3.11 Link Analysis Tools

Analyst's Notebook

http://www.i2.co.uk/home.html

The Analyst's Notebook includes two main software products for different types of criminal investigative analysis—the Link Notebook and the Case Notebook. This is one of the most popular link analysis tool on the market and is used by securities, investigative, intelligence, and law enforcement analysts. In fact, i2 Ltd., which developed the software, recently announced a multiyear contract to provide its software and training to the FBI.

The Link Notebook tool supports various methods of organizing and viewing entity relationships, including the following components :

• Link analysis charts, also called association charts

• Network or high-volume link charts

• Commodity flow charts

• Activity charts

The structure of the Link Notebook allows the user to control and select options from a sidebar menu, from which icons representing different entities can be dragged-and-dropped to construct the chart. It also allows users to select and arrange graphical elements into position (see Figure 3.3).

Figure 3.3: The Link Notebook supports zoom in features.

The Case Notebook, on the other hand, supports a somewhat different method of organizing and viewing events. This includes the following graphs:

• Case flow or transaction charts

• Timeline or sequences-of-events charts

• Combined charts showing events and flows

The Case Notebook is specifically designed to enable an investigator or analyst to organize and view the progressive state of an ongoing case. The Case Notebook can set events in a timeline, thereby enabling an investigator to quickly locate significant times and dates, such as special meeting or trips by suspects. Timeline charts can be used to show the significant events where information is inconsistent or where accounts diverge. The Case Notebook charts can be used in drug, terrorist, fraud and other criminal investigations where events with associated dates and times are significant (see Figure 3.4).

Figure 3.4: A timeline displaying time- related events.

The Analyst's Notebook tool from i2 supports a wide range of analytical conventional graphical link standards, including the following methods of creating charts.

Confirmed/unconfirmed lines Solid lines are used where the analyst is confident about the information that validates a link and wishes to indicate it is "Confirmed" (see Figure 3.5).

Figure 3.5: Confirmed links are shown as solid lines.

Dashed lines are used where the analyst believes further action is required to confirm the validity of a link, and so it is "Unconfirmed" (see Figure 3.6).

Figure 3.6: Unconfirmed associations are dashed lines.

Organizations shown inside boxes The method for grouping entities on a chart is to draw a box around related entities. For example, those individuals who are principal players in the same organization, such as a gang, a cartel, or a terrorist cell , are organized inside of a box (see Figure 3.7).

Figure 3.7: Members of an organization are grouped inside a box.

Where there are many organizations on a chart, a common convention is to simplify the graph by showing the less significant organizations as icons (see Figure 3.8).

Figure 3.8: An organization can be aggregated as an entity.

Chart clarity Another standard in link analysis is where possible to avoid crossing lines on a chart since it confuses the eye of the viewer (see Figures 3.9 and 3.10).

Figure 3.9: The central contact is unknown.

Figure 3.10: Here Entity 1 is ID.

However, it is impossible to avoid crossing lines completely in larger, more complex charts, and in these instances the link types used in a chart are deliberately different.

Link types A chart may be organized to use different link styles (single, directed, and multiple) in order that links actually represent multiple associations (see Figure 3.11).

Figure 3.11: The links are the intelligence.

This use of multiple the type of links can drastically reduce the size of a chart, while still avoiding crossed lines. However, they should not be used excessively because they are not as visually clear as straight lines.

Legend A chart may also incorporate a legend to indicate the meaning of visual items on the diagram, including link types and attributes (see Figure 3.12).

Figure 3.12: A sample of a chart with a legend.

Telephone toll analysis For these types of unique diagrams, investigators and analysts commonly create link analysis charts directly from toll usage data or other billing structured data to discover volumes of calls and common numbers called (see Figure 3.13).

Figure 3.13: A telephone toll analysis chart.

High volume data In situations where there is a large number of instances, observations, contacts, or transactions, the limitations of this type of technology begins to become apparent, as the granularity of individual records begin to get lost (see Figure 3.14).

Figure 3.14: Voluminous amounts of data can lead to vague charts.

The i2 link analysis tool also supports Timeline Analysis, the conventions of which are several, including the following:

• Time axis. A time axis graph can be labeled to show the passage of time, be it in minutes, days, or years . Time axes can grow or shrink to reflect a large volume of data on the chart, thereby reducing the length of the chart (see Figure 3.15).

