in a shared graph session there are a few things that you will notice. On the graph title tab, shared graphs will always have their name written in aqua color. Additionally, YOUR_ALIAS@SESSION_NAME will be written in the graph’s title:
Figure 266
Two new windows will also be opened.
Collaboration Session Window
The Collaboration Session window will list all the users that are currently in the shared graph session as well as their status and the version of Maltego that they are running. Additionally, the collaboration window will list meta information about the graph session.
Figure 267: Collaboration window
Shared graph sessions are cross-platform, which means Maltego XL, Maltego Classic, Maltego CE and CaseFile can all join the same shared graph. However, graph size limitations in the different clients will still apply when in a shared graph.
Chat – Window
The Chat window will also open when a shared graph is created. It is found at the bottom of the Maltego client window, tabbed next to the transform output. The Chat window allows users on the graph to communicate and also provides status updates about what is happening on the graph.
Figure 268: Chat window
Each different type of message in the chat window has a different color. Clicking the Message filter button will open a window where you can choose which message types you want to display in the Chat window. The image below shows the types of messages that can be filtered and the color that they correspond to in the chat window:
Figure 269: Filter message types
The next button in the Chat window is used to send the graph selection link as a chat message. This will create a message with a hyperlink to the entities selected on your graph. Any user that clicks the hyperlink will zoom to the relevant entities.
Messages can also be typed and sent from the bottom input bar in the Chat window.
Collaboration – Additional Things to Note
The following few sub-sections cover additional important things to know about when working with shared graphs in Maltego.
Entity attribution
Figure 270: Entity added by Roelof
In all shared graph sessions, each entity added to the graph will have the name of the user who added it shown on the graph above the entity icon as seen in the image above.
User Permissions with Shared Graphs
When in a shared graph session, it is important to note that every user in the graph has complete control to read/write to the graph. Be careful who you give the graph's security key to.
Shared Graph Layout
If a single user changes the layout of a graph, then the layout will change for every user that is in the graph. However, when a user changes their view, it will only change for the person who made the change.
Graph Existence
The communication for the shared graph session is managed with an XMPP server. None of the data for the graph is ever stored on the server; the data is stored on each client that is in the shared graph session. The graph will be available if there is at least one person with the graph open.
Work offline
Under the Collaboration tab, there is a Work Offline button. Clicking it will disconnect you from the shared graph but keep a copy of the shared graph in an offline window. From this offline graph, you can reconnect to the shared graph by clicking the Reconnect button:
Figure 271: Reconnect button
Open collaboration Windows
The two buttons, Chat Window and Collaboration Window, will open the two respective windows in the client if they are not already open.
Show Usernames
The Show Usernames checkbox will allow the user to toggle between showing and not showing the username above entities that are added in a shared graph session.
Import/Export - Tab
Figure 272: Import/Export tab
The Import/Export tab provides ways to get data in and out of Maltego as well as backing up configuration files and importing new ones.
Import Graph from Table
Figure 273: Import graph from table
Overview
Clicking Import Graph from Table will open a wizard that allows you to import a graph from a table-structured format. The basic steps involve selecting an input file, mapping columns of the input file to entities and creating links between entities. The information that defines a mapping is known as a mapping configuration, and the wizard allows you to save and load existing mapping configurations.
Select a file
First choose whether you want to create a new mapping configuration or load a saved one. By default, the most recent saved mapping configuration will be chosen.
Clicking the Manage button will bring up the Mapping Manager window which shows a table of all the currently saved mapping configurations. Mapping configurations are persisted according to their name which must be unique. The name and description of a saved mapping configuration can be edited by clicking the edit icon (black arrow below). Mappings can also be deleted by clicking the corresponding delete icon (red arrow below).
After choosing a new or existing mapping configuration, choose the file to be imported and click on Next>.
Note: When loading a saved mapping configuration, Maltego will alert you if the selected mapping is not compatible with the data-file selected.
Mapping Configuration
In this step the user is presented with three tabs which separate mapping configuration creation into three logical processes. At least one entity needs to be defined in the Map Columns to Entities tab, and for two or more defined entities you can then optionally create and edit links between them (Connectivity tab) and/or assign link properties to input file columns (Map Columns to Links tab).
Note: If a saved mapping configuration were chosen in the Select File step, the entities, links and column mappings would be pre-configured for this step.
Map Columns to Entities tab
Entity mapping is performed by completing three steps for each entity that will be mapped. First, one or more ‘unmapped’ columns must be selected, then the entity to which the selected columns are mapped must be selected from the Map to list.
Tip: To add or remove a column from the selected entity hold down Ctrl and click on the column.
Once an entity has been chosen, the property to which each column maps can be edited in step 3.
Steps 1 to 3 are repeated for each entity that should be mapped.
Connectivity tab
Maltego will automatically generate links between newly mapped entities in the Map Columns to Entities tab. These can be viewed and deleted, or additional links can be created, in the Connectivity tab to customize the connectivity of the entities that will be created. Multiple links can be selected by holding down Ctrl or Alt and dragging the mouse across the graph to create a selection box.
Figure 274: Connectivity tab
Map Columns to Links tab
The steps for mapping columns to links are the same as the steps for mapping columns to entities, the only difference being that the Map to combo box will present the list of links (created in the Connectivity tab) as opposed to entities.
Settings
After the mapping configuration has been defined, the wizard presents a Settings screen where various tabular import settings can be set, such as sampling, empty values, graph size and link merging. If a current graph exists, you will have the option to merge the imported graph with it. You are also given the option to save the mapping configuration (checked by default) with a default name and description. Mapping configurations are saved with a non-empty, unique name. If the entered name is not unique the existing mapping configuration will be overwritten, but a warning will be shown in such cases.
If you choose not to save the mapping configuration, Maltego will save it automatically as Auto-saved mapping — overwriting the existing auto-saved mapping configuration if it exists.
Note: When the Auto-saved mapping is loaded in the Select File step, the default name will be blank forcing you to define a more descriptive name.
Import
If the import has failed, the wizard will inform you and give as much information as possible about the problem. If the import completed successfully, a summary of the import result is presented which includes the name under which the mapping configuration has been saved.
Figure 275: Import complete
Tabular Mappings
Figure 276: Mappings – Tabular Import Button
Clicking the Mappings – Tabular Import button will bring up the Mapping Manager window, which shows a table of all the currently saved mapping configurations. The name and description of a saved mapping configuration can be edited by clicking the edit icon (black arrow below). Mappings can also be deleted by clicking the corresponding delete icon (red arrow below).
Export Graph to Table
Figure 277: Export Graph to Table Button
The Export Graph to Table option allows you to export your graph into a tabular format. Clicking the Export Graph to Table button will open the Graph Export Wizard:
Figure 278: Graph export wizard - Step 1
The first step of the graph export wizard is to decide whether to export the whole graph or to just export the selected portion of the graph. There is also the option to choose to remove duplicate rows. A duplicate row would occur when there are 2 links that connect the same two entities.
Clicking Next> will lead to the second step in the wizard where the filename and file type can be chosen for the export:
Figure 279: Graph export wizard - Step 2
From the Files of Type field the file type for the table can be chosen from CSV, XLS or XLSX.
Figure 280: Export table file types
Clicking Next> will export your graph to the chosen format. Once the export is complete there will be a summary page that shows everything that was exported to the tabular file:
Figure 281: Export graph to table – Summary
Export Graph as Image
Figure 282: Export Graph as Image Button
As the name suggests, Export Graph as Image will export a Maltego graph to an image format. Clicking the Export Graph as Image button will open the following window:
Figure 283: Export graph as image
The file type can be chosen from the File of Type dropdown field. Image file types can be chosen from png, jpeg and bmp.
Figure 284: Image file types
The image scale can also be chosen as a number between 100% and 500% from the Scale image dropdown field.
Figure 285: Export image scale
The higher this number is, the higher the resolution of the exported image will be. Keep in mind that with large graphs a high image scale can result in very large image files.
Once these options have been chosen, clicking the save button will save a copy of your graph to the selected image format.
Generate Report
Figure 286: Generate Report Button
The Generate Report button in Maltego creates a PDF report that contains all information about the current graph in a single document. As Maltego reports contain all information about your graph, they can end up being very long (e.g. a 30-entity graph can easily generate a 20-page report).
Clicking Generate Report will open a save dialog where the filename and location can be provided:
Figure 287: Save Maltego report dialog window
In a Maltego report the following will be included:
- Image of the full graph
- Top 10 Entities – lists of entities ranked by the following features:
- Ranked by Incoming Links
- Ranked by Outgoing Links
- Ranked by Total Links
- Entities by Type - lists of entities categorized by their type.
- Entity details – lists each entity and includes all the information from the property view and detail view. The image below shows an example of one item from the Entity detail list:
Figure 288: Entity detail from a Maltego Report
Export Config
Figure : Export Config Button
All custom configurations to a Maltego client can be exported and imported to/from a configuration file that can be used to either back-up your configurations when re-installing your Maltego client or if you wish to share your Maltego configurations with other users.
When exporting custom configurations, the following can be exported:
- Transform hub item - this will include all transform hub items that are installed in the Maltego client. Note: the export will not include API keys that are stored in installed transform hub items.
- Entities – Custom and/or installed entity types that are defined in the Maltego client.
- Local Transforms – this will export the Maltego configuration for local transforms. Note: local transform scripts need to be backed up separately.
- Transform sets
- Views
- Icons
- Services
- Tabular mappings
Clicking the Export Config button will open the Export Wizard. To complete the Export Wizard, similar steps to Export Entities can be taken. The only difference is that in the second step of the wizard all the items listed above can be chosen for the export:
Figure 290: Choose configurations to be exported
Import Config
Figure : Import Config Button
All configurations listed in the Export Config section can be imported to a Maltego client from a .mtz file. Steps similar to those described in the Import Entities section can be followed to import a Maltego configuration file.
Windows - Tab
Under the main client ribbon the Windows tab is found on the far right. The Windows tab is used to open windows that are found in Maltego’s user interface. This section will describe what each button does under the Windows tab.
Figure 292: Windows tab
Window’s buttons
Each window that is open will have two buttons in the top right-hand corner:
Figure 293: Window taskbar buttons
The options available are to minimise the window (>>) or to close it completely (X). Once a window has been minimised it remains available as a tab at the side of the Maltego client.
Figure 294: Minimized windows
Each of the minimized windows has a single button to maximize the window again.
While the window is still minimized, if you hover over one of the window tabs, the window will open as seen below. The window will minimize again when you move the mouse away from the window.
Clicking on the window tab will open the window until it is de-selected again by clicking elsewhere in the Maltego client.
Figure 295: Hovering over minimized window
The solid dot button in the top left-hand corner of the window will pin the window back into place so that it stays there permanently.
The windows can also be dragged around to snap into place in different configurations. It is up to you to decide how you want to set up your workspace, depending of course on the amount of screen real estate available.
Windows quick actions
The windows quick actions allow you to perform three useful tasks:
- Close All Graphs - This will close all the graphs that are currently open. Maltego will first ask if you want to save each of the graphs before they are closed.
- Close Other Graphs - This option will close all the other graphs that are open except for the one that is currently being viewed. Maltego will first ask if you want to save any of the other graphs before they are closed.
- Reset Windows – The reset windows button will reset all the windows in Maltego client to default as they were when the tool was first installed. Resetting Windows will require a restart of the Maltego client.
Maltego windows
When starting a new graph, there are six default windows that will open that are used when creating and viewing Maltego graphs. The six windows are highlighted in the image below:
Figure 296: Window layout
Additionally, there are another five windows used for other specific tasks. Each of these windows will be explained in the upcoming sections.
Overview
The Overview window will be open by default when you start a new graph. If the Overview window is closed, it can be re-opened with the button in the image below:
Figure 297: Overview window button
By default, the Overview window is found in the top left-hand corner of the Maltego client. It shows the current viewport on the graph in relation to the entire graph. The Overview window can also be used to pan your graph as discussed previously.
Figure 298: Overview window
Detail View
The Detail View window will be open by default when you start a new graph. If the Detail View window is closed, it can be re-opened with the button in the image below:
Figure 299: Detail View window button
The Detail View contains information about the entity that cannot be displayed in the main graph window. These are things that the transform author wants you to see about the entity. As the mouse is moved over entities, both the entity Property View and Detail View are updated. Some transforms will return additional fields in the Property View depending on what the entity type is. Once the transform has returned an entity it is not possible to manually edit the information in the Detail View.
Figure 300: Entity detail view
The Detail View when Multiple Entities are Selected
When more than one entity is selected the Detail View will change to a multi-column item list, as shown below. This gives you a lot more flexibility in terms of selection:
Figure 301: Detail View with multiple entities selected
Searching the detail view
You can now search for entities in the text area and press Enter to see which nodes match. The selection on the graph will remain the same at this stage:
Figure 302: Searching your Detail View
After selecting entities from the entity list the Sync Selection to Graph button will be enabled. This button is found on the left-hand side of the search input field. You can now select nodes within the list (i.e. Ctrl + A for all, Shift selects ranges and Ctrl to select entities one by one) and when the sync button is pressed the selected entities on the graph will update according to the selection from the Detail View:
Figure 303: Sync entity selecting to the graph
Other buttons in the Detail View
Pressing the plus (+) button in the left-hand side column will show that specific entity’s Detail View, as shown below:
Figure 304: Detail view of specific entity from list.
Right-clicking in the Detail View or clicking the Back To List button will navigate back to the entity list that includes all entities in your graph selection.
Running transforms from Detail View
The context menu is also available from the Detail View when more than one entity is selected. This is useful as you can filter and sort entities and then run transforms or perform actions on them from the context menu:
Figure 305: Opening the context menu from the detail view
Entity list columns
The entity list in the Detail View can be sorted according to the different columns of the list. From left-to-right the columns of the list are:
- The entity type which is represented in each item on the list as the entity icon.
- The entity’s value.
- The bookmark color of the entity.
- Whether the entity is pinned to the graph (meaning it will never join a collection node).
- Number of nodes in the entity’s collection.
- Number of incoming links.
- Number of outgoing links.
- Entity’s weighting.
Property View window
By default, the Property View in Maltego can be found in the bottom right-hand corner of your Maltego client. The properties of an entity are used by transforms and are passed along with the entity’s value to the transform. Detail View information is not passed to the transform. Unlike the Detail View, information in the Property View can be edited by the user after the information has been returned from a transform.
The Property View of an entity is in three sections, namely the Properties, the Dynamic Properties and the Graph Info.
Properties
Under the Properties heading you will find the default properties for an entity. These properties are inherent to the entity type and will be included when a new entity is manually added to your graph from the Entity Palette.
Dynamic Properties
Dynamic Properties of an entity are properties that are added to the entity by the transform that returns the entity. These properties are specific to the transform that created the entity and will not appear in a new entity that is added from the Entity Palette.
Graph Info
The Graph Info includes meta information about the entity that you currently have selected.
The entity properties of a netblock are shown below:
Figure 306: Netblock properties
Editing properties
Clicking on an entity property’s value will allow you to edit the text. Some properties contain long values and it is easier to edit them by opening a text editing window. This can be done by clicking the ellipsis button next to the property value. This will open the window shown in the image below where the property value can be edited:
Figure 307: Editing entity property
Entity palette
The Entity Palette lists entities that are available to be used in the Maltego client. The entity categories can be expanded and collapsed using the (+) and (-) buttons next to the category name.
Figure 308: Entity palette
As more transform hub items are installed to the Maltego client from the transform hub more entities will be added to the Maltego client. By pressing Ctrl + F while the focus is on the Entity Palette, a search field will open that allows entity types to be searched:
Figure 309: Search through entity types
When you right-click on the palette, options to customize the display will be provided as shown below:
Figure 310: Options to customize palette
Right-clicking on an entity category will provide a different set of options that will apply to all the entities in the category:
Figure 311: Options for a category in the entity palette
Transform output
The Transform Output window displays information that is returned from a transform server when a transform is run. It displays messages about which transform has run, the number of results returned from a transform, transform warnings as well as error information if something goes wrong. The image below labels the elements of the Transform Output window:
Figure 312: Transform output
In the Transform Output window, the button in the top left-hand corner allows you to filter the different types of messages that are included in the Transform Output. Clicking on the filter button opens the window, shown below, that allows you to select the types of messages you wish to see in the Transform Output.
Figure 313: Filter transform output messages
The button under the filter button can be used to clear all messages from the Transform Output to start with a fresh output window.
Each message that is returned in the Transform Output also includes a link to the entity that caused the message to display. Clicking the link in the Transform Output will zoom to and select this entity on your graph.
Right-clicking in the transform output provides additional actions that can be performed on the text in the Transform Output.
Figure 314: Right-clicking in the transform output
The following can be performed from the Transform Output window context menu:
- Filter transform messages – This allows you to filter transform messages according to their type.
- Clear transform messages – This allows you to clear all transform output messages.
- Find – This will open a search window to search existing transform messages. Text that matches the search will be highlighted:
Figure 315: Searching the transform output window
- Filter – This will add a text-based filter to the transform message output so that only messages that match the filter are shown in the output:
Figure 316: Filter transform messages
- Wrap text – this will wrap long messages onto new lines
- Larger font – increases the font size
- Smaller Font – decreases the font size
- Save As – this option allows you to save your output to a text file.
Machine Window
The Machine window provides status information about a machine that is currently running. The features of this window are described in the machines section.
Run view
Beneath the Entity Palette is the Run View which allows you to run transforms and machines. Running a transform from the Run View is the same process as running one from the context menu and it will not be repeated here.
Expanding the Machines heading (+) shows all the machines that are available to run on the current entity selection on the graph.
Figure 317: Machines in the Run view
Each line item displays the machine’s name and the start of its description. Hovering over the machine name will display the full description for the machine. On the right-hand side of each item there are three icons. The star icon will add the machine to the favorites category, making it easier to find this machine in the future. Clicking the configure icon will open a window with the script that makes up the machine. Finally, clicking the single arrow icon (>) will start running the machine.
Chat Window
The Chat window is used in shared graph sessions to communicate with other users on the same graph. The chat window is described in the Collaboration section.
Collaboration Window
The Collaboration window is used in shared graph sessions and shows who is currently on the graph as well as other meta info about the shared graph. The window is described in the Collaboration section of this document.
Hub Transform Inputs
Hub Transform Inputs are transform settings that can be applied to different transforms from a transform hub item but only need to be set once. The Hub Transform Inputs window is used to manage these transform settings:
Figure 318: Hub Transform Inputs Window
Application Menu
Button and Shortcuts
Figure 319: Application shortcut buttons
The button in the top-left corner of the Maltego client is called the Application Button (sometimes also called the Globe Icon) and opens the Application Menu. The Application Menu will be described in the upcoming sections.
The buttons to the right of the Application Button are application shortcut buttons and are labelled in the image above. The Undo and Redo buttons both include dropdown menus; clicking a dropdown will show a list of graph actions that can be either undone or redone, depending on which dropdown was selected:
Figure 320: Undoing graph actions
Hovering over an action will also select all actions before it.
The Start a Machine button also includes a dropdown menu which shows a list of all the machines that are available in the Maltego client when clicked:
Figure 321: Machines dropdown menu
Clicking any one of the machines in the list will open a dialog where the machine target can be entered, after which the machine will run.
The downward facing arrow beneath the new graph button is used to minimize the main ribbon. Doing this results in a main ribbon that looks like the following image:
Figure 322: Minimize the main ribbon
When minimized, clicking any of the tabs in the ribbon will temporarily open the ribbon on the clicked tab until you click away, allowing you to free up screen real estate when dealing with large graphs.
Clicking the rightward facing arrow will maximize the main ribbon again so that it is always shown.
Drop Down
The Maltego Application Button provides access to the following standard functionality:
- New Graph
- Open Graph
- Save
- Save All
- Save As
Maltego can open and save graphs with an mtgl extension. Graphs created in Maltego 3 are saved with an mtgx file extension and can also be opened in Maltego 4.
Note: Maltego is backwards compatible. Graphs with an mtgl file extension cannot be opened in Maltego 3; however, Maltego 4 has the option to save in both the mtgl and mtgx formats.
Opening the Application Menu provides the options shown in the image below:
Figure 323: Application Menu dropdown
On the right side of the Application Menu dropdown, recently opened Maltego graphs are listed. These graphs can quickly be opened by clicking on them.
Import
Figure 324: Import options
Under the Import section of the Application Menu, various import options are listed for importing data into Maltego. These options will not be covered here as they are already covered in the Import section.
Export
Figure 325: Export options
Under the Export section of the Application Menu, various export options are listed for getting data out of the Maltego client. These options will not be covered here as they are already covered in the Export section.
Printing
The Application Button menu also gives you the option to Print or Preview the Current Graph.
Figure 326: Print option in the application menu
Clicking Print Preview Current Graph will open a Print Preview window (shown below) that also provides different printing options.
Figure 327: Print preview
Maltego can send the current graph (in whatever view or layout it is in) to a printer. You can print to a single page or to multiple pages. With multiple pages, you need to specify how many rows and how many columns of pages should be printed.
Figure 328: Print options
Tools
Figure 329: Tools
Home
Clicking the Home button will open the Maltego Start Page and the Transform Hub in a new tab.
Graph Meta
The Graph Meta button will open a new window that contains metadata for the graph. The Author field in the metadata for the current graph can be edited from this window:
Figure 330: Graph meta data
Metrics on the number of entities and links for any graph can always be found in the bottom right-hand corner of a graph:
Figure 331: Graph metrics
The first number is the number of entities on a graph, including all the entities found in collection nodes. The second number is the number of nodes on the graph; this counts a collection (with multiple entities) as a single node. The third number is the number of links on a graph, and the last number is the number of edges, where connections between collection nodes are counted as one edge.
Open Example Graph
Clicking Open Example Graph will open a small-sized example graph. This example graph is useful when a quick graph is needed for demonstration purposes:
Figure 332: Example graph
Find In Files
Find in Files allows you to search through multiple Maltego graphs at once that are stored on the client machine. The Find in Files function is explained in detail in the following section.
Activate Maltego
Clicking Activate Maltego will open a wizard that will display your Maltego client’s activation status. If the Maltego client is already active, then activation details are provided. If the Maltego client still needs to be activated, then the activation wizard can be followed to activate the client. The activation steps are outlined in the following section.
Check for Updates
Clicking Check for Updates will open a wizard that looks to see if new updates are available to be downloaded and installed. The update process is outlined in more detail in the following sections.
Factory Reset
Factory Reset will reset your Maltego client as if it were a fresh installation. This means that all custom Maltego configurations will be lost if a Factory Reset is performed on a Maltego client. Clicking the Factory Reset button will open a confirmation dialog to continue with the Maltego client Factory Reset:
Figure 333: Factory reset confirmation
More About Maltego
Figure 334: More about Maltego
The More about Maltego section of the Application Menu provides links to open the following web pages:
- Read the User guide – This will open the official Maltego documentation in your default web browser (https://www.paterva.com/web7/docs/documentation.php).
- Get Tech Support – This will open a contact us web form where technical questions can be sent directly to our technical support team (https://www.paterva.com/web7/contact.php).
- Log a Bug - This will open a contact us web form where any bugs in the Maltego client can be reported to Paterva (https://www.paterva.com/web7/contact.php).
- Read the Maltego Blog – This link will open the official Maltego blog where we post new features that are released for Maltego (https://maltego.blogspot.com/).
Clicking the last option in this section, About Maltego, will open a page that provides information about the current Maltego client installation and your system setup:
Figure 335: About Maltego
Options menu
In the bottom, right-hand corner of the Application dropdown menu, the Options button can be found:
Figure 336: The options button
Next to the Options button, there is also an Exit button which, when clicked, will close the Maltego application.
Clicking the Options button opens the main options menu where various settings for the Maltego client can be configured. The options menu is organized into tabs, each of which is explained in the following sub-sections.
General
Figure 337: General Options menu
The first tab in the Options menu is General options, where you can choose the default web browser for the Maltego client to use and set up a proxy.
Default web browser
By default, the Maltego client will use your system’s default web browser. Clicking the Web Browser dropdown field will show a list of web browsers that are installed on the system and allow you to choose a new web browser for Maltego to use.
Figure 338: Select default web browser for Maltego to use
Proxy settings
Proxies are often used within corporate networks to control how clients within the network reach the Internet. Maltego requires an Internet connection, so if you need to use it within a corporate network, use this option to configure the proxy.
There are three proxy options in Maltego described below:
- No proxy – Use this setting if you have a direct connection to the Internet and do not connect through a web proxy.
- Use System Proxy Settings – This option will use your system’s proxy settings. Clicking the Reload button will force Maltego to reload the proxy settings from the system in case any changes to the system settings have been made.
- Manual Proxy Settings – This option allows you to specify the hostname/IP address and the port number for your web proxy. Clicking the More button will open the Advanced Proxy Options window:
Figure 339: Advanced Proxy Options
From the Advanced Proxy Options, you can choose to use the specified proxy for all protocols or specify different proxies for HTTPS and SOCKS. You can also add to the No Proxy Host list; the items in this list should be comma separated. Finally, from these options you can specify proxy authentication details if you are connecting to the Internet through an authenticated proxy.
Once proxy settings have been configured, the Test connection button can be clicked to check whether the Maltego client can connect to the Internet using the proxy details. If the Maltego client can make a connection to the Maltego servers, a tick mark will be returned as in the image below:
Figure 340: Connection successful
Java Options
The next tab in the Options menu is the Java Options.
Figure 341: Java Options
Any changes that are made to the Java Options will be applied the next time Maltego is run.
Set Recommended Options
Clicking the Set Recommended Options button will detect which versions of Java are installed on the machine and set the most suitable one. It will also automatically allocate memory for Maltego to use depending on how much memory is available on the system.
Java Runtime
Details about the version of Java that is being used can be found under the Java Runtime section.
Figure 342: Java Runtime section
Clicking the dropdown menu for the Path field will list all the versions of Java that are detected on the system. If your installation of Java is not found in the list, Browse can be used to manually specify the path to Java’s home directory.
For Maltego 4, the recommended version of Java to use is the Oracle version of Java 1.8.
Memory
The last option that can be set from the Java Options tab is the maximum amount of memory that the Maltego client can use. Remember, Maltego loves memory so don’t be stingy.
Figure 343: Setting max memory usage
Collections
From the Collections tab, the rule ratio for collection nodes can be set. The default value for the ratio is 1.5:
Figure 344: Collection node options
In Maltego there are two main collection methods, called the neighbor rule and the chain rule.
Neighbor rule - When node A links to B, C, D, E ... Z, the nodes B to Z are collected into a single collection node, A->[B-Z]. This is called the neighbor rule.
Figure: Neighbor Rule
Chain rule - If A->B, C->D, E->F ... Y->Z, the result is two collections, call them [#]->[%], where [#] is A, C, E, G and [%] is B, D, F, H. That is the chain rule. For the chain rule to trigger you still need a common node at the top too, e.g. A->[#]->[%], and everything in [#] needs to be the same entity type (the same goes for [%]). The pairs also need a 1:1 relationship, in other words each website needs to resolve to one IP address; that is, they need to be connected in the same way.
Figure: Chain Rule
In tests we've noticed that we want to collect with the neighbor rule much earlier (i.e. at smaller numbers) than with the chain rule. In other words, you want to chain-rule-collect only if there are LOTS of pairs. The 'ratio' expresses the relationship between those two thresholds. For instance, if the ratio is 2 and the collection limit is set to 10, then neighbors will collect when they hit 10 nodes and chains (or pairs) will only collect when there are 20 nodes.
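The two thresholds described above, worked through on a small graph. This is an added example, not Maltego's own code and not part of the original guide. It assumes a simplified model: neighbors are grouped per entity type, the chain threshold counts pairs and is rounded up, and the function names, entity-type labels and sample graph are constructed for illustration.

```python
import math
from collections import defaultdict


def plan_collections(edges, types, limit=10, ratio=1.5):
    """Return (neighbor, chain) groups that would collapse into collections.

    Assumed model: a neighbor is a child whose only link is from its parent;
    a chain pair is child -> grandchild where each has exactly that one link.
    """
    chain_limit = math.ceil(limit * ratio)  # rounding up is an assumption
    out, indeg = defaultdict(list), defaultdict(int)
    for src, dst in edges:
        out[src].append(dst)
        indeg[dst] += 1

    neighbor, chain = {}, {}
    for parent in list(out):
        leaves, pairs = defaultdict(list), defaultdict(list)
        for child in out[parent]:
            if indeg[child] != 1:
                continue  # child shared with another parent: leave it alone
            kids = out.get(child, [])
            if not kids:
                leaves[types[child]].append(child)
            elif (len(kids) == 1 and indeg[kids[0]] == 1
                  and not out.get(kids[0])):
                # 1:1 pair, e.g. one website resolving to one IP address
                key = (types[child], types[kids[0]])
                pairs[key].append((child, kids[0]))
        for etype, members in leaves.items():
            if len(members) >= limit:  # neighbor rule: A->[B-Z]
                neighbor[(parent, etype)] = sorted(members)
        for tpair, members in pairs.items():
            if len(members) >= chain_limit:  # chain rule: A->[#]->[%]
                chain[(parent, tpair)] = sorted(members)
    return neighbor, chain


def sample_graph(n_ns, n_sites):
    """Constructed data: a domain with n_ns NS records and n_sites site->IP pairs."""
    edges, types = [], {"example.com": "Domain"}
    for i in range(n_ns):
        ns = f"ns{i}.example.com"
        edges.append(("example.com", ns))
        types[ns] = "NSRecord"
    for i in range(n_sites):
        site, ip = f"www{i}.example.com", f"192.0.2.{i + 1}"
        edges += [("example.com", site), (site, ip)]
        types[site], types[ip] = "Website", "IPv4Address"
    return edges, types


if __name__ == "__main__":
    # Limit 10, ratio 2: 10 neighbors collect, 19 pairs stay expanded.
    edges, types = sample_graph(n_ns=10, n_sites=19)
    neighbor, chain = plan_collections(edges, types, limit=10, ratio=2)
    print("neighbor collections:", {k: len(v) for k, v in neighbor.items()})
    print("chain collections:", {k: len(v) for k, v in chain.items()})
```

With the guide's figures (limit 10, ratio 2), the ten NS records collapse into one collection while nineteen website-to-IP pairs stay expanded; a twentieth pair tips the chain rule.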
Files
From the Files tab, you can choose whether images from a graph are saved with the Maltego graph file. Leaving this option checked enhances offline support and bandwidth usage at the cost of increased file size.
Figure 345: File options
Audio
The Maltego client makes various sounds when different events happen on a graph to notify you. These sounds can be disabled from the Audio tab in the options menu:
Figure 346: Audio options
Discovery
From the Discovery options, you can choose what happens when an entity type is installed that already exists in the Maltego client. You can also choose what happens when an icon that matches an existing icon is installed. The image below shows the different options that are available to choose from (the default settings are shown):
Figure 347: Discovery options tab
Transforms
From the Transforms tab in the options menu you can choose whether links between the same two entities that are created from the same transform should merge or not. The default setting is to have the links merge. You can also choose the timeout for transforms; the default value for this setting is 2 minutes and is given in milliseconds. This means that if a transform does not provide a result within two minutes, the transform will fail. Setting this option to 0 means the transforms will never time out.
Figure 348: Transform options
Display
From the Display tab, there are various settings that can be configured to adjust the user interface of the Maltego client.
Figure 349: Display options
The following sections will cover each part of the Display options tab.
Manual Links
Figure 350: Manual link settings
The first setting in the Manual Links settings allows you to choose if the Edit properties dialog should open when a new manual link is created.
The next two settings set the color for manual and transform created links. The default colors are two different shades of gray. Clicking the change button will open a color palette where a new default color for the type of links can be chosen:
Figure 351: Color palette to set default link color
Overlay Icons
Figure 352: Overlay icon options
The first checkbox lets you choose whether the entity type icon should be overlaid for entities that have custom images as their icons. For example, the Twitter Affiliation entity returned from a transform will set the entity icon to the Twitter user’s profile image. When this option is checked (which is the default), the entity type icon will be overlaid on the profile image in the bottom left-hand corner of the entity, as shown in the image below:
Figure 353: Twitter Affiliation entity with entity type overlay
By default, when an attachment is added to an entity, a small paper-clip icon will be overlaid on the entity icon on the left-hand side. The second checkbox allows you to choose whether this paper-clip icon is shown when an attachment is added.
Figure 354: Entity with an attachment
Font Sizes
Figure 355: Font sizing options
The Maltego client attempts to set font sizes according to the pixel density detected on the system. However, this section allows you to choose your own font sizes for different windows in the Maltego client. It is often useful to bump up all the font sizes when using a 4k monitor that is physically small.
The first option sets the font of the Detail View. The image below shows the Detail View with two different font sizes for this option set:
Figure 356: Two different fonts set in the detail view
The next option is to choose the font size of the Machines window’s logs. Again, the image below shows a comparison of two different font sizes set for this option:
Figure 357: Two different font sizes for the machine window
Changing the Other components font field will adjust all other text in the Maltego client user interface. A restart is required before any changes are applied.
The font size for the Transform Output window can be changed by right-clicking anywhere in the transform output window and then either increasing or decreasing the font sizes as shown in the image below:
Figure 358: Adjusting the transform output font size
The font anti-aliasing setting provides various options for changing the anti-aliasing that is used to render text on a Maltego graph. The options are shown in the image below. The Maltego client will need to be restarted before any changes are applied.
Figure 359: Options for font anti-aliasing
Entity label length
In the Maltego client, long entity values are truncated with an ellipsis to keep the graph tidy. By default, all values that are longer than 32 characters will be truncated. The image below shows an example of a truncated domain entity:
Figure 360: Truncated entity value
The full entity value can be seen by double clicking the entity’s value:
Figure 361: Selected entity value to show truncated text
The Max Entity Label Length option allows you to choose how many characters an entity value can be before it is truncated. You can also choose to completely switch off truncating entity values.
Figure 362: Option to set entity label length before it is truncated
Home
From the Home options, you can choose if you want the Home page to open automatically when the Maltego client is started:
Figure 363: Home options
Updates
From the Updates tab, you can choose if you want the Maltego client to automatically check for updates.
Figure 364: Updates options