OsintOps Blog

OsintOps is the blog dedicated to all news concerning OSINT (and more)

How to use Google for OSINT on Maltego

It’s quite common to run Google searches for OSINT purposes, so we need to find a way to make it fast, simple and easy. Moreover, we want (need) to spend our time focusing on the actual analysis rather than just grabbing data to analyze.

As a matter of fact, having a good way to grab data is a good starting point, but not enough. We also need to deal with it avoiding possible troubles, integrating it with our databases and/or analysis tools.

In this article I’ll show you my personal way to run Google searches (including dorks) on Maltego, which is one of the most known and popular graphical link analysis tools used by Law Enforcement Officers/Agents, researchers, journalists and OSINT practitioners in general.


Setup

The first step is to have Maltego up and running; the Community Edition is enough. The set of remote transforms I’ll share with you is completely free and un-metered. At this point all you have to do is add the set of transforms using this link as the seed: https://cetas.paterva.com/TDS/runner/showseed/fastCSEs, as shown in the screenshots below:


Click on the “+” icon to open the “Add Transform Seed” form.
The values of the “ID” and “Name” fields are up to you.

After clicking “OK” you should have a new entry in your “Internal Hub Items” tab:

The final step is to click on “Install” to actually add the transforms to your Maltego instance.

Even though the client side of the transforms doesn’t change very often, remember to click on “Refresh” from time to time to get the latest updates.

At this point the setup is complete and we can start using it.

Usage

All that you have to know is that each transform accepts “Phrase” entities.
It’s as simple as:

  • grab the Phrase item from the Entity Palette (Person tab)
  • fill the “Text” property with your search query
  • right click on the entity and execute the transform
Example of a search with one of my handles, “pielco11”

At the time of writing only the following social networks are supported:

  • 4Chan
  • 8Chan
  • Dailymotion
  • Facebook
  • Gab
  • Instagram
  • LinkedIn
  • Reddit
  • Telegram
  • Twitter
  • VKontakte
  • YouTube


What if we want to restrict our search to a given context and thus obtain intelligence of a higher quality? Google Dorks!
(I’d like to remind you that intelligence can simply be defined as information in a given context.)

Real World Usage

In the next example I’ll use myself as the target; specifically, I’m going to search for my previous Twitter handle. So what I have to do is search for my full name as the keyword and exclude my current Twitter handle, so the query looks like this: "Francesco Poldi" -noneprivacy


Results of a Google DORK querying myself

Usually we don’t get so few results, so a finer DORK might be required. Fortunately, in this case we can just stop here and start looking at the results.

The final step is to look at each of those and see which ones may provide helpful information.
At first glance you may conclude that only one of those tweets is useful, because the first one of the thread contains the mention @Pielco11.

Link to the key tweet that needs to be checked
Screenshot of the key tweet mentioning my old handle

Going Deeper

So what about the others? Is Google wrong? Is the transform wrong? Are we actually missing something?
Fortunately, or not, we are actually missing something. Why? There are two answers:

  1. we are looking for mentions and text in the tweet, but that’s not how Google works
  2. we still need to justify the other returned results


As you may guess, those two answers are different but somehow connected. The crucial point is that on Twitter users send tweets, but they also “like” tweets and retweet content. Google returns tweets whose text matches the query, and also tweets liked and/or retweeted by users.

Those tweets were liked/retweeted by me both before and after changing my handle, and this is gold when you have to chrono-locate the association of a user to a given handle (thus enriching the context). For example, we can take the timestamp of the tweet which contains my previous Twitter handle and use it to restrict searches both within Twitter and outside of it.
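Sorting the returned URLs by hand is fine for a handful of results, but the two points above (an indexed tweet is not necessarily authored by the target, and every result needs a timestamp to be placed on the timeline) can be automated. The following is an added example, not code from this post or from Maltego: it assumes the Google results have been exported from the graph as plain tweet URLs and that the target’s current and former handles are known. It separates tweets authored under a known handle from tweets that surfaced for another reason (a like, a retweet or a mention, which Google does not distinguish), and derives each tweet’s timestamp from its Snowflake ID, whose top bits encode milliseconds since the Twitter epoch, so the chronology can be built without opening every page. All handles and IDs in the sample are constructed.

```python
"""Triage Google results of the form twitter.com/<handle>/status/<id>."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse

# Twitter Snowflake epoch in milliseconds (2010-11-04T01:42:54.657Z).
TWITTER_EPOCH_MS = 1288834974657

# Matches /<handle>/status/<id> (also the older /statuses/ form).
STATUS_RE = re.compile(r"^/([A-Za-z0-9_]{1,15})/status(?:es)?/(\d+)", re.I)


@dataclass(frozen=True)
class TweetRef:
    url: str
    author: str          # handle taken from the URL path, lower-cased
    tweet_id: int
    posted_at: datetime  # derived from the Snowflake ID, UTC
    relation: str        # "authored" | "authored (former handle)" | "indirect"


def snowflake_to_datetime(tweet_id: int) -> datetime:
    """The top 41 bits of a Snowflake ID are milliseconds since the Twitter epoch;
    the low 22 bits (datacenter, worker, sequence) are discarded."""
    ms = (tweet_id >> 22) + TWITTER_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_tweet_url(url: str) -> tuple[str, int] | None:
    """Return (handle, tweet_id) for a tweet permalink, None for anything else."""
    parts = urlparse(url)
    host = parts.netloc.lower().removeprefix("www.").removeprefix("mobile.")
    if host not in ("twitter.com", "x.com"):
        return None
    m = STATUS_RE.match(parts.path)
    if not m:
        return None
    return m.group(1).lower(), int(m.group(2))


def classify_results(urls, current_handle: str, former_handles=()) -> list[TweetRef]:
    """Sort tweet URLs into a timeline, tagging how each one relates to the target.
    A tweet under an unknown handle is 'indirect': it may contain the keyword,
    mention the target, or have been liked/retweeted by them; the search result
    alone cannot tell which, so it must be checked manually."""
    current = current_handle.lower()
    former = {h.lower() for h in former_handles}
    refs = []
    for url in urls:
        parsed = parse_tweet_url(url)
        if parsed is None:
            continue  # not a tweet permalink (e.g. a profile or another site)
        author, tid = parsed
        if author == current:
            relation = "authored"
        elif author in former:
            relation = "authored (former handle)"
        else:
            relation = "indirect"
        refs.append(TweetRef(url, author, tid, snowflake_to_datetime(tid), relation))
    return sorted(refs, key=lambda r: r.posted_at)


def _constructed_id(iso_utc: str, low_bits: int = 0x3A5F) -> int:
    """Build a Snowflake-shaped ID for the constructed sample below (inverse of
    snowflake_to_datetime). The low 22 bits are arbitrary filler."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    ms = int(dt.timestamp() * 1000)
    return ((ms - TWITTER_EPOCH_MS) << 22) | low_bits


# Constructed sample: handles and IDs are invented, not real accounts or tweets.
SAMPLE_RESULTS = [
    f"https://twitter.com/current_handle/status/{_constructed_id('2019-03-15T12:00:00')}",
    f"https://twitter.com/old_handle/status/{_constructed_id('2017-06-01T08:30:00')}",
    f"https://twitter.com/someone_else/status/{_constructed_id('2018-01-20T22:15:00')}?s=20",
    "https://www.linkedin.com/in/example-profile",  # not a tweet: ignored
    f"https://mobile.twitter.com/another_user/status/{_constructed_id('2017-02-03T10:00:00')}",
]


if __name__ == "__main__":
    for ref in classify_results(SAMPLE_RESULTS, "current_handle", ["old_handle"]):
        print(f"{ref.posted_at:%Y-%m-%d %H:%M}Z  @{ref.author:<15} {ref.relation}")
```

The earliest “authored (former handle)” entry and the latest “indirect” entry that you can confirm as a like or retweet bound the window in which the target used the old handle; the same timestamps can then feed date-restricted searches outside Twitter.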

Screenshot of the tweet liked by me (the “heart” is not red, which is weird)
Evidence that I actually “liked” the tweet

What’s for sure is that I also “liked” other tweets and not all of them appear, but remember that knowing who liked what and which tweets were liked by whom is quite challenging, especially if you are not logged in.
