02 Data collection in detail
1 Collect the data of a target profile
In your usual browser, search for a profile whose data (friends, timeline, etc.) you would like collect with Maltego Evidence. Once you have found a profile, there are two ways to collect it in Maltego Evidence.
- Using Maltego Evidence without a browser - only with the URL of the target profile.
- The use of the Maltego Evidence Browser Extension
For variant 2., the Maltego Evidence Browser Extension must be installed for your browser beforehand. You can find this extension under the following links:
| Chrome | https://chrome.google.com/webstore/detail/snh-titan-browser-extensi/bhajampliglbihiecgcppjajijeechbl |
| Firefox | Coming soon |
| Edge | Coming soon |
1.1 Using the Maltego Evidence without a browser
After creating a new project, you will land on the dashboard page of the project. If you want to collect more data in an existing project, click on the Maltego Evidence logo (top left) to go to your projects and select the desired project. Alternatively, you can click on the project name and go directly to the corresponding project using the drop-down menu.
Click on "Collect" in the left column and you will be taken to the survey page. Here you work your way through the selection fields from left to right.
1.1.1 Enter target profile
First, enter your target profile in the input field. It does not matter which social network it is. You can simply copy the address line from your browser and paste it into the input field.
After entering the target profile, the program checks your input and automatically selects the corresponding network:
1.1.2 Select crawling profile
In order for Maltego Evidence to be able to correctly save the data in full, it must log into a so-called crawling profile. These are mostly profiles created specifically for this purpose on the corresponding social networks. Please note that these profiles can occasionally also be blocked. Therefore, never use your private profile for the collection of data to prevent the loss and blocking of your main profile.
To assign a crawling profile to a collection job, you can either select an account that has already been entered with one click or you can enter a new account.
1.1.2.1 Enter a new crawling profile
Click the "Add Crawling Profile" or "Create Crawling Profile" button.
A sidebar will open. Please fill in the following data there:
| Network | First, select which network the crawling profile is valid for. If you choose Telegram, the input mask will change to require a phone number instead of a username and password. |
| Name | You define this name yourself to be able to identify the profile later in the software. For example, "Max Mustermann". |
| Username / Vanity Name / E-Mail | This is the username or email address, or occasionally the phone number, that you would use to log into the network if you were also logging into the browser. For most networks, it is the value you would enter in the first field of the login screen. |
| Password | This is the password you use to log in. In special cases (e.g. Telegram or TikTok) the password can be left blank because other login methods are used. |
| Check login status | Here you can select whether Maltego Evidence should directly check and update the login status of the profile in the background. This is optional and offers you the possibility to find out in advance if the profile you have selected has possibly already been locked and if the specified data is valid. |
Click Save. You can now select the profile in the crawling profiles overview.
If you have executed a login status check, this happens in the background and can take a few seconds to minutes, depending on the Internet connection and network.
It may happen in individual cases that Maltego Evidence needs your help to authenticate the login profile. E.g. for TikTok scanning a QR code, or for other networks entering a confirmation code sent by SMS or email. This would be communicated to you by means of a non-closable popup.
1.1.3 Select survey options
Under the heading "What to crawl?" you must now select what exactly is to be saved.
Here you can customize in detail which data should be saved for the profile. This is particularly relevant to ensure data protection. Please only collect data that is relevant to your case or investigation. In particular, when backing up friends or friends of friends, make sure that the collection of this data is relevant. You can add or remove individual options by checking or unchecking the boxes.
Depending on the network, different sub-items can be activated by clicking on the box above. If the mouse pointer is moved over an information sign, there is more information about this item.
You can repeat the above steps as many times as you like to collect multiple target profiles in one go. Click on "Add URL" to define additional targets. For each of these targets, you can customize your collection options and used collection profiles individually. You can also add targets from different networks in one query.
1.1.4 Survey options in detail
The survey options are presented in detail below.
