We are often asked why different results are returned during Maltego investigations when the exact same Transforms are run on the same Entities at different times. This article addresses that question and illustrates the types of scenarios where this may occur in your investigations.
There are three types of scenarios where your output results may change:
- Data which changes over time (e.g., IP addresses associated with a DNS name)
- Load balancing (e.g., distributed tasks spread over a set of resources)
- Fuzzy results (e.g., Google/Bing search results)
1. Data which changes over time: In a real-life scenario, these changes occur most frequently when infrastructure is changed. A good example is a website moving to a different hosting provider, in this example, "gnu.org". This could mean that a previously stored graph is "out of date". Typically, you would expect changes to these results to occur on the order of weeks or months.
2. Load balancing: A more nuanced version of the first scenario, load balancing, may also lead to changes in the results returned after a Transform run.
For example, when you request an IP for a large, multi-tiered site (say, www.facebook.com), there are multiple servers and endpoints which exist to serve the website. Some of these changes might occur when you switch location (the IP that would be provided in Europe would be different from the one provided in China).
Another scenario could be that there is some kind of load balancing at play, which returns a different answer for the DNS resolution in order to distribute the load across the servers.
The results we retrieve are based on running queries through Maltego's Transform server, meaning that the results are always based on that server's location.
3. Fuzzy results: e.g., Google/Bing search results.
In a basic search engine scenario, returned results are always probability-based, i.e., the order of the results returned is based on the search engine's own scoring system for the input query.
For example, running a Transform query through Maltego using a Phrase Entity for current news that is actively changing would return different results at different times.
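
As an added example (not part of the original article and not Maltego's own code), the sketch below compares timestamped results for the same DNS name to tell scenario 1 (data changed over time) apart from scenario 2 (load balancing). The observation records, the `classify` function, the `.example` names and the documentation-range addresses are all constructed for illustration, and the rule that a clean switch between non-overlapping address sets indicates an infrastructure change is an assumption.

```python
from datetime import datetime

# Constructed observations: (time of Transform run, DNS name, addresses returned).
# Addresses come from documentation ranges (RFC 5737); they are not real results.
OBSERVATIONS = [
    ("2024-01-01T09:00", "rotating.example", {"192.0.2.10", "192.0.2.11"}),
    ("2024-01-01T09:05", "rotating.example", {"192.0.2.12", "192.0.2.10"}),
    ("2024-01-01T09:10", "rotating.example", {"192.0.2.11", "192.0.2.12"}),
    ("2024-01-01T09:00", "moved.example", {"198.51.100.5"}),
    ("2024-01-08T09:00", "moved.example", {"198.51.100.5"}),
    ("2024-03-01T09:00", "moved.example", {"203.0.113.80"}),
    ("2024-03-08T09:00", "moved.example", {"203.0.113.80"}),
    ("2024-01-01T09:00", "static.example", {"192.0.2.200"}),
    ("2024-02-01T09:00", "static.example", {"192.0.2.200"}),
]


def classify(observations, name):
    """Return (label, cutover_time) describing how answers for `name` varied."""
    runs = sorted(
        ((datetime.fromisoformat(ts), frozenset(ips))
         for ts, n, ips in observations if n == name),
        key=lambda run: run[0],
    )
    if len({ips for _, ips in runs}) <= 1:
        return ("stable", None)
    for i in range(1, len(runs)):
        before = set().union(*(ips for _, ips in runs[:i]))
        after = set().union(*(ips for _, ips in runs[i:]))
        if not before & after:
            # No address from the earlier runs ever comes back: treat this as
            # an infrastructure change (scenario 1), dated at the first new run.
            return ("changed over time", runs[i][0])
    # Answers differ between runs but the same addresses keep recurring:
    # consistent with load balancing (scenario 2).
    return ("rotating", None)


if __name__ == "__main__":
    for dns_name in ("rotating.example", "moved.example", "static.example"):
        print(dns_name, classify(OBSERVATIONS, dns_name))
```

Recording the run time alongside each stored result is what makes this comparison possible when you revisit an older graph.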