Conducting an investigation with Maltego can be instrumental in revealing hidden connections and sources related to criminal activities and the individuals involved. Your investigative work in Maltego, however accurate, represents only the initial step that requires refinement before presentation in court. Why is this so?
When presenting your findings to a prosecutor or in a legal context, it is crucial that the information is as clear and comprehensible to them as it is to you, enabling immediate and intuitive understanding.
This process involves more than just presenting your Maltego graph. You need to substantiate the data used, integrate it with other evidence gathered using different methods, and confidently support your findings in a legal setting.
In this article, we outline actionable practices for preparing information from your Maltego graph for the evidence report you give to prosecutors, and explain how Maltego’s OSINT Profiler can assist you in establishing data lineage.
How to Prepare Your Maltego Graph for Presenting the Case
We will look at immediate changes you can make in your Maltego graph, how to prepare cross-references for Maltego findings, and then focus on your delivery.
Cleaning Maltego Graph
The key lies in simplifying your Maltego graph and focusing on key data connections. For this reason, it is necessary that you retain only the Entities and Links that are directly relevant to the investigation’s objective.
Ask yourself: If someone inquires about an Entity or Link and its relevance to the case, will you be able to provide an immediate answer? By avoiding overcrowding the graph with information of little relevance to the subject at hand, you will prevent confusing the audience and diluting the impact of the findings.
Next, try grouping related Entities using the collection feature. This organizes Entities with strong connections, making it easier to identify key relationships. For example, group company officers who are under sanctions and the organizations they are linked to.
Finding all the meaningful connections in a complex graph can be quite challenging. To emphasize important relationships between different Entities, you can utilize advanced functions like Add Path.
By clicking the Add Path button, you select all the Entities that connect the two chosen Entities, making it easier to present your findings effectively.
You may also facilitate understanding for yourself, the prosecutor, and others involved in legal proceedings by using visualization techniques. In Maltego, you have features like bookmarks, link sizing, or notes at your disposal to highlight critical data connections.
Last but not least, analyzing and understanding the content of your graphs can be simplified with Layouts or Search functions. These tools enable you to grasp some information and interpret your graph better.
However, when dealing with datasets too large for each Entity to be individually evaluated, it is best to rely on Views, which are an invaluable tool for discerning the data in your graph and demonstrating it in a visually clear and logical fashion.
We have dedicated an entire blog series to using Maltego Views effectively, so be sure to familiarize yourself with these features.
OSINT cannot be the sole source of evidence. To build a solid case, you will need to incorporate other sources, such as public records, interviews, or documents, to support and strengthen the findings from OSINT analysis. For example, you can match information on the graph with witness statements.
Additionally, you will need to cross-reference findings. In other words, connect the evidence obtained through OSINT with other sources to demonstrate how the data from different avenues converge to form a comprehensive understanding of the investigation. Maltego can help with this, as it provides links to the sources, and if they are no longer available, historical snapshots are also accessible.
INVESTIGATOR TIP: When explaining data sources, focus on the methodology used, such as online searches or consulting public records, rather than specific Hub items or platforms. Emphasize steps taken to verify data accuracy and reliability, like cross-referencing multiple sources or conducting independent verification.
For the narration and presentation, simplify the graph’s description by including a clear legend to clarify the meanings of various shapes, colors, and lines in the graph, especially for those unfamiliar with Maltego.
It is important to remember that your presentation should explain the significance of the graph and its implications in the broader context of the investigation. You can achieve this by providing background information and clearly articulating the relationships and connections depicted in the graph to help the audience understand the findings.
Finally, prepare for your presentation by anticipating questions from the prosecutor and readying additional information or clarifications. Before presenting the evidence, you can practice discussing the graph’s content to ensure a confident and clear delivery.
How to Verify the Legitimacy of Your Maltego Data
It is your responsibility to provide reliable evidence and to maintain transparency throughout the investigative process. This also means understanding the data you use and being able to reconstruct the connections identified in Maltego to present when requested in a legal setting.
For example, consider independently verifying your findings. Imagine a scenario where you trace a link from an email address to a username, and then to a Facebook profile, using search engines or email lookup tools for confirmation. This independent verification, when coupled with cross-referencing findings with other sources such as public records, news reports, and our internal databases, improves the credibility of the data.
Let’s look at some more examples.
Social Media Data
In your graph, Entities and Links have traceable sources. For instance, usernames in Alias Entities are typically sourced from social media profile URLs, and their authenticity can be verified by visiting the actual profiles.
Let’s take an example of Social Media Entities. When you open the Entity Property, you will be able to open and see social media account links that can be used for direct verification of data accuracy.
Geolocation Data
For geolocation data, you can rely on links to Google Maps in the Detail View, as well as location pins in social media posts that are often sourced from device GPS. However, these require cross-checking for potential alterations or spoofing.
If you rely on internal data, you can ensure that your graph indicates location accurately when importing your data by mapping location information to Entities in the initial mapping configuration.
Once you open your new graph, you will be able to select all the Location Entities and normalize them to retrieve their geolocation.
[Figure: view prior to normalizing locations]
[Figure: view after normalizing locations]
You will also be able to open their properties to see and present the full address, including city, country, street address, area code, and more.
This visualization and immediate insight into the properties will facilitate the clear and visual presentation of connections and location details in court.
Company Data
The company data retrieved on your graph during company investigations can be cross-referenced with official registries used by our Data Partners. These registries extensively cover officials, addresses, registration, and/or sanctions.
Breached Data
For data breaches, information coming from exposure data provided through our Data Partners can be corroborated with other breach notification sources or cybersecurity reports.
INVESTIGATOR TIP: The key is to prepare documentation that includes the data source, the established connections, and any independent verification conducted. Among the data provided to the court are also the results of the subpoenas sent to online service providers to verify the data of the accounts or their activity and to ensure that variables such as time match with the crime committed. By preparing this documentation, you will provide a transparent and accountable record of the investigation’s trajectory, ensuring that the case is robust and legally sound.
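One way to keep the documentation described above is a per-Link ledger that can be checked before the report is written. The Python below is an added example, not Maltego code or part of the original article; it follows the email address to username to Facebook profile scenario, and the record fields, entity values and source names are constructed placeholders rather than any Maltego export format.

```python
from collections import deque

# Constructed sample ledger: one record per Link kept on the graph.
# Entity values, source names and verification notes are placeholders.
LEDGER = [
    {"from": "email:person@example.com", "to": "alias:sample_user",
     "lineages": [{"source": "breach-dataset-A", "method": "email lookup"},
                  {"source": "social-platform-B", "method": "profile search"}],
     "verified_by": ["search engine query (constructed note)"]},
    {"from": "alias:sample_user", "to": "profile:facebook/sample_user",
     "lineages": [{"source": "social-platform-B", "method": "profile URL"}],
     "verified_by": []},  # no independent verification recorded yet
]

def trace(ledger, start, end):
    """Breadth-first search for the chain of Links from start to end."""
    out = {}
    for rec in ledger:
        out.setdefault(rec["from"], []).append(rec)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        node, path = queue.popleft()
        if node == end:
            return path
        for rec in out.get(node, []):
            if rec["to"] not in seen:
                seen.add(rec["to"])
                queue.append((rec["to"], path + [rec]))
    return None  # the connection cannot be reconstructed from the ledger

def audit(ledger, start, end):
    """Return per-hop lineage counts and the gaps to close before reporting."""
    path = trace(ledger, start, end)
    if path is None:
        return {"reconstructable": False, "gaps": [], "hops": []}
    gaps, hops = [], []
    for rec in path:
        hop = f'{rec["from"]} -> {rec["to"]}'
        sources = {l["source"] for l in rec["lineages"] if l.get("source")}
        hops.append((hop, len(sources)))  # more than 1 = multiple lineages
        if not sources:
            gaps.append((hop, "no data source recorded"))
        if not rec["verified_by"]:
            gaps.append((hop, "no independent verification recorded"))
    return {"reconstructable": True, "gaps": gaps, "hops": hops}

if __name__ == "__main__":
    print(audit(LEDGER, "email:person@example.com", "profile:facebook/sample_user"))
```

Links are treated as directed, so a chain is only reported as reconstructable in the direction it was recorded.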
How to Use Maltego’s OSINT Profiler for Presenting Data Lineage
Tracing back through a data’s lifecycle to its source helps understand its journey and identify information relevant to a given investigation. This is why data lineage is critical when it comes to managing digital evidence, as it establishes the origin of each data point.
While Maltego graphs and supplementary materials are useful for outlining data lineage, leveraging the browser-based Maltego OSINT Profiler offers another approach.
Each result from the OSINT Profiler comes with a clear data lineage, detailing how the original search input led to the specific result. This includes the types of data queried and the data sources used. If the same data connection is identified through multiple data sources, multiple lineages will be presented to indicate their relevance.
Let’s consider a sample search in the OSINT Profiler where we start by looking up an email address of our person of interest.
Similar to the Maltego Desktop Client, the OSINT Profiler maps the personal profile of the target by querying data from sources like social media, the dark web, breached databases, and identity databases integrated with the Maltego Transform Hub.
Instead of presenting the data query results in a graph view, the OSINT Profiler lists out the results in various categories, which helps users skim through the initial findings before pivoting further.
To discover the data lineage of each query result, we simply click on the returned piece of information to view its Entity Details, which stores information about its origin data source.
Sometimes, a piece of information has multiple data lineages, meaning that the same data connection is discovered in multiple data sources.
The Properties view also allows you to cross-check or verify the retrieved information outside the tool. For instance, a location Entity will include the URL to its specified location in Google Maps.
You can also click open an image of the target from their social media accounts discovered by the OSINT Profiler to verify whether the accounts are relevant.
It’s important to note that, while the OSINT Profiler is designed to protect your operational security, you must employ the necessary operational security measures when visiting these external links.
It is also possible to export your findings in the OSINT Profiler to visualize their data connections on a Maltego graph.
Here’s how the same information from OSINT Profiler is visualized inside of Maltego – an example of a graph that you can include in your report.
The effective use of Maltego and the OSINT Profiler in a legal setting requires not only identifying critical data but also being prepared to explain its relevance and reliability to the investigation.
In this article, we have provided a set of recommendations and key points to keep in mind when preparing your report for the prosecutor. If you have doubts about your findings in Maltego or the OSINT Profiler and would like to request expert advice, you can always reach out to us directly or through your Customer Success Manager.
About the Author
Daphnée Aguilar
Daphnée is a Criminologist with more than 10 years of experience as an Intelligence Officer. She specialized in developing actionable intelligence for identifying, preventing, and neutralizing threats and risks from Transnational Organized Crime. Driven by the feminist movement, her last research was on the Effects of Gender and Racial Bias on Gender-Based Violence Policies. She considers herself a professional taco taster.