Manual I2

Criminal Network Investigation:
Processes, Tools, and Techniques
Ph.D. dissertation (revised version)
Author Supervisor
Rasmus Rosenqvist Petersen Uffe Kock Wiil
The Maersk Mc-Kinney Moller Institute The Maersk Mc-Kinney Moller Institute
University of Southern Denmark University of Southern Denmark
Campusvej 55, Odense, Denmark Campusvej 55, Odense, Denmark
rrp@mmmi.sdu.dk ukwiil@mmmi.sdu.dk
May 13, 2013
Committee member Committee member Committee member

Kasper Hallenborg Patricia L. Brantingham Kaj Grønbæk
The Maersk Mc-Kinney Moller Institute School of Criminology Department of Computer Science
University of Southern Denmark Simon Fraser University Aarhus University
Abstract
Criminal network investigations such as police investigations, intelligence analysis, and investiga-
tive journalism involve a range of complex knowledge management processes and tasks. Criminal
network investigators collect, process, and analyze information related to a specific target to cre-
ate intelligence products that can be disseminated to their customers. Investigators deal with an
increasing amount of information from a variety of sources, especially the Internet, all of which
are important to their analysis and decision making process. But information abundance is far
from the only or most important challenge for criminal network investigation, despite the massive
attention it receives from research and media. Challenges such as the investigation process, the
context of the investigation, human factors such as thinking and creativity, and political deci-
sions and legal laws are all challenges that could mean the success or failure of criminal network
investigations.
Information, process, and human factors, are challenges we find to be addressable by software
system support. Based on those three challenges we formulated our hypothesis for tool support,
and analyzed problems related to each individual challenge. Our response to these problems
is a list of research focus requirements, to guide our development of new processes, tools, and
techniques that ultimately would reduce the impact of the challenges and support the hypothesis.
We propose hypertext as the key technology to bridge human and tool related requirements to
provide integrated support for both, resulting in increased capabilities, that ultimately will create
a synergy effect useful for criminal network investigation.
We create a target-centric process model (acquisition, synthesis, sense-making, dissemination,
cooperation) encouraging and supporting an iterative and incremental evolution of the criminal
network across all five investigation processes. The first priority of the process model is to ad-
dress the problems of linear process models that introduce compartmentalization, reducing sense
of responsibility and deterioration of information as it passes through compartments. We have de-
veloped a list of criminal network investigation tasks encapsulating the work within each process,
selected based on their contributions to the success of investigations.
Basic criminal network investigation concepts have been developed and tested using proof-of-
concept prototyping, resulting in generic software components for tool support of criminal network
investigation. We have used these components to build CrimeFighter Investigator, iteration by
iteration, embracing the concepts embedded in the components. We analyze, design, and demon-
strate support of individual criminal network investigation tasks for each of the five processes,
and we also describe the deployment of CrimeFighter Investigator in scenarios that span multiple
processes and tasks. We have used three methods to evaluate CrimeFighter Investigator, capa-
bility comparisons, end user interviews, and measures of performance. We have found that our
evaluation methods provide good coverage of the research focus requirements. When summarizing
evaluation of the requirements, we found strong support of most and medium or weak support
of few. In general, our evaluation showed that we had focused on the right challenges, and the
interdependency of the requirements made it clear that a more narrow focus, leaving out one of
the challenges, would have provided much less support.
We can conclude that all indicators point toward support of the hypothesis: addressing the chal-
lenges of information, process, and human factors by providing tool support based on advanced
software technologies is a useful tool for investigators, as it increases the capabilities of both
human and tool, thereby reducing the impact of the challenges. Rather than focusing on the
inner-workings of network analysis techniques, we have worked toward supporting end user inter-
actions with techniques, to achieve better investigation results. We consider our results to represent
guidelines for how to conduct research of tool support for criminal network investigation.
To my father
for his insistent fight to live
To my mother
for fighting alongside her husband, my father
Preface to revised version
This dissertation is the result of three years Ph.D. studies. The work was carried out from
September 1st 2009 to September 30th 2012. The initial version was submitted October 1st .
This revised version is based on feedback from my Ph.D. committee members Patricia L. Branting-
ham, Kaj Grønbæk, and Kasper Hallenborg. Furthermore, working in the network visualization
and analysis industry changed my views on the importance and power of visualization. But the
foundation of my research is still the same: structure domains, agile processes, and human cogni-
tion. Finally, ideas have kept emerging and evolving after the initial version was submitted.
Happy investigation . . .
The Maersk Mc-Kinney Moller Institute

University of Southern Denmark, Odense
Rasmus Rosenqvist Petersen

May 13, 2013
v
Acknowledgments
First of all thanks to everybody at the Maersk-McKinney Moller Institute (University of Southern
Denmark), professors and lecturers, for their academic advice and encouragements to continue my
research, secretaries, for helping me out on numerous occasions and without who no one at the
institute would get anything done. To my fellow Ph.D. students, with whom I have spent countless
hours at the foosball table or discussing foreign politics and cultural differences and similarities
over a cup of chai, coffee, or beer: shukria, dhanyavaad, gracias, tak, . . . thank you!
A special thanks goes to my supervisor, Professor Uffe Kock Wiil, who has guided and supported
the basic ideas of my research over the past five years. He has always taken the time to provide
constructive feedback whenever I was doubtful about which direction to take, even after becoming
project manager for the largest grant in the history of our university. Thank you Uffe, for always
supporting my ideas and guiding me if I was about to get lost in some case, theory, or book - I
have learned a lot from your approach to research, and I hope to one day achieve your sense of
information and structure.
I have been fortunate to make two 1-month visits to international research institutions: at Impe-
rial College in London, I worked closely with Dr. Christopher J. Rhodes, developing CrimeFighter
Investigator support for inference-based prediction. Thank you Chris, and everybody else at Im-
perial College, for showing me around, introducing me to indian pale ale, and always being willing
to help. Also thank you to the Research Councils United Kingdom, Institute for Security Science
and Technology (Imperial College) and the United Kingdom Ministry of Defense for supporting
the work and publication of a paper on node removal. At University of Hof in Bavaria, I worked
closely with Dr Claus Atzenbeck, director of Institute for Information Systems (iisys), primarily
focusing on domain analysis and discussions of how to design usability experiments. Thank you
Claus, and everybody else at iisys, for welcoming me and showing me various aspects of Bavarian
life. Also thank you to Claus for writing several knowledgeable papers related to criminal network
investigation.
The places that I have worked on my dissertation around the world, and the friends living in
those places, deserve a special thanks; it has been incredibly motivating and inspiring for me.
Unfortunately, the list is too long to mention everybody and everywhere here. To everyone not
mentioned: thank you!
My Ph.D. dissertation builds upon previous publications in hypertext and security informatics
conference proceedings, one accepted security informatics journal paper, and one accepted com-
putational approaches to counterterrorism handbook chapter. I am thankful to the numerous
reviewers who have helped me improve my work by giving useful and insightful comments on
submitted manuscripts.
vii
Resumé
Efterforskninger af kriminelle netværk udført af politi, efterretnings analytikere, og undersøgende

journalister involverer en række komplekse processer og opgaver relateret til håndtering af viden.
Efterforskere af kriminelle netværk indhenter, bearbejder, og analysere information relateret til
et specifikt efterretningskrav, for at skabe efterretnings produkter der kan rapporteres til kunden
der formulerede kravet. Efterforskere skal håndtere en stigende mængde informationer fra mange
forskellige kilder, især internettet, og de kan alle sammen være vigtige for efterforskernes analyse-
og beslutnings-proces. Men en overflod af informationer er langt fra den eneste eller den vigtig-
ste udfordring i forbindelse med efterforskning af kriminelle netværk, på trods af den massive
opmærksomhed “de mange informationer” bliver givet i forskningsverdenen og af medierne, m.fl.
Udfordringer såsom efterretningskredsløbet (processen), en efterforsknings kontekst, menneskelige
faktorer som f.eks. problem løsning og kreativitet, og politiske beslutninger og deraf følgende
lovgivning, er alle udfordringer der kan betyde succes eller fiasko for en efterforskning.
Information, proces, og menneskelige faktorer er efterforsknings relaterede udfordringer som kan
adresseres ved hjælp af software systemer. Baseret på disse tre udfordringer formulerede vi vores
hypotese for værktøjsunderstøttelse, og analyserede specifikke problemer relateret til hver enkelt
udfordring. Vores modsvar i forhold til disse problemer er en liste med forsknings krav, der kan
styre vores udvikling af nye processer, værktøjer, og teknikker der ultimativt vil reducere virknin-
gen af udfordringerne og understøtte hypotesen. Vi foreslår hypertekst som den kerneteknologi
der kan bygge bro imellem de menneske- og værktøj relaterede krav vi har til vores forskning,
for at tilbyde integreret understøttelse for begge, resulterende i øgede kapaciteter der vil skabe en
synergi effekt i forbindelse med efterforskning af kriminelle netværk.
Vi skaber en krav-centreret proces model der involverer indhentning og bearbejdning, syntese og
forståelse (tilsammen analyse), rapportering, og samarbejde. Det er en process model der tilskyn-
der og støtter en iterativ og inkremental evolution af det kriminelle netværk på tværs af alle fem
efterforsknings processer. Førsteprioriteten for proces modellen er at adressere de problemer som
lineære proces modeller introducerer i efterforskningsarbejdet, primært adskillelser i processen,
der reducerer efterforskernes ansvarsfølelse for efterforskningen samt forringer oplysninger som de
passere igennem proces adskillelserne (en adskillelse kan være mellem to afdelinger i en organi-
sation, eller f.eks. mellem to efterretningstjenester). Vi har udviklet en liste med efterforsknings
opgaver der indkapsler arbejdet inden for hver enkelt proces. Opgaverne er udvalgt baseret på
deres potentielle bidrag til veludført efterforskning.
Grundlæggende koncepter for efterforskning af kriminelle netværk er blevet udviklet og testet
ved hjælp af såkaldte proof-of-concept prototyper, hvilket har resulteret i generiske softwarekom-
ponenter til værktøjs understøttelse af efterforskning. Vi har anvendt disse komponenter til at
bygge CrimeFighter Investigator, iteration efter iteration, og derigennem omfavnet de begreber
ix
der er indlejret i komponenterne. Vi analyserer, designer og demonstrerer understøttelse af in-
dividuelle efterforskning opgaver for hver af de fem omtalte processer, og vi beskriver også an-
vendelse af CrimeFighter Investigator i scenarier, der involverer flere processer og opgaver. Vi
har brugt tre metoder til at evaluere CrimeFighter Investigator: sammenligning af opgave- og
model-understøttelse, slutbruger interviews, og forskellige metrikker der kan måle effektiviteten af
algoritme-baserede analyse teknikker på flere områder. Ved hjælp af diagrammer har vi opsum-
meret relationerne mellem efterforsknings opgaver og vores opsatte forsknings krav, vi fandt at
de tre evalueringsmetoder ydede god dækning af disse krav. Når vi opsummerer vores evaluering
af forsknings kravene finder vi at mange er godt understøttet, imens få er nogenlunde eller svagt
understøttet. Helt generelt viser vores evaluering at vi har fokuseret på de rette udfordringer,
og at den gensidige afhængighed imellem forskningskravene gjorde det klart, at havde vi valgt
et mere snævert fokus, f.eks. udeladt en af udfordringerne, ville det have resulteret i dårligere
understøttelse af de resterende krav.
Vi kan konkludere at alle indikatorer peger imod understøttelse af den hypotese vi har stillet:
hvis udfordringerne information, proces, og menneskelige faktorer adresseres ved værktøjs un-
derstøttelse baseret på avancerede software teknologier, vil resultatet være et brugbart værktøj
for efterforskere, da det øger kapaciteten for både mennesker og værktøj, og dermed reducerer
den indflydelse som udfordringer ellers ville have. I stedet for at fokusere på specifikke algoritme-
baserede teknikker til netværks analyse har vi arbejdet hen imod understøttelse af slutbrugerens
(efterforskerens) interaktion med og kontrol af sådanne analyse teknikker, med det formål at
opnå bedre efterforskningsresultater. Vi betragter vores resultater som retningslinjer i forhold til
forskning indenfor software værktøjer der understøtter efterforskning af kriminelle netværk.
Contents
Preface v
Acknowledgements vii
Resumé x
I Introduction and method 1
1 Introduction 3
1.1 Myths and disclaimers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2.1 Selecting challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2.2 Research focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3 Theory and technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.4 CrimeFighter toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.4.1 CrimeFighter Investigator within this framework . . . . . . . . . . . . . . . 14
1.5 Dissertation structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1.5.1 Reading directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2 Method 19
2.1 General Ph.D. approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
2.2 Software development methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.1 Prototyping reviewed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.2 Proof-of-concept prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2.3 Software baseline and evolution . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3 Empirical evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.1 Case study research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.4 Ph.D. study program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
xi
II The domain 29
3 Criminal network investigation 33

3.1 Criminal network? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
3.1.1 Criminal networks and other networks . . . . . . . . . . . . . . . . . . . . . 34
3.1.2 The emergence and evolution of criminal networks . . . . . . . . . . . . . . 35
3.1.3 The strengths and weaknesses of criminal networks . . . . . . . . . . . . . . 35
3.1.4 Pre- and post-crime criminal networks . . . . . . . . . . . . . . . . . . . . . 36
3.1.5 Ethical aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2 Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
3.2.1 Basic entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2.2 Organizational (meta) structures . . . . . . . . . . . . . . . . . . . . . . . . 37
3.2.3 Smaller (sub) structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3.3 Linear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
3.3.1 Intelligence failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.4 Target-centric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.5 Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.5.1 The Daniel Pearl investigation . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.5.2 The hunt for Khalid Sheikh Mohammed . . . . . . . . . . . . . . . . . . . . 55
3.5.3 Homicide investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.5.4 Organized drug crime investigation . . . . . . . . . . . . . . . . . . . . . . . 58
3.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6.1 Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.6.2 Counterterrorism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.6.3 Investigative journalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
4 Related work 65
4.1 Commercial tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.1.1 Analyst’s Notebook 8.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.1.2 Palantir Government 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4.1.3 Xanalys Link Explorer 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.1.4 COPLINK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4.2 Research prototypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.2.1 The Sandbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.2.2 POLESTAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.2.3 Aruvi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
4.2.4 Dynalink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3 Investigative journalism tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3.1 Namebase.org . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.3.2 Mindmeister . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.3.3 Simple tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
5 Theory and technology 81

5.1 Hypertext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
5.1.1 Associative structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
5.1.2 Spatial structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
5.1.3 Taxonomic structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.1.4 Issue-based structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
5.1.5 Annotation and meta data structures . . . . . . . . . . . . . . . . . . . . . 89
5.1.6 Structural computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.2 Semantic web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.3 Information science . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
5.4 Human cognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.4.1 Two types of creativity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
5.4.2 Case: Besheer and Pellegrino . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.4.3 Representational structures for human cognition . . . . . . . . . . . . . . . 94
5.5 The creative process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.5.1 History of creative process models . . . . . . . . . . . . . . . . . . . . . . . 95
5.5.2 Are more heads better than one? . . . . . . . . . . . . . . . . . . . . . . . . 96
5.5.3 The life cycle of creative endeavors . . . . . . . . . . . . . . . . . . . . . . . 97
5.5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.6 Simple tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.6.1 Agile modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.7 Case-studies of individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.7.1 Omar Saeed Sheikh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.7.2 David Coleman Headley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.8 Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.8.1 Intelligence and information . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.8.2 Open source intelligence and secret intelligence . . . . . . . . . . . . . . . . 107
5.9 Mathematical models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.9.1 Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.9.2 Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.9.3 Other mathematical models . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.10 Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.10.1 Ethical impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
5.10.2 Denmark and terrorism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.11 Trust and user acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5.12 Interaction and visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.12.1 Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.12.2 Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.13 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
6 Problem definition 119

6.1 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6.1.1 Research focus (requirements) . . . . . . . . . . . . . . . . . . . . . . . . . . 121
6.2 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
6.3 Human factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
III The tool 127
7 Process model and tasks 129

7.1 Process model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
7.2 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
7.2.1 Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
7.2.2 Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
7.2.3 Sense-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
7.2.4 Dissemination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
7.2.5 Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
8 Software components 135

8.1 Conceptual model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
8.1.1 Entity layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
8.1.2 Information element designs . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
8.1.3 Relation designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
8.1.4 Composite designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2 Computational model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
8.2.1 Entity association design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
8.3 Concepts and components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
8.4 Component requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
8.4.1 Entity requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
8.4.2 History requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
8.4.3 Algorithm requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
8.4.4 Datafile requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
8.5 Component design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
8.5.1 Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
8.5.2 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
8.5.3 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
8.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
9 Acquisition 153
9.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
9.1.1 CONCEPT: Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
9.1.2 TASK: Acquisition methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
9.1.3 TASK: Dynamic attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
9.1.4 TASK: Attribute mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
9.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
9.3 CrimeFighter Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
10 Synthesis 161
10.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
10.1.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
10.1.2 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
10.1.3 TASK: Create, delete, and edit entities . . . . . . . . . . . . . . . . . . . . . 162
10.1.4 TASK: Create, delete, and edit associations . . . . . . . . . . . . . . . . . . 164
10.1.5 TASK: Restructuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
10.1.6 TASK: Grouping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
10.1.7 TASK: Collapsing and expanding . . . . . . . . . . . . . . . . . . . . . . . . 165
10.1.8 TASK: Information types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
10.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
10.2.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
10.2.2 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
10.3.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
10.3.2 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
10.3.4 TASK: Restructuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
10.3.5 TASK: Grouping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
11 Sense-making 171
11.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
11.1.1 CONCEPT: Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
11.1.2 CONCEPT: Structural parser . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.1.3 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.1.4 TASK: Retracing the steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
11.1.5 TASK: Creating hypotheses . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
11.1.6 TASK: Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
11.1.7 TASK: Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
11.1.8 TASK: Alias detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
11.1.9 TASK: Exploring perspectives . . . . . . . . . . . . . . . . . . . . . . . . . 179
11.1.10 TASK: Decision-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
11.1.11 TASK: Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . 180
11.1.12 TASK: Terrorist network analysis . . . . . . . . . . . . . . . . . . . . . . . . 180
11.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
11.2.1 CONCEPT: Algorithm (sense-making work flows) . . . . . . . . . . . . . . 181
11.2.4 TASK: Alias detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
11.2.5 TASK: Exploring perspectives . . . . . . . . . . . . . . . . . . . . . . . . . 188
11.3.1 CONCEPT: Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
11.3.2 CONCEPT: Structural parser . . . . . . . . . . . . . . . . . . . . . . . . . . 189
11.3.3 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
11.3.4 TASK: Retracing the steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
11.3.7 TASK: Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
11.3.8 TASK: Decision-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
12 Dissemination 201
12.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.1.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.1.2 Report generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
12.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
12.2.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
12.3.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
13 Cooperation 205
13.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
14 Work flow support 207

14.1 Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
14.1.1 Modeling jihadist terrorist cells in the UK and Europe . . . . . . . . . . . . 209
14.1.2 CrimeFighter Investigator model and rules . . . . . . . . . . . . . . . . . . 210
14.1.3 Demonstrating the need for rule-based model adaption . . . . . . . . . . . . 212
14.1.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
14.1.5 Conclusions and future work . . . . . . . . . . . . . . . . . . . . . . . . . . 214
14.2 Node removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
14.3 Investigating linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
14.3.1 The work flow scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
14.3.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
14.4 Summary of deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
IV Evaluation and conclusion 229
15 Evaluation 231
15.1 Post-crime data and information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
15.1.1 Comparing post-crime and real-time data . . . . . . . . . . . . . . . . . . . 235
15.2 End-user interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
15.2.1 Alex Strick van Linschoten (Trafalgar Square, London) . . . . . . . . . . . 236
15.2.2 British home office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
15.2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
15.3 Capability comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
15.3.1 Criminal network investigation task support . . . . . . . . . . . . . . . . . . 238
15.3.2 Capability comparison of the computational model supported . . . . . . . . 240
15.4 Measures of performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
15.4.1 Extended centrality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
15.4.2 Predict missing links algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 243
15.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
15.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
15.6.1 Visualization or visual filtering . . . . . . . . . . . . . . . . . . . . . . . . . 246
15.6.2 End user involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
15.6.3 Discussing end user interviews . . . . . . . . . . . . . . . . . . . . . . . . . 248
15.6.4 Discussing capability comparisons . . . . . . . . . . . . . . . . . . . . . . . 248
15.6.5 Discussing measures of performance . . . . . . . . . . . . . . . . . . . . . . 250
16 Conclusion 253
16.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
16.2 Requirements, challenges, and hypothesis . . . . . . . . . . . . . . . . . . . . . . . 254
16.2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
16.2.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
16.2.3 Hypothesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
16.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
16.4 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
16.4.1 Literature reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
16.4.2 Future software development . . . . . . . . . . . . . . . . . . . . . . . . . . 258
16.4.3 Future evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
A Publications and other work 279

A.1 Published papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
A.2 Unpublished papers and manuscripts . . . . . . . . . . . . . . . . . . . . . . . . . . 279
A.3 Presentations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
A.4 Previously published . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
B DDIS web documents 281
B.1 Efterretningskredsløb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
B.2 FE foretager omprioriteringer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
Part I
Introduction and method
1
CHAPTER 1
Introduction
First, the taking in of scattered particulars under one Idea so that

everyone understands what is being talked about . . . Second, the
separation of the Idea into parts, by dividing it at the joints, as
nature directs, not breaking any limb in half as a bad carver might.
Plato, Phaedrus, 265D, as quoted in [8].
A criminal network investigation is an investigation of a criminal network. Pardon the tautology,

but this repetition is important, as it can be tempting to reduce criminal network investigation
to simply networked information; but investigation is a process, and a criminal network is in-
formation from a particular network domain. A criminal network is a special kind of network,
often emphasizing on both secrecy and efficiency, depending on the purpose of the network; it is
a complex system of entities that are associated directly (e.g., using links) or semantically (e.g.,
using visual symbols or co-location). Basically, a criminal network is information entities and their
associations from a specific network domain, forming information structures.
Criminal network investigations such as police investigations, intelligence analysis, and investiga-
tive journalism involve a range of complex knowledge management processes and tasks. Criminal
network investigators collect, process, and analyze information related to a specific target to cre-
ate products that can be disseminated to their customers. Investigators deal with an increasing
amount of information from a variety of sources, especially the Internet, all of which are important
to their analysis and decision making process. But information abundance is far from the only
or most important challenge for criminal network investigation, notwithstanding the attention it
receives in research and media. Challenges such as the investigation process, the context of the
investigation, human factors such as thinking and creativity, and politics etc. can all decide the
success or failure of criminal network investigations.
Knowledge about the structure and organization of criminal networks is important for both in-
vestigation and the development of effective strategies to prevent terrorist attacks and organized
crime. Theory from the knowledge management field plays an important role in dealing with
criminal network information. Knowledge management processes, tools and techniques can help
criminal network investigators in various ways, when trying to make sense of the vast amount of
data being collected. The CrimeFighter toolbox is an initiative at The Maersk Mc-Kinney Moller
Institute started in 2009. CrimeFighter provides advanced software tools and mathematical mod-
els to assist criminal network investigators in harvesting, filtering, storing, managing, analyzing,
structuring, mining, interpreting, and visualizing terrorist information.
3
1.1. MYTHS AND DISCLAIMERS CHAPTER 1. INTRODUCTION
Criminal network investigators merge and organize pieces of information from different sources
in order to reason about them and support their decision making process. The structure of
the relationships between these pieces of information is fragile by nature, since new information
may change it substantially. Besides supporting the emergent nature of incoming information,
such structures should also be an appropriate medium for communicating with others. This
includes keeping track of previous discussions, representing their evolution, and permitting various
parallel versions that occur by following different directions of thought. Finally, their presentation
should foster awareness and permit notification services that inform the analyst about potential
unseen and non obvious connections beyond the borders of individual information sources [20].
When investigators work with this type of information, following a target-centric and iterative
process would encourage and support the continuous restructuring of the information and the
communication with other investigators by making everybody stakeholders of the investigation,
building a network of information around their target, in a shared information space. Despite
the many iterations over the information and structure, interpretations and decisions must be
maintained. To solve the type of complex problem that a criminal network investigation can be,
the investigator must cooperate with their tools during investigations. The investigator must be the
decision maker (especially in low probability situations), while algorithms should be responsible for
routine calculations. The investigator will fill in the gaps, either in the final intelligence product
or in the tool, when the tool has a technique or work flow that is applicable in a particular
circumstance [130].
This dissertation is the result of three years of Ph.D. studies (with 18 months allocated to re-
search), toward the analysis, design and implementation of CrimeFighter Investigator, a criminal
network investigation tool addressing information, process, and human factors challenges in crim-
inal network investigation. The remainder of this chapter is organized as follows: we start out by
debunking a number of myths about work focused on tool support for criminal network analysis;
myths that we have encountered during our research. We would like to present our view on these
myths to the reader, to sort out any confusion from the start (Section 1.1). Having introduced
the domain criminal network investigation above, we move on to defining the challenges for this
domain, and based on an analysis, we select those challenges that a software systems engineer can
address, and we discuss why these challenges will benefit from software system support (Section
1.2). We move on to present the theory and technology that has underpinned our work (Section
1.3). We describe the CrimeFighter toolbox, and how CrimeFighter Investigator fits into that
framework (Section 1.4) and provide our readers with and overview of dissertation structure (Sec-
tion 1.5). Finally, we provide reading directions based on the expected areas of interest in Section
1.5.1.
1.1 Myths and disclaimers

We find it necessary to start by debunking a couple of myths, in order to explain what this
work is not about1 . After 9/11 (2001), having recognized that some important leads had been
missed prior to the attacks, it was decided that all information was now important and had to
be investigated [146]. In that situation, it was not only the Internet that caused the information
overload, especially since a lot of the information was not open source intelligence, but secret
intelligence, human intelligence, tips from citizens and interrogations of suspects, etc. The goal
was to find out where the next attack would be, which was why the central intelligence agency
(CIA) was put in charge of the terrorism related affairs. But this decision did not help the
investigation to find those involved in the 9/11 (2001) attacks.
This desire not to miss any (potential) lead created a demand for tools that could take all the
(often unprocessed) information and tell the user who the key players are. For 11 years researchers
have been trying to provide such a tool without success2 . But why has this effort failed? Mainly
because of a desire to simplify the world too much and in the wrong way, in order to create a single
red emergency button for providing simple answers to complicated questions, such as “who did
4
CHAPTER 1. INTRODUCTION 1.1. MYTHS AND DISCLAIMERS
it‘” or “who are going to do it?”. That is simply a wrong approach undermining the very nature
of criminal network investigation. That is the first myth, we would like to debunk, formulated as
a question to us (and other researchers in the field):
Myth #1 Isn’t your ultimate goal to create big red “who did it?” or “who are going to do it?”
buttons, for world leaders and decision makers, to weed out the criminals?
No, this has never been the objective of our work. We believe this myth is the result of one of
two visions for artificial intelligence; the compelling vision, that “human intelligence can be
so precisely described, that it can be matched by a machine” [202]; a machine that think and
create new abstractions and concepts, just like living organisms [202]. But this vision has not
yet been realized, the computer cannot detect complex patterns it has never seen [131]. The
other vision for artificial intelligence focuses on the synergies between man and machine [131].
It has been called human-computer symbiosis, and was initially described by Licklider in
1960 [130], and summarized in a 2012 TED talk: “Licklider wanted humans and machines to
cooperate. The idea is that humans are great at certain things, like creativity and intuition.
Computers are great at calculation, scale, and volume. The idea is [. . . ] to take a human and
make [him or] her more capable” [131]. The hypertext research community has developed
many technologies for the “augmentation of human intellect” [62]. We propose hypertext
technology as a bridge between humans and computers to leverage the above mentioned
synergies to solve the complex problems associated with criminal network investigation.
Myth #2 Shouldn’t you consider the ethics of what you are doing before applying social network
analysis algorithms to decide who are criminals and who aren’t?
Well, it has never been our goal to perform rode black box calculations on data sets, and
then think that any criminal network investigator would use that information as his sole
evidence of charging someone with something. As described above, we aim for cooperation
between humans and computers (with the human as the controlling entity), bridging human
intellect and computational power using hypertext technologies to benefit from the resulting
synergies.
Myth #3 Information overload is the key challenge for criminal network investigation?
Sure, information overload (or abundance) is one of several problems for the challenge that
information poses to criminal network investigation. But there are many important chal-
lenges (and related problems) for criminal network investigation to consider. Whether or
not information overload is a problem depends on the nature of the information: How is it
stored, does it contain many different entity types, etc.
All of the above are myths and assumptions. It has always been our intention to understand the
processes involved in the work of criminal network investigators, the structures of the criminal
network information that investigators collect, process and analyze, and the human factors that
decides the successes and failures of criminal network investigations. Our work has always been
about that, and this dissertation is about that. Before continuing, we encourage our readers to
study the following disclaimers as well:
Disclaimer #1 While we have studied visualizations and layouts to some extent, this work does
not focus on visualization. This causes some problems, as one reviewer has pointed out to
us, “it is unfair to compare the strengths of one tool with the weaknesses of another tool” -
a situation that occurs in Chapter 15, when we present an capability comparison of various
representative tools. We do, however, discuss visualization (also in Chapter 15).
Disclaimer #2 This is not a big data analytics project. While the aim might be the same, the
means are not. In a recent talk, Chen (2012) stated that a research aim of “leveraging big
data analytics [for] delivery of a patient-centric decision support and patient empowerment
solution”3 . The general approach of the research was first to understand the information
5
1.2. CHALLENGES CHAPTER 1. INTRODUCTION
structures in a certain domain (e.g., health or security informatics), then create database
tables to match these information structures before applying big data analytical methods.
The understanding of information structures had taken two years for the health informatics
domain. When asked after his talk, Chen admitted that this was indeed a somewhat static
approach, in that if changes were made to the structures, all the data would have to be
aggregated again before analytics could continue. Actually, Chen was facing a concrete
challenge of transitioning from version 9 to version 10 of the international classification of
diseases (ICD).
Disclaimer #3 I am first and foremost knowledgeable in the domain of software systems engi-
neering with a strong foundation in hypertext technologies. However, as it will be clear later
on, a prerequisite to successful software development is understanding the domain. Taking
a course on media and terrorism in the middle east and participating in and giving a talk
at an interdisciplinary conference on terrorism and new media has made it clear that I am
not an expert in global jihad or radicalization processes. But it has made it possible for
me to talk to people who are. Nor has reading books about organized crime or watching tv
shows about criminals selling drugs made me an expert in these matters. But participation
in the annual European international security informatics conference (EISIC) 2011 and 2012
has provided me with new ideas and a network of people who work within that domain.
And studying research areas such as human cognition, creativity, information science, social
science, and so on, has not made an expert on these areas either. But it has to some extent
made me knowledgeable about the different areas of research and made it possible for me to
talk with the real experts about it.
1.2 Criminal network investigation challenges

Criminal network investigations fail. The reasons for failure can be found in one or several chal-
lenges complicating criminal network investigation. The sciences have been developing solutions
to either dealing with the root causes of crime, others to develop tools and techniques to assist
criminal network investigators. Computer science offers many techniques and software systems en-
gineering has been building tools that assist investigators in applying those techniques to ongoing
criminal network investigations. However, many challenges are also associated with developing
support of a computer science technique and then have a criminal network investigator use it
(e.g., an agency intelligence agent, a homicide detective, or a reporter), often resulting in tools
and techniques that look good on paper but are actually not used during investigations:
I typically use Analyst’s Notebook to generate a report for the state attorney han-
dling the case in court. I do not use Analyst’s Notebook before I am done with my
analysis. Statement (translated from Danish) by an intelligence analyst from the
Danish security and intelligence service, who we met at an Analyst’s Notebook user
conference4 .
Analyst’s Notebook is good for making visualizations but it has a very static feeling
to it. Statement from Alexander Strick van Linschoten, a historian, investigative jour-
nalist, and an author of several books (e.g., [134]) at a meeting on Trafalgar Square,
London.
Based on cases and observations of criminal network investigation, contact with experienced end-
users from various communities (see Section 15.2), examination of existing process models (see
Sections 3.3 and 3.4) and existing tools for criminal network investigation (see Chapter 4) we
maintain a list of criminal network investigation challenges. The list of challenges can be seen as a
list of potential pitfalls that can cause criminal network investigation failure, either on their own,
or in combination with other challenges; the list serves as the basis for our problem definition and
research focus. The list is not exhaustive; we expect to uncover additional challenges over time.
6
CHAPTER 1. INTRODUCTION 1.2. CHALLENGES
We divide criminal network investigation challenges into the following groups: information, pro-
cess, context, human factors, tacit knowledge, management, and finally problems related to politics
and legal framework. Some of these challenges are more relevant than others in terms of developing
software tools supporting criminal network investigation. We therefore review them all here, but
do not make a detailed review of political and legal framework challenges - we merely recognize
that they are there.
Information. Criminal network investigation challenges related to information are many, e.g.,
the structure of the information is often emerging and evolving, i.e., no pre-defined structure
can be applied to guide the analysis work. Information abundance and scarcity are other central
problems. Finally, the information might be inconsistent and impartial, showing variation in types
of meta data or missing entities. The following quotes emphasize these problems:
“No, there was no shortage of information. There was too much – a blizzard of it,
a whiteout so complete investigators routinely lost their way in it.” - in the months
after 9/11 FBI and CIA analysts received an “overpowering” amount of unprocessed
intelligence, and the fear of the next attack made them “chase tens-of-thousands dead
end leads” [146].
We typically have much less data, or not so many attributes, as it was the case in
the November 17 case you used - comment from intelligence analyst after presenting
work on inference-based prediction at the British Home Office [167].
Process. It has certain consequences whether the criminal network investigation follows a linear
process model or a target-centric process-model. Research of linear intelligence cycles has shown
it to define an “antisocial series of steps that constrains the flow of information [. . . ] and too often
results in throwing information over the wall ” [40], causing compartmentalization5 [40, 113, 146].
For security reasons, compartmentalization can seem compelling, since it provides organizations
and departments complete control over the information they receive, and the information which
they disseminate to the next link(s) in the chain. But the approach has received bad reviews in
prominent commission reports [45, 110, 152, 153], which should weigh heavier than the desire for
complete control.
“With a better working methodology and a wider focus the Norwegian police security
service (PST) could have tracked down the offender prior to July 22. However, the
commission does not have the basis for arguing that PST thereby could have preempted
the attacks.” - One of six main conclusions in the July 22 Commissions report [153].6
“The police has for 10 years isolated themselves and rejected all criticism. Nor-
wegian police has been very closed and unwilling to change. The commission repeats
criticism that has been raised many times before, but this time they can not reject it.”
- translated comment by Professor Petter Gottschalk when interviewed about the 22
July Commissions report [78].7
Context. The location of a criminal network investigation (e.g., country or neighborhood) can
influence what technologies and tools are available for an investigation. If the country of the inves-
tigation has a high level of corruption, it can be hard to trust the information given by government
officials, because their affiliations are not known. The organization leading an investigation can
have a different approach to investigation, deeply rooted in their culture, making cooperation with
others complicated. Two competing intelligence agencies could also inhibit investigative progress
for one another. Simple things, like the control of surveillance cameras or the interception of cell
phone calls, could mean an important difference in available intelligence. If the investigators and
the criminals are at the same level in terms of technology and tools, the investigators are not likely
to gain an advantage based on that.
7
1.2. CHALLENGES CHAPTER 1. INTRODUCTION
“Societies where there are strong professional law enforcement and intelligence
forces are very different in their susceptibility to terrorist attack from societies where
the police and security services are weak, corrupt or compromised.” - Woo (2009)
comments on the difference in environments (or contexts) that criminal network inves-
tigations might have to navigate [252].
“Here on the ground in Karachi [. . . ] the people conducting the raids and brushing
off death threats do not have the most rudimentary printer, let alone computers, access
to databases, cell phones. They don’t even have decent cars.” - Mariane Pearl on
the technology available in Karachi, Pakistan, for the team investigating her husbands
kidnapping [162].
Human factors. Knowledge about how human cognition and creativity helps investigators solve
problems and is important for a better understanding of the human factors involved in criminal
network investigation. There are also a number of important aspects when investigators solve
crimes together: Because of the different professions, traditional ways of doing things, and their
personal knowledge (see below) of the members on the investigative team it can be challenging to
work with a shared target model, in a so called common information space. When investigators
use tools for criminal network investigation, the factors make them trust the information that
these tools are of course of high value (just as the factors that have the opposite effect).
“The human mind does not work that way. It operates by association. With one
item in its grasp, it snaps instantly to the next that is suggested by the association
of thoughts, in accordance with some intricate web of trails carried by the cells of
the brain.” - Bush (1945) denouncing that humans find information by traversing a
complex hierarchical structure of classes [33].
“One [type of creativity] is to be flexible and freely associating - the traditional un-
derstanding of creativity, and what might be called the artistic approach. The other type
of creativity is to be persistent and focused – a more rational and conscious creativity,
which we maybe could call the engineering approach” - interview with leading cogni-
tion researchers Carsten De Dreu and Bernard Nijstad about a model of two types of
creativity [210].
“Many researchers have attempted to explain the mass of evidence contradicting

[the] claim that real group creativity is more effective than nominal group creativity.
The three major explanations that have been explored thoroughly by the creativity com-
munity are the social influences of production blocking, evaluation apprehension and
free riding.” - Warr and O’Neill (2005) commenting on the well documented fact that
real groups (individuals working face-to-face) are actually less creative than nominal
groups (individuals working independently) [239].
Tacit knowledge. The kind of knowledge that investigators apply during investigations and
which is learned through experience. It might be possible to document this knowledge, but during
investigations is often applied in an ad-hoc manner and cannot be quantified and then be dissem-
inated to other investigators (and tool support is therefore also not possible). Interrogation is a
prominent example of such tacit knowledge: asking the right questions, tricking the suspect or
potential suspect by setting up traps that make them give up their secrets.
“This, too, is role playing, and it requires a seasoned actor. If a witness or suspect
is belligerent, you wear him down with greater belligerence. If the man shows fear, you
offer calm and comfort. When he looks weak, you appear strong. When he wants a
friend, you crack a joke and offer to buy him a soda. If he’s confident, you are more
so, assuring him that you are certain of his guilt and are curious only about a few select
details of the crime.” Simon (1991) on interrogation [204].
8
CHAPTER 1. INTRODUCTION 1.2. CHALLENGES
Management. The capabilities of the individual investigator will have different impact on the
decisions made by, i.e. the shift manager. The approach of the team manager can affect the
outcomes of investigations: If the leader is playing the statistics game and adhering to what
his superiors say, then maybe only a certain type of cases are being solved. And if higher level
management does not provide the investigative teams with the warrants, technology, tools, and
general resources they need, it is certain it will have an effect on the outcome of criminal network
investigations?
Politics and legal framework. What kind of resources does politicians make available for the
criminal network investigation units. What legal framework does the investigators have to follow
- is there even a framework of laws? Police and counterterrorism organizations are institutions of
power, existing in a forced and ever changing relationship with the media, the world of the inves-
tigative journalist and proliferation of terrorism, where the publication of a new lead as provided
by an anonymous source can send ripples through those organizations, relocating resources and
changing the focus from open investigations to current issues in order to protect the power of the
leadership.
1.2.1 Selecting challenges

In order to select the challenges to work on we have positioned them in the matrix of criminal
network investigation challenges as shown in Figure 1.1. The challenges are positioned on the
y-axis based on their coupling with criminal network investigation compared to an institution or
an environment. The challenges are positioned on the x-axis, based on an estimate of whether or
not the challenge is quantitative and can be modeled, or if it is more internal and qualitative, not
suitable for modeling.
Of the seven listed challenges we choose the three in the upper left quadrant (information, pro-
cess and human factors), as these are the challenge characteristics we find suitable for software
system support. And more importantly, they are the challenges we believe that a software system
would have the biggest impact on, in terms of criminal network investigation success. Proper
management of investigators could be an important way to successful investigations, and even
though it could be argued that resource management could be added to a software system, we
find management to be too tightly coupled with the organization (e.g., intelligence service). And
while the context of a criminal network investigation (as mentioned above) may be the reason for
an unsuccessful investigation, and it could be argued that for example the level of corruption in a
country where a crime is being investigated could be measured, we find context too tightly coupled
with environments and difficult to manage, that the effect of software system support would not
be beneficial or useful.
We state the following general hypothesis based on the three selected criminal network investiga-
tion challenges:
A software system addressing information, process, and human

factors challenges would be a useful tool for assisting criminal
network investigators in their work.
1.2.2 Research focus

We define a research focus for each of the problem areas we have decided to focus on, namely
information, process, and human factors, to guide our work:
1. Information: A basic understanding of criminal networks (types, cases, etc.) and criminal
network information (complexities, structures, etc.) is required to define an appropriate
conceptual model thereof. Related to that is a study of analytical techniques, to find those
techniques suitable for criminal network complexities and structures.
9
1.3. THEORY AND TECHNOLOGY CHAPTER 1. INTRODUCTION
Figure 1.1: Matrix of criminal network investigation challenges. Along the y-axis is the degree of
coupling to criminal network investigations vs. institutions or environments, and along the x-axis
is an estimate of whether or not the challenge is quantitative and can be modeled, or if it is more
internal and qualitative of nature, hence not suitable for modeling.
2. Process: A criminal network investigation process must support the mechanisms required
for successful investigation of criminal networks. The investigative process should not intro-
duce compartmentalization and bureaucracy to please management or organizations, thereby
inhibiting the natural flow and ultimately the success of the investigation.
3. Human factors: Knowledge about the human factors involved in criminal network investi-
gation is key to the development of a software system that truly supports criminal network
investigation processes. Both in terms of how investigators solve problems cognitively and
general consideration of interactions with information and algorithms required for criminal
network investigation.
In Section 6.1.1, 6.2.1 and 6.3.1 our research focus is outlined based on the challenges presented
here.
1.3 Theory and technology

At a 2010 conference on advances in social network analysis and mining8 , a trend was observed:
Network science is a multidisciplinary field of research at the intersection of the computing, statis-
tics, and the social and behavioral sciences. Keynote speaker of the conference, Stanley Wasser-
man, co-author of the often referred to book on social network analysis [240], based his talk on
the following statement: The invasion of network science by computer scientists has produced
much interesting, both good and bad research. Another keynote speaker, Chris Pallaris, director
and principal consultant of i-intelligence, had the conference participants come full circle stating
that the intelligence discipline is increasingly divided between analysts and technologists: the for-
mer struggle to grasp technology’s potential while the latter often fail to appreciate the human
challenges associated with intelligence collection and analysis.
Having established that network theory for criminal network investigation purposes is a interdis-
ciplinary field of research, we began to think about how to bridge the gab between social and
behavioral sciences, and computer science. We have divided software system support of criminal
network investigation into a number of pillars, each representing a high-level functional or non-
functional (sometimes it is a mix) software system requirement. The building blocks of the pillars
are theories or technologies from various research areas. We introduce those pillars of theory
and technology here (see Figure 1.2), and elaborate on them and present detailed reviews of each
building block in Chapter 5.
10
CHAPTER 1. INTRODUCTION 1.3. THEORY AND TECHNOLOGY
Figure 1.2: Criminal network investigation pillars of theory and technology. Each pillar represents
important aspects of engineering software tool support for criminal network investigation.
11
1.4. CRIMEFIGHTER TOOLBOX CHAPTER 1. INTRODUCTION
As indicated in Figure 1.2 the list of pillars is not exhaustive and the theories and technologies
are not limited to the ones shown inside each pillar; we expect to uncover additional theories and
technologies for all five pillars (and potentially new pillars) over time.
1.4 CrimeFighter toolbox

Several knowledge management processes are involved in the attempt to provide a toolbox that
can support intelligence analysts in their work with terrorist information as shown in Figure
1.3 [247]. As mentioned earlier, we focus on supporting the management of knowledge (last
column), primarily the analyzing knowledge management phase focused on support of the work
with emergent and evolving structure of terrorist networks to uncover new relationships between
people, places, events, etc. However, the interpreting and visualizing knowledge management
phases will also play a role.
Figure 1.3: Knowledge management processes for counterterrorism
To support the knowledge management processes described, CrimeFighter provides a number of

tools (Figure 1.4). The CrimeFighter toolbox philosophy is that the humans (criminal network
investigators) are in charge of the knowledge management processes and the tools are there to
assist the analysts. “The toolbox contains the following semi-automatic tools [. . . ] that need to
be configured by the intelligence analysts to perform the dedicated task. After configuration, the
tool will automatically perform the dedicated task” [247]:
Web harvesting tools make use of data acquisition agents (spiders) to harvest data from the
Web. The spiders are controlled by the data conversion tools.
Data conversion tools are responsible for both collecting (through spiders) and transforming
data.
Data mining tools provide selected data mining algorithms to discover new knowledge in
data based on defined patterns.
Social network analysis tools perform analysis to uncover new patterns and to gain deeper
knowledge about the structure of terrorist networks.
12
CHAPTER 1. INTRODUCTION 1.4. CRIMEFIGHTER TOOLBOX
Visualization tools use graph layout algorithms to visualize discovered knowledge regarding
terrorist networks. It can also be used as a graphics engine to support some of the tasks
performed by the other tools in the toolbox.
“The toolbox also contains the following [human-centric] tools”, supporting “the intelligence ana-
lysts in performing specific tasks by providing dedicated features that enhance the work efficiency
when performing manual intelligence analysis work” [247]:
Knowledge base tools help maintain the knowledge base by allowing intelligence analysts
to explore and revise the knowledge base content as well as to work with meta data.
Structure analysis tools focuses on supporting the manual work with emergent and evolv-
ing structure of terrorist networks to uncover new relationships between people, places,
events, etc.
Figure 1.4: Tools supporting the knowledge management processes
CrimeFighter Investigator is part of the CrimeFighter toolbox. The CrimeFighter toolbox for
counterterrorism is a novel approach to terrorism network analysis [245]. The goal is to provide
a number of desktop tools that are grouped into three overall software packages each containing
knowledge management tools and services relevant to counterterrorism [247]. These tools and
services are designed and implemented to enable them to inter operate and exchange information.
The CrimeFighter toolbox is depicted in Figure 1.5.
The Explorer and Investigator packages each support different knowledge management processes
that result in generation of terrorist networks consisting of nodes and links. These terrorist
networks are stored in the knowledge base. The Assistant package provides various features to
analyze and visualize networks - as generated by the Explorer and Investigator packages.
The research on CrimeFighter can be divided into four overall areas:
1. CrimeFighter Explorer is a software package with various services aimed at acquiring

data from open sources and extracting valuable information from the data by processing it
in various ways (filtering, mining, etc.).
2. CrimeFighter Investigator is a software package that provides various services that en-
ables an intelligence analyst to work with emergent and evolving structure of terrorist net-
works to uncover new relationships between people, places, events, etc.
13
1.5. DISSERTATION STRUCTURE CHAPTER 1. INTRODUCTION
Figure 1.5: The CrimeFighter toolbox for counterterrorism.
3. CrimeFighter Assistant is a software package with various services that supports anal-
ysis and visualization of terrorist networks. Terrorist network analysis is aimed at finding
new patterns and gaining a deeper knowledge and understanding about terrorist networks.
Terrorist network visualization deals with the complex task of visualizing the structure of
terrorist networks.
4. CrimeFighter toolbox architecture. In order for the developed tools and services to
be able to inter operate and exchange information, the overall software architecture of the
toolbox must enable a service in one package to use a service in another package. For
instance, the structure generated by the services of the Investigator package must be able to
use the analysis and visualization services available in the Assistant package.
1.4.1 CrimeFighter Investigator within this framework

The CrimeFighter toolbox describes a knowledge management angle for counterterrorism inves-
tigation tools, from the automatic harvesting of different data sources, over the processing and
mining of the information, to counterterrorism knowledge building. Within this framework, Crime-
Fighter Investigator covers the human-centric knowledge base and structure analysis tools. For
CrimeFighter Investigator seen in isolation, we have taken a hypertext approach to understanding
these knowledge management problems. It means, that we use hypertext technology to support
knowledge base, structure analysis, and other tasks, and we therefore do not consider the other as-
pects of the broader knowledge management perspective, nor do we review knowledge management
theory elsewhere in this dissertation.
We have extended the focus initially outlined for the CrimeFighter toolbox to cover criminal
network investigations in general, not only counterterrorism investigations. That means that we
cover a wider range of crime types (Figure 1.6) and investigation domains (Figure 1.7). When
studying crime literature, we came across different crime types and matching investigation domains
with the same underlying characteristics in terms of ill structured problems, investigative approach,
and generation of new leads based on analysis.
1.5 Dissertation structure

We outline the dissertation structure in this section and provide a few suggested reading directions
according to the expected primary interests of the reader (see Section 1.5.1). The dissertations
overall structure and individual chapters is shown in Figure 1.8.
The dissertation is divided into four parts. Part I introduces the dissertation and describes the
method we have used to develop a tool for criminal network investigation:
14
CHAPTER 1. INTRODUCTION 1.5. DISSERTATION STRUCTURE
Figure 1.7: We have extended our focus from

counterterrorism to three specific investigation
Figure 1.6: A selection of different types of domains with similar characteristics: policing,
crime we have come across when analyzing intelligence analysis, and investigative journal-
criminal network investigation. ism.
Figure 1.8: Ph.d. dissertation structure.
Chapter 1 (Introduction) starts out by debunking some myths about our work which people
have confronted us with during the last three years, either when presenting at conferences,
having lunch with colleagues or discussions about work with family and friends. We also
present a number of disclaimers to provide an understanding of the boundaries for our
research in criminal network investigation, a subfield of security informatics 910 . Normally
it is discouraged to define something by what it is not, but we feel it is necessary here to
provide the reader with an opportunity to get an initial idea of what this Ph.D. dissertation
is about.
We outline a list of criminal network investigation challenges Chapter 1 (Section 1.2), and
argue our choice to focus on three of them (information, process, and human factors) for
software system support (Section 1.2.1). To guide our research we analyze problems related
to each of the challenges and formulate research focus requirements as a response to these
problems. Our research has been based on extensive literature reviews of related research
15
areas (theory) and studies of relevant technologies (see Section 1.3), together they constitute
our state-of-the-art on criminal network investigation11 . Section 1.4 describes the role of
CrimeFighter Investigator and the other tools in the CrimeFighter toolbox. The section also
discusses how we expanded our focus from counter terrorism to criminal network investiga-
tion. The introduction is concluded with this section on the structure of our dissertation
and provides reading directions for different categories of readers (see below).
Chapter 2 (Method) deals with both the general method applied throughout the entirety of
the Ph.D. project described in this dissertation, in terms of literature studies, software
development, how paper writing has been planned and done, conference participations etc.
This work was guided by Bardram’s (2007) so called fish model (see Section 2.1).
Our software development methodology has been an iterative approach to incrementally
implementing tool support for criminal network investigation tasks based on the research
focus requirements. Software increments have been proof-of-concept prototypes supporting a
specific criminal network investigation task or work flow and we therefore have both a general
review of prototyping and the (our) more specialized proof-of-concept prototyping in Section
2.2. Section 2.3 covers our approach to acquiring empirical evaluation of our developed
concepts, which has been a mix of the prototyping already described, case-studies, end-
user (usability) feedback and measures of performance. Finally, we describe the framework
provided to us by our employer, University of Southern Denmark (Technical Faculty), within
which we had to conduct our research (Section 2.4)
Part II describes various aspects of our domain criminal network investigation. First, we take a
closer look at criminal networks and investigation thereof: what is a network, what is a criminal
network, and how do investigators investigate networks? Then we study what existing knowledge
(theory) and technology that is useful, in terms of understanding and supporting criminal network
investigation. What are the existing tools and what can they do? In the final chapter of this part
of the dissertation we define the problem by describing a number of specific problems and give
detailed descriptions of research focus requirements as a response to these requirements.
Chapter 3 (Criminal network investigation) is a difficult research area to frame. The net-
work part indicates links to the field of network science comprising complex systems research.
Criminal tells about the nature of the information in the network. But unlike other domains,
deciding what is and what isn’t criminal network information is something rooted in our laws,
unlike the biologist’s classification of let’s say butterflies (see Section 3.1). Criminal network
investigations such as police investigations, intelligence analysis, and investigative journal-
ism share many characteristics, and we use example from each of these to define the type of
criminal network investigation we want to support (Section 3.6). Knowledge about the struc-
tures that criminal networks have formed in the past, is an important tool for investigators,
and we review both meta structures and sub structures in Section 3.2.
Investigation is a process with the aim of producing an intelligence product for the customer
(decision maker). Like any other process with a specific end goal, several types of processes
have been developed. We review the traditional linear investigation process (Section 3.3)
as well as a new target-centric approach (Section 3.4). Finally, we present four criminal
network investigation cases in Section 3.5, describing the aspects of each investigation, that
we find to be particularly interesting.
Chapter 4 (Related work) focuses on reviewing commercial tools (Section 4.1), research pro-
totypes (Section 4.2), and investigative journalism tools (Section 4.3. We try to emphasize
the areas where the tools are strong, i.e., their support of criminal network investigation
tasks that could help reduce the impact of criminal network investigation challenges. At
the same time we also highlight support of investigation tasks that would inhibit criminal
16
CHAPTER 1. INTRODUCTION 1.5. DISSERTATION STRUCTURE
Chapter 5 (Theory and technology) is dedicated to presenting the theories and technologies
that are part of our state-of-the-art for criminal network investigation. Some theory and
technology is core to criminal network investigation, like: hypertext, semantic web, human
cognition, the creative process, intelligence, and mathematical models, and they receive more
attention i Chapter 5 because of that. But theory from information science and social
science, knowledge about simple tools for idea generation, case studies of sub groups and
individuals, ethics, trust and user acceptance, and interaction and visualization are also
important, and therefore introduced.
Chapter 6 (Problem definition and research focus) is a crucial chapter, as it binds our dis-
sertation together. The chapter takes the three challenges selected in Chapter 1, and based
on the domain knowledge acquired in Chapter 3, 4, and 5, problems associated with the
three challenges are analyzed, and four research focus requirements to guide the tool de-
velopment are formulated for each challenge. The research focus requirements are used
throughout the dissertation. The introduction to Part II (the domain) contains a map of
the interrelationships of chapters with Chapter 6 at the center.
Part III presents our model for criminal network investigation and outlines the boundaries for tool
support. Analysis, design and implementation is described for each of five investigation processes.
Chapter 7 (Process model and tasks) This chapter presents a target-centric and iterative
model for criminal network investigation, addressing the problems of linear process models.
The model has five main processes (acquisition, synthesis, sense-making, dissemination, and
cooperation), and the role of each process is described. A list of criminal network investi-
gation tasks for each of the five processes is also described. Further analysis, design, and
implementation of each individual task is presented in Chapter 9 to Chapter 13.
Chapter 8 (Concepts, models, and components for CrimeFighter Investigator) starts out
by presenting the foundation for our tool support: a conceptual model with first class enti-
ties is presented in Section 8.1. We separate mathematical and structural models, to provide
a computational model that can apply algorithms to the emerging and evolving structures
synthesized by investigators (see Section 8.2). Knowledge management and hypertext con-
cepts are introduced together with a list of software components (Section 8.3), requirements
for key components are presented in Section 8.4, and designs for three of these components
are presented in Section 8.5.
Chapter 9 (Acquisition) is a process assisting investigators in dealing with information arriv-

ing from various sources. As it will be mentioned later, the acquisition and dissemination
processes have received less attention compared to synthesis and sense-making. The chap-
ter presents analysis, design, and implementation of selected acquisition tasks for criminal
Chapter 10 (Synthesis) tasks assist investigators in enhancing the target model. The chapter
presents analysis, design, and implementation of selected synthesis tasks for criminal network
investigation.
Chapter 11 (Sense-making) tasks assist investigators in extracting useful information from

the synthesized target model. The chapter presents analysis, design, and implementation of
selected sense-making tasks for criminal network investigation.
Chapter 12 (Dissemination) tasks help the investigative team to formulate their accumulated
knowledge for the customer. The chapter presents analysis, design, and implementation of
selected dissemination tasks for criminal network investigation.
Chapter 13 (Cooperation) Cooperation has received little attention in our research, and this
chapter therefore contains a brief introduction to thoughts and analysis of support for the
17
cooperation tasks defined in Chapter 7, together with a short description of implemented

support for one cooperative task, sharing the common information space.
Part IV describes our evaluation approach and discusses the results, presents our final conclusions
and outlines future work.
Chapter 15 (Evaluation and discussion) evaluates our tool support for criminal network in-
vestigation using three methods: end user interviews (Section 15.2), capability comparisons
(Section 15.3), and measures of performance (Section 15.4). The evaluations are summa-
rized and discussed. The chapter also discusses the issues of visualization and end user
involvement in tool development and evaluation.
Chapter 16 (Conclusion and future work) concludes the Ph.D. dissertation by summariz-
ing our research. We make our conclusions about support for research focus requirements,
criminal network investigation challenges, and the hypothesis in Section 16.2. Our contribu-
tions are presented in Section 16.3 and future work in terms of literature studies, software
development, and software evaluations in Section 16.4
1.5.1 Reading directions

