GPS Image Forensics for Maltego Documentation

Installation

First ensure you have exited from Maltego. Next run the correct installer for the configured version of Maltego:

If prompted, then accept the UAC warning:

Installation Step 1 - UAC Warning

Then either accept the default path or select an alternate one and click 'Install':

Installation Step 2 - Path

Once completed click 'Close':

Installation Step 3 - Complete

You have successfully installed the product and are free to launch Maltego.

First Use Walk Through

First launch Maltego and create a new graph. Next, on the entity palette, locate the new Recx entities.

Recx Maltego Entities

Select a 'File System Path' entity and drag-and-drop it onto the Maltego canvas. Once done, either double-click the entity and supply a local file system path:

File System Path Properties

Or, navigate to the properties view and supply a local file system path containing images:

File System Path Properties

If you wish to search for only images which are in a certain physical location (e.g. London) then you should navigate to the properties view and complete the field called 'Optional Location' as shown below:

File System Path Properties - Location Specified

Next, from the Maltego canvas right-click on the 'File System Path' entity, and select Run Transform -> All Transforms and then either:

File System Path - Running the Transform

While running, the transform will provide details of which directory it is currently scanning for images, as follows:

Running Transform Status

Once complete, a number of child entities of the type Image are returned and associated with the 'File System Path'.

Results

From the child images there are now several options available:

Note: Care should be taken when using 'Get Image from File' as large images and/or a large number of images can consume significant amounts of memory.

Results

The entities that will be created by the 'Extract EXIF Data' transform if available are:

The reason for creating a number of different date and time entities is to facilitate easy relationship identification.

Results

You're now free to run existing Maltego transforms on the entities such as resolving the GPS coordinates to an address or town.

Power User Features & Tips

Google map links in GPS entities

GPS entities have a Google Maps link populated in their detail view. Once clicked, it will launch your default web browser and take you to the coordinates.

Power User Feature 1

Full size image links in image entities

Image entities have a link to their full-size version populated in the detail view. Once clicked, it will launch your browser and show you the full-size version.

Power User Feature 2

Using 'Get Image from File' sparingly

Images are not resized when rendered in the user interface. As a result we recommend you use the 'Get Image from File' transform sparingly when working with large image sets. There is the risk that substantial memory usage will occur with a larger number of high-resolution images.

Troubleshooting

No entities appear

Please check that:

If all of these are correct then save your graph, re-start Maltego, re-load your graph and try again. If this does not resolve your problem please contact us for support.

No GPS resolution when using Location in the File System Path entity

Please check that:

If both of these are true please contact us for support.

Uninstalling

First close all running instances of Maltego. Next, locate the directory you installed the product in. Then double click on the file named 'uninstall.exe'. If prompted accept the UAC prompt:

Uninstall Step 1 - UAC Warning

Next, when presented with the uninstall prompt click 'Uninstall':

Uninstall Step 2 - Uninstall Prompt

Once completed, click 'Close'. You have successfully uninstalled the product.

Uninstall Step 3 - Complete