  
  Figure 3.15: An analyst can move events and change the chart as needed.

• Events. Although the precise graphical representation of events varies, a complete event usually includes a title, description, date, and information source (see Figures 3.16 and 3.17).

  
  Figure 3.16: Events are placed on the theme they relate to.

  
  Figure 3.17: Several events can also be combined.

• {% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

  Transaction flow analysis. Investigators also frequently analyze telephone-call and financial data to create transaction flow charts (see Figure 3.18).

  
  Figure 3.18: Multiple events and transactions can be mapped.

As demonstrated by these charts, the i2 link analysis tool is a very robust and highly developed software system for investigators and analysts.

Crime Link

http://www.crimelink.com/

Crime Link is yet another link analysis tool designed specifically to assist the law enforcement investigator and counter-intelligence analyst in compiling data and putting case information into a graphical, cohesive, comprehensible, and actionable format. Crime Link also allows for the display of photos and the attachment of documents and audio and video files to entities on its graphs. Manipulation of links on the graph is easily done with Crime Link with individuals associated to organizations, gangs, terrorist cells , and any other group displayed inside rectangles.

A unique feature of Crime Link is its ability to generate a two-dimensional association matrix that basically shows who knows whom, who has done what, who has been where, etc. (see Figure 3.19). The association matrix is also the primary user interface for entering and maintaining information from an ongoing investigation case into Crime Link. The cells of the matrix contain and display the symbolic relationship types via columns and rows, so that, for example, a solid circle represents a known and confirmed association link, while a hollow circle signifies a suspected and unconfirmed association link. It is a very basic, yet effective, method of displaying and examining associations between entities and events. It is clearly an effective manner of providing a presentation to other investigators or for use in court or other judicial proceedings .

Figure 3.19: The association matrix in Crime Link.

The link analysis diagrams are used in Crime Link to graphically represent complex relationships and to make comprehension of associations easier. Because Crime Link generates its link association diagrams directly from the information entered into its association matrix, it ensures that the integrity of the diagrams is maintained at all times (see Figure 3.20).

Figure 3.20: From the matrix Crime Link generates its diagrams.

Crime Workbench

http://www.memex.com/cwbover.html

Crime Workbench is a tool for intelligence management with the option of creating databases on virtually any entity type; this application is relevant to all types of criminal and fraud investigation. Crime Workbench offers enhanced searching capabilities by utilizing the Memex Information Engine.

The Action Management module allows users to task items and actions to other users on the system. For organization wide communications, there is a bulletin board option for disseminating findings via a department intranet. Differing intelligence records relating to the same topic can now be grouped together for ease of locating and searching with the Case Management module in Crime Workbench. The main Workbench tool has also incorporated a Link Management module for graphical analysis. A search that returns one record plus all other records linked to that original record, in a cluster diagram, highlights in an instant the major players and events in any investigation. Crime Workbench can integrate with the i2 Link Notebook version 5, one of the main link analysis products.

Entering data into Crime Workbench is simple with the intuitive forms and forms builder. The Entity Manager allows administrator users to create new entities and forms on virtually any topic. Searching Crime Workbench databases can be carried out several different ways:

1. Query by form: useful for searching data in a specific field

2. Structured query: simultaneous searching over one or more database types

3. Free-text search: the easiest method of searching, utilizing query capabilities

Crime Workbench Web is a scaled down version of the main intelligence management product, which allows for the interaction of analysis via a Web browser. The requirement for this Web product stemmed from the number of end users who require only basic input and search functionality. With Crime Workbench Web, the end user can gain access from any location via an intranet or the Internet. Crime Workbench Web is aimed at the intelligence analyst and law enforcement investigator on the move who requires a tool to collect information and access to up-to-the-minute data from any location via a Web browser.

Daisy

http://www.daisy.co.uk/daisy.html

Daisy, which stands for Data AnalysIS InteractivelY is a very intuitive link analysis tool, which like i2 is also from the United Kingdom, available from Daisy Analysis. Daisy supports a circular layout of nodes that are interconnected with linkages to represent entity or event associations (see Figure 3.21). In addition, each node can be associated with histograms to display frequencies and intervals. The Daisy display can be manipulated by zooming, panning, and fitting it to the viewer screen, with any node capable of being profiled by simply clicking on it to get a summary of its content. A profile window displays the name of the node and its associated groupings, the number of records and links it represents, such as duration, distance, amount, and number of meeting.