All readers should start with the introduction in Chapter 1, and our debunking of myths, and
project disclaimers, and then continue to the category below more suitable for them (we apologize
if any readers feel left out):
Academics in security informatics. We would of course like to say that the dissertation in
its whole is relevant for readers in this category. However, it might be relevant first to
skim through the myths and disclaimers in Chapter 1 and then, if it still sounds relevant
and interesting, turn to Chapter 3 to see if our focus areas within the domain of criminal
network investigation matches the reader’s expectations. After that, we suggest the reader
proceeds freely, to his or her liking.
Decision-makers (government and private). Readers in this category might have a primary
interest in the operational application of the concepts we have developed for criminal network
investigation and the evaluation and discussion thereof. For these readers we recommend
studying Chapter 3 on criminal network investigation first, and then quickly turning the
focus toward Chapter 9 to Chapter 13 to read about our implemented support for individual
criminal network investigations, or go straight to Chapter 14 for a description of criminal
network investigation work flows and our support thereof.
The media might find it interesting to start by reading the dissertation abstract, and then turn
to the final chapter of the dissertation, Chapter 16, for our general conclusions and lists of
contributions. If more information is required about a certain contribution, the reader may
return to this section (or the list of contents), to locate the chapter(s) with more information
related to the particular contribution.
18
CHAPTER 2
Method
Today functional problems are becoming less simple all the time. But
designers rarely confess their inability to solve them. Instead, when a
designer does not understand a problem clearly enough to find the
order it really calls for, he falls back on some arbitrary chosen formal
order. The problem, because of its complexity, remains unsolved.
Christopher Alexander (1964), in notes on the synthesis of form [8]
Iteration is a significant component of design activity that occurs

frequently throughout the design process; and measures of iterative
activity were significant indicators of design success . . . and greater
engineering experience.
Adams (2002), on constitution of designs [132].
This chapter presents our method. The development of suitable software system support for
criminal network investigation is a, by no means, simple problem. We have approached this
problem iteratively, to get an incremental understanding of the challenges involved, in the hope
that we would not “fall back on some arbitrary chosen formal order” [8], as Alexander (1964)
warns solution designers in general. We hope that our method will help others to understand and
create their own support for criminal network investigation as well. We find our method to be a
general method for solving ill structured problems.
We have followed Bardram’s (2007) fish model during the three years of research (see Figure 2.1):
first, a open-minded approach to the problem during the first year (the fish head), then a one
and a half year where the focus is continuously narrowed (the fish body) and then a short six
month period of writing the dissertation (the fish tail). This overall process is outlined in Section
2.1. Our software development methodology has been iterative and incremental, each increment
a proof-of-concept prototype, a manifestation of a design idea that concretize and externalize a
conceptual idea [132] (see Section 2.2). Our method for empirical evaluation is tightly coupled
with our prototyping approach, but also has other aspects, such as the use of case-studies, which
are described in Section 2.3. Finally, we take time to describe the study program we have followed
in Section 2.4, since the Danish model only leaves room for 18 months of actual research during
three years of Ph.D. studies. We feel it is necessary, that our work is evaluated accordingly, but
more importantly it is the framework within which we had to conduct our research, and hence
19
2.1. GENERAL PH.D. APPROACH CHAPTER 2. METHOD
relevant for our method.
2.1 General Ph.D. approach

Bardram’s (2007) fish model [22] shown in Figure 2.1 has provided the process framework for our
Ph.D. project and research.
Figure 2.1: Bardram’s (2007) fish model [22] describes a useful framework for a 3 year Ph.D.
project: the open minded phase (12 months), followed by an increasingly focused phase (18
months), and finally the writing up phase (6 months).
In the first year our overall goals were: (1) to conduct literature studies of the application domain
and the relevant supporting research fields. (2) to develop a first set of design concepts for the
software tool and to evaluate the concepts based on a first prototype. This was achieved using an
open-minded approach as described in Figure 2.1. The first year of our Ph.D. project included
activities such as attending courses & conferences, conducting literature studies (reading related
work etc.), prototype development (which includes making experiments) and participating in and
organizing various conferences and symposiums, such as the international workshop on countert-
errorism and open source intelligence (2009), the international conference on advances in social
networks analysis and mining (2010), the international symposium on open source intelligence ‘&
web mining (2010) and finally giving an invited presentation at the interdisciplinary terrorism and
new media conference (2009)12 .
The work in year one made it possible for us at the beginning of the second year to start writing and
publishing papers. The first one was for Hypertext 201113 describing a model of criminal network
investigation we had developed14 , indicating the responsibilities of tools for criminal network
investigation and humans (investigators) [174]. The year continued with further implementation
of the system requirements outlined in that paper. Half way through my second year I spent
a month in London at Imperial College, Institute for Security and Science Technology, where I
studied inference prediction methods under the supervision of Dr. Christopher J. Rhodes. At the
end of the year I went to Germany and visited University of Hof, Institute of Information Systems,
where I studied spatial hypertext and started the analysis and design of usability experiments
under the supervision of institute director Dr. Claus Atzenbeck.
20
CHAPTER 2. METHOD 2.2. SOFTWARE DEVELOPMENT METHODOLOGY
The third year focused on continued increments of CrimeFighter Investigator, authoring of confer-
ence papers, a journal paper for the Springer security informatics journal (special issue on criminal
network investigation) [176], and a book chapter for the Springer handbook on computational ap-
proaches to counterterrorism [175]. The final months were focused on writing up the dissertation,
aggregating all published and unpublished work into one cohesive whole.
2.2 Software development methodology

During periods of software development, we have applied our own knowledge about best agile
practices [170–172] and concepts from agile development literature (e.g., [11, 43, 44, 125]). The
cycle shown in Figure 2.2 is representative of both the overall release as well as the intermediate
iterations15 . The client testing upon delivery of a release is of course the intended end user (i.e.
intelligence analyst), while the client testing the software after delivery of an iteration is most
likely to be the supervisor, co-supervisor or other lab members. In the beginning, feedback would
primarily be the result of discussions at supervisor meetings, and as the prototype grows it would
become more and more about specific requirements for the prototype.
Figure 2.2: A typical agile development loop of feedback, coding, delivery, and client testing. The
cycle can be a month, a week, or even a day on an agile project, whereas the traditional alternative,
sequential water fall methods, typically have cycles of several months to years, providing the
development team with less feedback to learn from and adapt to [43].
Prototyping will be based on relevant scenarios related to the criminal network investigation
domain. Selected scenarios are described in Section 3.5 and provide requirements and design
concepts for initial prototypes.
2.2.1 Prototyping reviewed
This is primarily a review of Floyd (1984) [70], which we find relevant because a prototypes have
formed the increments of our work. In this review, we focus on the term prototype in relation
to software development, the different steps that characterizes prototyping and the different ap-
proaches to prototyping. We have included reviews of specific parts of the article relevant for our
work.
21
2.2. SOFTWARE DEVELOPMENT METHODOLOGY CHAPTER 2. METHOD
A software development prototype: process not product
A “prototype” literally means “first of type”, a notion which makes sense in those
branches of engineering where the manufacturer’s aim is to mass-produce goods of the
same type.
Software development prototyping however takes place in the context of an overall system devel-
opment process. When we use the term “prototyping” in connection with software development it
indicates that we are primarily interested in the process rather than the “prototype” as a product.
Due to a number of working experiences a lot of software developers are motivated to employ an
approach that involves an early practical demonstration of relevant parts of the desired software
on a computer.
According to the iterative and incremental cycle of agile software development described above,
prototyping helps introduce the element of communication and feedback. The degree of this
depends on the chosen approach to prototyping.
The four steps of prototyping
Prototyping can be seen as consisting of four steps; functional selection, construction, evaluation
and further use:
1. Functional selection refers to the choice of functions which the prototype should exhibit.
The interesting part of this is that the selection should be based on work tasks relevant for
a later demonstration. The prototype is usually differentiated from the final product, by
selecting a few functions that are completely implemented (“vertical prototyping”, see figure
2.3) or a larger set of functions not implemented in detail (“horizontal prototyping”, see
figure 2.3). The two directions are often both used in a single prototype.
Figure 2.3: If you have a set of system requirements (functions) to prototype, then horizontal
prototyping means implementing a few of those functions completely and vertical prototyping
means implementing some part of many functions.
2. Construction refers to the effort required to make the prototype. When constructing the
prototype focus should be kept on the selected functions that are expected to be working at
the intended evaluation. This also means that “certain quality requirements pertaining to
the final product, such as reliability, data security or efficiency” [70] can be omitted, unless
these requirements are supposed to be part of the demonstration. Morale: You should only
do what is necessary in order to get the prototype ready for demonstration.
3. Evaluation is the step where it is decided how to proceed with the further development of
the prototype. Hence it is important that all necessary resources are made available during
22
CHAPTER 2. METHOD 2.2. SOFTWARE DEVELOPMENT METHODOLOGY
the evaluation. The communication channels should be considered at the level of which the
evaluation takes place, e.g. problems arising from man-machine or man-man interactions
should be considered.
4. Further use of prototype. The prototype can be used “as a learning vehicle and be
thrown away after wards, or it may be used fully or partially as a component of the target
system” [70]. Creating the learning process involves the following aspects:
Early availability (e.g. rapid prototyping),
Demonstration, Evaluation and Modification (e.g. user feedback at evaluation
of demo results in a modification of the prototype),
Teaching and Training (preparing users for their work with the target system),
Commitment (users also become stakeholders for design and functionality demon-
strated by the prototype)
It must be kept in mind that if a prototype is demonstrated and there is a
discussion with the prospective users about its evaluation, the commitment to
the target system is very strong. Should essential changes of some features of
the prototype be made during implementation of the final product without the
explicit content of the user, serious problems regarding its acceptance must be
expected.
We find the most important points for our work to be those related to commitment (why we
had a complete quote).
Three approaches to prototyping
The purposes for creating a prototype can be many, and Floyd (1984) [70] distinguishes between
the following three broad classes of prototyping:
1. Exploratory prototyping. The emphasis is on clarifying requirements and desirable

features of the target system and where alternative possibilities for solutions are discussed.
2. Experimental prototyping. The emphasis is on determining the adequacy of a proposed
solution before investing in [a] large-scale implementation of the target system.
3. Evolutionary prototyping. The emphasis is on adapting the system gradually to chang-
ing requirements, which cannot reliably be determined in one early phase.
Summary
Since the initial prototypes of this Ph.D. project were based on architecture, design concepts and
specific components from previous research within the same field, as well as development of new
concepts and components all three approaches to prototyping will come into play. We specialize
our approach to prototyping below.
2.2.2 Proof-of-concept prototyping

The above review of prototyping by Floyd (1984) represents the “current approaches in software
[systems] engineering contexts where engineers use prototypes to identify and satisfy requirements”
[132]. A more recent view is that “designers communicates the rationales of their design decisions
through prototypes. Prototypes stimulate reflections, and designers use them to frame, refine, and
discover possibilities in a design space” [132]. Lichter et al. (1993) also mentions communication:
“prototyping provides a communication basis for discussions among all groups involved in the
development process” [129]. Prototypes help traverse design space by their incompleteness. “This
23
2.2. SOFTWARE DEVELOPMENT METHODOLOGY CHAPTER 2. METHOD
characteristic of a prototype - being an incomplete portrayal of a design idea - is the reason behind
[the] metaphorical description of prototypes as filters. [. . . ] When incomplete, a prototype reveals
certain aspects of a design idea - that is, it filters certain qualities” [132].
We have adopted aspects of both the traditional requirements approach, and the communication
of design rationale as well as functioning as a filter for a design space, to create our own proof-of-
concept prototyping approach:
Requirements: We adopt the horizontal prototyping, realizing that our prototypes may span
multiple requirements (criminal network investigation tasks). We adopt a mix of Floyd’s
(1984) three approaches to prototyping: exploratory prototyping; experimental prototyping;
evolutionary prototyping.
Communication and filter: We use proof-of-concept prototypes for communication with su-
pervisor, fellow lab colleagues, readers of scientific papers and of course potential end users.
We use proof-of-concepts prototypes for filtering the design space, focusing on particular
characteristics of prototypes (see Section 2.2.2).
Following Lichter et. al (1993) and the four kinds of prototypes presented there [129], we typically
develop presentation prototypes to present functionality to either our Ph.D. supervisor, other lab
members, potential end users (i.e., intelligence analysts at the British Home Office [167]), or to
explain functionality to the readers of our scientific papers. The presentation prototype then
becomes part of our pilot system (CrimeFighter Investigator), either after some refactorings, or
maybe the architecture is already suitable for the implemented extension. Figure 2.4 (below)
describes our prototyping approach (process in lower left corner), as well as how it relates to the
incremental growth of our pilot system, CrimeFighter Investigator.
Finally, starting with a proof-of-concept approach has been noted as a common characteristic of
successfully funded and high impact intelligence and security informatics projects [37].
How we have designed the prototypes
We have in general focused on interactive visual functionalities, when designing and implementing
our proof-of-concept prototypes (testing human-computer interaction). That means, that graphics
(visualizations) such as information about what is happening on the screen, or which algorithm
currently running, has not been implemented: “the designer screens out unnecessary aspects of
the design that a particular prototype does not need to explore” [132].
2.2.3 Software baseline and CrimeFighter Investigator - evolution from

prototype to tool
The software baseline for this Ph.D. project was the output of our master thesis, the ASAP
tool [170, 171]. The transition from the agile software planning domain to the criminal network
investigation domain is briefly described in [172], and to some extent in Chapter 8 which describes
our analysis of general software components for tool support of criminal network investigation.
ASAP was based on relevant parts of the Construct Spatial Service [246] (Construct from now
on), as illustrated in Figure 2.4. Construct is “a component-based open hypermedia environment
for supporting scholarly work processes such as associative storage and retrieval, information
analysis, and classification in digital libraries” [246]. The concept of digital libraries is highly
related to hypermedia structuring mechanisms. Many investigations within this area focus on
linking structures only, where the Construct environment also “provides support for [. . . ] work
settings such as spatial and taxonomic” [246].
The basic idea of Construct is to assist the user in gaining a clear overview and a fundamental
understanding of a problem domain. Organizing knowledge entities (e.g., research papers, web
24
CHAPTER 2. METHOD 2.3. EMPIRICAL EVIDENCE
pages, brainstorming ideas, scientific quotes, etc.) will reveal relationships between the entities
and their associated topics [246]. This basic idea made Construct very interesting and usable with
regards to ASAP. The following features of Construct were adopted (and refactored to a varying
extent) in by ASAP: a square 2D movable entity with changeable fields, various mouse events for
registering clicks, dragging etc. and the hierarchy feature. Construct had a feature for linking
entities, but it was not utilized in ASAP, and therefore had to be re-introduced when starting the
work on CrimeFighter Investigator. We refer to Chapter 8 for further details on the features and
concepts adopted from ASAP when starting the work on CrimeFighter Investigator.
Figure 2.4: The software baseline for this Ph.D. project was the output of our master thesis, the
ASAP tool. The ASAP tool has been refactored to support various versions of the CrimeFighter
Investigator, before the final version presented in this thesis.
To illustrate the changes (or increments) made between the different tools, we list basic software
metrics for each of the tools in Table 2.116 . CrimeFighter Investigator 1 (September 2010), 2
(September 2011), and 3 (September 2012) are the major releases of CrimeFighter investigator,
but metrics are only shown for the third and final release in the table.
Metric Construct ASAP CFI 1 CFI 2 CFI 3 (Final)

Packages 2 8 11 28 45
Classes 22 69 38 167 245
Methods 77 689 400 2385 3863
MLOC 731 4572 2133 14767 22342
LOC 1211 7398 3742 24129 37250
Table 2.1: Selected software metrics for Construct, ASAP, and CrimeFighter Investigator after
year 3 (CFI: CrimeFighter Investigator, MLOC: method lines of code, LOC: total lines of code).
2.3 Empirical evidence

When visiting the institute for information systems (iisys) at University of Hof, we talked with
Dr. Atzenbeck about the importance of empirical17 quantitative evidence in software systems
engineering research:
25
2.3. EMPIRICAL EVIDENCE CHAPTER 2. METHOD
“Many Ph.D. students do cool projects, but to have statistical evidence for the ef-
fect of your implemented software features, you need to design and report usability
experiments.” - Dr. Claus Atzenbeck, Director for Institute of Information Systems,
University of Hof.
However, as Dr. Atzenbeck also pointed out, designing and report usability experiments is a long
process not suitable for a 18 months research project. We started designing usability experiments
for CrimeFighter Investigator features under Dr. Atzenbeck’s supervision and following his for
the WildDocs spatial hypertext system [18], guided by Field and Hole (2003) [69]. We hope to
complete this work in the future.
We decided to gather empirical, quantitative and qualitative, evidence using other methods. Be-
cause of the wide range of criminal network investigation processes and tasks we cover, several
methods have been necessary to evaluate all aspects of our developed software system support:
post-crime data sets and investigations 18 , end-user interviews, capability comparisons, and mea-
sures of performance. These methods are described in detail and discussed in Chapter 15.
Before continuing to Section 2.3.1 on case study research, it is important to note that we have been
doing case study research in the context of software systems engineering, not case study research
of the effect of applied software systems engineering or criminal network investigation concepts.
2.3.1 Case study research

Prior to establishing whether or not we have been doing case study research, we need a definition
of what a case study is. According to Thomas (2011), “case studies are analyses of persons, events,
decisions, periods, projects, policies, institutions, or other systems that are studied holistically by
one or more methods. The case that is the subject of the inquiry will be an instance of a class
phenomena that provides an analytical frame - an object - within which the study is conducted
and which the case illuminates and explicates” [224]. Let us consider this definition of the case
study in the context of the criminal network investigation of the individuals who kidnapped and
murdered Daniel Pearl, a case we use throughout this dissertation and which we have studied
extensively (see Section 3.5.1):
Subject: The kidnapping and murder of Daniel Pearl.

Object: There has been several objects of study, in relation to the subject, namely our three
challenges:
1. Information What information structures are created in this investigation (complex
system, project)? How does the information evolve? What information configurations
causes what decisions? What events triggers information (i.e., about persons) being
recorded?
2. Process What are the policies for adding information? What persons are involved in
the investigation process? Recording a chronology of events (periods)
3. Human factors How do investigators (persons) interact with information? What
types of persons are involved in investigations or in the kidnapping and murder? What
is the policy of the investigation team?
But can we generalize our findings in case studies and use them as arguments for the software
requirements we generate? The strengths and weaknesses of case studies as compared to for
example formal experiments (e.g., usability experiments) are summarized in the following quote:
“Although [case studies] cannot achieve the scientific rigor of formal experiments,
[they] can provide sufficient information to help you judge if specific technologies will
benefit your own organization or project. Even when you cannot do a case study of
26
CHAPTER 2. METHOD 2.4. PH.D. STUDY PROGRAM
your own, the principles of good case-study analysis will help you determine if the
case-study results you read about are applicable to your situation” [118].
Flyvbjerg (2006) further advocates the use of case studies and their scientific value by explaining
and correcting five common misunderstandings about case studies: “(a) theoretical knowledge is
more valuable than practical knowledge; (b) one cannot generalize from a single case, therefore,
the single-case study cannot contribute to scientific development; (c) the case study is most useful
for generating hypotheses, whereas other methods are more suitable for hypotheses testing and
theory building; (d) the case study contains a bias toward verification; and (e) it is often difficult
to summarize specific case studies.” [71] (misunderstandings are also discussed in Flyvbjerg (2011)
[72]). An interesting conclusion on the strengths of case studies from the business management
domain comes from Gill (1995): “theory developed from case study research is likely to have
important strengths such as novelty, testability and empirical validity, which arise from its close
linkage with empirical linkage” [76].
2.4 Ph.D. study program

This Ph.D. project described in this dissertation, has been conducted according to the requirements
of the Ph.D. school’s research training program Software Engineering 1 at the Technical Faculty,
University of Southern Denmark. The program is three years (six semesters) of length, and
includes the following compulsory activities: 30 ECTS (1 semester) of Ph.D. courses, one semester
(1 semester) of work for the institute, environmental change ( 12 semester), 300 hours of knowledge
elicitation ( 21 semester), ideally leaving room for 18 months of research.
1 The research training program was previously known as Information and Communication Technology.
27
2.4. PH.D. STUDY PROGRAM CHAPTER 2. METHOD
28
Part II
The domain
29
The chapters in part II introduces the domain of tool support for criminal network
investigation, and then sharpens further our initial problem definition and hypoth-
esis from Chapter 1. Chapter 3 describes criminal network investigation. Chapter
4 describes existing tool support for criminal network investigation and explains
strengths and weaknesses of these state-of-the-art tools. Chapter 5 summarizes a
range of theories and technologies required for tool support for criminal network
investigation. These three chapters represents our domain knowledge. Chapter 6
expands our initial description of the three challenges information, process, and
human factors, which we chose to focus on in Chapter 1, and which formed the
foundation of our research hypothesis. For each challenge, a set of specific problems
are listed, based on our domain knowledge. We also define our research focus for
each of the three challenges, framed by a set of requirements. Each requirement
is viewed as a software feature, which, if supported in a suitable fashion, would
strengthen a software tool’s support of the related challenge.
Figure 2.5 provides an overview of the central role that Chapter 6 plays in terms
of previous and future chapters. Figure 2.5 shows that the research focus require-
ments relate to the criminal network investigation process model and tasks, and
subsequently how the processes relates to Chapter 9 to 13, each of these chapters
describing analysis, design, and CrimeFighter Investigator support for tasks asso-
ciated with a process. Chapter 8 is also part of the foundation for Chapter 9 to
13, and the concepts and components analyzed and designed in that chapter have
been developed to support the research focus requirements in Chapter 6. Chapter
9 to 13 leads to Chapter 14, describing criminal network investigation work flows
involving multiple criminal network investigation processes and tasks. Chapter 15
and Chapter 16 evaluates and concludes our dissertation.
Figure 2.5: How Part II links to Part I, III, and IV of this dissertation.
31
32
CHAPTER 3
Criminal network investigation
If we are to think seriously about the world, and act effectively in it,
some sort of simplified map of reality . . . is necessary.
Samuel P. Huntington (1996), in the clash of civilizations and the remaking of world order [102].
Network-based techniques are widely used in criminal investigations because patterns of association
are actionable and understandable, but a criminal network is a special kind of network and a
focused review of this domain is necessary. We start this chapter with our understanding of
what a criminal network is and is not (Section 3.1). This includes a comparison of criminal
networks with other networks such as social networks, biology networks, physics networks, and
other complex systems. Investigations of how criminal networks evolve over time is important to
understand the need for information structure support; a criminal network is not a static entity.
Equally important is an understanding of how criminal networks form (emerge) and what ties a
network together to sustain the required level of secrecy and efficiency necessary for the networks
survival, as mentioned above. We discuss the differences between pre- and post-crime criminal
networks, and again, how one becomes the other, e.g., through a radicalization process. Finally,
we discuss the implication that individuals and other entities (organizations, locations, etc.) in
criminal networks are criminals or part of criminal activity. Part of the explanation is given below,
that criminal networks are investigated for potential criminals or criminal activity in situations
where decision makers want to take proactive measures. But again, we need to be aware of the
difference between legal and illegal activity [87].
We start the chapter with an introduction to what a criminal network is Section 3.1, followed by a
review of criminal network structures. An investigator in any domain would benefit from a general
knowledge about the known basic information structures within that domain [8, 9, 90]. In Section
3.2, we present the building blocks of such structures. We divide the structures created with
those entities in two categories, organizational (meta) structures and smaller (sub) structures, and
discuss the structures in each category often appearing in criminal networks.
After this review of various structures, we review two different types of processes for criminal
network investigation; the linear approach and the target-centric approach. The analysis of these
two different approaches will also serve as input for our problem definition in Chapter 6. The
classic linear approach to investigation (see Section 3.3) is the “faulty” investigative process,
because it introduces compartmentalization which has a negative impact on information sharing
and shared responsibility, ultimately causing intelligence failure. The target-centric approach, on
the contrary, has all stakeholders (collectors and processors, analysts, and customers) working
33
3.1. CRIMINAL NETWORK? CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
on the same shared target-model removing compartmentalization from the equation and in stead
helps introduce concepts such as ownership and transparency. Read about the our preferred
investigative process in Section 3.4.
We present four case studies of criminal network investigations in Section 3.5. We discuss and
reference those cases throughout the dissertation. The cases are: the Daniel Pearl investigation, the
hunt for Khalid Sheikh Mohammed, the Latonya Wallace and John Scott homicide investigations,
and finally the Barksdale drug organization in Baltimore. For each of these case studies, we set the
scene for investigation, we describe the investigative team and the individuals that constitute it,
we discuss the investigative approach of the team, and the criminal network under investigation.
We conclude this chapter with a summary based on three distinct criminal network investigation
types 3.6. We give a short introduction to the the general characteristics of the criminal network
investigations we focus on, and then we present the three specific investigation domains of our
particular interest, namely policing, counterterrorism, and investigative journalism. We discuss
each investigation domain in terms of the three challenges information, process, and human factors
and present case-studies from each investigation domain.
3.1 What is a criminal network?

A criminal network is a special kind of social network with emphasis on both secrecy and effi-
ciency19 [244]. Network-based techniques are widely used in crime investigations, because patterns
of association are actionable and understandable. We later define the building blocks of criminal
networks as well as observed structures (i.e., their organizational and smaller sub structures) to
be three basic entity types (nodes, links, and groups) which are associated to form the network.
Following this definition, a criminal network could be something as different as the Enron email
dataset20 where a network could be Enron individuals as nodes, links represent email send be-
tween individuals, and groups the position of individuals in the Enron company hierarchy. A
criminal network could also be physical evidence (hair, bullets, knife, etc.), suspects and witnesses
associated with a homicide crime scene.
To get an initial understanding of what a criminal network more specifically is we discuss how they
are different from more well known networks such as social networks or real world networks from
e.g., biology like predator-prey networks (see Section 3.1.1). Since criminal networks emerge from
entities already in the real world, we review why (root causes) they emerge (ideology, financial gain,
radicalization, etc.) and how they then evolve (further radicalization) as described in Section 3.1.2.
The strengths and weaknesses of criminal networks provides us with further understanding, and
explains the proliferation of criminal networks as well as their demise (see Section 3.1.3). Criminal
networks of associations between entities prior to crime or criminal activity are very different from
criminal networks depicting the associations between entities after a crime or criminal activity
as we show in Section 3.1.4. This brings forth another dimension of criminal networks, when
compared to networks in other domains. There is an ethical aspect to criminal networks, since
individuals are made suspects of having associations with some criminal activity or crime before
it happens, at least when taking proactive measures. This issue is discussed in Section 3.1.5.
3.1.1 Criminal networks and other networks

“Many objects of interest in the physical, biological, and social sciences can be thought of as
networks” [155]. Criminal networks differentiate from other networks in a number of ways. Given
the popularity of social networks research, the differences between criminal and social networks
are often in focus. Morselli (2009) discusses the criminal network perspective and his first task is
therefore, according to him, “to establish why criminal networks are different from non-criminal
social networks. Crime, after all, is a social phenomenon, but criminal networks and general crim-
inal behavior do have distinctive features from noncriminal counterparts” [150]. As we mentioned
in the introduction to this chapter, a criminal network is a special kind of social network with
34
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.1. CRIMINAL NETWORK?
emphasis on both secrecy and efficiency [244], but as we will see criminal networks also have other
distinctive features.
While the emphasis is different in terrorist networks and social networks, the entities are often the
same, namely humans. In other network domains theory from physics is used to localize the source
of diffusion in complex networks (e.g., “the source of a contaminant or virus”) [177], where the
nodes might be houses or cities and links represent means of transportation between them, and
so on (see Section 5.9 for examples). In all these networks the entities are of the same type within
each individual network. But in criminal networks, as we will see in the investigations described in
Section 3.5.1 to 3.5.4, it will be clear that many different types of entities can be expected to occur
in the networks. And furthermore, the relations between entities are not of one type, but multiple
types. In general, we think of criminal networks as semantic webs (see Section 5.2 for detailed
review) of information entities. It is important to understand both the differences in emphasis
and entity types, when analyzing criminal networks. Consequently, this is also important when
developing tools support for criminal network investigation.
3.1.2 The emergence and evolution of criminal networks

Criminal networks often emerge as a consequence of radicalization, either of individuals or groups.
The violent Islamist radicalization of individuals toward forming or joining terrorist networks
is described in various studies of radicalization aspects such as radicalization phases [203], root
causes [234], and violent online radicalization [29, 48, 49, 236, 241].
What complicates the analysis of criminal networks of a certain complexity, is that the picture
constantly changes. “With every interaction, people change, group dynamics change, and social
dynamics change” [28]. Morselli (2009) comments on this flexible order, as he calls it: “These
ongoing interactions in criminal networks combine to create a context of flexible order. The idea
of flexible order begins with the assumption that there is common ground to be found in the
interaction between individual and collective interests. A second claim emphasizes the bottom-
up organizational force of individual interactions and that a central governing authority is not a
necessary condition for reaching social order. In brief, the network is a self-organizing structure
that is essentially driven by the emergent behavior of its parts” [150]. To summarize, associations
are created between network entities from these interactions, and the addition of new associations
evolve the criminal network and the structures within it.
3.1.3 The strengths and weaknesses of criminal networks

The emerging nature and strength of a criminal network can be the result of several aspects, such
as ideology, cultural or family bonds, or the very structure and powerful entities of the milieu
where people live. The success or failure of a criminal network has recently been found, not to
be because of top-down leadership: “In Krebs’ (2002) analysis of the hijacker operation behind
the September 2001 attack [122], it is the dense under-layer of prior trusted relationships that is
found to be at the base of the network’s stealth and resilience and not the commanding control of
a single or select few leader(s)” [150]. In urban organized crime, it is the different institutions of
the city that impacts or controls the criminal networks and criminal (police) investigations: “it is
the different institutions in the city that are the real powerful entities” [34, 127].
Node removal is a well known technique for destabilization of criminal networks [35, 36]. Deciding
which node or group of nodes to remove, i.e., finding the weak “spots” in the network, is dependent
on available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), com-
plicating the prediction of secondary effects following a node removal. Inference-based prediction
and social network analysis provides different perspectives on criminal networks, thereby assisting
investigators in their decision making by answering the ’what if’ questions they inherently would
like to ask [169].
35
3.2. STRUCTURES CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
3.1.4 Pre- and post-crime criminal networks

The criminal networks we see are normally organized in a classic nodes-and-links way before pre-
sentation. The typical organizational structures in these networks include hierarchical structures,
cellular structures comprised of subgroups connected by bridges, and flat (or fluid) structures
where individual entities are distributed in some (more or less) random manner, maybe based on
subgroups or their relationship with nearby nodes. The entities are simply organized in a certain
way, because it creates an easier to comprehend visualization of the criminal network. These
networks are organized after the crime and the investigation thereof has been concluded, and we
therefore refer to these networks as post-crime criminal networks.
But as described in the previous sections, criminal network structures are emergent and evolving
and the networks go through many iterations after a target is selected until the structure types
mentioned above emerge. When investigations start, criminal network entities are often associated
in other ways than through well established relationships to other entities. First, the entities are
randomly positioned in an information space and maybe only a few are directly linked (e.g.,
the known accomplishes of the target). Later, more entities are linked, groups are created, and
structures emerge. During the first iterations, spatial associations like entity co-location play an
important role. A spatial association with a specific semantic meaning could be entities placed
in close proximity of each other to indicate a subgroup in the network or snippets of information
about a certain individual. Or entities might be placed above and below each other to indicate
hierarchical importance [168]. In other words, “semantics happen” [197]. We refer to this type of
networks as pre-crime criminal networks.
The network visualizations we see in magazines, news papers and scientific journals and proceed-
ings (post-crime) are often created specifically for presentation purposes. But they tell very little
about the investigative efforts required to synthesize and making sense of the respective networks.
The networks therefore convey limited information to the reader about what processes, tasks and
techniques that a tool for criminal network investigation, working with pre-crime networks, should
support.
3.1.5 Ethical aspects

Studying criminal networks from the initial relations are forged (and the increasing radicalization of
each individual in the network) reveals that the individuals in the network are often not criminals,
before a certain level of radicalization and extremism is reached. And this is certainly the case
from a criminal network investigation perspective (see Section 3.6), in which a lot of individuals
and other entities will be part of an investigation and then later excluded from that investigation,
when it is realized that they are not criminals (part of the criminal network). [87]
3.2 Criminal network structures

Knowledge about the structures that criminal networks have formed in the past, is an important
tool for investigators, as highlighted by the following comment from Alexander (1964): “Today
functional problems are becoming less simple all the time. But designers rarely confess their
inability to solve them. Instead, when a designer does not understand a problem clearly enough
to find the order it really calls for, he falls back on some arbitrarily chosen formal order. The
problem, because of its complexity, remains unsolved.” [8]. If required to choose a structure
beforehand, then you would at least have to choose one that fits the nature of the criminal
network that you are trying to model. But preferably, one should let the structure (evolve) and
emerge as discussed in hypertext research [197,198], the right approach being to “seek, rather than
anticipate, structure” [150]. In Section 5.1 we review hypertext structure domains that support
emerging and evolving structures assisting analysts searching for structure.
Based on literature studies of a mathematical perspective (e.g., [195, 240]) and the investigation
36
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.2. STRUCTURES
Figure 3.1: The three first class entities of criminal networks are information elements (nodes, left),
relations (links, middle), and composites (groups, right). The circles indicate connection points
for directly associating the entities, while the small light gray squares are for resizing entities.
perspective (e.g., [188]), interviews and presentations (e.g., [166, 167]), and informal talks with
criminal network investigators together with our own ideas, we present an outline of general
organizational (meta) structures and smaller (sub) structures. The organizational structures are
often used to describe the network as a whole21 . However, large networks may exhibit the outlines
of many such meta structures. The sub-structures are smaller structural components above the
abstraction level of the basic network building blocks, the first class entities node, link, and group.
3.2.1 Nodes, links, and groups: the basic entities of criminal network
structures
The building blocks of criminal networks are information entities. Our network model (Figure 3.1)
defines three such entities, namely information elements (nodes), relations (links), and composites
(groups). Nodes hold information about real-world objects. Investigators basically think in terms
of people, places, things, and their relationships. We use rectangles as visual abstractions here
for simplicity, but any symbol (circles, triangles, etc.) could have been used to illustrate different
types of real-world objects. Links of different types and weights can associate information entities
directly. Links have two endpoints, they can be both directed and undirected, and they have
different visual abstractions (see Figure 3.1, middle). Composites are used to associate entities
in sub groups. We work with three types of composites [174]: Reference composites are used to
group entities in the common information space. Inclusion composites can collapse and expand
information to let investigators work with subspaces. Relation composites can collapse and expand
multiple relations between two information elements. The circles in Figure 3.1 indicate connection
points for direct association of entities. The smaller light gray squares are for resizing entities.
Later, we will abstract the concepts of the circles and light gray squares to a single concept.
We formalize our criminal network model mathematically by stating that a criminal network (CN )
is a list of entities (E) and entities are lists of nodes (N ), links (L), and groups (G). Beyond this,
the organizational structures and smaller sub structures described below have not been formalized
mathematically. We leave this perspective for others and instead take a structural perspective,
allowing for some investigative flexibility, that strict mathematical formalization might inhibit.
3.2.2 Organizational (meta) structures

As mentioned above, we will take a structural and investigative (i.e., operational) perspective
on the presented structures. By an investigative perspective, we mean what information and
knowledge does the structure reveal to the investigators, e.g., about the functional or operational
nature of the criminal network. A mathematical description (or formalization) of a criminal
network structure will rarely, if ever, be utilized during criminal network investigation, and it
therefore makes more sense to focus on the investigative implications that the structure can have
37
on immediate operational decision-making.

We consider the structures to be independent of the information entities they structure. That
is, the links could represent flow of information between people nodes, or money flow between
geographic position nodes. Typical criminal network information entity structures that form
during investigation include hierarchical structures (Figure 3.2, left), cellular structures comprised
of cohesive subgroups (cliques) connected by bridges (Figure 3.2, middle), and flat (or fluid)
structures where individual entities are distributed in some (more or less) random manner (Figure
3.2, right), maybe based on factions or their relationship with nearby nodes, or simply because of
a more desirable visual layout.
It is important for us to point out here, that the structure examples from investigations that we
present below are often the results of laborious research and then incremental synthesis of a network
(see examples in Figure 3.2). Hence, it is not representative of the structures encountered during
the early phases of investigations (see Figure 3.3). However, the more structures an investigator
knows prior to investigation, the more likely it is that he/she will move toward the true nature
of a criminal network and not a biased choice of structure due to the limited knowledge of the
investigator.
Figure 3.2: An example of hierarchical (left), a Figure 3.3: Emerging structures in the early
cellular (middle), and flat structure (right). phases of criminal network investigations.
HIERARCHICAL
As previously mentioned, criminal network structures are emergent and evolving and the criminal
network is modeled incrementally, from the selection of a target is selected to some meaningful
structure emerges, that can provide insight and new potential leads for the investigators.
Sageman (2004) state that “terrorist networks are not static; they evolve over time” [188]. A
large organization like al-Qaeda has developed many “levels and concepts of organization” [155]
from it’s establishment to now. Sageman depicts al-Qaeda as four clusters with one leadership
cluster, the central staff. “After 1996, the central staff was no longer directly involved in terrorist
operations, but the other three major clusters were connected to their central staff contacts by
their lieutenants in the field” [188] (see Figure 3.5). Two of the al-Qaeda clusters are comprised
of several cohesive subgroups, while the southeast Asian cluster is more hierarchically structured,
with a leader and a consultative council at the top. When the cluster was created it was divided
into four geographical regions, and each region had several branches:
Building Jemaah Islamiyah was a remarkable achievement accomplished in very lit-

tle time. Hambali and his Chinese wife moved into a tiny wooden shack in a small
village [. . . ] south of Kuala Lumpur. [. . . ] Five years later he commanded a net-
work. [. . . ] Hambali sat in his tiny Malaysian village and meticulously planned, then
patiently built, Jemaah Islamiyah into an extraordinarily disciplined network. It had
more structure than anything bin Laden ever attempted, with strict geographic sectors
that covered all of Southeast Asia, an organizational chart in each of the sectors, and
command tables delineating clear lines of authority and responsibility up and down.
All the network information was gathered from public domain sources: “documents and tran-
scripts of legal proceedings [. . . ], government documents, press and scholarly articles, and Internet
38
Figure 3.5: (mock-up) “After 1996, the central

Figure 3.4: Sageman’s (2004) ‘global salafi net- staff was no longer directly involved in terrorist
work’, as depicted in [188]. At first, the net- operations, but the other three major clusters
work may seem rather cellular, but when con- were connected to their central staff contacts
sidering that one of the four clusters is central by their lieutenants in the field. [. . . ] Each of
staff, links from there to other clusters creates a these field lieutenant hubs was then connected
hiearchy. There are however also links between to the operational field commanders in charge
the clusters, flattening the structure. of specific operations” [188].
articles” [188]. Based on this information, an elaborate list of person attributes was synthesized.
Hierarchical criminal networks can emerge in both top-down (i.e., recruitment [188]) and bottom-
up (i.e., linkage [236]) ways.
CELLULAR
After 10 years of investigative journalism the Pearl Project published a report on the kidnapping
and murder of Daniel Pearl depicting five cells responsible for various tasks, with all cells connecting
to the mastermind behind the kidnapping [227] (see Figure 3.6). However, from the account of the
official investigation we know how fragmented and inconsistent information about the kidnappers
initially was [162], and from another account we get a vivid description of how investigations
faced “the eternal problem of any investigation into Islamist groups or Al-Qaeda in particular: the
extreme difficulty of identifying, just identifying, these masters of disguise, one of whose techniques
is to multiply names, false identities, and faces” [128].
FLAT
Krebs’s almost iconic network of 9/11 hijackers has been referenced widely [122] (see Figure 3.7).
It was aggregated based on open sources, but it is not possible to see the intermediate states of the
network prior to the published version, which would have been interesting from an investigation
point of view. Also, it is not clear what exact evidence that formed the individual links between
the hijackers. But the final relatively flat structure of the network is informative for investigators,
since it can be observed that each individual and cells on each of the flights have low connectivity.
SEMI-LATTICE
From an investigative point of view, it can be argued that the semi-lattice is a better structure
for modeling for example organized crime networks (like the drug selling organization described
in Section 3.5.4). And from a mathematical point of view we expect that the semi-lattice could
39
Figure 3.6: The network of individuals involved

in the kidnapping and murder of Daniel Pearl Figure 3.7: Krebs’ (2002) network of 9/11 hi-
[227]. jackers (rotated 90◦ counterclockwise) [122].
more precisely be used to model overlapping network entities, whatever they might be. Alexander
(1965) defines a semi-lattice based on sets: “A collection of sets forms a semi-lattice if and only if,
when two overlapping sets belong to the collection, then the sets of elements common to both also
belongs to the collection” [9] (see Figure 3.8). A semi-lattice can be used to represent overlaps
between different (groups of) entities. This is a very interesting feature, since an overlap indicates
some sort of association between entities, and that association can be key to solving the case. As
commented by Hirtle (1995), “a tree structure is one realization for a hierarchical structure for
the representation of space. It is easily constructed and understood, but it is also a rigid structure
that does not allow for overlap. Ordered trees provide an extension that allows for some degree
of overlap, whereas a semi-lattice is an even richer structure that appears to be consistent with
many aspects of cognitive space [9]” [89]. In some literature, the organized crime networks are
defined as hybrids [228]. We have observed that a hybrid of a flat tree (hierarchy) and the clique,
shaped by the environment in which it resides, is an often occurring structure.
The Wire is a television show about organized crime, based on yearlong embedded field work by
the authors, that has inspired our work in this domain. It has been argued that the The Wire is
actually a show about the city [10, 34, 163] and not the individual characters (e.g., criminals and
police officers). It is the different institutions in the city that are the real powerful entities (quote
from [127] as quoted in [34]):
The narrative first emerges out of the police investigation of the drug trade, as law
enforcement tries to capture Avon Barksdale by proving that he is the hub of a network
of linked corners and dealers. In order to succeed, the law enforcement side must
gain access to the dealers’ principles of interconnectedness, and they do so through the
wiretap, which itself both emerges from and exposes new links: it first brings together
the Baltimore police, the FBI, the District Attorney, and the courts, and it then allows
them to piece together the structure of the Barksdale drug dealing hierarchy, which
then links up to local politics and the real estate market; later, when the wire takes in
the evidence of dockworkers, it also reveals global economic trading patterns that link
urban poverty to unions and local politics to transnational criminal traffic. Thus the
networking technology of the wiretap is itself a point of contact among other networks.
The whole social world then emerges, in The Wire, not as a set of discrete hierarchies
and institutions, but as the sum of the sites where they intersect.
And it is exactly such intersections that the semi-lattice could be used to model. Taniguchi et al.
(2011) presents a study of open air drug markets and the gangs selling drugs there. These drug
markets are the street corners vividly described by Simon and Burns [204,205] and brought to life
in The Wire. Taniguchi et al. provides the following definition of a gang: “a group of five or more
people with (1) some type of structure, (2) a common identifier, (3) a goal or philosophy that binds
40
them and (4) whose members are individually or collectively involved in criminal activity” [221].
To model street corners and associate gangs with those individual corners, Thiessen polygons are
used to describe the corners, and census geography polygons are used to indicate individuals on
each of those corners (see Figure 3.9).
We find that specific structures often underpin or shape criminal networks. Krebs’ (2002) analysis
of the hijacker operation behind the September 2001 attack found that it is the dense under-
layer of prior trusted relationships that is found to be at the base of the network’s stealth and
resilience and not the commanding control of a single or select few leader(s)” [122]. For urban
organized crime “groups organize around criminal values and activities just as other groups would
converge around noncriminal activities” [150]. The city has a great influence on organized crime
networks: “[a network] can be, but does not have to be, a product of urban design and economic
conditions” [150]. If the city shapes urban organized crime, then it could be interesting to know
what the structure of a city is? Alexander (1965) argues that “a city is not a tree” but a semi-
lattice: “I believe that a natural city has the organization of a semi-lattice; but that when we
organize a city artificially, we organize it as a tree. [. . . ] Both the tree and the semi-lattice are
ways of thinking about how a large collection of many small systems goes to make up a large and
complex system.” [9].
Figure 3.8: The structure illustrated in a and Figure 3.9: The solid line polygons are Thiessen
b is a semi-lattice, since “wherever two units polygons, forming unique spatial regions, sys-
overlap, the area of overlap is itself a recogniz- tematically allocating crimes to the physically
able entity and hence a unit also” [9]. closest street corner. While the Thiessen poly-
gons do not overlap or have gaps between them,
other polygons could be added in a different
layer to represent overlaps with the Thiessen
polygons (in this case census geography for each
of the polygons) [221].
Criminal networks of a certain complexity will typically have the features of more than one orga-
nizational meta structure. And the criminal networks we have studied have featured more than
one of the smaller sub structures described below.
41
3.2.3 Smaller (sub) structures

As mentioned above, organizational meta structures will contain multiple smaller sub structures.
Most prominent examples include cliques, bridges, hubs, singletons, dyads, and triads. Only
the clique can be considered a criminal network within the larger network; a sub network. We
characterize the other sub structures, as structural features of either the clique or the larger
network.
The sub structures described below can have a certain behavior associated with them, which
could be formalized mathematically and used for pattern analysis together with the structural
characteristics. But as we have mentioned earlier, we do not take the mathematical perspective
here. We give examples of for example cliques (cohesive subgroups) where possible and also discuss
attempts at profiling different types of subgroups. The three main sub structures (clique, bridge,
and hub) are presented in Figure 3.10.
(a) Clique (b) Bridge (c) Hub
Figure 3.10: Examples of sub structures include cliques (left), bridges (middle), and hubs (right).
CLIQUE
A clique is a network structure where “every node is connected to every other node” [188], as
shown in Figure 3.10a. Wasserman and Faust (1994) classifies the clique as cohesive subgroup,
and gives the following definition of the clique: “a clique in a [network] is a maximal complete
sub[network] of three or more nodes. It consists of a subset of nodes, all of which are adjacent to
each other, and there are no other nodes that are also adjacent to all the members of the clique.
The restriction that the clique contain at least three nodes is included so that mutual dyads are not
considered to be cliques.” [240]. Scott (2000) suggests a distinction between strong cliques (cliques
in directed networks) and weak cliques (when the direction of links is disregarded). For criminal
network investigation (and perhaps sense-making algorithms in particular), the n-clique [195, 240]
is very interesting:
“In this concept n is the maximum path length at which members of the clique
will be regarded as connected. Thus, a 1-clique is the maximal complete sub-[network]
itself, the set in which all pairs of [nodes] are directly connected at distance 1. A
2-clique, on the other hand, is one in which the members are connected directly (at
distance 1) or indirectly through a common neighbor (distance 2)” [195].
In our deployment of a custom made node removal algorithm (outlined in Section 14.2) we setup
rules to detect a change in distance between nodes, changing from distance 2 prior to the node
removal to distance 1 after the node removal (followed by an inference-based prediction of missing
links in the network). In the deployment scenario, the investigators argue that links matching these
rules might be indication of tasks being shifted from the removed node, to the new destination
nodes of distance 1 from the source nodes. It could be interesting also to investigate a change in
n-cliques after a node removal.
“A clique is a very strict definition of cohesive subgroup. [. . . ] The absence of a single line, [. . . ]
will prevent a subgraph from being a clique” [240]. To present examples of cliques in criminal
networks, we have to take the mathematical (and textual) definition loosely, and think more of it as
42
a tight-knit group22 . A good example is provided by Sageman (2004) who references his discovery
that “people joined the jihad in small groups” (he later refers to them as bunches-of-guys), and
then states that:
“When one of the friends was able to find a bridge to the jihad, they often went
as a group to train in Afghanistan. Examples abound in [Sageman’s] sample: the
Montreal group, the Hamburg group, the Khamis Mushayt group, the Lackawanna
group. These are dense, small networks of friends who can vouch for each other. In
network terminology, they form cliques.” [188].
Omar Saeed Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl
(see Section 3.5.1 made an effort to keep his operational cells separate purposefully, as described
below. “Amjad Hussain Farooqi, Asim Ghafoor, and Asif Ramzi were all allegedly implicated in
helping Omar Sheikh plot Daniel Pearl’s kidnapping” [227]. Amjad Farooqi was a friend from
militant circles. Asim Ghafoor came with Omar to Karachi, a 28 year old deputy in a militant
group, “which would be instrumental in doing Sheik’s dirty work on the streets of Karachi” [227].
Salman Saqib met Omar and Asim at the airport to pick them up, but Omar kept introductions
short, and Saqib therefore only knew Asim Ghafoor as “the fat guy”. Upon arrival in Karachi,
Sheikh had only two days to setup his operation [227], another factor that surely helped keep the
operational cells secret.
BRIDGE
“A bridge is a line that is critical to the connectedness of the graph. A bridge is a line such that
the graph containing the line has fewer components than the subgraph that is obtained after the
line is removed” [240]. Applying this to criminal networks, we define a bridge to be an entity
or structure (several associated entities) who connects to distinct parts of the network. In more
structural terms, Scott (2000) references work on cycle analysis which “goes on to define a bridge
as a line that does not itself lie on a cycle but that may connect two or more cycles” [195]. This
is illustrated in Figure 3.11, the link between node B and E bridges the two cycles ABDC and
EFIH. In peak analysis a node is a peak if it is more central than any other point to which it is
connected and a bridge is then a central node that connects two or more peaks [195]. An example
of a bridge between peaks is shown in Figure 3.12 and the bridge was found to be an important
feature of the al-Qaeda network that Sageman (2004) investigated:
“In the case of global Salafi mujahedin [. . . ] there is one common element that is
specific to them and to no one else, and that is the fact that they made a link to the
jihad. These links are key to the dynamics of terror networks. How does one go about
joining the global Salafi jihad?” [188].
Questions similar to that asked in the quote above are equally important for other types of criminal
networks, such as “how does one go about joining organized crime groups?”, like for example a
group selling criminals selling drugs (see Section 3.5.4).
HUB
“A major topic of research in recent years has been the investigation of hubs on the performance
and behavior of network[s]. Results indicate that hubs can have a quite disproportionate effect,
playing a central role particularly in network transport phenomena and resilience, despite being
few in number” [155].
A hub in a criminal network is a well-connected (high degree) node [155], e.g. the entrepreneur of
a terrorist cell [154] (i.e., clique), receiving information from the outside and communicating it to
the other members of the cell.
43
Figure 3.11: An example of a bridge in cy- Figure 3.12: An example of a bridge in peak
cle analysis: the link between node B and E analysis: a node is a peak if it is more central
bridges the two cycles ABDC and EFIH (figure than any other point to which it is connected
adopted from [195]). and a bridge is then a central node that con-
nects two or more peaks [195] (figure adopted
from [195]).
Figure 3.13: The three isomorphism classes of dyads: null dyads (left), asymmetric dyads (middle),
and mutual dyads (right). (figure adopted from [240])
DYAD
Knowledge about triads, dyads, and singletons in criminal networks can be useful for pattern
searching (see sections and example below), and it is also primarily with this in mind that we
review these three structures.
“A dyad is an unordered pair of actors and the arcs that exist between the two actors in the
pair” [240]. There are three possible states or isomorphism classes for dyads as shown in Figure
3.13: null dyads (left), asymmetric dyads (middle two), and mutual dyads (right).
TRIAD
Three nodes (information elements) without the links that may exist between them is called a
triple; when we also consider the links between these nodes we have a triad [155, 240]. Following
our claim, that an understanding of basic network structures is advantageous when analyzing
complex criminal networks, Scott (2000) refers to sociology researchers who argue that “complex
social structures can be seen as built from simple structures” [195] and say specifically about
the triad: “simple triadic structures are the building blocks of larger social structures, and the
properties of complex networks of social relations can, they argue, be derived from an analysis of
these building blocks” [195].
For directed networks, “a triple of actors gives rise to sixty-four possible configurations of choices
and non-choices” [240]. Figure 3.14 shows the 16 triad isomorphism23 classes (types) encapsulating
these sixty-four configurations (adopted from [240]). The triad types in Figure 3.14 are organized
in seven columns, and within each column the types have the same number of links present, where
a mutually directed link counts as two links (i.e., mutual dyad ), from 0 in the first column to 6 in
the last column. Each triad class is labeled using standard MAN labeling24 , which consists of three
to four characters. The first character indicates number of mutual dyads, the second character is
44
Figure 3.14: A triple of nodes gives rise to sixty-four possible triad configurations, 16 isomorphism
classes of which are shown here with standard MAN labeling (see text). The classes are organized
in columns, according to number of links present. (figure adopted from [240])
asymmetric dyads, and the third character represents null dyads. Finally, the fourth character, if
present, is D for down, U for up, T for transitive, or C for cyclic [240].
SINGLETON
We define a criminal network singleton as a structure consisting of one node that has zero to
unlimited links or associations to other entities in the criminal network. In online social networks,
a singleton is described as the type of user that does not connect with any other users [124]. This is
an interesting structural concept for criminal network investigation, e.g., when investigating lone
wolf terrorism [153]. Maybe the singleton does not have any relations to other users in the online
social network, but could have relations to entities in the real world, like persons, activities etc. A
challenge here will of course be the mapping of the online social network avatar of the individual
and the persons identity in the real world [29]. In Section 14.1 and 14.3, we discuss analysis of
criminal networks where single entities (individuals) played key roles.
As with triads and dyads discussed above, the singleton is useful for building patterns, based on the
experience of investigators (their heuristics), which can be used for searching and (visual) filtering
purposes. We illustrate this with a short discussion of a technique using importance flooding to
identify networks of criminal activity [139]. The technique uses three kinds of importance rules
(activity-based group rules, multi-group membership rules, and path rules), as shown in Figure
3.15. “Weights are assigned to rules, nodes are evaluated for group membership based on the rule,
and nodes are assigned initial importances scores equal to the sum of the weights of groups to
which they belong” [139].
45
3.3. LINEAR CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
Figure 3.15: Three types of initial importance rules. Examples of how singletons, dyads and triads
can form the foundations of rules and search patterns [139].
3.3 Linear process models

