21 Feb 2024

Pattern of Life Analysis with Maltego

Carlos Fragoso

Are humans creatures of habit? When you observe the people around you, it becomes clear that each person develops a unique adult personality, characterized by distinctive habits and behaviors.

Viewed from a broader perspective, these behaviors often seem repetitive, highlighting our natural inclination toward certain activities, performed in specific ways. In the investigative world, these predictable patterns can be a valuable source of information and may be part of what is known as a pattern of life analysis.

In this blog, we will explore ways in which investigators can understand the habits or behaviors of their persons of interest, using the example of analyzing fitness-tracking device data in Maltego. For this investigation, we will focus on tracking data from the Strava application that allegedly led to exposing the location of an assassinated Russian submarine commander, Stanislav Rzhitsky.


What Is Pattern of Life in OSINT?

Pattern of life analysis aids OSINT investigators in interpreting large quantities of data about a target to understand their habits and behaviors. This in turn helps them discern patterns, reach informed conclusions, and complement person of interest investigations.

Alternatively, by noticing and then investigating unusual or curious behaviors, you can uncover the underlying causes that will lead to identifying the person involved in these actions.

If you want to know what data sources you can use for your pattern of life analysis, download the infographic below.

Why Use Pattern of Life in OSINT Investigations?

Regardless of the approach, there are several reasons why pattern of life analysis can be beneficial in investigative work.

1. Gaining insights into anonymized datasets: By applying open-source intelligence (OSINT) and signals intelligence (SIGINT) methodologies to metadata, investigators can generate intelligence from communications without needing access to the content of those communications.

INVESTIGATOR EXAMPLE

Imagine you have access to a database of an online delivery service like Uber Eats that was leaked, and you see there is a pizza order every second Tuesday of the month to an address of a government building. This might give you a hint that there is a scheduled monthly meeting of a team. Imagine all those orders were made by the same phone number, which you can find within an OSINT database linked to an analysis department.


2. Identifying suspicious activities: Pattern of life analysis enables investigators to establish a baseline of "normal" or repeated activities. Once this baseline is set, it becomes easier to spot unusual activities.

INVESTIGATOR EXAMPLE

There is an increase in social media posts about luxury items and vacations from a suspect usually posting about a modest lifestyle. This change coincides with large, unexplained bank transfers. By correlating these posts with financial data, you identify potential financial fraud, using the suspect's deviation from normal behavior as a key indicator of suspicious activities.


3. Collecting predictive intelligence: If we know what the usual patterns of behavior of targets are, we can make pre-emptive operational decisions.

INVESTIGATOR EXAMPLE

For instance, consider the analysis of airline ticket purchases made by known drug traffickers. By identifying specific patterns in their travel habits, border surveillance investigators can strategically decide which flights to monitor more closely or intercept.


How Can OSINT Investigators Use Data from Fitness-tracking Devices?

One example of a data source that can be used for a pattern of life analysis is fitness-tracking devices. By exploring data shared via these applications, you may be able to track commonly used running routes and identify the frequency of their use, as well as discover connections between people using the same application.

Strava heatmap

Source: Strava

Let's consider the example of the heatmap feature in the Strava application, which tracks running and cycling routes and displays them on an online global heatmap.

However, from an investigator's perspective, what appears to be harmless and inquisitive behavior could actually help in uncovering patterns of user activity. Sometime after releasing this feature, press and social media commentators noted that Strava's heatmap could have been used to identify military deployments.

News from Wired about patrol routes showing running soldiers

Source: Wired

This occurred because the routes and performance of soldiers stationed at certain locations were tracked in the fitness application. Consequently, this incident inadvertently compromised their operational security (OPSEC), a topic widely commented on across popular social media channels and news websites.

Comment on X about Strava 1

Comment on X about Strava 2

How to Conduct a Pattern of Life Analysis in Maltego?

Similarly, the media reported that data from a fitness application could have compromised the whereabouts of a Russian submarine commander, Stanislav Rzhitsky, who was assassinated in 2023 while running. Allegedly, his assailant tracked his daily routes in the fitness application.

We will focus on this case in more detail in our whitepaper to illustrate how shared fitness tracking data can be utilized in an investigation.

Target Information

Stanislav Rzhitsky is believed to have been targeted in retaliation for a Kalibr missile strike in Vinnytsia, Ukraine. His death is thought to be linked to his use of a jogging application that uploaded data to the popular fitness platform Strava. His profile, which was left open to public view, detailed some of his frequently taken routes. Authorities suspect that the assassin used his fitness tracking data to locate him.

Thumbnail from Kyiv Post illustrating Stanislav Rzhitsky

Source: Kyiv Post

Goal of the Analysis

The goal is to explore how the data shared by Stanislav Rzhitsky on his Strava app could have been leveraged by the assassin to locate him.

Comment on X about Stanislav Rzhitsky’s route on his Strava app

Source: Kyiv Post

Download Whitepaper

Our whitepaper will provide a demonstration of the initial discovery of our person of interest, followed by an illustration of a pattern of life analysis in Maltego.

With this guide, we aim to assist law enforcement agencies in their day-to-day investigations and raise awareness among other organizations about the importance of physically protecting their personnel by preventing the disclosure of sensitive information in public and enhancing their OPSEC. Such information could otherwise be used by individuals with illicit intentions to target them.

You can download the guide below for a full pattern of life analysis in Maltego.


What Other Data Sources Can OSINT Investigators Use for Pattern of Life Analysis?

While fitness tracking data is one example you can use to complement your investigation of a person of interest with a pattern of life analysis, there are numerous other sources you should consider that may fit your use case.

Download the infographic to find out now.

Download Infographic

If you are interested in more guides on cybercrime investigations, you might want to explore our blog on person of interest investigations using OSINT and Maltego, which includes a ready-to-replicate workflow. Alternatively, you could watch a webinar on investigating FSB agents’ phone numbers to learn how to leverage breached data in your investigations.

Don't forget to follow us on Twitter, LinkedIn, and Mastodon, and sign up to our email newsletter to stay updated on the latest tutorials, use cases, and webinars!

Happy Investigating!

About the Author

Carlos Fragoso

Carlos is the Principal Subject Matter Expert and Lead Instructor at Maltego, with over 20 years of professional experience in information security: incident response, digital forensics, threat intelligence, and threat hunting. He is a curious and passionate investigator working with big companies and LEAs to tackle cybercrime around the world (Europe, Middle East, LATAM), and a SANS Institute Instructor.