24 Aug 2022

Detecting and Tracking Criminal Activity with FlightAware and Maltego

Maltego Team

Introduction 🔗︎

In an era in which the relevance of information lies not only in its quality and veracity, but also in its immediacy, the need for tools that give us access to important data within a very narrow window of time is becoming more crucial than ever. For example, it is extremely useful to track a flight when you are on your way to the airport, picking someone up, or checking on the route or status of a particular flight.

Nowadays, the best way to do so is with FlightAware. For criminal investigations, such as those involving drug smuggling, the real-time information provided by FlightAware helps law enforcement agencies combat transnational air smuggling. It is also quite useful for quickly identifying the departure or arrival point of a flight in person of interest investigations where only partial information is available.

The FlightAware integration allows users to analyze flight data. They can gain insights into a flight’s origin, destination and operator, and uncover ownership details. These can also be used to pivot into Person of Interest investigations. The typical users of FlightAware data are Criminal Investigators, Intelligence Collection Teams, Journalists and Researchers, to mention a few.

Maltego Enterprise users can simply install and start using the Hub item with a data allowance of 800 Transform credits/month. For credit consumption details, please see our technical documentation. For Maltego Community users, you can simply plug in your own API key and start using the Hub item.

With the FlightAware integration in Maltego, what was once a stressful investigation yields results within minutes. In this article, we will showcase the capabilities of the FlightAware Transforms with two use cases.

Use Case: Uncovering Flight Routes 🔗︎

On July 13th, 2022, Sri Lanka’s embattled president Gotabaya Rajapaksa fled the country to Malé (Maldives) on board a Sri Lankan military aircraft. He reportedly arrived in Malé around 03:00 am local time. After arriving in the Maldives, he was expected to head to Singapore next, according to the Senior Executive Director of the Maldives Ministry of Tourism, Thayyib Shaheem. Media reported that Rajapaksa left the capital of the Maldives on board a “Saudi flight” around 11:30 am on July 14th. Other portals reported that, due to security concerns, Rajapaksa did not board the SQ437 flight, which arrived in Singapore at 07:50 am, but instead landed at Singapore’s Changi Airport on the 14th of July at 7:17 pm (1117 GMT).

With this briefing, we know the departure and arrival airports, the probable hour of arrival, and the airline Rajapaksa chose. Note that the Saudi Arabian Airlines codes are ICAO: SVA and IATA: SV. We might have to cross-check some data, but using Maltego’s FlightAware integration, the process will be a piece of cake.

Let’s break it down:

Step 1: Add two FlightAware Airport Entities into a new graph. Change the names of the Entities to:

  • Malé Velana Airport, ICAO code: VRMM
  • Singapore Changi Airport, ICAO code: WSSS

Step 2: Select the FlightAware Airport Entities individually and run the To Schedule Departure Flights [FlightAware] Transform on each of them.

As we know the most likely departure time from Malé is 06:30 CEST, let us set a six-hour window over the early hours of the 14th of July and a one-hour window for the arrival time in Singapore. Note that the time must be set in CEST and that the Transform erases the previous collections if you run a new scheduled departure search. You must pin the flights of interest before running a new search.

Departure flight from Malé

Arrival flight in Singapore

The Transform returns two collections for each airport code (VRMM and WSSS): the collection above the Airport Entity holds arrivals and the collection below it holds departures. These are the results of the searches on the airports of interest:

Step 3: Use the Search Tool to find Entities with the code “SV”. With FlightAware, we can filter for specific airlines while searching for scheduled flights. Click on the Collection Node results and search for the Saudi Arabian Airlines code “SV”. The only result matching our search is flight SVA788.

Step 4: Pin the Entity to take it out of the Collection Node. Select it and run the Extract Flight ID [FlightAware] and the Extract Route [FlightAware] Transforms.

Run Extract Flight ID and Extract Route Transforms

In very few steps and a considerably short time, we can narrow down the route search and identify the flight the target used by cross-checking departures and arrivals against the estimated times. The results in Maltego are consistent with the July 14th flight plan, the airline and the media reports regarding Gotabaya Rajapaksa’s arrival in Singapore.

Identify the target’s flight by cross checking
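The cross-check performed in Steps 2 to 4 above, written out as an added example (not Maltego’s or FlightAware’s code): two scheduled-flight listings are filtered by a departure window, an arrival window and an airline ICAO prefix, and only idents present in both listings survive. The flight records are constructed to loosely resemble the fields a scheduled-flight lookup returns (ident, origin, destination, scheduled times); the decoy flights, their times and the fixed UTC offsets for Malé, Singapore and CEST are assumptions for the demonstration, not data from the case. The example goes slightly beyond the article by building each window from the investigator’s local clock, which is where the CEST pitfall mentioned above bites.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed offsets (constructed constants; none of these zones shift in July).
MALE_TZ = timezone(timedelta(hours=5), "MVT")
SINGAPORE_TZ = timezone(timedelta(hours=8), "SGT")
CEST_TZ = timezone(timedelta(hours=2), "CEST")


@dataclass(frozen=True)
class Flight:
    ident: str               # ICAO-prefixed flight ident, e.g. "SVA788"
    origin: str              # ICAO airport code
    destination: str         # ICAO airport code
    scheduled_out: datetime  # timezone-aware departure time
    scheduled_in: datetime   # timezone-aware arrival time


def at(iso_local: str, tz: timezone) -> datetime:
    """Parse a naive ISO-8601 timestamp as wall-clock time in tz."""
    return datetime.fromisoformat(iso_local).replace(tzinfo=tz)


def window(start_local: str, hours: float, tz: timezone):
    """A (start, end) pair built from the clock the analyst actually reads (here CEST)."""
    start = at(start_local, tz)
    return start, start + timedelta(hours=hours)


def in_window(t: datetime, w) -> bool:
    # Aware datetimes compare correctly across different tzinfo objects.
    start, end = w
    return start <= t <= end


def airline_prefix(ident: str) -> str:
    """ICAO airline designator: the leading letters of the ident (SVA788 -> SVA)."""
    i = 0
    while i < len(ident) and ident[i].isalpha():
        i += 1
    return ident[:i]


def candidate_flights(departures, arrivals, dep_window, arr_window, airline):
    """Flights of `airline` that leave inside dep_window AND land inside arr_window.

    Mirrors the manual step: a departure listed at the origin must also appear
    as an arrival at the destination within the expected hour.
    """
    arriving = {f.ident: f for f in arrivals if in_window(f.scheduled_in, arr_window)}
    matches = []
    for f in departures:
        if airline_prefix(f.ident) != airline or not in_window(f.scheduled_out, dep_window):
            continue
        a = arriving.get(f.ident)
        if a is not None and a.destination == f.destination:
            matches.append(f)
    return matches


def describe(f: Flight) -> str:
    return (f"{f.ident}: {f.origin} {f.scheduled_out.astimezone(timezone.utc):%H:%M}Z -> "
            f"{f.destination} {f.scheduled_in.astimezone(timezone.utc):%H:%M}Z")


# Constructed sample listings for 14 July 2022 (decoys included on purpose).
DEPARTURES_VRMM = [
    Flight("SQA437", "VRMM", "WSSS", at("2022-07-13T23:30", MALE_TZ), at("2022-07-14T07:50", SINGAPORE_TZ)),
    Flight("SVA9001", "VRMM", "OEJN", at("2022-07-14T10:00", MALE_TZ), at("2022-07-14T13:30", MALE_TZ)),
    Flight("SVA788", "VRMM", "WSSS", at("2022-07-14T11:30", MALE_TZ), at("2022-07-14T19:17", SINGAPORE_TZ)),
    Flight("QTR1234", "VRMM", "WSSS", at("2022-07-14T12:00", MALE_TZ), at("2022-07-14T19:30", SINGAPORE_TZ)),
]
ARRIVALS_WSSS = [
    Flight("SQA437", "VRMM", "WSSS", at("2022-07-13T23:30", MALE_TZ), at("2022-07-14T07:50", SINGAPORE_TZ)),
    Flight("SVA788", "VRMM", "WSSS", at("2022-07-14T11:30", MALE_TZ), at("2022-07-14T19:17", SINGAPORE_TZ)),
    Flight("QTR1234", "VRMM", "WSSS", at("2022-07-14T12:00", MALE_TZ), at("2022-07-14T19:30", SINGAPORE_TZ)),
    Flight("SVA9002", "OEJN", "WSSS", at("2022-07-14T14:00", CEST_TZ), at("2022-07-14T23:00", SINGAPORE_TZ)),
]

# Six-hour departure window and one-hour arrival window, entered in CEST as the article does.
DEP_WINDOW = window("2022-07-14T06:00", 6, CEST_TZ)   # 04:00Z - 10:00Z
ARR_WINDOW = window("2022-07-14T13:00", 1, CEST_TZ)   # 11:00Z - 12:00Z


if __name__ == "__main__":
    for f in candidate_flights(DEPARTURES_VRMM, ARRIVALS_WSSS, DEP_WINDOW, ARR_WINDOW, "SVA"):
        print(describe(f))
```

Of the four SVA-prefixed records, only SVA788 departs inside the window, lands inside the window and appears in both listings with the same destination; SVA9001 goes elsewhere and SVA9002 lands too late. Running the same function with another prefix shows how the airline filter, not the windows alone, isolates the flight.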

Summary 🔗︎

In the case of Gotabaya’s escape from Sri Lanka, the public was very interested not only in his final destination, but also in all the details regarding his arrival in Singapore, especially after two commercial flights refused to carry the President and his entourage. During the initial turmoil, various conjectures were published about the route taken by the President, which could only be corroborated once the media had visual confirmation of Gotabaya’s arrival at the Singapore airport.

In the case of a target linked to a criminal warrant, waiting for visual confirmation means in most cases losing track of the suspect. For further investigation and within the proper legal framework, a law enforcement agent might ask for the records of the passengers. This can be used in the cases of Interpol Red Notices, for example.

Case 2: Narcoplanes 🔗︎

Law enforcement agencies have long recognized that the air smuggling of illegal substances by Transnational Criminal Organizations (TCOs) poses a serious threat. In 2020, cocaine trafficking on private aircraft increased notably to overcome COVID-19 restriction measures. As illegal flights increased, so did crashes of planes trafficking drugs. Many of the pilots try to avoid radar detection by flying at ultra-low altitudes, which in many cases leads to unavoidable crashes. When events of this nature happen, one of the first questions that comes to mind is: who is behind it? In these cases, the focus is more on the people behind the logistics than on the people on the plane.

Tracking a private aircraft requires the plane’s tail registration number. Some flight information, like Elon Musk’s private jet, is “blocked at owner’s request”, but this is not usual with small aircraft. Proving ownership is often tricky, as owners and registrations can change and assets can shift quickly in the narco-world. Normally, the search and collection of this information takes quite some time. By using FlightAware in Maltego, our investigations can greatly benefit in terms of efficiency and timely delivery of results.

On August 5th, 2022, the Integrated Air Surveillance System (SIVA) of the Mexican Ministry of National Defense detected an unidentified aircraft coming from South America. Thanks to radar detection and later visual contact, it was observed that the suspicious aircraft landed 32 kilometers southeast of Mapastepec, Chiapas. Upon landing, the occupants fled the scene, leaving 136 kilos of narcotics behind. The official report does not provide further information on the aircraft; however, media reports and pictures of the seizure show the aircraft and its tail number:

The aircraft and its tail number from media reports and pictures

Source: Infobae

Using the FlightAware Transforms in combination with the OpenCorporates Transforms in Maltego, we can pivot from the tail number to eventually identify the criminal organizations managing the logistics of the flight.

Step 1: Insert a FlightAware Flight ID Entity and change the Entity name to N761CF.

Step 2: Run the To Owner Details [FlightAware] Transform. Maltego returns the Owner Entity “GO NOTAM GO LLC”, which is consistent with the records provided by the Federal Aviation Administration (FAA).

Step 3: Select the new Entity and run the Search Companies [OpenCorporates] Transform.

Select new Entity and run the Search Companies [OpenCorporates] Transform

Step 4: Run the Fetch full information [OpenCorporates] Transform. It returns an OpenCorporates Officer Entity.

We cannot allege direct involvement of the company or its officer based solely on this data connection. However, it opens some avenues for questions. For example, a brief online search about the company returns neither a website nor a phone number, and it lists only one registered official. For a company related to airspace and aircraft, this can be an indicator that it is a shell company. We can delve deeper into the elements behind the crashed aircraft.

Using the Pipl Transforms in Maltego, we pivot into a person of interest investigation targeting the company official linked to the plane.

Step 5: Run the Search Person [Pipl] Transform and run the Expand in Full [Pipl] Transform on the Pipl Person Entity result to obtain the full profile of the target.

Run the Search Person [Pipl] Transform and run the Expand in Full [Pipl] Transform on the Pipl Person Entity

We see that one of the Pipl Job Entities is labeled “Pilot”. After running the To Source Origin [Pipl] Transform, we find that the person holds a professional pilot license.

Step 6: Select the Pilot Entity. Run the To Source Origin [Pipl] Transform.

Step 7: Maltego returns a Pipl Source Entity labeled as “Professional License”.

To learn more about the professional background of the only official of the Company Entity we obtained before, such as the extent of the permissions the pilot license entails, select it and run the To Tags [Pipl] Transform.

Select Pilot Entity and run the To Tags [Pipl] Transform

Although issuing a Pilot License is not too hard, it is very rare to get one with a fake ID. When formulating an opinion on possible illicit activity, aircraft indicators and pilot profiles should be considered along with other suspicious activity, which may build up our case by pointing to new lines of investigation. We suspect that he could be the pilot of the crashed aircraft, as the Transforms return that one of the properties of the license is for small aircraft. If we search open sources for criminal records in the US about the Person of Interest derived from our investigation, we get results like this one:

Result returned from open sources after searching for criminal records

Starting from an official report and a news piece related to the event, we went from an aircraft’s tail number to a company that is most likely a shell company. We were also able to identify a person of interest who is likely to be part of the criminal activity.

Summary 🔗︎

Drug trafficking knows no borders, and TCOs are always on the lookout to recruit people from the drug shipment’s destination countries. When an aircraft crashes and it is related to illegal activities, the investigation does not end with the shipment seizure. The aircraft are often abandoned by the pilots, as their cost represents a small hit on the TCOs’ finances. By identifying the possible shell companies and the people behind them, the chances of mapping a whole drug trafficking organization increase to a great extent. Again, we cannot make assumptions. But the combination of a quick-paced investigation with Maltego and the use of the law enforcement resources at hand can enhance not only the quality, but also the speed of an accurate answer for decision makers.