Intelligence has traditionally been described as following a series of steps called the intelligence
cycle. “The cycle defines an antisocial series of steps that constrains the flow of information. It
separates collectors from processors from analysts and too often results in throwing information
over the wall 25 to become the next person’s responsibility” [40], which makes it difficult to pinpoint
responsibility for intelligence failures. Bruce and George (2008) follows up, by stating in their
work, that “this definition of analysis conveys a mechanistic and also somewhat linear process.
The production-line metaphor conjures up an image of analysts writing, reviewing, editing, and
publishing an assessment, and then moving on to the next question or task” [32]. Figure 3.16 and
3.17 shows examples of linear processes). The flaw of this linear problem-solving approach is that
it obscures the real, underlying cognitive process: The mind does not work linearly - it jumps
around to different parts of the problem in the process of reaching a solution [40, 239].
Figure 3.16: The intelligence cycle: “adapted Figure 3.17: The intelligence cycle as “adapted
from factbook on intelligence, office of pub- from a briefing, the intelligence community,
lic affairs, central intelligence agency (October available at the director of national intelligence
1983), p. 14” [113]. website (www.dni.gov)” [32].
While the intelligence cycles presented in Figures 3.16 and 3.17 are linear and mechanistic in
their approach, the cycle or circular visualization actually illustrates an important point, which
should be included in future designs of intelligence analysis processes. Bruce and George (2008)
says about their process model: “despite its simplification of what is a very complex process, this
conceptualization does underline the analyst’s pivotal role in transforming information provided
46
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.3. LINEAR
by various collection systems into judgment and insight for the policy customer” [32]. Clark’s
linear intelligence process model (shown in Figure 3.18 captures the two linear models discussed
above, as well as others.
Figure 3.19: The intelligence cycle of the

Danish Defense Intelligence Service (DDIS) as
Figure 3.18: The linear intelligence process. adopted from a textual description on their web
“The dotted line represents the transition from site [52] (see original text in Appendix B.2).
one cycle to the next, during which the cus- The dotted line represents a feedback loop, in
tomer reviews the analysis product and formu- case new questions need to be asked, or a new
lates new requirements and needs” [40]. intelligence need in general arises.
The intelligence cycle of the danish defense intelligence service is described on their website [52] (in
Danish, see Appendix B.2 for original text). We have adopted the visual model shown in Figure
3.19 from the text version. The process is straightforward and individual steps resemble those
of the other linear processes discussed in this section: (1) the starting point is a prioritization,
considering the service’s tasks and resources, and the customers input; (2) next, it is outlined what
the service already knows, and what it wants to know, resulting in a formulation of the intelligence
need; (3) then follows intelligence gathering from open and closed sources; (4) intelligence gathering
is followed by analysis, and the hypothesis is tested with available information. If the information
doesn’t match the expectations, there might be a need to go back to (2), asking new questions
and formulating a new intelligence need; (5) finally a report is generated, preferably as precise as
possible, in which a special focus is put on the distinction between what is information and what
is an assessment made by analysts.
We make three interesting observations about the DDIS intelligence cycle: Although there is a
feedback loop from analysis to intelligence need, it is stated that it will only be needed if there are
new questions to be asked. From Figure 3.19 we can also see how the customer is actually “cut
out” of the loop: once the prioritization of the task is made, then DDIS takes over until analysis is
complete and a report can be generated for the customer. We find the recognition that analysis is
not something that one analyst can do alone positive; it is team work. However, it is stated that
it cannot be done by one person, which doesn’t recognize the negative impact that team work can
also have (see Section 5.5 on the creative process which discusses this aspect).
3.3.1 Intelligence failures

Bruce and George (2008) warns against the listing of intelligence failures without analyzing how
to improve on intelligence analysis, exemplified by the 9/11 Commission Report [152]: “The 9/11
Commission Report provides a brilliant recounting of the hijackers’ plot and copious recommen-
dations on how to improve intra governmental information sharing [. . . ]. However, there is scant
47
3.3. LINEAR CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
attention at all devoted to understanding how analysis might have been better and to laying out
any game plan for improving intelligence analysis on terrorism” [32]. The general problem seems to
be a lack of focus on the analytical process it self, also in policing where “process models generally
include some form of feedback or evaluation; however, there is a widespread paucity of evaluation
of police tactics and the intelligence process” [180]. We have therefore decided not to list failed
criminal network investigation, and then try to sum up the failures of those investigations, knowing
it very likely would be “a linear criminal network investigation process or mechanistic approach
was the key reason for intelligence failure. Compartmentalization was introduced, inhibiting in-
formation sharing”. Instead we review the Curveball case, which is a very good example of how
a transnational intelligence operation increases compartmentalization and can potentially lead to
war. The case is reviewed below in Section 3.3.1.
CURVEBALL
In this section, we take the intelligence process perspective on the intelligence estimates of weapons
of mass destruction (WMD) in Iraq: “In addition to faulting collection efforts, fragmented intel-
ligence community operations, management, and other aspects of the intelligence system, the
Silberman-Robb WMD Commission [45] was explicit in critiquing the analytic record as well as
the analytic process” [32]. We discuss how intelligence traveled from the mouth of an Iraqi de-
fector to the German intelligence services, crossing the Atlantic to CIA Director George Tenet,
who briefed the president and U.S. secretary of state Colin Powell. On February 5 (2003) Colin
Powell presented to the United Nations (UN) council the evidence against Saddam Hussein and his
allegedly active WMD program. The intelligence was based on a single source, an Iraqi defector
who manufactured a story based on open source UN reports and his work as a chemical engineer.
CIA director George Tenet convinced Powell that the intelligence was solid and in March 2003 the
U.S. and their allies invaded Iraq (without UN mandate).
Every piece of available intelligence was used for the UN
presentation. Analysts created colored 3D versions of
Curveball’s sketches and descriptions of mobile chemi-
cal laboratories (Figure 3.20), recorded audio was tran-
scribed onto slides and played simultaneously and var-
ious satellite photos of mentioned locations were anno-
tated with indications of suspicious activity. Figure 3.20: 3D drawings used as evi-
The Curveball investigation mainly involved overall tasks dence in UN presentation.
concerned with translation, interpretation, and re-formulation of the contents of interrogation
reports crossing the Atlantic. Preparation of the evidence for the UN presentation involved linking
many different information types. Issues were information scarcity, versioning of information, and
most importantly compartmentalization between and within agencies: “Clandestine operatives are
trained to spread falsehoods. Intelligence agencies spin or hide the truth as a matter of policy and
law. And spy services, even close allies, routinely conceal information from each other” [59].
The channels through which the information traveled from Curveball to Colin Powell are depicted
in Figure 3.21 using pictures and in a schematic form in Figure 3.2226 . The Iraqi defector, ironically
codenamed Curveball, was interrogated by the German foreign intelligence agency BND. The
Germans normally interviewed Curveball in Arabic, using a translator, but the Iraqi spoke English
sometimes (and even started to use a few words in German). The BND sent German summaries
of their English and Arabic interview reports to the U.S. Defense Intelligence Agency (DIA) unit
in Germany (Munich House) as well as the British intelligence service (not in Figure 3.21).
The DIA team at Munich House translated the German back to English and prepared their own
summaries. The summaries were sent to DIA’s directorate for human intelligence in a high-rise
office building in Clarendon, Virginia. The directorate delivered 95 DIA reports to, among others,
the new CIA unit named weapons intelligence nonproliferation and arms control, also known as
WINPAC. WINPAC had been established to streamline CIA’s reporting and analysis of weapon
48
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.4. TARGET-CENTRIC
Figure 3.21: Conceptual, structural, mathematical and computational models.
related threats, and reported to CIA’s analysis department. 700 analysts worked in WINPAC,
but only six analysts worked in the unit focused on biological warfare programs that handled the
Curveball reports. The biological warfare unit sent the reports up the CIA hierarchical ladder. At
some point they caught interest, and the CIA created new versions of the streamlined WINPAC
reports to put in the president’s daily brief, which George Tenet brought to the White House [242].
On February 5 (2003) Colin Powell presented to the United Nations (UN) council the evidence
against Saddam Hussein and his allegedly active WMD program.
We bring this lengthy account of the Curveball informations journey, because it illustrates how
many different compartments there was in the process, each compartment amending information
with their own interpretations and translations, based on the text given to them from the previous
compartment. The flow of intelligence reports and documents being sent between, assessed and
reformulated by different compartments, is shown in great detail in Figure 3.22.
3.4 Target-centric process models

A target centric approach is now being promoted in the intelligence analysis community [40], due to
the failure of previous investigations. We listed (sequential) investigation failures in Section 3.3.1.
An alternative to the traditional intelligence cycle is to make all stakeholders (including customers)
part of the intelligence process. Stakeholders in the intelligence community include collectors,
processors, analysts and the people who plan for and build systems to support them [40]27 :
“Here the goal is to construct a shared picture of the target, from which all participants
can extract the elements they need to do their jobs and to which all participants can
contribute from their resources or knowledge, so as to create a more accurate target
picture. [. . . ] It is important to note that the collaborative process is not a substitute
for competitive analysis - the process by which different analysts present alternative
49
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
50
3.4. TARGET-CENTRIC
Figure 3.22: Overview of the complete intelligence process from the interviews with Curveball to the Presidents Daily Brief and secretary of state
Colin Powells presentation at the UN. The figure shows the many cycles of interpretation, summarization, rewriting and analysis it went through
before reaching its destination [59].
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.4. TARGET-CENTRIC
views of the target.”
Figure 3.23: A target-centric view of the intelligence process [40].
To create and evolve information technologies assisting criminal network investigators “requires
a deep understanding of the analytical processes that intelligence analysts carry out” [39]. Inves-
tigative teams from the terrorism and police fields are facing complex threat environments. As an
example experts across academia, business, and government sectors have indicated that terrorism
is becoming more amorphous, more complex, more sporadic, more amateurish, more difficult to
predict, more difficult to trace, and more difficult to observe and analyze [109]. This issue was
also outlined in the Home Office Strategic plan 2004-2008: “The growth of organized crime, fueled
by the ease of communication and travel, as well as the changing terrorist threat, have demanded
a significant shift in the way we operate”.
Figure 3.24: Gill’s cybernetic model [77], as reproduced with permission in Ratcliffe (2008) [180].
Within the investigative domain of policing, intelligence policing has produced many interesting
inputs toward a target-centric approach to criminal network investigation. As mentioned in Sec-
tion 3.3, the intelligence cycle “emphasizes the intelligence in intelligence-led policing, but not
necessarily the policing” [180]. Ratcliffe (2008) references Gill’s cybernetic model [77] (see Figure
3.24) as a positive development in that direction, because Gill (2000) in his process model has
embedded the assertion “that the reality of the intelligence cycle is that time and other constraints
play a limiting role on the ability of this ideal-type process to function as a cycle and that the
process in reality is more messy and complex, and that each stage is autonomous” [180]. Another
51
3.5. CASES CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
interesting feature of Gill’s model is the concept of the filter (or power screen) to indicate that, in
generic terms, some entity has influence on the process in question [77, 180]. Similar model filters
could also be used to indicate responsibilities during criminal network investigation.
We believe that human factors are a significant part of these other constraints mentioned above.
Our target-centric model for criminal network investigation (see Chapter 7) is inspired by Clark’s
target-centric approach to intelligence analysis [40]. However, while Clark’s model puts focus on
the shared target-model (common information space) between all stakeholder of the intelligence
process, he lacks to describe the human factors involved, e.g. human cognition and creativity,
when modeling emerging and evolving information structures. In a review of Clark’s book, Wirtz
(2006) states that the human element of identifying appropriate analytic techniques “limits the
effectiveness of the techniques identified by Clark: their success and failure rest on analysts’ initial
definition of the problem they face. If this cognitive framework is incorrect or unsophisticated,
then it is unlikely that even the most advanced analytical techniques will yield useful results”
[251] and concludes: “after all, no one has yet linked failure of intelligence to the fact that the
opponent had better equations” [251]. To summarize, while the target-centric approach creates
the right foundation for criminal network investigation process, there is a need also to include an
understanding of human factors and information structures, to improve further on this approach.
An example of how to work successfully in a target centric manner was Deuce Martinez, a CIA
top analyst, who was assigned to temporary duty in Pakistan to help pinpoint the location of Abu
Zubaydah28 . Deuce Martinez “was regarded as one of the best targeters the agency had” [146].
In the following quote Martinez has been flown into Pakistan and is briefed about the target
and available (limited) intel (see Section 3.5.2 for more details on that investigation), quotation
from [146]:
Martinez went to work immediately. He put Zubaydah’s name in the center of an

analytical report, and then added lines radiating outward, representing NSA29 signals,
ground intel, emails, and whatever else he could – phone numbers of people Zubaydah
had called or who had called him, and a second layer of calls made by and to the people
he had talked to. He used a link-analysis computer program to build images of networks
from the raw data. He drew his own crude reconstruction of the analysis on a huge piece
of butcher paper pinned to a wall inside the CIA’s rooms in the Islamabad embassy. In
a few weeks, Martinez had narrowed the range to fourteen distinct addresses that stood
out as the most likely sites. Ten of the sites were in Faisalabad, four in Lahore.
That list was later shortened down to two Faisalabad prospects, they were attacked simultane-
ously, and Zubaydah and two accomplishes where shot, but Zubaydah survived long enough to be
interrogated [146].
The fact that Deuce Martinez did this targeting largely on his own (at least the analytical part,
he was given access to intel already processed by others) leads to another important point of the
target-centric approach: The target-centric approach is not an advocation for group work, albeit
being a human-centered process. Years of research show that group work does not create more
ideas or increase creativity [4]. We discuss human cognition and creativity in Section 5.4 and 5.5.
A target-centric approach is about having a common information space, the target model, as a
frame of reference for investigators on a team to refer to), so that no information is hidden from
other investigators at any time. As opposed to the traditional intelligence process reviewed in
Section 3.3, which introduces compartmentalization into investigations.
3.5 Criminal network investigation cases

In this section, we review four criminal network investigation cases that have inspired our work: the
kidnapping and murder of Daniel Pearl, the hunt for Khalid Sheikh Mohammed, two overlapping
homicide investigations, and an investigation of organized drug crime in Baltimore constructed
52
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.5. CASES
from year-long observations and experiences in the domain. For each review we set the scene
for the investigation to get the reader situated, followed by a description of the criminal network
investigation team and the investigative approach they take. Each review is concluded with
summary of pre- and post-crime network structures, focusing on organizational meta structures,
building block sub structures, and complexities and emergent behaviors of the network information.
We will provide an overview of other criminal network investigation cases elsewhere (e.g., Section
5.7).
3.5.1 The Daniel Pearl investigation

On January 23, 2002 Daniel Pearl, a reporter for the Wall Street Journal (WSJ), was kidnapped in
Karachi, Pakistan [128, 162]. As a result, an elaborate investigation was started to figure out who
the kidnappers were and where they were keeping Daniel Pearl against his will. Eight days later
Daniel Pearl was beheaded. The execution was recorded on video and distributed world-wide.
SETTING THE SCENE
When The Wall Street Journal reporter Daniel Pearl was kidnapped on January 23 2002 in
Karachi, Pakistan, an elaborate investigation was started to figure out who the kidnappers were
and where they had taken Daniel Pearl. We have chosen this specific investigation for four main
reasons: First of all because of its complexity. It has been stated that societies where the police and
security services are weak, corrupt or compromised are more susceptible to terrorist attacks [252].
The leader of one cell involved in the kidnapping of Daniel Pearl and responsible for exterior rela-
tions, was in fact a police man part of an elite anti-terrorist unit but also an Afghan war veteran
and linked to Jaish e-Mohammad30 [128, 162]. Adding to the complexity of the investigation is
the city Karachi itself and its population that no one seems to know how to count: “there are
two million Afghans, Bengalis, Arabs, Sudanese, Somalis, Egyptians, Chechens, in short, foreign-
ers without papers forming an army of natural candidates for al-Qaida recruiting agents” [128].
Hence aliases play a key role because “you run up against the eternal problem of any investigation
into Islamist groups or al-Qaida in particular: the extreme difficulty of identifying, just identify-
ing, these masters of disguise, one of whose techniques is to multiply names31 , false identities, and
faces” [128].
THE TEAM
The investigative team (see Figure 3.25) consisted of Mariane Pearl (wife and French magazine
journalist) and Asra Nomani (Indian-born Muslim and reporter for the WSJ). After the Pakistani
authorities were involved, Captain (leader) and Dost (both representing a Pakistani counterter-
rorism unit) and Zahoor (also from Pakistan), joined the investigation. They are followed by four
Americans: Randall Bennett (regional security officer at the U.S. consulate in Karachi), two FBI
computer experts, and Maureen Platt. Finally, John Bussey (Daniel Pearl’s boss at the WSJ) and
Steve LeVine (fellow foreign correspondent at the WSJ normally posted in Kazakhstan) joins the
team.
THE INVESTIGATIVE APPROACH
Mariane and Asra start a link chart (target model) on a white board when they realize Daniel is
missing (Figure 3.26). They add information as they discover it going through Daniel’s calendar
and computer. They work asynchronously, taking turns adding text (mainly person names) and
directed links (relations) to the chart. As more and more information is added, the link chart
becomes increasingly complex. Attributes like phone numbers and pictures are added to the
existing text entities. As more relations between persons are discovered, their lines start crossing
each other and symbols like colored shapes are used to highlight and differentiate information.
53
Figure 3.25: The team investigating the kid- Figure 3.26: Link chart complexity has in-
napping of Daniel Pearl. creased significantly.
Figure 3.27: The network behind the kidnapping of Daniel Pearl as synthesized by The Pearl
Project [227] using Palantir software [5], a tool reviewed in Section 4.1.
When the team encounters a dead end, the link chart is used to go through missing information
that would potentially reveal something important. Team members joining the investigation late
(e.g., Steve LeVine) use the chart to get up to speed on things.
The type of information related to the Daniel Pearl investigation and the environment in which
it takes place is very complex. In Karachi there are two million foreigners without official papers
forming an army of potential candidates for Al-Qaeda kidnapping operations. The Daniel Pearl
investigation was “up against the eternal problem of any investigation into Islamist groups or
Al-Qaeda in particular: the extreme difficulty of identifying, just identifying, these masters of
disguise, one of whose techniques is to multiply names, false identities, and faces” [128].
THE NETWORK
The post-kidnapping network shows some well defined structures, that we review here. The pre-
kidnapping network (i.e., the investigation) faced information complexities and dynamics, which
we will also review here since it represents important knowledge about the early stages of criminal
network investigations.
The organizational meta structure of the Daniel Pearl kidnapping network was cellular with
6 distinct cells as shown in Figure 3.27. The prominent and interesting sub structures of the
network are the individual cells. Each cell in the kidnapping network were tightly nit cliques:
Khalid Sheikh Mohammad alledgly brought his nephews for the killing of Daniel Pearl; Fahad
54
Naseem and Salman Saqib, responsible for sending out ransom notes, where cousins. Omar Saeed
Shaikh was the mastermind bridging them together and transmitting orders around the network.
We find that several complexities and emergent behaviors were introduced into the Daniel
Pearl investigation. Aliases as mentioned above (multiple names, false identities, and faces), made
the identification of individuals involved in the investigation very difficult.The social and political
context the criminal network investigation team had to work and navigate in, was very complex
and hence an obstacle to progress. Omar Saeed Shaikh recruited individuals for the different cells
only a few days before the kidnapping, and this sudden emergence of the network helped keep
it secret and hence protected from detection. The fact that Daniel Pearl was meeting Shaikh
Gilani on the day of his kidnapping made him the obvious suspect in the team’s “who did it?”
hypothesis. Unfortunately, the hypothesis was wrong.
3.5.2 The hunt for Khalid Sheikh Mohammed

“Throughout the modern age of terror, Khalid Sheikh Mohammad has had the eerie
ability to be at its center yet glimpsed only in the margins. He’s been the ghost of our
times.” [146]
As we saw in the previous criminal network investigation case (and which we will see in later
investigations as well) Khalid Sheikh Mohammad (KSM) has an important role in many of them.
In the investigation of Daniel Pearl’s kidnapping (Section 3.5.1), KSM was later revealed to have
performed and video-recorded the murder of Daniel Pearl assisted by two of his nephews [146,227].
McDermott and Meyer (2012) describes how KSM had safe houses throughout Afghanistan, and an
elaborate logistics network, though his connections with high ranking Afghan Taliban individuals
are unclear - we summarize an interview with van Linschoten about the Afghan Taliban network
in Section 15.2.1 and have also studied his book on the subject [134]. KSM was a key figure in the
al-Qaeda organization (al-Qaeda and affiliated movements (AQAM) is reviewed in Section 14.3).
SETTING THE SCENE
KSM is the uncle of the worlds most famous Islamist terrorist before 9/11, Ramzi Yousef: “Yousef
had attempted to blow up the world trade center in 1993, killing six people, wounding scores of
others, and causing hundreds of millions of dollars in damage” [146]. KSM played a minor role
by wiring 660 dollars to an accomplish of Yousef (Basit), for the planning and execution of the
attack. Basit ended up using 3000 dollars on the building a bomb. KSM and Yousef then went to
the Philippines planning to assassinate “the Roman Catholic pope and the American President
Bill Clinton, and blow up a dozen American flagged jumbo jets in flight over the pacific” [146].
“KSM was secretly indicted in the US in 1996, thanks to [Pellegrino and his team]. When the
indictment was unsealed, no one noticed. If your target wasn’t al-Qaeda, it didn’t matter” [146].
Shortly after 9/11 Abu Zubaydah informs FBI agents hat KSM was the mastermind of 9/11 [146].
The hunt for KSM continued until one year after 9/11.
THE TEAM
After 9/11 (2001) many agencies and even more agents were assigned to the KSM case, but we
focus on the initial case officer Frank Pellegrino and his investigation partner, Michael Besheer.
Pellegrino is the personification of the artistic creative type [210]: “Pellegrino was the real deal
[. . . ]. Everybody wore by and large what might as well have been FBI issued dark suits. Their
desks were perpetually clean. Pellegrino’s was a mess. By outward appearances so was he. His
hair was long, at least by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ].
He was always busy, always late, always in a hurry” [146]. “Free association analytical work”
is Pellegrino’s basic approach. Michael Besheer on the other hand, is the focused, rational, and
conscious investigator. Besheer’s approach to collecting evidence was always the same, no matter
55
the size of the task, in the following example a plane: “Parts of the plane had to be disassembled,
examined, tagged as evidence and shipped to New York to be used as exhibits in a trial. His
attention to detail was perfectly suited for the task” [146]. See Section 5.4.2 for a more detailed
review of Pellegrino and Besheer’s collaboration and cognitive approach to investigation.
The hunt for KSM has been called the most fragmented investigation in U.S. history [146], spanning
multiple terrorist attacks prior to and after the 9/11 attacks (2001). As such, it is difficult to
categorize the investigation to catch KSM as following either a linear process or a target-centric
approach, since it actually comprises many investigations.
To avoid the pitfall of setting intelligence failure equal to information sharing [32], we list the
investigative efforts rooted in analytical process and tasks that inhibited the investigation progress:
First failure was the overly adherence to the complete analyst skill that says: “self-confidence to
admit and learn from analytical errors” [32]. Before 9/11 important leads had been missed, and
after 9/11 there was a “white-out” of information. The 9/11 attacks created so much information
that no one could make sense of it all: “there was no shortage of information. There was too
much – a blizzard of it, a white out so complete investigators routinely lost their way in it” [146].
The second failure was, that the two main agencies on the investigation (FBI and CIA) had very
different approaches: “the FBI, given its criminal investigation into the 9/11 attacks, was primarily
concerned with the past, with what had happened, with the crime that had been committed.
The CIA was interested in the future, what might happen tomorrow, or even today. The FBI
wanted evidence; the CIA needed intelligence” [146]. In our opinion, the third failure of the
KSM investigation was the removal of the case officer Frank Pellegrino from the investigation; the
investigator with the most subject matter knowledge.
THE NETWORK
The organizational meta structure of KSM’s criminal network is a flat structure. KSM was a
freelancer and an entrepreneur who over the years created his own network of contacts, however
tightly embedded it was (became) in the al-Qaeda organization and other (smaller) organizations
with allegiance to al-Qaeda, like Hambali’s Jemaah Islameyah [146]. Based on these observations
it would be fair to argue that KSM’s network had resemblance of a social network of business
contacts. He had relationships with individuals that had certain abilities that could help sort
different problems when needed, often logistical problems. Interesting sub structures in KSM’s
criminal network are the network cells that he deploys throughout the world to carry out terrorist
plans hatched somewhere else. An early example was his nephew Basit (also known as Ramzi
Yousef) and the people he recruited for the World Trade center bombing in 1993.
The complexities and emergent behaviors in the KSM investigation are similar to those
of other investigations into transnational terrorism or national security matters (e.g., see the
Curveball case in Section 3.3.1). KSM used up two dozen aliases but curiously also sometimes
traveled under his own name [146]. He was able to stay under the radar, not leaving any too
obvious evidence around, or his world wide network helped him, either by hiding him or warning
him before raids. Agency bureaucracy and inter-agency communication problems also inhibited
and stalled investigations and sharing of important information.
3.5.3 The Latonya Wallace and John Scott homicide investigations

A homicide investigation is a special kind of criminal network investigation. There is one or more
victims, there is a network of potential suspects together with a web of interrelated physical evi-
dence, such as statements from witnesses, and information in general linked to particular locations
at the crime scene. This section is primarily based on the account by Simon (1991), who spent
one year with the Baltimore Police Department’s homicide unit [204].
56
SETTING THE SCENE
The two homicide investigations that we use as an example here were investigated by detectives
from the Baltimore Police Department’s homicide unit during 1988. In 1988, there were 234
homicides in the city of Baltimore. “The vocabulary of the homicide unit recognizes two distinct
categories of homicides: whodunits and dunkers. Whodunits are genuine mysteries; dunkers
are cases accompanied by ample evidence and obvious suspect” [204]. Both the investigations
described here were of the genuine mystery kind, which is why we found them relevant for analysis.
Latonya Wallace’s body was found, 11 years old, in the alley behind a residential block in the city’s
midtown. She lived three and a half block away with her mother and stepfather. She went to the
library on a Tuesday, and was seen leaving the library, disappearing “into the daytime bustle of a
Baltimore street and vanished” [204] until her body was then found the following Thursday in the
morning. The John Scott homicide starts with John Scott stealing a car. A car chase is begun,
and when the police catches up with John Scott, he leaves the car and starts running. An officer
leaves starts pursuit by foot, but trips while releasing his gun from it’s holster and accidentally
fires a round in the direction of John Scott. Moments later he is found death by other police, face
down and with a bullet in his back. It seems to be a dunker, but it turns out that the bullet in
John Scott’s back was not from the police officers service weapon; a genuine mystery.
THE TEAM
Homicide detectives usually work in pairs, where one is the primary investigator. The primary
investigator owns the crime scene, and to a lesser degree the investigation. Two shifts, the night
shift and the day shift. Simon (1991) follows the shift led by lieutenant Gary D’Addario. The shift
has three squads of five detectives, each led by a squad supervisor (Detective Sergeant). When a
little girl is shot or a police officer is involved in a shooting, the whole shift takes on the task of
investigating those murders.
The investigator who answers the phone will become the primary investigator, and the secondary
investigator will depend on who’s turn is up, or simply who is nearby and free when the phone
is answered: “by that argument, the repetitive violence of the city’s drug markets betrayed the
weakness in the homicide unit, namely that investigations were individual, haphazard and reactive”
[204]. Sometimes investigators participate in more long-term, surveillance based (intelligence-led)
investigations: “Edgerton’s detachment from the rest of the unit was furthered by his partnership
with Ed Burns, with whom he had been detailed to the Drug Enforcement Administration for an
investigation that consumed two years. [. . . ] Unable to prove the murder, Burns and Edgerton
instead spent months on electronic and telephone surveillance, then took the dealer down for drug
distribution to the tune of thirty years, no parole.” [204].
THE NETWORK
The network structures of homicide investigations are not focused on social networks (i.e., mainly
with person entities) as in the investigations described earlier in this chapter. And the complexities
and dynamics are also somewhat different, as it is outlined below.
There isn’t much organizational meta structure to a dunker homicide investigation. Typically
there is the victim, the assailant still at the crime scene, admitting to committing the murder and
holding the weapon that was used to do it. The whodunit investigations also have a victim, and
then no, one or multiple suspects. The meta structure of a whodunit investigation can be seen as
a star network [240], with the victim at the center, and then each surrounding node represents the
a suspect (an individual or a group of individuals), who has their own network of home address,
friends, time lines, etc.
57
Again, the sub structures of homicide investigations are not focused on social networks, like
many of the other investigations discussed above, but focuses on other aspects (evidence). A lot
of reasoning structures exist in reactive policing. “A body in an alley leaves a detective with
questions: What was the dead man doing in that alley? Where did he come from? Who was
he with?” [204]. The time line mentioned below is also used for reasoning, e.g., in relation to
time of death. If time of death was at this particular hour, we create these hypotheses, but if
it was 10 hours later, then we can create these other hypotheses. Since it was suspected that a
cop had shot John Scott, all the radio communication from that night was transcribed, in order
to match it up with statements taken from police officers during interrogation. Time lines are
used extensively in the Latonya Wallace case to match the alibi’s of suspects with a chronology
of events as the investigators has them synthesized at the time of interview with the suspects.
The crime scene presents a network of physical evidence related to the scene and the victim.
Homicide detectives typically solve cases by the use of physical evidence, and not first establishing
the motive, as it is often portrayed in movies, tv shows, etc. When detective Edgerton realizes
that Latonya Wallace’s body may not have been carried into the alley from the ground, but could
also have been carried down from the fire stairs he draws a map. “Edgerton taped two sheets
of letter paper together and divided the space into sixteen long rectangles, each representing one
of the sixteen adjoining rowhouses on the north side of Newington Avenue. In the center of the
diagram, behind the rectangle marked 718, Edgerton crudely drew a small stick man to mark
the location of the body. The he indicated the location of the fire stairs at 718, extending from
the rear yard to a second-floor landing and then the roof, as well as other fire stairs and ladders
on other properties” [204]. Edgerton uses the drawing to narrow down the houses with roof top
access, which means a person could have could the body down from the roof and put in the alley.
Complexities and emergent behaviors are introduced in several ways. The location of the
crime scene can add many new complexities to an investigation. The crime scene could be on
the street, in an alley, or in a row house, each place associated with different challenges [204]. A
homicide detective has three open cases on his desk at all times. On top of that, the bosses may
decide that the homicide unit needs to focus on a particular series of murders for political reasons.
The shift commander assigns the investigations of detectives busy with other prominent cases to
new detectives, ruining their previous leg work and trust build up with informants etc. But the
shift commander is often under pressure to raise the clearance rate and may see no other way.
Information may change for homicide investigations in many different ways, e.g in the Latonya
Wallace investigation the autopsy showed two meals in her stomach: One nearly digested meal of
spaghetti and meat ball, and one only slightly digested meal of hot dogs with sauerkraut. This
information is used to give an estimate of time of death. But deep into the investigation the
criminal network investigation team learns that the menu at Latonya’s school did have those two
meals on the menu at two days following each other, but each was in fact a day earlier than
the police was initially informed, changing an important parameter in the estimate of time of
death, and hence also the basis of many hypotheses. Witness statements can change many times
during an investigation. The general thought is that suspects lie, often for no reason, and the
investigators use physical evidence from the crime scene to catch the witnesses lying and make
them tell the truth. A typical example is mentioning something that was or wasn’t at the crime
scene, formulating interrogation questions accordingly.
3.5.4 Organized drug crime investigation

The Wire is a tv series, renowned for its authentic depiction of urban life on each side of the law32 .
In the first season we follow drug dealers on one side and law enforcement officers on the other [163].
The Wire is interesting and relevant as a criminal network investigation case study for a number of
reasons. First of all, the target-centric, board-based approach33 chosen by the investigative team
maps well onto our criminal network investigation model [174]. Secondly, Analyst’s Notebook [2],
a commercial software tool for visualization and analysis of criminal networks, is used to narrow
down a list of suspects, based on a large number of intercepted phone calls. Finally, the shows
58
ability to describe investigative context is exceptional. By context, we mean factors such as power,
the pros and cons of law enforcement culture, distribution of resources, and the impact of politics
that ultimately can decide the success or failure of investigations [34].
SETTING THE SCENE
The organized crime investigation begins with narcotics lieutenant Cedric Daniels being ordered
“to organize a detail of narcotics and homicide cops to take down Avon Barksdale’s drug crew which
runs the distribution of heroin in several of Baltimore’s projects. Realizing that low-level buy-
and-busts are getting them nowhere34 , the detail of cops [. . . ] add visual and audio surveillance
to their law enforcement tools” [34]. The team is provided with office space in a basement, from
where they can work the case and monitor the many wires they set up in an attempt to map out
the network of individuals in the Barksdale organization.
THE TEAM
The criminal network investigation team has one narcotics lieutenant (Daniels) who is the team
leader, four detectives, three police officers, and one informant. The lieutenant manages the team
and is the final decision maker, the detectives take care of investigation and following leads, the
police officers bring people in, take pictures, and so on. The informant provides the team with
inside information from the streets, e.g., how to dress if a police detective is going undercover.
A senior police officer, recognizing that “all the pieces matter” is put in charge of information
collection and processing and he starts adding snippets of information on to the investigation
board shown in Figure 3.28a. The board functions as the team’s common information space.
Figure 3.28b shows some of the information entities used on the investigation board. There are
polaroid close-ups of individuals, and two types of text cards: one with meta information about
entities and one functioning as headers. In the middle, there is a surveillance photo and at the
bottom a newspaper clipping.
(a) investigation board (b) information entities
Figure 3.28: The Wire case - a shared information space, in this case a physical board (left), with
different types of information entities (right).
59
THE NETWORK
The organizational meta structure of the Barksdale organization is a hierarchical and somewhat
flat structure, that maintains a top-down chain of command as shown in Figure 3.29 [10,206,249].
The top consists of the leader Avon Barksdale, his second-in-command Stringer Bell who admin-
istrates and manages the organization, and, Avon’s sister Briana Barksdale, who is responsible
for the financial side together with Stringer. Maurice Levy is the organizations lawyer who offers
legal advice and acts as defense lawyer for members of the organization. At the bottom of the
organization are the drug selling crews: typically a crew is responsible for a high-rise building,
an area in the low-rises, or a street corner (so called open-air drug markets [221]). Each crew
has a chief, one or more high ranking lieutenants who control a number of dealers and runners,
responsible for arranging a buy, getting the money, retrieving the drugs from a nearby location
and handing it over to the buyer. For communicating strategies and commands to the crews,
the leadership (primarily Stringer) has lieutenants to enforce his commands (in season one Anton
Artis and Roland Brice work as the lieutenants), and they in turn have their enforcers who they
forward tasks to. But Stringer Bell also shows up in person to ask crew chiefs to solve specific
tasks or follow a new strategy.
Figure 3.29: The Barksdale organization in sea- Figure 3.30: The Barksdale organization in sea-
son one of The Wire, chart from [249]. son two of The Wire, , chart from [249].
Interesting network sub structures are the crews (or gangs), a group working their individual
corners. The lieutenants function both as bridges between the leadership/top and the crews,
while enforcing orders from the leadership, in terms of destabilizing other organizations, etc.
Complexities and emergent behaviors are (again) introduced in several ways. Complexity in
a surveillance-based investigation like that of the Barksdale organization, are a bit different than
the complexities related to counterterrorism investigations. Examples include communication
encryption used by the drug crews, e.g., applying a numerical encryption to phone numbers sent
via pagers, or taking pictures to designate where to meet [10, 206]. The legal framework is also
responsible for some complexity. To arrest someone for dealing drugs (of a street corner) you
typically have to catch the individual receiving money and then handing over the drugs. The
60
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.6. SUMMARY
crew running the street corner can circumvent this by having one person receive the money, a
runner to get the drugs from a stash, and then a third will deliver the drugs around a corner or at
the purchasers car. The police often make an undercover cop buy the drugs to be able to arrest
individuals on a street corner (buy and bust).
Dynamics are introduced by emergent and evolving information and political and management
decisions: When investigations start, criminal network entities are often associated in other ways
than through well established relationships to other entities. First, the entities are randomly
positioned in the information space and maybe only a few are directly linked (e.g., the known
accomplishes of the target). Later, more entities are linked, groups are created, and structures
emerge. During the first iterations, spatial associations like entity co-location play an important
role. A spatial association with certain semantics could be entities placed in close proximity of each
other to indicate a subgroup in the network or snippets of information about a certain individual.
Or entities might be placed above and below each other to indicate hierarchical importance. And
it may take many iterations before it is clear what attributes (entity meta data) are relevant as
input for analysis algorithms. In other words, “semantics happen” [197].
3.6 Summarizing criminal network investigation

In this chapter we have discussed the characteristics of criminal networks compared to other com-
plex networks. We have presented the building blocks of criminal networks and reviewed basic
(abstracted) criminal network structures found to be re-occurring across investigation cases. Then
we took a closer look at two very different processes for criminal network investigation, the linear
and target-centric process models. We presented four criminal network investigations comprising
three distinctive investigation domains (policing, intelligence analysis, and investigative journal-
ism). We conclude this chapter by summarizing our findings for each of the three investigation
domains. For each domain, we summarize work related to each of the three criminal network
investigation challenges on which our main hypothesis is pinned (information, process, and human
factors).
Investigations such as police investigations, intelligence analysis, and investigative journalism in-
volves a number of complex knowledge management tasks. Investigative teams collect, process,
and analyze information related to a specific target, to create products that can be disseminated
to their customers. We focus specifically on knowledge management situations where a lot of
information must be interpreted rapidly or where a group shares and restructures information
in order to coordinate or reach consensus [198] until now (see Figure 3.31). Collaboration and
communication are important aspects of such group oriented situations, and connecting pieces of
information that become known over time are a vital activity [20]. The described situations are
very creative and social influences on creativity such as production blocking, evaluation apprehen-
sion and free riding has to be considered [239]. Different process models have been proposed to
handle the complex tasks and issues involved in investigations (such as police investigations [53],
intelligence analysis [40], and investigative journalism [136]). The three investigation types are
briefly summarized below, in terms of process, information, and human factors.
3.6.1 Policing
Reactive policing is getting competition from intelligence-led policing, more information is being
gathered and used, but evidence from interrogations and other street human intelligence weighs
heavy; human factors play are large role for that aspect, less so for the analytical methods. We
describe process models, information, and human factors related to policing below.
Process (e.g., [7,53,83]). Many models have been developed over the years, ranging from reactive
community and problem-oriented policing models to the more proactive intelligence-led and
61
3.6. SUMMARY CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
Figure 3.31: A criminal network investigation example illustrating the preferred approach to
analysis for policing, counterterrorism, and investigative journalism investigations. The screen
shot is from the Daniel Pearl investigation, where two investigators discussing the relevance of one
individual’s connection to the terrorist organization Jaish e-Mohammad.
terror-oriented (i.e., political) policing models. These models run in parallel to the tradi-
tional law enforcement model characterized by its paramilitary and bureaucratic “command
and control” structure, and focus on incident-driven response to calls for service. Police
investigations include a variety of tasks like criminal profiling, crime scene analysis, data
processing, and storing and sharing of information.
Information (e.g., [10, 53, 204]) Most information produced by police officers is difficult to rep-
resent and thus to access and communicate due to its nature. Police knowledge tends to be
implicit and experience-based. Human intelligence includes statements from witnesses and
informants living on the street. A whodunit homicide crime scene produces a lot of physical
evidence like crime scene photos, lifted fingerprints, hairs, etc., which gets examined and
cataloged. Surveillance is used on bigger investigations producing signal intelligence such as
audio (telephone calls), pager communication, and video.
Human Factors (e.g., [204, 210, 239]) As mentioned, police knowledge tends to be implicit and
experience-based, e.g., the questions an investigator asks himself or witnesses when con-
fronted with a complicated investigation. Or what approach to use when you have a certain
type of individual in the interrogation room. Other human factors relate to problem solving:
detectives must have an ability to “think out of box” and associate different items, facts,
and individuals from the crime scene and investigation to come up with new hypotheses
that could potentially solve a standstill case. The capacity of a detectives working memory
decides how many entities he or she can joggle when processing information.
3.6.2 Counterterrorism
Counterterrorism investigations are by far the investigation domain with most focus on keeping in-
formation classified, information is often signal and imagery intelligence, and human factors relate
more to creativity and cognition for analytical abilities. We describe process models, information,
and human factors related to counterterrorism below.
Process (e.g., [39, 40, 178]). Before 9/11 (2001), investigations were mainly handled by a nations
security services, but are now moving toward joint operations with police in what is often
62
CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.6. SUMMARY
referred to as the emerging policing-security nexus. Counterterrorism investigations are, like

many of their targets, covert operations. The goal is to transform intelligence from different
sources (humans, signals, images, open, etc.) into actionable intelligence products, typically
for governments to take proactive measures in order to thwart high risk plots. Due to the
complexity of terrorism and the people involved, some traditional crime-related investigative
tasks like profiling have not yet been transferred to this domain.
Information (e.g., [40, 146, 214]) Counterterrorism information mainly uses secret intelligence35
obtained from surveillance such as satellite imagery or phone calls. Open source intelligence
is information readily available for everyone and has been found to actually represent 80%
value whereas secret intelligence has been only to represent 20% of the value36 . Information
can vary from knowing whether it will be full moon and the fields have just been harvested
before inserting troops on the ground in a foreign country 37 to year long surveillance (video,
audio, infiltration, etc.) following a groups increasing radicalization and knowledge of bomb
making right up to the point prior to a terrorist attack.
Human factors (e.g., [146, 225]) Given the often proactive nature of counterterrorism efforts, a
lot of “free association” and “out of the box” thinking is often required to generate hypotheses
about potential outcomes.
3.6.3 Investigative journalism

We have chosen investigative journalism as a third domain of criminal network investigation,
because of the many similarities it bears with counterterrorism and policing investigations, as
the following quote illustrates: “we soon learned that tracking the story of a ghost is not much
different than tracking the ghost itself” [146]. The Daniel Pearl investigation was an example
of a criminal network investigation team with journalists, police officers, and counterterrorism
experts working together to create a target-centric model with the goal of resolving a kidnapping
situation [174]. But also because the tools and techniques that investigative journalists apply
could benefit the domains of counterterrorism and policing. When Klerks (2001) joined a law
enforcement intelligence department as an academic criminologist he gained the appreciation he
had hoped for, “although it was gained mostly by displaying research skills [he] picked up in
journalism instead of university” [120].
Process (e.g., [101,128,136]). While police and counterterrorism units enforce the law, investiga-
tive journalism often results in the first rough draft of (new) legislation. It has helped bring
down governments, imprison politicians, reveal miscarriages of justice, and shame corpora-
tions. Classical investigative journalism was primarily about digging. It was done on the
street, talking to people, drinking in bars, while tracing down leads, all the time scribbling
notes on scraps of paper and stashing them away in files and boxes. The human factor is
still important (see below), but the availability of computer-assisted reporting tools to search
public databases and the online open source information overload has changed the game for
ever. Everything has become more complex, and the investigators are adapting to this new
situation.
Information (e.g., [120, 162, 204]). Investigative journalism is still to a certain degree based on
human intelligence (interviews with anonymous sources), especially in areas where a lot of
local information might not be available on line. Open source intelligence for background
checks or similar, database searches, interviews with relatives, colleagues, etc. Pictures by
photographers and own audio from interviews. Information could also be the investigative
journalists own observations, e.g., spending a year in a Baltimore police department homicide
unit. Maybe a journalist will gain access to otherwise classified information, government or
commercial, again based on interviews with anonymous sources.
63
3.6. SUMMARY CHAPTER 3. CRIMINAL NETWORK INVESTIGATION
Human factors (e.g., [128, 146]). Experience and tacit knowledge (ability to ask the right ques-
tions, personal network, etc.) are key tools for a successful investigative journalist. Mind
mapping abilities (linking together facts for correct understanding and coherent stories) are
important, just as when a homicide detective is trying to understand a complicated crime
scene. A journalist can sometimes have an advantage in gaining access to interviews and
information, since the journalist is the protector of civil liberties and the voice of the people,
while police officers and secret agents might have more trouble getting people to talk about
an incident.
64
CHAPTER 4
Related work
“We are good at modeling static networks,” he says, “but networks

like these change over time. And we don’t yet have a dynamic graph
theory.” When one terrorist is caught or killed, for example, “he is
replaced by a cousin” with different social links. “Changing a single
link can completely change the graph.”
Interview with March Sageman (2009) [26].
Existing work related to criminal network investigation falls into two categories. Related work
from various research fields has provided much inspiration in the design and development of
CrimeFighter Investigator. This type of related work is reviewed in Section 5.1. The other type of
related work is centralized around tools that support criminal network investigation tasks. This
chapter focuses on such tools. A comparison of our approach against existing work in that area is
described in Chapter 15.
A number of existing tools support criminal network investigation processes and tasks. The tools
have been selected to cover prominent commercial tools (Section 4.1), tools actually used by
investigators, as well as research prototypes (Section 4.2) and tools for investigative journalism
(Section 4.3) to get a comprehensive overview of the state-of-the-art tool support for criminal
network investigation tasks. We find the review of investigative journalism tasks relevant, due to
the supported tasks.
Our analysis of state-of-the-art tools is mainly based on open source material (tool websites,
reviews and blogs, academic papers, etc.), but for a few of the commercial tools, statements
from end users have also been included. Naturally, the commercial tools have lots of information
about their products on their website, but while there are many colorful screen shots and videos,
and statements generated by the marketing department, there isn’t much technical depth to that
material (with Palantir Government providing most technical explanations through the videos on
their site). The research prototypes on the other hand are described with a technical point of view
in academic papers, but other than that, not much material can be found (except if papers mention
research prototypes other than their own). Network analysis tools, frameworks, and libraries gets
perhaps the best open source coverage, since they are used by everyone when building their tools:
the technologies are detailed described in academic papers, journal papers and books; their usage
and examples thereof are provided by all the researchers, developers, and companies who utilize
the technologies; even the software itself is often open source.
65
4.1. COMMERCIAL TOOLS CHAPTER 4. RELATED WORK
For each of the reviewed tools, we focus on support of criminal network investigation tasks. Our
related work review is applied later, in Chapter 15, where we compare the capabilities of these
state-of-the-art tools from the policing, counterterrorism, and investigative journalism domains
against each other and CrimeFighter Investigator (see Section 15.3). The analysis of conceptual,
structural, and mathematical models is also used later for a capability comparison of the tools on
those parameters.
The remainder of this chapter is organized as follows: we start out with a review of commercial tools
in Section 4.1 covering Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer
6.0, and COPLINK. We indicate the tool versions to set the boundaries of our analysis. Next, we
look at research prototypes in Section 4.2, covering The Sandbox for Analysis, POLESTAR, Aruvi,
and the mentioning of a new research prototype Dynalink. Tools for investigative journalism are
reviewed in Section 4.3 and covers Namebase.org, Mindmeister, and a range of simple tools.
4.1 Commercial tools

The following commercial tools for policing and counterterrorism have been selected as particularly
related to our work: Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer 6.0,
and COPLINK. Our reviews of these tools is presented below, except for COPLINK since it is a
tool that takes a different approach compared with the other three. It is however included in our
capability comparisons in Section 15.3, given its relevance for criminal network investigation in
general.
4.1.1 Analyst’s Notebook 8.5

Analyst’s Notebook 8.5 (AN) is part of IBM i2’s analysis product line38 and “aims at supporting
a rich set of analysis and visualization capabilities to support analysts in quickly turning large
sets of disparate information into high-quality and actionable intelligence to prevent crime and
terrorism” [2]. In Section 15.3, where we compare the capabilities of all the related work it is
pointed out that Analyst’s Notebook is not strong on sense-making, except for their support of
visualization and various filtering views.
AN aims at supporting a broad spectrum of customers including national security, defense, law
enforcement, government and private sector organizations. The tool has diagrammatic visual
representations and is mainly used for visualizing connections (e.g., transactions, phone calls, ‘is-
related-to’ relations, etc) between various types of entities, social network analysis and different
interactive views such as histograms and heat matrices [2, 107]. AN hides the full content and
context of information (lack of transparency) and it seems better suited as a report tool than
a thinking tool since it does not encourage various alternative thinking [254]. This claim was
supported by end-users we met at an i2 user conference [106]: “I typically use Analyst’s Notebook to
generate a report for the state attorney handling the case in court. I do not use AN before I am done
with my analysis”. Furthermore, assumptions and evidence are not easily distinguishable [254],
making it impossible to back-track how reasoning was done and on what grounds decisions were
made.
SPECIFIC FEATURES
Analyst’s Notebook supports “flexible data acquisition via intuitive drag-and-drop, importing or
multiple database access capabilities” [108]. Another interesting import feature is, that “when
importing data into Analyst’s Notebook 8, users now have the ability to export transformed data
into a comma separated or tab separated file allowing them to save and reuse the transformed
version of their original file” [104]. Analyst’s Notebook supports column actions 39 on import [107],
such as Add Prefix (“Adds text or values immediately before the values imported from a data
66
CHAPTER 4. RELATED WORK 4.1. COMMERCIAL TOOLS
column”) and Extract Portion of Text (“Extracts a specific portion of text or data from a data
column”).
AN supports information elements and relations, and visualization of groups in a network (see
Figure 4.1). A range of 3D icons are supported as visual abstractions for information elements,
e.g., ‘male person’, ‘telephone’, and ‘refugee center’ in Figure 4.1. Information elements are cre-
ated using drag and drop from a special pane, and attributes are added to information elements
also using drag and drop from a similar pane [104]. As mentioned, relations between information
elements are supported and Figure 4.1 (upper left corner) shows simple examples such as ‘asso-
ciate’, ‘address’, and ‘subscriber’. Three types of directed links are supported: multiple, directed,
and single. If information elements are phones, then the type multiple can be used to indicate
number of phone calls between the two phones at different times of day. The type directed can be
used to indicate phone calls from phone a to phone b and vice versa, and the type single could
have the total number of phone calls between the two phones. Group entities (composites) are not
supported, only indirectly using visualizations (see Figure 4.1). That also means that information
cannot be collapsed or expanded. All information found relevant for the investigation exists at the
same level in the information space, and then parts of it can be highlighted or emphasized using
various filters, histograms, etc. [2, 104, 107]. AN supports multiple information types, e.g., drag
and drop of pictures onto information elements to add the picture as a visual abstraction.
The focus of AN is on visual analysis. It has support for many perspectives on information such
as visual symbols in the information space, chronologies of events, heat matrices (e.g., indicating
during what time spans crimes occurred in the past), positioning of information entities onto maps
to do geographic analysis, etc. AN has strong support of social network analysis and visualization
thereof. Multiple centrality measures (eigenvector, betweenness, degree, and closeness) can be
selected to run simultaneously, the results of which are visualized using color and entity size in
the information space.
Finally, AN supports the generation of a wide range of reports for dissemination of analysis results.
Creating hypotheses in a collaborative manner is not supported, but in one product video [105]
there is an example of analysts that are asked to assemble a single target profile. While they are
working they can comment on and review each others work, and when finished they can assemble
their work into “a multi-dimensional report”.
4.1.2 Palantir Government 3.0

