[cairo_x]

What is the main value of link analysis? As far as cause and effect and the larger picture (especially WRT the time domain), a lot of it seems like reading signs in chicken gizzards. The more you put in, the less sense they make.

There's only so much useful information to be gleaned from this kind of geometry. Fingering out and tracing cause and effect is just about impossible.

I wish someone would come up with a half decent top-down timeline creation and analysis tool.

[heipei]

The way I've seen Maltego-like tools being used is in one of two modes: Documentation-mode and exploratory mode.

Documentation mode is "just" recording relationships between assets so they are readily understood and visually obvious. This can be used to break new analysts into cases and to publish reports. These also serve as good starting points to pick an investigation back up. This is arguably the "easier" mode to implement since it just requires a visual graph with different entity types.

Exploratory mode means populating the graph through "transforms" (in Maltego-lingo). Going from one node to more nodes and relationships by attempting to "pivot" from a node using a certain datasource. As an example from infrastructure analysis you'd say "here's an IP, now do a transform which creates vertices for all hostnames that point to that IP". This mode is harder to get right since there's always explosion of edges and also since it's just mind-numbing work to implement transforms for all the data-sources.

[xs]

The bigger the map the better! When you have a ton of data points all mapped out Maltego has tools for you to analyze this data in amazing ways. You can sort of twist and turn the data to look at it in different ways to discover the meaning of it. Say you have a dataset of 1000 different hacks that have been attempted or conducted on your network. And you populated Maltego with tons of data. Source IP of the attacker, attack method used, port attacked on, country of origin of attack, time of day of attack, duration of attack etc etc. With Maltego you can identify patterns that you can't with other tools. Like you might see that 300 of the attacks all happened on port 337. So you can isolate just for that, then look for commonalities. Time of day? Tools used? Country of origin? In just seconds you can drill down to find some of these and start making a picture on who might be attacking you. I've used it and it's amazing for showing you graphs in ways you never thought to look which can help tremendously when doing research on certain things.

[bane]

They aren't really meant for finding cause and effect, but for capturing relationships. They're basically user centered ontology tools and act like a memory of things that you've learned about that are complexly connected. They also act also tools for inductive analysis and thinking -- keep adding data points and connections and you might start to be able to find a pattern.

Some of the best tools also let you construct timelines of various types to try to induce cause and effect as well. Analyst Notebook (a competitor to Maltego) has an excellent piano-roll like timeline tool.

[NickNameNick]

I saw a really cool demonstration at an old Kiwicon event.

The presenter had a tool that would find similar social graphs across multiple bulletin boards and other social sites.

Eg: You'd feed in the profile of your user-of-interest on one bulletin board, and it would map their social graph on that site, then it would search for similar profiles from the entire graph on other boards. Reconstruct the graphs on the new boards, attempting to match dissimilar accounts for the same underlying persons across sites.

[meowface]

I don't generally see it used for timeline creation purposes. The way I and others have used it is basically to investigate/research certain entities or organizations and pivot from different attributes related to them.

You might just be looking for a different sort of tool entirely. I don't think Maltego is a "cause and effect" type thing. It has no notion of time.

[PenguinCoder]

There's a lot more that goes into "Link Analysis" as you say, other than the URL itself.