Maltego Part 6: Honey, where have you been? I run!
An overview of the Maltego and Social Links geolocation tools, which play a significant role in OSINT
Hi, all! The goal of my article today is to give an overview of how Maltego and Social Links combine when it comes to searching by geolocation, which plays a significant role in OSINT.
Let's start. The first method I know is to use the original Entities of Maltego: Circular Area and GPS Coordinate.
We put the coordinates into the Entity's parameters, taking them from Google Maps without any feeling of remorse, and set the radius of coverage if we use Circular Area. The following Transforms are available for the GPS Coordinate Entity:
- [Censys] Search in IPv4 – requests all IP addresses in the Censys database for these coordinates
- [Facebook] Photos by Geo – find a picture by specific geolocation
- [Facebook] Search for Places – find a place by specific geolocation
- [Facebook] Videos by Geo – find all videos by specific geolocation
- [Instagram] Media by Geo – find all media files by specific geolocation
- [Snapchat] Snap by Geo – find all snaps by specific geolocation
- [Twitter] Search Tweets by Geo – find all tweets by specific geolocation
- [Vkontakte] Photos by Geo Popular – find popular photos by specific geolocation
- [Vkontakte] Photos by Geo Recent – find recently taken pictures by specific geolocation
- [Vkontakte] Stories by Geo – find all stories by specific geolocation
- [YouTube] Videos by Geo – find all videos by specific geolocation
- Also, there is an option to convert GPS Coordinate Entity into Circular Area.
For the Circular Area Entity, we have access to all of the above, except for the Censys API.
As a test case, I chose the very center of Palace Square in Saint Petersburg. Why? As always, without any particular reason.
The most interesting part is to know how the '[Facebook] Search for Places' Transform works. With pictures, videos and media, I think it is pretty clear: if the item has a geotag in the social network, it appears in the search results. If there is no tag, nothing will be found.
Let's convert GPS Coordinate into Circular Area, set the radius to 1,000 meters, and run the Transform. You will get 94 locations from Facebook search results.
Everything is quite relevant, with few exceptions. Two unknown elements were picked up among the sights, clubs, bars, and restaurants: a guy offering to buy a yacht for a thousand Euro, and another account under the name of 'St Petersburg' with an image of a random bloke.
Both decided for some reason that they are companies and registered on Facebook as commercial accounts with legal addresses in Palace Square. The rest is pretty accurate. All accounts have been tagged within 1,000 meters of Palace Square. These two ended up here because of an oversight by Facebook regarding the accuracy of business accounts, not because of a mistake by Maltego: they too were tagged within 1,000 meters of Palace Square.
Now let's try out image search. The coordinates are in the center of Palace Square according to Google Maps (59.93901, 30.315706). I intentionally narrowed my search results to 50 images only; otherwise, I would be swept away by the massive flood of hits.
A certain model of how Facebook generates search results emerges here. First, the algorithm finds the nearest target spot and shows all images which have been tagged there. Because our location was the very center of Palace Square, the nearest geotag to be returned by Facebook will be Palace Square itself. As a result, we get all pictures that were tagged there.
And now, to prove that our hypothesis works, let's take the coordinates of the COCOCO restaurant (59.934991, 30.308709) and try to do the same trick with image search.
But wait! It's correct. This place is located in the same building as the COCOCO restaurant. It must have been a slip of my hand that shifted my tag in Google Maps by half a degree.
You may ask, 'How about VKontakte then?' Things are not that good with our favourite VK. The spread is just crazy there. For example, below are the results returned for the same coordinates as in the previous case. The images in the results include both spots that are 200-300 meters away from the target and even ones with a geotag in Peterhof!
As to the '[YouTube] Videos by Geo' Transform, things are a little better here, although not significantly. Search results returned videos with geotags of certain places in Saint Petersburg, including the COCOCO restaurant by the way, as well as plenty of videos with the tag RUSSIA.
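Because VK and YouTube return hits well outside the requested area, it helps to re-check every returned geotag against the target before trusting it. The following is an added example, not part of the original article or of Maltego/Social Links: the function names are hypothetical, the sample hits are constructed, and the Peterhof position is approximate.

```python
import math

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres

def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def split_by_radius(center, radius_m, hits):
    """Split hits into (inside, outside) lists of (distance_m, hit), nearest first.
    Hits without a geotag are skipped: there is nothing to verify."""
    inside, outside = [], []
    for hit in hits:
        if hit.get("lat") is None or hit.get("lon") is None:
            continue
        d = haversine_m(center[0], center[1], hit["lat"], hit["lon"])
        (inside if d <= radius_m else outside).append((round(d), hit))
    by_distance = lambda pair: pair[0]
    return sorted(inside, key=by_distance), sorted(outside, key=by_distance)

# Coordinates quoted in the article.
PALACE_SQUARE = (59.93901, 30.315706)
COCOCO = (59.934991, 30.308709)

# Constructed sample hits (not real transform output).
SAMPLE_HITS = [
    {"id": "hit-1", "lat": 59.934991, "lon": 30.308709},  # exactly on the target
    {"id": "hit-2", "lat": 59.937241, "lon": 30.308709},  # about 250 m north
    {"id": "hit-3", "lat": 59.8845, "lon": 29.9086},      # approximate Peterhof position
    {"id": "hit-4", "lat": None, "lon": None},            # no geotag
]

if __name__ == "__main__":
    # A tight 100 m radius around the target flags the scattered hits.
    inside, outside = split_by_radius(COCOCO, 100, SAMPLE_HITS)
    for label, group in (("inside", inside), ("outside", outside)):
        for dist, hit in group:
            print(f"{label:8s}{hit['id']:8s}{dist:>8d} m")
```

With the 1,000-meter Circular Area used earlier, the first two sample hits pass and only the Peterhof one is rejected.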
The Search Person Entity can also be considered one of the options for searching by geolocation. This Entity is made to search for an individual on Facebook. It has several fields in the 'Properties' section, and we can set our search criteria by filling in these fields.
Suppose we know the full name and the city of an individual. Fill them in and run the required Transform. Options you will get are given below:
- [Facebook] Search Users – user search
- [Facebook] Search Users (Exact) – exact search with full matches of input data
- [Facebook] Search Users (Up to 60 mins) – deferred user search
- [Facebook] Search Users (Up to 60 mins) (Exact) – deferred exact search with all matching input data
So, it is all good. My Facebook page is among the results, as expected. It is a proven method and on Facebook, it works without fail. Except that there are a whole bunch of hits with my namesakes to be dealt with in search of the required account.
In this case, we need a deferred search to get around Maltego's two-minute response window. It is used for searches through a large volume of information, for example, when you need to find all accounts from one given city and put them in a graph.
Now let's get down to practical conclusions. This method cannot be used as a separate search element. But! As an additional channel for checking data or, for example, as an extra line of investigation, this tool can serve very well.
I used this search method twice when I needed a confirmation from social networks of the exact current location of an individual. Within the framework of one case, I retrieved pictures through Circular Area by certain coordinates, and then later I got pictures of the target's wife. Maltego, as it was meant to, identified links between the matching pictures so that in the end, we got the result we needed.
If you missed the series of articles introducing Maltego and Social Links interface and tools, please, follow from the beginning here:
Maltego Part 5: Your face betrayed you
Maltego Part 4: VK, Instagram, LinkedIn, and others Fantastic Beasts
Maltego Part 3: Facebook Crying, Social Links Laughing, Maltego on the Bench
4 releases of Maltego & Social Links: introducing Maltego interface. Part 2
4 releases of Maltego & Social Links: how they work and where to use. Part 1