Maltego saves graphs with the extension MTGX. The file format has never been properly documented. The reason for this is that we did not want developers to use the format because we did not want to have to commit to a specific format – meaning we can never change the format without causing considerable headache for these developers.
Regardless of this we’ll give a quick glimpse into the file format. Here be dragons – this section is by no means a specification and should your code stop working because we’ve decided to extend or change the specification you have been warned!
MTGX files are really just compressed files. In fact, you can rename your graph file from a .MTGX to a .ZIP extension and open it up in your favourite ZIP viewer. Let’s look at a quick example. Consider the following simple graph:
We save the graph and rename it to be a ZIP file – then open it up in WinRAR:
From here you can see that there are a few section in the file.
The ‘Entities’ section holds the definition of all the entities used in the graph in XML. This means that when you save a graph the actual entities that you use in the graph is saved as well. When someone loads the graph and he/she does not have the entities defined a pop-up will appear asking the user if he/she wants to import them into Maltego:
The same happens when sharing a graph with someone (in collaboration).
The ‘Graphs’ section contains the actual graph. Here are 2 files – the graphML file and the properties file. The properties file contains the meta information of the graph.
The graphML file following the format of a standard graphML file – with some extensions. It basically contains two sections – the nodes and the edges.
It is beyond the scope of this document to discuss every element of the graphML – but it should be pretty straightforward (if you are reading this document from the ‘Advanced’ section of the Maltego developer portal).
The icons section contains the PNGs of 16/24/32/48 px sizes of each entity type. These are referred to from the entity definitions.
The Files section (not shown in the screenshot) contains a list of the attached files. These are referred to from the graphML files (hereby an example):