3.11 Link Analysis Tools
Link analysis tools are increasingly used by law enforcement investigators, insurance fraud specialists, telecommunications network researchers, counter-intelligence analysts, and a host of other detection and deterrence professionals. As we have seen, link analysis explores associations among large numbers of objects, commonly between different entities and events. Typically, a law enforcement application might examine relationships among suspects and victims, the addresses at which they reside, and the telephone numbers that they called during a specified period of time.
The following are some of the most popular and dominant link analysis tools, which can vary tremendously in price and functionality, with some being nothing more than simple graphical organizing software, while others are very expensive high-end systems capable of incorporating audio and video streams in their charts and graphs.
The Automated Tactical Analysis of Crime (ATAC) is a unique criminal information analysis tool designed to isolate, identify, track, and view crime patterns, trends, and series. Its Trend Hunter utility can find trends hidden in data using an artificial neural network; it can compare combinations and permutations of tens of thousands of crime records, finding hidden links and similarities, then generating a report of results. The use of a pattern-recognition component, such as a neural network, is a unique function for a link analysis tool. ATAC can export and interact with almost any other software program, such as desktop GIS products like ArcView or MapInfo, or statistical and data mining systems, such as SPSS, SAS, or MathSoft, and tactical analysis software, such as TimeScan, GeoGenie, AutoLog, and Trend Tracker.
The Analyst's Notebook includes two main software products for different types of criminal investigative analysis—the Link Notebook and the Case Notebook. This is one of the most popular link analysis tool on the market and is used by securities, investigative, intelligence, and law enforcement analysts. In fact, i2 Ltd., which developed the software, recently announced a multiyear contract to provide its software and training to the FBI.
The Link Notebook tool supports various methods of organizing and viewing entity relationships, including the following components:
Link analysis charts, also called association charts
Network or high-volume link charts
Commodity flow charts
The structure of the Link Notebook allows the user to control and select options from a sidebar menu, from which icons representing different entities can be dragged-and-dropped to construct the chart. It also allows users to select and arrange graphical elements into position (see Figure 3.3).
Figure 3.3: The Link Notebook supports zoom in features.
The Case Notebook, on the other hand, supports a somewhat different method of organizing and viewing events. This includes the following graphs:
Case flow or transaction charts
Timeline or sequences-of-events charts
Combined charts showing events and flows
The Case Notebook is specifically designed to enable an investigator or analyst to organize and view the progressive state of an ongoing case. The Case Notebook can set events in a timeline, thereby enabling an investigator to quickly locate significant times and dates, such as special meeting or trips by suspects. Timeline charts can be used to show the significant events where information is inconsistent or where accounts diverge. The Case Notebook charts can be used in drug, terrorist, fraud and other criminal investigations where events with associated dates and times are significant (see Figure 3.4).
Figure 3.4: A timeline displaying time-related events.
The Analyst's Notebook tool from i2 supports a wide range of analytical conventional graphical link standards, including the following methods of creating charts.
Confirmed/unconfirmed lines Solid lines are used where the analyst is confident about the information that validates a link and wishes to indicate it is "Confirmed" (see Figure 3.5).
Figure 3.5: Confirmed links are shown as solid lines.
Dashed lines are used where the analyst believes further action is required to confirm the validity of a link, and so it is "Unconfirmed" (see Figure 3.6).
Figure 3.6: Unconfirmed associations are dashed lines.
Organizations shown inside boxes The method for grouping entities on a chart is to draw a box around related entities. For example, those individuals who are principal players in the same organization, such as a gang, a cartel, or a terrorist cell, are organized inside of a box (see Figure 3.7).
Figure 3.7: Members of an organization are grouped inside a box.
Where there are many organizations on a chart, a common convention is to simplify the graph by showing the less significant organizations as icons (see Figure 3.8).
Figure 3.8: An organization can be aggregated as an entity.
Chart clarity Another standard in link analysis is where possible to avoid crossing lines on a chart since it confuses the eye of the viewer (see Figures 3.9 and 3.10).
Figure 3.9: The central contact is unknown.
Figure 3.10: Here Entity 1 is ID.
However, it is impossible to avoid crossing lines completely in larger, more complex charts, and in these instances the link types used in a chart are deliberately different.
Link types A chart may be organized to use different link styles (single, directed, and multiple) in order that links actually represent multiple associations (see Figure 3.11).
Figure 3.11: The links are the intelligence.
This use of multiple the type of links can drastically reduce the size of a chart, while still avoiding crossed lines. However, they should not be used excessively because they are not as visually clear as straight lines.
Legend A chart may also incorporate a legend to indicate the meaning of visual items on the diagram, including link types and attributes (see Figure 3.12).
Figure 3.12: A sample of a chart with a legend.
Telephone toll analysis For these types of unique diagrams, investigators and analysts commonly create link analysis charts directly from toll usage data or other billing structured data to discover volumes of calls and common numbers called (see Figure 3.13).
Figure 3.13: A telephone toll analysis chart.
