“Decoding Political Violence with OSINT and Lessons from the Frontline”

Join deep dive: Wed, Dec 18, 16:00 CET
21 Jun 2023

How to Conduct Person of Interest Investigations Using OSINT and Maltego

Carlos Fragoso

As paper trails turned digital, person of interest investigations have become a complex game of cat-and-mouse. It is becoming easier and easier for criminals and malicious actors to hide behind fake online identities. Navigating such a digital landscape can become challenging for law enforcement agencies and criminal investigators alike.

On the other hand, as many aspects of our lives depend on or exist only on the internet, we might be sharing information and details of our personal identities and private life without knowing. These digital footprints might seem and can often be harmless. In certain cases, however, they can also be points of vulnerability.

It is important for investigators to have effective methods and tools for mapping digital footprints—either for a criminal case or to protect a person of interest from external threats.

With Maltego, investigators can quickly and easily link seemingly disparate leads and build a comprehensive map of a target person’s digital footprint. Integrated with a variety of OSINT, social intelligence, and identity data sources, Maltego is the perfect tool to quickly obtain and analyze the digital presence of a person of interest.

In this tutorial, we will demonstrate how to conduct a person of interest investigation using OSINT in Maltego. We will start with the names of two public individuals and pivot into more personal identifiers, including social media accounts, private phone numbers, a company name, personal email addresses, and the network infrastructure of websites connected to them.

Watch the video now, or follow along to read the documented tutorial and download your cheat sheet below.


Conducting a Personal Recon Investigation 🔗︎

For this tutorial article, we’ll explore the digital footprint of two individuals, Aina and Marc Clotet, by using Maltego Data and by following the six steps below:

Steps for a Personal Recon Investigation

First, we’ll look for official information about the targets, such as their location and personal websites. Next, we will trace the digital trail left by our targets and then delve into their official and private social media profiles, gathering profile images and insights into their closed networks.

After that, we’ll explore a company with which both targets appear to be affiliated. Next, we’ll map the infrastructure of their websites in search of more detailed information, such as their personal email addresses. Finally, in the last step, we will utilize our findings to search for phone numbers associated with the targets.

If you would like to reproduce the steps in your Maltego or get an extensive overview of the investigation, download the workflow cheat sheet now!

Step 1: Discovery 🔗︎

Our targets are actors who also happen to be siblings: Aina and Marc Clotet. We will begin our investigation by identifying some basic information and connections.

First, we open a new graph in Maltego, paste the names of the actors as Phrase Entities, and run the To Search Page Titles [Wikipedia EN] to discover the official Wikipedia pages for both actors.

From there, we can run the To Links [found on web page] Transform to get a list of websites found on their respective Wikipedia pages. We will also get an overview of which websites are mentioned on both of their Wikipedia pages.

Two results are particularly relevant as they lead to the official websites of Aina and Marc Clotet: “www.ainaclotet[.]com” and “www.marcclotet[.]com.” They will serve as starting points in the later stages of this investigation.

Apart from searching for websites, we can also extract other relevant information mentioned on the official Wikipedia pages, such as locations and names.

To do that, we will run the To Entities [IBM Watson] Transform.

In doing so, we retrieved a list of names potentially linked to our targets and a location shared by both actors (Barcelona, Spain).

Step 2: Online Footprint 🔗︎

We will start our next step by dragging a Phrase Entity into a new graph and adding the actors’ names in inverted commas to limit the search results down to exact matching. This is a common search dorking technique to increase the relevance of a web search.

Our goal is to find websites associated with our targets using the Maltego Standard Transforms.

We do this by first running the To Website [using Search Engine], then the To URLs [show Search Engine results], and finally the To Links [Found on web page] Transforms.

These Transforms return a list of websites where the names “Aina Clotet” or “Marc Clotet” are mentioned. They include documenting websites such as Wikipedia, as well as a personal website we also saw in the first step, namely “ainaclotet[.]com.”

We will now try to extract contact information that is usually embedded in the website footer. It can serve as a starting point to investigate professional contacts of our target, aiding in profiling and potentially uncovering connections to their secondary or hidden profiles.

As an example, we will use the identified Entity “ainaclotet[.]com/i/es/” and run the To Email Addresses [found on webpage], and To Phone Numbers [found on webpage] Transforms.

Maltego returned a collection of Entities pointing to email addresses (such as “esther@paperstreet[.]es”) and phone numbers that are likely linked to talent managers.

To verify the retrieved data, we can double-click on the Entity on which we ran the Transforms and view the page by clicking on “Open all URLs.”

NOTE: Within Maltego, you can open retrieved URLs in the browser. Analysts can use this feature to document other relevant information, such as date of birth, names of family members, or country of residence available on those websites. This data can be important in the later stages of your investigation.