We analyze the tool with the most criminal network investigation capabilities of the state-of-the-
art in this section (see capability comparison in Section 15.3). Palantir Government 3.0 is a
platform for information analysis designed for environments where the fragments of data that an
analyst combines to tell the larger story are spread across a vast set of starting material. Palantir
is currently used in various domains such as intelligence, defense, and cyber security. According
to the company website of Palantir Technology, Palantir Government is increasingly “seen as the
platform of choice for the spectrum of hard problems that we face today. Palantir provides an
out-of-the box foundation for information management - full source tracking, fine grained access
control, flexible data modeling, structured and unstructured data ingest - with a powerful frontend
to explore all of this richness” [5].
A recent article in The Economist (2012) on big data analytics, stated that Palantir Technologies is
the company “that has perhaps gone furthest in finding useful connections in disparate databases.
[. . . ] Its specialty is building systems that pull together information from different places and try to
find connections” [229]. The article also comments on Palantir’s initial customers, the spy agencies:
“in America, the CIA and the FBI use it to connect individually innocuous activities such as taking
flying lessons and receiving money from abroad to spot potential terrorists” [229]. Interestingly,
Palantir Technology, is the producer of a commercial tool partially supporting criminal network
investigation, which has put most thought into civil liberties and other ethical issues. Privacy
and civil liberties are “embedded in Palantir’s DNA” [223], exemplified by technologies like access
67
CHAPTER 4. RELATED WORK
68
4.1. COMMERCIAL TOOLS
Figure 4.1: Augmented screen shot of Analyst’s Notebook illustrating supported entities and concepts: information elements and relations, various
visual symbols, a satellite view, tabbed panes with e.g., chart creation tasks and examples of visual filtering for different purposes. (source: [2])
control model, revisioning database and immutable audit logs. Palantir also used existing legislation
as guidelines on how to address ethical issues in implementation [223], e.g., the 9/11 commission
implementation act [152].
Our analysis of Palantir Government is based on open source material such as white-videos (e.g.,
[191,194,237], video demonstrations (e.g., [230]), white-papers (e.g., [222,223]), and academic and
other papers and articles (e.g., [26, 161]). For the intelligence community Palantir have described
an intelligence infrastructure, where visualization and link analysis is the “top of the iceberg”, in
a layered architecture comprising the four layers data integration, search & discovery, knowledge
management and collaboration [192], as shown in Figure 4.2.
Figure 4.2: Visualization and Link Analysis is the “top of the iceberg”, in a layered architecture
comprising the four layers Data Integration, Search & Discovery, Knowledge Management and
Collaboration (source: [192]).
SPECIFIC FEATURES
Palantir Government has a data integration platform, which is a framework for data integration
with “a powerful model that accommodates every kind of enterprise data source” [194], structured
and unstructured, such as online sources, databases, text files and spread sheets [192, 194]. To
get an understanding of what Palantir means by structured and unstructured data, we use an
example from a counterterrorism demonstration video [230]. In this video, a text file (document)
describing an investigation asset meeting three other individuals at an charity event. When the
document is viewed in a so called Browser, some entities such as names and email addresses, are
recognized and highlighted as if they were hyperlinks in a web browser. The entities were high
lighted using one of several entity extraction methods (automated or manual). If using automated
extraction, errors will occur and not all important entities are highlighted (e.g., the home address
of an individual). The user now has the option to manual extract entities such as phone numbers
and addresses, indicate their type and link them to the already recognized entities (individuals)
in the document. Furthermore, entities can be merged (i.e., they represent the same entity) using
drag and drop, and the data is becoming increasingly structured. [230]
In general, Palantir data integration focuses on the importance of supporting open formats and
application programming interfaces (api): “you need a platform that allows you to import informa-
tion, interact with that information, and then get it out of the system” [194]. A short, but precise,
description of the purpose of criminal network investigation tools. The object (entity) model of
Palantir Government is very impressive. It has its own separate architecture layer between the
data storage and the end user (analysts, developers, and administrators) as shown in Figure 4.3
69
(left). This separate layer for the data model leverages “lossless data abstractions” [237], making
it possible to “track every piece of information back to its source” [237] (see Figure 4.3, right).
Figure 4.3: The object model has its own separate architecture layer between storage and end
user (left). This approach secures lossless data abstractions, even with multiple sources forming
the basis for object properties, e.g., name or email (right). (source: [237])
Palantir Government supports nodes, links, and groups for synthesis and “users interact with
their data as first order conceptual objects” [237]. It is our impression that objects only cover
the nodes in criminal networks, not the relations between nodes nor the groupings of nodes, links,
and groups, especially since we are to think about objects “as empty containers or shells, within
which we fill attributes and other information about them. Examples of entities could be people,
places, computers, phones, events like meetings or phone calls, or documents like email or message
traffic” [237].
Figure 4.5: Expanded group object and other

Figure 4.4: Different kinds of relations are objects (individuals) are shown on the left,
shown (round icons), with the same visual re- and the result of collapsing the group object
lation (blue line). (source: [230]) is shown on the right. (source: [230])
“We haven’t encoded any semantics into the object model itself. The organization actually gets to
define their semantics using a tool called Dynamic ontology” [237]. Palantir Government supports
directed links, either representing single relationships or multiple as shown in Figure 4.4, where
there are multiple relations for each link (each one represented by a circle with an icon). The
technological support relationships as means for connecting objects is based on ontologies, as
shown in Figure 4.6. There is one ontology for objects, one for relationships, and one for object
properties (attributes).
Palantir Government supports group objects to which other objects can then connect (see Figure
70
Figure 4.6: Palantir Government supports an object model that is different from the ontology
describing relationships, objects, and properties (left). On the right is an example of an object
model with an ontology. (source: [237])
4.5, left). While expanded we notice that the group icon remains in the space. When the group
is collapsed all the connected objects are hidden (see Figure 4.5, right).
Palantir government also records a history of the users actions. This means that investigators
can return to a point in an investigation, i.e., a point where a certain action was done by the
investigator (e.g., a search). However, if the investigator makes a change now, a branch is created
in the investigation, visualized with a new icon in the history bar, indicating the number of old
slides (the old branch), as shown in Figure 4.7 [230]. This means that investigators can use
branches to represent different hypotheses, or maybe they are just alternate interpretations of
the same information: “Unlike a typical undo redo, Palantir maintains a fully branched history
of everywhere an investigation has been. This allows an analyst to explore hypotheses or see
where [some evidence] might lead an investigation, without fear of in anyway contaminating or
corrupting that investigation” [230]. Finally the history adds a learning perspective to Palantir
Government: “this investigation [history] provides an importing training aid, allowing analysts to
show other analysts how they reached their conclusions, which paths they take, and what they do
when they reach dead ends” [230].
Figure 4.8: How to search

for Mike Fikri in investi-
Figure 4.7: An example of Palantir history with a branch (the slide gations created by other
that says ‘3 old slides’). (source: [230]) analysts. (source: [230])
Palantir Government investigation summaries can be exported into Microsoft Powerpoint or HTML
formats [230]. The user can select the individual history slides that are to included in the sum-
mary using check boxes, additional information about each individual slide can be added, and the
summary can be given a title.
Real-time update of database indexes is supported, since Palantir Government found it was nec-
essary “in order to truly enable enterprise-wide real-time collaboration” [230]. The collaboration
focuses on sharing data as well as analyses, collaboration inside as well as across agencies, across
71
compartments and across classification. The collaboration concepts are based on how engineers
collaborate. Finally, Palantir Government is the “only system designed with civil liberties and
privacy protections” [192]. An example of how an investigator can search for a specific object in
other investigations is shown in Figure 4.8. In terms of human-computer interaction, the circular
object action menu in Figure 4.8 is interesting and an intuitive method for doing so; the object is
in the middle with available menus around, no matter where it is positioned in the investigation.
4.1.3 Xanalys Link Explorer 6.0

Xanalys Link Explorer 6.0 (previously Watson [7]) allows investigators to apply powerful query
and analysis techniques to their data, presenting the answers in a range of visualizations such as
link charts, time lines, maps, and reports [6].
Xanalys Link Explorer information spaces are referred to as charts. In the hierarchy chart in-
formation elements can be organized, with pre-defined icons or the users own pictures as visual
abstractions. Links can be placed between the information element to model relationships [6].
Link Explorer supports many different charts (perspectives) for information including “tabular,
hierarchy, link, timelines, maps, clocks etc.” [6]. The user is free to move data entities between
the charts.
Two interesting features of Xanalys Link Explorer is the support of exporting a chart to a Microsoft
Excel spreadsheet (Figure 4.9) and the ability to create search queries using drag and drop (Figure
4.10). We have not come across these features in any of the other related work40 . The drag and
drop query example presented in Figure 4.10, a person, a vehicle, and a location are all linked to
an incident report. We interpret this query as a desire to search for single individuals, who have
been involved in an incident, where a car was also involved, and it happened at a specific location.
Figure 4.9: Example of exporting a Link Ex- Figure 4.10: An example of to create search
plorer chart to Microsoft Excel spreadsheet. queries in Link Explorer by the use of drag and
(source: [6]) drop. (source: [6])
4.1.4 COPLINK
COPLINK is designed for both general policing and specialist use for detectives/crime analysis
[53]. The tool consists of three modules: “Connect” database, “Detect” criminal intelligence, and
“Collaboration” [84]. With the merger between Knowledge Corporate Computing and i2 in 2009,
COPLINK became a separate product line within i2 Limited. In 2011, i2 Limited was purchased
by IBM. We do not present our analysis of the COPLINK tool here, as we have chosen to focus
on the other three tools reviewed above (Analyst’s Notebook, Palantir Government, and Xanalys
Link Explorer), since they target a more complete investigation cycle.
72
CHAPTER 4. RELATED WORK 4.2. RESEARCH PROTOTYPES
4.2 Research prototypes

We analyze three research prototypes in this section: The Sandbox for analysis focuses on easy
drag-and-drop acquisition, expressive thinking, and implements interesting interaction gestures
[254] (Section 4.2.1). POLESTAR is an integrated suite of knowledge management and collabo-
ration tools for intelligence analysts [178] (Section 4.2.2), and Aruvi is the implementation of an
information visualization framework that supports the analytical reasoning process [201] (Section
4.2.3). Finally, we mention Dynalink, a recent prototype that demonstrates interesting features
(Section 4.2.4).
4.2.1 The Sandbox for Analysis

Sandbox is a flexible and expressive thinking environment that supports both ad-hoc and formal
analytical tasks [254]. Investigators can acquire “any relevant information, including documents,
snippets, images, tables, etc. by dragging them into the Sandbox from TRIST41 as well as MS
Word, MS Explorer, IE and other systems” [254]. The Sandbox and TRIST are integrated in the
same cognitive workspace (called nSpace), which means that information (e.g., text snippets or
pictures) can be dragged directly to an investigation in the Sandbox, and entities in the Sandbox
can be dragged to TRIST to function as a search query for additional information [254].
“Analysts need to be able to quickly and easily place, arrange, re-arrange, group, emphasize,
highlight and compare information” [254]. Information is arranged, linked and grouped according
to topics and issues. Based on Figure 4.11, associations are either made using simple unweighted
relations or visual associations by spatial arrangement of entities.
As shown in Figure 4.11 (d, b, and c), the conceptual model of the Sandbox has support for card-
like entities and groups (d), picture entities (b), and relations (c). The creation of hypotheses
(argumentation for topics and issues) has clearly been a key requirement and has resulted in
strong, intuitive, support. Hypothesis questions can be stated using ‘pin’ labels, and can be
branched out to several sub questions in the work space. In Figure 4.11, the question Who wants
to [. . . ]? is followed by the questions Who attacked [. . . ] in the past? and Who would benefit
from [. . . ] death? 42 . Assertion groups can be used to gather evidence proving a hypothesis true
or false. The assertion group has “Support and Refute Gates” along the sides. See Figure 4.11
(e) for an example of dragging evidence through the support gate to an assertion group.
Figure 4.12 shows some of the interesting information interaction gestures that the Sandbox sup-
ports: grouping of entities can be performed with a loop gesture (Figure 4.12a, entities not aligned
vertically or horizontally can be selected using a so called lasso selection Figure 4.12b, and entities
are delete with an x gesture (Figure 4.12c). Finally, the Sandbox supports direct manipulation,
providing a sense of writing on physical objects (e.g., white boards or paper cards): “direct ma-
nipulation and annotation are used to build and express meaning.” [254].
4.2.2 POLESTAR
POLESTAR (POLicy Explanation using STories and ARguments) is an integrated suite of knowl-
edge management and collaboration tools for intelligence analysts [178]. Pioch and Everett (2006)
points out the reasons for intelligence failure relating to current information systems that “inhibit
collaboration and stifle insight with antiquated processes that encode [. . . ] compartmentaliza-
tion” [178]. POLESTAR supports the end-to-end intelligence analysis process, covering the pro-
cesses search, read, collect, structure, write, review, and revise. The entities in POLESTAR are
so called Facts, which are basically text snippets collected from websites by first highlighting the
text and then dragging it into a portfolio browser. The user can augment the fact with various
meta data, such as the source of the information and their interpretation of it.
The portfolio browser has tools for knowledge structuring such as the wall of facts (see Figure
4.13) that includes a time line view (Figure 4.14). The wall of facts “is a blank workspace onto
73
CHAPTER 4. RELATED WORK
74
4.2. RESEARCH PROTOTYPES
Figure 4.11: An augmented screen shot from the Sandbox for analysis, illustrating basic entities and features. ‘Pin’ labels are used to ask questions
and start hypotheses (a). The conceptual model supports card-like entities and groups (d), picture entities (b), and relations (c). An assertion
group are used gather evidence proving a statement true or false and the assertion group has “Support and Refute Gates” along the sides - (e) is an
example of dragging evidence through the support gate to an assertion group. (source: [254])
CHAPTER 4. RELATED WORK 4.2. RESEARCH PROTOTYPES
(a) Loop-to-group (b) Lasso-selection (c) X-to-delete
Figure 4.12: The Sandbox interaction gestures includes loop-to-group gestures, lasso-selection
gestures, and x-to-delete gestures.
which the analyst can drag and drop snippets of information that they have collected” [178].
Snippets placed at the edge of the wall of facts is shrunk, while snippets at the center are full
size. Investigators can add claim text boxes around which snippet arguments can be positioned,
or snippets can be grouped hierarchically using sub-workspaces. The wall of facts time line view
shows the chronology of snippets according to the dates that investigators have added: “seeing this
arrangement can clarify relationships that are hard to detect when looking at a series of textual
dates” [178]. Interestingly, the time line view supports also sub-time lines.
Figure 4.13: POLESTAR Wall of Facts. Figure 4.14: POLESTAR Timeline.
POLESTAR has strong support for creating hypothesis (like the Sandbox, see Section 4.2.1), and
mentions the importance of having an explicit structure to easier locate weak arguments. As with
any argumentative structure, the basis in POLESTAR is a hypothesis. The hypothesis can be
supported or rebutted by claims (i.e., the claim box mentioned above) and assumptions. Claims
and assumptions are typically based on interpretation of a fact, which the investigator has entered
meta data about, such as info type, reliability, classification, and source. The fact originates from
a source document.
4.2.3 Aruvi
Aruvi is the prototype implementation of an information visualization framework that supports
the analytical reasoning process [200,201]. As mentioned, analysis is focused on what can be done
using visualizations, but has some structure in terms of the argumentative reasoning support and
the navigation history. Shrinivasan and Wijk (2008) formulate five requirements for the analytical
reasoning process in information visualization [201], which are summarized to the challenge of
providing the user with an overview of what has been done and found: “to keep track of the
exploration process and insights, a history tracking mechanism and a knowledge externalization
75
4.2. RESEARCH PROTOTYPES CHAPTER 4. RELATED WORK
mechanism respectively are essential” [201]. Figure 4.15a, 4.15b, and 4.15c explain the Aruvi
support of history tracking. Initially, Shrinivasan and Wijk (2008) . . .
“. . . use a history tree representation to show the structure of the exploration pro-
cess. A node represents a visualization state. An edge between the adjacent nodes is
labeled with the user action (see Figure 4.15a). [. . . ] Figure 4.15a shows the structure
of the navigation. A branch represents a revisit and reuse of an already existing visu-
alization state. To understand the temporal context, it is important to see the sequence
of visualization states along with the structure of the navigation. Figure 4.15b shows
the structure of the navigation ordered by time in the horizontal direction. The user
can toggle between the two representations during the analysis via the settings interface
(see Figure 4.15c-1). The user can revisit the visualization states sequentially in the
order of creation using the back and forward arrow keys. This action is similar to the
undo-redo mechanism. Also, the user can hover over a node to get information about
the visualization state (see Figure 4.15c-3) and jump to any visualization state in the
navigation view. An overview window is used for panning over the history tree (see Fig-
ure 4.15c-4). When a visualization state is linked to objects in the knowledge view, it is
marked with a star in the navigation view (see Figure 4.15a, 4.15b and Figure 4.15c-2).
The current visualization state in the navigation is highlighted in yellow.” [201]
(a) History tree showing navigation structure.
(b) History tree with navigation structure ordered by

time.
(c) Aruvi navigation view implementation.
Figure 4.15: History trees and navigation view. Figure 4.16: Aruvi knowledge view.
For knowledge externalization, Shrinivasan and Wijk (2008) decided to design a knowledge view
as a basic graphics editor, because “it helps the users to construct diagrams to externalize their
mental models and structure arguments” [201]. Figure 10.8 shows the Aruvi knowledge view,
where:
“A note is the basic entity to record findings. A note is either rectangular (see
Figure 10.8a) or elliptical (see Figure 10.8b) in shape. Notes can be organized into a
76
CHAPTER 4. RELATED WORK 4.3. INVESTIGATIVE JOURNALISM TOOLS
group with a title (see Figure 10.8c). The tool supports multiple group levels (see Figure
10.8d). A connector line can be drawn between notes, groups, and a note and a group
([with or without direction], see Figure 10.8e). When an entity in the knowledge view is
linked to a visualization state it is marked with a star” [201] (see Figure 10.8f ).” [201]
4.2.4 Dynalink
Dynalink is a framework for visualizing dynamic criminal networks. “The interactive and visual
features of Dynalink can be useful in discovering and analyzing both relational patterns of criminal
networks” [160]. A primary strength of Dynalink “is that it can process huge datasets” [160], the
system has been tested against a crime dataset consisting of 125.558 criminals.
4.3 Investigative journalism tools

Tools for investigative journalism are not nearly as elaborate as the above commercial tools for
policing and counterterrorism. The market for policing and counterterrorism tools are much bigger
than the market for watchdog journalism tools. Tools for computer-assisted reporting (CAR)
spans from simple tools to more advanced mapping, statistical, and social network analysis tools.
Compared to normal journalism, CAR tools are highly relevant for the amount of digging that
investigative journalism requires while other tools are used for thinking tasks. The following tools
have been selected for the comparison:
4.3.1 Namebase.org
Namebase.org43 is a database of books and clippings where users can search for names and
individuals, groups, and corporations [136]. The search finds books and clippings that cite the
name searched. It also has an option to draw a social network diagram (see Figure 4.17). Searching
can be performed in the following ways: ‘name search’, ‘proximity search’, ‘country search’ and
‘document scan’, but only in the existing databases; no ingestion of additional data is possible.
The before mentioned social network diagram can be used to draw relations between the search
results, providing an alternative perspective to listed results. The user can click entities in the
social network diagram, to focus on that entity.
Figure 4.17: Namebase.org social network diagram based on a database search.
77
4.4. SUMMARY CHAPTER 4. RELATED WORK
4.3.2 Mindmeister
Mindmeister is a collaborative tool for online mind mapping [3] (see screen shot in Figure 4.18).
Mindmeister supports the following formats for import of mind map data: original Mindmeister-
TM TM
files, FreeMind 44 , Mindjet MindManager 45 , and finally text files where entities are simply
separated using spaces or tabs and the first line is the title of the mind map.
Figure 4.18: Augmented Mindmeister screen shot, high lighting various concepts that the tool
supports: entity types, groups, visual symbols, multimedia, and hypotheses.
Entities are for example topics and ideas, or relations as shown in Figure 4.18. All entities support
grouping. If one entity is dropped on another entity, it becomes a sub-entity of the entity it is
dropped on (a group is started or expanded). Sub-entities can be collapsed by clicking the circle
with a minus (see Figure 4.18). The minus becomes a plus which could be used for expanding that
information again. Mindmeister supports real-time brainstorming: “simultaneously work with
colleagues on the same map and see changes as they happen” [3]. Finally, like any mind mapping
tool, Mindmeister is strong on generation of hypotheses and alternate interpretations.
4.3.3 Simple tools

Simple tools include applications for database searching, Microsoft Word, Excel, and Powerpoint
for information overview, physical tools like paper, maps, calendars, etc. As we assume our readers
will have a basic understanding of what can be done with these tools we do not review them here.
4.4 Summary of related work

The commercial tools (Analyst’s Notebook, Palantir Government, and Xanalys Link Explorer)
all had a strong focus on visualization, together with their own particular feature support: Ana-
lyst’s Notebook has strong support of perspectives such as the heat matrix, Palantir Government
has strong synthesis support through their expandable and collapsible information features (i.e.,
groups), and Xanalys Link Explorer supports drag and drop search queries.
The research prototypes have a strong focus on the creation of hypotheses and argumentative
structures in general. However, the Aruvi prototype is based on an extended understanding and
analysis of reasoning theory: model construction, revision, and falsification. Furthermore, decisions
78
CHAPTER 4. RELATED WORK 4.4. SUMMARY
made in the Aruvi knowledge view are also indicated in the workspace (using the same color).
This sort of decision-making support was not found in the other research prototypes.
Each individual simple tool for investigative journalism solve the task they are intended for, but if
more than one simple tool is required to solve task, it becomes a problem, since they do not exist
in an integrated environment. And simple import and export tasks might be more complicated
than for example solving (some of) the tasks by hand.
In summary, the reviewed commercial tools and research prototypes supporting a cards-on-table
metaphor, have some basic features in common. They support information elements and rela-
tions, the basic building blocks for creating networks. The support of composites (groups) is
more sporadic, with Palantir having better support. For further comparison of criminal network
investigation task and model support we refer to Section 15.3.
79
4.4. SUMMARY CHAPTER 4. RELATED WORK
80
CHAPTER 5
Theory and technology
Stick with simple tools, like pencil, paper, and whiteboard.

Communication is more important than whizzbang.
Kent Beck and Martin Fowler, Agile modeling by Ambler (2002) [11].
This chapter presents state-of-art on core theories and technologies relevant to the development
of tool support for criminal network investigation, addressing the challenges associated therewith
(see Section 1.2 and Chapter 6). We will elaborate our initial discussion of the theory and technol-
ogy pillars introduced in Chapter 1. The pillars represent high level functional and non-functional
aspects of developing criminal network investigation tools. Lower level (functional) software re-
quirements are the research focus requirements presented in Chapter 6. The theories (sciences)
and technologies listed for each pillar have provided us with the knowledge and understanding
necessary to develop tool support of that particular aspect. The pillars are shown in Figure 5.1,
and colors are used to indicate how well the different theories and technologies are covered in this
chapter or in a fragmented manner throughout the dissertation (see the coverage legend at the
bottom of Figure 5.1). The theories and technologies have been selected based on their relation
to the overall hypothesis and the three criminal network investigation challenges, information,
process, and human factors.
We will present each theory and technology from the perspective of criminal network investigation.
The pillars and their theory and technology building blocks are briefly described below, with
references to the respective sections reviewing them in greater detail.
Emerging and evolving pillar. A complex software systems engineering problem is the sup-
port of emergent and evolving information structures [172]. The complexity arises because
the premise for such support is that you don’t know what structures will emerge as end
users synthesize and organize their domain information: they might end up with spatial, hi-
erarchical, or argumentation structures, and most often the result will be a mix of multiple
structure types. In general terms, structure is an abstraction used to describe the form of
some object, whether it is a house [8], a city [9], a software development plan [165, 170] or
criminal network information entities pieced together, forming network structures [174]. We
have presented basic sub structures and organizational meta structures of criminal networks
in Section 3.2.
Hypertext is a technology that provides methods for supporting various structure domains.
Research of these structure domains is helpful in understanding how structures are formed
81
CHAPTER 5. THEORY AND TECHNOLOGY
Figure 5.1: Criminal network investigation pillars of theory and technology. The colors indicate
how well each individual research area or technology has been covered, e.g., green building blocks
are covered in great detail while red building blocks are not covered.
82
CHAPTER 5. THEORY AND TECHNOLOGY
and to learn general ways of implementing software support of similar structures, that can
then be mapped to the other information domains (see Section 5.1). Semantic web is a
technology aiming at adding semantics to web pages, to make them understandable by
machines, through the description of knowledge domains using ontologies to describe the
objects on web pages and their interrelationship. This has been extremely helpful in terms
of supporting networks, where information elements can be of different types, where relations
can be weighted and of different kinds (we cover basic semantic web technology relevant for
our work in Section 5.2). Information science has helped find the appropriate trade-off
between having a completely generic system that the end user can customize to suit any
particular information domain and adding some domain knowledge into the system prior to
providing the user with access (see Section 5.3).
Problem solving pillar. This pillar deals with cognitive processes, creativity, and tools support-
ing a human-centered, target-centric team approach to criminal network investigation. We
think of criminal network investigation as a process (or processes) for crime related problem
solving. Section 5.4 deals with human cognition in terms of the mind’s approach to solving
problems. More specifically, what are the strengths, weaknesses, and limitations of human
cognition, so that we know how not to inhibit the strengths in any way and to decrease the
impact of weaknesses and limitations. Software systems engineering has different processes
describing approaches to software development, one of which, the agile approach, we find
useful for our target-centric approach to criminal network investigation. Agile modeling is
described in the section of software systems engineering and Section 5.6, covering a range of
modeling techniques, very different from traditional approaches to problem solving. Many
different tools - both physical and software - could be used for and are good for different
kinds of problem solving. Such tools are described in Section 5.6. Finally, we have conducted
a review of the creative process, which talks about creativity in general, and discusses the
benefits of creativity in real versus nominal groups (Section 5.5).
Suspects and criminals pillar. Domain knowledge has provided us with many functional and
non-functional aspects of tool support for criminal network investigation. The functional
aspects comes from experiences and literature that tells us about the individuals that form
the type of criminal networks we want to investigate, and how and why these individuals
became part of those networks; for example radicalization tendencies and processes. It can
be argued, that such knowledge is more important than knowledge about individuals who
have already committed a crime, in terms of the ability to take proactive (de-radicalizing)
measures. But it is not the focus we have chosen in this Ph.D. dissertation, and would
require very detailed modeling capabilities, but we hope our approach will evolve in that
direction in the future. The field of Social Science is a large provider of such knowledge,
and we used it and described in fragments throughout the dissertation. Also, studies from
social science about criminals, i.e., the profile characteristics of individuals (Case-studies of
individuals is covered in Section 5.7). For similar studies of groups we refer to Section 3.5.
Investigation pillar. We reviewed two different approaches to criminal network investigation
(linear and target-centric) in Chapter 3 and we will cover our process model and tasks for
criminal network investigation in Chapter 7. Here we will focus on studies of technologies that
can help investigators make sense of criminal networks together with a review of intelligence
and the ethical issues involved in dealing with and making decisions based on criminal
We review the concept of intelligence, by focusing on open source intelligence and what role
it has played for our work in Section 5.8. Section 5.9 on mathematical models covers different
types of computational network analysis (also referred to as techniques or algorithms), and
how these mathematical models can be useful in terms of supporting various analysis needs
when investigating criminal networks. Ethical issues such as privacy and civil liberties is
discussed in Section 5.10, an aspect of security informatics often neglected by academic
software system engineers.
83
5.1. HYPERTEXT CHAPTER 5. THEORY AND TECHNOLOGY
Tool usage pillar. In terms of tool usage aspects, this pillar focuses mainly on trust and user ac-
ceptance (see Section 5.11). Models for assessing the acceptance of new technology are many,
e.g., the technology acceptance model (TAM) for information technology [51]. And technol-
ogy assessment researchers have given their suggestions for the “fundamental determinants
of user acceptance” [51], e.g. Davis (1989) suggests perceived usefulness and perceived ease
of use. In the criminal network investigation domain we find trust to be the fundamental
determinant for tool user acceptance. Because of the security nature of the information and
the importance of decision being made based on that information, it is highly relevant that
investigators and decision-makers (intelligence customers) trust the information, knowledge,
and ultimately intelligence products that tools for criminal network investigation produce.
We have a brief introductory review of interaction and visualization in Section 5.12. Computer-
supported collaborative work (CSCW) or simply groupware is not covered in this dissertation,
but we have studied important work in the field (e.g., [60]), and a substantial part of the
course advanced software technologies for knowledge management focused on groupware46 .
As indicated in Figure 5.1, software systems engineering is the foundation, on which all the theory
and technology pillars stand. The color indicates that we do not have a separate section or
chapter on the software system engineering concepts we have applied in this project, it is covered
throughout the dissertation.
5.1 Hypertext
Organizing and making sense of information has been the main focus of hypertext research from
its very beginning. Hypertext systems aim at augmenting human intellect, i.e. increasing the ca-
pability of man to approach a complex problem situation, to gain comprehension to suit particular
needs, and to derive solutions to problems [62]. The most widely used structure abstractions in
hypertext are nodes and links. Nodes are informational units that can be connected through links.
Users can traverse links and thereby navigate through a hypertext (graph). Nodes and links, how-
ever, have been criticized for a lack of support for emergent and evolving structures [199]. Spatial
hypertext was designed for dealing with these shifting structures, and is found to be well suited
for the purpose, e.g., the ease of changing a visual property or moving an object [198].
”Hypertext, in its most general sense, allows content to appear in different contexts”47 [141].
That is, a person who is about to encounter a diverse amount of knowledge (or data) can aug-
ment that knowledge with different hypertext structures, making it more intuitive and easier to
comprehend. All the structuring domains reviewed below “contain basic notions, although each
also has its own specialized and tailored abstractions” [159]. Over the years, various hypertext
structuring mechanisms have been proposed to support different types of information structuring,
organization, and sense-making tasks. Several of these structuring mechanisms (or structuring
domains) play a vital role in the design and development of tool support for criminal network
investigation.
5.1.1 Associative structures

Associative structures allow arbitrary pieces of information (nodes) to be associated (linked).
Bush (1945) [33] reasoned that since people use associations to store and retrieve information in
and from their own minds, a machine-supported mechanism that provided this ability would be
useful for organizing information stored in external memory.
Halasz (1988) [82] argued that the basic associative hypermedia model lacks a composition mech-
anism, i.e., a way of representing and dealing with groups of nodes and links as first class entities.
The term composites was coined for this type of grouping mechanism. Composites group other
first class entities (nodes, links, and composites) either by inclusion or by reference. The Device
84
CHAPTER 5. THEORY AND TECHNOLOGY 5.1. HYPERTEXT
Hypermedia System (DHM) [115] is a prominent hypermedia system that provides a rich set of
composite types.
For criminal network investigation purposes, associative structures (including composites) are use-
ful for synthesis tasks such as manipulating entities and relations, re-structuring, and grouping.
Relations can be unidirectional or bidirectional and either weak (suspected but unconfirmed re-
lationship) or strong (known close relationship such as family or friendship ties). Bush (1945)
summarizes how information is usually found by traversing a complex hierarchical structure of
classes and then claims that: “The human mind does not work that way. It operates by associa-
tion. With one item in its grasp, it snaps instantly to the next that is suggested by the association
of thoughts, in accordance with some intricate web of trails carried by the cells of the brain” [33].
NoteCards is an example of a navigational hypertext system that allows the user to create such a
“intricate web of trails” [73].
NoteCards
We have selected NoteCards for analysis because the basic entities are cards: “The basic construct
in NoteCards is a semantic network composed of note cards connected by typed links. NoteCards
provides two specialized types of cards, Browsers and FileBoxes that help the user to manage
networks of cards and links” [170]. Figure 5.2 illustrates some notecard examples, where “each
notecard contains an editable [content] such as a piece of text, a structured drawing, or a bitmap
image. Each card also has a title” [73]. Figure 5.3 illustrates examples of Browser cards and
FileBox cards.
Figure 5.2: Example Notecards with embedded link icons. [73]
The purpose of the NoteCards environment is “to help people formulate, structure, compare, and
manage ideas”. NoteCards intends to support the nature of idea processing, something that is very
important to our work as described in Section 5.4. Halasz et al. (1987) considered idea processing
to be “a convolution of several different activities that can be roughly divided into three phases:
acquisition, analysis, and exposition” [73]. These phases are very similar to the three phases of
the generic creative process model: problem preparation, idea generation and idea evaluation (see
Section 5.5). Furthermore, the goal of idea processing is described as a way of moving “from
a chaotic collection of unrelated ideas to an integrated, orderly interpretation of the ideas and
their interconnections”. It comes as little surprise that the most common use of the NoteCards
environment “is as database for storing personal information such as notes to oneself, clippings
from electronic mail messages, quick ideas jotted down, sections of a paper in progress, etc”.
Halasz et al. (1987) assess NoteCards according to the subjects information management and
idea processing [73]. It is concluded that information management is appropriately supported,
especially when it comes to organizing information “into arbitrary (e.g., non-hierarchical) network
85
Figure 5.3: Example Browser Card (large) and FileBox Card (small). [73]
structures tailored to their specific applications”. Idea processing was found to be “relatively
difficult” by many users. This is mainly because “representing and manipulating ideas in Note-
Cards is a task that requires considerable strategic planning”. In other words, it is not intuitive
for the users how to make a structure that can clarify their “unorganized and poorly understood
collection[s] of ideas” [73].48
5.1.2 Spatial structures

Spatial structures were designed to deal with emergent and evolving structures of information
which is a central task in information analysis. Marshall and Shipman [141] note that information
analysts faced with the task of organizing and understanding large amounts of information de-
velop structures over this information over time. As their understanding of the information space
changes, the structures they use to characterize the space also change. Systems designed for such
analysts are required to support emerging, dynamic structures that avoid the problems associated
with premature organization and formalization, as discussed by Halasz [73, 82].
In the context of criminal network investigation, spatial structures (including spatial parsing and
navigable history) are useful in various analysis and dissemination tasks such as re-structuring,
brainstorming, retracing the steps, creating alternative interpretations, and story-telling.
According to [20], the relevance and importance of spatial structures for intelligence analysis is
documented by the fact that CIA’s Office of Research and Development funded early development
and associated studies related to the first spatial hypertext systems (Aquanet [140] and VIKI [142]),
as well as one of their earlier relatives (NoteCards [82], described above).
Systems
A spatial hypertext system allows its users to represent information elements as visual “icons”.
Analysts can represent relationships among objects implicitly by varying certain visual attributes
(e.g., color, size, and shape) of the icons and by arranging the icons in arbitrary ways in a large 2D
space (spatial proximity). Information elements can be grouped in collections. A spatial parser
can then recognize the spatial patterns formed by these icons. First generation spatial hypertexts
primarily focus on research-related information analysis [142] and general idea-processing. Sec-
ond generation spatial hypertexts have been used in tasks such as “note taking, writing, project
management, and conference organization” [198] and scholarly work processes [246]. But first and
86
CHAPTER 5. THEORY AND TECHNOLOGY 5.1. HYPERTEXT
second generation spatial hypertexts are considered to be general-purpose as described in [199] due
to their purely spatial hypertext concepts implementations [121] and non-formalized information
elements. We do not consider them to be usage-oriented like the following tools (some of which
have multiple usage-orientations). Over the years several strains of spatial hypertext systems
have been developed and evolved, e.g. from NoteCards [73] over Aquanet [140] and VIKI [142]
to VKB [198] and VITE [95] and from the Construct Space Tool [246] to ASAP [170–172]. A
prominent example of a spatial hypertext system is the Visual Knowledge Builder (VKB) [198].
Aquanet (1991) started the strain and facilitates spatial manipulations and visually indicated
links, using a browser-based approach [121, 140, 141]. Experiences with use showed that users
created linkless spaces of nodes arranged in regular graphical patterns that indicated relationships
among nodes spatially and visually [199]. Figure 5.4 shows an excerpt of an analysis of machine
translation systems and technologies. The distinct patterns of graphical objects indicates the
composites build by the users to represent a single machine translation system or technology (i.e.,
the red/pink, blue, green and white with gray border rectangles).
Figure 5.4: Aquanet information element mock-ups. [140]
VIKI (1994) was developed next to explore spatial hypertext as a geometric and visual struc-
turing paradigm [142]. VIKI’s emphasis is on flexibility, informality and change. VIKI’s spatial
hypertext model is based on information elements, visual symbols, collections and composites.
The information elements in VIKI are semi-structured content-holding entities that may have no
internal structure, or may have a number of fields added to them in order create user-specified
structure. Visual symbols are manipulable references to an information element. The symbol size
can be used to limit the amount of content revealed. Users can also specify which field’s contents
are shown and they can scroll through content to focus attention on a specific segment. VKB
extends on VIKI in a number of ways, but the focus is primarily on more advanced visual cues
and support of collaborative tasks [198]. VKB kept the notion of information elements, collections,
and subspaces (see Figure 5.5). VITE is a system developed to explore the design and reuse of
systems incorporating two-way mappings, again following the cards-on-table metaphor [95, 97].
The attribute/value mapping pairs are the primary content rather than meta data attached to
a larger plain text or image information element, which is likely to be the case in a structural
computing environment (see Section 5.1.6).
The Socs application “permits the intuitive connecting of information on a space. It supports
emergent and dynamic knowledge structures, fosters communication, awareness, and notification
services, enables multiple trails of thought in parallel (i.e., thought experiments), as well as ver-
sioning with easy access to previous states” [20]. The tool is targeted at criminal profiling or crime
scene analysis supporting small teams of officers, following the cards on table metaphor. Atzen-
beck (2008) presents the Socs social space on which information elements represent collaborators,
87
using a graphical icon and a label as visual abstraction [19]. The space could be divided into
separate areas, indicating the role of the persons in that specific setting.
Figure 5.5: VKB information elements and menu options.
The ASAP tool49 uses spatial and taxonomic hypertext structuring mechanisms to provide sup-
port for project planning [170]. “Project planning in agile teams is a collaborative process relying
on face-to-face communication and shared information to succeed” [171, 172]. The ASAP tool
implements a bi-directional mapping between the interactive areas of the task card and the un-
derlying data. Based on the tool’s usage-orientation, the separator was implemented as a novel
structuring mechanism, allowing the user to create a temporal separation of grouped cards, en-
abling auto generation of views and reports. ASAP lets the user interact with an information
element’s underlying content.
To summarize, the majority of the reviewed tools implement a cards-on-table metaphor, and hence
the geometric shapes representing pieces of information has not evolved considerably. The focus
has been on developing powerful general purpose structuring mechanisms and support of long
term collaboration, as the primary means for the users to reach their ends [198].
5.1.3 Taxonomic structures

Taxonomic structures can support various classification tasks. Parunak (1991) argued that
taxonomic reasoning is a particular kind of reasoning task that deals with the comparison and
classification of highly similar nodes, in which an analyst viewing one node thinks not in terms of
linking it to another node, but of including it in or excluding it from a set of related nodes [232].
Taxonomic structures are in essence hierarchical (tree) structures. Hierarchical structures are also
known from other structuring domains (such as composites from the associative domain and col-
lections from the spatial domain). In the context of criminal network investigation, taxonomic
structures can provide a different visual (hierarchical) perspective of associative and spatial struc-
tures - hence supporting the exploring of perspectives on information.
5.1.4 Issue-based structures

Issue-based structures support argumentation and reasoning. McCall et al. (1992) describe
community argumentation support systems in the context of capturing design rationale [145]. The
88
CHAPTER 5. THEORY AND TECHNOLOGY 5.2. SEMANTIC WEB
focus is on a unified community understanding of an information space. Argumentation support

systems designed to support participants in a joint decision process or an argument must support
simultaneous structure and information creation operations. Argumentation spaces consist of
typed entities that represent issues to be discussed, positions with respect to issues, and evidence
that argues for or against a position. Conklin and Begeman (1988) have produced issue-based
hypertext tools during the last two decades [47]. For investigative purposes, issue-based structures
can be used to support the creation of hypotheses and decision-making.
5.1.5 Annotation and meta data structures

Annotation and meta data structures. Finally, two other types of hypertext structuring is
relevant for investigation purposes. Annotation structures can be used to add arbitrary comments
in relation to entities and structural elements in the shared information space (i.e., to make a note
about having to find additional evidence that supports the existence of a weak relation between
two entities). Meta data structures can be used to add meta data to entities and structural
elements in the shared information space (i.e., details about a person such as address, work,
education, terrorist training, etc. or details about a relation such as weight, type, time, place,
etc.). Adding annotation and meta data structures enrich the shared information space, hence
these structures are created as part of synthesis tasks. However, the existence of annotation and
meta data structures are for analysis.
5.1.6 Structural computing

The term structural computing was coined to describe the unification of various hypertext structur-
ing mechanisms [158]. Hence, structural computing is in its own right an approach to knowledge
management, being a generalization of hypertext [157]. Structural computing focuses on sepa-
ration of structure and data, making it suitable for construction and management of meta data,
especially in situations where the user does not have write access to data [243]. “Part of this struc-
tural focus is the understanding that all abstractions (data or structure) may stand in relation to
other abstractions” [157] and “different users can manage their own personal structure over the
same set of data” [243].
5.2 Semantic web

The drastic increase of information on world wide web has made it impossible for humans to
manage. Semantic web technology is a vision about using the full potential of the world wide
web with its many documents which refer to each other. The vision was originally formulated by
the inventor of semantic web Tim Berners-Lee in 199450 : “The web is a set of nodes and links
(Figure 5.6). To a computer, then, the web is a flat, boring world devoid of meaning (Figure 5.7).
This is a pity, as in fact documents on the web describe real objects and imaginary concepts, and
give particular relationships between them (Figure 5.8). Adding semantics to the web involves two
things: allowing documents which have information in machine-readable forms, and allowing links
to be created with relationship values (Figure 5.9)” [23]. A semantic web would make it possible
to use the computers processing power to gain an advantage of this information to a much larger
degree than it is possible through human reading and interpretation.
It is widely recognized that automatic interpretation requires a prior systematic structuring of the
information. Basically, a formulation of concepts, terms and relations within a limited knowledge
area is required. This is typically done using an ontology, which describes information classifica-
tions, the properties of each classification, and statements about interrelationships, together with
rules that define these properties and relations [75]. Let us, as an example, use an ontology de-
scribing families. A family consists of persons, men and women, who individually could be either
parent or child, which makes it possible to represent hierarchies of families using this ontology. An
89
5.2. SEMANTIC WEB CHAPTER 5. THEORY AND TECHNOLOGY
Figure 5.6: The World Wide Web in 1994 as Figure 5.7: A flat world, devoid of meaning [23].
presented by Tim Berners-Lee [23].
Figure 5.8: “A document might describe a per- Figure 5.9: Semantics have been added to web
son, the title document to a house describes a documents [23].
house and also the ownership relation with a
person”, etc. [23].
example of a relation rule for a family could be that a hasMum property can only exist between
two persons if the hasParent property exists.
Figure 5.10 presents these concepts and the technology used to realize the semantic part of semantic
web. Each individual layer in Figure 5.10 is dependent on technology in underlying layers. The
red layers represent technology that functions as the basis for the semantic technology: an URI is
a web identification that can point to a specific semantic web resource. XML is an element-based
syntax making it possible to create documents with structured data. Semantic web provides these
structured data with meaning.
The blue layers represent standardized semantic web technology: RDF is a simple language
for description of data models referring to resources (using URI web identifications) and their
relations [75]. An RDF based model could for example be written using XML syntax and consist
of so called triples using the following formatting < subject, property, object >. A simple example
of a web page sentence is shown in Figure 5.11, where the RDF triples for that sentence is explained.
Where RDF adds meta data to documents, RDFS and OWL are used to annotate RDF data
with semantic meta data [75]. Semantic meta data could be object properties such as how objects
are related to each other hierarchically (taxonomies) as shown in Figure 5.12 where t-shirt and
pants are subclasses in relation to the classification clothesType. An ontology, which only contains
subclass-relations is also called a taxonomy. Another type of semantic meta data is data type
properties, e.g., which brand a single piece of clothes belongs to.
Even though semantic web projects have shown the advantages of using this technology within
specific information domains parts of the technology has not yet been realized and standardized.
90
CHAPTER 5. THEORY AND TECHNOLOGY 5.3. INFORMATION SCIENCE
Figure 5.10: Semantic Web technology architecture - the blue layers is the semantics technology
while the red layers are basic World Wide Web technology.
Figure 5.11: RDF t-shirt example - graph visu- Figure 5.12: A hierarchical taxonomy with
alization and matching RDF triples. classes and subclasses.
A list of primary security related layers are left out in Figure 5.10: A vertical encryption layer for
securing and verifying the authenticity of data from the semantic web. This could be achieved by
using suitable digital signatures for RDF statements. Related to this layer are layers for creating
trust in semantic web information. The user interface is the final layer making it possible for
humans to use semantic web applications. [75]
5.3 Information science

As a consequence of the central role that information has in criminal network investigation, infor-
mation science has provided many important ideas and answers. Information science is considered
an unclassified discipline, albeit a discipline with a central theme [187]: “It is evident, perhaps
self-evident, to note that all of the variant definitions and explanations of the information science
discipline have centered on the idea of information”. Hjørland and Albrechtsen (1995) talk about
the importance of focusing on information objects: “the path to understanding how information
should be organized is to analyze the nature of common information objects themselves” [91].
91
5.4. HUMAN COGNITION CHAPTER 5. THEORY AND TECHNOLOGY
Hjørland and Albrechtsen (1995) are particular concerned with a theoretical background from
which to make priorities between all possible information connections and relations [91]. The
domain-approach to information science is argued to be able to provide such a theoretical frame-
work. Putting this in a system context, “it is probably useful to specify some conceptual rela-
tionships to provide the system with at least a rudimentary domain knowledge facility prior to
any interaction with users” [91]. Hjørland and Albrechtsen (1995) also present an user-centered
paradigm in information science: “By a user-centered paradigm, we refer to information access
driven not by the structure of the database in the system, but rather by views of the databases
needed to satisfy an information need as perceived by the user. Thus, the user defines dynamically
the type, amount, and structure of the data required to satisfy an information need. This implies
not just the user definition of the view, but the user selection of the model in which the view is
framed.” [91]
Some positive synergies exist between the information science discipline and hypertext (described
in Section 5.1). Hjørland and Albrechtsen (1995) argue that “hypertext is a fascinating research
area and a promising technology. It is however only a technology, and as such cannot substitute
for a theoretical approach such as domain analysis. But a theoretical approach can illuminate a
technology and its possibilities” [91]. And follow up by stating that, “hypertext is a technology,
which is fertile soil for remedies to classical problems in information science” [91].
5.4 Human cognition and problem solving

We found in Chapter 3, that a linear problem-solving approach obscures the real, underlying
cognitive process of criminal network investigation: the mind does not work linearly - it jumps
around to different parts of the problem in the process of reaching a solution [40, 239] (Figure
5.13 left). When a computer solves a problem it is typically done based on a series of pre-defined
steps (Figure 5.13 right), taking a linear approach to problem solving [130]. But what if software
systems supported criminal network investigation in a way consistent with the internal cognitive
map of the investigators?: “The ability to present and interpret spatial data in a method that is
consistent with the internal cognitive map of the user would lead to systems that are more flexible
and will provide greater functionality in terms of cognitive spatial tasks” [89]. Bush (1945) [33]
reasoned that since people use associations to store and retrieve information in and from their own
minds, a machine-supported mechanism that provided this ability would be useful for organizing
information stored in external memory. Augmenting human intellect, i.e. increasing the capability
of man to approach a complex problem situation, to gain comprehension to suit particular needs,
and to derive solutions to problems [62].
Humans are in control of software tools and they are to be the ultimate decision-making body (and
thereby be responsible for the majority of the ethical impact). Therefore, we review research on
human cognition, with a particular focus on creativity, to understand it’s influence on the success
and failure of criminal network investigation. We will attempt to learn what role creativity,
and hence human cognition, plays for individual criminal network investigation processes (i.e.,
information collection, processing, and analysis). “Creativity is a general capacity of our brain,
which we all possess, and which we use every day” [210].
The goal of this section is ultimately to find out whether or not we can define the cognitive
“characteristics” of criminal network investigation tasks. A map of such characteristics would
serve as important arguments for the challenges related to human factors during criminal network
investigation. Human factors is one of three challenges we have chosen to focus our research on,
as described in Section 1.2.
5.4.1 Two types of creativity

In an interview with leading cognition researchers, De Dreu and Nijstad, their hypothesis about
two basic types of creativity is outlined (translated from danish): “one is to be flexible and freely
92
CHAPTER 5. THEORY AND TECHNOLOGY 5.4. HUMAN COGNITION
Figure 5.13: Human and computer approaches to problem solving.
associating - the traditional understanding of creativity, and what might be called the artistic
approach. The other type of creativity is to be persistent and focused – a more rational and
conscious creativity, which we maybe could call the engineering approach” [210]. “The two ways of
being creative does not exclude each other Bernard Nijstad explains in the interview and continues:
the majority of us switch between the methods based on needs and switch back and forth several
times during a task ” [210]. We call the rational and conscious approach to creativity problem
solving because it exists in a less free domain, where goals and means are defined beforehand [210].
Human working memory and long term memory is described by De Dreu and Nijstad:
The working memory was initially described as our ability to remember seven dif-
ferent things, such as names or numbers. Today, we have a more complex picture of
working memory as a sort of central arena, where you put the things that are part of
your conscious thinking - it still only has room for a rather limited number of elements,
normally five to nine. But the elements should rather be seen as a sort of focus points
into your collective pool of knowledge and associations. Think about a super advanced
3D version of Wikipedia (see Figure 5.14), where all words and images has dozens of
associations to other places. A memory element is a piece of this spider web, that you
have lifted up to look at. [210]
5.4.2 Besheer and Pellegrino - a case in point of rational and free asso-
ciation creativity
FBI case officer Frank Pellegrino hunting Khalid Sheikh Mohammed and Matthew Besheer [146]
serve as an example of the two types of creativity described above from the domain of criminal net-
work investigation. Their background is outlined in Section 3.5.2. Pellegrino is the personification
of the artistic, creative, and free-association type described in [210]. Michel Besheer (see below)
makes the following observations about him: “Pellegrino was the real deal [. . . ]. Everybody wore
by and large what might as well have been FBI issued dark suits. Their desks were perpetually
clean. Pellegrino’s was a mess. By outward appearances so was he. His hair was long, at least
by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ]. He was always busy,
always late, always in a hurry” [146]. When Pellegrino asks Besheer if he wants to join in the hunt
for an international target to the Philippines and Malaysia, he offers the following arguments: “If
this guy is going, [. . . ] I’ll be happy to go with him. Maybe even protect him; free him up to do
his free-association analytical work” [146].
93
5.4. HUMAN COGNITION CHAPTER 5. THEORY AND TECHNOLOGY
Figure 5.14: When a person thinks about something the memory element (green cube) related to
that is brought from the long term memory (left) into the working memory (right).
Michael Besheer is the focused, rational, and conscious creative type. Detective Besheer had
written a report about the security at the World Trade Center in 1992, stating that the Trade
Center garage was vulnerable to truck bombs. Nobody listened to that report, but when the
attack happened in 1993, his expertise was suddenly needed: “Even with high security clearance,
he ended up digging through stacks of parking tickets, any record that somebody wanted chased.
It was pure grunt work. He did it all tirelessly and without complaint”. His approach to collecting
evidence was always the same, no matter the size of the task, in this case a crashed plane: “Parts
of the plane had to be disassembled, examined, tagged as evidence and shipped to New York to
be used as exhibits in a trial. His attention to detail was perfectly suited for the task” [146].
5.4.3 Representational structures for human cognition
Given our focus on hypertext structure domains, we are interested in learning what structures
are better suited for representation of human cognition: “a tree structure is one realization for a
hierarchical structure for the representation of space. It is easily constructed and understood, but
it is also a rigid structure that does not allow for overlap. Ordered trees provide an extension that
allows for some degree of overlap, whereas a semi-lattice is an even richer structure that appears
to be consistent with many aspects of cognitive space [9]” [89]. We discussed the semi-lattice in
Section 3.2.
Hypertext research found that the premature decisions of structure was inhibiting human informa-
tion organization capabilities (see review of NoteCards [73], Section 5.1.1). New approaches that
avoid this early commitment to structure were therefore researched, developed, and formalized.
Researchers on creativity have written about how the personal need for structure can have both
a negative and a positive impact on creativity depending on that persons level of personal fear of
invalidity [239].
94
CHAPTER 5. THEORY AND TECHNOLOGY 5.5. THE CREATIVE PROCESS
5.5 The creative process

When researching the human factor aspects of agile software development planning in our master
thesis [165], we reviewed the creative process. And given the relevance for criminal network
investigation, we bring that review here, almost in its entirety. Warr and O’Neil (2005) and
Gabora (2002) discuss what creativity is, how the mind actually conceives creative ideas, why
real groups ought to produce more creative ideas than nominal groups and finally the articles
review the phases of some existing creative process models [74, 239]. Moore (1997) presents nine
possible phases in the life cycle of creative endeavors and uses the geometric shape of an irregular
enneagram51 surrounded by a circle to visualize this [149]. This model is appealing since it allows
for relevant “jumps” between phases which shows support of iterative and incremental behavior.
Another interesting fact is that the work is based on experiences from the computer software
industry, e.g. participation in “countless innovative projects” [149].
The discussion of what being creative really means is interesting, but we keep our focus on the
phases that the creative process includes and how groups compared to individuals may affect
the level of creativity (Figure 5.15). The ‘Product’ in Figure 5.15 is considered to be the ideas
generated during the ‘Creative Process’ [239].
Figure 5.15: The components of creativity [239] are an individual or a group going through a
creative process to develop a product.
At the end of this chapter we hope to have gained enough knowledge to conclude where creativity
ends and planning starts, what skills (creative, systematic, analytic) are important when planning
or managing and the phases included in these very different processes. We begin the review, by
looking at relevant creative process models.
5.5.1 History of creative process models

We will present a number of creative process models that all apply to the generic stages in Figure
5.16. It should be noted that the models presented are not step-wise linear models, “but rather
models which show various phases of the intertwined and iterative nature of creativity” [239]
(Figure 5.16).
Figure 5.16: Generic creative process model [239].
95
5.5. THE CREATIVE PROCESS CHAPTER 5. THEORY AND TECHNOLOGY
One of the first models was given by Wallas [74, 239] in 1926. Wallas describes creativity as
involving four phases: preparation, incubation, illumination and verification. In the preparation
phase “the creator becomes obsessed with the problem, collects relevant data and traditional
approaches to it, and perhaps attempts, unsuccessfully, to solve it” [74]. During incubation the
creator unconsciously continues to work on the problem without actively attempting to solve it. In
the illumination phase “a possible [solution] surfaces to consciousness in a vague and unpolished
form” [74], i.e. a creative insight has occurred. Finally verification of the idea is performed by
proof and communication to others.
Later models by Osborn (1963), Amabile (1983), and Scheiderman (2000) all “moved away from
proposing unconscious stages of incubation and illumination, toward a more conscious process
of deliberately coming up with ideas” [239]. Table 5.1 summarizes the phases included in their
individual models.
Table 5.1: Generic creative process model as described by Warr and O’Neil (2005) [239].
Summary and discussion
All the creative process models presented in Table 5.1 have an analytical phase of preparation,
where relevant information is collected to understand the problem and its domain. Then there
is “the more specifically creative phase” where ideas are generated based on the gathered and
reviewed information. Finally all the models have an idea evaluation phase, where it is evaluated
if the goal of producing truly creative ideas is achieved.
We believe that the generic problem preparation phase (analysis of problem in Table 5.1) would
be difficult to support by a computer system, since it is a head-on approach where traditional
solutions are applied and not much time is spend on creative thinking. The idea generation phase
however has a brainstorming feel to it which is very interesting because it seems to map into
initial phases of a criminal network investigation process, just as it does the planning process.
Idea evaluation using for example communication to or response from others would benefit from
an electronic version of the generated ideas, because they could easily be altered, deleted and
moved around. And it would be easy to distribute the ideas to people at other locations.
5.5.2 Are more heads better than one?