High volume data In situations where there is a large number of instances, observations, contacts, or transactions, the limitations of this type of technology begins to become apparent, as the granularity of individual records begin to get lost (see Figure 3.14).
Figure 3.14: Voluminous amounts of data can lead to vague charts.
The i2 link analysis tool also supports Timeline Analysis, the conventions of which are several, including the following:
Time axis. A time axis graph can be labeled to show the passage of time, be it in minutes, days, or years. Time axes can grow or shrink to reflect a large volume of data on the chart, thereby reducing the length of the chart (see Figure 3.15).
Figure 3.15: An analyst can move events and change the chart as needed.
Events. Although the precise graphical representation of events varies, a complete event usually includes a title, description, date, and information source (see Figures 3.16 and 3.17).
Figure 3.16: Events are placed on the theme they relate to.
Figure 3.17: Several events can also be combined.
Transaction flow analysis. Investigators also frequently analyze telephone-call and financial data to create transaction flow charts (see Figure 3.18).
Figure 3.18: Multiple events and transactions can be mapped.
As demonstrated by these charts, the i2 link analysis tool is a very robust and highly developed software system for investigators and analysts.
Crime Link is yet another link analysis tool designed specifically to assist the law enforcement investigator and counter-intelligence analyst in compiling data and putting case information into a graphical, cohesive, comprehensible, and actionable format. Crime Link also allows for the display of photos and the attachment of documents and audio and video files to entities on its graphs. Manipulation of links on the graph is easily done with Crime Link with individuals associated to organizations, gangs, terrorist cells, and any other group displayed inside rectangles.
A unique feature of Crime Link is its ability to generate a two-dimensional association matrix that basically shows who knows whom, who has done what, who has been where, etc. (see Figure 3.19). The association matrix is also the primary user interface for entering and maintaining information from an ongoing investigation case into Crime Link. The cells of the matrix contain and display the symbolic relationship types via columns and rows, so that, for example, a solid circle represents a known and confirmed association link, while a hollow circle signifies a suspected and unconfirmed association link. It is a very basic, yet effective, method of displaying and examining associations between entities and events. It is clearly an effective manner of providing a presentation to other investigators or for use in court or other judicial proceedings.
Figure 3.19: The association matrix in Crime Link.
The link analysis diagrams are used in Crime Link to graphically represent complex relationships and to make comprehension of associations easier. Because Crime Link generates its link association diagrams directly from the information entered into its association matrix, it ensures that the integrity of the diagrams is maintained at all times (see Figure 3.20).
Figure 3.20: From the matrix Crime Link generates its diagrams.
Crime Workbench is a tool for intelligence management with the option of creating databases on virtually any entity type; this application is relevant to all types of criminal and fraud investigation. Crime Workbench offers enhanced searching capabilities by utilizing the Memex Information Engine.
The Action Management module allows users to task items and actions to other users on the system. For organization wide communications, there is a bulletin board option for disseminating findings via a department intranet. Differing intelligence records relating to the same topic can now be grouped together for ease of locating and searching with the Case Management module in Crime Workbench. The main Workbench tool has also incorporated a Link Management module for graphical analysis. A search that returns one record plus all other records linked to that original record, in a cluster diagram, highlights in an instant the major players and events in any investigation. Crime Workbench can integrate with the i2 Link Notebook version 5, one of the main link analysis products.
Entering data into Crime Workbench is simple with the intuitive forms and forms builder. The Entity Manager allows administrator users to create new entities and forms on virtually any topic. Searching Crime Workbench databases can be carried out several different ways:
Query by form: useful for searching data in a specific field
Structured query: simultaneous searching over one or more database types
Free-text search: the easiest method of searching, utilizing query capabilities
Crime Workbench Web is a scaled down version of the main intelligence management product, which allows for the interaction of analysis via a Web browser. The requirement for this Web product stemmed from the number of end users who require only basic input and search functionality. With Crime Workbench Web, the end user can gain access from any location via an intranet or the Internet. Crime Workbench Web is aimed at the intelligence analyst and law enforcement investigator on the move who requires a tool to collect information and access to up-to-the-minute data from any location via a Web browser.
Daisy, which stands for Data AnalysIS InteractivelY is a very intuitive link analysis tool, which like i2 is also from the United Kingdom, available from Daisy Analysis. Daisy supports a circular layout of nodes that are interconnected with linkages to represent entity or event associations (see Figure 3.21). In addition, each node can be associated with histograms to display frequencies and intervals. The Daisy display can be manipulated by zooming, panning, and fitting it to the viewer screen, with any node capable of being profiled by simply clicking on it to get a summary of its content. A profile window displays the name of the node and its associated groupings, the number of records and links it represents, such as duration, distance, amount, and number of meeting.
Figure 3.21: A Daisy chart showing a date and time analysis.
Daisy provides the user a quick menu for setting up a new chart through the use of templates. The menu options are extensive, with options for allowing an inexperienced user to develop a link analysis chart quickly. The menu provides five general options for generating a chart, including standard, duplicate, circular, date/time, and summary. A submenu is provided for selecting the fields that will be used to generate the link analysis chart. Daisy is relatively inexpensive and is well suited for users with little to no experience in link analysis, working with a small case data set.