As we open the website and scroll down to the bottom of the page, we can observe the contact details of Aina’s representatives, thereby confirming the results obtained through Maltego.

Retrieved phone numbers and email addresses may also prove important in later stages of the research, so keep that in mind when you launch your own investigations.

Step 3: Social Media Footprint 🔗︎

Now, we will try to map the social media profiles of our targets. Let us open a new graph and start with two Person Entities.

This time, instead of applying dorking techniques, we will use a variety of Maltego Transforms tapping into social media intelligence (SOCMINT).

We will begin with the To Social Media Profiles Transform from the Google Social Network Transforms.

After refining the graph to display only relevant Entities, we can see a couple of accounts registered on popular social media platforms with photos of our targets.

If you take a closer look at the profiles, you will discover that these accounts are usually public and have thousands of followers. We can also easily list some of the aliases used across the platforms, such as “marc_clotet,” “marcclotetoficial,” “ainaclotet,” or “AinaClotetOfficial.”

The official accounts are often marked by checkmarks to show that they are verified and recognized by the public person.

We do, however, seem to have identified a personal Instagram account named “ainaclotetfriends” with the accompanying biography, “Page just for friends;) official page @ainaclotet.”

Since it has become quite common these days for public figures to use Instagram for both private activities and public promotion, we will now focus on mapping their Instagram activities and mutual connections.

We will first use the previously discovered usernames “ainaclotet” and “marc_clotet” to extract the Instagram Entities on a new graph using the Get Instagram User [Vetric] Transform. Then, we will map out the profiles they follow and those that follow them back by running the Find Mutual Following [Vetric] Transform.

The Transform returned a large number of relevant profiles, such as the Instagram account of what appears to be a company named “Funicular Films.”

We also stumbled upon following relationships to private accounts, indicating a potentially close relationship between the owners of those accounts and our targets, especially since these accounts also follow the targets back. This discovery could serve as a valid starting point for further investigations of a similar nature.

Step 4: Company Investigation 🔗︎

In a person of interest investigation, it is also important to consider the professional relationships and affiliations of our targets.

In the previous step, we found a link to the entity “Funicular Films,” which appears to be the name of a company. Let’s follow this lead and examine how it connects to our targets.

We will open a new graph and run the To Website [using Search Engine] Transform on the “Funicular Films” Phrase to find the official website of this Entity and the To URLs [show Search Engine results] Transform to find relevant pages.

There are two pages under the “funicularfilms[.]com” website that caught our attention: “Team – Funicular Films” and “Privacy Policy – Funicular Films.”

We want to explore the first one to find information on the company’s officers and the latter to obtain information about the company’s legal name. To do that, select both Entities and run the To Entities [IBM Watson] Transform.

We see that our targets are affiliated with the company they follow on social media, thereby confirming the accuracy of our investigation results.

Additionally, we have identified other officers linked to this company as well as its legal name – “FUNICULAR FILMS SL,” which seems to be based in Barcelona, Spain. This aligns with the location of the actors we discovered in Step 1.

If we wanted to delve deeper into the company or its officers, or if we wished to investigate another company in a similar manner, we could also make use of specific Transforms from OpenCorporates or Orbis – Bureau Van Dijk, which are designed specifically for conducting company investigations. However, for our current investigation, we want to primarily focus on exploring the online presence of our targets.

Step 5: Infrastructure Investigation 🔗︎

This part of our investigation will focus on a couple of domains discovered in Step 3. Our goal is to find associated email addresses and other domains that link to those email addresses.

In a new graph, we will paste the following website domains as Domain Entities onto the graph:

  • ainaclotet[.]com
  • marcclotet[.]com
  • marc-clotet[.]com
  • funicularfilms[.]com

We will now use the DomainTools data source, which contains domain registration records known as Whois information, to search for email addresses associated with those domains by running the dtDomain2HistoricEmail [DomainTools] Transform.

Next, we find other domains registered with the same email addresses with the dtEmail2HistoricDomains [DomainTools] Transform.

The reason why we use historic search is because it was a common practice in the past to set up websites using personal emails. Over time, the ownership of these domains may have changed, especially due to the increased popularity of our targets. While the current, up-to-date website registry information might not help our investigations, the historical data from DomainTools can still provide the insights we need.

Among the email addresses we find, two of them seem to be their personal Hotmail email addresses.

This information holds great value in person of interest investigations as it enables us to find out more about a person’s online footprint and uncover more specific identity intelligence.

Step 6: Personal Sphere 🔗︎

In the final step, we will take our recent finding, namely, the targets’ private email addresses, and pivot from them using the To Search Person [Pipl] Transform to find matching person profiles.