Figure 3.21: A Daisy chart showing a date and time analysis.

Daisy provides the user a quick menu for setting up a new chart through the use of templates. The menu options are extensive , with options for allowing an inexperienced user to develop a link analysis chart quickly. The menu provides five general options for generating a chart, including standard, duplicate, circular, date/time, and summary. A submenu is provided for selecting the fields that will be used to generate the link analysis chart. Daisy is relatively inexpensive and is well suited for users with little to no experience in link analysis, working with a small case data set.

NETMAP

http://www.altaanalytics.com/

NETMAP is a very mature link analysis tool from ALTA Analytics that basically uses vectorization to map its displays; that is, everything is represented as a line, including all text and shapes. NetMap is an enterprise system that employs data marts to help organize information and that can query a wide range of databases using SQL. NetMap decomposes data, such as a name or bank account number, to its simplest form, called a node. Then, it seeks common links among nodes. The primary method of manipulating the NETMAP display is through a pair of node and link menus for filtering and displaying the data. The main shapes of NETMAP link charts are those of a wagon-wheel format, with color conveying very important factors; for example, bank accounts may be displayed in green, individuals in blue, and the links between them in red. NETMAP, however, also supports some additional layouts, including circular, column, row, row/column, bullseye, and Cartesian charts (see Figure 3.22).

Figure 3.22: The formats supported by NETMAP.

As previously mentioned, investigators can use link analysis tools such as NETMAP for identifying suspicious financial transactions and identifying hidden relationships between criminal and terrorists entities. All of these values can be assembled and represented as objects in sections of circular charts with the linking nodes used to identifying relationships. For example, in NETMAP a graph can be created using the column format, which is a fairly compact way of stacking data elements (e.g., addresses, phone numbers, vehicles, banks, wire transfers) and then exploring their relationships via a step-link format (see Figure 3.23).

Figure 3.23: This chart shows the link between the nodes at both ends.

NETMAP allows all data to be traced back to their original sources; data imported into the software can be tagged with such attributes as time-of-load and other user information.

NETMAP can also be configured to allow for multiple security levels to allow analysts to filter out the source of the data, agency, department, or classification level.

ORION

http://www.orionsci.com/productinfo/Magic.html

ORIONInvestigations is yet another tool for tracking and analyzing crimes based on case-related information compiled from different events, groups, entities, and associations. This tool is specifically an application for populating a database with details about known facts and leads relating to a crime scene; it is more of a criminal case data organizer. It uses a series of forms to interact with an investigator and is configured with three general levels—supervisor, clerk, and data entry—to control security data access within the system. Another feature of ORIONInvestigations is a filter wizard that looks for related records based on similar selection criteria. A reporter component generates various outputs related to a specific investigation.

ORIONInvestigations can be integrated with ORIONLink, the actual link analysis component from ORION. ORIONLink represents entities as circles connecting them via other circles, or squares, diamonds, and triangles (see Figure 3.24). This link analysis tool also uses colors to represent shared attributes for entities, such as event associations or group membership. Every individual who is a member of multiple groups or who has attended an event or a meeting will have several different colored pie-wedges on the ORIONLink chart display. Objects sharing the same color share the same value of an attribute.

Figure 3.24: An ORIONLink sample diagram.

ORIONLink can be used to draw boxes automatically around nodes to display specific terrorist cells, gangs, intragroups, or incident functions and relationships. The tool supports complete interactive displays so that objects can be moved and grouped in diagrams annotated with text and symbols. A special feature of ORIONLink is its what-if mode, which allows objects and their connections to be hidden or restored on the fly, allowing for the viewing of their impact on the total organization, such as a terrorist cell or criminal gang.

ORIONLink provides several interactive analytic features with the ability to change the data attributes and their impact on the diagram. This can be done by a pop-up dialog box associated with any node. All of the associations of a particular individual can also be highlighted interactively. A Show Articulations mode can automatically highlight all "keynodes" in a diagram, which, if removed, would cripple or severely damage the total group structure. This way individuals who are critical for organizational cohesiveness, strength, or communications can be easily identified for higher levels of attention.