Maltego Data
- Maltego Data Pass and Connectors
  - Data Pass and Connectors for Maltego Community Edition (version 4.8.0)
- Maltego Standard Transforms
- Standard Transforms Add-on (CTAS) Server Transforms
  - Maltego Standard Transforms Add-on (CTAS) Server Transforms
- Data Hub Items

Maltego Evidence Transforms in Maltego Graph

Modified on: Mon, 17 Feb, 2025 at 3:57 PM

Overview

Maltego Evidence Transforms allow investigators to pull Facebook data directly from Maltego Evidence into Maltego Graph (Desktop). This integration marks a significant step toward a seamless, all-in-one investigation platform.

Key Benefits

Privacy-Focused

All data crawling happens on the customer’s premise, ensuring data privacy and security.

Pure UI-Based Collection

Maltego Evidence retrieves data by simulating user interactions with Facebook’s UI—without relying on APIs, caching, or backdoors. This ensures:

Access to the same data visible to a Facebook user.
Verifiable, live data.

Enhanced Access

Transforms work with user-created crawling profiles (sock puppet accounts), allowing access to private groups and friend networks through sock puppet accounts. Learn more about setting up crawling profiles in Maltego Evidence here.

Note: This integration works only with Facebook data.

Prerequisites

Before using the integration, complete the following setup:

1. Install Maltego Evidence Integration from the Data Hub

A dialog box will prompt you to enter a System ID, Client ID, and Symmetric Key (Sym-Key).
Retrieve these details from Maltego Evidence:
1. Click on the profile icon in the top-right corner.
2. Select Maltego from the menu.
3. In the Maltego Connection window, click Regenerate Connection Information if details are not visible.
4. Copy the System ID, Client ID, and Sym-Key.
5. Paste the values into the Maltego Graph (Desktop) dialog and proceed with installation.

2. Create Facebook Crawling Profiles

Set up crawling profiles within Maltego Evidence.
Connect these profiles to Maltego Evidence.

Using the Integration

Watch the video or follow the steps below to start using Maltego Evidence Transforms.

Once setup is complete, follow these steps to use the integration:

1. Open Maltego Graph (Desktop) and create a new graph.

2. Adding Entities to the Graph:

Drag the desired entity from the Entity Palette.
Alternatively, paste copied Facebook-related information into the graph using Ctrl+V (Windows) or Cmd+V (Mac). Maltego Graph (Desktop) will automatically recognize the data and assign it to the correct entity type.

Note: the integration works with Alias, Person, and URL starting Entities. You can further get Facebook profiles, comments, and posts by running relevant Transforms, but you cannot use them as starting Entities for your search.

3. Running Evidence Transforms:

Right-click the Entity in the graph.
Select Maltego Evidence from the Transform Menu.
Choose the Transform to run.
In the pop-up window you will be asked some additional information to run the Transform such as the priority of the task and security limits, to select the Crawling Profile to execute the Crawling Task, and the project where you would like to save your crawling task.
After you crawl the profile, you can save posts from the timeline by running "Save Timeline" Transform within the "To Posts" Transform set. When you run the Transform, you will need to select the time range you would like to save posts for. By default, it is set to the last two years. Please note that the larger the time range and the more posts there are, the longer it will take Graph to execute the Transform.
Once you crawl the posts, you can dig further and save comments and reactions to the post by running "Get Details" Transform.
After clicking on the Transform name, you will get an option to save only comments, only reactions, or both. Profiles that left a reaction to the post will be displayed as separate Affiliation Facebook Entities. Their reactions will be displayed as labels to the links connecting them to the original post.