When going through the creative process, what is better: real or nominal groups?52 The question is
essential to our work because we believe that using a real group for criminal network investigation
will increase that groups effectiveness. Theoretical proof exists that a real group produces more
creative ideas than a nominal group [239] and by intuition this should also be true in practical
situations. However, research comparing the production of novel ideas in real groups compared to
nominal groups, shows that the real groups actually produce less ideas. According to [239] this is
mainly due to a number of social influences on creativity:
96
Production blocking. Production blocking has the highest negative effect when ideas are ex-
pressed verbally within a group. Only one person can speak at a time and hence communicate
his/her ideas. People “may subsequently forget their ideas or suppress them because they
may feel their ideas less relevant as time passes”. Or they rehearse their ideas internally not
paying attention to other group members. Usually, however, ideas are not only communi-
cated verbally but also jotted down on notepads, white boards or flip charts. A number of
synchronous interaction techniques have been applied to solve the production blocking prob-
lem. Examples relevant to our work are: writing ideas down on cards and using electronic
brainstorming systems. This also helps the influence of evaluation apprehension discussed
next, because such methods make ideas anonymous by allowing the group members to use
writing as a communication channel.
Evaluation apprehension “Members of a group may [. . . ] fear criticism from other group
members, preventing them from expressing ideas” [239] and thoughts which results in a
reduced number of ideas produced by the group. This usually happens when someone
believes that another group member has expert knowledge within the domain and then
expects some sort of negative evaluation from that person (This is the primary reason for
separating Idea Evaluation from Idea Generation in Table 5.1). To overcome the negative
effects it has been suggested [239]:
[. . . ] that anonymous means of expressing ideas remove an individual’s identifi-
cation with an idea and therefore help encourage people to express their ideas as
the fear of criticism is removed. This anonymous communication has been a key
feature of electronic brainstorming systems.
Free riding. “Free riding [. . . ] is the result of group members becoming lazy, relying on other
members in the group and not contributing as many ideas as they could”. This usually
happens when contributors to some work are evaluated as a group, compared to when their
individual performance is evaluated.
Two solutions that could reduce the effect of free riding are: Highlighting identifiability in
groups and increasing the accountability for individual performance. However a balance has
to be kept between evaluation comprehension and free riding, e.g. exposing everybody’s
work in the weekly company newsletter to avoid free riding will most likely make people
more comprehensive to evaluation.
5.5.3 The life cycle of creative endeavors

Figure 5.17 presents a simplified version of the life cycle of creative endeavors as it is depicted
in [149]. We have removed the indication of the two mental forces reason and intuition, and their
role (active, responsive or passive) in each phase. The arrows indicate subtle relationships between
phases: Some arrows function as feedback paths, some skip one or more phases and some reminds
us to reflect on the purpose of another phase than the one we are currently in53 . In the following
tour of the enneagram we are looking for phases that are part of the creative process, the planning
process or phases that usually are related to management of information.
9: Encountering events. The solid arrows indicate what typically happens when some sort of
event is encountered: “notice is taken of the event (9), a competent response is chosen (3),
and that response is carried out (6)”. An example could be that somebody realizes they need
milk, they decide to go to the grocery store and then they go get the milk. But sometimes
a response doesn’t emerge right away and instead the event sparks an idea54 . And that is
when the complete tour around the life cycle of creative endeavors begins. Analysis: This
phase is obviously part of what we defined as the ‘Creative Process’ in the introduction. In
terms of software development the initiating event could be the investigation leader passing
a task to an investigator. At this point nothing tangible (to others) has been produced; only
the urge of the creator to pursue the idea exists.
97
5.5. THE CREATIVE PROCESS CHAPTER 5. THEORY AND TECHNOLOGY
1: Formulating a goal. Formulating a goal is about transforming an idea into a description

of future reality, a description that is appropriately abstract. The arrow pointing to the
problems associated with the idea reminds us we can think of those problems in order to
refine the imagined scenario. Analysis: It can be hard to define how abstract appropriately
abstract actually is, but we believe it means that no specific details should be added, because
it might prevent certain ways of obtaining the goal at this point. This is a creative phase
where you start jotting down problems and imagine a scenario that could fulfill our idea.
The scenario spans a conceptual “space of potential future outcomes” in our mind.
2: Exploring options. This phase deals with exploring the conceptual space defined by the
formulated goal in search of the optimal objective. It is important that all of the space
is visited in order to be sure that the most promising options are not missed. One way
of boosting this exploration could be to “arrange for a group of people to join in a formal
brainstorming process” [149]. Other suggested techniques are simulation and prototyping
because they envision the future in a systematic way which can be illuminating. Analysis:
We consider this phase both creative and analytical. Creative because we are requested
to come up with ideas for unexplored conceptual space. And analytical when investigating
those “discovered” conceptual spaces.
3: Making a choice. At this point one of the objectives defined in earlier phases is selected or it
is simply decided to do nothing and abort the endeavor. Analysis: This decision phase is not
creative but a matter of making a systematic and analytic assessment of how to continue the
endeavor, if any of the explored options seems promising enough. To make such a decision
requires an overview of all possible objectives.
4: Identifying the problems to be solved. Obstacles and problems are systematically visual-
ized in this phase when imagining how the endeavor will unfold in the selected environment.
It is important in this phase not to be tempted to start planning just yet. Premature plan-
ning might result in major problems being undiscovered. Related to this [149] suggests that
all aspects of the creative endeavor (funding, staff, machinery etc.) should be considered
in this phase. Analysis: We note that this is the first phase that suggests writing things
on paper: “[...] list the classes of problems in a circle around the center. [...] list sub-
problems adjacent to each major category, and thus systematically generate a map of the
difficulties” [149]. The identification of problems is a creative process, not an analytical one.
The point that all aspects should be considered in this phase before continuing doesn’t seem
very agile (target-centric) since too much thinking could actually delay or stop the endeavor.
A solution to this could be setting a time limit for the phase, or using the arrow back to the
exploring options phase creating an iterative cycle.
5: Making a plan to deal with the problems. Now it is time to take all the identified prob-
lems and make a plan that will help achieve the objective. The purpose of the plan is to
realize the formulated goal (the arrow), it is not enough just to create a plan that solves all
goals. A way to achieve this is planning according to the customer needs by creating a feed-
back channel facilitating this. Strong analytical skills are needed to transform the thinking
about a project (earlier phases) “into a plan of action to accomplish the objective”. If the
plan is not complete, accurate and orderly it might result in “delays, confusion, extra costs,
duplicate work and an unsatisfactory result” [149]. Analysis: The focus on the need of a
perfect plan to avoid defects goes against our studies of agile literature, that highlights the
need to acknowledge human error and change in our cognitive understanding of the problem
domain and hence the appearance of new problems to be solved. The phase is obviously a
planning phase and creativity has done its main part. Too much creativity when combining
the defined units of work into releases and iterations would result in unrealistic plans.
6: Doing the work. After the plan is finished its time to do the work. All earlier phases have
been aimed at setting things up so that work can proceed. Analysis: We consider this phase
to be analysis and all the activities this includes.
98
7: Reorienting ones perspective / realizing the goal. The first product is finished which is
something that needs to be acknowledged and a response to this new situation is necessary.
The arrow back to ‘Formulating a goal’ is a sort of reflection arrow: Did things turn out
as expected? What can be said about the goal set up in the first place? Etc. Analysis:
Creativity plays a part in this phase, when trying to imagine how to maximize the outcome
of the newly released product. The reflection on how the result is compared to initial
formulation of the goal is considered to be an important learning process for future products.
8: Using the result. Launching the product as imagined in phase 7 when the goal was realized.
It “is the most spontaneous and unpredictable phase of the endeavor, and for the right
people, the most exciting.” [149]. It is also the phase were it is possible to reflect on all
the phases leading to the launched product, by looking at the plan as indicated by the
arrow. After a while the new product is merged into the general understanding of status
quo and new events are encountered because of this, i.e. the cycle is complete. Analysis:
The reflective learning nature of this phase is interesting.
Figure 5.17: The life cycle of creative endeavors showing steps 9 to 8 [149].
Summary
The phases of the lifecycle of creative endeavors are summarized in [149]:
Out of routine life arises desire for change. A raw idea is refined into a goal, which
is further refined into a concrete objective. A decision is then made, the consequent
implementation problems identified, and a plan made which takes them into account.
The work is then carried out, bringing the innovator (or team) to the realization of the
goal. The result is then exploited, and eventually becomes part of the everyday routine.
In Table 5.2 we consider if each phase applies to the creative process discussed in this section:
(Y)es or (N)o. It is also indicated whether or not each phase is considered supportable or not by
a software tool. The reasoning behind these indications are given in the analysis of each phase of
the life cycle of creative endeavors above, and summarized below in the table.
99
5.6. SIMPLE TOOLS CHAPTER 5. THEORY AND TECHNOLOGY
4: Identifying the prob-
5: Making a plan to deal
7: Reorienting ones per-

spective / Realizing the
9: Encountering events
1: Formulating a goal
2: Exploring options
3: Making a choice
8: Using the result

6: Doing the work
with the problems
lems to be solved
goal
The Creative Process Y Y Y Y Y N N Y N
Supportable N N Y N Y Y Y N N
Table 5.2: Phases vs. the creative process
We find that ‘encountering events’, ‘formulating a goal’, and ‘exploring options’ are part of the
generic problem preparation phase in creative process models. ‘identifying the problems to be
solved’ is similar to the generic idea generation phase and ‘making a choice’ and ‘reorienting ones
perspective’ is part of the generic idea evaluation phase.
The suggested tools for ‘exploring options’ like a team brainstorming process, simulation and
prototyping indicates to us, that the phase is supportable by a software tool. ‘Identifying the
problems to be solved’ by listing them in classes around a circle and then putting subproblems
adjacent to each problem is very well suited for computational support, just like the phase ‘making
a plan to deal with the problems’. When ‘reorienting ones perspective’ it would be convenient to
have an electronic version of the old plan to alter according to the new perspective.
5.5.4 Summary
We have reviewed the creative process by analyzing relevant models (their nature and phases) and
have gained important insight into this, to us, previously unknown domain. Furthermore, we have
looked at some human factors that might influence the outcome of the creative process and finally
we reviewed and analyzed the phases comprised in an entire creative endeavor.
5.6 Simple tools for criminal network investigation

We reviewed a range of tools support criminal network investigation processes in Chapter 4. And
when studying criminal network investigation cases, we often found that simple tools, such as large
pieces of paper on the wall (Daniel Pearl, Section 3.5.1), a pin board, with wheels, in the team
common room (organized drug organization, Section 3.5.3), are central to the kind of criminal
network investigation approach we aim to support. This preferred way of working and the simple
tools used is very similar to those tools promoted by agile software development methodologies.
Criminal network investigation can benefit from agile modeling and we therefore bring excerpts of
an agile modeling review as well a look into the agile modeling toolbox, as described in our master
thesis [165]. For our master thesis project, we developed tool support for a specific agile planning
method (blitz planning), intended to run on a large interactive surface in a so called creative room,
much like the “war rooms” setups that criminal network investigation teams work in (see Figure
5.18).
5.6.1 Agile modeling and simple tools

Ambler (2002) addresses the fundamental question of how to model in an effective and agile
manner in his book on agile modeling (AM) [11]. Ambler (2002) suggests tailoring AM with a
100
CHAPTER 5. THEORY AND TECHNOLOGY 5.6. SIMPLE TOOLS
Figure 5.18: A sketch of the creative room we designed for agile planning sessions during our
master thesis. [165]
base process like eXtreme Programming [165] (often referred to as XP) or Crystal Clear [42],
or “alternatively, you may decide to pick the best features from a collection of existing software
processes, to form your own process” [11] (see Figure 5.19). This alternative matched well with
our purpose of building a creativity enhancing tool that could form software processes as well as
the many different approaches to criminal network investigation.
Figure 5.19: AM enhances other software processes [11], and criminal network investigation pro-
cesses could also benefit.
AM is not prescriptive but a collection of practices, “guided by principles and values, for software
professionals to apply on a day-to-day basis” [11]. The following points describing the scope of AM
are important to us: “AM is not an attack on documentation”, “AM is not an attack on CASE55
tools” and “AM is a way to work together effectively to meet the needs of project stakeholders”
(which is also what the collaborative Blitz Planning56 session is all about).
We were also interested in AM’s views on tools for modeling and agile work areas (e.g., criminal
network investigation work areas, or war rooms, as they are often called). These views would
support the decisions made when developing the Blitz Planning prototype and creating the vision
for the Creative Room. These are reviewed next. One of AM’s core practices dictates using the
simplest tools. AM distinguishes between two types of modeling tools; simple tools and CASE
tools where simple tools are “manual items you use to model systems” [11]. These simple tools
can however also be supported with different technology which will be explained later. CASE
tools (defined as “software packages”) can also be applied since the AM core practice on tools is:
101
5.6. SIMPLE TOOLS CHAPTER 5. THEORY AND TECHNOLOGY
“use the simplest tools” and not “use simple tools”.
Agile modeling with simple tools
Ambler (2002) lists a number of simple tool advantages [11]. We find that the following advantages
are relevant to apply, and comments on the direct relation whenever it is found necessary. Simple
tools are inclusive (we decided that our software version of Blitz Planning would have to be as
similar as possible compared to the paper card version of Blitz Planning), provide tactile feedback,
are flexible, are non-threatening to users, are quick to use, can be used in combination with complex
ones and promote iterative and incremental development.
As mentioned earlier, simple AM tools can be supported with technology. One important point
here is that electronic white boards are mentioned. We limit ourselves to presenting some rele-
vant examples here. The examples are mainly taken from [41] which presents “a survey of agile
teams for tools they say help produce better software quicker”. The survey is conducted Cock-
burn (2004), “an internationally respected expert on object-oriented design, software development
methodologies, use cases, and project management” [41].
Cockburn categorizes simple tools by purpose (hiring, collaboration, communication and manage-
ment) and form (environmental, social, physical devices, process and thinking). We select tools
that are relevant to our work and comment when necessary. In the next section we list simple,
but computerized, tools such as WIKIs and Spreadsheets.
Purpose: Communication. Active communication using shared workspace technology to look

at the same screen. Passive communication using information radiators, e.g. a flat monitor
hung over the cubicle wall, a real traffic light in the development area or the build status
maintained on a Web page expressing minute-to-minute changes. Management. Cockburn
notes that project management tools like VersionOne and XPlanner (see Cockburns (2004)
[41]) don’t report status with respect to planning.
Form: Environmental. Again lots of wall space for posting information radiators and convex
or straight desks so people can cluster around the monitor. Social. Collocated teams for
fast communication, personal interaction, retrospectives and reflection activities, pair pro-
gramming and posting information radiators in unusual places to attract communication
(e.g., in the bathroom). Physical. Index cards and Post-it notes, butcher lining walls and
halls, white boards (standard or movable, printing, recording, or with a camera) and poster
sheets (plain paper, 3M sticky, or plastic cling sheets e.g. LegaMaster Magic-Charts). We
note the wall-to-wall writable and movable surface concept for expressing ideas. Process.
Project planning jam session (XP’s planning game [125], Crystal Clear’s blitz planning [42],
or Scrum’s sprint planning [125]), reflection or retrospective workshops, pair programming
sessions, refactoring, growing the system functional bit by bit, time boxing, spike prototyp-
ing57 and frequent delivery.
Agile modeling with simple, yet computerized, tools
As agile development moved into distributed development, people started to find and invent on-
line collaboration tools [41]: “WikiWiki and thread-based discussion group technologies, instant
messaging technologies with group and recording variants, and distributed brainstorming tech-
nologies”, e.g. CardMeeting (see www.cardmeeting.com and [165]). The Wiki Web technology
discussed next was created by Ward Cunningham, one of the XP founders [125].
Our own experiences with project Wikis are few, but they have proved useful during previous
master courses, where it was used for fast accumulation of knowledge on the project subject.
Larman elaborates further on the concept in [125]: “Like blogs, Wiki Webs (or Wikis) allow people
to edit Web pages using only their browser, but they go farther: they allow one to easily create
new pages. and hyperlinks between Wiki pages, using only a browser and special WikiWords.
102
CHAPTER 5. THEORY AND TECHNOLOGY 5.7. CASE-STUDIES OF INDIVIDUALS
Of course, these capabilities are available with myriad tools, but Wikis make the tasks especially
simple and fast. Thus, Wikis are a popular tool on agile projects to capture project information,
and as a simple knowledge management tool”.
The need for, and how to make, agile planning software has been discussed by many [11, 44]. On
his website www.xprogramming.com Ron Jeffries comments on planning software claiming that:
“There’s something very right about a team working together with whiteboard[s], cards, things
posted on the wall. Everyone can be engaged, involved, equal”. We note that the important
point is not that physical items (or tools, as described in section 4.3.3) are at play, but more what
these items make the users feel and do. This is highly related to the social approach to software
development and management described in Peopleware [54] by DeMarco and Lister: “The major
problems of our work are not so much technological as sociological in nature”.
Ron Jeffries claims that making the switch to software results in “someone own[ing] the keyboard,
and everyone else [being] an observer”. We interpret this as being a problem of cramping the
whole team together in front of a single work station. A solution could be to move everybody in
front of a larger media with which everybody can interact. Cohn (2004) [44] discusses the main
advantages of paper over software and lists: “Their low tech nature is a constant reminder that
stories are imprecise”, “The typical note card can hold a limited amount of writing. This gives it
a natural upper limit on the amount of text.” and “note cards [. . . ] are very easy to sort and can
be sorted in a variety of ways. A collection of stories can be sorted into high, medium and low
priority piles”. We consider all the findings in this section so far to be requirements for any agile
piece of planning software.
Agile work areas
AM recognizes that “the physical environment in which you work has a significant impact on how
effective you are as an agile modeler”. It states a number of factors that are considered critical
when creating an effective work area, like the creative room scenario envisioned in our master
thesis [165] (see Figure 5.18):
Dedicated space is important if the project teams are to be most effective. The team should
not have to “find an available meeting room to get some modeling done”. And the team
should not have to worry about other people erasing the white board sketches and other
notes.
Significant white board space. The working area can never have too much white board space:
“My preference is white boards floor to ceiling, wherever empty wall exists” [11].
A computer in the modeling area can be an advantage, if the team wants to research something
on the Internet or “access previous models that have been placed under version control”.
This relates to the wanted prototype feature: project methodology history database. If a
computer is placed in the modeling area, we have to make sure it is not counterproductive
for the team as a whole, e.g. complicated software can introduce a barrier to communication.
Wall space to attach paper. Space for attaching information on paper is also important: “It’s
good to have some non-white board wall space” [11].
To make the concept of a creative modeling area work, it is important that private areas are also
provided to team members. Everybody needs private time during the day.
5.7 Case-studies of individuals in criminal networks

Case-studies of individuals in criminal networks are important in terms of criminal network in-
vestigation and the development of assisting software therefore, for a number of reasons. First of
103
5.7. CASE-STUDIES OF INDIVIDUALS CHAPTER 5. THEORY AND TECHNOLOGY
all, we have observed that in many of the criminal network investigations we have reviewed and
studied, a single individual has made plans and carried them out on his own, or an individual
has been the main reason in terms of driving a network subgroup toward a crime (i.e., the en-
trepreneur in Nesser’s (2006) model of jihadist terrorist cells in the UK and Europe [154]). Having
established the relevance of studying a single individual in criminal network (as well as the life of
the person prior to joining that particular network), what should such study focus on? We list
our first priority choices here:
“Open source world” associations: The individual’s links (associations) to the “open
source world”, particularly prior to and during a crime. By “open source world” we mean
associations that could have been picked up on through open source intelligence channels.
Knowledge about these associations is required, in order to analyze how that particular
individual could have been found prior to the crime. Again, such associations would have to
be abstracted as much as possible, in order to be found applicable to future cases. Examples
of a persons associations with the “open source world” are very different in nature, but for
the sake of argument we list a subset of those here: re occurring locations, other individuals,
money transfers, phone calls, emails, etc.
Meta data: Case-studies of individuals will reveal patterns in attribute (meta data) that
are available about criminals, as well as differences in meta data. This is important in
terms of establishing what attributes are typically static and which are typically dynamic.
We divide attributes into biographical (year of birth, marital status, children, parents) and
characteristics (employment, education, skills, etc.).
The individuals we discuss below have already been subject to a lot of research, and therefore
discuss the potential of looking at these individuals once more, taking an even more structural (or
network) approach. Khalid Sheikh Mohammed is mentioned throughout this dissertation, but is
not covered in this section. Omar Saeed Sheikh, the mastermind of the Daniel Pearl kidnapping,
is reviewed in Section 5.7.1. David Headley, who was in Copenhagen to scout the locations of
future Mohammed caricature attacks, is reviewed in Section 5.7.2.
5.7.1 Omar Saeed Sheikh

Our knowledge about Omar Saeed Sheikh is mainly based on the case study of the kidnapping
plot against Wall Street Journal reporter Daniel Pearl [128, 162] (see Section 3.5.1). But Sageman
(2008) [189] and Levy (2003) [128] also contain lengthier biographies (profiles) which have inspired
this case study.
Omar Saeed Shaikh was born in London on December 23, 1973. Omar, as he was called, grew
up in a upper-middle-class environment and attended expensive elite private schools. He did well
in school and gained acceptance at the London School of Economics and began his studies there
in October 1992. Every version of Omar’s life agrees that his commitment to Islam deepened
dramatically at the London School of Economics, where he immediately joined the school Islamic
society. He became involved in the situation for Bosnian Muslims at the end of 1992 and his
involvement become more and more serious during the following months. In April 1993 he ac-
companied a convoy taking relief material to Bosnia, which also provided clandestine support for
Muslim fighters there. And it was on that trip he had first contact with the jihadist infrastructure,
after which a number of trips to Pakistani and Afghan training camps ensued. In June 1994, some
leaders of Harakut-ul Mujahedin58 (HUM) had been captured in India and Omar was asked to
help free them. He accepted the mission and arrived in New Delhi on July 26, 1994, where he
gained his first experiences in kidnapping westerners. But the mission in New Delhi failed and
Omar was taken prisoner. [189]
What is interesting about Omar, is not so much his life story as a whole (interesting as it may
be), but his historical track record as a terrorist. Much like Khalid Sheikh Mohammed (see his
104
CHAPTER 5. THEORY AND TECHNOLOGY 5.7. CASE-STUDIES OF INDIVIDUALS
case in Section 3.5.2), but at a much smaller scale and less successful, he was the entrepreneur
and mastermind in the 1994 kidnappings of tourists in India and the 2002 kidnapping of Daniel
Pearl. It would be interesting to look at the individuals involved in the failed 1994 kidnappings,
the 1999 hijacking that set Omar free after the 1999 failure, the 2002 kidnapping of Daniel Pearl,
and finally how it came to be, that when he was arrested, he had stayed with a retired ISI general
for one week, living near a Pakistani military base. It would be relevant to search for links between
the different attacks and kidnappings, and if it would be reasonable to say something about how,
if possible, those links could have been discovered during the investigations of the events.
5.7.2 David Coleman Headley

Until his arrest October 3rd 2009 in Chicago O’Hare International Airport David Coleman Headley
was the locus of activity in a terrorism plan named the ’Mickey Mouse Project’59 (MMP) by himself
and his alleged accomplishes. Although the US official complaints does not contain any information
about why that name was selected [56–58], it may have been meant as a direct reference to the
Muhammad caricature cartoons60 ?
Nevertheless, the plans where obscured by cooperation of FBI and the Danish secret intellingence
service PET, and after 24 days of further investigations and interrogations, the news of the arrest
and the alleged plans were announced to the Danish press by PET manager Jacob Scharf on
October 27th 2009. Jacob Scharf elaborated that the initial target was the danish newspaper
JyllandsPosten as a whole, while later the target set was focused on cultural editor Flemming
Rose and Prophet caricature cartoonist Kurt Westergaard, resembling assassination plans.
On October 3rd 2009 David Coleman Headley entered Chicago O’Hare International Airport,
unaware that his recent movements and communication had been under surveillance. “Before
boarding a flight to Philadelphia, intending to travel to Pakistan” [181], he is arrested by the FBI
Joint Terrorism Task Force (JTTF) [181]. In his bag they find a front page of JyllandsPosten, a
map over Copenhagen, a memory stick with video sequences from Kings Square in Copenhagen
where JyllandsPosten’s offices and the main train station were located61 . Headley “was charged
with one count of conspiracy to commit terrorist acts involving murder and maiming outside the
United States and one count of conspiracy to provide material support to that overseas terrorism
conspiracy” [181].
Headley was apparently a functioning citizen back home in Chicago and not a bewildered young net
surfer, complaining about lack of day centers or life content [103]. His neighbors and people from
the Indian-Pakistani community in Chicago found him and his family to be somewhat introverted:
“David Headley kept to himself. I have rarely seen him and his wife”, says an Islamic bookstore
owner in the neighborhood [226]. Daood Saleem Gilani (changed his name to David Coleman
Headley in 2006 [57]) “was born in 1960 in Washington to a couple” of very different origins: “His
mother, Serrill Headley, was a 19-year-old [. . . ] woman with a memorable laugh and a taste for
adventure. His father, Syed Saleem Gilani, “had a traditional Islamic view of a woman’s place
in the home”. They both worked at the Pakistani Embassy, but left for Pakistan soon after the
marriage. She left Pakistan in 1968 and returned to Philadelphia, where she attended bar tending
school and later bought a pub which she named Khyber Pass. In 1977 she persuaded Daood to
leave his military school in Pakistan and he came to Philadelphia as a teenager. [220]
The military school which Headley and Rana (see below) attended from age 14 (starting 1974) [123]
is located in “the Pakistani town of Hasan Abdal” [181], named Cadet College Hasan Abdal and
considered to be the oldest military boarding school in Pakistan [123]. The cadets are trained to
become religious elite soldiers in the Pakistani army. The daily schedule consisted of five times
prayer to Allah, Koran recitals and outdoor military skills [123].
On line postings in the Yahoo group named “abdalians”62 “reflect that both Rana and Headley
have participated in the group and referred to their attendance at that school” [181]. On October
29th 2008 Headley made a posting63 central to the FBI complaints, where he among other things
mentioned his anger toward the Danish caricatures of Muhammad [31, 57].
105
5.8. INTELLIGENCE CHAPTER 5. THEORY AND TECHNOLOGY
Tahawwur Hussain Rana usually arranged Headley’s travels, taking the role as organizer and
financier. Headley was an employee of Rana’s company, First World Immigration Services, and
has claimed to travel as part of his employment, however never bringing much evidence in his
luggage [57]. Both Headley and Rana traveled extensively between United States, Asia and Europe:
On two occasions (January and July 2009) prior to his arrest October 3rd 2009 Headley was in
Denmark, visiting JyllandsPosten in both Copenhagen and Aarhus. He also met with high ranking
representatives of fundamental islamist organizations, including Lashkar-e-Taiba, Harkat-ul Jihad
Islami and their leader and front figure Muhammad Ilyas Kashmiri, who supported Headley’s
continued focus on Denmark, when asked by LeT to change their focus to target Indian interests.
Kashmiri is a well connected man in terms of terrorism contacts: He has worked with the Afghan
Taleban leader Mullah Omar and is one of the leaders in Al-Qaeda’s Brigade 313. Furthermore he
has experience with guerrilla warfare and terrorism from his participation in the Kashmir conflict.
In summary, Headley’s role was primarily that of a minion and planner, traveling the world,
meeting people and gathering information [220], which was then communicated to other parts of
the MMP network.
5.7.3 Summary
While Omar Saeed Sheikh was an example of the entrepreneurial terrorist, the mastermind who
plans and plays minor roles, David Coleman Headley and the Mickey Mouse project was an
example of a new strategy implemented by Al-Qaeda. Terror cells now have their base in a different
country, using their foreign passport, plus a business visa in Headley’s case which he used to avoid
questioning from immigration authorities (e.g., India, Mumbai 2008). After the announcement on
October 27th PET added this threat from “outside” to their threat level assessment [16], since the
general opinion in Denmark previously was that the threat mainly was from persons already in
the country. Also there has been added a new role of planner to the terrorism cell, separated from
the person who actual carries out the attack. Before the attacks in India, Mumbai 2008, this was
usually the same person.
5.8 Intelligence
The following anecdote from 2009 describes the authors first encounter with intelligence (prior to
that the focus had been on information):
After a successful opening ceremony for the research lab at city hall only 1 month
into my Ph.D. studies, another student and I was chatting with Jarret Brachman and
Arno Reuser. Little did I know who I was talking to at the time. The opening ceremony
had been attended by local police brass, the mayor, the United States and Pakistan am-
bassadors, and so on, and I had decided that paying attention to the titles of individuals
was not important. At one point, Reuser shares some of his experience on open source
intelligence: “Let us say that the Netherlands wanted to deploy ground troops in an
African country. The most valuable actionable intelligence for securing the success of
such an operation would be information about whether or not the crops in the area had
recently been harvested and if it had, is it going to be a full moon on the night of the
operation, and if so, will it be cloudy?”.
The anecdote makes it clear that the nature of actionable intelligence can be many things, and
that simple information such as the weather and local harvest season could be more important
to success than, let’s say, information about the target of Arno Reuser’s operation scenario. Hitz
(2009) presents a somewhat different perspective on intelligence and intelligence gathering today:
When all is said and done, counter-terrorism and counter-proliferation intelligence

gathering follows a new paradigm. It is less about classic espionage than persistent
106
CHAPTER 5. THEORY AND TECHNOLOGY 5.9. MATHEMATICAL MODELS
tracking of terrorists and their potential weapons by good detective work and perceptive
mining of reams of open sources. This is no longer back-alley skulking in a trench coat.
It is down-and-dirty police investigative work, tracing radicals and their bomb-making
materials, and recruiting informants to watch mosques and radical meeting sites.
Since we have discussed the intelligence process and its elements (activities) in Chapter 3 (more
precisely Section 3.3 and 3.4), we will focus here on intelligence in general, and two different types
of intelligence, open source intelligence and secret intelligence. We will discuss the value of open
source intelligence against secret intelligence, and outline their role in a bigger intelligence picture
(see Section 5.8.2). But first we take a look at the differences and similarities between intelligence
and information (Section 5.8.1).
5.8.1 Intelligence and information

What exactly are the differences between information, which we have primarily talked about until
now, and intelligence, which we discuss in this chapter? Of course intelligence is ultimately infor-
mation, and it is our understanding that the difference is more in purpose of the two: information
is for synthesis and sense-making, and then the thing you actual disseminate to your customer
(intelligence customer) is information turned into intelligence. It is something concrete for the
customer to make informed decisions upon, so-called actionable intelligence [40]. In general, in-
telligence has a more operational feel to it (as described in the introduction). It is either gathered
in an operational setting, or it is product of intelligence analysis, an aggregate of what is known,
for decision makers to base operational decisions on: “intelligence is information that has been
collected, processed, analyzed, and presented in order to support a decision that increases security
or profit, or reduces risk or cost. Intelligence is decision-support” [215].
5.8.2 Open source intelligence and secret intelligence

Steele (2009b) defines open source intelligence (osint) as “unclassified information that has been
deliberately discovered, discriminated, distilled and disseminated to a select audience in order to
address a specific question” [215]. Secret intelligence is typically gathered from classified sources
(i.e., satellites or spies), only available to intelligence staffs, whereas open source intelligence is
available to everyone [113, 214]. As shown in Figure 8.1, open source intelligence is found to
produce 80% of the valuable information at 5% of the cost, while secret intelligence only provides
20% of value at 95% of the cost. Steele (2009) quotes the “hard-earned and practical observations”
of General Tony Zinni as the basis for 80-20 rule of thumb: 80% of what I needed to know as
CINCENT64 I got from open sources rather than classified reporting. And within the remaining
20%, if I knew what to look for, I found another 16%. At the end of it all, classified intelligence
provided me, at best, with 4% of my command knowledge.
5.9 Mathematical models (techniques)

Researchers study complex systems within different disciplines such as physics, biology, sociology,
etc., and develop mathematical models to analyze the networks within their particular domain.
However, these model are often generic, and can be applied to analysis of criminal networks. This
type of research is often referred to as computational, i.e., computational physics, computational
biology, and computational social science. And it is also scientists from physics, biology, and social
science that created the foundations for network science (see Newman (2010) for more details and
references). Network-based techniques are widely used in crime investigations, because patterns
of association are actionable and understandable. As mentioned above, this makes network-based
mathematical models applicable to the criminal network domain, e.g. the recent publication of
a technique for locating the source of an epidemic, using relatively little information. The same
107
5.9. MATHEMATICAL MODELS CHAPTER 5. THEORY AND TECHNOLOGY
Figure 5.20: Secret Intelligence Misses 80 percent of the Relevant Information [source: OSS.NET].
method has also been used to locate leaders in terrorist networks, by traversing a network of phone
calls, locating sources [177]65 .
Specific techniques for terrorist network analysis often take the mentioned centrality measures as
input to their computations. Examples include measures of link importance based on secrecy
and efficiency [245], the prediction of covert network structure [184], missing links [183], and
missing key players [182], and custom-made techniques developed by investigators to target
network-specific analysis tasks, such as the node removal technique described in [169]. In this
section we discuss various mathematical models (techniques) relevant for criminal network inves-
tigation. We look at social network analysis for criminal network investigation in Section 5.9.1
and prediction techniques in Section 11.1.7.
5.9.1 Social network analysis

Many of the well known techniques for criminal network analysis are adopted from sociology: “the
field of sociology has perhaps the longest and best developed tradition of the empirical study of
networks as they occur in the real world, and many of the mathematical and statistical tools that
are used in the study of networks are borrowed, directly or indirectly, from sociologists” [155]. We
review the centrality measures for networks of entities and the semantic web (see Section 5.2 for
more on semantic web technology).
Centrality measures for entities in criminal networks
Techniques from social network analysis and graph theory can be used to identify key entities
in criminal networks [240]. Information about key entities (individuals, places, things, etc.) is
helpful for network destabilization purposes [35], or as input for other criminal network analysis
108
CHAPTER 5. THEORY AND TECHNOLOGY 5.9. MATHEMATICAL MODELS
algorithms. Relevant social network analysis measures include [111, 240]:

Measures of centrality have been developed for different types of networks. Most prominent are
social network analysis techniques (see [111,150,195]) that can measure the centrality of entities in
criminal networks based on their direct and indirect associations to other entities in the network.
But “although the premise that centrality is an indication of importance, influence, or control in a
network may appear valid, it is also contestable, particular in criminal contexts. [. . . ] What does
it mean to be central in a criminal network?” [150]. We argue that centrality is dependent on the
specific criminal network being investigated. It depends on the associations between entities that
investigators deem important, and it depends on the weights of those associations. Furthermore,
the accuracy of centrality measures depends on the investigator’s ability to embed their tacit
knowledge and novel associations into centrality algorithms. We review a selection of techniques
below, which we find to be relevant for criminal network analysis on the above mentioned premises.
Entity degree centrality. An entity is central when it has many links (associations) to
other entities in the network. This kind of centrality is measured by the degree of the entity,
the higher the degree, the more central the entity. Degree centrality can be divided into in-
degree centrality and out-degree centrality, referring to the number of incoming and outgoing
links an entity has. A social network with high degrees of both is a highly cohesive network.
Entity closeness centrality. Closeness centrality indicates that an entity is central when
it has easy access to other entities in the network. This means that the average distance
(calculated as the shortest path) to other entities in the network is small.
Entity betweenness centrality. Usually not all entities are connected to each other in
a network. Therefore, a path from one entity to another may go through one or more
intermediate entities. Betweenness centrality is measured as the frequency of occurrence
of an entity on the geodesic connecting other pairs of entities. A high frequency indicates
a central entity. These entities bridge networks, clusters, and subgroups: “betweenness
centrality fleshes out the intermediaries or the brokers within a network” [150].
Entity eigenvector centrality is like a recursive version of entity degree centrality. An
entity is central to the extent that the entity is connected to other entities that are central. An
entity that is high on eigenvector centrality is connected to many entities that are themselves
connected to many entities.
Centrality measures for semantic web
Semantic web concepts have many characteristics in common with our understanding of criminal
network entities and their associations. Similar to centrality measures for criminal networks (see
Section 5.9.1 above), semantic web concepts have been developed to measure the centrality of
entities in online social networks. We are interested in analysis of complex systems in which nodes
could be any object, relations (links) could be of any nature, and structures are generated by
the users (investigators). Semantic web technology can explicitly model the interactions between
individuals, places and things in complex systems of information entities, but classical social
network analysis methods are typically applied to “these semantic representations without fully
exploiting their rich expressiveness” [64]. A short summary of semantic web technology and a
social network analysis example is given in [63]:
Semantic web [technologies] provide a graph model, a query language and type and
definition systems to represent and exchange knowledge online. These [technologies]
provide a [. . . ] way of capturing social networks in much richer structures than raw
graphs. Several ontologies can be used to represent social networks. The most pop-
ular is FOAF1 , used for describing people, their relationships and their activity. A
1 http://www.foaf-project.org/
109
5.9. MATHEMATICAL MODELS CHAPTER 5. THEORY AND TECHNOLOGY
large set of properties is dedicated to the definition of a user profile: “family name”,
“nick”, “interest”, etc. The “knows” property is used to connect people and to build a
social network. [. . . ] The properties in the RELATIONSHIP2 ontology specialize the
“knows” property of FOAF to type relationships in a social network more precisely (fa-
milial, friendship, or professional relationships). For instance the relation “livesWith”
specializes the relation “knows”.
Figure 5.21: “Queries that extract the degree centrality of [individuals] linked by the property
foaf:knows and its specialization relationship:worksWith” [63].
5.9.2 Prediction
Prediction techniques include extrapolation, projection, and forecasting based on past and current
states of a criminal network. These three predictive techniques follow the approach of assessing
forces that act on an entity [40]. The value of prediction lies in the assessment of the forces that
will shape future events and the state of the criminal network. An extrapolation assumes that
those forces do not change between the present and future states; a projection assumes that they
do change; and a forecast assumes that they change and that new forces are added.
Bayesian inference is a (forecasting) prediction technique based on meta data about individuals
in criminal networks. A statistical procedure that is based on Bayes’ theorem can be used to infer
the presence of missing links in networks. The process of inferring is based on a comparison of
the evidence gathered by investigators against a known sample of positive (and negative) links in
the network, where positive links are those links that connect any two individuals in the network
whereas negative links are simply the absence of a link. The objective is often to assess where
links may be present that have not been captured in the collected and processed criminal network
information.
Prediction techniques
Prediction of covert network structure [184] is useful when you have a list of individuals suspected
to be part of your current criminal network investigation. The algorithm indicates probable covert
members on the list and how they are linked to the existing structure. The predict missing links
algorithm [183] starts prediction based on the current criminal network structure. The likelihood of
a link being present between all node pairs in the network is calculated based on the attribute data
of the remaining individuals. Links that have a missing likelihood higher than a pre-determined
value (calculated from the product of individual attribute likelihoods) are predicted as new links
in the network. Links are predicted in the same way by the covert network structure algorithm,
using a Bayesian inference method.
5.9.3 Other mathematical models

As mentioned, there are many mathematical models for criminal network analysis, such as terrorist
network analysis models: Recent work has proposed link importance as a new metric for destabi-
2 http://vocab.org/relationship/
110
CHAPTER 5. THEORY AND TECHNOLOGY 5.10. ETHICS
lizing terrorist networks. This novel method is inspired by research on transportation networks,
and the fact that the links between nodes provide at least as much relevant information about the
work as the nodes themselves. The measure of link importance offers new insights into terrorist
networks by pointing out links that are important to the performance of the network. A terrorism
domain model with both nodes and links as first class objects will allow additional features to be
built into the terrorist network and visualization tools [80, 244]. we
5.10 Ethical impact and issues

Ethics are concerned in many ways with software systems that manage information about people,
like tool support for criminal network investigation, involving multiple processes such as infor-
mation collection, gathering, and dissemination. In this section we review how the magnitude of
ethical impact and types of ethical issues are different from process to process. Criminal network
investigations benefit from tool support to various degrees, depending on the processes covered
and the tasks carried out. Assigning ethical responsibilities is therefore a prerequisite to assessing
the ethical impact of criminal network investigation tools. But the typical black box approach does
not separate end-user and tool responsibilities nor considers the ethical impact of individual crim-
inal network investigation processes and tasks. To address tool related ethical issues we propose
ethical principals and values and demonstrate what main design concepts can be implemented in
tools to support these principles and values.
5.10.1 Ethical impact

criminal network investigations can benefit from varying degrees of tool support depending on
the processes covered and the tasks carried out. The ethical impact of tools supporting criminal
network investigation processes is difficult to assess, and the development of methodologies for such
assessments are still in its infancy. Important reasons for this underdevelopment of a methodology
for morally evaluating technology development are related to its complex, uncertain, dynamic,
and large-scale character that seems to resist human control [253]. As an example, when a new
criminal network investigation tool is explained in the media, there is a tendency to view the tool
as a kind of black box. While this simplification is justified by the before mentioned complexity, it
creates the misunderstanding that criminal network investigation tools take huge amounts of data
as input and analyzes it using complex mathematical models, only requiring a few mouse clicks
from the user. When conducting an ethical impact assessment of a new technology, one should
not treat the technology as a black box. Since technologies potentially shape human actions and
interpretations on the basis of which moral decisions are made, we are obligated to try and give
this influence a desirable and morally justifiable form. In this section we will try to open the black
box that criminal network investigation tools often implement, to facilitate the development of
ethical impact assessment of new technologies for our particular domain. We identify a number
of problematic tasks followed by an assessment of the ethical responsibilities as shared by end
users and tools. Based on these observations a list of ethical principles and associated values for
criminal network investigation tool developers are suggested. A selection of design concepts using
these ethical principles and values as guidelines have been developed.
Assigning ethical responsibilities
Criminal network investigation involves collection, processing and analysis of information related
to a specific target creating products that can be disseminated to customers. A number of complex
task are associated with these processes [174]. When supported by tools these tasks have signifi-
cant ethical impact because their usage is more or less controlled. One example is profiling, both
personal and especially group profiling by means of data mining [50] or manually inferred rules
based on observations of reoccurring relationships or characteristics of persons and groups [154].
111
5.10. ETHICS CHAPTER 5. THEORY AND TECHNOLOGY
The transparency of social network analysis (SNA) measures like betweenness and closeness cen-
trality [240] and prediction algorithms decreases, when applied to an increasing number of nodes
and links. Lack of evidence source linking might result in situations where it is unclear who created
the link to the source, when was the link created, who collected and processed the information
in the first place etc. [222]. Inferential judgments are based on pros and cons about positions
and issues. But if the pros and cons are not saved these decisions cannot be audited by a third
person [46].
Figure 5.22: Determinism continuum, from open-ended to closed, indicating the degree to which
technology predetermines usages [119].
During analysis, especially when applying automated features such as social network analysis and
prediction, the tool has more ethical impact and power of influence. The determinism continuum
in Figure 5.22 illustrates this perfectly. The analyst cannot help to have his or her actions and
interpretations influenced by the output of a complex analysis. When information is disseminated
to the customer, the customer has the power of influence to interpret and use the disseminated
information as he or she finds convenient.
Addressing ethical issues on the tool side
To investigate the ethical issues on the tool side, we have studied existing literature on ethical is-
sues (e.g., [143]) and methodologies for ethical impact assessment of new (information) technology
(e.g., [233, 253]). However, identification of ethical issues and the development of methodologies
for impact assessments are still in its infancy [179, 253]. Important reasons for this underdevelop-
ment of a methodology for morally evaluating technology development are related to its complex,
uncertain, dynamic, and large-scale character that seems to resist human control [253]. And while
identified ethical issues like ‘dissemination and use of information’, ‘control, influence and power’
and ‘impact on social contact patterns’ are relevant for criminal network investigation tools they
are not process specific, making it difficult to assign ethical responsibilities.
We believe that human control of criminal network investigation tools is possible [247]. If we
combine this understanding with our findings that ethical impact at the task level is higher for
criminal network investigation tasks that dictate predetermined usage (i.e. automated tasks),
we have identified the core problem: The choices that analysts, collectors and customers prefers
to make are never fully predictable and tool support should therefore be dynamic and open-
ended [119] (Figure 5.22).
This suggests a human-centered approach where the humans (end users) are in charge of the
criminal network investigation processes and tasks and the tools are there to support them. If
the end users loose control (i.e. the tool predetermines usage) the ethical impact of the criminal
network investigation processes and tasks will increase. The challenge is to overcome the high
level of controllability that is inherent in the security and risk burdened world of criminal network
investigation.
112
CHAPTER 5. THEORY AND TECHNOLOGY 5.10. ETHICS
Ethical principles and values for criminal network investigation tools
We now have an initial understanding of the ethical responsibilities of end users and tools, as well
as the remedy for the ethical impact on the tool side: a human-centered approach. Based on these
observations we have designed the following list of ethical principles and values. The values can
apply to more than one principle in various ways as seen below. Not all combinations of principles
and values have been described.
Transparent. Tool transparency is a precondition to human trust. A lack of transparency
undermines the use of tool supported tasks.
(Customizable) Entities. Using an entity-based approach in which all entities are first class
is a precondition for several ethical values e.g. dynamic structuring.
(Dynamic) Reasoning. Being able to record and review reasoning sessions would clarify how
inferential judgments are made.
(Interactive) History. Creating, updating and deleting content related to entities should
be recorded for later reference. Storytelling using history events adds transparency to the
progress of an investigation.
Related work
Two approaches to addressing the ethical impact of criminal network investigation processes have
been reviewed. The following commercial tool supporting criminal network investigation work
flows represents the point of view that the protection of privacy and civil liberties should be
embedded in tools 66 . This is the approach we would like to adopt. Palantir Government 3.0 is a
platform for information analysis designed for environments where the fragments of data that an
analyst combines to tell the larger story are spread across a vast set of starting material [5]. Privacy
and civil liberties are “embedded in Palantir’s DNA”, exemplified by technologies like Access
Control Model, Revisioning Database and Immutable Audit Logs. Palantir used existing legislation
as guidelines on how to address ethical issues in implementation, e.g. the 9/11 Commission
Implementation Act [223]. More importantly, Palantir Government 3.0 has separated their entity
model from the domain ontology, making the representation of entities and their relationships
customizable. Furthermore, an interactive and navigable history of events is logged and finally
various hypertext structures are, unintentionally, facilitated. This suggests an open-ended and
dynamic approach to criminal network investigation tool support.
Another approach is presented in [179]: “the solution lies in developing and integrating advanced
information technologies for counterterrorism along with privacy-protection technologies to safe-
guard civil liberties. Coordinated policies can help bind the two to their intended use”. Examples
of privacy-protection technologies are: privacy appliance involving the use of a separate tamper-
resistant, cryptographically protected device on top of databases. Making information anonymous
is a technique used within the privacy appliance: it generalizes or obfuscates data, providing the
system with a guarantee that any personally identifiable information in the released data can’t be
determined, yet the data still remains useful from an analytical viewpoint.
5.10.2 Denmark and terrorism (The Muhammad caricatures, legislation

and civil liberties)
Denmark and Danish interests have been the target of terrorism plans and attacks on numerous
occasions from 2005 to 2010. It seems Denmark is getting a lot of attention compared to the
relatively small population and the fact that Denmark, before the engagement in Afghanistan
in 2002 and the invasion of Iraq in March 2003, had our international focus on peacekeeping
missions67 . Especially the reprinting of the Danish caricatures in February 2008 in multiple
113
5.10. ETHICS CHAPTER 5. THEORY AND TECHNOLOGY
newspapers has given Denmark a high ranking on terrorism target lists around the world. Despite
this Denmark is a nation facing actual terrorism plans only intermittently, resulting in the media
intensifying their coverage when such events occur.
The fact that the danish politicians did not hesitate to announce they were ready to evaluate
and tighten the Danish counter terrorism legislation enacted in 2002 and 2006 after the Mickey
Mouse project (MMP) had been revealed, is another interesting aspect of the influence of media
in “preparing” the public to support such statements. The controversy is that tightening the
laws conflicts with citizen liberties. Also, if “terrorism is as much about the threat of violence as
the violent act itself” [92], did David Headley (Mickey Mouse project surveillance, etc.), and his
accomplishes achieve their goal? Or is it acceptable to disregard the civil liberties of the public
for increased safety through more and stricter legislation?
Time line (Muhammad caricatures)
The first serious response to the initial printing of the Muhammad caricatures September 30th
2005 from within Denmark, was the postulated plans and intend to murder caricature cartoonist
Kurt Westergaard by the use of strangulation [15]. On February 12th 2008 three men were arrested
facing these complaints, one Danish citizen was released while two Tunisians were administratively
expelled [15] and controversially imprisoned without trial [151]. The final verdict in the Tunisian
case is still not given, and on December 4th 2009 it was decided to try the case at the Danish
Supreme Court [138].
The more recent incidents have had some interesting characteristics in common with the Mickey
Mouse project (see Section 5.7.2). First of all the cases described below all had links to the training
camps in north Waziristan, more specifically the Federally Administered Tribal Areas (FATA) on
the border to Afghanistan. Especially the main person involved in the Glasvej case, who used
some of the same codewords as in the Mickey Mouse project.
On October 21st 2008 an unanimous jury declared Hammad Khürshid (Danish-Pakistan) and
Abdoulghani Tohki (Afghan) guilty of planning terrorism intending to use bombs [85, 209]. The
men had experimented with producing the very unstable explosive TATP68 in their common
apartment in Copenhagen [209]. The wire-puller Hammad Kürshid was sentenced 12 years in jail
at the court in Glostrup, while Abdoulghani Tohki was punished with a seven year sentence and
expelled from Denmark for life because of his Afghan citizenship [209]. After the sentencing new
information was revealed69 , which showed that Hammad Khürshid had been recruited and trained
by one of Osama bin Ladens most important lieutenants, the Egyptian Abu Ubaidah al-Masri,
in the northern Pakistani province Waziristan [213]. The first arrests associated with the Glasvej
case were made on April 2007 [209].
On June 2nd 2008 followed an incident not similar to the previous cases, primarily because it took
place in Pakistan: “A car bomb exploded outside the Danish Embassy in an upscale area of the
Pakistani capital” [164] Islamabad “killing eight persons and injuring up to 30” [185]. Al-Qaeda
later claimed to be responsible for the attack, stating it was “revenge for the publishing of the
Muhammad cartoons” [133]. The Mickey Mouse project followed this incident as the next case
with links to Pakistan.
On January 1st 2010, a 28 year old Somali man attacked cartoonist Kurt Westergaard in his home,
threatening him with a knife and an ax [186]. Westergaard successfully escaped to his custom made
panic room, and later the Somali man was pacified by the police using gun shots [186]. According
to PET the offender had close contact with the militant group al-Shabaab in Somalia [88].
The political climate in Denmark in October 2009 and Danish counterterrorism leg-
islation
“During the last decade the Danish political system has undergone a polarization. Where the polit-
ical scene earlier has been characterized by minority governments that have sought parliamentary
114
CHAPTER 5. THEORY AND TECHNOLOGY 5.11. TRUST AND USER ACCEPTANCE
support across the middle, Danish policy today is dominated by two political blocs, respectively,
a center-left block and a right block” [90], a change that started with the election of a right wing
government in 2001. On June 8th 2002 the first Danish counter terrorism law was enacted as a
direct impact of 9/11 (2001)70 . The extension of the law grants the Danish secret intelligence
service PET a number of extended powers concerning surveillance of private individuals and the
right to perform multiple searches with a single court order [14].
Denmark has been involved in the international NATO mission in Afghanistan since 2002. On
January 11th 2002 the Danish parliament unanimously decides that Danish military forces should
be available for an international security force in Afghanistan [17]. A status report from October
22nd 2009 shows that Denmark has 690 soldiers in Afghanistan, and that 28 soldiers has been
killed. “Denmark is one of the countries that measured per citizen has most soldiers killed in the
NATO led operation in Afghanistan, consisting of 43 countries” [98]. During March 2003 Denmark
also decided to join the US and British led coalition forces, although there was disagreement in
government. The majority of the population was against the decision since there was no mandate
from the UN [156].
On June 10th 2006 the second counter terrorism law was enacted71 following the 7/7 bombings
2005 in London72 . The 2006 law raised concerns of Civil Libertarians, although strong support
existed in the general public for the further tightening of the counter terrorism laws from 2002 [218]:
“The mood has shifted in Europe more toward security than it was before the London bombings,”
said Daniel Keohane, senior research fellow at the Center for European Reform in London. “The
Europeans have always been very nervous about infringing on civil liberties. But when you
experience terrorism, it changes your views.”
However, arguments regarding whether or not these laws are too strict is beyond the scope of this
Ph.D. dissertation. One comment is however describing the medias influence on Danish policy
makers:
In a 1987 speech at Hebrew University in Jerusalem, Associate U.S. Supreme Court

