Link analysis tools are increasingly used by law enforcement
The following are some of the most popular and dominant link analysis tools, which can vary tremendously in price and functionality, with some being nothing more than simple graphical organizing software, while others are very expensive high-end systems capable of incorporating audio and video streams in their
The Automated Tactical Analysis of Crime (ATAC) is a unique criminal information analysis tool designed to isolate, identify, track, and view crime patterns, trends, and series. Its Trend Hunter utility can find trends hidden in data using an artificial neural network; it can compare combinations and
The Analyst's Notebook includes two main software products for different types of criminal investigative analysis—the Link Notebook and the Case Notebook. This is one of the most popular link analysis tool on the market and is used by securities, investigative, intelligence, and law enforcement analysts. In fact, i2 Ltd., which developed the software, recently announced a multiyear contract to provide its software and training to the FBI.
tool supports various
Link analysis charts, also called association charts
Network or high-volume link charts
Commodity flow charts
The structure of the
Figure 3.3: The Link Notebook supports zoom in features.
The Case Notebook, on the other hand, supports a somewhat different method of organizing and viewing events. This includes the following graphs:
Case flow or transaction charts
Timeline or sequences-of-events charts
Combined charts showing events and flows
Figure 3.4: A timeline displaying time-
The Analyst's Notebook tool from i2 supports a wide range of analytical conventional graphical link standards, including the following methods of creating charts.
Solid lines are used where the analyst is confident about the information that
Figure 3.5: Confirmed links are shown as solid lines.
Dashed lines are used where the analyst believes further action is required to confirm the validity of a link, and so it is "Unconfirmed" (see Figure 3.6).
Figure 3.6: Unconfirmed associations are dashed lines.
Organizations shown inside boxes
The method for grouping entities on a chart is to draw a box around related entities. For example, those individuals who are principal players in the same organization, such as a gang, a cartel, or a terrorist
Where there are many organizations on a chart, a common convention is to simplify the graph by showing the less significant organizations as icons (see Figure 3.8).
Figure 3.8: An organization can be aggregated as an entity.
Another standard in link analysis is where possible to avoid
Figure 3.9: The central contact is unknown.
Figure 3.10: Here Entity 1 is ID.
However, it is
Link types A chart may be organized to use different link styles (single, directed, and multiple) in order that links actually represent multiple associations (see Figure 3.11).
Figure 3.11: The links are the intelligence.
This use of multiple the type of links can drastically reduce the
A chart may also
Figure 3.12: A sample of a chart with a legend.
Telephone toll analysis
For these types of unique diagrams, investigators and analysts commonly create link analysis charts directly from toll usage data or other billing structured data to discover
Figure 3.13: A telephone toll analysis chart.
High volume data In situations where there is a large number of instances, observations, contacts, or transactions, the limitations of this type of technology begins to become apparent, as the granularity of individual records begin to get lost (see Figure 3.14).
Figure 3.14: Voluminous amounts of data can lead to vague charts.
The i2 link analysis tool also supports Timeline Analysis, the conventions of which are several, including the following:
A time axis graph can be labeled to show the passage of time, be it in minutes, days, or
Figure 3.15: An analyst can move events and change the chart as needed.
Events. Although the precise graphical representation of events varies, a complete event usually includes a title, description, date, and information source (see Figures 3.16 and 3.17).
Figure 3.16: Events are placed on the theme they relate to.
Figure 3.17: Several events can also be combined.
Transaction flow analysis. Investigators also frequently analyze telephone-call and financial data to create transaction flow charts (see Figure 3.18).
Figure 3.18: Multiple events and transactions can be mapped.
As demonstrated by these charts, the i2 link analysis tool is a very robust and highly developed software system for investigators and analysts.
Crime Link is yet another link analysis tool designed specifically to assist the law enforcement investigator and counter-intelligence analyst in compiling data and
A unique feature of Crime Link is its ability to generate a two-dimensional association matrix that basically shows
Figure 3.19: The association matrix in Crime Link.
The link analysis diagrams are used in Crime Link to graphically represent complex relationships and to make
Figure 3.20: From the matrix Crime Link generates its diagrams.
Crime Workbench is a tool for intelligence management with the option of creating databases on virtually any entity type; this application is relevant to all types of criminal and fraud investigation. Crime Workbench offers enhanced searching capabilities by
The Action Management module allows users to task items and actions to other users on the system. For organization wide communications, there is a bulletin board option for disseminating findings via a department intranet. Differing intelligence records relating to the same topic can now be grouped together for ease of locating and searching with the Case Management module in Crime Workbench. The main Workbench tool has also incorporated a Link Management module for graphical analysis. A search that returns one record plus all other records linked to that original record, in a cluster diagram, highlights in an instant the major players and events in any investigation. Crime Workbench can integrate with the i2 Link Notebook version 5, one of the main link analysis products.
