Skip to main content

Panama Papers in Maltego

By now everyone knows about the Panama Papers and the Offshore Leaks. If you don't you should read about it [here]. We've downloaded the CSV files from them, imported into a SQL database, then wrote some transforms for Maltego. That's the context.


Disclaimers. You should really really read this!

First off - some disclaimers. I know nobody ever reads disclaimers but these are pretty important so you really need to read them.

Disclaimer 1: Not everyone in the database is 'bad'. Having an offshore account is not a crime. There are good reasons to have one. Like they say on the their site: "There are legitimate uses for offshore companies and trusts. We do not intend to suggest or imply that any persons, companies or other entities included in the ICIJ Offshore Leaks Database have broken the law or otherwise acted improperly."

Disclaimer 2: People have the same names. Who would have thought?! You find someone in the data and go 'oooh! Het jou katvis!' - but remember that it could be someone else with that same name. Manually verify results - always!

Disclaimer 3: The data is not very clean. There could be four entries for the same person and in Maltego these nodes will not merge (different node_IDs). You'll need to manually merge them if you feel like it. Of course, see 2 - e.g. they could be four different people. The same goes for addresses - the data was clearly captured by hand, so people write the same address in many different ways. Best thing here is to take the most significant part of the address and search for that - then manually verify.

Disclaimer 4: The transforms might break. I am not even a proper coder. It should be OK, but when a query does not return or stuff falls apart then remember this disclaimer. If we get a LOT of interest on this then we might rewrite the transforms properly. Also - there's a lot of improvements that can be made on the transforms. Display info etc. etc. Don't tell us - we know this.

This was hacked together on a Friday afternoon and a Saturday night and by the end of the day it seemed very useful and that's why we're releasing it now.

With that out the way, let's first see how to get the transforms and entities into Maltego. We thought about adding this into the Transform Hub but decided against it. It's cool, but it's not THAT cool. That means you need to install the transforms by hand. Luckily, it's pretty easy.

How to install

In the transform hub, click on the [+] sign. Fill in the fields as you wish. The only part that needs to be the same as our example is the seed URL. The seed URL is [https://bark.paterva.com:8081/iTDSRunner/runner/showseed/PanamaPapers]


 

Once you filled it in hit OK. You'll now see the item appears in the transforms hub:

Hover over it and click on 'Install'. It should look something like this when you're done (this is Maltego 4, but the other versions should look similar):

Woot! Now you're ready to start using the transforms.

How to use 

Before we start we want to quickly discuss the data. There are 4 tables. Officers (people), Entities (companies, trusts or other legal entities), Addresses (duh - addresses), Intermediaries (think agents or companies or people doing the work on behalf of the officers). Then there's a table that links all of these together. 

There are 4 entities in Maltego - Officers, Entities, Intermediaries, Addresses and Country. The transforms implement an almost fully meshed grid between these with a couple of spaces where it's not really applicable.

The starting point for all transforms is a Phrase. As the data is mostly linked by node IDs you cannot start with any of the 'PanamaP' entities as you don't know what the node ID is. You always start with a Phrase and search from there.

Let's see how this works. Let's assume we're looking for an officer called 'Hillary Clinton'. We suggest looking for just the word 'Clinton'. We drag a Phrase entity (in the Personal section) onto the graph, double click on the text and change it to 'Clinton'. Then we right click on the entity to bring up the context menu, navigate all the way to the top (right click on the menu) and select the Panama Papers transforms:
In that group we select the 'PP Search officer' transform:
This results in:
Let's assume we're interested in one of the nodes and want to see what entities and addresses are connected to that officer. We select one of the nodes, right click and run the 'PP Get details' transform:
We can do the same on the Entity that's returned from here:

And so the story goes on...

Another interesting way to look at the data is to start looking for the Addresses. This is sometimes useful to identify Officers from certain locations. For broader searches you can start from a country...

Let's see which officers stays in Beverly Hills. We start with a phrase 'Beverly Hills' and run the 'PP Search addresses':
We get 47 addresses in Beverly Hills that's in the database. Let's see what's going on there. We select all the nodes and run the transform 'PP To officers or entities here' transform:

...but wait...

Does 'Beverly Hills' exist in other countries too? Yes. In Australia. In Hong Kong. Probably in other countries too. So we need to remove them. Control F, type in 'Hong'. Hit find. Control shift down arrow (select children). Delete. Rinse and repeat for others. Hmmm.. perhaps Beverly Hills was a bad choice. There's even a Beverly Hills in Balito, South Africa. Really? REALLY?

Anyhow. Rinse. Repeat. And then:

Pretty please read the disclaimers at the start of this post. You probably scrolled to the end right away. But please read them.

And this time, for realsies -- use responsibly!
RT

Comments

Popular posts from this blog

Maltego 4 CE / Kali Linux release is ready for download!

Hi there,

We're happy to announce that Maltego 4 is now (finally) ready for the masses! We're releasing the community (free) edition today and the Kali distros have been updated by the kind people from Offensive Security (thanks Dookie/Muts!).  In other words - we're ready to roll on a major upgrade of your favorite information visualization tool.


(click on the image above to see our very grown-up/proper promotional video of Sandra the 15 year old Dachshund and Maltego/Kali Linux. !(We plan to screen this at our booth at a major conference.))

Our decision to make CaseFile free with the release of Maltego 4 had some interesting side-effects. In CaseFile importing data from CSV/XLS was enabled. So too printing. And reporting. So when we made CaseFile free it did not make sense to limit the Kali/CE releases - you'd simply open CaseFile, import the data and save the graph - then open in CE.

So - bottom line - reporting/printing/CSV import is now enabled in the free release…

Abracadabra! It's Sho(dan) time!

Shodan -- used by pentesters, stalkeˆWˆWˆWresearchers and data scientists everywhere to analyze information about computers on the Internet. From webcams to SCADA to looking at where various SSL information in certificates can tie organisations together. It is a common tool used by many different people. We really wanted to get some Maltego goodness on that!

TL;DR -- You can get the Shodan transforms in the transform hub right now. To use all of the different transform options (or you can stick with the free options) you can simply click on settings in the transform hub after installing to add your API key.

There have been transforms written for Shodan before, but we really felt like they needed refreshing. So we took it upon ourselves to look at the information provided by Shodan and decide how we could integrate it into the needs of Maltego users. We first started by looking at what information was readily and easily available and then if it was useful in an n-th order graph. This is…

Visualising the Bitcoin Blockchain in Maltego

This post will provide a quick overview of our new Maltego transforms for visualizing the Bitcoin blockchain. There are 11 new transforms in the seed which use Blockchain.info’s API to query data from the blockchain.

(Screenshot's in this post are taken with the Maltego 4 beta release.)
Before we begin, it is important to have an understanding of how Bitcoin and their transactions work so I will start with an overview of some of the main concepts:
Bitcoin Overview
Bitcoin address: Bitcoin addresses are transaction endpoints that are used to send Bitcoin to another person. A person can generate as many addresses as they want and people should (which they often don’t) use a new address for every transaction that is made. An address is represented with a 26-35 sequence of alphanumeric characters and looks like this: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2. For a more in-depth explanation of Bitcoin addresses you can have a look at the Bitcoin Wiki here.
Bitcoin wallet: A Bitcoin wallet is …