Justice William J. Brennan Jr. reviewed what he called the “shabby treatment” that
America’s vaunted freedoms have received in times of war and threats to national se-
curity [...]73 . He attributed these lapses to the crisis mentality that Americans develop
when faced with danger intermittently, rather than living with it constantly. America’s
decision-makers have been inexperienced in assessing the severity of security threats
and in devising measures to cope with them in ways that respect conflicting rights and
liberties. [81]
Given the relatively short list of terrorist events related to Denmark directly, the same can be said
of the Danish governments experience with enacting and enforcing such counter terrorism laws.
And the Danish populations propensity to support them immediately after the revelation of plans
to strike against Denmark and Danish interests.
5.11 Trust and user acceptance

In this section we review user acceptance of information technology for criminal network investi-
gation, and we discuss how trust is a prerequisite to such acceptance, and tightly coupled with
transparency and ownership [175].
Taking a computational approach to criminal network sense-making, claiming that investigators
will benefit from the information provided, raises concerns about user acceptance of this com-
puted information74 . Experienced investigators with the skills to manually derive the computed
information (given more time) might question how exactly the information has been automati-
cally computed and they might be inclined not to trust this computed information enough to base
their decisions on it [193]. For computational sense-making to be effective, decision makers must
consider the information provided by such systems to be trustworthy, reliable [144], and credible.
115
5.12. INTERACTION AND VISUALIZATIONCHAPTER 5. THEORY AND TECHNOLOGY
See Chapter 11 for more on criminal network sense-making and Section 5.10 for a look at ethical
issues and in trust in terms of tool support for criminal network investigation.
5.12 Interaction and visualization

We give a brief introduction to interaction and visualization in this section.
5.12.1 Interaction
We mention and discuss interaction theory and concepts throughout this dissertation. How we
use interactive “proof-of-concept” prototypes [132] to develop tool support for criminal network
investigation. What we would like to discuss in this section is human-tool synergies which better
describes our goals with the aforementioned tool support development. Investigators are the
decision-makers in criminal network investigations (e.g. low probability situations [130]), while
algorithms do routine calculations: “Men will fill in the gaps, either in the problem solution or
in the computer program, when the computer has no mode or routine that is applicable in a
particular circumstance” [130].
5.12.2 Visualization
Information visualization technologies have proved indispensable tools for making sense of complex
data [86]. Visualization techniques use both retinal properties and spatial arrangement for the
presentation of structured information, taking advantage of the human perceptual system. How-
ever, most visualization systems do not support the visual editing of structured information. The
lack of direct manipulation of structured information in visualization systems means that there is
no expression in such an environment, and expression is part of a real decision making process [97].
Another problem is that “information visualization applications do not lend themselves to “one
size fits all” solutions; while successful visualizations often reuse established techniques, they are
also uniquely tailored to their application domain, requiring customization” [86].
Although visualization libraries primarily offer advanced unidirectional mappings, a lot can be
learned from them in terms of requirements for a graphical-oriented framework design. The
prefuse toolkit [86] for interactive information visualization is presented as an interesting case.
Our interest is mainly due to the set of finer-grained building blocks that prefuse provides for con-
structing tailored visualizations. The template-modeled design process of “representing abstract
data, mapping data into an intermediate, visualizable form, and then using these visual analogues
to provide interactive displays” is very interesting.
5.13 Summary
This chapter started with an introduction to five pillars of theory and technology, describing the
relevance of each pillar for developing tool support for criminal network investigation, followed
by a summary of the theory and technologies within each pillar. A color legend was used to
indicate whether or not each theory or technology was covered in this chapter and to what degree,
or if it was covered in a fragmented manner throughout the dissertation. Then followed reviews
and summaries of individual theories and technologies, covered to a certain extent, matching
their role for this Ph.D. project. Hypertext, semantic web, human cognition, the creative process,
intelligence, and mathematical models therefore received the most attention. But theory from
information science, knowledge about simple tools for idea generation, case studies of individuals,
ethics, trust and user acceptance, and interaction and visualization have also played a role and
will play a role for future developments in criminal network investigation. This chapter illustrates
116
CHAPTER 5. THEORY AND TECHNOLOGY 5.13. SUMMARY
the many perspectives that a software systems engineer in criminal network investigation must
have, when developing tool support for criminal network investigation.
117
5.13. SUMMARY CHAPTER 5. THEORY AND TECHNOLOGY
118
CHAPTER 6
Problem definition and research focus
In Chapter 1 we reviewed criminal network investigation challenges, and selected to focus on three
of them (information, process, and human factors), arguing that investigator centric challenges
of a quantitative nature (i.e., suitable for modeling) would be addressable by software system
support. Based on the three selected challenges, we stated the following research hypothesis:

In this chapter we specialize our hypothesis and conduct a more detailed analysis of specific
problems associated with each challenge. Based on these problems (and our own knowledge and
ideas) we also formulate a research focus for each challenge, resulting in a list of requirements to
guide and evaluate our work (see Section 6.4 for more details on how we propose to do this). The
list of research focus requirements are considered software development requirements for developing
software tool support for criminal network investigation, while the criminal network investigation
tasks presented in Chapter 7 are considered criminal network investigation requirements, i.e.,
a list of tasks that investigators perform (for the majority) whether or not they use dedicated
tool support or not. Our review of criminal network investigation (criminal networks, structures,
processes, cognitive bases, and cases75 ), related work (commercial tools and research prototypes),
and relevant theories and technologies for tool support of criminal network investigation revealed
the following problems related to information (Section 6.1), process (Section 6.2), and human
factors (Section 6.3).
6.1 Information problems and research focus

Based on criminal network investigation cases, analysis of criminal network structures, etc. (Chap-
ter 3), reviews of commercial tools and research prototypes (Chapter 4), literature studies (Chapter
5), and other analysis work we state information amount, incompleteness, and general complexity
as information problems for criminal network investigation.
1. Information amount (e.g., [59,110,116]) includes information abundance and information

scarcity problems. If information is abundant and resources required to process the informa-
119
6.1. INFORMATION CHAPTER 6. PROBLEM DEFINITION
tion are limited, potential suspects might not be discovered. On the other hand, if information
is scarce, decisions might be based on uncorroborated intelligence later proved to be false.
Many techniques have been developed that can analyze large amounts of networked informa-
tion and applied during criminal network investigations. Most prominent is social network
analysis, the study of human relationship networks, or the application of statistical tech-
niques to the field of sociology (we review social network analysis in Section 5.9.1). Since
its beginning, the field has become more mathematical and rigorous, and has widened in
scope to encompass networks arising in other contexts. Today the field has become known
as network science [68].
The introduction of network science did not add to the network theory for detecting and
exposing hidden terrorist networks. Time-consuming manual tasks for synthesis of criminal
networks are still applied by law enforcement and intelligence services (e.g., [68, 139]). On
a concrete case, it took an experienced crime analyst six weeks to manually extract a fraud
link chart with 110 people, “even though most of the information in the chart came from
computerized records. [. . . ] The base network extracted for the [fraud] evaluation (all links
between all nodes connected within two associational hops of the targets) included 4,877
nodes and 38,781 reported associations” [139]. This example also illustrates why it has been
“estimated that police officers spend up to 40% of their time handling information, making
it one of the most extensive police activities” [20].
2. Information incompleteness (e.g., [39, 168, 183]) like variation in available meta data
(attributes) for entities or missing attribute values. Other incompleteness includes missing
links and missing network structure (nodes and links). It can be difficult to automatically
detect associations between entities when information is incomplete.
Once a criminal network is synthesized, its characteristics can be studied using standard
network measures such as centrality. However, the well-established techniques are not well
suited for the fragmented networks that organized crime and terrorism networks often are.
An intelligence analyst at the British Home Office, pointed this out, during a presentation
and talk there [167]. Researchers have started developing techniques take into account
incomplete information (e.g., [177, 183]). We have developed measures of performance for
transformative prediction algorithms, to see how they reacted when attributes where missing
from the data or the accuracy of information was not complete [176].
3. Information complexity (e.g., [20,116,128]) is typically caused by the emerging and evolv-
ing nature of information, especially within the counterterrorism domain. Information abun-
dance or scarcity on its own does not necessarily make the relations between entities in the
information more complex. The use of aliases, social complexity (e.g., culture and language)
and the mix of different information types (e.g., audio, images, signals, video) are all factors
that will increase the complexity of information.
Criminals prefer to remain covert, balancing secrecy and efficiency [244], e.g., by encrypting
their communication or keeping individuals and groups isolated from each other and on a
need-to-know basis in terms of communication. Or information is complex simply because
it is fragmented, as mentioned above. The use of deliberate (semantic) aliases, i.e. using
different names in different contexts, is a well known technique to remain covert. Omar Saeed
Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl, was
known to have used at least 17 aliases [128], and Khalid Sheikh Mohammad, who murdered
Daniel Pearl, and was the mastermind behind i.a., 9/11 (2001), used two dozen aliases [146].
Simon and Burns share their experiences from organized drug crime environments, where
the drug dealers are out in the open, but use for example encryptions of phone numbers
when paging each other, to setup business, schedule meetings, etc. [10, 206].
120
CHAPTER 6. PROBLEM DEFINITION 6.2. PROCESS
6.1.1 Research focus (requirements)

Criminal network investigators deal with information from a variety of sources, all of which are
important to their decision making process. As pointed out by the 9/11 report [152], linking and
communicating those pieces of information is a critically important issue. In order to deal with
the increasing amount of information available, especially through the Internet, automatic tools
are used to harvest relevant information [148] and compute relationships that implicitly exist in
the acquired data [55]. The output is a pre-selection that helps analysts to focus on the most
relevant parts. Those tools, however, focus on a predefined repository and are limited in their
structural representation. Due to their focus on computation, most of them model relationships
as graphs. Graphs have been well researched and thus permit the application and use of a variety
of mathematical models and algorithms. Even though machines are necessary to deal with the
vast amount of information, final decisions, however, are taken by humans. Analysts need support
for their decision making process, of which criminal network analysis tools play an important role.
Dedicated software tools targeted at supporting criminal network investigators in their knowledge
management work should fulfill the following overall requirements related to information [20]:
1. Supporting the emergent and fragile nature of the created structure and fostering its com-
munication among investigators.
2. Integrating with the information sources used by the investigators, permitting them to be
represented and structured in a common information space.
3. Supporting awareness of, and notification based on, linked information across information
source boundaries.
4. Permitting multiple directions of thought through versioning support. Supporting emer-
gent structure as a means for knowledge representation, communication, integration, and
awareness/notification has been and still is discussed in depth in hypertext research.
6.2 Process problems and research focus

Compartmentalization is the source of several process related problems, such as responsibility and
(non optimal) information sharing. By compartmentalization, we mean the restrictions on the nat-
ural flow of information and problem solving, inhibiting criminal network investigations. Based
on analysis of criminal network investigation cases and processes (see Chapter 3), literature stud-
ies (Chapter 5), and other analysis work we summarize incremental deterioration, responsibility,
overlapping processes, and information sharing problems for criminal network investigation.
1. Incremental deterioration (e.g., [5,52,59,242]) often happens when following a linear pro-
cess, where investigators receive a mix of information (evidence) and interpretations of that
information, in the form of reports. Especially, if the institution is collaborating with other
institutions, information is exchanged in reports. Some law enforcement institutions and
intelligence services have as part of their intelligence process, to make clear the distinction
between information and interpretation. But that doesn’t stop the intelligence customer from
further interpretations of the analysts interpretations. And typically not all information is
included in reports for the customer, or collaborators.
The degree of incremental deterioration of information is different if the investigation is
solely within a single organization compared to (transnational) collaboration between agen-
cies, services, and law enforcement. However, while the problem is smaller, it is still there
and important to address. The most significant example we have come across is Curveball, in
which interrogation reports traveled from Germany through several compartments in agen-
cies and national security organizations in different nations, being translated from Arabic,
to German to English, before reaching CIA analysts and ultimately decision makers in the
121
6.2. PROCESS CHAPTER 6. PROBLEM DEFINITION
White House. Commercial tools for criminal network investigations recognizes this problem
and promotes their support of loss less data abstractions in commercial material [5].
2. Responsibility (e.g., [40,54,59]) often depends on whether a person has something personal
at risk, the esteem of colleagues or the consequences of bad or rushed decisions. When
following a process with many compartments, it becomes easier to push the work requiring
responsibility on to the people responsible in the next compartment. And the individuals in
that department might be reluctant to “ask back” into the compartment from where they got
the information, and instead forward it to someone else.
An example of responsibility, again from the Curveball case, is Alex Steiner76 , the United
States defense intelligence agency’s (DIA) liaison to the German federal intelligence service
(BND), receiving the incoming intelligence reports from BND. The Germans refused Steiner
or anyone else access to Curveball. Steiner didn’t mind, the case was very complex, and he
was looking forward to retirement. The case was as a “hot potato”, but he let other people
care about the details, his role was “to oversee things” [59]. The 22/7 (2011) commission
report points out that the Norwegian police security service (PST), had received information
about individuals suspicious purchases of chemicals in Poland, from the customs directorate
to which other authorities such as the national postal service had raised their concerns. PST
received this information on 6/12 (2010), but the lead had not been followed up on when
the attacks happened 22/7 (2011), because the different sections within the police security
service had spent five months deciding whose domain it was, and later when the case was
assigned to a section, the responsible case officer had to go on vacation for 10 weeks [153].
3. Overlapping processes (e.g., [170, 175]) becomes a software development problem, when
choosing a target-centric approach. The target-centric alternative to a linear process means
that criminal network investigation processes will be overlapping, i.e., the structuring of
information and algorithm-based computations has to be performed on the same model. With
a linear process, with process compartments, one compartment have one model to solve their
task, and another compartment uses a different approach to solve theirs.
Investigators move pieces of information around, they stop to look for patterns that can help
them relate the information pieces, they add new pieces of information and iteration after
iteration the information becomes increasingly structured and valuable. Synthesizing emerg-
ing and evolving information structures is a creative and cognitive process best performed
by humans. Making sense of synthesized information structures (i.e., searching for patterns)
is a more logic-based process where computers (tools) outperform humans as information
volume and complexity increases [175].
4. Information sharing (e.g., [40, 152, 242]) problems are often a consequence of the chosen
intelligence process, the culture of intelligence agencies and the trade craft of secret intelli-
gence. Several reports have concluded that information sharing between intelligence agencies
was the root cause of intelligence failure. The main objective of criminal network investiga-
tion research should be to understand the problems, processes, and tasks involved and then
develop tools assisting the people working with these processes and tasks every day to help
minimize the impact of the problems faced.
The wall between FBI and CIA before and after the investigations into 9/11 was high and
thick, and destructing for investigations: “The wall, as it was called, was often misunder-
stood and frequently interpreted too broadly. The agents assigned to collecting intelligence
sometimes couldn’t, or wouldn’t, talk to their colleagues who were working the criminal side
of the same cases. Big things – like leads and plots and potential sources – fell through
the cracks” [146]. On Baltimore police department’s homicide shifts, the numbers game of
open and closed investigations, readily available for everyone to see in the coffee room took
a toll on the investigators willingness to talk and discuss cases with detectives from other
shifts: “For the last several years, detectives from one shift had interacted with those from
the other only at the half-hour shift changes or on rare occasions when a detective pulling
122
CHAPTER 6. PROBLEM DEFINITION 6.3. HUMAN FACTORS
overtime on a case needed an extra body from the working shift to witness an interrogation
or help kick down a door” [204].

A target centric and iterative approach to criminal network investigation is preferred to a linear
approach, due to the failure of investigations following a linear process model that introduces com-
partmentalization. An alternative to the traditional intelligence cycle is to make all stakeholders
(including customers) part of the intelligence process. Stakeholders in the intelligence community
include collectors, processors, analysts and the people who plan for and build systems to support
them: “Here the goal is to construct a shared picture of the target, from which all participants
can extract the elements they need to do their jobs and to which all participants can contribute
from their resources or knowledge, so as to create a more accurate target picture” [40]. To ensure
shared responsibility throughout a criminal network investigation, and given the many iterations
over the information and its structure, the source of network changes, interpretations, and deci-
sions must be maintained, whether made by investigators or the tool (e.g., algorithms). Developing
a common data model for both investigators restructuring and organizing information and tools
analyzing the same information is necessary to support target-centric and iterative investigation.
In summary, dedicated software tools targeted at supporting target-centric and iterative criminal
network investigation should fulfill the following overall requirements:
1. Permitting a target-centric and iterative approach to criminal network investigation is essen-

tial, thereby creating a shared information space for investigators, functioning as a common
reference point.
2. Supporting loss-less data abstractions, so that all investigators can see what has happened,
if information has to be shared between compartments.
3. Ensuring that all collectors, analysts, and customers become stakeholders in the success of
the criminal network investigation, whether working alone or as a team.
4. Integration of conceptual and computational models to support the target-centric, iterative

approach with overlapping criminal network investigation processes.
6.3 Human factors problems and research focus

Human factors are inherently a challenge for criminal network investigations and often have great
influence on the impact of the other problems discussed. Contextual pressures such as time
constraints, dynamism, and changing goals are interrelated to required resources (see for exam-
ple [110, 183, 252]). Existing evidence suggests that decision-making and information processing
abilities are often not optimal because the informational complexity of the world overwhelms
human cognitive abilities and creates bias:
1. Human cognition and creativity (e.g., [9, 89, 165, 201, 239]) complicated tasks to support
and leverage for a software system. The human mind solves problems in certain ways and
creating new ideas is essential for problem solving, not similar to how a computer solves
problems. And there are different approaches to creativity, such as “free association” cre-
ativity and rational creativity produced by persistent, hard work. It is not enough to support
collaboration and group work, since real groups do not necessarily create more ideas than
nominal groups. Certain representational structures for cognitive space must be embedded in
tools supporting criminal network investigation.
Understanding the boundaries of human cognition is necessary for tool support of criminal
network investigation: “it is difficult for the human working memory to keep track of all
123
6.3. HUMAN FACTORS CHAPTER 6. PROBLEM DEFINITION
findings. Hence, synthesis of many different findings and relations between those findings
increase the cognitive overload and thereby hinders the reasoning process” [201]. Because
of this, humans often use simple physical tools when generating new ideas, but existing
software tools used for criminal network investigation usually don’t have the necessary ease-
of-use compared to scribbling ideas on a whiteboard or paper cards.
2. Making humans more capable (e.g., [33,62,130]) is the intended purpose of most software
systems, but when humans and tools have to cooperate, it becomes a difficult task. The
problem is how to make a software system augment human intellect, instead of trying to
mimic it, trying to make the computer think, which it cannot. It is necessary to understanding
what humans do well and what computers do well, to solve this problem.
“The human eye is enormously gifted at picking out patterns, and visualizations allow is to
put this gift to work on our network problems. On the other hand, direct visualization of
networks is only really useful for networks up to a few hundreds or thousands of vertices
[and] the number of edges is quite small” [155]. Visualizations on their own, whatever
layouts are applied, are not enough for. Bush (1945) [33] reasoned that since people use
associations to store and retrieve information in and from their own minds, a machine-
supported mechanism that provided this ability would be useful for organizing information
stored in external memory. Augmenting human intellect, i.e. increasing the capability of
man to approach a complex problem situation, to gain comprehension to suit particular
needs, and to derive solutions to problems [62].
3. Habitual and biased thinking (e.g., [8, 116]) Contextual pressures such as time con-
straints, dynamism, and changing goals affects criminal network investigators. Existing
evidence suggests that decision-making and information processing abilities are often not op-
timal because the informational complexity of the world overwhelms human cognitive abilities
and creates bias. The result being that known solutions are chosen and the problems remain
unsolved.
“Today functional problems are becoming less simple all the time. But designers rarely
confess their inability to solve them. Instead, when a designer does not understand a problem
clearly enough to find the order it really calls for, he falls back on some arbitrary chosen
formal order. The problem, because of its complexity, remains unsolved” [8]. Humans have
a tendency to rely on hierarchical tree structures, when faced with complex problems [9, 89].
Pressure could also make investigators fall back on often applied methods, e.g., homicide
detectives who are assigned to new crime scenes, having three open cases on their desks, and
continuously pressured to turn red cases into black by the public display of their stats in the
office [204].
4. Trust (e.g., [144, 175]) in information generated by software tools can be difficult to attain,
if it is not clear how that information was derived. For computational sense-making to
be effective, decision makers must consider the information provided by such systems to be
trustworthy, reliable, and credible. Trust is important for the adoption of software tools for
criminal network investigation.
Simply by turning to the computer when confronted with a problem, we limit our ability
to understand other solutions. The tendency to ignore such limitations undermines the
ability of non-experts to trust computing techniques and applications [193] and experienced
investigators would be reluctant to adopt them.

Investigators are the decision-makers in criminal network investigations (especially in low proba-
bility situations [130]), while algorithms do routine calculations: “men will fill in the gaps, either
in the problem solution or in the computer program, when the computer has no mode or routine
124
CHAPTER 6. PROBLEM DEFINITION 6.4. SUMMARY
that is applicable in a particular circumstance” [130]. In software system development humans

seem to work better with board-based approaches (e.g., paper cards on a board) compared to
the traditional form-based approach, where structure is predetermined and the humans have to
adapt [171, 172]. It is often a good approach to use well known metaphors (e.g., desktop and file
explorer in Windows) or the way that people interact with each other or physical tools like white
boards, etc. [174]: “simple gestures help interactions with ideas” [254]. Humans can contribute
with creativity, but while group work is often promoted as the way to more creativity, “the last 50
years of empirical studies overwhelmingly suggest that real group creativity is not as effective as
nominal group creativity.” [239]. Dedicated software tools targeted at supporting human factors
problems in criminal network investigation should fulfill the following overall requirements:
1. Augmenting human intellect through knowledge about human cognition, creativity, and
problem solving theory and practice is essential.
2. Leveraging transparency and ownership through tailorable models to ensure the end user’s
trust in calculated information is an important step toward tool usage and output used for
decision-making.
3. Software tools used for analysis of criminal network investigation entities must have an ease-
of-use as close as possible to that of scribbling ideas on a whiteboard or paper cards.
4. Bridging the gap between conceptual and computational models to support cooperation
between man and software system tool, where humans think, make decisions, and fill the
gaps, while tools do routine calculations.
6.4 Summary
We started this chapter by repeating our hypothesis as formulated in Chapter 1. It was based
on the three criminal network investigation challenges, which we had chosen to focus on. In this
chapter, we have provided a more detailed analysis of those challenges and presented specific
problems related to each challenge. The problems have been used to create a set of research focus
requirements to guide our development of software tool support for criminal network investigation,
to address the problems and ultimately reduce the impact of the challenges significantly, supporting
our hypothesis. We will base our evaluation of whether or not the challenges are met and the
hypothesis supported, on the research focus requirements formulated for each challenge. In the
next part of our dissertation (Part III) we use the research focus requirements during analysis
and design, to ensure that our support of the criminal network investigation tasks will address the
challenges information, process and human factors. In Chapter 15, we present a mapping between
criminal network investigation tasks and research focus requirements.
From now on we will refer to information research requirements as information #1 (emerg-
ing and fragile structure), information #2 (integrating information sources), information #3
(awareness and notification), and information #4 (versioning support). We will refer to process
research requirements as process #1 (target-centric and iterative), process #2 (loss less data
abstractions), process #3 (make everybody stakeholders), and process #4 (integrate concep-
tual and computational models). Finally, we will refer to human factors requirements as human
factors #1 (augment human intellect), human factors #2 (transparency and ownership), hu-
man factors #3 (simple tools ease-of-use), and human factors #4 (human-tool synergy).
125
6.4. SUMMARY CHAPTER 6. PROBLEM DEFINITION
126
Part III
The tool
127
CHAPTER 7
Process model and tasks
That’s the trouble with the red-ball treatment, Pellegrini tells himself,
scanning one typewritten page after another. By virtue of their
importance, red balls have the potential to become [. . . ] four-star
departmental clusterfucks beyond the control of any single
investigator.
Homicide detective, in [204].
Criminal network investigations such as police investigations, intelligence analysis, and inves-
tigative journalism involves a number of complex knowledge management tasks such as collection,
processing, and analysis of information [173,174]. This chapter presents a human-centered, target-
centric process model for criminal network investigations that divides the investigative tasks into
five overall processes: acquisition, synthesis, sense-making, dissemination, and cooperation. Based
on case studies and observations of criminal network investigation teams, contact with experienced
investigators from various communities, examination of existing process models and existing tools
for investigation, as well as our own ideas for investigative tool support, we have generated a list
of tasks that a tool for criminal network investigation should support.
The process model first of all addresses the process challenge that we described in Chapter 6.
Specifically, the model fulfills process #1 (target-centric and iterative”) and process #3 (make
everybody stakeholders). We start out by presenting the process model in Section 7.1 and a list
of criminal network investigation tasks for each of the five overall processes in Section 7.2. We
conclude the chapter in Section 7.3 by summarizing the model and the tasks, we explain their role
for the remainder of the dissertation and explain how we intend to evaluate the process model and
the list of criminal network investigation tasks.
7.1 Process model

Criminal network investigation involves the collection, processing, and analysis of information re-
lated to a specific target to create products that can be disseminated to the customers. Different
process models have been proposed to handle the complex tasks and issues involved in criminal
network investigations (such as police investigations [53], intelligence analysis [40], and investiga-
tive journalism [136]). The three investigation types and related process models are described in
Section 3.6.
129
7.1. PROCESS MODEL CHAPTER 7. PROCESS MODEL AND TASKS
Figure 7.1: Human-centered, target-centric criminal network investigation.
Criminal network investigation models include the following overall knowledge management pro-
cesses77 : acquiring the needed information (collection and processing), creating a model of the
target (synthesis), extracting useful information from that model (sense-making), and finally cre-
ating a representation of the results (dissemination). Based on a specific target-centric model for
intelligence analysis [40], we propose a generic model for target-centric criminal network investi-
gation to embrace police investigations, intelligence analysis, and investigative journalism (Figure
7.1).
The customer requests information about a specific target. The investigators request information
from the collectors (that may also be investigators). Information related to the target is acquired
in disparate pieces over time. The investigators use the acquired information to build a model
of the target (synthesis) and extract useful information from the model (sense-making). The
extracted information results in changes to the model (synthesis). The sense-making - synthesis
cycle is continued throughout the investigation as new information is acquired and extracted from
the model. The investigators both work individually and cooperatively as a team. The results of
the investigation are disseminated to the customer at the end of the investigation or at certain
intervals (or deadlines).
Investigation is a human-centered knowledge management process. Investigators (and collectors)
rely heavily on their past experience (tacit knowledge) when conducting investigations. Hence,
these processes cannot be fully automated and taken over by software tools. The philosophy is
that the humans (in this case the investigators) are in charge of the criminal network investigation
tasks and the software tools are there to support them [248]. The tools should be controlled by the
investigators and should support the complex intellectual work (e.g., synthesis and sense-making)
to allow the investigators to reach better results faster.
CrimeFighter Investigator focuses on providing human-centered, target-centric support for crimi-
nal network investigation (acquisition, synthesis, sense-making, cooperation, and dissemination).
Tool support for collection and processing is beyond the scope of this Ph.D. dissertation. The
CrimeFighter Explorer tool focuses on this type of tool support (see Section 1.4). Tool support
for advanced structural analysis and visualization of the generated target model is also beyond
the scope of this Ph.D. dissertation. The CrimeFighter Assistant tool focuses on this type of tool
support (see Section 1.4).
130
CHAPTER 7. PROCESS MODEL AND TASKS 7.2. TASKS
7.2 Tasks
Based on cases and observations of investigative teams, contact with experienced end-users (inves-
tigators) from various communities, examination of existing process models and existing tools sup-
porting criminal network investigation tasks (e.g., [2,5,7,19–21,25,39,40,53,83,84,101,136,178,254]
and [6,201,212,252]), and our own ideas for investigative tool support, we maintain a list of inves-
tigation tasks divided into five processes: acquisition, synthesis, sense-making, dissemination, and
cooperation. The list of tasks can be seen as a wish list of requirements for what an investigative
tool should support; the list serves as the basis for our tool development efforts. So far our require-
ment generation and development efforts have primarily focused on tasks related to acquisition,
synthesis, sense-making, and dissemination, while cooperation will be addressed in more detail in
future work. The list is not exhaustive; we expect to uncover additional requirements for all five
processes over time.
7.2.1 Acquisition
Acquisition. Some information may be available at the beginning of an investigation, but new
information tends to dribble in over time in disparate pieces. Information arrives from various
sources and should be easy to insert (import, drag-and-drop, cut-and-paste, etc.) into the in-
vestigation tool in a manner that is transparent to the investigator in order to keep trust in the
information.
Acquisition methods. Information arrives from various sources and should be easy to
insert into the investigation tool using methods such as import, drag-and-drop, and cut-and-
paste.
Dynamic attributes are required to support acquisition of various data sets formatted
using graph markup language (GraphML) or comma separated values (CSV).
Attribute mapping. To support dynamic attributes it is necessary to map attributes in

the acquired information to the investigation data model. For example mapping attributes
to information element labels.
7.2.2 Synthesis
Synthesis tasks assist investigators in enhancing the target model:
Creating, editing, and deleting entities. Investigators basically think in terms of people,
places, things, and their relationships.
Creating, editing, and deleting associations. The impact of association analysis on inves-
tigative tasks is crucial to the creation of the target model. Descriptive associations between
entities helps discover similarities and ultimately solve investigation cases.
Re-structuring. During an investigation, information structures are typically emerging

and evolving, requiring continuous re-structuring of entities and their relations.
Grouping. Investigators often group entities using symbols like color and co-location
(weak), or they use labeled boxes (strong). Groupings can be used to highlight and em-
phasize particular entities and their relations.
Collapsing and expanding information is essential since the space available for manipu-
lating information is limited physically, perceptually, and cognitively. Zooming is a way to
visually collapse or expand information in the space; however, depending on the zooming
degree, it facilitates information overview at the expense of information clarity.
131
7.2. TASKS CHAPTER 7. PROCESS MODEL AND TASKS
Brainstorming is often used in the early phases of an investigation to get an initial overview
of the target and the investigation at hand. Brainstorming is an example of a task that
involves both synthesis and sense-making activities. Brainstorming is often supported by
different types of mind mapping tools that allows the generated information elements to be
organized in a hierarchical manner.
Information types. Multimedia support is helpful when investigators want to add known
positions of persons to a map or link persons to different segments within an audio file. This
would support for example more intuitive storytelling.
Emerging attributes are needed to support import of data sets and emerging attributes
in investigations as well as imported algorithms.
7.2.3 Sense-making
Sense-making tasks assist investigators in extracting useful information from the synthesized
target model:
Retracing the steps. Criminal network investigators often retrace the steps of their inves-
tigation to see what might have been missed and where to direct resources in the continued
investigation. Walking through an existing recorded investigation is used by new team mem-
bers to understand the current status of the investigation and for training purposes.
Creating hypotheses. Generating hypotheses and possibly competing hypotheses is a core

task of investigation that involves making claims and finding supporting and opposing evi-
dence. Investigators use both fact- and inference-based reasoning to rationalize about their
beliefs either in a top-down or bottom up manner. This results in different interpretations of
the information at hand (sequences of information, thought experiments, alternative stories,
etc.).
Adaptive modeling. Representing the expected structure of networks for pattern and
missing link detection is a proactive sense-making task. Adaptive modeling embeds the tacit
knowledge of investigators in network models for prediction and analysis.
Prediction. The ability to determine the presence or absence of relationships between and
groupings of people, places, and other entity types is invaluable when investigating a case.
Alias detection. Network structures may contain duplicate or nearly duplicate entities.
Alias detection can be used to identify multiple overlapping representations of the same real
world object.
Exploring perspectives. To reduce the cognitive biases associated with a particular mind
set, exploring different perspectives (views) of the information is a key investigative task.
Decision-making. During an investigation, decisions have to be made such as selecting

among competing hypotheses and selecting among alternative interpretations of the infor-
mation.
Social network analysis. Network centrality measures such as degree, betweenness, close-
ness, and eigenvector can provide important investigation insights.
Terrorist network analysis. A terrorist network is a special kind of social network with
emphasis on both secrecy and efficiency (especially covert terrorist networks. Operational
focus is on destabilization, and techniques include inference-based prediction, measures of
link efficiency and secrecy to determine link importance, and community and key players
detection.
132
CHAPTER 7. PROCESS MODEL AND TASKS 7.3. SUMMARY
7.2.4 Dissemination
Dissemination tasks help the criminal network investigators to formulate their accumulated
knowledge for the customer:
Storytelling. Investigators ultimately “tell stories” in their presentations when disseminat-

ing their results. Organizing evidence by events and source documents are important tasks,
so that the story behind the evidence can be represented.
Report generation involves graphics, complete reports, subspaces, etc. Being able to
produce reports fast is important in relation to time-critical environments and frequent
briefing summaries.
7.2.5 Cooperation
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and
sense-making that is informed by more perspectives. In addition, more advanced communication,
collaboration, and coordination support is necessary to support asynchronous and synchronous
cooperation among team members, situations where investigators are distributed in time and
space, as well as advanced investigation work flows.
Shared information space. Sharing of the target model among team members is the
starting point of cooperation.
Discover emergent collaboration. The discovery of emergent collaboration, would help
the coordination of resources by putting investigators analyzing similar or the same entities
in touch with each other.
Shared work flows. Sharing work flows, like sense-making work flows and custom algo-
rithms or mining work flow patterns from the previous use of intelligence information.
7.3 Summary of process model and tasks

We have developed and presented a target-centric process model for criminal network investigation.
We have also defined a list of investigation tasks based on our aggregated domain knowledge,
for each of five processes in the model (acquisition, synthesis, sense-making, dissemination, and
cooperation). The process model was developed as a response to the challenge that process poses
to criminal network investigation, but it will also be used as a framework for our development of
software tool support for criminal network investigation. Each process has a dedicated chapter
(Chapters 9 to 13) where tasks for that process are further analyzed, designs for the implementation
of each task are presented, and finally CrimeFighter support of those tasks is reviewed.
We have primarily focused on synthesis and sense-making processes as they were found to be most
central to our hypothesis and research focus requirements. Less focus has been on acquisition and
dissemination, while cooperation has received only limited attention, and will be part of our future
work. We will evaluate the process model and tasks by comparing the implemented support
in CrimeFighter Investigator against the capabilities of similar commercial tools and research
prototypes (see Section 15.3).
133
7.3. SUMMARY CHAPTER 7. PROCESS MODEL AND TASKS
134
CHAPTER 8
Concepts, models, and components for CrimeFighter Investigator
That which is over designed, too highly specific, anticipates outcome;

the anticipation of outcome guarantees, if not failure, the absence of
grace.
[William Gibson]
Perfection is reached not when there is no longer anything to add, but

when there is no longer anything to take away.
[Saint-Exupéry]
Initially, we wanted to present an elaborate analysis, design, and implementation of a domain-

independent framework for knowledge management, based on our research of and experience with
criminal network investigation and other ill-structured problems, such as software development
planning. However, we realized that it would be of much more importance and relevance to present
the basic concepts we developed for criminal network investigation and the software components
we built to support them. As Sifakis (2011) mentions in his review of computer science: “we
should study principles in building correct systems from components” [202].
In this chapter, we describe our developed conceptual and computational models (see Figure 8.1).
An overview of mathematical models (or techniques) was given in Section 5.9, and examples
of computational models for some of these techniques that CrimeFighter Investigator supports
are explained in Chapter 11 covering criminal network sense-making. We have separated struc-
tural concerns from the default mathematical models78 , since the mathematical models should be
able to process or adapt to any structural model they are faced with and not only the traditional
navigational structures. Frequently used structural models are reviewed in Section 5.1, and Crime-
Fighter Investigator designs and support using these structural models are covered in Chapter 10
on criminal network synthesis. In summary, we have, like others, weighed the trade offs between
“representations designed for human perception and use, and those designed for computer manipu-
lation” [95], and the result was an improved understanding of separated structural, mathematical,
and computational models that supports both synthesis and sense-making, separately but more
importantly combined for criminal network analysis (synthesis and sense-making), as shown in
Figure 8.1.
The remainder of this chapter is organized as follows: In Section 8.1 we describe our conceptual
criminal network investigation model and how it was developed, followed by different aspects of our
computational model in Section 8.2. Section 8.3 outlines basic concepts for information, process,
135
8.1. CONCEPTUAL MODEL CHAPTER 8. SOFTWARE COMPONENTS
Figure 8.1: Conceptual, structural, mathematical and computational models for support of in-
dividual synthesis and sense-making processes, but more importantly also for criminal network
analysis (both synthesis and sense-making).
and human factors research focus requirements, and relates these to specific software components.
Requirements for a selection of these components is given in Section 8.4 and their designs are
presented in Section 8.5. Finally, we give a short introduction to the basic concepts supported by
CrimeFighter Investigator in Section 8.6.
8.1 Conceptual model

The building blocks of criminal networks are information entities. The CrimeFighter Investigator
conceptual model (Figure 3.1) defines three such entities, namely information elements (nodes),
relations (links), and composites (groups), as shown in Figure 8.2 (and Figure 8.1). Information
elements hold information about real-world objects. Investigators basically think in terms of
people, places, things, and their relationships. For visual abstractions of the information element
we use rectangular visual symbols for simplicity, but they could have any form (circles, triangles,
etc.) to illustrate different types of real-world objects. Relations represent links of different types
and weights that can associate information entities directly. We refer to the connecting ends
of relations as endpoints. Links have two endpoints, they can be both directed and undirected,
and they have different visual abstractions (see Figure 8.2, middle). Composites are used to
organize entities in sub groups. We work with three types of composites: reference composites
are used to group entities in the common information space, inclusion composites can collapse
and expand information to let investigators work with subspaces, and relation composites, though
technically an inclusion composite for relations instead of information elements (see also Chapter
10 for analysis, design, and support of composites). The circles in Figure 8.2 indicate connection
endpoints for each entity type.
Previous research on criminal networks has to a large degree focused on making sense of nodes.
Links are seldom first class objects in the terrorism domain models with the same properties as
nodes. This is in contrast to the fact that the links between the nodes provide at least as much
relevant information about the network as the nodes themselves [79]. The nodes and links of
criminal networks are often laid out at the same level in the information space. Composites are first
136
CHAPTER 8. SOFTWARE COMPONENTS 8.1. CONCEPTUAL MODEL
Figure 8.2: Abstract conceptual model.
Figure 8.3: CrimeFighter Investigator conceptual model - software components.
class entities that add depth to the information space. Navigable structures and entities (including
composites) are useful for investigative synthesis tasks such as manipulating, re-structuring, and
grouping entities [174]. The way a criminal network breaks down into subgroups can reveal levels
and concepts of organization and help us to understand how the network is structured [155].
An information entity comprises several components. Each entity has a set of dynamic attribute(s)
(meta data). Currently three types of attributes are supported: strings (single line of text), text
areas (multiple lines of text), and enumerations (a defined set of allowed values). The visual
abstraction of an entity is computed from it’s visual content and menu button(s). The visual
content is used to create the default information elements available in CrimeFighter Investigator,
which are all composed using geometric shapes (circles, lines, rectangles and polygons). A number
of menu buttons can be added to entities to create a link to a specific functionality. The examples
shown in Figure 8.3 are the delete button (X symbol) and the attributes button (A symbol).
Below, we summarize information elements, relations, and composites we have come across in our
studies of criminal networks, investigations thereof, and tool support therefor. See Chapter 3 on
criminal network investigation, our review of theory and technology in Chapter 5, and related
work on commercial tools and research prototypes for criminal network investigation in Chapter
4. We focus on the functional and visual parts of entities that are consistently there, but might
be positioned differently in relation to other elements/parts of the entities. Figure 8.5 shows some
examples of the different kind of entities we came across in our analysis and will be used as the
basis for our design below. But first a review of and our perspective on entity layers.
8.1.1 Entity layers

As previously mentioned, the basic entities of CrimeFighter Investigator are information elements,
relations, and composites. These are placed in the information layer of the architecture for in-
stantiations of the conceptual model, as shown in Figure 8.4. Instances of information elements,
137
8.1. CONCEPTUAL MODEL CHAPTER 8. SOFTWARE COMPONENTS
Figure 8.4: CrimeFighter Investigator conceptual model entity layers.
relations, and composites can be created to serve the domain-specific information analysis tasks,
e.g. for criminal network analysis a person would be an obvious and often used information
element.
Information elements and relations are both associated with a set of entity specific attributes and
rules. Information elements are also associated with an adaptive graphical abstraction. In Figure
8.4 it is a stick man figure, but we also imagine a more detailed abstraction showing physical
characteristics of a group of people or maybe a photograph of the specific person. Relations are
associated with less adaptive graphical abstractions, only visual symbols such as color and line
thickness can be edited. Composites can be outlined, and either have a solid background of some
color, be transparent, or empty. Examples of visual abstractions can be seen in Figure 8.5.
The associative semantics of information elements, relations, and composites are embedded in
the structure layer. The structure layer is divided into two sub layers, the spatial and network
layers. The semantics of the spatial layer is based on the physical co-location of information
elements in the information analysis space. The semantics of the network layer is based on the
relations connecting information elements. The presentation layer facilitates visualization of and
the user’s interactions with the underlying layers. Interactions based on drag and drop gestures
and direct manipulation of information element and relation content are key to mimicking physical
cards-on-table information analysis.
8.1.2 Information element designs

We use the information element examples in Figure 8.5 as a point of reference. We summarize
the ideas presented below (as well as for relations and composites), when we define requirements
for the entity component in Section 8.4.1. Information elements represent different types of in-
formation about investigation entities such as persons, locations, organizations, etc. and about
138
CHAPTER 8. SOFTWARE COMPONENTS 8.1. CONCEPTUAL MODEL
Figure 8.5: Examples of entities that we have come across in our reviews and analyses.
information entities such as emails, articles, notes, reports, etc. (see Figure 8.5). A number of
default information elements should be default (i.e., some degree of domain-orientation assists the
user [91]). If a criminal network investigation team needs additional types of information elements
to better depict their case, new information elements should be easy to create and add to the
default list. Information elements must be component-based to make them dynamic and flexible.
A separation of content and human-computer interaction areas is preferred, as they have different
functional purposes. A content space contains the visual abstraction (i.e., a combination of graph-
ics and interactive areas with or without text). The menu space holds a number of menu buttons
that can access specific interactions (e.g., delete), or the content of the information element (e.g.,
attributes used for meta data). If we base the graphical abstractions of information elements are
on geometric shapes such as circles, rectangles, and triangles, it will be possible to make human
perception easier and faster, compared to more textual representations.
8.1.3 Relation designs

Again, we use the relation examples in Figure 8.5 as a point of reference. CrimeFighter Investigator
relations must capture relationships between information elements [33]. A relation can hold textual
information about the nature of the relation (e.g., “leader-of”, “lives-at”, etc.) as well as the
direction of the relation (unidirectional or bidirectional), see Figure 8.5 for examples. Relations
must be first class entities, just like information elements; this means that they will have attributes
for holding meta data, investigators can interact with relations in the same manner as information
elements, and finally, the visual semantics must be the same. If an information element linked with
a relation is deleted, the relation itself cannot be deleted; the action performed on the information
element was independent from the relation, and the relation should therefore not be affected,
except for the fact that it can no longer be connected to that information element, obviously.
If both endpoints are deleted, the relation should be movable in a fashion similar to that of
information elements and composites. Functionally for reconnecting relations to other entities
139
8.2. COMPUTATIONAL MODEL CHAPTER 8. SOFTWARE COMPONENTS
must be supported, preferably using drag and drop.
8.1.4 Composite designs

As above, we use the composite examples in Figure 8.5 as a point of reference. CrimeFighter
Investigator support of composites would be useful in terms of grouping information elements and
relations in the information space [82]. Composites must be first class entities, just like information
elements and relations. As an example, if two persons are considered to belong to either of two
groups, but it is unclear which one, overlapping composites could be used to indicate that they
are in both composites. It would be a way of representing what is known at that time in the
investigation, which is what criminal network investigators often ask themselves: what do we
know? [52]. Relation composite is another type of composite that would allow investigators to
group multiple relations between two entities (such as multiple emails or phone calls between two
persons) into a single visible entity (composite). Relation composites group relations by inclusion.
A third type of composite could be useful for support of collapsing and expanding information.
This type of composite would group all information elements by inclusion. It must be considered
what to do with relations that are internal to the composite (i.e., have both endpoints inside),
should be included or not, and whether or not external relations (one endpoint outside) are
referenced or included. This type of composite would support the concept of a subspace, allowing
the investigators to work in detail with a portion of the overall network. Ideally, a subspace would
provide the same functionality as the space.
8.2 Computational model

Associations between entities is the basic input for computations. Here, we further enhance the
computational model for criminal networks proposed in [244] to assist criminal network investi-
gators searching for specific patterns in their gathered information. We furthermore propose the
need to describe the nature of links and nodes, and thereby extend traditional social network
analysis model: “without accounting for the content of communication, social network analysis
runs into the pizza guy delivery problem: confusing regular contact with significant contact” [26].
A person A can be related to a person B in a number of ways, and any subset of these relations
can mean something within a certain context, and hence would be weighted differently according
to their importance. The complete set of relations would constitute what is known about the
relationship at that place in time.
During target-centric criminal network investigations, the investigative team adds information
pieces as they are discovered and step-by-step information structures emerge as entities are as-
sociated. We have observed that initially the information entities are placed randomly in an
information space. If a new entity is somehow associated with an entity already in the shared
information space, then it is positioned next to that entity (co-located). Later, some co-located en-
tities are directly associated using link entities, because the investigators have learned the nature of
the relationship between the entities. Depending on the level of time criticality (e.g., high security
risk), a decision has to be made at some point. When the network is fragmented and incomplete
such decision-making can be a challenging task due to the uncertainty. Sense-making algorithms
are often applied to assist investigators in making these decisions and we discuss measures of
centrality for individual network entities below.
Information entity associations form information structures and centralities are computed based
on these associations. Subsequently, associations impact the measures of centrality we want to
calculate. Criminal network investigation has to a large degree so far focused on the direct associ-
ation of nodes. Links are seldom first class objects in the terrorism domain models with the same
properties as nodes. This is in contrast to the fact that the links between the nodes provide at least
as much relevant information about the network as the nodes themselves [79]. The nodes and links
of criminal networks are often laid out at the same level in the information space when the network
140
CHAPTER 8. SOFTWARE COMPONENTS 8.2. COMPUTATIONAL MODEL
is visualized. Composites (groups) are first class entities that add depth to the information space.
For investigative purposes navigable structures and entities (including composites) are useful for
synthesis tasks such as manipulating, re-structuring, and grouping entities. Our understanding of
information links (relations) and groups (composites) is based on hypertext research [174].
CrimeFighter Investigator supports two structure algorithm types: measures (e.g., entity central-
ity), transformative algorithms (e.g., prediction of entities). Combinations of these are referred
to as custom algorithm types. Custom algorithms are templates of specific criminal network in-
vestigation work flows, e.g., understanding the secondary effects of entity removal or insertion.
All algorithms implement the report interface, where an algorithms report elements and design is
defined. Rules are used to describe entity-to-entity relations, attribute cross products etc. Each
algorithm has a set of general settings and specific settings. Specific settings includes algorithm
hooks, i.e., the entity attributes that algorithms base their computations on, and customizable
algorithm parameters.
8.2.1 Entity association design

Based on the concepts of centrality and association, we outline a topology of associations between
criminal network entities which impact the centrality of individual entities with varying degree.
Our topology is divided into direct and semantic associations (see Figure 8.6 and 8.7). Direct
associations are expressed using link entities. The link may be weak by weight (low value), by
type (rumor, acquaintance, one-visit-to, etc.), or by evidence (uncorroborated, questionable news
paper, etc.), but it is nonetheless interpreted as a direct association by sense-making algorithms
and in visualizations. Semantic associations between criminal network entities are build incre-
mentally based on the tacit knowledge of investigators and the investigation domain their target
operates within. Initially, investigators express information “via visual or textual means and later
formalize that [information] in the form of attributes, values, types, and relations” [197].
The visual symbol for direct associations is a thick solid line, and thin solid circles indicate entity
connection points in Figure 8.6 and 8.7. The visual symbol for semantic associations is a dashed
line and dashed circles indicate connection points. We realize that some of these associations
are more relevant than others, and it is exactly this relevance of alternative associations that we
are investigating in this section. In Figure 8.6a to 8.6c, we show three classic associations: the
node-link-node association is the most frequently used (8.6a), together with the less frequently
used node-link-group (8.6b) and group-link-group (8.6c) associations.
(a) node-node (b) node-group (c) group-group
(d) link-link (e) empty endpoint I (f) node-sub node (g) empty endpoint II
Figure 8.6: Direct associations in our topology includes classic associations (a-c) and novel asso-
ciations in terms of centrality measures (d-g).
141
8.2. COMPUTATIONAL MODEL CHAPTER 8. SOFTWARE COMPONENTS
(a) clique I (b) clique II (c) meta data (d) sequential
(e) group-subgroup (f) node-subnode (g) node below
Figure 8.7: Semantic associations in our topology include spatial associations (a-d) and hierarchical
associations (e-g).
Figure 8.6d to 8.6g shows four examples of direct associations that occur in criminal network
investigations, but are not included when entity centrality is computed. A link could be the
target of an investigation, e.g., Daniel Pearl was investigating whether or not there was a link
between Richard Reid (the shoe bomber) and the leader of a local radical Islamist group [162].
Other examples include knowledge about the money transfer between two individuals or that
one individual had seen them talk at the same location on numerous occasions (Figure 8.6d).
The empty endpoint is another example of a direct association that occurs in criminal network
investigations, but is not (directly) addressed by traditional centrality algorithms. The need to
include empty endpoints in centrality is straightforward: if investigators know that someone is
distributing drugs to three individuals, e.g., based on wire taps, but they don’t know who those
individuals are, then an empty endpoint can be used until it is clear. This could be the case for
both nodes and groups (see Figure 8.6e and 8.6g). Finally, direct associations between entities
outside groups to entities inside groups are needed (both for reference and inclusion composites,
see Figure 8.6f). When criminal network investigators start grouping entities, structures where
entities outside the group are linked to entities inside the group might emerge. But the relation
still has association to that entity in the subgroup.
The semantic co-location association should be used carefully by investigators. If the investigators
position entities near each other spatially because they are assumed to be related somehow, then
it will make sense to use spatially based associations. But if not, then it will simply clutter the
network with non-relevant relations. If entities are placed near each other or as overlapping entities
it could mean that they are forming a sort of clique (Figure 8.7a and 8.7b). Also, as it is the case
in the analyzed organized drug crime investigation board, position entities next to or around a
(centered) entity could mean that the information entities are meta data about the centered entity
(Figure 8.7c). Entities positioned next to each other horizontally or vertically, could mean that
the entities represent a sequence (Figure 8.7d).
Semantic hierarchical associations can occur either when composites are used or when information
entities are positioned spatially in a manner that resembles that of a hierarchy. If a group contains
single information entities and subgroups, the single entities must have some sort of relationship
to the entities in the subgroups since their overall classification is the same (Figure 8.7e). Also
it could be that a single entity is associated with a composite (group) and therefore might have
142
CHAPTER 8. SOFTWARE COMPONENTS 8.3. CONCEPTS AND COMPONENTS
some sort of relation with entities within that composite (Figure 8.7f). Finally, positioning entities
in spatial hierarchies as shown in Figure 8.7g indicates entities below other entities represent sub
entities.
The topology of associations can be seen as a wish list of requirements for what a computational
model for criminal network investigation should support in this regard. The topology is not exhaus-
tive; we expect to uncover additional associations over time. Especially new semantic associations
based on temporal distance (when individuals appear on an investigation time line together with
other individuals and events etc.), distance between entities in the real world, distance in family
ties, and so on.
8.3 Concepts and components