Entering data into Crime Workbench is simple with the intuitive forms and forms builder. The Entity Manager allows administrator users to create new entities and forms on virtually any topic. Searching Crime Workbench databases can be carried out several different ways:
Query by form: useful for searching data in a specific field
Structured query: simultaneous searching over one or more database types
Crime Workbench Web is a scaled down version of the main intelligence management product, which allows for the interaction of analysis via a Web browser. The requirement for this Web product stemmed from the number of end users who require only basic input and search functionality. With Crime Workbench Web, the end user can gain access from any location via an intranet or the Internet. Crime Workbench Web is aimed at the intelligence analyst and law enforcement investigator on the move who requires a tool to collect information and access to up-to-the-minute data from any location via a Web browser.
Daisy, which stands for Data AnalysIS InteractivelY is a very intuitive link analysis tool, which like i2 is also from the United Kingdom, available from Daisy Analysis. Daisy supports a circular layout of nodes that are
Figure 3.21: A Daisy chart showing a date and time analysis.
Daisy provides the user a quick menu for setting up a new chart through the use of templates. The menu options are
NETMAP is a very mature link analysis tool from ALTA Analytics that basically uses vectorization to map its displays; that is, everything is represented as a line, including all text and shapes. NetMap is an enterprise system that employs data marts to help organize information and that can query a wide range of databases using SQL. NetMap decomposes data, such as a name or bank account number, to its simplest form, called a node. Then, it seeks common links among nodes. The primary method of manipulating the NETMAP display is through a pair of node and link
Figure 3.22: The formats supported by NETMAP.
As previously mentioned, investigators can use link analysis tools such as NETMAP for identifying suspicious financial transactions and identifying hidden relationships between criminal and terrorists entities. All of these values can be
Figure 3.23: This chart shows the link between the nodes at both ends.
NETMAP allows all data to be traced back to their original sources; data imported into the software can be tagged with such attributes as time-of-load and other user information.
NETMAP can also be configured to allow for multiple security levels to allow analysts to filter out the source of the data, agency, department, or classification level.
ORIONInvestigations is yet another tool for tracking and analyzing crimes based on case-related information compiled from different events, groups, entities, and associations. This tool is specifically an application for populating a database with details about known facts and leads relating to a crime scene; it is more of a criminal case data organizer. It uses a series of forms to interact with an investigator and is configured with three general levels—supervisor, clerk, and data entry—to control security data access within the system. Another feature of ORIONInvestigations is a filter wizard that looks for related records based on similar selection criteria. A reporter component generates various outputs related to a specific investigation.
ORIONInvestigations can be integrated with ORIONLink, the actual link analysis component from ORION. ORIONLink represents entities as circles connecting them via other circles, or squares, diamonds, and
Figure 3.24: An ORIONLink sample diagram.
ORIONLink can be used to draw boxes automatically around nodes to display specific terrorist cells, gangs, intragroups, or incident functions and relationships. The tool supports complete interactive displays so that objects can be moved and grouped in diagrams annotated with text and symbols. A special feature of ORIONLink is its what-if mode, which allows objects and their connections to be hidden or restored on the fly, allowing for the viewing of their impact on the total organization, such as a terrorist cell or criminal gang.
ORIONLink provides several interactive analytic features with the ability to change the data attributes and their impact on the diagram. This can be done by a pop-up dialog box associated with any node. All of the associations of a particular individual can also be highlighted interactively. A Show Articulations mode can automatically highlight all "keynodes" in a diagram, which, if removed, would cripple or severely damage the total group structure. This way individuals who are critical for organizational cohesiveness, strength, or communications can be easily identified for higher levels of attention.
VisuaLink is a high-end link analysis software suite with multiple data preparation components designed to assist investigators and analysts in the identification of terrorist threats, money laundering, insurance fraud, and other criminal activity. For example the suite can be used to track different types of "criteria" technologies used in international transactions, such as specific material components for manufacturing terrorist weapons.
As with other link analysis tools, VisuaLinks can be used to evaluate group behavior, funding resources, communication networks, recruiting methods, organization locations, etc. The software was designed specifically with the law enforcement user in mind and was not intended for the corporate world.
VisuaLinks can also be used to analyze and diagram systemic suspicious financial activity and filing compliance, including the analysis of the real assets of suspected money laundering
For drug investigation, VisuaLink can be used to examine subtle connections between individuals, organizations, vehicles, facilities, locations, accounts, and incidents, as well as transportation routes and communication lines. For insurance fraud investigations, the tool can be used to uncover connections between individuals, organizations, incidents, and claims.
Using a special software component it calls DIG, for example, an insurance investigator can retrieve and analyze data from both in-house and industry-wide claims databases to uncover suspicious activities. The program allows for the indexing, searching, and managing of large numbers of databases, text sources, and Web sites concurrently. VisuaLink can visually display the retrieved data and assist in identifying possible fraudulent claims activity with the frequency of connections displayed by varying link