Prerequisites
Method: Tracking aircraft with ADS-B and transponder records.
01
Relationships are evidence
In OSINT investigations, the connection between two entities is often more evidentially significant than either entity alone. Network mapping tools let you build, query and visualise those connections at a scale no spreadsheet can match.
Maltego and Gephi occupy different positions in the network analysis workflow. Maltego is an active data-gathering platform: it runs transforms, automated queries against data sources that return linked entities and populates a graph in real time. Gephi is a passive visualisation engine: you import data it has never seen, then apply layout algorithms, centrality measures and filtering to reveal structure. Used together, Maltego builds the graph and Gephi interrogates it.
The investigative value is in the combination. A Maltego graph shows you what connects to what. A Gephi betweenness centrality run tells you which nodes sit on the most shortest paths through the network, which is often where the operationally important actors are. A journalist reconstructing a disinformation campaign, a sanctions investigator tracing a beneficial ownership chain, or an OSINT analyst mapping a harassment network all need both the population step and the structural analysis step. This tutorial covers both.
In the field
In 2018, the New York Times investigation into the Internet Research Agency troll network used graph analysis to map the relationships between hundreds of fake accounts, their amplification clusters and coordinating infrastructure. Analysts identified high-betweenness nodes, which were accounts that bridged otherwise disconnected clusters, as the probable coordination points.
- Account network population. Researchers mapped follower, following and co-retweet relationships between several hundred suspected IRA accounts to build a full adjacency graph.
- Centrality analysis. Betweenness centrality runs identified six bridge accounts whose removal would have fragmented the network into isolated clusters, supporting attribution to a coordinated operation rather than organic activity.
- Infrastructure correlation. Graph edges connecting accounts to shared URLs and hashtags confirmed cross-cluster coordination that account-by-account analysis would not have surfaced.
New York Times · Internet Research Agency network analysis · October 2018
Learning outcomes
By the end of this tutorial you will be able to:
Configure Maltego with community transforms for OSINT investigation without exposing your identity to data sources
Build a populated entity graph by running transforms against a seed entity and resolving linked nodes
Export a Maltego graph to a format Gephi can ingest and apply standard layout algorithms to reveal structure
Run betweenness centrality and degree analysis in Gephi to identify operationally significant nodes
Document a network graph to evidentiary standard with reproducible methodology notes
This tutorial is for Signal subscribers.
Methods goes deep on a single technique each fortnight. The decision framework, the tools, the failure modes, and the evidentiary standard required to use the finding defensibly.
Join SignalA Signal subscription gives you:
- Full OSINT Reference Card library
- Methods, all tradecraft tutorials in full
- Shadow Analysis, all evidence-based reporting
- Forensic Dossiers, full access
- Discord access included