Based on the research focus requirements we listed in Chapter 6 for each of three criminal net-
work investigation challenges (information, process, and human factors), we propose a list of
generic knowledge management system and hypertext concepts and explain how they can support
these research focus requirements. Based on the generic knowledge management requirements,
we decompose these knowledge management system and hypertext concepts into actual software
components (see Figure 8.8). Some concepts are supported by multiple components, while others
have been directly mapped to an equivalent component.
Figure 8.8: Concepts and components from research focus requirements.
Below is a selection of the concepts in Figure 8.8, and what we mean by each one, and what
individual research focus requirements they relate to (refer to Figure 8.8 for the name of research
focus requirements). The list contains concepts mentioned when presenting the CrimeFighter
toolbox, when reviewing hypertext structures,
143
8.4. COMPONENT REQUIREMENTS CHAPTER 8. SOFTWARE COMPONENTS
1. Information A tool for criminal network investigation must encapsulate (pieces of) informa-
tion, making it available for interaction and manipulation. The information concept relates
to information #1 (emergent and fragile structures) and information #2 (integrating
information sources).
2. Structure domains To support different structuring domains and to be able to separate

the structural models from the mathematical models, the structure domains have to be well
defined. Hypertext provides us with such well defined structures. The structure domains
concepts relates to information #1 (emergent and fragile structures) and process #4
(integrating conceptual and computational models).
3. Versioning. Supporting different versions of a criminal network investigation is essential,

and the concept of versioning offers different approaches to such support. The versioning
concepts relates to information #1, #2, and #4.
4. Storage The information and knowledge generated during investigations has to be saved
for later retrieval and continued investigation. Storage is a different kind of versioning, not
having the same conceptual meanings as the versioning concept above. With a knowledge
base in place, storage becomes a matter of being able to externalize or share (parts of)
a criminal network investigation. We do not consider storage to be related to any of the
research focus requirements.
5. Interpretation The investigator interpretation of events, open questions, or other parts

of an ongoing criminal network investigation. This concepts relates particularly to human
factors #1 and human factors #4.
6. Analysis refers to either the investigator organizing the available evidence in ways to make
associations between information pieces more clear, or the use of algorithm-based tools for
semi-automated analysis. The concept of analysis primarily relates to the research focus
requirements information #3 and human factors #1, #2, and #4.
It is tempting to start drawing lines between concepts and components in Figure 8.8, but it defeats
the purpose of focusing on individual components instead of a complete framework; as long as the
component interface is clearly defined (i.e., abstracted to a suitable level), there should be so
many possible combinations of these components, that drawing lines becomes pointless. Instead,
we present each mentioned software component and the knowledge management and hypertext
system concepts these components are intended to support in a software tool for criminal network
investigation. The components are listed according to their importance and focus for our Ph.D.
project (see the next section for component requirements).
1. Entity is the basic information component, a prerequisite for support of all concepts.
2. History is a component for support of versioning.
3. The algorithm component will support analysis.
4. Datafile is a component for storage of criminal network investigations.
8.4 Component requirements

For each of the software concepts presented in Section 8.3, we define a list of component require-
ments, for each of the four components we chose to focus on in the previous section. First in
Section 8.4.1, for the most basic concept Entity we list design requirements, followed by History
(see Section 8.4.2), Algorithm (see Section 8.4.3) and Datafile (see Section 8.4.4).
144
CHAPTER 8. SOFTWARE COMPONENTS 8.4. COMPONENT REQUIREMENTS
8.4.1 Entity requirements

First, for the most basic concept, we have created information entity requirements based on analy-
sis done in this Ph.D. dissertation together with our previous work [165, 170]. These requirements
are presented below and will primarily support the research focus requirements information #1
(emerging and fragile strucure), process #3 (simple tools ease-of-use), and process #4 (human-
tool synergy), but in general the entity will be the basic supporting element of all research focus
requirements.
1. Graphical abstractions. 2D graphical composites constructed using geometric shapes

should be supported. Each geometric shape must be placed relatively to the information
element’s (0,0) position, i.e. the position of the information elements upper left corner on
the space.
Our motivation is to provide a proper but easy comprehensible visual abstraction for usage-
oriented information elements. This would provide the spatial hypertext developer with an
opportunity to setup some conceptual relationships, prior to the user getting system access.
2. Interactive abstractions. All geometric shapes (e.g., circles and polygons) should be
interactive in the sense that clicking them creates an event, on which the spatial hypertext
can act. This also covers simple textual visualizations such as rectangular labels.
This is partly due to our positive experience with a board-based approach using direct-
manipulation techniques, as opposed to the more obstructive form-based approach where all
available fields has to be edited through a pop-up dialog box. Also it supports the creation
of yet-to-be imagined visual abstractions representing information elements.
3. Editable abstractions. The visual abstractions of pre-defined usage-oriented information

elements should not be locked. They should be editable through an embedded abstraction
editor (see next requirement). And also stored in a format which would allow them to be
edited in a third party structural drawing application or used by other spatial hypertexts.
4. Typed abstractions. To support automated and meaningful (i.e., usage-related) view-

generation, all visual abstractions must allow type assignment.
5. Visual cues. Textual cues like text alignment, font, font size, number of lines of text, text
width. Graphic cues like background image, background/border color, transparency.
6. Bidirectional mappings. The framework should support a graphical approach to bi-

directional (two-way) mappings between visual representations and their underlying data
stores. We propose to embed an information element editor within spatial hypertexts, of-
fering drag-and-drop ‘entity attribute to visual abstraction’ mapping options. We propose
a drag and drop approach where a data field is grabbed and dropped onto one shape in the
drawing area. The mapping between the data field and the geometric shape is automatically
generated.
8.4.2 History requirements

The aim of the history component is to provide support beyond traditional undo-redo, and we will
list requirements that reflects this. Undo-redo can be realized using a linear history which records
criminal network investigation delta’s, and we use this as a starting point. But should also support
branched history, navigation of branched history, story telling etc. Our requirements are based
on our own criminal network investigation domain knowledge and previous work on history and
branched history [96,117,198]. A history component would support the requirements information
#4 (versioning support) and to a certain degree process #2 (loss less data abstractions) and
process #3 (make everybody stakeholders).
145
8.4. COMPONENT REQUIREMENTS CHAPTER 8. SOFTWARE COMPONENTS
1. Event. The basic entities of criminal network investigation history are events. Events must
encapsulate the investigators interaction with information in the common information space,
as well as the tools interactions with that information (see algorithm requirements in Sec-
tion 8.4.3). Examples of criminal network investigator interactions are creating, deleting,
and updating entities, and moving entities. It would be relevant to record sense-making
interactions as well: the investigator requested betweenness centrality measures, the user
made the following updates in the time line view. Such information might be relevant for fu-
ture retracing the steps. Examples of tool interactions with information includes algorithms
transforming the criminal network.
2. Type of event. There are many type of basic history events, such as create, delete, move,
update, etc. Sense-making event types might include applied measure algorithm or applied
transformative algorithm. Such basic event types are required, to know what to do, when
navigating the history event, whether it is navigation of a linear or branched history.
3. Content of event. Some network content is associated with history events. If the type is
create, then the content might be a single information element, relation, or composite. If
the event is applied transformative algorithm, the content of the event might be a network
structure of information elements, relations, and composites all together. Again, information
about the content is required for navigating history.
4. Visual symbols. The type of event and content of event would benefit from visual sym-
bols, to be able to differentiate between them. Supporting user choice of symbol would be
preferred.
5. Editable. History must be editable. A fine grained history is often required to capture all
events, but this is not suitable for dissemination to intelligence customers or fellow investi-
gators. Grouping and annotation of events is therefore required.
6. Parser. A parser that search for patterns in history, e.g., these three events where created
within seconds of each other, and we therefore assume they are part of the same synthesis
action. The history parser should ask the user to approve history editing patterns before
applying them automatically to series of history events.
7. Structure. The history should support structure domains. We imagine that taxonomic
structure will be necessary to support a branched history [96, 117]. Navigational structures
would be necessary to present jumps between events in different branches of history. This
could be used for story telling, i.e. comparison of decisions made in different branches of
investigation history.
One particular parameter to consider related, is the amount of memory required to store the history
supporting the requirements we have described above79 , i.e., a fine grained, branched history,
supporting the investigator’s interactions with information in a common information space.
8.4.3 Algorithm requirements

To ensure that algorithms do not become black box components in tools supporting criminal
network investigation, we suggest to focus on providing the users with options for interaction with
algorithms. The algorithm component requirements will primarily support the research focus
requirements human factors #1, #2, and #4, focusing on augmentation of human intellect,
transparency and ownership, and leveraging human-tool synergies.
1. Types of algorithms. During analysis we have found a need to support three basic al-
gorithm types, namely measuring algorithms, transformative algorithms, and custom algo-
rithms. The measuring algorithms simply provide different measures for (parts of) criminal
146
CHAPTER 8. SOFTWARE COMPONENTS 8.5. COMPONENT DESIGN
network structures of entities. Transformative algorithms suggest an alteration of the net-

work, either by adding or removing entities, changing attribute information, or visually
updating (some selection of) entities somehow.
2. Algorithm steps. Controlling the steps of an algorithm, requiring a separation of algorithm

into steps, where each step has inputs and outputs. Guide the user through steps once they
have been tailored, and the user have customized them.
3. Input and output. Algorithms for criminal network investigation take criminal networks
as input and outputs the same criminal network with the results of the algorithm augmented.
Algorithms must in other words be able to parse the conceptual model (i.e., traverse hierar-
chies and follow associations) prior to or during computation.
4. Customizable. Algorithms must have an interface for customization to the extent it is

possible for individual algorithms. Typically customization would involve adjusting input
and output variables, loading specific information for the algorithm etc. Visual customization
is preferred to traditional graphical user interface input fields.
5. Tailorable. Both individual algorithms and custom algorithms should be tailorable. In-
dividual algorithms, in the sense that controlling the computational steps of the algorithm
could become useful in some situations. An example could be, letting the investigator sort
shortest paths between all vertice pairs, before running the remainder of the algorithm. For
custom algorithms, comprising more than one algorithm, it must be possible to tailor in
terms of the order of algorithms, as well as what to do with the output from one algorithm,
before forwarding it to the next.
8.4.4 Datafile requirements

A datafile component will deal with mapping information to and from our conceptual model (infor-
mation elements, relations, and composites). It needs to encapsulate both the proprietary saving
and loading of criminal network investigation in CrimeFighter Investigator (serialized XML), as
well as general data formats such as comma separated values (CSV), XML, and other formats
used by other tools like social network analysis tools. The datafile component primarily supports
the research focus requirements information #2 (integrating information sources) and to some
extent information #4 (versioning support).
1. Mapping to conceptual model. A datafile component must be able to map data to the
conceptual model of a tool. In relation to criminal network investigation, this is entities
(information elements, relations, composites).
2. Import data formats. The datafile component must have an abstract interface for im-
port of various data formats. This should ensure that the tool support remains open and
extensible, in order to be able to accommodate new data formats.
3. Export data types. The datafile component must also have an abstract interface for
exporting to various data formats.
8.5 Component design

Here we present component designs of three of the four previously chosen components entity,
history and algorithm. The datafile component was found to be sufficiently described by the
component requirements in the previous section.
147
8.5. COMPONENT DESIGN CHAPTER 8. SOFTWARE COMPONENTS
8.5.1 Entity
The design of the entity component is essential as the success or failure of all other components
and hence features relies on it. The design is presented in Figure 8.9.
Figure 8.9: Entity component design includes the component’s relations to the common informa-
tion space (left), the interrelationship of basic component elements (middle), and other elements
related to the component, but not directly part of it (right).
Figure 8.9 reflects how all entities should have a fixed absolute position in the common information
space. An entity has a number of visual elements, all positioned relatively to the absolute position.
A visual abstraction is at the center. This is a symbol informing the user in an intuitive what
the contents of the entity is. It will be encouraged to build the visual abstraction using geometric
shapes such as rectangles, circles, and triangles, since that would make possible later association
of specific semantics with individual areas of the visual abstraction. However, for criminal network
investigations, it would also be useful to use a picture as visual abstraction. Our analysis showed
that simple entity actions such as delete and edit should be visual elements positioned relatively
to the entity. These sort of manipulations concerns the entity as a whole.
Direct manipulation of content (or meta data, described below) is essential to keep interaction
simple. Important meta data that are often edited for a specific entity should be available for
direct manipulation as an visual element. Finally, an element that will allow both the resizing
of an entity and provide connection points between entities is necessary. For a relation, for
example, this element would be at either end of the relation. Initially empty, since the relation is
not connected to any other entities, but then grabbing and dragging the element (endpoint) would
resize the length of the relation (just as if an information element was connected to that end of
the relation).
Furthermore, the entity component must as a minimum include the following non visual elements:
Meta data are essential, and will be formatted according to a type (text, number), name (what
is this meta data called) and finally the actual value of the meta data. Some meta data will
be static for an entity and others will be dynamic. It should be possible to add new meta data
through out the life time of the entity. Included entities (or encapsulated entities) are required
to represent hierarchical structures in investigations. These entities will be grouped or classified
according to some parameters selected by the end user and they also have an entity to represent
them at a higher level, the entity that encapsulates them. It will be necessary to denote the type
of individual entities, in order to let the developers add functionality particularly developed for
a specific type of entity, e.g., relation or composite. The set of entity types should of course be
extensible.
148
CHAPTER 8. SOFTWARE COMPONENTS 8.5. COMPONENT DESIGN
8.5.2 History
Our history component is designed with the intend to support versioning, which in turn will
provide support for important criminal network investigation tasks based on versioning. The
history component design is shown in Figure 8.10.
Figure 8.10: History component design includes the component’s relations to the common informa-
tion space (left), the interrelationship of basic component elements (middle), and other elements
related to the component, but not directly part of it (right).
A criminal network investigation event is the basic element of the history component. The event
is created by some action in the common information space, either by the user (synthesis actions)
or by the tool (on behalf of the user, an algorithm based sense-making action). An event can
be of a specific type (create, delete, move, transform, etc.) and will have some information
content. Visual abstractions for event types and content must be supported, illustrated by the
link to geometrical shapes in Figure 8.10. Finally, events are to be stored either following an
associative structure, a hierarchical structure, or a combination of these. Provided that
storage is implemented in a suitable way, an editor can interact with the stored history events, to
group events, annotate events, or interact and present the events in ways required for the specific
criminal network investigation, intelligence customers, etc.
8.5.3 Algorithm
Our algorithm component is designed with the intend to support analysis (synthesis, sense-making,
and synthesis and sense-making), which in turn will provide support for important criminal net-
work investigation tasks depending on analysis support. The algorithm component design is shown
in Figure 8.11.
An algorithm is the central algorithm component element. This might be confusing, and requires
further explanation. The terminology is used to encapsulate our intended support for single, yet
customizable and tailorable, criminal network investigation techniques (e.g., see mathematical
models in Section 5.9) and custom algorithms which might refer to a combination of multiple
techniques or one or more techniques together with one or more custom algorithms. We will
also refer to the latter as sense-making work flows. As mentioned, an algorithm is the central
element, receiving its input from the common information space (i.e., criminal network entities
or structures), and returning output to the common information space as well. An algorithm,
whether custom or a single technique, will have a number of computational steps that must be
tailorable by humans (investigators). There will also be some general settings for all algorithms
149
8.6. SUMMARY CHAPTER 8. SOFTWARE COMPONENTS
Figure 8.11: Algorithm component design includes the component’s relations to the common
information space (left), the interrelationship of basic component elements (middle), and other
elements related to the component, but not directly part of it (right).
and some specific settings for the particular instantiation of the algorithm component, which
must be customizable by investigators. Finally, all algorithms must implement a report interface
to allow for the generation of reports based on the computational steps, customizations, inputs
and outputs, etc., of algorithms. Letting the user tailor what to put in these reports using a
report editor would be preferable.
8.6 CrimeFighter Investigator concepts

To summarize our work presented in this chapter, and as an introduction to Chapters 9 to 13,
covering implemented support for criminal network investigation tasks based on the concepts and
components discussed, we describe the basic concepts supported by CrimeFighter Investigator.
CrimeFighter Investigator [169,173–176] is based on a number of concepts, adopted primarily from
knowledge management and hypertext research and systems. Figure 8.12 shows an augmented
screen shot of CrimeFighter Investigator, with the most basic and important concepts emphasized
and labeled. At the center is a shared information space. Spatial hypertext research has inspired
the features of the shared information space including the support of investigation history [174]
(emphasized in the tool bar). The view concept provides investigators with different perspectives
on the information in the space and provides alternative interaction options with information
(hierarchical view to the left (top); satellite view to the left (bottom); spatial view at the center;
algorithm output view to the right). Finally, a structural parser assists the investigators by relating
otherwise unrelated information in different ways, either based on the entities themselves or by
applying algorithms to analyze them (see the algorithm output view to the right).
In the following chapters, central CrimeFighter Investigator concepts are designed and analyzed
together with specific criminal network investigation tasks, before implementing support of these
tasks based on the concepts.
150
CHAPTER 8. SOFTWARE COMPONENTS 8.6. SUMMARY
Figure 8.12: CrimeFighter Investigator screen shot with concept overlays.
151
8.6. SUMMARY CHAPTER 8. SOFTWARE COMPONENTS
152
CHAPTER 9
Acquisition
Intelligence gathering in the twenty first century is now less about

James Bond and George Smiley than it is a Frankenstein composite
of law enforcement, spies, and forensics.
Hitz (2009) concluding on how “counter-terrorism and counter-proliferation intelligence gathering is
following a new paradigm” [113]
Some information may be available at the beginning of a criminal network investigation, but new
information tends to dribble in over time in disparate pieces. Information arrives from various
sources and should be easy to insert into the investigation tool in a manner that is transparent
to the investigator. The remainder of this chapter is organized as follows: in Section 9.1 we
will analyze the acquisition tasks outlined in Section 7.2.1 and related CrimeFighter Investigator
concepts. In Section 9.2 we present the designs we have created for those tasks and concepts.
Finally, Section 9.3 describes implementations of tasks and concepts in CrimeFighter Investigator,
using tool and feature screen shots. Not all designs are implemented, and in general it should
be noted that acquisition has received less attention, compared to synthesis and sense-making.
We started out focusing on synthesis and sense-making, and later, following an agile and iterative
approach to software development, we found a need to also focus on acquisition, to be able to
ingest information.
9.1 Analysis
Based on cases and observations of criminal network acquisition, contact with experienced end-
users from various investigation communities, examination of existing tools that support acquisi-
tion of criminal network entities and structures (see Chapter 4), and our own ideas for acquisition
support, we maintain a list of acquisition tasks. Acquisition tasks primarily support the research
focus requirements information #1 (emerging and fragile structure) and information #2 (in-
tegrating information sources).
9.1.1 CONCEPT: Storage

In order for investigations to be saved, they need to be stored somehow, preferably in a data
base like structure. And when acquiring information, either to append it to an existing criminal
153
9.1. ANALYSIS CHAPTER 9. ACQUISITION
network investigation or to start a completely new investigation. See Chapter 8 for a requirements
list (Section 8.4) for the datafile component.
9.1.2 TASK: Acquisition methods

Information arrives from various sources and should be easy to insert into the investigation tool
using methods such as import, drag-and-drop, and copy-and-paste (see Figure 9.1).
Figure 9.1: Methods for acquiring information includes import (left), drag-and-drop (middle), and
copy-and-paste (right).
Direct integration with other tools like for example CrimeFighter Explorer or Assistant would be
a fast way to import already processed data and information into CrimeFighter Investigator [245].
The research prototype POLESTAR supports direct import of text snippets using drag and drop
from web sites into the application [178]. Methods such as drag-and-drop and copy-and-paste are
especially relevant when working with open source intelligence (web sites, data bases, online news
papers, etc.), especially considering that open source intelligence have been found to provide 80%
of the value to criminal network investigations (see Section 5.8).
9.1.3 TASK: Dynamic attributes

Dynamic attributes are required to support acquisition of various data sets formatted using graph
markup language (GraphML) or comma separated values (CSV) (see also mapping attributes
below). The attributes are also relevant for synthesis, as new attributes will be added and the
names of existing ones will be changed, as new information continue to dribble in over time (see
Figure 9.2).
Figure 9.2: Dynamic attributes.
Having to match the newly acquired information (intelligence) into an existing data model (con-
ceptual model) could potentially inhibit creativity and the desire to use software tools for criminal
154
CHAPTER 9. ACQUISITION 9.2. DESIGNS
network investigation. Supporting dynamic attributes is one step on the way, but then intuitive
interaction with attributes for easier restructuring is necessary. In the Daniel Pearl investigation
we saw how there are initially only the names of individuals, but then gradually new meta data
(attributes) are added, such as telephone numbers and pictures [162]. See Section 3.5.1 for a
review of the Daniel Pearl kidnapping and murder.
9.1.4 TASK: Attribute mapping

To support dynamic attributes it is necessary to map attributes in the acquired information to
the investigation data model. For example mapping attributes to information element labels (see
Figure 9.3).
Figure 9.3: Attribute to data model mapping (left) and attribute to algorithm mapping (right).
There are many examples where the attributes of imported entities do not match the entities in
the investigation’s conceptual model. In Sageman’s 2003 al-Qaeda data set80 , there are only short-
Name and fullName attributes (see the al-Qaeda related deployment of CrimeFighter Investigator
in Section 14.3 and development of measures of performance in Section 15.4, for more information
about the data set).
9.2 Designs
In this section we present designs for some of the acquisition tasks analyzed in the previous section.

As the purpose of this task is to ensure that tools for criminal network investigation have multiple
methods for acquiring data and information, it is difficult to frame a design. What we can do is to
present designs for what should happen once the data and information has re-entered the system,
and needs to be mapped to the conceptual model, like support of dynamic attributes through
mapping of attributes. The designs of these two acquisition tasks are described below.

We design a drag-and-drop approach to editing the attributes of entities. Figure 9.4 shows our
design for visual abstractions and attribute editor. The attribute related parts has options for
adding new attributes and mapping available attributes to visual abstraction labels.
155
9.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 9. ACQUISITION
Figure 9.4: Entity visual abstractions and attribute editor - Options for editing the visual graphics
abstractions of entities, adding new attributes, mapping available attributes to visual abstraction
labels and deciding the order and positioning of menu buttons.

Our design for attribute mapping is simply to arrange all the attributes for entities in the acquired
information and then support the users mapping of these attributes to the current attributes of
entities in CrimeFighter Investigator.
9.3 CrimeFighter Investigator

Support of acquisition tasks is limited. However, to enable our development of measures of per-
formance we have implemented support of import of various file types. Also, the option of saving
investigations in the CrimeFighter Investigator format permits sharing the common information
space for collaborative purposes.

As mentioned above, we have implemented support for file import. CrimeFighter Investigator sup-
ports import of network information formatted as comma separated values (CSV files). Relations
are imported as either an adjancy matrix or a list of information element pairs (large criminal
networks).
An import dialog (see Figure 9.5) is available from the Session menu. The import feature has
options for importing either information element entities, or all three types of entities (information
elements, relations, and composites). When importing all three types of entities from one file, the
import dialog has the option of importing relations as an adjancy matrix or as a list of < id, id >
indicating from and to id ’s of the entities that each relation connects. Using lists of from and to
id ’s becomes the preferred solution, when a data set has more relations than it is the case for the
samples shown in Figure 9.5 (right). When the data are imported, the user is prompted to map
attributes of imported entities to the conceptual and computational models of the investigation
156
CHAPTER 9. ACQUISITION 9.3. CRIMEFIGHTER INVESTIGATOR
Figure 9.5: The CrimeFighter Investigator import dialog with options for importing just informa-
tion elements, or information elements, relations and composites.
(see below, Section 9.3.3)
The CrimeFighter Investigator information element editor has partial support of the design de-
scribed in Section 9.2.2. A screen shot of the current implementation of the information element
editor is shown in Figure 9.6: The drop down box at the top (A) lets the user select the entity
for editing. Possible visible settings are selecting which visual abstraction is to be shown when
creating new entities of the given type (B). Four categories have been created; maybe when there
are not many entities in the space, it is nice to use the a large visual abstraction, because it is
more descriptive, and then when the number of entities increases it could be beneficial to sac-
rifice some description for a small visual abstraction. Two other visual abstraction types that
can be useful depending on the investigation are the circle and label abstractions. Typically, if a
single attribute has been selected to represent the entity, then these abstractions can be useful.
Information about the currently selected visual abstraction is shown in the view to the left (C).
It indicates how the entity will appear in the common information space, and the placement of
different internal components. Refer to Section 8.4.1 and 8.5.1 for a more detailed description of
the entity component. Support for editing the visual abstraction is not implemented (D), but a
design of the intended feature is shown in Figure 9.2.2 (acquisition design, Section 9.2.2). At the
bottom the entity’s current attributes are shown in a table (E) and the input fields for adding new
attributes are just below the table (F). Attributes are deleted by deleting them from the table,
which is of course a cumbersome way to do it, and also not according to the intended design.
157
Figure 9.6: CrimeFighter Investigator information element editor - options for adding new at-
tributes and deleting existing ones, as well as selecting between pre-defined visual abstractions for
entities.

We have implemented support of the attribute mapping task for data file import and sense-making
work flows (see Section 11.3). Here we focus attribute mapping for import. When importing
criminal network information into investigations, it is necessary to map all network dependent
variables of the existing data model to attributes of the imported entities. Figure 9.7 shows the
entity attributes for a data set containing person information elements. The visual abstraction of
person information elements has a label that links to one specific attribute and is displayed below
the graphical abstraction. When importing data, the user is requested to select the attribute to
link to that label by dragging the desired attribute to the label reference area.
158
CHAPTER 9. ACQUISITION 9.3. CRIMEFIGHTER INVESTIGATOR
Figure 9.7: (semi mock-up) Mapping information attribute to data person information element
label.
159
160
CHAPTER 10
Synthesis
By gathering the myriad of information that is available I hoped to

each a portrait of that which is unknown, the way negative space can
define an object.
Bernard-Henry Lévy in [128].
Criminal network investigators move pieces of information around, they stop to look for patterns
that can help them relate the information pieces, they add new pieces of information and itera-
tion after iteration the information becomes increasingly structured and valuable. Synthesizing
emerging and evolving information structures is a creative and cognitive process best performed
by humans. The nature of modeling something as complex and diverse as crime is an ongoing and
potentially open-ended process that demands for an interactive modeling approach [30]. What
complicates everything is that the picture constantly changes. With every interaction, people
change, group dynamics change, and social dynamics change [28]. If we are to think seriously
about this sort of complexity, and reason effectively about it, some sort of simplified map of
reality, some theory, concept, model, paradigm, is necessary [102]. The CrimeFighter Investiga-
tor approach to synthesis is based on three first class entities, which, combined with hypertext
structure domains (see Section 5.1) are used to support a set of synthesis tasks.
Criminal network investigators working in teams merge and organize pieces of information from
different sources in order to reason about them and support their decision making process. The
structure of the relationships between these pieces of information is fragile by nature, since new
information may change it substantially. Besides supporting the emergent nature of incoming
information, such structures should also be an appropriate medium for communicating with others
(see our introduction to dissemination in Chapter 12). Their presentation should foster awareness
and permit notification services that inform the investigator about potential unseen and non
obvious connections beyond the borders of individual information sources [20] (the synthesized
information should support sense-making, see Chapter 11).
The remainder of this chapter is organized as follows: analysis (Section 10.1) and design (Section
10.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 10.3) is
explained below.
161
10.1. ANALYSIS CHAPTER 10. SYNTHESIS
10.1 Analysis
Based on cases and observations of criminal network synthesis, contact with experienced end-users
from various investigation communities, examination of existing tools for synthesis of criminal net-
works, and our own ideas for synthesis support, we maintain a list of synthesis tasks. Synthesis
tasks assist criminal network investigators in enhancing the target model. The concepts of per-
spectives and versioning and their related component view and history support synthesis tasks
and are therefore analyzed first, followed by the synthesis tasks. Our analysis of synthesis tasks
is primarily based on criminal network investigation cases where simple physical tools (human
factors #3) are used such as the whiteboard in the Daniel Pearl investigations, and the boards
used in many investigations with paper based evidence, such as paper clippings, Polaroids, and
text cards etc. together with related work tools or prototypes who support the synthesis task in
a manner addressing our research focus requirements.
10.1.1 CONCEPT: View

The view concept plays an important role for synthesis, in terms of providing more perspectives
on the synthesized criminal network information. As long as the entities are laid out at the same
level in the common information space (spatial view ), then no other views are required. However,
once groups are being added, entities associated to groups by inclusion, and the groups are then
collapsed, it becomes important with for example a hierarchical view (taxonomic view ) of the
information since it is now being organized into hierarchies.
Taxonomic view
A taxonomic view for criminal network investigation has two main objectives. First of all, the
taxonomic view must visualize the created hierarchical structure as synthesized by the user using
composites with reference relations to information elements, or traditional sub-spaces attached
to single information elements accessed using expand and collapse functionality. Secondly, a
taxonomic view must support manipulation of the existing hierarchical structure, allowing for the
user to move information elements between composites, i.e. the spaces and sub-spaces that the
composites represent.
10.1.2 CONCEPT: History

The recording of synthesis tasks is essential for later sense-making (see Chapter 11 and dissemi-
nation (see Chapter 12). Navigable history (inspired by the feature in VKB [96,117]), can provide
a new time dimension for an investigation, that of its construction. Investigators can navigate
through the history, perceiving the constructive events of the space, by moving between current
and prior states. Navigable history supports learning and interpreting investigators work practices,
recognizing patterns of activity in the space, and disambiguating specific actions and content. Fur-
thermore, it allows the criminal network investigation team to review the path or progress of their
investigation or to reclaim information that previously had been deemed irrelevant or deleted, but
then found to have greater significance due to new incoming information.
10.1.3 TASK: Create, delete, and edit entities

Here we focus on the abstraction over these three entities, the entity. Investigators basically think
in terms of people, places, things, and their relationships. All these different types of information
can be encapsulated by criminal network investigation entities, which can be created in a number
of different ways as shown in Figure 10.1.
162
CHAPTER 10. SYNTHESIS 10.1. ANALYSIS
Figure 10.1: Creating entities can be done in multiple ways: information entities are created using
dragging gestures in the tool, drag-and-drop from other applications, clicks, import (all left), links
based on entity selection (middle), or grouping (right).
Creating entities can be done in multiple ways: information entities are created using dragging
gestures, drag-and-drop from other applications, clicks, or import of information from files. Linking
entities could happen using a dragging gesture, or selecting the two entities that are going to linked
and then activating linking functionality. Creating groups can be done by collapsing information
or using visual symbols (see Section 10.1.6 for analysis of grouping). Creating entities in the space
using a drag gesture or a click requires the user to first select the entity to create (if not already
selected), while drag and drop from another application would create the entity immediately, at
least with some initial entity encapsulation.
In the Daniel Pearl investigation new information pieces (entities) are added to a whiteboard by
drawing on it (see Section 3.5.1, resembling a dragging gesture. Police detectives often use boards
on which they pin evidence, typically written or printed on paper (see Section 3.5.4). In that case
new information pieces are created away from the board, resembling a drag-and-drop gesture from
somewhere else or a simple import of a few entities.
Figure 10.2: Delete entities - .
In the Daniel Pearl investigation, entities are deleted from the board by wiping (gesture) and in
the board-based police investigations pieces of paper with evidence are simply removed from the
board and thrown to the trash can (drag-and-drop).
There are typically two ways to editing entities, either in terms of using a form-based approach
such as a object inspector, listing the attributes and other adjustable meta data of the entity in
a tabular way, or alternative some meta data might be editable through direct manipulation in
the common information space. On a white board, like in the Daniel Pearl investigation, person
names are easily updated, a telephone number added, or a picture used as visual abstraction, in
a direct manipulation fashion.
163
10.1. ANALYSIS CHAPTER 10. SYNTHESIS
10.1.4 TASK: Create, delete, and edit associations

The impact of association analysis on investigative tasks is crucial to the creation of the target
model. Descriptive relations between entities helps discover similarities and ultimately solve inves-
tigation cases. Associations between entities can be created, deleted, and edited using for example
the link entity, visual symbols, co-location or based on the value of specific attributes (see Figure
10.3).
Figure 10.3: Associations between entities can be created, deleted, and edited using links, visual
symbols, co-location or attribute similarities.
Using spatial hypertext technology for information analysis, one can define relationships between
information elements, simply through the proximity and location of information elements. But
since relations within terrorist networks are much more complex than the simple indication of
belonging to a certain group, these relations must be weighted to match that complexity appropri-
ately. We suggest that providing a structured language to describe the inner complexity of these
weights, a language that is interpretable by both humans and computer algorithms.
There is a need to describe the nature of links and nodes, since “Without accounting for the
content of communication, social network analysis runs into the “pizza guy delivery problem”:
confusing regular contact with significant contact” [26]. A person A can be related to a person
B in a number of ways, and any subset of these relations can mean something within a certain
context, and hence would be weighted differently according to their importance. The complete set
of relations would constitute what is known about the relationship at that place in time.
10.1.5 TASK: Restructuring

During an investigation, information structures are typically emerging and evolving, requiring
continuous re-structuring of entities and their relations. Besides creating and deleting entities,
restructuring involves tasks such as move entity, reconnect link, merge entities, and group entities,
etc. (see Figure 10.4).
Figure 10.4: Restructuring involves synthesis actions such as move entity, reconnect link, merge
entities, and group entities.
164
CHAPTER 10. SYNTHESIS 10.1. ANALYSIS
Restructuring of information structures happens during all criminal network investigations, except
maybe for the simplest of cases (e.g., the homicide dunkers described by Simon (1991) [204]).
10.1.6 TASK: Grouping

Investigators often group entities using symbols like color and co-location (weak), or they use
labeled boxes (strong). Groupings can be used to highlight and emphasize particular entities and
their relations (see Figure 10.5 and also Section 10.1.4 that analyzes associations).
Figure 10.5: Entities are often grouped either semantically by reference (left), or hierarchically by
inclusion of either nodes (middle) or links (right).
Often reference grouping is used, when the affiliations of entities with a certain group is not certain.
Then later when (maybe) more evidence backs up the grouping, the entities (nodes and/or links)
are grouped by inclusion.
10.1.7 TASK: Collapsing and expanding

Collapsing and expanding information is essential since the space available for manipulating infor-
mation is limited physically, perceptually, and cognitively. Zooming is a way to visually collapse
or expand information in the space; however, depending on the zooming degree, it facilitates
information overview at the expense of information clarity.
For collapsed information it is necessary to consider what the abstraction should be. Maybe it
makes to represent with graphical abstraction indicating that the underlying entities are all related
to a specific group, a company, or a meeting. Alternatively, it just be label or some of the other
abstractions for information entities that we discussed in Chapter 8. Another requirement would
be to support an intelligent expansion of collapsed information in the space. Other entities might
have been added to the space that the collapsed information was located in before, and more
entities have been added to the new sub space that the collapsed entities are synthesized within,
meaning that they will take up more space once they are expanded.
Typically collapsing information is used if a set of information entities becomes of second priority,
because of new leads, or if the set of entities can be abstracted to a single entity, which makes
mores sense, but the investigators would still like to keep the information that the abstraction was
based on in the investigation. On a white board it is impossible to collapse information without
loosing it; only the entity abstracted from the collapsed information remains. On a board that
information is pinned to, multiple pieces of paper could be pinned together, only the piece of paper
at the top being visible. The same would be the case with arranging documents on a table, where
they can be stacked according to some classification (see Atzenbeck (2006) [18]).
165
10.2. DESIGNS CHAPTER 10. SYNTHESIS
10.1.8 TASK: Information types

Multimedia support is helpful when investigators want to add known positions of persons to a
map or link persons to different segments within an audio file. This would support for example
more intuitive storytelling. Information types includes text, maps, images, audio, and video (see
Figure 10.6.
Figure 10.6: Information types includes text, maps, images, audio, and video.
When previous Secretary of State Colin Powell presented the United States case on Saddam
Hussein’s alleged weapons of mass destruction to the United Nations in 2003 the evidence in-
cluded intercepted phone calls, augmented satellite photos, 3D sketches, etc. Tools and research
prototypes reviewed in Chapter 4 supports many different kinds information, e.g., Mindmeister,
an investigative journalism tool that supports embedding pictures and video in mind maps (see
Section 4.3.2).
10.2 Designs
We present our designs of key synthesis concepts and tasks. The designs that have not been
implemented support for are considered important areas of future work.

A tool for criminal network investigation requires two types of support for hierarchical structuring:
creating groups in the same space and hierarchies using sub spaces. Example is given in Figure
10.7. Sub spaces are expanded or collapsed into the shared information space.

A design of history support is presented in Chapter 8 on concepts, models, and components for
criminal network investigation.

We do not discuss the actual design of individual entities here, elaborate designs of the information
element, relation and composite entities are given in Section 8.1. We focus on how those designs
can be utilized to create, delete, and edit entities. Later we will demonstrate how these designs
have been implemented in CrimeFighter investigator.
In general, we want entities to be created using a drag gesture, this way the user can create an
entity and position it in the space, in the same way. The dragging gesture can then also be used
166
CHAPTER 10. SYNTHESIS 10.3. CRIMEFIGHTER INVESTIGATOR
Figure 10.7: Hierarchical structuring types.
to decide the size of the relation and composite entities. For editing, we want to support direct
manipulation of often accessed meta data, alternatively editing using a form which is accessed by
a menu icon attached to the entity positioned at its outline. Deletion should be possible using
direct manipulation, i.e. direct interaction with therefore designated areas.

In this section, we present our implemented tool support for criminal network investigation syn-
thesis tasks, which we analyzed in Section 10.1 and created designs for in Section 10.2.

View is a well-known concept for providing different perspectives on information.
Taxonomic view
The taxonomic view (left hand in Figure 8.12) provides a hierarchical overview of the organization
of entities. The tree root reflects the name of the investigation, nodes in the tree are composites
and leafs in the tree are information elements. The taxonomic view and the spatial view are
synchronized in the sense that changes made in one view are instantly reflected in the other view.
There are no limitations to the number of nested hierarchies. The two views are separated by
a divider that can be moved left or right to expand/minimize the views depending on the users’
preference. Icons reflecting their space equivalents are used to make it easier for the investigators
to recognize the entities from the space in the taxonomic view. It is still the same information,
although offering a different perspective. A spatial parser algorithm is used to parse the entities
in the space and then create the structure shown in the taxonomic view.
An example of reference composite support is shown in Figure 10.9. In Figure 10.9a, Mr. X is
part of both Composite 1 (C1) and Composite 2 (C2). In Figure 10.9b, C2 is moved away and
now Mr. X is no longer part of C2, and this change is reflected in the taxonomic view to the left.

The user interface of the navigable history feature is embedded in the tool bar (see Figure 8.12).
It records everything that happens in the space. It has back and forth buttons for navigating
the recorded events, and the current event displayed in the space is visualized using a slider as
well as a label showing both the current event and the total number of events (e.g., 48/48). The
167
10.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 10. SYNTHESIS
(a) Reference composite example - non-overlapping reference composites.
Figure 10.8: Screen shot (b) Reference composite example - non-overlapping reference composites.
of taxonomic view from the
Daniel Pearl investigation. Figure 10.9: History trees and navigation view.
history feature records all the interactions that investigators have with entities in the space as
events, e.g., “create information element”, “resize composite”, “move information element”, and
so on. Each event is given a time stamp and added to the sequential history. If the history bar is
not positioned at the end of the history when an investigator causes an event, the investigator is
prompted whether or not to delete all events after the current event, or canceling whatever action
that caused the event to happen.

Creating, editing and deleting entities is done using well-known interaction metaphors. Infor-
mation elements are created using a simple mouse drag gesture within the investigation space.
Once created, delete and edit functionalities are available from a menu attached to the information
element as shown in Figure 8.12. Connected relations are created by selection of two information
elements (using the ctrl-button). Subsequently, the direction and the label of the relation can
be edited by clicking the relation label. Relations are, like information elements, deleted using
a menu button positioned relatively to the relation label. Composites are created, edited and
deleted in the same way as information elements. They have an interactive label and the color of
the composite can be set before and after its creation (Figure 8.12, top).
10.3.4 TASK: Restructuring

Restructuring is supported by the concept that all entities are first class. When an information
element with several relations is deleted, the relation endpoints are considered empty and can be
moved freely in the space and the investigator can connect them to other entities if desired using a
drag and drop gesture. The hierarchical view (Figure 8.12, left) is used for classification by moving
168
CHAPTER 10. SYNTHESIS 10.3. CRIMEFIGHTER INVESTIGATOR
information elements in the hierarchically displayed structure (see example in Figure 10.10).
Figure 10.10: An example of supported restructuring where a relation is reconnected to a new

information element, after the previous one was deleted.
10.3.5 TASK: Grouping

Different types of composites can be used to group information. The inclusion composite is one
example, and CrimeFighter Investigator support of another was discussed in an example using a
reference composite (Section 10.3.1). The relation composite allows investigators to group multiple
relations between two entities (such as multiple emails or phone calls between two persons) into a
single visible entity (composite). Relation composites group relations by inclusion. Another type
of composite supports collapsing and expanding.
169
10.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 10. SYNTHESIS
170
CHAPTER 11
Sense-making
Analysis is the key to successful use of information; it transforms

raw data into intelligence. Without the ability to perform effective
and useful analysis, the intelligence process is reduced to a simple
storage and retrieval system for effectively unrelated data.
Intelligence analysts training manual of the metropolitan police (Scotland Yard, London)
After all, no one has yet linked failure of intelligence to the fact that
the opponent had better equations.
Wirtz (2006) in his review [251] of Robert M. Clark’s book intelligence analysis: a target-centric
approach [40]
Criminal network sense-making is tightly coupled with criminal network synthesis as described in
the previous chapter; synthesis and sense-making are core analysis tasks. Synthesizing emerging
and evolving information structures is a creative and cognitive process best performed by hu-
mans. Making sense of synthesized information structures (i.e., searching for patterns) is a more
logic-based process where computers outperform humans as information volume and complex-
ity increases. CrimeFighter Investigator supports sense-making tasks through the application of
advanced software technologies such as hypertext, semantic web, well-known human-computer in-
teraction metaphors, and a tailorable computational model rooted in a conceptual model defining
first class entities that enable separation of structural and mathematical models (see Chapter 8).
Therefore, our modeling approach must embrace frequent customization and extension through
robustness and scalability of the underlying mathematical framework [30]. At the beginning of
an investigation it is not clear what sense-making approach will be required to understand and
reason about a certain criminal network. Sometimes more than one measure has to be calculated
for the criminal network or maybe some measures are used as input for an algorithm providing yet
another measure. It is impossible to know beforehand what information attributes (meta data)
will be the deciding factors for a criminal network investigation. First of all, information attributes
are emerging over time, just like the information entities. Second, investigators have to decide
if they will try to predict missing information entities in the network based on for example an
individual’s record of supplying weapons or a measure of each individual’s centrality in a criminal
network.
Taking a computational approach to criminal network sense-making, claiming that investigators
will benefit from the information provided, raises concerns about user acceptance of this com-
171
11.1. ANALYSIS CHAPTER 11. SENSE-MAKING
puted information81 . Experienced investigators with the skills to manually derive the computed
information (given more time) might question how exactly the information has been automati-
cally computed and they might be inclined not to trust this computed information enough to base
their decisions on it [193]. For computational sense-making to be effective, decision makers must
consider the information provided by such systems to be trustworthy, reliable [144], and credible.
The calculations are not the hard part; the challenge is to find a good way to use the data and
understand them. This is very well described by the following story by Stoll (1995) [217]:
Computer security expert Clifford Stoll spent a year studying at a Chinese observatory
with Professor Li Fang. Li studied star observations and used a Fourier transform, the
standard tool of astronomers everywhere, to hunt for periodic motions. Li, however, did
the Fourier transform completely by hand! Stoll decided to show Li how his new Hewlett
Packard HP-85 could be used to calculate some 50 coefficients for the polar wandering
in under a minute. The task had taken Professor Li 5 months. When presented to the
computer’s results, Li smiled and said: “When I compare the computer’s results to my
own, I see that an error has crept in. I suspect it is from the computers assumption
that our data is perfectly sampled throughout history. Such is not the case and it may
be that we need to analyze the data in a slightly different manner”. Stoll realized that Li
had not spent 5 months doing rote mechanical calculations. Instead, he had developed a
complex method for analyzing the data that took into account the accuracy of different
observers and ambiguities in the historical record.
Simply by turning to the computer when confronted with a problem, we limit our ability to
understand other solutions. The tendency to ignore such limitations undermines the ability of
non-experts to trust computing techniques and applications [193] and experienced investigators
would be reluctant to adopt them.
In this chapter, we focus on criminal network sense-making and how tailoring can leverage trans-
parency and ownership, increasing trust in information provided by sense-making algorithms.
CrimeFighter Investigator [169, 173, 174] is based on a number of sense-making related concepts
(see Figure 11.1). At the center is a shared information space. Spatial hypertext research has
inspired the features of the shared information space including the support of investigation his-
tory [174]. The view concept provides investigators with different perspectives on the information
in the space and provides alternative interaction options with information (hierarchical view to
the left (top); satellite view to the left (bottom); spatial view at the center; algorithm output view
to the right). Finally, a structural parser assists the investigators by relating otherwise unrelated
information in different ways, either based on the entities themselves or by applying algorithms to
analyze them (see the algorithm output view to the right). In the following, central CrimeFighter
Investigator sense-making concepts and tasks are presented.
11.1 Analysis
Based on cases and observations of criminal network sense-making, contact with experienced end-
users from various investigation communities (intelligence, police, and journalism), examination
of existing process models and existing tools for making sense of criminal networks (e.g., [7,20, 21,
25, 35, 40, 53, 59, 110, 116, 128, 152, 162, 212, 244]), and our own ideas for sense-making support, we
maintain a list of sense-making tasks. The list of tasks can be seen as a wish list of requirements
which the sense-making part of a tool for criminal network investigation should support; the list
serves as the basis for our tool development efforts. The list is not exhaustive; we expect to uncover
additional sense-making requirements over time. We provide examples for each sense-making task
to emphasize the many different applications. Sense-making tasks assist investigators in extracting
useful information from the synthesized target model [175].
172
CHAPTER 11. SENSE-MAKING 11.1. ANALYSIS
Figure 11.1: CrimeFighter Investigator screen shot with sense-making overlays.
11.1.1 CONCEPT: Algorithm

The algorithm plays an important role for criminal network sense-making. At the same time,
supporting algorithms for sense-making is a great challenge, which our analysis in the beginning
of this chapter emphasized: an algorithms computational approach to analysis is a rather rigid
contraption, taking an input and producing an output, representing a sort of black box magic
to the inexperienced investigator. But criminal network investigation is an open ended creative
process requiring different sense-making for different investigations. The tailoring of algorithms
would be a way to bridge the rigidness and black box feeling of algorithms with the cognitive
sense-making tasks that criminal network investigators perform. We define three distinct types
of algorithms: structural measure algorithms, structural transformation algorithms, and custom-
made algorithms (often a mix of the two other types, see Figure 11.2).
Figure 11.2: Algorithm types for sense-making, includes measure algorithms providing metrics for
entities such as links and nodes (left); transformation algorithms alter the structure of criminal
networks by either adding or removing entities (middle); custom-made algorithms encapsulate
multiple measure and transformation algorithms (right).
Measure algorithms provide metrics for entities such as links and nodes, and examples includes
centrality measures from social network analysis [155, 195, 240] and link importance from terrorist
network analysis [80, 245]. Transformation algorithms alter the structure of criminal networks by
173
either adding or removing entities. Prediction techniques [183, 184] transform criminal networks
by predicting missing links or covert structure (nodes and links). Finally, custom-made algorithms
encapsulate multiple measure and transformation algorithms to represent tailored algorithms for
more complex sense-making tasks, such as node removal in criminal networks [169] (see analysis
of sense-making work flows below).
Sense-making work flows
We outline the typical work flow of applying algorithm-based sense-making to a criminal network
as described below. The steps are at the same time the requirements for software support of such
work flows:
1. Work flow input. The input for a sense-making work flow is a criminal network of entities
(information elements, relations, and composites) forming structures through associations.
2. Need for sense-making. (e.g., [168,169,175]) The investigator wants to ask some question
about the criminal network, such as ‘what if’ questions or questions related to a network
measure, i.e. ‘measure’ questions. An example of a ‘what if’ question could be: What will
happen if we remove these two nodes from the network? Followup questions could be are any
new relations between remaining nodes forming? or are other information elements going
to take the place of the removed ones? Questions related to measures could be: who control
communication in this network? or what individuals in the network are connecting to the
key individuals in the network?. The purpose of such questions is typically to determine
weak points in a network, where infiltration would be feasible.
3. Tailoring desired sense-making work flow. Tailoring a desired work flow for a specific
sense-making task has many steps: (a) involves selecting what algorithms to run to match
the desired questions. (b) When running multiple algorithms in a work flow it should be
possible to decide the order they run if sequential. If the algorithms on the other hand are
set to run parallel then order does not matter. (c) Customizing each individual algorithm
according to visual symbols, associations, reports, etc. (d) Deciding the input and output
of each individual algorithm. The output of the final algorithm will be the output of the
sense-making work flow.
4. Run the sense-making work flow Starting the sense-making work flow must also be a
user controlled process. If the work flow produces one or several network measures as output,
the measure can be computed on every event that occurs in the common information space.
But the system should also consider another type of algorithm, which changes the structure
of entities (editing, adding, or removing).
5. Results. Deciding what to do with the results, should they be discarded from or appended
to the investigation. Typically a lot of sense-making synthesis are required to reach a cer-
tain point of clarity. The importance of keeping a record (history) of such discard and
append actions (events) is illustrated by investigators often needing to retrace the steps of
investigations to see if something was missed [128, 162, 204].
6. Retrieve a report. If interesting results are yielded, the end user can decide to retrieve a
report with the information, analysis, and results aggregated.
7. Save sense-making work flow. Finally, the user could want to save a work flow, if it
might be useful for future investigations, or if it is to be shared with other investigators.
The application of standardized sense-making algorithms (such as measures of centrality) and

custom-made algorithms (e.g., node removal), requires a great deal of abstraction and interpreta-
tion by the user. When an algorithm anticipates certain information element and relation types, it
will be up to the user to map the results back into the domain of their criminal network. If, on the
174
other hand, the user can tailor the algorithm to the available data and customize the generation of
a specific output structure for results, then the user is controlling the algorithm, and the algorithm
is merely assisting the investigator, functioning as a tool. The algorithm is not in control of the
sense-making work flow, forcing the investigator to do additional conversions of the output to be
useful for an intended analysis.
11.1.2 CONCEPT: Structural parser

A separate tool is required to tailor and customize the three algorithm types (and their many
instantiations) discussed above and control the creation and execution of sense-making work flows
according to investigator’s intended application. The structural parser is such a tool. The parser
is a concept we have adopted from hypertext, generally used for particular structure domains, i.e.,
spatial parser, taxonomic parser, etc. We have decided to use the more generic term structural,
to decouple the structural parser from knowing what structure domain the algorithms it supports
will require parsing of (see Figure 11.3).
Figure 11.3: A structural parser must be able to: tailor algorithms of different types (e.g., the
order of algorithms - see left); customize the settings and inputs for algorithms (middle); and
create new algorithms by combining the existing ones (right).
Examples of parsers responsible for specific tasks within a certain structure domain, includes
the spatial parsers in VKB [198] and ASAP [170]. The social network analysis tabbed pane in
Analyst’s Notebook [2] (see Section 4.1.1) has an ‘Options’ tab for customization, where the user
can tick off the centrality measures they want to include, together with other options such as
normalization of results and whether or not to use the directions of links [107].