NETMAP is a very mature link analysis tool from ALTA Analytics that basically uses vectorization to map its displays; that is, everything is represented as a line, including all text and shapes. NetMap is an enterprise system that employs data marts to help organize information and that can query a wide range of databases using SQL. NetMap decomposes data, such as a name or bank account number, to its simplest form, called a node. Then, it seeks common links among nodes. The primary method of manipulating the NETMAP display is through a pair of node and link menus for filtering and displaying the data. The main shapes of NETMAP link charts are those of a wagon-wheel format, with color conveying very important factors; for example, bank accounts may be displayed in green, individuals in blue, and the links between them in red. NETMAP, however, also supports some additional layouts, including circular, column, row, row/column, bullseye, and Cartesian charts (see Figure 3.22).
Figure 3.22: The formats supported by NETMAP.
As previously mentioned, investigators can use link analysis tools such as NETMAP for identifying suspicious financial transactions and identifying hidden relationships between criminal and terrorists entities. All of these values can be assembled and represented as objects in sections of circular charts with the linking nodes used to identifying relationships. For example, in NETMAP a graph can be created using the column format, which is a fairly compact way of stacking data elements (e.g., addresses, phone numbers, vehicles, banks, wire transfers) and then exploring their relationships via a step-link format (see Figure 3.23).
Figure 3.23: This chart shows the link between the nodes at both ends.
NETMAP allows all data to be traced back to their original sources; data imported into the software can be tagged with such attributes as time-of-load and other user information.
NETMAP can also be configured to allow for multiple security levels to allow analysts to filter out the source of the data, agency, department, or classification level.
ORIONInvestigations is yet another tool for tracking and analyzing crimes based on case-related information compiled from different events, groups, entities, and associations. This tool is specifically an application for populating a database with details about known facts and leads relating to a crime scene; it is more of a criminal case data organizer. It uses a series of forms to interact with an investigator and is configured with three general levels—supervisor, clerk, and data entry—to control security data access within the system. Another feature of ORIONInvestigations is a filter wizard that looks for related records based on similar selection criteria. A reporter component generates various outputs related to a specific investigation.
ORIONInvestigations can be integrated with ORIONLink, the actual link analysis component from ORION. ORIONLink represents entities as circles connecting them via other circles, or squares, diamonds, and triangles (see Figure 3.24). This link analysis tool also uses colors to represent shared attributes for entities, such as event associations or group membership. Every individual who is a member of multiple groups or who has attended an event or a meeting will have several different colored pie-wedges on the ORIONLink chart display. Objects sharing the same color share the same value of an attribute.
Figure 3.24: An ORIONLink sample diagram.
ORIONLink can be used to draw boxes automatically around nodes to display specific terrorist cells, gangs, intragroups, or incident functions and relationships. The tool supports complete interactive displays so that objects can be moved and grouped in diagrams annotated with text and symbols. A special feature of ORIONLink is its what-if mode, which allows objects and their connections to be hidden or restored on the fly, allowing for the viewing of their impact on the total organization, such as a terrorist cell or criminal gang.
ORIONLink provides several interactive analytic features with the ability to change the data attributes and their impact on the diagram. This can be done by a pop-up dialog box associated with any node. All of the associations of a particular individual can also be highlighted interactively. A Show Articulations mode can automatically highlight all "keynodes" in a diagram, which, if removed, would cripple or severely damage the total group structure. This way individuals who are critical for organizational cohesiveness, strength, or communications can be easily identified for higher levels of attention.
VisuaLink is a high-end link analysis software suite with multiple data preparation components designed to assist investigators and analysts in the identification of terrorist threats, money laundering, insurance fraud, and other criminal activity. For example the suite can be used to track different types of "criteria" technologies used in international transactions, such as specific material components for manufacturing terrorist weapons.
As with other link analysis tools, VisuaLinks can be used to evaluate group behavior, funding resources, communication networks, recruiting methods, organization locations, etc. The software was designed specifically with the law enforcement user in mind and was not intended for the corporate world.
VisuaLinks can also be used to analyze and diagram systemic suspicious financial activity and filing compliance, including the analysis of the real assets of suspected money laundering enterprises. The tool allows the investigating agency or task force to uncover different types of transactions (deposits, withdrawals, wire transfers, and currency conversions) used by suspected money launderers.
For drug investigation, VisuaLink can be used to examine subtle connections between individuals, organizations, vehicles, facilities, locations, accounts, and incidents, as well as transportation routes and communication lines. For insurance fraud investigations, the tool can be used to uncover connections between individuals, organizations, incidents, and claims.
Using a special software component it calls DIG, for example, an insurance investigator can retrieve and analyze data from both in-house and industry-wide claims databases to uncover suspicious activities. The program allows for the indexing, searching, and managing of large numbers of databases, text sources, and Web sites concurrently. VisuaLink can visually display the retrieved data and assist in identifying possible fraudulent claims activity with the frequency of connections displayed by varying link thickness.