To narrow down our search and find an exact match, we can provide additional information in the wizard, such as the country code “ES” for Spain. Since we have already established a connection between the actors and Barcelona, Spain, including this data will help us refine our search.

Maltego retrieved the names of Marc and Aina, indicating that the email addresses likely belong to them. Interestingly, the search also yielded the most probable age for Marc, which is 43.

Let’s delve deeper into their profiles and discover more information by running the To Expand in Full [Pipl] Transform.

Our findings include Aina’s personal Gmail address, a collection of phone numbers, and locations associated with our targets.

In fact, we can also see the precise address of the location connected to Marc in the Detail View, which appears to be a private house when viewed on Google Maps.

We also managed to obtain a URL leading to a website that contains Aina’s profile, featuring additional personal information such as her photo, educational background, and the languages she speaks.

As the next step, we wanted to verify the retrieved phone numbers employing the To Look up phone number [OpenCNAM] Transform.

This led to discovering Entities associated with the numbers, revealing details such as the names of our targets, location indicators, and the name of their father.

What could also prove interesting are the Pipl Tag Entities (To Tags [Pipl] Transform). These Entities represent the hobbies, interests, and other notable information about the targets.

While these particular interests are harmless, little nuggets of information like these from a person’s past (or present) can help us to glean a complete picture of, and get closer to a person and his or her interests.

Enrich Your Person of Interest Investigations with More OSINT Data 🔗︎

You have reached the end of the example of a personal recon process that investigators can perform using Maltego.

To quickly recap, we started with two names to discover their personal websites, location, and family member names.

We further explored their online presence, uncovering associated websites and domains. Then, we identified their official and private social media accounts with profile pictures and delved into their network of social contacts.

Moving forward, we investigated a company affiliated with both targets and traced domains connected to our targets back to their personal email addresses. Finally, we used those email addresses to find more detailed personal information, including private phone numbers and a home address, which added another layer of understanding to our investigation.

Pivoting to Other OSINT Data 🔗︎

From the different Entities returned to our graph, we could of course investigate deeper and wider, such as pivoting into a reverse image search or conducting a network footprint using the targets’ email addresses. This would help us to map an even more extensive online and infrastructure network of the person of interest.

If we are conducting the person of interest investigation for fraud, we could also look at the target’s business relationships using the OpenCorporates and WhoisXML data integrations. We showed such a use case in our joint webinar with Pipl.

Download Your Cheat Sheet 🔗︎

If you would like to reproduce the steps in your Maltego or delve even further into your investigation, do not forget to download the workflow cheat sheet enriched with additional investigative points!

Download the resource

DE +49
Albania +355
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua And Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia and Herzegovina +387
Botswana +267
Brazil +55
Brunei Darussalam +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Cote d'Ivoire +225
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus +90392
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands (Malvinas) +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +995
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea-Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran, Islamic Republic of +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea, Democratic People's Republic of +850
Korea, Republic of +82
Kuwait +965
Kyrgyzstan +996
Lao People's Democratic Republic +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libyan Arab Jamahiriya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia, the former Yugoslav Republic of +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mauritius +230
Mayotte +269
Mexico +52
Micronesia, Federated States of +691
Moldova, Republic of +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Island +672
Northern Mariana Islands +670
Norway +47
Oman +968
Pakistan +92
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russian Federation +7
Rwanda +250
San Marino +378
Sao Tome and Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovakia +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
Saint Helena +290
Saint Kitts and Nevis +1869
Saint Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syrian Arab Republic +963
Taiwan +886
Tajikistan +7
Thailand +66
Togo +228
Tonga +676
Trinidad and Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +993
Turks and Caicos Islands +1649
Tuvalu +688
Uganda +256
United Kingdom +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
United States +1
Uzbekistan +7
Vanuatu +678
Holy See (Vatican City State) +379
Venezuela +58
Viet Nam +84
Virgin Islands, British +84
Virgin Islands, U.S. +84
Wallis and Futuna +681
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

We hope you enjoyed this demonstration of a person of interest investigation. Don’t forget to follow us on Twitter and LinkedIn and sign up to our email newsletter to stay updated on the latest tutorials, use cases, and webinars!

Happy investigating!

About the Author 🔗︎

Carlos Fragoso

Carlos is the Principal Subject Matter Expert and Lead Instructor at Maltego with over 20 years of professional experience in information security: Incident response, digital forensics, threat intelligence, and threat hunting. A curious and passionate investigator working with big companies and LEAs to tackle cybercrime around the world (Europe, Middle East, LATAM) SANS Institute Instructor.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.