02 Feb 2024

How to Store and Prepare OSINT and Maltego Evidence for Prosecutors

Daphnée Aguilar

Conducting an investigation with Maltego can be instrumental in revealing hidden connections and sources related to criminal activities and the individuals involved. Your investigative work in Maltego, however accurate, represents only the initial step that requires refinement before presentation in court. Why is this so?

When presenting your findings to a prosecutor or in a legal context, it is crucial that the information is as clear and comprehensible to them as it is to you, enabling immediate and intuitive understanding.

This process involves more than just presenting your Maltego graph. You need to substantiate the data used, integrate it with other evidence gathered using different methods, and confidently support your findings in a legal setting.

In this content piece, we try to bring out some actionable practices for preparing information from Maltego Graph for your evidence report for prosecutors and explain how Maltego Search can assist you in establishing data lineage.


How to Prepare Your Maltego Graph for Presenting the Case 🔗︎

We will look at immediate changes you can make in your Maltego graph, how to prepare cross-references for Maltego findings, and then focus on your delivery.

Cleaning Maltego Graph 🔗︎

The key lies in simplifying your Maltego graph and focusing on key data connections. For this reason, it is necessary that you retain only the Entities and Links that are directly relevant to the investigation’s objective.

Ask yourself: If someone inquiries about an Entity or Link and its relevance to the case, will you be able to provide an immediate answer? By avoiding overcrowding the graph with information of little relevance to the subject at hand, you will prevent confusing the audience and diluting the impact of the findings.

Next, try grouping related Entities using the collection feature. This organizes Entities with strong connections, making it easier to identify key relationships. For example, group company officers who are under sanctions and the organizations they are linked to.

Collection feature in Maltego

Finding all the meaningful connections in a complex graph can be quite challenging. To emphasize important relationships between different Entities, you can utilize advanced functions like Add Path.

By clicking the Add Path button, you select all the Entities that connect the two chosen Entities, making it easier to present your findings effectively.

Add Path function in Maltego

You may also facilitate understanding for yourself, the prosecutor, and others involved in legal proceedings by using visualization techniques. In Maltego, you have features like bookmarks, link sizing, or notes at your disposal to highlight critical data connections.

Bookmarks in Maltego

Last but not least, analyzing and understanding the content of your graphs can be simplified with Layouts or Search functions. These tools enable you to grasp some information and interpret your graph better.

However, when dealing with datasets too large for each Entity to be individually evaluated, it is best to rely on Views, which are an invaluable tool for discerning the data in your graph and demonstrate it in a visually clear and logical fashion.

We have dedicated an entire blog series on using Maltego Views effectively, so be sure to familiarize yourself with these features here. Read about Maltego Views now.

Maltego Views

Evidence 🔗︎

While OSINT cannot be the sole source of evidence, to build a solid case, you will need to incorporate other sources, such as public records, interviews, or documents, to support and strengthen the findings from OSINT analysis. For example, matching information on the graph with witness statements.

Additionally, you will need to cross-reference findings. In other words, connect the evidence obtained through OSINT with other sources to demonstrate how the data from different avenues converge to form a comprehensive understanding of the investigation. Maltego can really help you with that as it provides links to the source, and if they’re no longer available, historical snapshots are also accessible.

INVESTIGATOR TIP

When explaining data sources, focus on the methodology used, such as online searches or consulting public records, rather than specific Hub items or platforms. Emphasize steps taken to verify data accuracy and reliability, like cross-referencing multiple sources or conducting independent verification.


Delivery 🔗︎

For the narration and presentation, simplify the graph’s description by including a clear legend to clarify the meanings of various shapes, colors, and lines in the graph, especially for those unfamiliar with Maltego.

It is important to remember that your presentation should explain the significance of the graph and its implications in the broader context of the investigation. You can achieve this by providing background information and clearly articulating the relationships and connections depicted in the graph to help the audience understand the findings.

Finally, prepare for your presentation by anticipating questions from the prosecutor and readying additional information or clarifications. Before presenting the evidence, you can practice discussing the graph’s content to ensure a confident and clear delivery.

How to Verify the Legitimacy of Your Maltego Data 🔗︎

It is your responsibility to provide reliable evidence and to maintain transparency throughout the investigative process. This also means understanding the data you use and being able to reconstruct the connections identified in Maltego to present when requested in a legal setting.

For example, consider independently verifying your findings. Imagine a scenario where you trace a link from an email address to a username, and then to a Facebook profile, using search engines or email lookup tools for confirmation. This independent verification, when coupled with cross-referencing findings with other sources such as public records, news reports, and our internal databases improves the credibility of the data.

Let’s look at some more examples.

Social Media Data 🔗︎

In your graph, Entities and Links have traceable sources. For instance, the authenticity of usernames from Alias Entities are typically sourced from social media profile URLs and can be verified by visiting the actual profiles.