| Save Profile | Backs up the profile information. If you deselect this option, all other selected collection options will also be deselected. The reason for this is that each of the subsequent collection options necessarily backs up the profile as well. |
| Take Full Page Screenshot | By activating this option, a survey job is sent in which scrolls over the target profile. This will take several screenshots and stitch them together at the end to get a total screenshot of the timeline. You will find this in the detail bar of the target profile after completion and you can export this as PNG or PDF. |
| Save Friends | This save option creates a collection job where the friends of the target profile are saved. Depending on Save Friends / Save Followers, either friends and followers, or only one of the two will be backed up. Please make sure that a survey of friends is necessary for your purposes before selecting this option to ensure privacy. |
| Save Friends | If this option is selected, all visible friends of the target profile will be saved. |
| Save Followers | If you select this option, the followers of the target profile will be saved. |
| Save Timeline | Backing up a timeline has the effect of backing up all content published by the user on the timeline. This includes all users associated with it (e.g. authors of shared content and, depending on the options, also reacting and commenting users |
| Date Range | You can limit the collection of data to a certain period of time. Especially when backing up very large and active profiles, pages or groups, this is necessary to avoid blocking the collection profiles. We recommend to choose one day before the desired first posting and one day after the desired last posting. Depending on time and time zones in the network, it can lead to unsaved postings in rare cases, since time information is transmitted differently depending on the network. |
| Override Security Limit | Within some networks we have added a maximum default collection limit to avoid blocking of collection profiles. This value varies depending on the network. If you want to secure very distant postings by means of a time limit or simply secure a lot of postings in general, then you can override this security limit at your own risk. However, we do not recommend this. You may want to consider using single-posting collections instead. |
| Save Comments | Comments and their authors are only collected if you activate this option. Otherwise, only the number of comments is collected. |
| Save Reactions | This option is essential to collect reactions and related users. This option is useful when the friends list is not public, but you may want to identify connected / potentially friended users of the target profile. |
| Save Stories | In some networks, users can publish so-called "stories". These are usually only visible for 24 hours and then disappear automatically. With the "Save Stories" option, this content is also saved. However, we cannot save past Stories unless they are permanently visible as highlights (on Instagram, for example). |
| Download Videos | The postings to videos are saved even without enabling this option. However, in SNH Titan you will then only see the preview of these videos. If you would like to be able to download the actual video content and also view it later, you must activate this option. However, it is important to mention that depending on the video length and quality, this will significantly increase the duration of the collection(s). |
| Save Media | In some cases, not all media are saved with the timeline collection. For example, on Facebook, not every media item necessarily has to have been shared beforehand. When you collect media, you also collect the media items that have not been shared, including the album structure of the target profiles. |
| Save Reactions | Depending on the network, media elements can also have reactions. In order for them to be saved, it is necessary to enable this option. |
| Save Comments | Depending on the network, media items may also have comments. In order for these to be saved, it is necessary to enable this option. |
| Save Friends of Friends | By activating this option, you will collect the friends of the target profile, as well as all visible friends of these friends. Please note that in most cases this collection will take several hours and it is not uncommon to collect more than 50,000 or 100,000 profiles. Use this collection only if it is absolutely necessary for your investigation and, if necessary, clarify the necessity of this collection with your supervisor or data protection officer beforehand. |
| Distribute to multiple runners | This option will appear in the following releases and allows you to distribute the workload of the many surveys among all runners. If you have multiple runners, this can speed up the collection by a factor of 3. However, it is important to mention that you will then not be able to continue running a survey in parallel until the collection job is completed or canceled. |
| Save Single Posting | You can also specify a single posting as the destination URL. Depending on the network, the query for the URL of a single posting is different. If you have specified a posting URL, you must deselect all other options and select this option instead. The SNH does not automatically recognize that it is a posting URL! |
| Save Comments | Saves the comments of the posting, including their authors. |
| Save Reactions | Saves the reactions of the posting, including the reacting users. |
| Download Videos | If the post contains one or more videos, they will be downloaded only if this option is enabled. |
1.1.5 Sending the survey request
Click on the "Send tasks to runner" button to start the collection. The page will now refresh and after a few seconds you will see the currently running collection tasks in the top right menu bar.
By clicking on the tasks you can view the current status.
1.2 Using the Browser Extension
If you have installed the Maltego Evidence Browser Extension, you should already see a sidebar on the right side of the identified target profile.
When collapsed, you will see a small preview of the identified profile. Click on this preview box to display the collection options. In the resulting expanded sidebar, you will see the possible collection options. For an initial "quick start", we recommend keeping the default values for now, unless your profile contains extreme amounts of data. For example, backing up a newspaper's Facebook page might be an inconvenient way to start, due to the enormous number of posts that need to be backed up.
Click on "Send to Maltego Evidence" to send the collection job to Maltego Evidence. Important: Allow the browser to access the Maltego Evidence!
The Maltego Evidence desktop application will then open and offer you a few more collection options. You will be asked to select a project. Here, the project you just created should be selected by default. You will also be asked to select a collection profile. More about this in step 1.1.2.
Details and screenshots of this process can be seen in the Browser Extension submenu.