Follow The Email
As you all know, I have been using Maltego for some time now, but I thought that I would just drop a dime on how I do love the connections it can make for you when you are using it for intelligence gathering. With the new V3 Maltego (CE) you have a lot more latitude in data connections and in making ties between entities, or in this case emails from entities, to make a more coherent pattern emerge. In the case above, you are looking at the root address I started with. firstname.lastname@example.org is an old address for Samir Khan, the alleged “creative director”, if you want to go all advertising speak, for the Inspire jihad magazine that came out in May/June.
By using Maltego and Google searches I was able to harvest not only the main email that he was using for his now defunct site “inshallahshaheed.wordpress.com”, which is “email@example.com”, but also other interesting tidbits like a Xanga account on which he mentions his AIM account as well. Though most of the data that can be gathered is older, from the 2004-2008 era, it still can be useful in the context of mapping jihad, or at the very least, mapping out just what social connections he had before going underground (aka heading off to Yemen to head up Al Malahem). Using Maltego tailored to just look for email connections to and from, you can get a good idea of not only where he was posting online during that time, but also with whom he was potentially talking.
Many of the email addresses that came up with this search were also posters to a Muslim bulletin board, islam.tc. So, they are good hits on my scale of probability that they had traffic with Samir. Now, it would be interesting to follow through further and spike out all the connections for each email. This would make for some HUGE Maltego maps, but I would hazard a guess that you would begin to see a pattern in the traffic to specific sites and of course patterns of behavior between individuals. Quite interesting…
Reminds one of a certain Gibson novel, doesn’t it?
Anyway, by using this tool you can get a sense of your target’s behavior and analyze the traffic that can be found between sites and parties. By looking at the macro-verse view you can see just how these sites and people are connected, and in the micro view you can get details of site domains, users, and other pertinent data that you can use to get a quite full picture of the inner workings of online jihad. However, just on the macro side of gathering email addresses that have had connections between them, you can start to give law enforcement a picture that they can use to start connecting the dots.
In the case of ol’ Sammy, it seems that after his sites kept getting knocked offline (inshallahshaheed was one I reported to Google about 2 years ago) he finally wised up and stopped posting so openly. He then went off to Yemen to head up their media department, or so I am hearing. So just where he is online now is a mystery. It is likely though that he is still posting online to boards and working on sites like al-faloja or ansaaar.com, all of which now are taking more care about being secure.
Another tack I took the other day was to use the “phrase” search of Maltego and put in the sig for Majahden 2.0, the encryption program that the jihadis have been using to encrypt email/comms. This turned up quite a bit of traffic between parties when using the “entities” search parameter.
This initial search has given me a group of users to target, from which to get email addresses and any and all data I can from this tool. Rather nice really. So even if you can’t read what they are writing, you can at least see that they are using the program and who they are conversing with! Of course there is a lot of data to sift, and this can be a rather manual process in tracking down leads, but at least this is targeted research as opposed to trying to read all of their comms on the bulletin boards and make connections.
I just wish this program weren’t so dang expensive…