Social Media Data in Maltego

Let’s take an example of Social Media Entities. When you open the Entity Property, you will be able to open and see social media account links that can be used for direct verification of data accuracy.

Geolocation Data 🔗︎

For geolocation data, you can rely on links to Google Maps in the Detail View, as well as location pins in social media posts that are often sourced from device GPS. However, these require cross-checking for potential alterations or spoofing.

Maltego Google Maps

If you rely on internal data, you can ensure that your graph indicates location accurately when importing your data by mapping location information to Entities in the initial mapping configuration.

Once you open your new graph, you will be able to select all the Location Entities and normalize them to retrieve their geolocation.

View prior to normalizing locations:

View after normalizing locations:

You will also be able to open their properties to see and present the full address, including city, country, street address, area code, and more.

This visualization and immediate insight into the properties will facilitate the clear and visual presentation of connections and location details in court.

Company Data 🔗︎

The company data retrieved on your graph during company investigations can be cross-referenced with official registries used by our Data Partners. These registries extensively cover officials, addresses, registration, and/or sanctions.

Find out how to equip your team with the essential intelligence all in one place, and within your budget and needs with Maltego Data Pass.

Breached Data 🔗︎

For data breaches, information coming from exposure data provided through our Data Partners can be corroborated with other breach notification sources or cybersecurity reports.

INVESTIGATOR TIP

The key is to prepare documentation that includes the data source, the established connections, and any independent verification conducted. Among the data provided to the court are also the results of the subpoenas sent to online service providers to verify the data of the accounts or their activity and to ensure that variables such as time match with the crime committed. By preparing this documentation, you will provide a transparent and accountable record of the investigation’s trajectory, ensuring that the case is robust and legally sound.


How to Use Maltego Search for Presenting Data Lineage 🔗︎

Tracing back through a data’s lifecycle to its source helps understand its journey and identify information relevant to a given investigation. This is why data lineage is critical when it comes to managing digital evidence, as it establishes the origin of each data point.

While Maltego graphs and supplementary materials are useful for outlining data lineage, leveraging the browser-based Maltego Search offers another approach.

Each result from Maltego Search comes with a clear data lineage, detailing how the original search input led to the specific result. This includes the types of data queried and the data sources used. If the same data connection is identified through multiple data sources, multiple lineages will be presented to indicate their relevance.

Let’s consider a sample search in Maltego Search where we start by looking up an email address of our person of interest.

View of Maltego Search

Similar to the Maltego Graph, Maltego Search maps the personal profile of the target by querying data from sources like social media, the dark web, breached databases, and identity databases integrated with the Maltego Data Hub.

Instead of presenting the data query results in a graph view, Maltego Search lists out the results in various categories, which helps users skim through the initial findings before pivoting further.

View of Maltego Search

To discover the data lineage of each query result, we simply click on the returned piece of information to view its Entity Details, which stores information about its origin data source.

Sometimes, a piece of information has multiple data lineage, meaning that the same data connection is discovered in multiple data sources.

View of Maltego Search

The Properties view also allows you to cross-check or verify the retrieved information outside the tool. You can also click open an image of the target from their social media accounts discovered by Maltego Search to verify whether the accounts are relevant.

It’s important to note that, while Maltego Search is designed to protect your operational security, you must employ the necessary operational security measures when visiting these external links.

View of Maltego Search

It is also possible to export your findings in Maltego Search to visualize their data connections in your Maltego Graph or display the information using the web viewer option in your browser.

Here’s how the same information from Maltego Search is visualized on a graph in the web viewer – an example that you can include in your report.

View of Maltego Search

Conclusion 🔗︎

The effective use of the Maltego platform, which comprises Maltego Graph, Maltego Search, and other capabilities, requires not only identifying critical data but also being prepared to explain its relevance and reliability to the investigation in a legal setting.

In this article, we have provided a set of recommendations and key points to keep in mind when preparing your report for the prosecutor. If you have doubts about your findings in Maltego and would like to request expert advice, you can always reach out to us directly or through your Customer Success Manager.

For more information on the Maltego Search or other Maltego capabilities, click below to access our demo and contact us.

Don’t forget to follow us on Twitter, LinkedIn, and Mastodon, or sign up to our email newsletter to stay updated on the industry insights and Maltego updates we regularly share with our community.

Happy investigating!

About the Author 🔗︎

Daphnée Aguilar

Daphnée Aguilar 🔗︎

Daphnée is a Criminologist with more than 10 years of experience as an Intelligence Officer. She specialized in developing actionable intelligence for identifying, preventing, and neutralizing threats and risks from Transnational Organized Crime. Driven by the feminist movement, her last research was on the Effects of Gender and Racial Bias on Gender-Based Violence Policies. She considers herself a professional taco taster.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.