Introduction

Maltego Client Requirements

Operating System

Maltego works on Windows 7, 8 and 10, Linux (various distributions) as well as OS X. As Maltego is Java based it should work on most operating systems.

Bottom line: Maltego can be installed on all platforms.

Software Requirements

Maltego uses Java version 8, and requires Java 1.8 or greater to be installed (update 101 or later) which is available for most popular operating systems. It is recommended to use the Oracle version of Java and keep it updated with the latest release.

Bottom line: You need Java 1.8 installed on your machine to use Maltego.

Hardware Requirements

Maltego loves memory and raw CPU power. Rendering views takes a lot of computing power and the slower your computer, the longer it will take. If your computer is under-powered this can become frustrating. If you plan to work on large graphs you’ll also need some memory.

Maltego 4 requires a minimum of 2GB of RAM, though >4GB is recommended. More RAM will allow for larger and more complex graphs, and offer an improved experience.

You also need a link to the Internet if you want to use the Paterva CTAS transform servers. Almost all the data collection and processing happens on the server but the results still need to get to your computer. A fast Internet link makes Maltego work faster. Lastly, if you ever needed a reason to get a big screen you now have it. Maltego also loves big displays. Running it in 1024×768 just wouldn’t feel right – but you can do it if you really must.

Bottom line:

Minimum (yuk): 2GB RAM, 2GHz, 1MB Internet access, 1024×768 display.

Recommended (yummy): 16GB RAM, Intel I7, 10Mb+ Internet access, 1920×1080 display.

Installation

Which version is right for me?

The Maltego client comes in four different versions, each suited for different purposes. The main differences between Maltego Classic, Maltego XL and Maltego CE are the number of entities that can be returned from a single transform and the maximum number of entities that can be on a single graph. CaseFile, on the other hand, is mostly used by analysts using offline data who do not need access to the standard transforms within Maltego. This table provides more details on the differences between the four clients. Maltego Classic and Maltego XL are commercial products and require a license key to use, while CaseFile and Maltego CE are completely free.

Download Installation Files

The different installation files for Windows, Linux and OS X can be downloaded from the downloads page of our website:

Figure 1: Maltego downloads page

Each of the client types has download options for Windows, Linux and MAC described in the next sections.

Windows Installation

The correct operating system should automatically be detected on the webpage. In this case, Windows has been detected as shown in the image below:

Figure 2: Windows installation

From the FILETYPE dropdown menu you can choose between installing just the .exe install, the .exe install with Java x64 or x32. If you do not already have Java 1.8 installed on your machine, it is recommended to install the .exe + Java bundle. Once the FILETYPE has been selected you can click Download! to start the download.

Once the download is done, double click the installer to start the installation process. Follow the next few screens that will prompt you for information to complete the installation process.

The screens that you will see are as follows (These images are taken from a Maltego XL 4.0.8 installation file):

Figure 3: The Maltego 4 setup welcome screen

Figure 4: The license agreement screen

Figure 5: Select users that will use Maltego

Figure 6: Installation location and disk storage requirements

Figure 7: Start Menu setup

Figure 8: Installation

Figure 9: Choose to create a desktop shortcut

After the installation, you should see an icon on the desktop or find it in the start menu under Paterva -> Maltego.

Linux Installation

You will need to have a windowing (X11) system – Maltego is a graphical application. Maltego is available as a .DEB package (ideal for Debian based operating systems) as well as an .RPM package (ideal for systems that can use the RPM Package Manager) and a .zip archive. Each of these file types can be selected from the FILETYPE dropdown when Linux is selected:

Figure 10: Linux installation

After you have downloaded the package you can install it as follows:

.deb (debian package)

The Debian packages can be installed by either double clicking on the file within your window manager (such as KDE) or allowing the window manager's installer to install the package. Alternatively, you can also install it from the command line as follows:

> cd downloads/Maltego (assuming that you’ve downloaded it here)

> dpkg -i <maltegofile>.deb

.RPM

The RPM file can be installed as above via your window manager by double clicking on the file or via command line as follows:

> cd downloads/Maltego (assuming that you’ve downloaded it here)

> rpm -i <maltegofile>.rpm

.zip

The zip archive is the entire extracted Maltego installation. You can simply extract this to wherever you want Maltego installed and then run maltego from the bin directory.

Also, note the following:

  1. Maltego requires the Oracle Java JRE and it is important that you install this version rather than the OpenJDK that comes with a lot of the operating systems.

  2. Make sure that you can read and write in the directory where you've installed the application. E.g. when you've installed the application as root and you run it under a normal user you might find that reading and writing your configuration files fails. This might cause problems.

  3. If you have different versions of Java on your machine you need to make sure that you are using version 1.8 for Maltego.

MAC Installation

Choose the MAC download from the downloads page on our website:

Figure 11: MAC download

.DMG

After you have downloaded the .dmg file, it can be installed by dragging it into your Application folder as shown below:

Figure 12: Installing Maltego on a Mac

Also, ensure that you have installed the latest release of Java 1.8 on your machine.

Maltego Client Setup

The first time you start the Maltego client you will be greeted by a setup wizard which will help activate your Maltego client and install transforms from a CTAS transform seed. The first page of the wizard is a welcome page and is shown below:

Figure 13: Welcome page

Click Next> to continue to the License Agreement step of the wizard. Read our license agreement carefully before continuing to the next step.

Figure 14: Maltego license agreement

After reading our license agreement you can activate your Maltego license. There are two different methods for activating Maltego, namely online activation and offline activation. Both methods are described in the upcoming sections.

Figure 15: Activation options

Online Activation

The online activation method is the recommended way to activate your Maltego client and should be a quick and easy process. To activate online select the Activate Online option and click Next>.

You will then be prompted to enter your 26-digit license key that should be provided to you via email after you made your purchase. The license key has a checksum digit (the last digits) to check that you have not made a typo. When the license key is in the correct format you will see a check mark appear next to the license key that you entered. You can then click Next> and the application will check if the license entered is valid.

Note: A single license can only be used on one computer at a time.

If the license is valid, the product will be activated and you will receive the following screen:

Figure 16: Activation successful

Offline Activation

In the case where your Maltego client is operating in a completely offline environment, you can do an offline activation. To do so, first you will pick Request License File then Activate Offline:

Figure : Request License File then Activate Offline

Clicking Next> you will be prompted to enter your Maltego license key just as you would have done when activating online:

Figure : Entering your Maltego License Key

After entering your key and clicking Next> you will be led to a page that provides a License Request blob and a link to the activation website:

Figure : License Request Blob

Copy the License Request blob and browse to the link specified (from a machine connected to the Internet if your Maltego client host is offline). This will lead you to the following web page:

Figure : Offline Activation Webpage

Copying your License Request blob into the form and clicking Generate Key >> will create a license file (maltego.lic) that will be downloaded from your web browser. You can then return to the activation wizard in the Maltego client and upload the new license file. Once uploaded, you can then click Next> to check if the license file is valid. If valid your Maltego client will be activated.

Installing from a Transform Server

You can click Next> to continue to select the transform server to install the standard CTAS transforms from. By default, the Maltego public server will be selected. If you have a private CTAS server, you can enter either the hostname or IP address of that server.

Figure 17: Selecting the public transform server

Selecting Maltego public servers will install transforms, entities, machines and other transform configurations from the public Paterva CTAS transform server.

After clicking Next>, the transforms will be installed. When the installation is done, you will receive the following summary of what was installed to your Maltego client.

Figure 18: Transform discovery summary

You will have the option to run a machine, start a new graph or open an example graph. We will select Go away… I have done this before! for now and then click Finish to complete the startup wizard.

After finishing the setup wizard, you will be led to the Home page shown in the image below, which includes the Transform Hub and the Maltego Start Page. We will discuss this in more detail later.

Figure 19: Start page

Start a Machine popup window

By default, when starting the Maltego client or when clicking on an empty graph, the Start a Machine wizard will open to assist you to run a machine on a new target.

Figure 20: Start a Machine Wizard

On the first page of this wizard there are checkboxes which, if unchecked, stop the wizard from appearing automatically on Maltego startup and when you click on an empty graph. For now, you can just close this window as it will be explained in the machine section of this document.

Configuring Java for Maltego

Before starting your first graph it is always a good idea to check your Java configuration for Maltego to ensure that there is enough memory allocated for your Maltego client. Usually it is adequate to just set the recommended settings. Instructions for doing this can be found in the Java Options section of the document.

Updating your Maltego Client

Before starting anything, it is always a good idea to update your Maltego client to the latest version. This can be done by clicking the Application Button (the large button in the top left-hand corner on the main client window), then going down to Tools and clicking Check for Updates. These steps are shown in the image below:

Figure 21: Check for updates

The Maltego update wizard will open and check for updates. If your Maltego client is already up-to-date, then you can click Finish. If there are new updates to be installed, you will be prompted to install the updates with the window below:

Figure 22: Install updates

You can click Next> to allow the Maltego client to download and install the latest updates. Once the updates are finished installing, your Maltego client will automatically restart. Once restarted you will notice that the installed update number will be displayed on the main window handle:

Getting started

Maltego Concepts

Before we get our hands dirty, there are three important concepts in Maltego that need to be defined.

  1. An Entity is represented as a node on a graph and can be anything such as a DNS Name, Person, Phone number, etc. The Maltego client comes with about 20 entities targeted for use in online investigations, but you can also make your own custom ones.

  2. A Transform is a piece of code that takes one entity to another. It does this by querying a data source and returning the results as new entities on your graph. The data sources are places like DNS servers, search engines, social networks, WHOIS information, etc.

  3. Machines chain multiple transforms together to automate common/tedious tasks.
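The three concepts above can be sketched as a small offline model. This is an added example, not Maltego's code or API: the class names, transform names and lookup tables are hypothetical, the sample data is constructed, and the assumption that entities with the same type and value collapse into one node is the model's own.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Entity:
    type: str   # the kind of information the node represents
    value: str  # the primary field shown on the graph


# Constructed offline stand-ins for the data sources a transform would query.
DNS_NAMES = {"example.com": ["www.example.com", "mail.example.com"]}
IP_ADDRESSES = {
    "www.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.10"],
}


@dataclass(frozen=True)
class Transform:
    name: str                           # hypothetical transform name
    input_type: str                     # entity type it can be run on
    output_type: str                    # entity type it returns
    source: str                         # where the results come from
    lookup: Callable[[str], List[str]]  # the data-source query

    def run(self, entity: Entity) -> List[Entity]:
        # A transform only applies to entities of its input type.
        if entity.type != self.input_type:
            return []
        return [Entity(self.output_type, v) for v in self.lookup(entity.value)]


class Graph:
    def __init__(self) -> None:
        self.nodes: Dict[Entity, Dict[str, str]] = {}  # entity -> properties
        self.links: Set[Tuple[Entity, Entity, str]] = set()

    def add(self, entity: Entity, **properties: str) -> bool:
        """Add or update a node; return True only if the node is new."""
        is_new = entity not in self.nodes
        self.nodes.setdefault(entity, {}).update(properties)
        return is_new


TRANSFORMS = [
    Transform("DomainToDNSName", "maltego.Domain", "maltego.DNSName",
              "constructed DNS table", lambda v: DNS_NAMES.get(v, [])),
    Transform("DNSNameToIPAddress", "maltego.DNSName", "maltego.IPv4Address",
              "constructed address table", lambda v: IP_ADDRESSES.get(v, [])),
]


def run_machine(graph: Graph, seed: Entity, transforms: List[Transform]) -> int:
    """Chain transforms from a seed entity; return how many nodes were added.

    Every returned entity records which transform and data source produced
    it, so each node on the graph can be traced back to where it came from.
    """
    graph.add(seed)
    queue = deque([seed])
    added = 0
    while queue:
        current = queue.popleft()
        for transform in transforms:
            for result in transform.run(current):
                if graph.add(result, found_by=transform.name,
                             source=transform.source):
                    added += 1
                    queue.append(result)  # only new nodes are expanded
                graph.links.add((current, result, transform.name))
    return added


if __name__ == "__main__":
    g = Graph()
    run_machine(g, Entity("maltego.Domain", "example.com"), TRANSFORMS)
    for node, props in g.nodes.items():
        print(node.type, node.value, props)
```
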

The Home Page

When you start up your Maltego client, you are first greeted by the Home page shown earlier in Figure 19: Start page. The Home page includes the Maltego Start Page on the left which includes links to our social media accounts. We generally use Twitter to post notifications about new features and we use YouTube to post any new video tutorials that we do. Any critical notifications will be posted directly on this page.

On the right-hand side of the Home page you will find the Transform Hub. The Transform Hub allows you to install transforms that are provided by 3rd party transform vendors as well as additional transforms that are provided by Paterva. Each of the transform packages on the Transform Hub is referred to as a Transform Hub Item. If you followed the steps in the previous section, you should have the PATERVA CTAS transform hub item installed as shown below:

Figure 23: PATERVA CTAS transform hub item

This transform hub item includes all the standard OSINT transforms for querying public information sources online. There will be more information about the Transform Hub in an upcoming section. But for now, let’s start our first graph. For those who are not familiar with the term OSINT, here is a definition from Wikipedia:

Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.

Your First Graph

There are three ways to create a new graph in Maltego:

  1. You can click the (+) button in the top left-hand corner of the Maltego client window next to the Application Button:

    Figure 24: New graph shortcut

  2. You can create a new graph by clicking the Application Button and then clicking New:

    Figure 26: New Graph from The Application Menu

  3. But the easiest way is to use the keyboard shortcut Ctrl + T.

Once you have created a new graph you will get a fresh page within a new tab, surrounded by a range of control windows as shown in the image below.

Figure : New Graph

Entity Palette

Entities

Entities in Maltego are used to represent different types of information and are represented as nodes on your graph. All the entities that are available in your Maltego client will be found in the Entity Palette which, by default, is found on the left-hand side of your graph. The entities in the palette are categorized into groups with the main categories being Infrastructure and Personal.

There are three aspects of an entity that should be understood before going forward.

  1. The type – this is the type of information that the entity is representing

  2. The value – this is the primary information field for an entity and is always displayed on the graph:

    Figure 28: Entity value

  3. The properties – these are additional information fields for the entity

Adding an Entity to your Graph

To add a new entity to your graph, click and hold on the desired entity and drag it onto the graph area as depicted below:

Figure 29: Dragging an entity to graph

Once an entity has been dragged onto a graph it becomes one of the nodes on the graph.

Editing an Entity Value

Double click on the text on the entity to edit the entity’s value, the text will become highlighted and you can quickly edit the value:

Figure 30: Editing an entity's value

Selecting an Entity

Left-click on the node you want to select. You will see the selection circle appear around it.

Figure 31: Select a single entity

Selecting Multiple Entities

Drag a block with the mouse around the entities you want to select, while keeping the left-click button held in.

Figure 32: Select multiple entities

Once selected, the nodes will be highlighted as in the picture below.

Figure 33: Multiple entities selected

Selecting Multiple Entities one at a time

When faced with multiple nodes but you only want to select specific nodes, use Shift + left-click. Shift + left-click on each node you want to select and they will be added to the selection.

Figure 34: Selecting multiple entities

Entity Details

To open the full entity Details window, you can double-click anywhere on the entity icon apart from the entity’s value. The entity Details window includes four separate tabs described below:

Summary

The entity Summary tab will open first when the entity Details window is opened. The tab contains a summary of all the information of the entity that can be found in more detail in the subsequent tabs in the entity Details window.

The image below shows the Summary page of a domain entity. Thumbnails for all entity attachments are also shown at the bottom of the summary window. There is also a large text area where entity notes can be added or edited.

Figure 35: Entity summary page

Attachments

The Attachments tab allows you to view a list of all the file attachments for the entity.

Figure 36: Attachment tab in entity details

New file attachments can be added by clicking the Attach button. This will open a dialog where a local file can be selected or a URL to a file can be specified which will be fetched by the Maltego client.

Figure 37: choosing a file attachment

File attachments can also be added to an entity by dragging and dropping it from your file manager onto an entity on the graph.

On a Maltego graph, it is shown that an entity has a file attached to it with a paper-clip icon that is displayed on the left-hand side of the entity’s icon as shown in the image below:

Figure 38: Entity attachment

Notes

The Notes tab includes a large text area where a note for an entity can be added or modified.

Figure 39: Entity note tab in entity details

On a Maltego graph, entities with notes can be identified by the yellow page icon on the right-hand side of the entity icon as shown below. Double-clicking the yellow page icon will show the note in a dialog box on the graph as depicted below. This dialog can be closed again by clicking the [X] in the top right-hand corner of the dialog box.

Figure 40: Entity note

Properties

The Properties tab in the entity Details window shows a list of key-value pairs for the different properties that the entity includes. The values for an entity’s properties can also be edited from this window.

Figure 41: Properties tab in entity details

Using your mouse

Panning and Zooming

To pan around your graph, right-click and hold while moving the mouse in the desired direction. You can also use the arrow keys to jump to the next entity in the graph. This is useful when navigating large graphs and is a lot faster than using the scroll bars.

Figure 42: Panning around your graph with the mouse

You can move the visible frame (white box) around on the Overview window (top-right corner) using the mouse (left-click, drag) – the main graph window will update in real time. Depending on the zoom level the visible frame becomes larger (zoomed out) or smaller (zoomed in).

Figure 43: Using the Overview view to navigate a large graph

Zooming with your Mouse

The mouse wheel can be used to zoom in and out of your graph. The zoom will always be based relative to the position of your mouse pointer on the graph. For example, if your mouse pointer was at the far left of a graph, zooming in would mean that the graph would be slowly moved to the left until the central point was where the mouse pointer was rather than the central point being that of the center of the graph.

There are two different ways entities are rendered on a graph depending on the zoom level. When zoomed closely into the graph, each entity will be represented as an entity icon with its value written beneath as shown in the image below:

Figure 44: Icon view

When zooming out entities will become solid round circles where the color of the circle indicates the entity’s type. A color legend is then displayed in the bottom right-hand corner of the graph for each entity type on the graph:

Figure 45: Legend view

Note that the colors are not always the same – e.g. the IP address entity will not always be orange. This happens because Maltego can be used with custom entities, and the number of entities used is not known to the program.

The Context Menu

The context menu allows you to run transforms on the selected entities on your graph. When you right-click on an entity (or group of entities) a context menu is displayed. The context menu is grouped into three different layers, namely the Top level, the Set level and the Transform level which are each explained in the following sub-sections.

Top level

The top level of the context menu is where the different transform hub items that you have installed are listed. By default, the Maltego client will only have the PATERVA CTAS transform hub item installed from the transform hub. If Maltego only has a single transform hub item installed the context menu will open in the set level as there is only one item to choose from in the top level. For the sake of this example additional transform hub items have been installed.

Figure 46: Context menu - top level

In the image above, the context menu has been opened for a domain entity by selecting the entity and right-clicking anywhere on the graph. Each line item in the menu represents a different transform hub item; clicking on one of these items will open the set level for that hub item.

The first item in this list reads All Transforms and clicking it will skip the set level and open the transform level of the context menu with all the transforms listed for the selected entity/ies.

Clicking the double arrow icon (>>) in line with each of the hub items will run all the transforms found in that transform hub item that are available to the selected entity.

When your mouse is over a transform hub item, a configure icon will appear. Clicking the configure button will open a configuration menu for that transform hub item which allows global settings to be changed. These settings are applied to the entire transform hub item.

At the bottom of the context menu the action bar is found. This allows various actions to be performed on the selected entities. Each of these actions will be described in later sections. The action bar remains the same regardless of what level you are on in the context menu.

Note: Running all transforms is almost always a bad idea as it is important to know what you are running and where the transform is getting the information from.

Set level

Left-clicking on a transform hub item will take you to the set level. In Maltego, sets are used to group transforms into categories of transforms that perform similar tasks and/or are often run together.

The image below shows the different sets available to a domain entity that are in the PATERVA CTAS transform hub item. Left-clicking the side-bar on the left of the context menu will navigate back up a level in the context menu (in this case back to the transform hub level). Right-clicking anywhere on the context menu will also navigate up a level. Each set also has a configure button which, when pressed, will open the set configuration window that will allow you to configure the transforms that are included in the set.

Figure 47: Context menu - Set level

Left-clicking the double arrow head (>>) will run all the transforms in the set while left-clicking anywhere else will open the transform level on the context menu for that set.

It is possible for the transforms from a transform hub item to not be categorized into sets, in this case selecting the transform hub item in the context menu will go straight to the transform level in the menu.

Transform level

The transform level of the context menu is where transforms are run from. Left-clicking on a single transform will run the transform. Alternatively, you can left-click the single arrow icon (>) on the right side of the context menu. Clicking the configuration icon in the transform line item will open the Transform Manager with the correct transform selected. The transform manager shows more information about the transform and allows the configuration of the transform’s settings – it will be discussed in later sections.

Figure 48: Context menu - Transform level

Clicking the star icon in a transform line item will add the transform to the favorites category which will always be listed at the top of the context menu as a separate category regardless of what level of the context menu you are on.

Figure 49: Favorites item in the context menu

Finally, hovering over a transform’s line item will display a short description of what the transform does.

Figure 50: Transform description

It is important to note that the context menu is entity specific meaning that the items that are shown in the context menu are related to the transforms that are available to the entity type that you have selected. If the graph selection includes entities of different types, then the context menu will include all items that are available to either of the selected entities.

Action bar

The action bar, found at the bottom of the context menu, allows you to perform a range of actions on the selected portion of your graph. The ten actions from the action bar are labelled in the image below and then described further below that.

Figure 51: Action bar with labels

  1. Copy to new graph: Copies your current selection to a new graph.

  2. Delete Entities: Deletes the selected entities. This can also be done with the delete key on the keyboard.

  3. Change Entity Type: Opens a dropdown menu that includes all entities from the entity palette. Picking an entity from the dropdown will change all your selected entities to that type.

    Figure 52: Change type dropdown menu

  4. Merge entities: Creates a single entity with properties from all the entities that were merged. Clicking the merge action will open a window that is used to select a primary entity for the merge. The primary entity will take preference over the other entities and its entity type will be used for the newly merged entity. The image below shows the merge window for three entities being merged: a person, an alias and a Twitter Affiliation.

    Figure 53: Merging window

    Merging these three entities, making the Twitter Affiliation the primary entity, results in the image below. Note that the properties from the other two entities are now in the Dynamic properties of the merged entity:

    Figure 54: Merged entity

  5. Copy in different formats: Copies your graph selection in different formats. Each format is described below:

    Figure 55: Copy entity selection to clipboard

    • Copy (as GraphML) – this will copy your graph to your system clipboard as an XML based graph format. This format will include information about the entities and the links between the entities in your selection.

    • Copy (as ‘value’ list) – this will copy a list of the entities that are currently selected on your graph. The list will only include the value of the entity and does not include any information about the links between entities on your graph.

    • Copy (as ‘type#value’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type. Each item in the list will be in the format ‘type#value’. The list does not include any information about the links between entities on your graph.

    • Copy (as ‘type#value#weight’ list) – this will copy a list of the entities that are currently selected on your graph as well as the entity type and weight. Each item in the list will be in the format ‘type#value#weight’. The list does not include any information about the links between entities on your graph.

  6. Cut Entities: Cuts your entity selection to your clipboard.

  7. Add Attachment: Attaches files to the entity. Clicking this button will open a window to choose the file to be attached:

    Figure 56: Choose the file to attach

  8. Send to URL: Opens a “developer friendly” feature in Maltego. It takes the selected segment of the graph and POSTs a hybrid GraphML/XML to the page which then returns a URL that Maltego will open in a browser. No documentation is provided with this as it is purely for demonstration purposes.

  9. Type Actions: Quickly search Google or Wikipedia for an entity's value. When a type action is run, your default web browser will open and the search will be performed there.

    Figure 57: The two default type actions

  10. Clear and refresh images: Re-fetches all downloaded images on your graph.
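The ‘value’, ‘type#value’ and ‘type#value#weight’ list formats described under Copy in different formats can be read back into structured records for reporting or for import into another tool. The parser below is an added example and not part of Maltego; the sample lines are constructed, and it assumes one entity per line, a type that never contains ‘#’ and a weight that is a trailing integer, so a ‘#’ inside a value (such as a URL fragment) is kept as part of the value.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

FORMATS = ("value", "type#value", "type#value#weight")


class CopiedEntity(NamedTuple):
    type: Optional[str]    # None for the plain 'value' list
    value: str
    weight: Optional[int]  # None unless the weight format was copied


def parse_line(line: str, fmt: str) -> CopiedEntity:
    """Parse one line of a list copied in the given format."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown format: {fmt!r}")
    if fmt == "value":
        return CopiedEntity(None, line, None)

    # The type is everything before the first '#'.
    etype, sep, rest = line.partition("#")
    if not sep or not etype or not rest:
        raise ValueError(f"expected {fmt!r}, got: {line!r}")
    if fmt == "type#value":
        return CopiedEntity(etype, rest, None)

    # The weight is everything after the last '#'; whatever lies between
    # belongs to the value, even if it contains '#' itself.
    value, sep, weight = rest.rpartition("#")
    if not sep or not value:
        raise ValueError(f"expected {fmt!r}, got: {line!r}")
    try:
        return CopiedEntity(etype, value, int(weight))
    except ValueError:
        raise ValueError(f"weight is not an integer in: {line!r}") from None


def parse_copied_list(text: str, fmt: str) -> List[CopiedEntity]:
    """Parse clipboard text, skipping blank lines."""
    return [parse_line(line.strip(), fmt)
            for line in text.splitlines() if line.strip()]


def group_by_type(entities: List[CopiedEntity]) -> Dict[Optional[str], List[str]]:
    """Return the de-duplicated, sorted values for each entity type."""
    grouped = defaultdict(set)
    for entity in entities:
        grouped[entity.type].add(entity.value)
    return {etype: sorted(values) for etype, values in grouped.items()}


# Constructed sample of a 'type#value#weight' list (not real findings).
SAMPLE = """\
maltego.Domain#example.com#100
maltego.DNSName#www.example.com#100
maltego.URL#https://www.example.com/docs#install#85

maltego.IPv4Address#192.0.2.10#100
maltego.DNSName#www.example.com#100
"""

if __name__ == "__main__":
    for etype, values in group_by_type(
            parse_copied_list(SAMPLE, "type#value#weight")).items():
        print(etype, values)
```
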

Running a Transform

When running a transform, a progress bar will appear in the bottom-right corner of the screen.

Figure 58: Transform progress bar

When running multiple transforms on multiple entities the progress bar will give an indication of the overall progress of all transforms.

The [X] (far right of the status bar) allows you to easily cancel all transforms that are currently running (for example – if you have selected the incorrect transform and don’t want the results to distort your graph with irrelevant entities). To cancel a running transform, simply select the [X] at the bottom of the screen. You will then be given a confirmation dialog that looks as follows:

Figure 59: Cancel Transform conversation dialog

By simply selecting Yes you can cancel the running transforms. Selecting No will allow the transforms to complete as usual.

When running multiple transforms, you can click on the transform progress to see which transform is currently running:

Figure 60: Viewing current transform being run

A maximum of five transforms will be run at once. Additional transforms will be queued until the earlier transforms have completed.

Graph Options

Screen real estate is very valuable and there is a lot of information that needs to be displayed by Maltego. Depending on the size of your screen you will need to move things around, display them differently and sometimes hide them to be able to see what you want to see. This section is all about getting the most out of your GUI.

Graph Tabs

When multiple graphs are opened in the Maltego client, they will each have their own tab above the main graph window. Graphs that have not been saved yet will be displayed as New Graph (number). Once a graph is saved, the display name on the name tag will change to the name under which it was saved. The * behind a graph indicates that it contains data that has not yet been saved.

The first tab is always the Home screen that includes the Start Page and Transform Hub:

Figure 61: Tabs for each graph that is open in the Maltego client

Right-clicking on a graph’s tab will open the dropdown menu described in the image below.

Figure 62: Options for graph tabs

Shift Left and Shift Right can be used to change tab ordering. The other items not described in the image above are used to make a graph tab into its own floating window however these options are rarely used.

Graph tabs can also be re-arranged by clicking and dragging the tab to another position:

Figure 63: Moving graph tabs

Graph Tab Buttons

Navigating the display is always an issue of being able to see only what you want to see. For this reason, the Maltego client has been made very versatile and adaptable. As discussed previously, graphs are maintained in tabs which can be flipped through. The next section details some of the options available to display information windows. On the top right-hand side of the graph the following options are available:

Figure 64: Graph bar buttons

When there are more tabs than can be displayed, the additional tabs will not be shown. The first two buttons in the image above allow you to scroll left and right through the tabs that are not shown.

The third button in the tab bar opens a drop down that shows all the graphs that are currently open. The arrow points to the graph that is currently in view.

Figure 65: List of graphs that are currently open

The last button in the tab bar will maximize the graph window and minimize all other windows in the Maltego client as shown in the image below. Double clicking the graph tab will also maximize the graph window.

Figure 66: Graph window maximized

Clicking the button again will restore the windows to their previous state.

Layout Sidebar

The layout sidebar is always found on the left-hand side of your graph window. It allows you to configure various view and layout options for your Maltego graphs. The image below provides labels for each of the items in the layout sidebar.

Figure 67: Layout sidebar with labels

  1. Full screen mode - Makes your Maltego client full screen. Pressing Alt + Enter on your keyboard will also enter full screen mode. Exit full screen mode by pressing the Esc key on your keyboard. Full screen mode is shown in the image below:

Figure 68: Full screen mode with annotations

  2. Lock Layout – Locks all entities that are currently on the graph from moving when transforms return. The new entities that are returned by transforms will still be laid out.

  3. Full vs incremental Layouts – This option should be used during collaborative sessions when you want to preserve your graph layout.

Layouts

Buttons 4 to 8 in the layout sidebar are used to determine how entities will be arranged on the graph. There are four standard layouts.

  1. Block layout - In this layout nodes are shown using the following rules:

     1. In blocks of nodes

     2. Sorted by entity type

     3. Sorted by entity weight

An entity's relevance is represented by the entity's weight. For example, entities that are returned from any of the search engine transforms will be weighted according to how relevant they are (their page rank).

The image below shows an example of block layout.

Figure 69: Block layout

  2. Hierarchical layout - In hierarchical layout entities are grouped by layers that are stacked on top of each other. Think of this as a tree based layout – like a file manager.

Figure 70: Hierarchical layout

  3. Circular layout - Nodes that are most central to the graph (e.g. most links) appear in the middle of circles with the other nodes scattered around them.

Figure 71: Circular layout

  4. Organic layout - In organic layout nodes are packed tight together in such a way that the distance between each entity and all the other entities is minimized. The closer the entities are to each other the more connected they are.

Figure 72: Organic layout

  5. Interactive organic – This layout is a lot like the organic layout. Entities are positioned according to how connected they are to the rest of the graph. The two differences with interactive organic are:

     1. When new entities are returned to the graph, only entities that are closely connected to the returned entities are moved instead of the entire graph laying out again every time new results are returned. For this reason, putting a graph into interactive organic layout will improve performance when dealing with larger graphs as less layout computation is required.

     2. Entities are not as tightly packed to each other as they are in organic layout.

The graph below shows the same graph as above, but in interactive organic layout. It can clearly be seen that the entities are less tightly packed.

Figure 73: Interactive organic layout

Freezing and refreshing the graph

  1. Freezing the graph – The freeze button is used when you have many nodes that are coming into the graph (e.g. running a lot of transforms on many nodes) and don’t wish for the layout to be constantly updating. By delaying the layout, the application can process transforms faster as it does not need to update the display after every transform. To unfreeze the graph simply press the same button and the graph will resume as normal.

  2. Refresh graph – Enabled when your graph is frozen and new entities have been returned. Allows you to manually refresh the graph layout.

Views

The next section in the layout sidebar is under View. Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Views can be used to determine the size and color of entities based on different properties of the graph. It is possible to write your own views; however, this is beyond the scope of this document. The seven views that come with Maltego out of the box size entities according to different properties.

  1. Normal View – When you are zoomed in close to entities, the entity icon will be rendered on the graph. When you zoom out to legend view, each entity is represented by the same sized ball with a color that corresponds to the entity type. This view is the default view when you start a new graph.

Figure 74: Example graph shown in normal view

  2. Diverse descent – This view is probably the most difficult to understand. With diverse descent, entities are sized according to the number of incoming links the entity has. However, incoming links with different grandparent entities are weighted higher. This is better explained with a graph.

Figure 75: Diverse descent explanation

In the image above, the IP address entities are sized differently even though they both have two incoming links. The reason for this is that the IP address on the left has two incoming links that originate from two different sources while the IP address on the right has two incoming links but they both originate from the same source. There are many cases where this view is useful. In this case, it emphasizes IP addresses that are related to different domains. The graph below shows the example graph using the diverse descent view:

Figure 76: Example graph with diverse descent view

  3. Ball size by all links – Entities are sized according to the total number of links (incoming and outgoing) they have. The more links an entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:

Figure 77: Example graph with view set to ball size by total number of links

  4. Ball size by incoming links - Entities are sized according to the total number of incoming links they have. The more incoming links an entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:

Figure 78: Example graph with view set to ball size by total number of INCOMING links

  5. Ball size by outgoing links - Entities are sized according to the total number of outgoing links they have. The more outgoing links an entity has the bigger it is sized on the graph. The graph below shows the example graph using this view:

Figure 79: Example graph with view set to ball size by total number of OUTGOING links

  6. Ball size by rank – This will size each entity based on its own number of links and the sum of its neighbors' links. The graph below shows the example graph using this view:

Figure 80: Example graph with view set to ball size by rank

  7. Ball size by Weight – This will size entities based on the entity’s weight. Some transforms (such as the search engine ones) return a weight field that represents the relevance of the entity. The graph below shows the results of a search engine transform. As you can see from the graph, in block layout, the entities are ordered according to their weight.

Figure 81: Graph with search engine results with view set to size by weight

Ribbon menu

The main ribbon menu in the Maltego client is where you will find buttons for most of the tool's functionality. The buttons are separated into tabs, each outlined in the following sections.

Investigate - Tab

The Investigate tab is open by default when starting a graph in Maltego 4. It provides you with numerous options to manipulate and navigate a graph. The options available are grouped in logical groups.

Figure 82: Investigate tab

Clipboard

Figure 83: Clipboard tools on the investigate tab

The clipboard tool provides the following intuitive functionality:

Copying

Selecting a portion of your graph and selecting the Copy dropdown will provide the options shown below:

Figure 84: Copying options

If you choose the last option in the list, To New Graph, you will get another set of options to choose from shown below:

Figure 85: Copying to new graph

You can decide if you want the sub graph or just the entities that are selected (Copy With Links vs. Copy Without Links). Another option is Copy With Neighbors. This allows you to easily focus on the part of the graph that is interesting – by isolating nodes around the node of interest. There are three sub categories:

Any will select, copy and paste child and parent nodes to a new graph, Children will only select child nodes and Parents will only select parent nodes. The numeric field indicates how many levels should be selected. Let’s assume we want all the parents and children of the IP number selected in the example above. We’ll use Any and the number 1. This will result in a new graph that looks as follows:

Figure 86: Result of copy

Copy from the Action bar

From the action bar in the context menu there are also options for copying portions of your graph in different formats. The button on the far left of the action bar (shown below) is a shortcut to copy your current graph selection to a new graph.

Figure 87: Copy to new graph

The action bar also has options for copying your selection to your system clipboard in different formats, like you can do from the ribbon menu:

Figure 88: Copy selection to clipboard

Copying from the detail view

The Detail View on the right-hand side of your Maltego client lists information about the entities that are currently in your selection.

Figure 89: Detail View

You can copy this information out of Maltego as a comma separated list by selecting the entities from the list and then pressing Ctrl + C or right-clicking on them to open the context menu. To select entities from the list you can:

Pasting your selection into a text editor will result in a CSV as shown in the image below:

Figure 90: CSV copied from the Detail View

Pasting onto a graph

When you paste text onto a graph, Maltego tries to identify the type of entity that is pasted from text. Consider the following example:

Figure 91: Text to be copied from a text editor

Copying and pasting all the above text into Maltego leads to the following entities:

Figure 92: Result of copy from text

Note that the URL entity type displays the title of the URL not the entire URL (but the entity will work as expected as the full URL is stored as an entity property).

Keep in mind that Maltego will fail to recognize complex entities in some cases (think phone numbers in unusual formats!). In these cases, you might want to tell Maltego what the entity type is. This can be done by prepending the entity value with the entity type. Consider the following text:

Figure 93: Text to be copied

When the above is selected and pasted, it results in the following graph:

Figure 94: Forcing entity type to phrase

Entity types (i.e. what’s inserted before the #) can be obtained by dragging an entity to the graph and looking in the Detail View at the entity type description (highlighted in orange below):

Figure 95: Finding an entity type
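The type-prefix convention described above can be applied to a whole list before it is pasted, so that no line is left to automatic recognition. The following is an added example, not part of the Maltego documentation or product: the entity type identifiers are assumptions to be confirmed in the Detail View, and the regular expressions are a simple stand-in classifier, not Maltego's own recognition logic.

```python
import ipaddress
import re

# Entity type identifiers below are assumptions for this example; confirm each
# one in the Detail View of your own client before relying on it.
PHRASE = "maltego.Phrase"
IPV4 = "maltego.IPv4Address"
URL = "maltego.URL"
EMAIL = "maltego.EmailAddress"
DOMAIN = "maltego.Domain"
PHONE = "maltego.PhoneNumber"

# "<namespace>.<Name>#<value>": a line that already carries a forced type.
_EXPLICIT = re.compile(r"^([A-Za-z]\w*(?:\.[A-Za-z]\w*)+)#(.+)$")
_URL = re.compile(r"^https?://\S+$", re.IGNORECASE)
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_DOMAIN = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)
_PHONE = re.compile(r"^\+?[\d\s().-]{7,20}$")


def classify(raw):
    """Return (entity_type, value) for one line of text."""
    value = raw.strip()
    forced = _EXPLICIT.match(value)
    if forced:
        # The analyst already chose a type: keep it untouched.
        return forced.group(1), forced.group(2).strip()
    try:
        ipaddress.IPv4Address(value)
        return IPV4, value
    except ValueError:
        pass
    if _URL.match(value):
        return URL, value
    if _EMAIL.match(value):
        return EMAIL, value
    if _DOMAIN.match(value):
        return DOMAIN, value
    # Digits and separators only: treated as a phone number. Dates and case
    # numbers also land here, which is exactly when a forced type is needed.
    if _PHONE.match(value) and sum(c.isdigit() for c in value) >= 7:
        return PHONE, value
    return PHRASE, value


def to_paste_text(lines):
    """Build paste-ready text in which every line carries an explicit type."""
    out = []
    for raw in lines:
        if not raw.strip():
            continue  # skip blank lines
        entity_type, value = classify(raw)
        out.append(f"{entity_type}#{value}")
    return "\n".join(out)


# Constructed sample input (documentation addresses and domains only).
SAMPLE = [
    "192.0.2.10",
    "mail.example.org",
    "analyst@example.org",
    "https://example.org/login#top",
    "+27 (0)12 345-6789",
    "2019-03-14",                  # a date, misread as a phone number
    "maltego.Phrase#2019-03-14",   # same value with the type forced
    "",
    "case 42 notes",
]

if __name__ == "__main__":
    print(to_paste_text(SAMPLE))
```

Review the generated prefixes before pasting: the sample date shows how a purely pattern-based guess goes wrong and why the forced form on the next line is the safer input.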

Transform slider

Figure 96: Selecting the number of transform results.

The transform results slider is used to set the number of results returned when a transform is run. The numbers that the transform slider can be set to differ between the different versions of the Maltego client as follows:

The transform slider (i.e. the max number of results that can be returned to the Maltego client from a single transform) is one of the main differentiating factors between the different Maltego clients.

When set to the very left, Maltego will only show the top 12 results based on weight. One needs to understand the implications of these settings. Many transforms have no concept of weight. In fact, only search engine transforms use weight as an indication of relevance. Think about the reverse DNS results for a class C network – it can potentially return 255 results – each of them with a weight value of 100 (the default value), as no one DNS entry is more important than the other. Setting the slider to 12 results will only show the first 12 results – useful for simply getting an idea of what is in the network, but useless for enumerating ALL the reverse DNS information of the block. In the same way, setting the slider to 255 results for a search engine transform (e.g. looking for someone specific but who has a very common name) is not clever as you will be flooded with results. You must be careful to understand how the slider works and spend time experimenting with it.

Take Note. When you do not see the number of results that you expected to see, check how many results the transform result selector is set to return.

Find

Figure 97: Find tool on the investigate tab

From the find options in Maltego, you can search your current graph as well as saved graphs stored on your machine.

Quick find

The Quick Find option on the investigate tab is a very handy tool to find something specific in a very large graph. The following toolbar will open at the bottom of your graph (the find toolbar can also be opened by pressing Ctrl + F):

Figure 98: The Find Toolbar at the bottom of a graph

You can now enter a search term, select the specific entity type or specify All (the whole graph) and you have the option to search all the Properties, Notes and Detail View. Once you click the Find button, the relevant entities will be highlighted in the graph and the search hits will be listed in the Detail View. If you check the Zoom checkbox, then your graph will zoom to your results that match your search criteria.

Find in files

Find in Files does exactly what the title suggests: it allows you to perform text searches on multiple Maltego graphs that are saved in a specified folder on your machine.

Clicking the Find in Files button opens the window shown below:

Figure 99: Find in files

Under the Where field you can specify the folder that you wish to search. This folder must include .mtgl and/or .mtgx graph files. The Browse button can be used to open a directory window where you can find the folder you wish to search. If the folder that you choose has multiple sub-directories that you also wish to search, then you must check the Recursive checkbox.

The Find input field allows you to specify your search term. The Case Sensitive checkbox can be used to choose whether the search should be case sensitive or not.

The options from the Graph items field will allow you to choose whether to search entities and/or links. It also allows you to limit your search to a specific entity type from the drop down menu.

Finally, the Search in field allows you to choose which of the entity's text fields should be searched in.
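The same folder search can be run outside the client, for example on a machine without Maltego installed. This is an added example, not part of the Maltego documentation or product: it assumes a .mtgx file is a ZIP archive that stores graph data in .graphml members, and it reports any file that cannot be read that way (whether .mtgl files or encrypted graphs share the layout is not stated on this page). The sample graph content is constructed and simplified.

```python
import html
import re
import tempfile
import zipfile
from pathlib import Path

GRAPH_EXTENSIONS = {".mtgx", ".mtgl"}
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # refuse oversized members in shared files


def find_in_graph_files(folder, term, recursive=False, case_sensitive=False):
    """Search saved graph files for a literal term.

    Returns (hits, skipped): hits are (file, member, line_no, text) tuples,
    skipped are (file, reason) tuples for files that could not be read.
    """
    root = Path(folder)
    pattern = re.compile(re.escape(term), 0 if case_sensitive else re.IGNORECASE)
    candidates = root.rglob("*") if recursive else root.glob("*")
    hits, skipped = [], []
    for path in sorted(candidates):
        if not path.is_file() or path.suffix.lower() not in GRAPH_EXTENSIONS:
            continue
        name = path.relative_to(root).as_posix()
        try:
            with zipfile.ZipFile(path) as archive:
                for info in archive.infolist():
                    if not info.filename.lower().endswith(".graphml"):
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        skipped.append((name, "member too large"))
                        continue
                    text = archive.read(info).decode("utf-8", errors="replace")
                    for line_no, line in enumerate(text.splitlines(), 1):
                        # Undo XML escaping so "&amp;" matches a search for "&".
                        plain = html.unescape(line).strip()
                        if pattern.search(plain):
                            hits.append((name, info.filename, line_no, plain))
        except (zipfile.BadZipFile, RuntimeError) as exc:
            # Not a readable ZIP (for example an encrypted or damaged file).
            skipped.append((name, type(exc).__name__))
    return hits, skipped


def build_sample_folder(folder):
    """Create constructed sample files; the XML is not the real graph schema."""
    root = Path(folder)
    (root / "sub").mkdir()
    samples = {
        root / "case1.mtgx": "<graphml>\n<node><data>ns1.example.org</data></node>\n</graphml>",
        root / "sub" / "case2.mtgx": "<graphml>\n<node><data>NS1.EXAMPLE.ORG</data></node>\n</graphml>",
    }
    for path, xml in samples.items():
        with zipfile.ZipFile(path, "w") as archive:
            archive.writestr("Graphs/Graph1.graphml", xml)
    # Stands in for a graph file that is not a plain ZIP archive.
    (root / "locked.mtgx").write_bytes(b"\x00constructed non-ZIP content")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_folder(tmp)
        found, unreadable = find_in_graph_files(tmp, "ns1.example.org", recursive=True)
        for hit in found:
            print("HIT ", hit)
        for item in unreadable:
            print("SKIP", item)
```

The recursive and case_sensitive arguments mirror the Recursive and Case Sensitive checkboxes; the skipped list makes it visible when a file in the folder was not actually searched.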

Entity selection

The entity selection panel has various options allowing you to manipulate the graph selection.

Figure 100: Entity selection panel from the investigate tab

Maltego can operate in two different modes – Link Selection mode, or Entity Selection mode. The default mode is Entity Selection mode. To switch between modes, you can press Ctrl + M or click on the mode selection icon at the top (this icon indicates the current mode):

Figure 101: Entity and Links selection buttons

To quickly switch between the two, you can also press and hold the Ctrl key on your keyboard while dragging or selecting.

In Link Selection mode, you will be selecting links. Dragging a box around links will select multiple links:

Figure 102: Selecting Links

The selection in the image above will result in the selection below:

Figure 103: Links selected

Link Selection mode is enabled in the image above; you will notice the selected links are highlighted yellow.

Links can also be selected by selecting nodes (in Entity Selection mode) and then switching to Link Selection mode.

Manual links can be established by left-clicking and holding on an unselected source entity, then dragging a link to the target entity. This action is shown in the image below:

Figure 104: Manually creating a link

Once you release left-click on the target entity, a link properties menu will appear that allows you to specify properties for the link.

Figure 105: Entity properties

The properties settings shown in the image above will result in the link below being created:

Figure 106: Manual link with custom properties

The label of the link is displayed on the link on your graph. Link labels can be set to be visible or invisible. When working with a large graph you might not want to show all the transform link labels, as things get confusing quickly if you have a lot of link labels. By default, transform link labels are set to be invisible in global settings.

When a link is selected the Property View and Detail View will display additional information about the link. Link properties that are created by a transform cannot be edited by the user, however, links that are created manually by the user can be edited.

Figure 107: Link details and property view

In the Detail View, in the image above, it is shown that the link was manually created and it specifies the two entities that the link is between.

Remember: The Detail View displays read-only information about the selection while Property View shows properties that can be edited by the user.

The Property View for the link shows the properties that were set at the time that the link was created. Each of these properties can be edited from the Property View window.

To set the properties of multiple links at once do the following:

Figure : Properties of Multiple links being edited

From the Property View the style, thickness and color can also be configured. Link labels can be set to be visible or not – independent of the global settings. This is done by selecting the link/links and changing the Show Label field.

The Details window for a link can be opened by double-clicking on the entity link just as the Detail window is opened for an entity.

Figure : Details Window for a Link

Link properties can also be edited from the Details window for the link in the second tab.

Figure : Properties tab in Details Window for a Link

Entity Selection Shortcuts

The remaining buttons in the entity selection panel provide shortcuts for manipulating your entity selection and will be outlined in the upcoming sections.

Select all and Select none

Figure 111: Select all and select none

Select All and Select None do what their names suggest: they select all entities on your graph and de-select all entities on your graph, respectively.

The keyboard shortcut for selecting all entities on your graph is Ctrl + A.

Invert selection

Figure 112: Invert entity selection

Inverting the entity selection will de-select all currently selected entities and select all currently de-selected entities. Clicking the Invert Selection button with the graph below:

Figure 113: Before inverting entity selection

will result in the graph below:

Figure 114: Selection after Inverting the selection

Add Parents

Figure 115: Add Parents to selection

You can select a child node and press Control + Shift + Up arrow to select the parents while keeping the children in the selection. This is useful for selecting a family tree, but from a child node’s perspective.

Figure 116: Add parents

Add Children

Figure 117: Add Children to selection

Select child nodes while keeping parents selected.

Figure 118: Add children

Add Similar siblings

Figure 119: Add Similar Siblings

Add Similar Siblings will add all entities to your selection that have the same parent entities and are of the same entity type.

Figure 120: Add similar siblings

Add Neighbours

Figure 121: Add Neighbors to selection

Add Neighbors will keep the present nodes selected and select the nodes directly adjacent to the present node as well.

Figure 122: Add Neighbors

Add Path

Figure 123: Add Path between two selected entities

The Add Path selection shortcut is most useful. It selects the nodes in the path between multiple nodes (this function is disabled unless multiple nodes are selected). This is best shown with an example. Let’s assume the following nodes are selected:

Figure 124: Selecting two entities from the graph

On a complicated graph, such as the one above, it would be quite difficult to find all the entities that connect the person and the email address. Clicking the Add Path button selects all the entities that connect the two selected entities together as shown in the next image. (The Detail View shows all selected entities).

Figure 125: Clicking add path selects all entities connecting the initial two

Copying the selection to a new graph shows how this person and email address are connected:

Figure 126: Copied selection to a new graph

Add Path - Another example

The example below (with a simpler graph) will demonstrate how entity links can also be added to the selection between two entities using the Add Path function. The selected links will then be edited to change their properties to highlight the path between the two originally selected entities.

Figure 127: Select two entities

When these nodes are selected and the Add path button is clicked the following nodes will be selected (those along the path):

Figure 128: Path selected

If the above graph is switched to Link Selection mode, the links between the highlighted entities are selected:

Figure 129: Links of path selected

They can now be edited. Let’s assume we want to mark the path between the entities with a thick, dotted red line:

Figure 130: Properties of path links changed

The Property View for these links ends up looking like this:

Figure 131: Link property view

Select Parents

Figure 132: Select Parent entities

You can select a parent of a node (e.g. the source of the selected node). This is useful to get to the original source of a child node. You can also do this by selecting the node and pressing Ctrl + Up arrow.

Figure 133: Select parents

Select Children

Figure 134: Select Parent entities

It is very useful to be able to select the children of a node (e.g. all the nodes that were created from the node). You can also do this by selecting the parent and pressing Ctrl + Down arrow.

Figure 135: Select Children

Select Neighbours

Figure 136: Select Neighbors

Select Neighbors will select the nodes directly adjacent to the present selected node (incoming and outgoing nodes).

Figure 137: Select neighbors

Select Bookmarked

Select Bookmarked allows you to select bookmarked entities by the different colors.

Figure 138: Select Bookmarked

Select by Type

Figure 139: Select by Type dropdown menu

Select by Type is very useful when you want to select all the entities on your graph of a certain type. Clicking the dropdown will show you all the entity types that are currently on your graph which you can choose from to select.

Figure 140: Select by type

Figure 141: Select Links dropdown

Select Links has three options in the dropdown menu. Each of the options helps select links related to entities that are currently in the selection.

Select links – (Ctrl + L): Selects incoming and outgoing links for currently selected entities.

Figure 142: Select links – outgoing and incoming

Select Links – Outgoing (Ctrl + End): Selects outgoing links for currently selected entities.

Figure 143: Select links - outgoing

Select Links – Incoming (Ctrl + Home): Selects incoming links for currently selected entities.

Figure 144: Select links - incoming

Figure 145: Reverse Links

Reverse Links: reverses the direction of a selected link (manually created links only). The button will only become enabled when a link is selected.

Figure 146: Reverse links

Zooming

The zoom tools under the Investigate tab include a range of shortcuts for zooming to different areas of a graph. The following sections will cover these zooming shortcuts.

Figure 147: Zoom Tools on the investigate tab

Zoom In and Out

Use the scroll wheel of the mouse to zoom in and out of the graph.

Figure 148: Zooming with mouse scroll wheel

If you are using a notebook without a mouse (not recommended) you can use the buttons on the Investigate tab of the GUI. The Zoom In and Zoom Out buttons can be used in place of the scroll wheel on the mouse to navigate in and out of a graph:

Figure 149: Zoom in and out

Zoom to Fit

The Zoom to Fit button is a handy way to quickly center the graph and zoom so that the full graph is in view (Ctrl + Q on the keyboard).

Figure 150: Zoom to fit

Figure 151: Zoom to fit

Zoom 100%

Figure 152: Zoom 100%

Zoom 100% will zoom to a 100% zoom level on the graph. The current zoom level of a graph is shown in the top right-hand corner of the graph:

Figure 153: Zoom level (%)

Zoom to (%)

Figure 154: Zoom to (%)

Zoom To (%) has a dropdown menu that allows for the selection of the zoom level as a percentage.

Zoom Selection

Figure 155: Zoom to selection

Zoom Selection allows you to select a portion of the graph using normal selection techniques and then quickly zoom to the area. This can be done by clicking on the Zoom Selection button, or by pressing Ctrl + W.

Figure 156: Zoom to selection

View – Tab

The View tab in the Maltego client allows you to configure settings relating to the view of your graph. The following sections will describe what each of the view options will do to your graph.

Figure 157: View tab

Views

Views are used to extract non-obvious information from large graphs – where the analyst cannot see clear relationships by manual inspection of data. Views can be used to determine the size and color of entities based on different properties of the graph. It is possible to write your own views; however, this is beyond the scope of this document.

Custom views can be created from the Manage View window that can be opened from the dropdown menu shown below:

Figure : Manage Views

The seven views that come with Maltego out of the box are covered in the layout sidebar section.

Graph layout

Figure 159: Graph layout options

The graph layout allows you to configure various layout options for your Maltego graphs which determine how entities are drawn in relation to each other. Each of the graph layout options is explained in the layout sidebar section.

Entity Alignment

Figure 160: Entity alignment panel

Options found under the entity alignment panel can be used to “justify” entities to different alignments on the graph.

Figure 161: Link label panel

The link labels and properties panel under the View tab allows you to set what is shown on a link.

Show Custom Link Labels allows you to choose whether link labels are shown on the graph. This is a global setting that can be overwritten by individually set link label properties. Show Transform Link Labels will show the name of the transform that created the link when the option is checked.

Figure : Show Transform Link Labels Checked

Properties affect appearance

The Properties Affect Appearance checkbox allows you to choose whether a link’s properties affect the appearance of the link on the graph.

Entity Notes

Figure 163: Entity notes panel

The entity notes panel under the View tab simply allows you to set a global setting of whether entity notes should be shown on the graph:

Figure 164: Hiding entity notes

Entities – Tab

The Entities tab allows you to manage the entities that are available in your Maltego client, add new entities and create your own entities.

Figure 165: Entities tab

Creating New Entities

The first button under the Entities panel allows you to create a New Entity Type. Clicking the dropdown opens two new entity options:

Figure 166: New entity type dropdown menu

The New Entity Type (Advanced) option provides more options when creating a new entity.

Clicking New Entity Type (Advanced) opens a wizard that will guide you through the process of creating a new custom entity. The first step of the New Entity Wizard is shown in the image below:

Figure 167: New Entity Wizard - Step 1

Figure 168: New Entity Wizard - Step 1 – Complete

After clicking Next>, the main property for the new entity can be configured.

Figure 169: New Entity Wizard - Step 2

The main property (also called the entity value) is the property of the entity that is going to be shown on the graph. This step allows for the configuration of this main property:

Once these fields have been completed click Next> to continue to the next step of the wizard.

The next step simply allows you to choose which category the new entity type should be found under:

Figure 170: Choose the entity category - Step 3

The Personal category is chosen for the new Police Officer entity.

Clicking Next> will lead to the Additional Properties section of the wizard:

Properties for an entity describe the extra fields that an entity contains. Several entities contain just a single field such as a DNS Name and for most entities creating a single field is enough.

From the Additional Properties step, you can add additional properties for your entity to represent pieces of information that are commonly found with the new entity type. At this stage, it is important to consider whether additional information relating to the new entity type should be made a property of the new entity or an entirely new entity on its own.

Figure 171: Additional properties - Step 4

By default, there will be one property populated which is the main property (entity value) that was configured in step 2.

To add new properties, click the Add property… button in the top left-hand corner of the wizard window. This will open a new window where the new property can be configured. In this case, a “badge number” will be added for the new “Police Officer” entity:

Figure 172: Adding a new property

For the new property, the following fields must be completed:

Once these three fields have been chosen, clicking OK will add the new property to the entity. From the main wizard window, additional configurations can be made to the new property:

Figure 173: New entity property

The next step in the wizard allows you to set Display Settings for the new entity. The display settings allow you to set which property is displayed on the graph.

Figure 174: Display settings - Step 5

Display Settings determine three different properties for an entity: what is edited when changing the value on the graph, what value is displayed on the graph and what icon should be used in place of the default icon. It might seem very strange to have a different property edited from the one that is displayed, but the URL entity illustrates why. Whilst you still need the actual URL of a page (that could be very long) you do not want that displayed on the graph, but rather something like the title of the page.

The last step in the New Entity Wizard is the Advanced Settings page.

Figure 175: Advanced settings - Step 6

The Advanced Settings page allows you to specify the following fields:

Figure 176: Regular expression for a domain entity

Figure 177: Group to property mapping - person entity

In the current “Police Officer” example, both the Regular expression and Group to property mapping fields are left blank.

Clicking Finish will complete the wizard. The new entity type can be found in the entity palette under the Personal category:

Figure 178: New entity type in the entity palette

Managing Entities

Figure 179: Manage entities

Clicking the Manage Entities button will open the Entity Manager window:

Figure 180: Entity manager

The Entity Manager lists all entities currently in the Maltego client and allows you to edit or delete entities.

Figure 181: Delete entity confirmation

Figure 182: Editing an entity

From the entity editor window, you can change any of the settings and properties that were made to the entity when the entity was first created.

Importing and Exporting Entities

Custom entities can easily be shared between users by exporting and importing them. It’s also possible to share entities by simply saving a graph containing custom entities and loading it in another (clean) Maltego.

Exporting Entities

Figure 183: Export entities

Clicking the Export Entities button will open the Export Wizard. The first step in this wizard is to decide if you want to export all entities in your Maltego client or export a custom selection:

After clicking Next>, entities which are to be exported can be selected. In this example, only the custom police officer entity will be exported:

Figure 184: Select entities to be exported

Next, the filename and the folder to which the entities will be exported must be chosen. The file extension for all Maltego configuration files is .mtz.

There is also an option to encrypt the entity file with AES-128:

Figure 185: Choose file location

If the encryption option is checked, the next page will allow you to choose a password for the file.

Figure 186: Choose encryption password

After choosing the password and clicking Next, a final summary page will appear showing what was exported:

Figure 187: Export summary

The Finish button can be clicked to exit the export wizard.

Importing Entities

Figure 188: Import entities

Now that the custom entity has been exported to an .mtz file, it can be shared with other Maltego users by using the Import Wizard in the Maltego client.

Clicking Import Entities will open the Import Wizard. In the first step of the Import Wizard the .mtz file can be selected:

Figure 189: Select the required .mtz file

If the file was encrypted, then you will need to enter the encryption password:

Figure 190: Enter password

The next step shows the contents of the configuration file and allows you to select which items to import. In this case, there is only the single Police Officer entity that already exists in this Maltego client:

Figure 191: Select entities to be imported

Clicking Next will go to a summary page of what was imported:

Figure 192: Import summary

Clicking Finish will close the Import Wizard.

Entity Palette

Figure 193: Entity palette

Clicking the Entity Palette button will simply open the Entity Palette again if it has been closed.

Manage Icons

Figure 194: Manage Icons

Clicking the Manage Icons button will open the Icon Manager for entity icons.

Figure 195: Icon Manager

In the Icon Manager, the built-in icons are categorized and can be browsed through or searched for using the search input field at the top of the window.

It is also possible to add new icons that can be used for new entities that are created. To add a new entity icon, click the plus (+) button in the top left-hand corner of the Icon Manager window. This will open another window where the image file for the new icon can be chosen:

Figure 196: Select image file for new icon

Once the image file has been chosen, the category for the icon must be selected:

Figure 197: Choosing a category for the new icon

Clicking OK will add the new entity icon to your Maltego client.

Collections - Tab

Collection nodes overview

Introduced in Maltego 4, collections aim to clean up the graph by grouping 'similar' entities, making it easier to view portions of the graph and find the key relationships you are looking for. The underlying collection rules all adhere to the following criteria:

  1. Only entities of the same type may be collected together in a single collection,

  2. Entities that are pinned (pinned to the graph) may not be collected,

  3. A minimum entity limit exists which must be satisfied for a collection node to form, i.e. a collection node may not contain less than the minimum limit of entities.

The image below shows the controls on the Collections tab of the ribbon as configured for a fresh install of Maltego.

Figure 198: Collections tab

Collections are enabled by default and may be toggled off/on by pressing the Disable/Enable Collections button. On the Simplify Graph section a slider and spinner work in tandem to control the level of graph simplification. The numbers on the slider and that of the spinner correspond, designating the minimum number of entities that any collection node may contain. Dragging the slider to the left decreases this global minimum entity limit for collections, thereby increasing the amount of graph simplification. The Show Collections Tutorial button shows this tutorial in the Maltego client. The Select Collections button selects all the collection nodes on the current graph.

Levels of Simplification

A typical use case for collection nodes is analysing Twitter followers. The image below shows the Detail View for three different Twitter accounts for which followers were found, sorted alphabetically according to the entity name. Since transforms were run on these entities as input, none of them have incoming links. "Paterva" has the highest number of Twitter followers (outgoing links) among the 3 entities, with 3432, which according to the transform rules resulted in a weight of 100.

Figure 199: Detail view of starting three Twitter accounts

With collections disabled (and for pre-Maltego4 versions), the graph output looks like the image below when in organic layout (zoomed to 2%). The graph consists of 4164 entities (4489 links in total), making it difficult to visualise the interesting relationships and common followers without having to continuously zoom in and out of the graph.

Figure 200: Followers of the initial three Twitter accounts

With collections enabled and the slider in its default position of 25 entities, the graph output looks as follows in circular layout (zoomed to 15%).

Figure 201: Collections enabled in circular view

Notice the circular entities (uncollected) and square collection nodes. Dragging the slider to the far left for the greatest amount of graph simplification, renders the graph as follows (zoomed to 100%). The graph is now simpler and much easier to work with.

Figure 202: Collection enabled - full simplification

With the collection node containing 269 entities selected (designated by "269" in the collection node heading on the graph), the selected entities can be viewed in list form in the Detail View, and sorted according to various columns (multi-column sorting is also supported using the Shift key in conjunction with mouse clicks on the column headings). Hovering over or clicking on the entities in this list shows the relevant entity properties in the Property View.

Figure 203

Clicking on the icon in the Inspect column in the image above (shown by the orange plus (+) sign), shows in-depth details of that single entity (image below). Double-clicking on the Twitter user icon in the image below, will open the Details dialog. Clicking on the Back To List button (or right-clicking inside the Detail View component) in the image below, returns to the Detail View list of the entities in the collection node as in the image above.

Figure 204

By double-clicking on the entity name in the Detail View list (or clicking on the icon in the Collected column which shows the number of entities in the collection node), the graph will automatically pan and zoom to the selected entity, briefly flashing the entity inside the collection node in white as in the image below.

Figure 205

Pin/Unpin Entities

Collections are simply visual elements -- if an entity is of specific interest and it must not be grouped within the collection node, one can press on the pin icon of that entity, either on the graph's collection component (as in the image below) or in the Detail View list. Having multiple entities selected and then clicking on the pin icon will pin all selected entities to the graph (uncollect from collection). Alternatively, all entities in a collection can be pinned to the graph by clicking the larger pin icon in the collection component heading (seen as a very faint overlay in the top-right corner of the image below).

Figure 206

By clicking on the pin icon with only the "Black Hat" entity selected, this isolates the entity from the collection node, essentially pinning the entity to the graph (see image below). Other rules for exclusion from a collection node are if the entity has attachments or notes. When dragging entities onto the graph, they are pinned by default.

If the orange pin icon of a pinned entity, such as the "Black Hat" entity below, is clicked to unpin the entity from the graph, the entity becomes available to be collected, and will only be collected should it satisfy the criteria outlined in the overview (top of page), and share relationships with (i.e. are 'similar' to) other entities of the same type. Typically, this will boil down to whether it is linked to (shares) common parent and child entities, although the rules can understandably become quite complex for heavily meshed graphs.

Figure 207

Exploring with the Detail View list

With collection nodes, there is the same functionality that has always been in Maltego. For instance, one can find entities on the graph containing certain word(s), whether they form part of a collection node or not, by using the Quick Find functionality on the Investigate tab of the ribbon.

Alternatively, when using the Detail View list with the "269" collection node selected, the "Black Hat" entity can be pinned to the graph from this listed view, which would uncollect it but keep it among the selected entities displayed in the list. The list entities can then further be filtered according to entities containing the word "black" in them as in the image below. As can be seen by the text inside the icon in the "Collected" column, the collection node now only contains 268 entities, and the pinned "Black Hat" entity is displayed as a normal (circle) entity.

Figure 208

While on the graph all 269 entities of the original collection node are still selected, the Detail View list only shows the 2 filtered entities. By clearing the filter textfield, all 269 entities will again be displayed within the list. Alternatively, by selecting the 2 list entities in the image above, and clicking on the Sync Selection to Graph button to the left of the filter textfield, the graph selection changes to only these 2 entities and will be displayed as in the image below.

Figure 209

Solid orange borders signify full selection (all entities within the visual element selected), while a dashed orange border (as for the "268" collection node above), signifies partial selection. The collection node heading in this case indicates that only 1 of the 268 entities within the collection node is selected. Since pinned entities (and other entities not in collection nodes) only represent a single entity, these entities can therefore never be in a state of partial selection.

Transforms can also be run within the Detail View list using the context menu (on either single or multiple entities). Simply select the entities in the Detail View list, right-click to invoke the context menu (see image below), and run transforms as usual.

Figure 210

Transforms – Tab

The Transform tab includes options for managing and configuring the transforms that are available in the Maltego client.

Figure 211: Transform tab

Transform Hub

Clicking the Transform Hub button will navigate to the Transform Hub page that shows all the different transform providers.

Figure 212: Transform hub

Maltego’s flexibility, when it comes to integrating external data, has resulted in many data vendors choosing to use Maltego as a data delivery platform for their users. The Transform Hub is built into each Maltego client and allows Maltego users to easily install transforms built by different data providers. The commercial Maltego client is shown in the image below:

Figure 213: Transform hub page

A Transform Hub Item

Each item on the transform hub is called a Transform hub Item and consists of the following:

Figure 214: Transform hub item

When the transform hub item is hovered over with your mouse, the item will change to show the following options if the item is installed:

Figure 215: Transform hub item – Hovered Over

Installing/Uninstalling a transform hub item

Installing

To install a new transform hub item simply click the Install button found when the mouse pointer is over the item:

Figure 216: Installing a new transform hub item

Then there will be an installation confirmation dialog:

Figure 217: Installation confirmation

Clicking Yes will lead to the installing wizard which will take a few seconds to install:

Figure 218: Transform hub installation wizard

Once the transform hub item is finished installing there will be an installation summary page that lists everything that was installed:

Figure 219: Transform hub installation summary

Note: It is not just transforms that are installed from a transform hub item. Any one or more of the items in the list below can be installed to the Maltego client when installing a new transform hub item.

  1. Transform

  2. Transform sets

  3. Entities

  4. Machines

  5. Icons

Once the installation is complete, the new transform hub item will be found in the context menu when running transforms and the hub item will be shown as installed on the transform hub:

Figure 220: Installed transform hub item

Figure 221: Context menu showing the newly installed transform hub item

Settings

Some of the transform hub items will have a Settings button when the item is hovered over:

Figure 222: Transform Hub Item Settings

Clicking the Settings button will open the Transform Seed Settings window that is used to set global settings that will be used for all transforms in the hub item. These settings are often used for commercial transform hub items to manage API keys.

Figure 223: Transform Seed Settings

Uninstalling
Uninstalling transforms from the transform hub can be done simply by clicking the Uninstall button on the hub item:

Figure 224: Uninstall transform hub item

Note: Entities that are added from a transform hub item will not be deleted when the transform hub item is uninstalled. This is because transform hub items often use some of the same entities.

Updating/Refreshing the Transform Hub

In the top left-hand corner of the transform hub there are two buttons:

Manually Adding a Transform hub item

To manually add a new transform hub item to a Maltego client click the plus (+) button in the top left-hand corner of the transform hub.

Figure 225: Manually adding a new transform seed

After clicking the plus (+) button, the Add Transform Seed window will open as shown below. The transform seed URL and other meta details for the transform seed can be added as shown in the image below:

After clicking OK, the transform seed will appear as a new transform hub item in the transform hub:

Figure 226: Manually added transform seed

Clicking Install will add the transforms to the Maltego client.

Manage Transforms

Figure 227: Manage transforms button

Transform Manager is a tool located within Maltego to help with the addition of transform application servers (TAS) as well as the configuration of transforms from those servers and sets (groupings of transforms).

Clicking the Manage Transforms button will open the Transform Manager window, which is split between three tabs, namely All Transforms, Transform Servers and Transform Sets.

All Transforms

Figure 228: All transforms tab in the transform manager

Transforms can be edited from the default Transform Manager window (see above). From this window, you can sort transforms by:

This window can also be searched via the control at the top right which will search the transform names column:

Figure 229: Search bar within the Transform Manager

With the default layout of the Transform Manager the following sections are also available:

Transform servers

Figure 230: Transform server tab in the Transform manager

The Transform Servers tab displays the servers that are available to you which you can easily turn on and off to set if they are used. This is useful when you have multiple servers and would prefer not to specify every time you run a transform which server it should be run on. You can also view transforms on specific servers by expanding each server with the (+) icon, as seen below:

Figure 231: Transform Servers – Expanded

Transform Sets

Figure 232: Transform sets in the transform manager

Sets are a way of grouping transforms that are commonly run together. With the default installation of Maltego you will notice various sets have been preconfigured for you, such as the Resolve to IP set which groups the transforms that convert DNSName, MX Record, NS Record and Website Entities to IP addresses. This has been done so that instead of having to select each individual entity type you can run a set of transforms on them.

Create a New Set

To create a new set simply select the New Set... button within the Set Manager and fill in the Set Name and a Description for the set (optional).

Figure : New Transform Set

Adding/Removing Transforms from Sets

To add or remove transforms from a set, start by selecting the set you wish to modify from the list of available sets within the right-hand pane and then drag the transform from the left-hand pane over it.

To add more than one transform to the set simply select multiple transforms by using either the shift or Ctrl modifiers and then drag the selection onto the set. Alternatively, you can simply select the transforms you wish to add, right-click on them and use the Add to Set-> context menu and select the set you wish to use.

To remove specific transforms from a set, select the transforms that you wish to remove within the selected set, right-click and select Remove from set.

Deleting Sets

To permanently delete a set, select the set from the right-hand pane, right-click on it and click Delete....

Figure 234: Delete set

You will then be given a dialog to confirm that you wish to delete the set:

Figure 235: Confirmation to delete the transform set

Selecting OK on this dialog will delete the set permanently.

Local Transforms

Figure : Local Transforms

Local transforms are pieces of code that run on the same machine as the client application. Details on writing your own local transforms can be found on Paterva’s developer portal. This section will only explain how local transforms can be added to the Maltego client.

Clicking the Local Transform button will open the Local Transform Wizard. The first screen of the wizard describes the Meta information as well as the Input entity type and Transform set.

An example of this screen populated is as follows:

Figure 237: Local Transform wizard - Configure details

The setup for Maltego is slightly more involved and you will be required to know the Command to execute, the Script name / Parameters and the Working Directory:

An example of these fields populated is as follows:

Figure 238: Local transform Wizard - command line details

Clicking finish will complete the wizard and add your local transform to the Maltego client.

From here you can simply drag in the entity you initially selected when adding the transform (in this example it is an Alias). There will now be a Local Transform item in the top level of the transform hub:

Figure 239: Local transform item in the context menu

Clicking Local Transforms in the context menu will show the local transform that was just added to the Maltego client:

Figure 240: Local transform in the context menu
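
What the Command and Parameters fields end up running, shown as an added example that is not from this guide or from Paterva: a small Python local transform for the Alias input used above, written to treat its arguments as untrusted because entity values on a graph often originate from remote data. It assumes the local transform convention in which the client passes the entity value as the first argument and the entity fields as `name=value#name=value` in the second, then reads a MaltegoMessage XML document from standard output; the script name, the allowlist pattern and the Phrase output are illustrative choices.

```python
#!/usr/bin/env python3
"""Added example of a local transform: Alias in, Phrase out (hypothetical alias_to_phrase.py)."""
import re
import sys
import xml.etree.ElementTree as ET

# Assumed allowlist for alias values; adjust it to the data you actually handle.
ALIAS_RE = re.compile(r"[A-Za-z0-9_.\- ]{1,64}")


def parse_fields(raw):
    """Parse 'name=value#name=value'; a backslash escapes '=', '#' and itself."""
    fields, name, buf, escaped = {}, None, [], False
    for ch in raw:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and name is None:
            name, buf = "".join(buf), []
        elif ch == "#":
            if name:
                fields[name] = "".join(buf)
            name, buf = None, []
        else:
            buf.append(ch)
    if name:
        fields[name] = "".join(buf)
    return fields


def build_response(entities, messages=()):
    """Serialise entities and UI messages; ElementTree escapes all text for us."""
    root = ET.Element("MaltegoMessage")
    resp = ET.SubElement(root, "MaltegoTransformResponseMessage")
    ents = ET.SubElement(resp, "Entities")
    for etype, value in entities:
        ent = ET.SubElement(ents, "Entity", Type=etype)
        ET.SubElement(ent, "Value").text = value
    ui = ET.SubElement(resp, "UIMessages")
    for mtype, text in messages:
        ET.SubElement(ui, "UIMessage", MessageType=mtype).text = text
    return ET.tostring(root, encoding="unicode")


def run(argv):
    """Return the XML response for one invocation by the Maltego client."""
    if len(argv) < 2:
        return build_response([], [("FatalError", "No entity value was passed")])
    value = argv[1]
    fields = parse_fields(argv[2]) if len(argv) > 2 else {}
    # Reject anything outside the allowlist instead of trying to clean it up,
    # and never hand the value to a shell or build a file path from it.
    if not ALIAS_RE.fullmatch(value):
        return build_response(
            [], [("PartialError", "Input rejected: value is not a plain alias")]
        )
    normalised = " ".join(value.lower().split())
    return build_response(
        [("maltego.Phrase", normalised)],
        [("Inform", "Received %d entity field(s)" % len(fields))],
    )


if __name__ == "__main__":
    sys.stdout.write(run(sys.argv))
```

In the wizard, the Command would be the Python interpreter, the Parameters the script file name, and the Working Directory the folder that holds the script.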

Managed Services

Figure 241: Manage services

Some transforms use public APIs to get their results. These public APIs sometimes have strict rate limits to prevent abuse. Signing in to these services with your own account allows for the rate limits to be applied per user instead of having the same rate limits shared between everyone using these transforms. Some of the transform hub members also use Managed Services to control access to their transforms instead of using API keys.

By default, the Maltego client comes with a single managed service for using the Twitter transforms. To use any of the standard Twitter transform you will need to sign into a Twitter account.

Clicking the Managed Services button will open the Service Manager window:

Figure 242: Managed services window

The steps below can be taken to sign into a new managed service. In this example, Twitter will be signed into:

  1. Click on one of the Sign In buttons.

  2. A page will open in your default browser:

Figure 243: Authorize Maltego to Use your Twitter Account

  3. Sign into the account with your details. If your default web browser is already signed in, you will just need to authorize the Maltego application.

  4. After successfully signing in you will be shown the following image in your web browser and you can close the browser tab and go back to the Maltego client:

Figure 244: Successfully Authorized

The managed service will now be shown as signed in:

Figure 245: Managed Services Now Signed-In

Note: In Maltego, the managed services use a standard protocol named OAuth, in which Maltego never receives or stores your user account details. The Maltego client will receive a temporary access token from the service that is used to make requests on behalf of the user.

Run View

Figure 246: Button to Open the Run View

Clicking the Run View button will simply open the Run View window if it wasn’t already open in the Maltego client.

Machines – Tab

In Maltego, a machine is a script/macro that runs multiple transforms with different types of filters. Machines are useful for completing common tasks such as forward footprints of domains.

Figure 247: The Machines tab

Maltego has a custom scripting language that can be used to create new machines. Custom machine creation is covered in Paterva’s developer portal.

Run Machine

Figure : Run Machine Button

Clicking Run Machine will open the Start a Machine window which can assist in running your first machine.

Figure 249: Start a machine

The first step to start a machine is to select the machine you would like to run from the list of machines that are available in your Maltego client.

By default, Show on startup and Show on empty graph click will be checked. This means that in these two conditions the Start a Machine window will open automatically. These can be switched off by unchecking these options.

Clicking Next will take you to the next page where you can input the start parameter.

Machines require a start parameter, from which subsequent transforms can be run. For example, the Footprint L2 machine requires a target domain as the input entity.

Figure 250: Start a machine - select a target

Clicking Finish will start the machine on the target that was specified. The Machines window will open and provide details on the status of the machine that is running; it is described in the next section.

Machine window

The image below provides labels for each feature in the Machines window:

Figure 251: Machine window

Machine User Filters

Some of the machines that come with Maltego include User Filters that allow you to choose which entities you want to continue in the machine’s pipeline. This is important as it allows you to specify what is relevant and what is not, and prevents the machine from gathering information on entities that are irrelevant to the current investigation.

In the case of the Footprint L2 machine, a user filter will pop up to ask you if you want the machine to look for additional domains that use the same MX and NS records as the target domain:

Figure 252: User filter

Here it seems that paterva.com uses Google for their MX records and Linode for their NS records. If you were investigating paterva.com you would not want the machine to look for domains that use these records, as it would return thousands of unrelated results for companies and organizations that use Google for their mail servers and Linode for their name servers. So, in this case, you should deselect these entities in your filter window and click the Next> button, and the machine will continue running.

User Filter Window – In Detail

In the case of Footprint L2, after clicking Next> the machine will pause again to display the User Filter window for paterva.com’s MX records as shown in the image below:

Figure 253: User Filter Fields

After making selections for each of the user filters, the machine will continue to run all its transforms excluding the entities deselected in the user filter. When the machine is complete there will be a chime sound made by the Maltego client to indicate that the machine is complete.

Figure 254: Graph after machine is complete

In Maltego there is also such a thing as a perpetual machine. A perpetual machine can be configured to run every x seconds and is useful for monitoring data that changes regularly. When a perpetual machine finishes running, a countdown timer will appear in the Machines window that will count down until it is time for the machine to run again.

Figure 255: Perpetual machine counter

Stop all Machines

Figure 256: Stop All Machines Button

Clicking the Stop all Machines button will stop all the machines that are currently running in your Maltego client. This is useful when you have multiple machines running in different tabs in your client and want to stop them all at once.

New Machine

Figure 257: New Machine Button

Clicking the New Machine button will open the new machine wizard that guides you through the process of creating a new machine. Creating a new machine is out of the scope of this document; more information on building custom machines can be found on our developer portal.

Manage Machines

Figure 258: Manage Machines Button

Clicking Manage Machines will open the Machine Manager window which lists all the machines that are currently in the Maltego client. The image below provides labels for all buttons in the Machine Manager:

Figure 259: Machine manager

The list in the Machine Manager can be sorted by the following fields:

If you want to edit one of the transforms that have been installed from a transform hub item, you can clone the transform and then edit the clone as the original is read-only.

Machines Window

The Machines Window button will simply open the machine window in the Maltego client if it is not already open.

Figure 260: Machines Window Button

Collaboration – Tab

Collaboration in Maltego provides the ability to share graphs and have multiple users work on a graph at the same time.

Figure 261: collaboration tab

Share Current Graph

Figure 262: Share Current Graph Button

Clicking Share Current Graph will open the Graph sharing window which consists of three tabs for setting up your shared graph sessions, namely: Session, Server and Encryption.

Session - Tab

Figure 263: Graph sharing window – Session tab

From the Session tab, you can configure your shared graph sessions:

Server - Tab

Figure 264: Session tab

Under the Server tab you will be able to configure the server that you wish to use for your shared graph session. There are three options:

  1. Paterva (Public) – Using Paterva’s public communication server is the easiest way to start a shared graph session in Maltego. All graph traffic will travel over a server owned by Paterva on the Internet. All graph traffic is encrypted (end-to-end) with the security key that was chosen in the previous step. The Maltego clients also communicate with the graph server over HTTPS.

  2. Paterva (Private) – Paterva sells copies of the communication server to customers, allowing it to be hosted internally. This private communications server is almost an exact copy of the one that is hosted by Paterva. You will need to enter the IP address or hostname of the communications server on your network.

  3. Other – It is also possible to run a shared graph session on your own Jabber (XMPP) server. Details on configuring your own XMPP server are beyond the scope of this user guide.

Encryption - Tab

Figure 265: Encryption tab

By default, packets transferred during a shared graph session are encrypted end-to-end with 128-bit AES. To use 256-bit AES encryption, JCE Unlimited Strength Jurisdiction needs to be installed on the machine running the Maltego client. JCE Unlimited Strength Jurisdiction can be downloaded from the links found in the client.

Starting a Shared Graph Session

To start a new shared graph session, navigate back to the Session tab and click Connect. The Maltego client will establish a connection to the communication server and then open the graph window. If a shared graph with the same session name already exists on the communications server that you are using and you enter the correct security key, then the Maltego client will join the existing shared graph session. If a shared graph with the same session name does not exist, then a new one will be created with the security key that was specified.

When you are in a shared graph session there are a few things that you will notice. On the graph title tab, shared graphs will always have their name written in aqua color. Additionally, YOUR_ALIAS@SESSION_NAME will be written in the graph’s title:

Figure 266

Two new windows will also be opened.

Collaboration Session Window

The Collaboration Session window will list all the users that are currently in the shared graph session as well as their status and the version of Maltego that they are running. Additionally, the collaboration window will list meta information about the graph session.

Figure 267: Collaboration window

Shared graph sessions are cross-platform, which means Maltego XL, Maltego Classic, Maltego CE and CaseFile can all join the same shared graph. However, graph size limitations in the different clients will still apply when in a shared graph.

Chat – Window

The Chat window will also open when a shared graph is created. It is found at the bottom of the Maltego client window, tabbed next to the transform output. This Chat window allows users on the graph to communicate and provides status updates about what is happening on the graph.

Figure 268: Chat window

Each different type of message in the chat window has a different color. Clicking the Message filter button will open a window where you can choose which message types you want to display in the Chat window. The image below shows the types of messages that can be filtered and the color that they correspond to in the chat window:

Figure 269: Filter message types

The next button in the Chat window is used to send the graph selection link as a chat message. This will create a message with a hyperlink to the entities selected on your graph. Any user that clicks the hyperlink will zoom to the relevant entities.

Messages can also be typed and sent from the bottom input bar in the Chat window.

Collaboration – Additional Things to Note

The following few sub-sections cover additional important things to know about when working with shared graphs in Maltego.

Entity attribution

Figure 270: Entity added by Roelof

In all shared graph sessions, each entity added to the graph will have the name of the user who added it shown on the graph above the entity icon as seen in the image above.

User Permissions with Shared Graphs

When in a shared graph session, it is important to note that every user in the graph has complete control to read/write to the graph. Be careful who you give the security key to for the graph.

Shared Graph Layout

If a single user changes the layout of a graph, then the layout will change for every user that is in the graph. However, when a user changes their view, it will only change for the person who made the change.

Graph Existence

The communication for the shared graph session is managed with an XMPP server. None of the data for the graph is ever stored on the server; the data is stored on each client that is in the shared graph session. The graph will be available as long as there is at least one person with the graph open.

Work offline

Under the Collaboration tab there is a Work Offline button. Clicking it will disconnect you from the shared graph but keep a copy of the shared graph in an offline window. From this offline graph, you can reconnect to the shared graph by clicking the Reconnect button:

Figure 271: Reconnect button

Open collaboration Windows

The two buttons, Chat Window and Collaboration Window, will open the two respective windows in the client if they are not already open.

Show Usernames

The Show Usernames checkbox will allow the user to toggle between showing and not showing the username above entities that are added in a shared graph session.

Import/Export - Tab

Figure 272: Import/Export tab

The Import/Export tab provides ways to get data in and out of Maltego as well as backing up configuration files and importing new ones.

Import Graph from Table

Figure 273: Import graph from table

Overview

Clicking Import Graph from Table will open a wizard that allows you to import a graph from a table-structured format. The basic steps involve selecting an input file, mapping columns of the input file to entities and creating links between entities. The information that defines a mapping is known as a mapping configuration, and the wizard allows you to save and load existing mapping configurations.

Select a file

First choose whether you want to create a new mapping configuration or load a saved one. By default, the most recent saved mapping configuration will be chosen.

Clicking the Manage button will bring up the Mapping Manager window which shows a table of all the currently saved mapping configurations. Mapping configurations are persisted according to their name which must be unique. The name and description of a saved mapping configuration can be edited by clicking the edit icon (black arrow below). Mappings can also be deleted by clicking the corresponding delete icon (red arrow below).

After choosing a new or existing mapping configuration, choose the file to be imported and click on Next>.

Note: When loading a saved mapping configuration, Maltego will alert you if the selected mapping is not compatible with the data-file selected.

Mapping Configuration

In this step the user is presented with three tabs which separate mapping configuration creation into three logical processes. At least one entity needs to be defined in the Map Columns to Entities tab, and for two or more defined entities you can then optionally create and edit links between them (Connectivity tab) and/or assign link properties to input file columns (Map Columns to Links tab).

Note: If a saved mapping configuration was chosen in the Select File step, the entities, links and column mappings will be pre-configured for this step.

Map Columns to Entities tab

Entity mapping is performed by completing three steps for each entity that will be mapped. First, one or more ‘unmapped’ columns must be selected, then the entity to which the selected columns are mapped must be selected from the Map to list.

Tip: To add or remove a column from the selected entity hold down Ctrl and click on the column.

Once an entity has been chosen, the property to which each column maps can be edited in step 3.

Steps 1 to 3 are repeated for each entity that should be mapped.

Connectivity tab

Maltego will automatically generate links between newly mapped entities in the Map Columns to Entities tab. These can be viewed and deleted or additional links can be created in the Connectivity tab to customize the connectivity of the entities that will be created. Multiple links can be selected by holding down Ctrl or Alt and dragging the mouse across the graph to create a selection box.

Figure 274: Connectivity tab

The steps for mapping columns to links are the same as the steps for mapping columns to entities, the only difference being that the Map to combo box will present the list of links (created in the Connectivity tab) as opposed to entities.

Settings

After the mapping configuration has been defined, the wizard presents a Settings screen where various tabular import settings can be set, such as sampling, empty values, graph size and link merging. If a current graph exists, you will have the option to merge the imported graph with it. You are also given the option to save the mapping configuration (checked by default) with a default name and description. Mapping configurations are saved with a non-empty, unique name. If the entered name is not unique, the existing mapping configuration will be overwritten, but a warning will be shown first.

If you choose not to save the mapping configuration, Maltego will save it automatically as Auto-saved mapping — overwriting the existing auto-saved mapping configuration if it exists.

Note: When the Auto-saved mapping is loaded in the Select File step, the default name will be blank forcing you to define a more descriptive name.

Import

If the import has failed, the wizard will inform you and give as much information as possible about the problem. If the import completed successfully, a summary of the import result is presented, which includes the name under which the mapping configuration has been saved.

Figure 275: Import complete
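The import steps above can be modelled in a few lines, which is useful for previewing what a table will produce before loading it into a graph. This is an added sketch, not Maltego's own code: the mapping layout, the function names and the handling of empty cells are assumptions, and the sample table is constructed.

```python
import csv
import io

# Constructed sample table (reserved example domains and documentation IPs).
SAMPLE_CSV = """domain,ip,first_seen
example.com,192.0.2.10,2017-01-04
example.com,192.0.2.10,2017-02-11
example.org,192.0.2.10,2017-01-09
example.net,,2017-03-02
"""

# Hypothetical mapping configuration (this layout is an assumption, not
# Maltego's saved format): columns -> entity types, entity pairs to link,
# and columns that become link properties.
MAPPING = {
    "entities": {"domain": "maltego.Domain", "ip": "maltego.IPv4Address"},
    "links": [("domain", "ip")],
    "link_properties": {("domain", "ip"): {"label": "first_seen"}},
}


def missing_columns(mapping, header):
    """Columns the mapping needs that the data file does not provide."""
    needed = set(mapping["entities"])
    for props in mapping["link_properties"].values():
        needed.update(props.values())
    return sorted(needed - set(header))


def import_table(text, mapping, merge_links=True):
    """Turn table rows into de-duplicated entities and (optionally merged) links."""
    reader = csv.DictReader(io.StringIO(text))
    missing = missing_columns(mapping, reader.fieldnames or [])
    if missing:
        raise ValueError("mapping is not compatible with this file: %s" % missing)

    entities = {}   # (entity type, value) -> number of rows that produced it
    links = []      # each link: {"source": key, "target": key, "properties": {}}
    merged_at = {}  # (source key, target key) -> index of the merged link

    for row in reader:
        in_row = {}
        for column, entity_type in mapping["entities"].items():
            value = (row.get(column) or "").strip()
            if not value:
                continue  # assumption: an empty cell creates no entity
            key = (entity_type, value)
            entities[key] = entities.get(key, 0) + 1
            in_row[column] = key

        for src_col, dst_col in mapping["links"]:
            if src_col not in in_row or dst_col not in in_row:
                continue  # one end was empty, so there is nothing to link
            pair = (in_row[src_col], in_row[dst_col])
            wanted = mapping["link_properties"].get((src_col, dst_col), {})
            props = {name: (row.get(col) or "") for name, col in wanted.items()}
            if merge_links and pair in merged_at:
                # Same two entities again: fold the values into one link.
                existing = links[merged_at[pair]]["properties"]
                for name, val in props.items():
                    existing[name] = "; ".join(
                        v for v in (existing.get(name), val) if v)
                continue
            merged_at[pair] = len(links)
            links.append({"source": pair[0], "target": pair[1],
                          "properties": props})
    return entities, links
```

With the sample table, the four rows yield four entities and two links when link merging is on, and three links when it is off.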

Tabular Mappings

Figure 276: Mappings – Tabular Import Button

Clicking the Mappings – Tabular Import button will bring up the Mapping Manager window which shows a table of all the currently saved mapping configurations. The name and description of a saved mapping configuration can be edited by clicking the edit icon (black arrow below). Mappings can also be deleted by clicking the corresponding delete icon (red arrow below).

Export Graph to Table

Figure 277: Export Graph to Table Button

The Export Graph to Table option allows you to export your graph into a tabular format. Clicking the Export Graph to Table button will open the Graph Export Wizard:

Figure 278: Graph export wizard - Step 1

The first step of the graph export wizard is to decide whether to export the whole graph or to just export the selected portion of the graph. There is also the option to choose to remove duplicate rows. A duplicate row would occur when there are 2 links that connect the same two entities.

Clicking Next> will lead to the second step in the wizard where the filename and file type can be chosen for the export:

Figure 279: Graph export wizard - Step 2

From the Files of Type field the file type for the table can be chosen from CSV, XLS or XLSX.

Figure 280: Export table file types

Clicking Next> will export your graph to the chosen format. Once the export is complete there will be a summary page that shows everything that was exported to the tabular file:

Figure 281: Export graph to table – Summary

Export Graph as Image

Figure 282: Export Graph as Image Button

As the name suggests, Export Graph as Image will export a Maltego graph to an image format. Clicking the Export Graph as Image button will open the following window:

Figure 283: Export graph as image

The file type can be chosen from the File of Type dropdown field. Image file types can be chosen from png, jpeg, bmp.

Figure 284: Image file types

The image scale can also be chosen as a number between 100% and 500% from the Scale image dropdown field.

Figure 285: Export image scale

The higher this number is, the higher the resolution of the exported image will be. Keep in mind that with large graphs a high image scale can result in very large image files.

Once these options have been chosen, clicking the save button will save a copy of your graph to the selected image format.

Generate Report

Figure 286: Generate Report Button

The Generate Report button in Maltego creates a PDF report that contains all information about the current graph in a single document. As Maltego reports contain all information about your graph, they can end up being very long (e.g. a 30-entity graph can easily generate a 20-page report).

Clicking Generate Report will open a save dialog where the filename and location can be provided:

Figure 287: Save Maltego report dialog window

In a Maltego report the following will be included:

  1. Image of the full graph

  2. Top 10 Entities – lists of entities ranked by the following features:

    1. Ranked by Incoming Links

    2. Ranked by Outgoing Links

    3. Ranked by Total Links

  3. Entities by Type - lists of entities categorized by their type.

  4. Entity details – lists each entity and includes all the information from the property view and detail view. The image below shows an example of one item from the Entity detail list:

Figure 288: Entity detail from a Maltego Report

Export Config

Figure : Export Config Button

All custom configurations of a Maltego client can be exported to, and imported from, a configuration file. This file can be used to back up your configurations when re-installing your Maltego client, or to share your Maltego configurations with other users.

When exporting custom configurations, the following can be exported:

Clicking the Export Config button will open the Export Wizard. To complete the Export Wizard, similar steps to Export Entities can be taken. The only difference is that in the second step of the wizard all the items listed above can be chosen for the export:

Figure 290: Choose configurations to be exported

Import Config

Figure : Import Config Button

All configurations listed in the Export Config section can be imported into a Maltego client from a .mtz file. Steps similar to those described in the Import Entities section can be followed to import a Maltego configuration file.

Windows - Tab

Under the main client ribbon the Windows tab is found on the far right. The Windows tab is used to open windows that are found in Maltego’s user interface. This section will describe what each button does under the Windows tab.

Figure 292: Windows tab

Window buttons

Each window that is open will have two buttons in the top right-hand corner:

Figure 293: Window taskbar buttons

The options available are to minimise the window (>>) or to close it completely (X). Once a window has been minimised it remains available as a tab at the side of the Maltego client.

Figure 294: Minimized windows

Each minimized window has a single button to maximize the window again.

While the window is still minimized, if you hover over one of the window tabs, the window will open as seen below. The window will minimize again when you move the mouse away from the window.

Clicking on the window tab will open the window until it is de-selected again by clicking elsewhere in the Maltego client.

Figure 295: Hovering over minimized window

The solid dot button in the top left-hand corner of the window will pin the window back into place so that it stays there permanently.

The windows can also be dragged around to snap into place in different configurations. It is up to you to decide how you want to set up your working area, depending of course on the amount of screen real estate available.

Windows quick actions

The windows quick actions allow you to perform three useful tasks:

  1. Close All Graphs - This will close all the graphs that are currently open. Maltego will first ask if you want to save each of the graphs before they are closed.

  2. Close Other Graphs - This option will close all the other graphs that are open except for the one that is currently being viewed. Maltego will first ask if you want to save any of the other graphs before they are closed.

  3. Reset Windows – The reset windows button will reset all the windows in Maltego client to default as they were when the tool was first installed. Resetting Windows will require a restart of the Maltego client.

Maltego windows

When starting a new graph, there are six default windows that will open that are used when creating and viewing Maltego graphs. The six windows are highlighted in the image below:

Figure 296: Window layout

Additionally, there are another five windows used for other specific tasks. Each of these windows will be explained in the upcoming sections.

Overview

The Overview window will be open by default when you start a new graph. If the Overview window is closed, it can be re-opened with the button in the image below:

Figure 297: Overview window button

By default, the Overview window is found in the top left-hand corner of the Maltego client. It shows the current viewport on the graph in relation to the entire graph. The Overview window can also be used to pan your graph as discussed previously.

Figure 298: Overview window

Detail View

The Detail View window will be open by default when you start a new graph. If the Detail View window is closed, it can be re-opened with the button in the image below:

Figure 299: Detail View window button

The Detail View contains information about the entity that cannot be displayed in the main graph window. These are things that the transform author wants you to see about the entity. As the mouse is moved over entities, both the entity Property View and Detail View are updated. Some transforms will return additional fields in the Property View depending on what the entity type is. Once the transform has returned an entity it is not possible to manually edit the information in the Detail View.

Figure 300: Entity detail view

The Detail View when Multiple Entities are Selected

When more than one entity is selected, the Detail View will change to a multi-column item list, as shown below. This gives you a lot more flexibility in terms of selection:

Figure 301: Detail View with multiple entities selected

Searching the detail view

You can now search for entities in the text area and press Enter to see which nodes match. The selection on the graph will remain the same at this stage:

Figure 302: Searching your Detail View

After selecting entities from the entity list the Sync Selection to Graph button will be enabled. This button is found on the left-hand side of the search input field. You can now select nodes within the list (i.e. Ctrl + A for all, Shift selects ranges and Ctrl to select entities one by one) and when the sync button is pressed the selected entities on the graph will update according to the selection from the Detail View:

Figure 303: Sync entity selecting to the graph

Other buttons in the Detail View

Pressing the plus (+) button in the left-hand side column will show that specific entity’s Detail View, as shown below:

Figure 304: Detail view of specific entity from list.

Right-clicking in the Detail View or clicking the Back To List button will navigate back to the entity list that includes all entities in your graph selection.

Running transforms from Detail View

The context menu is also available from the Detail View when more than one entity is selected. This is useful as you can filter and sort entities and then run transforms or perform actions on them from the context menu:

Figure 305: Opening the context menu from the detail view

Entity list columns

The entity list in the Detail View can be sorted according to the different columns of the list. From left-to-right the columns of the list are:

  1. The entity type which is represented in each item on the list as the entity icon.

  2. The entity’s value.

  3. The bookmark color of the entity.

  4. Whether the entity is pinned to the graph (meaning it will never join a collection node).

  5. Number of nodes in the entity’s collection.

  6. Number of incoming links.

  7. Number of outgoing links.

  8. Entity’s weighting.

Property View window

By default, the Property View in Maltego can be found in the bottom right-hand corner of your Maltego client. The properties of an entity are used by transforms and are passed along with the entity’s value to the transform. Detail View information is not passed to the transform. Unlike the Detail View, information in the Property View can be edited by the user after the information has been returned from a transform.

The Property View of an entity is in three sections, namely the Properties, the Dynamic Properties and the Graph Info.

Properties

Under the Properties heading you will find the default properties for an entity. These properties are inherent to the entity type and will be included when a new entity is manually added to your graph from the Entity Palette.

Dynamic Properties

Dynamic Properties of an entity are properties that are added to the entity by the transform that returns the entity. These properties are specific to the transform that created the entity and will not appear in a new entity that is added from the Entity Palette.

Graph Info

The Graph Info includes meta information about the entity that you currently have selected.

The image below shows the entity properties of a netblock:

Figure 306: Netblock properties

Editing properties

Clicking on an entity property’s value will allow you to edit the text. Some properties contain long values and it is easier to edit them by opening a text editing window. This can be done by clicking the ellipsis button next to the property value. This will open the window shown in the image below where the property value can be edited:

Figure 307: Editing entity property

Entity palette

The Entity Palette lists entities that are available to be used in the Maltego client. The entity categories can be expanded and collapsed using the (+) and (-) buttons next to the category name.

Figure 308: Entity palette

As more transform hub items are installed to the Maltego client from the transform hub more entities will be added to the Maltego client. By pressing Ctrl + F while the focus is on the Entity Palette, a search field will open that allows entity types to be searched:

Figure 309: Search through entity types

When you right-click on the palette, options to customize the display will be provided as shown below:

Figure 310: Options to customize palette

Right-clicking on an entity category will provide a different set of options that will apply to all the entities in the category:

Figure 311: Options for a category in the entity palette

Transform output

The Transform Output window displays information that is returned from a transform server when a transform is run. It displays messages about which transform has run, the number of results returned from a transform, transform warnings as well as error information if something goes wrong. The image below labels the elements of the Transform Output window:

Figure 312: Transform output

In the Transform Output window, the button in the top left-hand corner allows you to filter the different types of messages that are included in the Transform Output. Clicking on the filter button opens the window, shown below, that allows you to select the types of messages you wish to see in the Transform Output.

Figure 313: Filter transform output messages

The button under the filter button can be used to clear all messages from the Transform Output to start with a fresh output window.

Each message that is returned in the Transform Output also includes a link to the entity that caused the message to display. Clicking the link in the Transform Output will zoom to and select this entity on your graph.

Right-clicking in the transform output provides additional actions that can be performed on the text in the Transform Output.

Figure 314: Right-clicking in the transform output

The following can be performed from the Transform Output window context menu:

Figure 315: Searching the transform output window

Figure 316: Filter transform messages

Machine Window

The Machine window provides status information about a machine that is currently running. The features of this window are described in the machines section.

Run view

Beneath the Entity Palette is the Run View which allows you to run transforms and machines. Running a transform from the Run View is the same process as running one from the context menu and it will not be repeated here.

Expanding the Machines heading (+) shows all the machines that are available to run on the current entity selection on the graph.

Figure 317: Machines in the Run view

Each of the line items displays the machine’s name and the start of its description. Hovering over the machine name will display the full description for the machine. On the right-hand side of each item there are three icons. The star icon will add the machine to the favorites category, making it easier to find this machine in the future. Clicking the configure icon will open a window with the script that makes up the machine. Finally, clicking the single arrow icon (>) will start running the machine.

Chat Window

The Chat window is used in shared graph sessions to communicate with other users on the same graph. The chat window is described in the Collaboration section.

Collaboration Window

The Collaboration window is used in shared graph sessions and shows who is currently on the graph as well as other meta info about the shared graph. The window is described in the Collaboration section of this document.

Hub Transform Inputs

Hub Transform Inputs are transform settings that can be applied to different transforms from a transform hub item but only need to be set once. The Hub Transform Inputs window is used to manage these transform settings:

Figure 318: Hub Transform Inputs Window

Application Menu

Button and Shortcuts

Figure 319: Application shortcut buttons

The button in the top-left corner of the Maltego client is called the Application Button (sometimes also called the Globe Icon) and opens the Application Menu. The Application Menu will be described in the upcoming sections.

The buttons to the right of the Application Button are application shortcut buttons and are labelled in the image above. The Undo and Redo buttons both include dropdown menus; clicking the dropdown will show a list of graph actions that can either be undone or redone depending on which dropdown was selected:

Figure 320: Undoing graph actions

Hovering over an action will also select all actions before it.

The Start a Machine button also includes a dropdown menu which shows a list of all the machines that are available in the Maltego client when clicked:

Figure 321: Machines dropdown menu

Clicking any one of the machines from the list will open a dialog where the machine target can be entered, after which the machine will run.

The downward facing arrow beneath the new graph button is used to minimize the main ribbon. Doing this results in a main ribbon that looks like the following image:

Figure 322: Minimize the main ribbon

When minimized, clicking each of the tabs in the ribbon will temporarily open the ribbon on the clicked tab until you click away, allowing you to free up screen real estate when dealing with large graphs.

Clicking the rightward facing arrow will maximize the main ribbon again so that it is always shown.

The Maltego Application Button provides access to the following standard functionality:

Maltego can Open and Save graphs that are saved with an mtgl extension. Graphs that are created in Maltego 3 are saved with an mtgx file extension and can also be opened in Maltego 4.

Note: Maltego is backwards compatible. Graphs with an mtgl file extension cannot be opened in Maltego 3; however, Maltego 4 has the option to save as both mtgl and mtgx.

Opening the Application Menu provides the options shown in the image below:

Figure 323: Application Menu dropdown

On the right side of the Application Menu dropdown, recently opened Maltego graphs will be listed. These graphs can quickly be opened by clicking on them.

Import

Figure 324: Import options

Under the Import section of the Application Menu, various import options are listed for importing data into Maltego. These options will not be covered here as they are already covered in the Import section.

Export

Figure 325: Export options

Under the Export section of the Application Menu, various export options are listed for getting data out of the Maltego client. These options will not be covered here as they are already covered in the Export section.

Printing

The Application Button menu also gives you the option to Print or Preview the Current Graph.

Figure 326: Print option in the application menu

Clicking Print Preview Current Graph will open a Print Preview window (shown below) that also provides different printing options.

Figure 327: Print preview

Maltego can send the current graph (in whatever view or layout it is in) to a printer. You can print to a single page or to multiple pages. With multiple pages, you need to specify how many rows and how many columns of pages should be printed.

Figure 328: Print options

Tools

Figure 329: Tools

Home

Clicking the Home button will open the Maltego Start Page and the Transform Hub in a new tab.

Graph Meta

The Graph Meta button will open a new window that contains metadata for the graph. The Author field in the metadata for the current graph can be edited from this window:

Figure 330: Graph meta data

Metrics on the number of entities and links for any graph can always be found in the bottom right-hand corner of a graph:

Figure 331: Graph metrics

The first number is the number of entities on a graph, including all the entities found in collection nodes. The second number is the number of nodes on the graph; this counts a collection (with multiple entities) as a single node. The third number is the number of links on a graph, and the last number is the number of edges, where connections between collection nodes are counted as one edge.

Open Example Graph

Clicking Open Example Graph will open a small-sized example graph. This example graph is useful when a quick graph is needed for demonstration purposes:

Figure 332: Example graph

Find In Files

Find in Files allows you to search through multiple Maltego graphs at once that are stored on the client machine. The Find in Files function is explained in detail in the following section.

Activate Maltego

Clicking Activate Maltego will open a wizard that will display your Maltego client’s activation status. If the Maltego client is already active, then activation details are provided. If the Maltego client still needs to be activated, then the activation wizard can be followed to activate the client. The activation steps are outlined in the following section.

Check for Updates

Clicking Check for Updates will open a wizard that looks to see if new updates are available to be downloaded and installed. The update process is outlined in more detail in the following sections.

Factory Reset

Factory Reset will reset your Maltego client as if it were a fresh installation. This means that all custom Maltego configurations will be lost if a Factory Reset is performed on a Maltego client. Clicking the Factory Reset button will open a confirmation dialog to continue with the Maltego client Factory Reset:

Figure 333: Factory reset confirmation

More About Maltego

Figure 334: More about Maltego

The More about Maltego section of the Application Menu provides links to open the following web pages:

Clicking the last option in this section, About Maltego, will open a page that provides information about the current Maltego client installation and your system setup:

Figure 335: About Maltego

Options menu

In the bottom, right-hand corner of the Application dropdown menu, the Options button can be found:

Figure 336: The options button

Next to the Options button, there is also an Exit button which, when clicked, will close the Maltego application.

Clicking the Options button opens the main options menu where various settings for the Maltego client can be configured. The options menu is sorted into different tabs, each of which is explained in the following sub-sections.

General

Figure 337: General Options menu

The first tab in the Options menu is General options, where you can choose the default web browser for the Maltego client to use and set up a proxy.

Default web browser

By default, the Maltego client will use your system’s default web browser. Clicking the Web Browser dropdown field will show a list of web browsers that are installed on the system and allow you to choose a new web browser for Maltego to use.

Figure 338: Select default web browser for Maltego to use

Proxy settings

Proxies are often used within corporate networks as a method of controlling how clients within the network get out to the Internet. Maltego requires an Internet connection, so if you need to use it within your corporate network, use this option to set up the proxy.

There are three proxy options in Maltego described below:

Figure 339: Advanced Proxy Options

From the Advanced Proxy Options, you can choose to use the proxy specified for all protocols or specify different proxies for HTTPS and SOCKS. You can also add to the No Proxy Host list; the items in this list should be comma separated. Finally, from these options you can specify proxy authentication details if you are connecting to the Internet through an authenticated proxy.

Once proxy settings have been configured, the Test connection button can be clicked to check whether the Maltego client can connect to the Internet using the proxy details. If the Maltego client can make a connection to the Maltego servers, a tick mark will be returned as in the image below:

Figure 340: Connection successful

Java Options

The next tab in the Options menu is the Java Options.

Figure 341: Java Options

Any changes that are made to the Java Options will be applied the next time Maltego is run.

Clicking the Set Recommended Options button will detect which versions of Java are installed on the machine and set the most suitable one. It will also automatically allocate memory for Maltego to use depending on how much memory is available on the system.

Java Runtime

Details about the version of Java that is being used can be found under the Java Runtime section.

Figure 342: Java Runtime section

Clicking the dropdown menu for the Path field will list all the versions of Java that are detected on the system. If your installation of Java is not found in the list, Browse can be used to manually specify the path to Java’s home directory.

For Maltego 4, the recommended version of Java to use is the Oracle version of Java 1.8.

Memory

The last option that can be set from the Java Options tab is the maximum amount of memory that the Maltego client can use. Remember, Maltego loves memory so don’t be stingy.

Figure 343: Setting max memory usage

Collections

From the Collections tab, the rule ratio for collection nodes can be set. The default value for the ratio is 1.5:

Figure 344: Collection node options

In Maltego there are two main collection methods called neighbor rule and chain rule.

Neighbor rule - When node A links to B,C,D,E...Z then A->[B-Z] is collected in what's called the neighbor rule.

Figure: Neighbor Rule

Chain rule - If A->B, C->D, E->F....Y->Z then it results in two collections - call them [#]->[%] where [#] is A,C,E,G and [%] is B,D,F,H - that is the chain rule. In order for the chain rule to trigger you still need a common node at the top too - e.g. A->[#]->[%] - and everything in [#] needs to be the same entity type (same with [%]). They also need to have a 1:1 relationship - in other words each website needs to resolve to one IP address - e.g. they need to be connected in the same way.

Figure: Chain Rule

In tests we've noticed that we want to collect with the neighbor rule much earlier (e.g. at smaller numbers) than when we want to collect using the chain rule. In other words - you want to chain-rule-collect only if there are LOTS of pairs. The 'ratio' shows the relationship between those thresholds. For instance - if the ratio is 2 and the collection limit is set to 10 then neighbors will collect when it hits 10 nodes and chains (or pairs) will only collect when there are 20 nodes.
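A simplified model of the two rules and the ratio, added here as an illustration and not Maltego's own code. The edge-list representation, the function names and the choice to count the members of [#] (the pairs) against the chain threshold are assumptions; the sample graph is constructed.

```python
from collections import defaultdict


def _adjacency(edges):
    """Return plain dicts of outgoing and incoming neighbours per node."""
    out_links, in_links = defaultdict(set), defaultdict(set)
    for src, dst in edges:
        out_links[src].add(dst)
        in_links[dst].add(src)
    return dict(out_links), dict(in_links)


def neighbor_groups(edges, types):
    """A -> [B..Z]: leaf children of a single parent, grouped by entity type."""
    out_links, in_links = _adjacency(edges)
    groups = defaultdict(list)
    for parent, children in out_links.items():
        for child in sorted(children):
            if not out_links.get(child) and in_links.get(child) == {parent}:
                groups[(parent, types[child])].append(child)
    return dict(groups)


def chain_groups(edges, types):
    """A -> [#] -> [%]: children of A that each link 1:1 to their own leaf."""
    out_links, in_links = _adjacency(edges)
    groups = defaultdict(list)
    for top, children in out_links.items():
        for mid in sorted(children):
            targets = out_links.get(mid, set())
            if in_links.get(mid) != {top} or len(targets) != 1:
                continue  # not a simple one-in, one-out member of [#]
            (leaf,) = targets
            if in_links.get(leaf) == {mid} and not out_links.get(leaf):
                groups[(top, types[mid], types[leaf])].append((mid, leaf))
    return dict(groups)


def plan_collections(edges, types, limit, ratio=1.5):
    """Return the neighbor groups and chain groups large enough to collect."""
    chain_limit = limit * ratio  # chains need 'ratio' times as many members
    neighbors = {k: v for k, v in neighbor_groups(edges, types).items()
                 if len(v) >= limit}
    chains = {k: v for k, v in chain_groups(edges, types).items()
              if len(v) >= chain_limit}
    return neighbors, chains


def build_sample(n_leaves, n_pairs):
    """Constructed graph: one domain with leaf DNS names, one with site->IP pairs."""
    types = {"example.com": "maltego.Domain", "example.org": "maltego.Domain"}
    edges = []
    for i in range(n_leaves):
        name = "host%d.example.com" % i
        types[name] = "maltego.DNSName"
        edges.append(("example.com", name))
    for i in range(n_pairs):
        site, ip = "www%d.example.org" % i, "192.0.2.%d" % (i + 1)
        types[site], types[ip] = "maltego.Website", "maltego.IPv4Address"
        edges += [("example.org", site), (site, ip)]
    return edges, types
```

With a collection limit of 10 and a ratio of 2, twelve leaf neighbors collect while twelve website-to-IP pairs do not; the pairs start collecting at 20.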

Files

From the Files tab, you can choose whether images from a graph are saved with the Maltego graph file. Leaving this option checked enhances offline support and bandwidth usage at the cost of increased file size.

Figure 345: File options

Audio

The Maltego client makes various sounds when different events happen on a graph to notify you. These sounds can be disabled from the Audio tab in the options menu:

Figure 346: Audio options

Discovery

From the Discovery options, you can choose what happens when an entity type is installed that already exists in the Maltego client. You can also choose what happens when an icon that matches an existing icon is installed. The image below shows the different options that are available to choose from (the default settings are shown):

Figure 347: Discovery options tab

Transforms

From the Transforms tab in the options menu you can choose whether links between the same two entities that are created from the same transform should merge or not. The default setting is to have the links merge. You can also choose the timeout for transforms. The default value for this setting is 2 minutes, and the value is given in milliseconds. This means that if a transform does not provide a result within two minutes, the transform will fail. Setting this option to 0 means the transforms will never time out.

Figure 348: Transform options

Display

From the Display tab, there are various settings that can be configured to adjust the user interface of the Maltego client.

Figure 349: Display options

The following sections will cover each part of the Display options tab.

Figure 350: Manual link settings

The first setting in the Manual Links settings allows you to choose if the Edit properties dialog should open when a new manual link is created.

The next two settings set the color for manual and transform created links. The default colors are two different shades of gray. Clicking the change button will open a color palette where a new default color for the type of links can be chosen:

Figure 351: Color palette to set default link color

Overlay Icons

Figure 352: Overlay icon options

The first checkbox lets you choose if the entity type icon should be overlaid for entities that have custom images for their icons. For example, the Twitter Affiliation entity returned from a transform will set the entity icon to the Twitter user’s profile image. When this option is checked (which is the default option), the entity type icon will be overlaid on the profile image in the bottom left-hand corner of the entity as shown in the image below:

Figure 353: Twitter Affiliation entity with entity type overlay

By default, when an attachment is added to an entity, a small paper-clip icon will be overlaid on the entity icon on the left-hand side. The second checkbox allows you to choose whether this paper-clip icon is shown when an attachment is added.

Figure 354: Entity with an attachment

Font Sizes

Figure 355: Font sizing options

The Maltego client attempts to set font sizes according to the pixel density detected on the system. However, this section allows you to choose your own font sizes for different windows in the Maltego client. It is often useful to bump up all the font sizes when using a 4k monitor that is physically small.

The first option sets the font size of the Detail View. The image below shows the Detail View with two different font sizes set for this option:

Figure 356: Two different fonts set in the detail view

The next option is to choose the font size of the Machines window’s logs. Again, the image below shows a comparison of two different font sizes set for this option:

Figure 357: Two different font sizes for the machine window

Changing the Other components font field will adjust all other text in the Maltego client user interface. A restart is required before any changes are applied.

The font size for the Transform Output window can be changed by right-clicking anywhere in the transform output window and then either increasing or decreasing the font sizes as shown in the image below:

Figure 358: Adjusting the transform output font size

The font anti-aliasing setting provides various options for changing the anti-aliasing that is used to render text on a Maltego graph. The options are shown in the image below. The Maltego client will need to be restarted before any changes take effect.

Figure 359: Options for font anti-aliasing

Entity label length

In the Maltego client, long entity values are truncated with an ellipsis to keep the graph neat. By default, all values that are longer than 32 characters will be truncated. The image below shows an example of a truncated domain entity:

Figure 360: Truncated entity value

The full entity value can be seen by double-clicking the entity’s value:

Figure 361: Selected entity value to show truncated text

The Max Entity Label Length option allows you to choose how many characters an entity value can be before it is truncated. You can also choose to completely switch off truncating entity values.

Figure 362: Option to set entity label length before it is truncated

Home

From the Home options, you can choose if you want the Home page to open automatically when the Maltego client is started:

Figure 363: Home options

Updates

From the Updates tab, you can choose if you want the Maltego client to automatically check for updates.

Figure 364: Updates options