Maltego: Link Analysis and Relationship Mapping

Maltego tutorial for investigators: set up the client, run transforms, pivot entities, and export a defensible link-analysis graph for reports and court use.

Maltego turns OSINT work into a graph. Every entity — person, domain, email, phone, IP — is a node; every relationship is an edge, created by a "transform" that queries an external data source. Used well, it produces a visual argument that walks a reader from a single starting point to a defensible conclusion.

Who this is for

Advanced

Investigators who already understand the underlying data sources (WHOIS, DNS, breach data, social media APIs) and want a structured way to combine them. This is not a first-day tool.

What you'll need

  • Maltego Community Edition (free, limited transforms and graph size) or a commercial tier for production work.
  • A registered account on https://www.maltego.com/.
  • API keys for any paid transform hubs you plan to use (Shodan, Have I Been Pwned, social-media transforms, etc.).
  • A clear investigative question before you start. Maltego rewards planning and punishes aimless clicking.

How it works

The Maltego client renders a graph. You drop an entity of a given type (maltego.Domain, maltego.Person, maltego.EmailAddress, etc.). You run a transform, which is a server-side function that takes the entity as input and returns related entities. The graph grows. You prune, annotate, and export. The data itself comes from the transform providers — Maltego is the workspace.

Step-by-step walkthrough

  1. Install and authenticate. Download the Community Edition, register, and log in. Install the Transform Hub items you need: at minimum the standard "Maltego Standard Transforms", "Have I Been Pwned", and "Shodan".

  2. Create a new graph and set investigation metadata. File > New. Immediately fill in the graph properties with case name, investigator, and date. Maltego does not enforce chain of custody — you do.

  3. Drop your seed entity. For a corporate investigation, drag a Domain entity from the palette, double-click, and set its value (example.com). Rename the entity to a canonical label.

  4. Run your first transform. Right-click the entity and select a transform. For a domain, start with:

    • To Whois [IBM] or equivalent WHOIS transform.
    • To DNS Name [Other DNS records] for MX, NS, TXT.
    • To Website [Quick lookup] for the live site.

  5. Pivot systematically, not greedily. After each transform, read every new entity before running more. Delete obvious false positives immediately. Note which transform produced which edge — Maltego records this in the link properties; keep it there.

  6. Move across entity types.

    • Domain to IP to ASN to sibling domains.
    • Domain to email addresses to HIBP breach entries.
    • Email to social media handles (platform transforms).
    • Phone to person (commercial transforms — note their data provenance).

  7. Annotate findings. Use the "Notes" field on each node to record the timestamp, transform provider, and any human verification you did. A node without a note is not evidence.

  8. Prune and lay out. Apply the "Block", "Hierarchical", or "Organic" layout to reveal clusters. Remove entities that do not connect to the investigative question.

  9. Export. File > Export Graph. Use:

    • Image (PNG) for reports.
    • GraphML for archival and re-import.
    • CSV of entities for a structured evidence log.

    Hash the exports and store them alongside your case files.
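Steps 7 and 9 together describe the evidence trail: every node annotated, every edge tagged with its transform, exports hashed. The following added example (not Maltego's code or a Maltego API) shows how that trail can be checked and turned into a CSV evidence log from a GraphML export. The GraphML sample is constructed, and the `<key>` ids it uses (`d_type`, `d_value`, `d_notes`, `d_transform`) are assumptions; a real export declares its own key ids in its `<key>` elements, so adjust the lookups to match.

```python
import csv
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed stand-in for a GraphML export. Key ids are assumed for this example;
# read the <key> declarations of a real export and change the names below if needed.
SAMPLE_GRAPHML = b"""<?xml version="1.0" encoding="UTF-8"?>
<graphml xmlns="http://graphml.graphdrawing.org/xmlns">
  <key id="d_type" for="node" attr.name="type" attr.type="string"/>
  <key id="d_value" for="node" attr.name="value" attr.type="string"/>
  <key id="d_notes" for="node" attr.name="notes" attr.type="string"/>
  <key id="d_transform" for="edge" attr.name="transform" attr.type="string"/>
  <graph id="G" edgedefault="directed">
    <node id="n0"><data key="d_type">maltego.Domain</data><data key="d_value">example.com</data>
      <data key="d_notes">2024-01-15T10:02Z seed entity; WHOIS record checked manually</data></node>
    <node id="n1"><data key="d_type">maltego.IPv4Address</data><data key="d_value">203.0.113.10</data>
      <data key="d_notes">2024-01-15T10:05Z A record confirmed with dig</data></node>
    <node id="n2"><data key="d_type">maltego.EmailAddress</data><data key="d_value">admin@example.com</data></node>
    <edge id="e0" source="n0" target="n1"><data key="d_transform">To DNS Name [Other DNS records]</data></edge>
    <edge id="e1" source="n0" target="n2"><data key="d_transform">To Whois [IBM]</data></edge>
  </graph>
</graphml>"""

GML = "http://graphml.graphdrawing.org/xmlns"

def _data(elem, key):
    """Text of the <data key=...> child, or '' when the node/edge has none."""
    d = elem.find(f"{{{GML}}}data[@key='{key}']")
    return (d.text or "").strip() if d is not None else ""

def build_evidence_log(graphml_bytes):
    """Return (sha256 of the export, one row per edge, ids of nodes lacking a note)."""
    root = ET.fromstring(graphml_bytes)
    nodes = {n.get("id"): (_data(n, "d_type"), _data(n, "d_value"), _data(n, "d_notes"))
             for n in root.iter(f"{{{GML}}}node")}
    # "A node without a note is not evidence": surface these before the graph is reported.
    unannotated = sorted(nid for nid, (_, _, note) in nodes.items() if not note)
    rows = []
    for e in root.iter(f"{{{GML}}}edge"):
        s, t = nodes[e.get("source")], nodes[e.get("target")]
        rows.append({"source": f"{s[0]}:{s[1]}", "transform": _data(e, "d_transform"),
                     "target": f"{t[0]}:{t[1]}", "target_note": t[2]})
    return hashlib.sha256(graphml_bytes).hexdigest(), rows, unannotated

def evidence_csv(rows):
    """Serialise the edge rows as the CSV evidence log to file alongside the hashed export."""
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["source", "transform", "target", "target_note"])
    w.writeheader()
    w.writerows(rows)
    return out.getvalue()
```

Each CSV row carries the transform that produced the edge and the target's note, which is the provenance a report must not drop; the returned hash is what you record next to the archived GraphML file.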

Common pitfalls

  • Graph sprawl. Running every transform on every entity produces a hairball with no analytical value. Budget transforms per entity.
  • Trusting transform results blindly. Commercial "person" transforms aggregate from many sources of varying quality. Always verify a key claim against the original source.
  • Missing provenance. When you copy a finding into a report, it must carry the source transform and the date. Maltego stores this; reports often drop it.
  • Community Edition limits. The free tier caps results per transform. You can miss the most relevant entity because it was ranked 13th. Upgrade for any investigation that matters.
  • Confusing correlation with relationship. An edge in Maltego means "a transform returned B from A", not "A is related to B in the real world".

Verifying your findings

Before any Maltego graph leaves your workspace, every load-bearing edge should be independently confirmed: open the underlying source (WHOIS record, Shodan banner, breach entry) and attach the raw evidence to your case file. The analysis phase guide covers how to separate graph artifacts from verified facts.

Related tutorials

Apply this in practice

The tracking a disinformation network case study demonstrates a Maltego graph built from a single seed domain. For corporate investigations that use link analysis as a final-report deliverable, see Subthesis research tools.