History is not just an important concept for synthesis; it is equally important, if not more, for
sense-making tasks. Just like history must keep track of synthesis events, it should also keep a
record of sense-making events, such as ‘calculate centrality measure’, ‘predicted 2 new entities’,
etc. And the recorded history events themselves can be used for sense-making, e.g., retracing the
steps (see Section 11.3.4 below).
11.1.4 TASK: Retracing the steps

Criminal network investigators often retrace the steps of their investigation to see what might
have been missed and where to direct resources in the continued investigation. Walking through
an existing recorded investigation is used by new team members to understand the current status
of the investigation and for training purposes.
Homicide detectives retrace through all the evidence on their unsolved genuine mystery inves-
tigations: “It is a bastard of a case, and again Landsman asks himself: what are we missing?
175
Figure 11.4: To be able to utilize history for sense-making purposes, the history of user actions
must be recorded (left), it should be possible to navigate the history (middle), and editing the
history is essential (right).
Figure 11.5: Retracing the steps of investigations is often used when an investigation has stalled
(i.e., no new leads are generated) or for training or explanatory purposes (see Section 12.1.1 in
the chapter on dissemination).
Maneuvering through the evening traffic on Liberty Road, he runs two weeks of investigation
through his mind” [204].
11.1.5 TASK: Creating hypotheses

Generating hypotheses and competing hypotheses is a core task of investigation that involves
making claims and finding supporting and opposing evidence. Investigators often retrace the
steps of their investigation to see what might have been missed to evolve an existing hypothesis
or start a new one (see Figure 11.6).
Figure 11.6: Creating new hypotheses using argumentation and alternatives, or retracing the steps
of existing hypotheses.
Journalist Daniel Pearl was kidnapped in Karachi in early 2002 and the criminal network in-
vestigators followed the hypothesis that the leader of a radical islamist group, Shaikh Gilani,
masterminded the kidnapping, since Pearl was scheduled to meet him on the day of his disappear-
ance. One day the investigative team receives an email, profiling a shadowy character suspected
176
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh: “Omar has a particular specialty: he
kidnaps Westerners”. But the team finds nothing linking Omar to Daniel’s disappearance (be-
sides this specialty), and the current state of their hypothesis has a lot more supporting arguments
pointing towards Gilani. [128, 162, 227]
On February 5, 2003, secretary of state (Colin Powell) presented to the United Nations council the
US hypothesis on Saddam Hussein’s weapons of mass destruction program. The supporting argu-
ments were primarily based on one human intelligence source, an Iraqi defector who manufactured
a story based on open source United Nations reports and his work as a chemical engineer. [59,242]
11.1.6 TASK: Adaptive modeling

Representing the expected structure of networks for pattern and missing information entity de-
tection is a proactive sense-making task. Adaptive modeling embeds the tacit knowledge of inves-
tigators in network models for prediction and analysis (see Figure 11.7).
Figure 11.7: Extracting a model from a criminal network investigation, adapting the model to a
new situation, and then applying the model to the same or another criminal network.
Several studies have described the structural evolution of terrorist networks and cells related to al-
Qaeda and affiliated movements (AQAM), and plotting to hit targets in Europe. This structural
evolution has gone through four phases. Vidino 2011 outlines the evolution of these European
networks during the first three phases, and provides a detailed description of the fourth phase
including characteristics in terrorism related to AQAM [236] and resembling a model. Sageman
(2004) found in his work on structural patterns in “terror networks” [188] that people had joined
the jihad in small groups (called cliques, where every node is connected to every other node).
Several individuals lived together for a while and had intense discussions about the jihad. When
one of the friends were able to find a bridge to the jihad, they often went as a group to train
in Afghanistan. Nesser (2006) models the structures of jihadist terrorist cells in the UK and
Europe [154]. Nesser identified a distinct set of profiles: a typical cell includes an entrepreneur,
his protege, misfits and drifters which also explains the Sageman 2004 concepts of cliques (network
cells), bridges and hubs (the entrepreneur). The relations among cell profiles as well as meta data
characteristics for each profile (e.g., education, marital status, children, age) are described.
11.1.7 TASK: Prediction

The ability to determine the presence or absence of relationships between and groupings of people,
places, and other entity types is invaluable when investigating a case. Prediction based on differ-
ent information entities, i.e., information elements, relations, composites, and their attributes is
preferable (see Figure 11.8).
“The value of a prediction lies in the assessment of the forces that will shape future events and the
state of the target model” [40]. “Determining the pattern of links within a large social network
is often problematic due to the labor-intensive nature of the data collection and analysis process”
[183]. After Operation Crevice a list with 55 suspects linked to the case was created, but MI5
did not have enough resources for surveillance of everybody on the list. They selected (predicted)
177
Figure 11.8: Predicting missing information entities: links, structures, key players, and subgroups.
the 15 individuals they thought were a threat to national security, missing key individuals behind
the July 7th bombings [110]. The links between Operation Crevice and the July 7th bombings is
something that is still investigated by the British Home Office [167].
In an 2011 interview, Alex Strick van Linschoten [134] suggested prediction of missing links between
Afghan Taliban members based on knowledge about their andiwali1 system, “where groups tend
to gather based on prior connections. Young men from the same village could group together in
one cell; madrassas also allow young men to form ties. Some groups may have blood relations that
bring them together in a group of andiwali” [137, 166].
11.1.8 TASK: Alias detection

Network structures may contain duplicate or nearly duplicate entities. Alias detection can be
used to identify multiple overlapping representations of the same real world object. Semantic
and orthographic aliases are two types of aliases that relevant for criminal network investigation.
Semantic aliases could be intentional (using different names in different contexts) or overlapping
(two persons use the same alias in the same context). Orthographic aliases typically refers to
different spellings of the same name because the language (writing system) is different, but it
could also mean simple mis-spellings such as typos, etc. (see Figure 11.9).
Figure 11.9: Detecting semantic and orthographic aliases to analyze if two entities are in fact the
same, or if a single entity was in fact two different entities.
An extreme example is the mastermind behind the kidnapping of journalist Daniel Pearl, Omar
Saeed Sheikh, who used up to 17 aliases [128]: “You run up against the eternal problem of any
investigation into Islamist groups or al-Qaeda in particular: the extreme difficulty of identifying,
just identifying, these masters of disguise, one of whose techniques is to multiply names, false
identities, and faces”. Khalid Sheikh Muhammad used more than two dozen aliases [146]. In
the UK investigation of whether or not the July 7th bombings in London 2005 could have been
prevented based on information from the prior Operation Crevice, MI5 had come across different
variations of the name “S. KHAN” (the name of the plot ringleader, Mohammed Siddique Khan).
They consequently believed the name could have been an alias “due to a combination of both the
multiple spellings and lack of traces on databases” [110]. Aliases are inherently also a problem
when analyzing on line violent radical milieu’s: “the Internet allows for the virtual construction
1 “Andiwal” is the Pashto (Afghani language) word for “friend”.
178
and projection of personalities that may or may not be accurate reflections of the physical lives
controlling those avatars” [29].
11.1.9 TASK: Exploring perspectives

To reduce the cognitive biases associated with a particular mind set, the exploration of different
perspectives (views) of the information is a key criminal network investigation task (see Figure
11.10).
Figure 11.10: Alternatives to the often used navigational (link) perspective are the spatial, taxo-
nomic, time line, map, and audio perspectives.
During the Daniel Pearl investigation a chronology of events (time line) is created simultaneously
with the criminal network (link chart) of involved individuals who were potentially linked to the
crime [162]. A time line perspective could also be used for temporal organization of previous
investigations, e.g. terrorism plots in the European Union [236] (see also Figure 14.10).
When Colin Powell presented United States’ hypothesis on Saddam Hussein’s weapons of mass
destruction program, he used both augmented satellite photos (images/maps) and recordings of
intercepted phone calls (audio) with subtitles [238, 257].
11.1.10 TASK: Decision-making

During an investigation, decisions have to be made such as selecting among competing hypotheses.
Auto-generated reports and storytelling can also be used for higher-level decision-making (see
Figure 11.11).
Figure 11.11: Decision-making is typically done by selecting arguments and alternatives, or it is

based on reports and storytelling.
As mentioned, a list with 55 individuals was created after Operation Crevice, and it had to be
decided how to focus limited resources [110, 252]. In the case of CIA’s investigation into possible
weapons of mass destruction in Iraq, the CIA based their decision on uncorroborated evidence
(arguments) [59, 242]. The team investigating the kidnapping of Daniel Pearl decides to focus
resources on the alleged mastermind Sheikh Gilani, the man who Pearl was scheduled to interview
on the day of his disappearance [128, 162, 227].
179
11.1.11 TASK: Social network analysis

Social network analysis measures such as degree, betweenness, closeness, and eigenvector can
provide important criminal network insights (see Figure 11.12). These and similar measures are
often used as input for other more advanced and specialized sense-making algorithms, either
producing new measures or transforming the network.
Figure 11.12: Degree, betweenness, closeness, and eigenvector measures of centrality.
Slate reporter Chris Wilson has described how the US military used social network analysis to
capture Saddam Hussein [250]: “In Tikrit, players were captured, killed, and replaced at a low
enough rate that the network was able to cohere. The churn rate is likely much higher in an
extremist group like al-Qaeda”. In one assessment of destabilization tactics for dynamic covert
criminal networks, it is pointed out that in standard social network analysis node changes are the
standard approach to network destabilization [35].
“MI5 [. . . ] decided not to continue surveillance of Khan and Tanweer because the quantity of
Khan and Tanweer’s links to the fertilizer bomb plotters targeted in Operation Crevice were less
than 0.1 percent of the total links. Their argument failed to take into account the betweenness
centrality of Khyam. Betweenness centrality refers to relationships where one individual provides
the most direct connection between two or more groups. These individuals bridge networks, or
subnetworks. In the case of Khan and Tanweer, Khyam was likely serving a liaison role rather
than a broker role, meaning his betweenness was not likely critical to their plot but was indicative
of Khan and Tanweer’s intelligence value” [111].
11.1.12 TASK: Terrorist network analysis

Sense-making measures specifically developed for terrorist networks such as level of secrecy (covert-
ness) and efficiency can provide more focused insights due to their domain focus. Terrorist network
measures are used to understand and subsequently destabilize networks (e.g., to reduce the flow
of information through the network or to diminish the network’s ability to reach consensus as
a decision-making body) or to search for specific entities or patterns in the network (e.g., key
players). Examples are shown in Figure 11.13.
Figure 11.13: Terrorist network measures includes secrecy and efficiency for measuring link impor-
tance, and detection of key players and communities (subgroups). Terrorist network destabilization
criteria are often used to determine the success or failure of such measures.
180
CHAPTER 11. SENSE-MAKING 11.2. DESIGNS
The link importance measure has been shown to offer new insights into the 9/11 and Bali bombing
terrorist networks by pointing out links that are important to the network [244]. Community
(subgroup) detection has been applied to a network of 60 criminals dealing with drugs [255] and
prediction of missing key players has been tested on the Greek terrorist network November 17 [182].
11.2 Designs
In this section, we present designs for criminal network sense-making tasks supported by Crime-
Fighter Investigator but also ideas that remained ideas, yet found useful by criminal network
investigators we have discussed them with or through investigations of our own.
11.2.1 CONCEPT: Algorithm (sense-making work flows)

Custom-made algorithm design is exemplified by the design of our node removal algorithm below,
followed by designs of our sense-making work flows. Please refer to Section 11.2.6 on social network
analysis for designs of measure algorithms such as traditional and extended entity centralities.
CUSTOM-MADE ALGORITHM (NODE REMOVAL)
Based on literature reviews (e.g., [35, 36, 40, 174, 183]), feedback from intelligence analysts and our
own ideas, we propose a node removal algorithm involving the following eight steps. The two
perspectives (steps 5 and 6) are exchangeable and adaptive by adjustment of their settings:
1. Define ‘what if’ question(s), thereby focusing on specific secondary effects of node removal.
Investigators typically frame these ‘what if’ questions that they want to ask using natural
language, for example: “what network paths with a change in distance from 2 to 1 will
emerge when the node is removed”. This could point out individuals gaining direct access
to key individuals after node removal, if the investigators have prior knowledge about who
these key individuals are. The ‘what if’ questions are framed by the investigators.
2. Select nodes of interest. All nodes are not necessarily relevant for the defined ‘what if’
question(s). The investigators will decide which individuals it would make sense to include
based on their tacit knowledge and other preconceived notions or experience.
3. Select node to remove. Although the algorithm lets the investigator see the probable effect
of removing any node from the criminal network, network information such as social network
measures, predicted future states, and destabilization criteria are considered when selecting
which node to remove.
4. Remove selected node and all associated links. Removing a node with more than a few links
can be a cumbersome synthesis task to perform manually, i.e., removing the links one by
one without accidentally deleting other individuals’ links.
5. Perspective 1: predict new links. Prediction of new probable links between the remaining
individuals in the network based on for example open source information and the tacit
knowledge of the investigators. The predicted links are input data for the processing of
‘what if’ questions.
6. Perspective 2: changing degree centrality. Displaying the changing degree centrality of each
node will disclose changes in node importance to the investigator.
7. Discard or append new links. The investigator might want to follow some leads based on
the links predicted after the node removal. Or maybe some settings need to be adjusted,
and the investigator will discard the results.
181
11.2. DESIGNS CHAPTER 11. SENSE-MAKING
8. Dissemination of secondary effects. Before the algorithm results are appended or discarded,
a report which outlines the secondary effects of the node removal, listing the current setting
and how the algorithm reached its conclusions would be helpful for (easy) dissemination to
intelligence customers or other investigative team members who did not participate in the
reasoning session.
We present a node removal scenario in Section 14.2 describing how the CrimeFighter Investigator
supports the above defined algorithm steps.
SENSE-MAKING WORK FLOW
The list below outlines our design for how we believe criminal network investigators should be
able to work with algorithms, to define so-called work flows. The design of the CrimeFighter
Investigator Algorithm component is described in greater detail in Section 8.5.3. Here we describe
the design for each of the steps for creating sense-making work flows, as outlined in Section 11.1.1
(analysis):
1. Work flow input. Input is either based on a series of synthesis and sense-making iterations
or imported from a previous investigation. A design is therefore not created for this step.
2. Need for sense-making. This is a decision made by the investigator based in the current
state of the criminal network in the common information space. The need for sense-making
cannot be decided by software.
3. Run the sense-making work flow. There is a need to differentiate between transforma-
tive algorithms and measures. The created work flow(s) should be added to a list that is
available from the common information space. That is, (parts of) the network must be visi-
ble, simultaneously with the list of created sense-making work flows. We suggest to embed
a view for algorithms in the common information space.
4. Results. As described in the analysis, there is only a need for deciding what to do with
results produced by algorithms that transform the network. A pop-up should ask the user
whether or not to deal with all results at once or each individual result (i.e., each predicted
link or information element). If all results is selected, then all entities related to the trans-
formation are highlighted, to inform the user what entities precisely the decision to discard
or append those results concerns. If possible, display additional information about the re-
sults, e.g., number of information elements, relations, and composites, or perhaps the link
importance measure for all relations should be displayed. Whether the results are appended
or discarded, the action (event) should be appended to the criminal network investigation
history.
Alternatively, if individual results is selected, iterate through each result action and perform
the following for each one: highlight the entity related to the transformation, to inform
the user what precisely the decision to discard or append that entity concerns. If possible,
display additional information about the entity, e.g., what caused the entity to be predicted,
what is the centrality of the entity, or general meta data information about the entity such
as attributes or the entity’s visual abstraction. This could be displayed in a so-called object
inspector, or in the specialized sense-making view. Again, the append or discard action
(event) should be appended to the criminal network investigation history.
5. Retrieving a report. When a sense-making work flow has been executed, this should be
indicated somehow in the specialized sense-making view. It should also be indicated whether
or not the execution produced any results. If a sense-making work flow is marked as executed
and the work flow produced results, then a selection of that button should make available a
button that the user can push to extract the report (if multiple reports are available, then
the user should be given the choice between these options). The analysis and design of the
actual report generation process is described in Section 12.1.2 and Section 12.2.2.
182
6. Save sense-making work flow. Option to save the sense-making work flow must be
available through the specialized sense-making view. Another option could have been the
spatial parser, but since it is unclear at the point of customization of the algorithm, this
could potentially inhibit the creativity involved in tailoring an algorithm. The process of
saving the work flow will be controlled by a dialog, asking for various information about the
work flow. Minimally a name, but a description of the type of criminal network sense-making
that the work flow is suitable for could also be relevant.
We divide our design of the creating hypothesis task into reasoning using issue-based argumenta-
tion and reasoning by creation of alternated interpretations using structural capabilities to create
e.g., branched information structures (lines of reasoning or thinking).
TASK: Issue-based argumentation
Investigators use evidence (i.e., facts) or inferential judgments to reason about the issues they
come across in their work. Inferential judgments typically require detailed reasoning involving
several positions and even more “pro” and “con” arguments, while fact-based reasoning typically
is done by creating relations to pieces of evidence in the space. Algorithms for machine inferential
judgments exist; such functionality would be helpful for investigators.
Besides creating the link chart and a chronology of events, the Daniel Pearl investigative team also
continuously updates the thoughts and evidence about “Who kidnapped Daniel Pearl?” (i.e., who
are the master mind(s) behind the kidnapping). The most wicked problem of an investigation is
always “Who did it?” or “Who are going to do it?” - and part of that problem is the acknowledg-
ment of “Who didn’t do it.”, as a result of listing pros and cons regarding the suspects. A sketch
of the intended issue-based argumentation interface is shown in Figure 11.14.
Figure 11.14: A design sketch of our intended issue-based argumentation interface.
183

The goal of adaptive modeling is to enhance criminal network synthesis tasks with the option to
build adaptive rule-based models of re-occurring criminal network structures. We have reviewed
literature on terrorist profiling that provides arguments for focusing on the modeling of relational
and biographical profile characteristics. The entities of the models (information elements, relations,
and composites) are related to each other based on their individual attributes. This allows the
investigators to embed their skill, expertise and experience into the system, facilitating a team-
oriented criminal network investigation. We propose the following design for adaptive modeling:
1. Synthesis of models. It is necessary to build models of criminal network structures based

on profiles of persons and other information entities, who are related to each other by specific
attributes (e.g. age, home country, education, family ties, sub group, etc.).
If rules can be created based on natural language instead of mathematical models (but
still representing the same semantics), it will provide criminal network investigation teams
with a more intuitive approach to describe the world in a more detailed way than simply
using node and relation weights. Modeling profile characteristics (a): selecting profile
characteristics suitable for rule-based modeling is a complex task, although the psychological
parts of profiles are being disregarded. And not all biographical or relational characteristics
are straightforward to model using language based rules. Rule format and parameters
(b). It is important to keep the rule format simple in order to follow the natural language
strategy. Relational and biographical characteristics (c) can be modeled using natural
languages, and computational rules can be defined to encapsulate them.
2. Adaptable models. These models of criminal network structures must be adaptable to

changes in the associations between entities, or parts of existing models can be used to create
new models.
We believe that the following interaction requirements will provide investigators with a
way to embed their personal knowledge and experience into adaptive rule-based models of
criminal network structures. All stakeholders of the intelligence cycle followed by a criminal
network investigation team should be able to use these tools. Each of the following design
requirements are deducted from these paradigms, and desired functional requirements are
listed to underpin each one.
Team-orientation through adaptation is essential for criminal network investigation team,
i.e., adapting the data model of their investigation tool to match the team member’s view of
the world. Attribute adaption (a), includes editing (renaming, adding, deleting etc.) the
attributes of information elements such as persons, city, organizations and their relations.
Rule adaption (b) as the world changes or new information about profile characteristics
emerges is essential. If a set of rules are locked and cannot be altered it would prevent the
improvement and sophistication of models.
Intuitive gesture-based interactions: this applies to information analysis but also the creation
of rules between the individual attributes of information elements. Drag-and-drop features
would facilitate a more visual approach to rule building and hence aid the user. Clear and
simple graphical user interfaces combined with gesture guided interactions to access the
information on which rules are based would also be a benefit in building rules.
3. Models as input for sense-making. Profiles of individuals based only on relational and
biographical data (that is disregarding the psychological part of their profile), can be connected
together in networks representing expected cell structures (like Nesser did in [154]), and then
re-used for sense-making in other criminal network investigations.
Our design for support of computations over adaptive network structure is as follows: a
parser must be implemented to handle the processing of rules, running against the complete
network structure. The network structure analyzer and parser must be able to cooperate
184
with a parser analyzing spatial structures in order to create a combined presentation and
analysis within the criminal network investigation tool.
Rule design
Since rules are the conditional logic of adaptive models, we will focus the design in this section
on those rules. It is important to distinguish semantically between information element, relation,
and composite rules. Information element rules are used to described attributes that applies to
profiles of individual persons, locations or organizations etc. Relation rules associate information
elements, forming the criminal network structure of the model. In this section, we will discuss
some observed general characteristics of the intended CrimeFighter Investigator rules and then
give examples of both information element and relation rules.
The general rule format used for both information element and relation rules is given in Figure
11.15. Attribute name indicates which information element or relation attribute (Figure 11.16)
this rule is targeted at. Attribute type is information about the type of the attribute content,
i.e. is it an integer number, a text string or an array of text strings. The rule operators function
is to provide the conditional logic that will decide if a rule is evaluated true or false based on
the rule attribute name and the provided rule parameters if any. A criminal network investigator
must offer a number of both boolean operators (SmallerThan, BiggerThan, EqualTo etc.) and text
string operators (EqualsIgnoreCase, SubStringOf, MinimumOccurences(#) etc.). Rule parameters
is an option to add some additional parameters to be included in the rule evaluation. It could
be an integer number, text string or an array of text strings. It could also another attribute of
the information element that this rule is attached to. And finally, it could be a classification
(or taxonomy) on a certain topic as described by the criminal network investigation team or an
individual team member. As an example, if the team builds a taxonomy of militant religious
groups, it would be possible to use classes of that taxonomy as a parameter for rules.
Figure 11.15: Design of general rule characteristics.
Before giving rule examples, we would like to discuss the attributes associated with person in-
formation elements and person-to-person relations by the Investigator tool (Figure 11.16). The
list of attributes is partly based on (Gniadek 2010) [80] and partly our own experiences gained
from studying Nesser’s 2006 model (see Section 14.1.1) together with our analysis of the crimi-
nal network involved in Daniel Pearls kidnapping (see Section 3.5.1 and Section 14.1). General
attributes like ‘Source of information’, ‘Time of entering data’, ‘Source reliability’ and ‘Date of
relation creation’ etc. have been disregarded for the sake of simplicity, but are of course important
steps of the intelligence gathering process.
As described in Section 14.1.1, it was part of the profile of jihadist terrorist cell leaders in the
UK and Europe that they typically have participated in jihad in their original home country (or
Afghanistan, Pakistan, Chechnya, Bosnia). A prerequisite of participating in jihad in a country
must be to have visited that country, and it could also be useful information even though the ‘par-
ticipation in jihad’ might not show any matches. Aiming at analyzing large amounts of data, we
cannot know if a persons home country is part of the list {Af ghanistan, P akistan, Chechnya, Bosnia}
and we have to make two rules in order to be sure (shown below).
1: <HomeCountry, Text Strings, minimumOccurences(1), VisitedCountries>

2: <VisitedCountries, Text Strings, minimumOccurences(1),
185
Figure 11.16: Information element and relation attributes.
{Afghanistan, Pakistan, Chechnya, Bosnia}>
Figure 11.17 shows an example of a person-to-person relation rule, where the aim is to determine
whether or not the person on the left is older than the person on the right. The direction of
a relation plays a key role when defining relation rules, since it indicates how the comparison-
operator is applied. The algorithm parsing this rule simply takes the age of the person attached
to the left side of the relation. If one end of the relation is not connected to an information
element, (or if the information element does have the requested attribute) that specific rule should
be disregarded during analysis, but will be invoked immediately when relation endpoints become
connected again. Please note that in the example given in Figure 11.17, the rule parameters are
not used and therefore set to null.
Figure 11.17: Relation rule example.
11.2.4 TASK: Alias detection

If a person deliberately uses different names in different contexts it can be very confusing for crim-
inal network investigators because it complicates the sense-making process. Algorithms that can
detect the relations between aliases, and then indicate the probability that these two individuals
are actually the same person could solve this problem (see example shown in Figure 11.19a). If,
at the same time, the inferences made by such a detection technique is made available, it would
be a helpful decision-making tool for criminal network investigators (see Figure 11.18). The in-
vestigator should be offered the option to merge the two entities representing the individuals, the
result of which is shown in Figure 11.19b.
Levy (2003) describes how confusing it can be if two persons use the same alias, using an example
of individuals involved in Daniel Pearls kidnapping and murder (see Section 3.5.1 for more details):
“Sometimes you think you’re dealing with two men when, in reality, there are two using one name.
Asif Ramzi for example, is also the pseudonym of another terrorist, a resident of Muhammad Nagar
186
(a) An example where a person is using his real name in

one context and an alias in another.
Figure 11.18: Imagined visualization of de-

(b) A person who appeared twice in a network has been
tected aliases, either deliberate aliases (one per- merged to one entity.
son) or same alias (two persons). An indication
of the probability that the two linked individu- Figure 11.19: Example of how the detection
als are in fact the same person or two different of an alias can help reduce the complexity of
persons is also shown. criminal networks, by merging two entities.
in Karachi, who is also known as Hafiz or Chotto, Chotto being one of the pseudonyms of Mazhurul
Islam as well, the latter also known as Dhobi.” (see Figure 11.20).
Figure 11.20: It can also complicate an investigation significantly, if two persons are using the
same alias. In this case Muhammad Nagar and Mazhurul Islam both use the alias Chotto.
187
11.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 11. SENSE-MAKING
11.2.5 TASK: Exploring perspectives

The hierarchical (taxonomic) view is essential for both synthesis and sense-making, as some crim-
inal network investigations might make more sense looking at the network ordered hierarchically
(see design in the chapter on synthesis Section 10.2.1). Issue-based argumentation is designed to
exist in a separate view (see Section 11.2.2).

The classic centrality algorithms have been extended by adding some analysis prior to the exist-
ing steps, which alter the criminal network depending on entity associations added by the user.
Our implemented betweenness algorithm (described in [169]) with the extra step for the selected
centrality extension(s) works as follows:
1. Pre-analysis; In this step the algorithm analyzes whether or not the included association
types appear in the criminal network. If they do then changes are temporarily made to the
network accordingly.
2. List all entity pairs; This step creates a list of all entity pairs that exists in the network,
again based on the included associations. This means that if the direct node-group asso-
ciation is included, then all entities that are directly or indirectly (by association through
intermediary entities) associated to the group with links are added to the list of entity pairs.
3. List all shortest path(s) for each entity pair; We calculate the shortest path(s) for all
entity pairs without considering the cost-efficiency of our algorithm: we take a breadth first,
brute-force approach [207], visiting all nodes at depth d before visiting nodes at depth d +
1, removing all loops and all paths to the destination node longer than the shortest path(s)
in the set, until only the shortest path(s) remain.
4. Node occurrence; We calculate the ratio by which each node in the network appear in the
accumulated set of shortest path(s).
5. Bubble sort; The results are sorted according to the user’s choice, usually descending with
the highest centrality first.
6. Generate report; If the user requests it, a pdf report is generated for easy dissemination of
the results of the centrality measure. The user can decide what report elements to include.
Pre-analysis is the algorithm step of primary interest to the work presented here. For the di-
rect empty endpoint association, pre-analysis involves adding temporary information elements as
placeholders of empty endpoints. For the semantic co-location association, we create a temporary
relation between two entities if they are not already related and they are within the user-defined
boundaries of each other (see Figure 11.21).

In this section we present our implemented support of software tool concepts and criminal network
investigation tasks, which we analyzed in Section 11.1 and created designs for in Section 11.2.
11.3.1 CONCEPT: Algorithm

CrimeFighter Investigator supports three structure algorithm types: measures (e.g., entity cen-
trality), transformative algorithms (e.g., entity prediction), and combinations of these. Custom
algorithms are templates of specific criminal network investigation work flow, e.g., understanding
188
CHAPTER 11. SENSE-MAKING 11.3. CRIMEFIGHTER INVESTIGATOR
the secondary effects of entity removal or insertion. All algorithms implement the report interface,
where an algorithms’ report elements and design is defined. Rules are used to describe entity-to-
entity relations, attribute cross products, etc. Each algorithm has a set of general settings and
specific settings. Specific settings include algorithm hooks, i.e., the entity attributes that algorithms
base their computations on, and customizable algorithm parameters.
We refer to Section 11.3.2 (structural parser) for the descriptions of how to use different algorithms,
since it is the role of the structural parser to tailor, customize, and run sense-making algorithms.
Furthermore, Chapter 14 describes three different deployments of CrimeFighter Investigator where
a variety of the discussed algorithms are used.
11.3.2 CONCEPT: Structural parser

CrimeFighter Investigator algorithms are managed by a structural parser (Figure 11.22), where
investigators can select different algorithms to run and control the order in which they are applied,
for example either simultaneously or sequentially.
Figure 11.22 (left, top-frame) shows tabs for different algorithm types. The SNA tab covers social
network analysis measures such as degree, closeness, and betweenness [111, 240]. The terrorist
network analysis measures on the TNA tab are part of our future work, supporting integration
with the CrimeFighter Assistant [244, 245]. The default prediction algorithms include predict
covert network structure and predict missing links [183, 184]. Figure 11.22 (left, bottom-frame)
shows the algorithms selected by the investigators to run. The structural parser will indicate if
there is a potential conflict between the selected algorithms. If a prediction algorithm is selected
to run on every network event, it could create a loop (since it is transformative). Similarly, if
algorithms are running sequentially the position of an entity centrality measure before or after a
transformative algorithm is quite important.
Algorithm settings, both general and specific, are accessed by clicking on the options button shown
in Figure 11.22 (left, top-frame). The predict missing links customization window is also shown in
Figure 11.22 (on the right). Algorithms can run on every system event or when the investigator
requests it (Figure 11.22, top right).
Tailoring prediction of missing links
The user can customize when and how often a prediction algorithm should compute (Figure
11.22a). One option is to automatically run the algorithm every time a change is made to the
criminal network. But the predict missing links algorithm is a transformative algorithm, and
would continue to predict missing links, since each transformation of the network would start the
(a) without (b) with (c) without (d) with
Figure 11.21: The two implemented algorithm extensions, the empty endpoint association and
the co-location association are explained. Without the empty endpoint association, the link from
the empty endpoint to the connected entity is not included in measures of betweenness centrality
and degree centrality is not calculated for the empty endpoint (a) and with that association the
link is included (b). Without the co-location association entities positioned near each other in
the information space are not included in measures of centrality (c), but if entities fall within the
boundaries defined by the investigators and the association is included, then those entities are
included in measures of centrality (d).
189
Figure 11.22: The structural parser (left) and the predict missing links algorithm customization
window (right).
algorithm again. Therefore, an option to run algorithms when clicking a button has been added
(see Figure 11.1, right side).
Next is the selection of algorithm hooks (Figure 11.22c). A special drag and drop view is used
for this task (Figure 11.23). Both entity attributes and centrality measures can be selected as
algorithm hooks.
Numerical algorithm variables are customized using standard input fields such as text fields (any
number or text), sliders (bounded numbers), and drop down boxes (enumerated values) as shown
in Figure 11.22d. Network information (evidence) is what the prediction algorithms base their
inferences on (Figure 11.22e). For predict missing links, it will be all entities currently in the
network.
The network layout drop down box (Figure 11.22f) can be used to select one of several default
layout algorithms that will be applied after the prediction. Finally, the investigators can customize
what visual symbols (color, thickness, etc.) to apply to the predicted links (Figure 11.22g).
Tailoring measure of betweenness centrality
The interface for customizing measures of centrality is structured in the same way as the inter-
face for transformative algorithms described above (Figure 11.24). There are however a couple
of important differences which we would like to emphasize, using betweenness centrality as an
example:
Entities? The investigator should decide which entities to include for the calculation of
betweenness centrality, all or only selected entities (e.g., persons)? If not all entities are
included, what should the algorithm do if it encounters a non-included entity when tracing
shortest paths? Should it skip the entity and then continue on the other side if the path
190
Figure 11.23: Selecting algorithm hooks for the predict missing links algorithm.
continues, or simply not count the path?

Associations? The investigator has to decide how to deal with for example empty relation
endpoints in terms of calculating betweenness centrality. If a relation endpoint is expected
to contain a person-entity, but it is not yet known who, then it might be relevant to include
that empty endpoint in the measure of centrality anyway.
Results? Often it is an advantage to normalize the measure of betweenness centrality for
all entities for comparison purposes, but not always. Also, in some situations it might be
relevant to only list the first 10 or 20 results and in other situations all measures are required
for further sense-making. Finally, it could be useful to emphasize the entity (or entities) with
the highest degree centrality, using color, relative size, or other forms of visual symbols in
the information space.
Figure 11.24 shows the interface for customizing SNA measures of centrality (left) and the sub-
interface for setting up visual symbols for visualization of results in the information space (right).
Tailoring extended centrality work flows
CrimeFighter Investigator algorithms are managed using a structural parser, where investigators
can select different algorithms to run and control the order in which they are executed, for ex-
ample either simultaneously or sequentially. Figure 11.25 (left) shows how individual centrality
algorithms can be customized by the user. The user must decide how to run an algorithm (Figure
11.25a) and what entities to include for the respective centrality algorithm (Figure 11.25b). This
is done using drag and drop between two defined areas as shown in Figure 11.25 (right, top frame).
For included entities the user can set a weight (maybe a location counts less than a person for a
measure of betweenness centrality) and for excluded entities the user how the algorithm should
deal with it, e.g., when tracing a shortest path. Should it not include the shortest path or simply
ignore this entity and continue along the path? Direct and semantic associations are included
or excluded using the same drag and drop approach as for entities (see Figure 11.25c and 11.25d).
Again, weights can be setup for included associations and the algorithms action(s) for excluded
associations. Finally, we imagine many settings for how to format and list results (Figure 11.25e).
Typically, normalization is important for comparison of results. If an investigation has many of the
included entities it can be useful only to display for example 10 results based on some parameter,
e.g., highest centrality.
191
Figure 11.24: The user can customize which entities and associations to include, how to display
results, and the visual symbols for betweenness centrality.
192
Figure 11.25: Setting up centrality algorithms using structural parser windows: the centrality
algorithm settings window is shown on the left, and the window for inclusion and exclusion of
entities together with specific settings for each of those entities is shown on the right.
It is currently possible to set the visual symbols for the information space and the algorithm view
(see Figure 11.25f). For the information space the user can decide whether or not to overlay
entities with a geometric shape (circle, square, or rectangle) containing the calculated centrality
(instead of just showing the results in the algorithm view). The color, size and outline of the shape
can be decided together with the font and font size of the printed centrality. For the algorithm
view it can be decided how to display the results textually in a list. Maybe a certain attribute
should be printed (e.g., person ’name’ or email ’date’). And the font (type, size and color) can be
set.
Tailoring node removal work flows
CrimeFighter Investigator supports a node removal approach with two perspectives: an inference-
based prediction of new probable links and changes in standard social network degree centrality.
In this section we demonstrate how to tailor node removal work flows. In Chapter 14 we go
through such a node removal work flow and test the tailored algorithm on a criminal network
aggregated from open source reports, creating hypotheses based on path distance and degree
193
Figure 11.26: Structural parser settings and information.
Figure 11.27: Node removal algorithm settings.
centrality changes. Figure 11.26 (right) shows the algorithms selected by the investigators to run,
in this case ‘CustomNodeRemoval’ and ‘DegreeCentrality’. As mentioned above, the structural
parser will indicate if there is a potential conflict between the selected algorithms. Algorithm
settings, both general and specific, are accessed by clicking on the ’options’ button shown in
Figure 11.26 (left). Selected parts of the node removal window are shown in Figure 11.27. Specific
visual symbols can be added and edited, in the case of node removal visual symbols are associated
with the different ‘what if’ questions.
The ‘what if’ question editor is shown in Figure 14.7, with the settings for the following ques-
tion: “what if individuals who didn’t interact directly before the node removal start to interact
afterwards?”. In order to visualize the links that match the ‘what if’ question constraints, the
question has been setup as follows: the question is focused on Relation entities (links), and will
run computations between all combinations of connected nodes (individuals) in the given criminal
network. The before constraint that has to be fulfilled, is that path distances between individuals
should be of length greater than 1 and the post prediction constraint is that path-length should
now be exactly 1. If these conditions are fulfilled, then those links will be colored red.

The history editor provides the investigative team with an option to edit the history and basic
space-level events, typically simplifying it or making it more intuitive/descriptive. The sequential
list of history events is presented in a tree view, where nodes are events grouped by the investigator
(explained below) and leafs are basic events raised by the users interactions with the common
information space. The investigative team can use the history editor to group, annotate, delete,
and move events up or down in the history. Storytelling is an example of how editing history
events can be used for information sharing. Creating stories based on events is a matter of
194
Figure 11.28: The ‘what if’ question editor.
grouping the space-level events into the steps telling the story. This will allow the investigator to
disseminate only the most important points to the customer (see Chapter 12 on dissemination).
Simply replaying all the space-level events could be very confusing to the customer, if there are
many.
11.3.4 TASK: Retracing the steps

Retracing the steps of criminal network investigations is facilitated by a history feature. Record-
ing investigation history allows the investigative team to review the path or progress of their in-
vestigation or to reclaim information that previously had been deemed irrelevant or deleted, but
then found to have greater significance due to new incoming information. The user interface of the
navigable investigation history feature is embedded in the tool bar (see Figure 11.1, at the top).
It has buttons for navigating the recorded events, and the current event displayed in the space is
visualized using a slider as well as a label showing the total number of events (e.g., 59/59). The
history feature records all the interactions that investigators have with entities in the space as
events, e.g., “create information element”, “resize composite”, “move information element”, and
so on. Each event is given a time stamp and added to the sequential history.

CrimeFighter Investigator supports two types of hypotheses supported by issue-based argumenta-
tion technology and the option to create branched information structures.
TASK: Issue-based argumentation
Reasoning can be done using the issue-based argumentation feature of CrimeFighter Investigator.
The example presented in Figure 11.29 is based on what is known 60 hours into the Daniel Pearl
investigation, when the team receives an email from a colleague at the Wall Street Journal London
bureau, which the bureau received from Andrea Gerlin of the Philadelphia Inquirer. Attached to
the email is an article from the January 24 Independent, profiling a shadowy character suspected
of having bankrolled the 9/11 attacks, Omar Saeed Sheikh. But what disturbs Andrea is that
“Omar has a particular specialty: he kidnaps Westerners”. However, the team finds nothing
linking Omar to Daniel’s disappearance (besides this specialty), and given the current state of the
issue chart where a lot more ‘Pro’-arrows (i.e., supporting arguments) are pointing towards Gilani
(the person that Daniel was supposed to meet on the evening of his kidnapping).
Reasoning can be attached to any entity in the criminal network. A small hexagon icon with the
195
text “IPA” is used to show that reasoning is attached, and clicking the icon opens the issue-based
argumentation view. Reasoning can be used for several purposes: (1) to capture and visualize
disagreement in an analysis situation, ensuring that all positions and arguments are heard; (2) to
reason argumentatively during storytelling (e.g., a senior police officer is creating a briefing based
on an investigation); and (3) to create and explore (competing) hypotheses. According to the IBIS
model [47], we have adopted the following predefined relations: is-suggested-by (←), responds-to
(→), supports (+), objects-to (−), questions (?), and generalizes or specializes ( ). The relation
direction can be both ways in all cases. These predefined relations aids the investigative team in
controlling the mapping of their dialog about issues, positions, and arguments.
Figure 11.29: CrimeFighter Investigator - Issue-based argumentation view from the Daniel Pearl
investigation.

The developed rule editor for adding, deleting and updating rules is shown in Figure 11.30. The
editor is divided into three panels, from top to bottom they are: Information panel, rule editing
panel and existing rules panel. The information panel shows information about the information
element or one relation and two information elements depending on the type of rule being edited.
The rule editing panel handles update and creation of individual rule parameters, and the existing
rules panel provides an overview of the rules association with the information element or relation.
11.3.7 TASK: Prediction

CrimeFighter Investigator has support implemented for two Bayesian inference algorithms. Pre-
diction of covert network structure and prediction of missing links are both described below.
Predict covert network structure
The predict covert network structure algorithm works computationally like the predict missing
links algorithm, the main difference being the inclusion of individuals in the (Bayesian) evidence,
not already in the criminal network.
196
Figure 11.30: CrimeFighter Investigator rule editor for creating and updating rules.
Predict missing links
In the following example, we describe CrimeFighter Investigator support of the Bayesian inference
method described in [183]. As discussed in analysis, the network nodes and attributes used in
this example are inspired by the Greek criminal network November 17 (see [183] for more details).
The major steps involved in the calculation are shown in Algorithm 1 and the network we predict
missing links for, is shown in Figure 11.31. The network has six nodes and seven (positive) links.
Part of the customization of this algorithm (see Section 11.3.2) is to select the entity attributes
(algorithm hooks) for the prediction algorithm. Only enumerated attributes are accepted as
algorithm hooks, i.e., name is not eligible since it can have basically any value.
The first step of the algorithm (line 1), is to calculate the contingency table for each of the selected
algorithm hooks. We will explain how to calculate the contingency table for a role hook which
can have one of two enumerated values: leader (L) or operational (O). The faction can have one
of three enumerated values (G, S, or K), each named after an individual within that respective
faction. The contingency table records the relation between positive and negative links in the gold
standard (purple nodes in Figure 11.31).
197
Figure 11.31: A predict missing links example.
Algorithm 1: Predict missing links

input : A criminal network investigation (gold standard)
output: A list of missing links
hookRules ← InitHookRules();
hookProductRules ← InitHookProductRules();
bayesianEvidence ← GetAlgorithmSettings().GetBayesianEvidence();
1 foreach Hook h in Hooks do CalcContingencyTable(h);
;
2 productRuleResults ← CalcHookProducts();
3 predictedLinks ← PredictLinks(productRuleResults, bayesianEvidence);
4 missingLinks ← GetMissingLinks();
The second step is to calculate the products of different hook relations if more than one hook is
added to the inference. Only the products above a cut-off value of 2,14 are included. The cut-off
value is calculated as the total possible links in the gold standard divided by the existing links
(see line 2):
L − L × G − S = 3, 00 × 1, 14 = 3, 42
L − L × S − K = 3, 00 × 3, 43 = 10, 29
O − L × S − K = 0, 75 × 3, 43 = 2, 57
O − O × S − K = 0, 75 × 3, 43 = 2, 57
The third step is the actual prediction of missing links based on the likelihood products calculated
above together with the likelihoods for individual algorithm hooks (line 3). The second input to
the prediction of links is the evidence, that is the attributes and their values for all individuals
in the network. If we chose to apply the predict covert network structure algorithm then the
evidence could also be information about individuals not in the network. These individuals would
be added if a link (relation) to them is predicted from within the gold standard network. From
the likelihoods we see that L − L and S − K relations are above the cut-off value, together with
the products mentioned under the second step above. We see that entities sharing both L − L and
S − K relations are especially likely to be connected, hence the thicker red line between C and H
in Figure 11.31.
198
The fourth step is a simple clean-up function which will remove those links already in the network
prior to the prediction, leaving only new (missing) links (line 4).
The result of a missing links prediction on a sampled version of 20 individuals from the al-Qaeda
network is shown in Figure 11.32. The investigator can decide to append the predictions to the
network or simply discard them.
Figure 11.32: The result of a missing links predic- Figure 11.33: Betweenness centrality for the indi-
tion on a sampled version of 20 individuals from viduals in Figure 11.32, with 4 added links (thick
al-Qaeda central staff [188]. Blue solid lines are blue).
true positives while green dashed lines indicate
false positives.
11.3.8 TASK: Decision-making

Decision-making is currently supported in the issue-based argumentation view (see Section 11.3.5).
A decision is one position, the issue it responds to and associated arguments.

CrimeFighter Investigator supports dangling endpoints during synthesis (empty relation end-
points), and the social network analysis algorithms are therefore extended to include this aspect
in calculations if it is found necessary for the investigation. We focus on betweenness centrality
and describe how this centrality measure is implemented (see Algorithm 2). How the algorithm is
customized to suit different needs is also described.
Algorithm 2: Betweenness centrality
input : A criminal network investigation
output: A measure of betweenness centrality for individual entities
1 allEntityPairs ← GetAllEntityPairs();
2 foreach entityPair in allEntityPairs do shortestPaths;
← GetShortestPaths(entityPair, relations);
3 foreach shortestPath in shortestPaths do snaResults;
← GetNodesOccurenceFraction(shortestPath);
4 snaResults ← BubbleSort(snaResults);
The betweenness algorithm starts by creating a set of all entity pairs in the criminal network (line
1). Then the shortest path between each pair of entities is calculated (line 2). For each entity pair,
199
we determine the fraction of shortest paths that pass through each entity on those paths (line 3).
The betweenness of each entity is the sum of all these fractions across the entire network. The
results are bubble sorted with for example highest centrality first before it is presented to the user
(line 4).
The betweenness centralities of a sampled version of 20 individuals from Sagemans al-Qaeda
network [188] are shown in Figure 11.33. The investigator has decided to append the predicted
links shown in Figure 11.32 to the network before calculating the centralities.
200
CHAPTER 12
Dissemination
Dissemination tasks help the criminal network investigators to formulate their accumulated knowl-
edge for the customer. As previously mentioned, dissemination has not received the same amount
of attention as synthesis and sense-making.
The remainder of this chapter is organized as follows: analysis (Section 12.1) and design (Section
12.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 12.3) is
explained below.
12.1 Analysis
Based on cases and observations of criminal network dissemination, contact with experienced
end-users from various investigation communities, examination of existing tools supporting dis-
semination of criminal network investigations or parts thereof, and our own ideas for dissemination
support, we maintain a list of dissemination tasks.
12.1.1 Storytelling
Investigators ultimately “tell stories” in their presentations when disseminating their results. Or-
ganizing evidence by events and source documents are important tasks, so that the story behind
the evidence can be represented. Storytelling can be useful for different purposes such as briefings,
learning, and training.
12.1.2 Report generation
Report generation involves graphics, complete reports, subspaces, etc. Being able to produce
reports fast is important in relation to time-critical environments and frequent briefing summaries.
It will be necessary to support the generation of reports for complete investigations, algorithms,
and sense-making work flows.
201
12.2. DESIGNS CHAPTER 12. DISSEMINATION
Figure 12.1: Mock-up showing algorithm report elements, that can be dragged to report template
(right).
12.2 Designs
Our designs for story telling and report generation are outlined below.
12.2.1 Storytelling
Storytelling is based on versioning concepts and the history component, which we presented a
design for in Chapter 8. The intended support for storytelling is an editor of history events inspired
by the one supported by visual knowledge builder (VKB) [198], a spatial hypertext system. Once
the history events have been edited, the story can be told using navigable history.

Report generation should be based basic report elements, that can be added and removed from
report templates, as the user prefers. The intended support for adding and removing report
elements to and from reports is shown in Figure 12.1. The report elements in the example are
based on an predict missing links technique, illustrating that report elements will be different from
algorithm to algorithm.

In this section, we present our implemented tool support for criminal network investigation dis-
semination tasks.
12.3.1 Storytelling
Storytelling is done using the History Editor (Figure 12.2). The granularity of system level history
events is often too fine grained for telling a story. The history editor allows the investigators to
group history events that are relevant for the story individually, but when grouped together they
explain one important step of the investigation. The investigators can delete events (if an entity
was created by mistake and then deleted), they can annotate events or groups of events if they feel
that the system generated description is not sufficient, and finally events can be moved up and
down in order to match a time line of events (a person’s association with a group in a criminal
network investigation can easily be different from when that person became associated with the
group in real time).
202
CHAPTER 12. DISSEMINATION 12.3. CRIMEFIGHTER INVESTIGATOR
Figure 12.2: History editor, annotating a grouping of four events.

Report generation is not only available for complete criminal network investigations. All Crime-
Fighter Investigator features implement a report-interface that facilitates the addition or removal
of individual report elements. The order in which elements are added to the report is also dynamic.
This makes it easier to create reports targeting specific usages (briefing on specific subject). For
example, after a prediction is done, a pdf report with the detailed calculations is available and
can be retrieved using the algorithm view (see Figure 8.12, right hand side).
203
12.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 12. DISSEMINATION
204
CHAPTER 13
Cooperation
They begin to order the network. They have stepped out of normality
and into the exciting world of counterterrorism.
Television and terror: conflicting times and the crisis of news discourse [94]
Cooperation is a natural part of investigations. Cooperation leads to better synthesis and sense-
making that is informed by more perspectives. Sharing of the target model among criminal network
investigators is the starting point for such cooperation, and is possible with the current setup. But
for further support, the CrimeFighter toolbox knowledge base mentioned in Section 1.4 will be key
to cooperation support. Assuming that such a knowledge base is in place, we will analyze the
cooperation tasks defined in Chapter 7.
13.1 Analysis
Sharing of the target model among collaborating criminal network investigators or colleagues
in other organizations, who might be interested in the particular target or entities related to
it, is the starting point of cooperation. Sharing work flows, like sense-making work flows and
custom algorithms, or mining work flow patterns from the previous use of intelligence information
(history), would lead to shared knowledge and potentially also cooperation. The discovery of
emergent collaboration, would help the coordination of resources by putting investigators analyzing
similar or the same entities in touch with each other. Such cooperation requires support of a
common knowledge base (see Figure 13.1).
Investigators often share their findings with colleagues or other organizations (agencies, services, or
departments), who might have an interest in the findings. Prior to the terrorist attacks on Norway
22/7 (2011), the Norwegian customs directorate and the postal service had shared findings related
to, what they found to be, suspicious purchases of chemicals in Poland. They forwarded their email
correspondence to the liaison at the Norwegian police security service (PST), who unfortunately
took a long time to assign that particular lead to a specific section [153]. Based on the interroga-
tions of the Iraqi defector Curveball, information was shared between many agencies, services, and
departments, but the original information was not shared, only selected parts, translations, and
interpretations [59]. Finally, in criminal network investigation environments, work flow sharing of-
ten occurs in the sense that experienced investigators might educate less experiences investigators
how to do certain work [204].
205
13.2. CRIMEFIGHTER INVESTIGATOR CHAPTER 13. COOPERATION
Figure 13.1: Supporting cooperation by sharing the information space (criminal network) (left) or
sharing work flows, e.g. sense-making work flows such as node removal (right), and discovery of
emerging collaboration based on a common knowledge base (middle).
We did not find specific examples of emerging collaboration notifications within the same organi-
zation (agency, service, or department), places where it would be reasonable to have established
a common knowledge base, like the one described for the CrimeFighter toolbox in Section 1.4.
The examples described above for sharing of findings and work, could to a certain degree be con-
sidered emerging collaboration. To establish tool support, it would be necessary to define the
levels of awareness and notifications, i.e. how fine grained notifications do we want to send to the
investigators. If too many notifications are sent out, it might become an annoying feature for the
investigators and there could be a risk they would turn it off. If too few notifications are sent im-
portant emergent collaborations could be missed. Emergent collaboration notifications might be
a way to break down the wall of secrecy discussed throughout this dissertation. If an investigator
he receives a notification that a colleague in a different section of the secret service is actually
investigating the same individuals, but has some other information as well, the investigator might
be more willing to approach the colleague to start a collaboration, rather than asking around at
meeting or conferences, if anybody else are looking at the same things.

CrimeFighter Investigator supports sharing of the information space, in the sense that investigators
can save their complete investigation in the original CrimeFighter Investigator format and then
send it to other investigators, who can load it into their CrimeFighter Investigator tool.
206
CHAPTER 14
Testing the hypothesis:

support of criminal network investigation work flows
A history in which every particular incident may be true may on the

whole be false.
Thomas Babington Macaulay [134]
In this chapter, we demonstrate that the premise for testing (evaluating) our main hypothesis (i.e.,
a software tool “that is useful for criminal network investigators in their work”) is in place. In
Chapters 9 to 13 we focused on support of individual criminal network investigation tasks. Here
we describe three deployments of CrimeFighter Investigator supporting a specific work flow. We
define a work flow to be a process that involves multiple criminal network investigation tasks,
processes, and techniques (but not all of them). Our descriptions of work flow support are based
on relevant criminal network investigation scenarios, sometimes using mock-up figures indicating
how we suggest the implementation of the intended feature. This could indicate a need to place it
in design sections of previous process chapters. However, we find it is necessary to first describe
the intended work flow, to be able to find out how to design experiments that could be used to
evaluate the individual tasks within each work flow.
We have deployed CrimeFighter Investigator in the following work flow settings: An example of
adaptive modeling of Omar Saeed Sheikh and his kidnapping network is given in Section 14.1. A
complete work flow for how to apply the implemented node removal algorithm to a criminal network
is given in Section 14.2. Finally, we demonstrate the deployment of CrimeFighter Investigator
in a setting where a team of investigators are interested to know whether domestic (Danish)
fundamental Islamists are linked up with global al-Qaeda and affiliated movements (see Section
14.3). Section 14.4 summarizes the conclusions and suggestions of future work that the deployment
sections have introduced.
14.1 Adapting existing model of Omar Saeed Shaikh and

his kidnapping network
A typical work flow for adapting an existing model to a new usage involves the following steps:
(1) acquiring the model, either (a) through several synthesis and sense-making iterations or (b)
by importing a work flow from a previous investigation; (2) adapting the model to the new inves-
tigation and the change in tendencies observed there; (3) apply the model to the criminal network
207
14.1. ADAPTIVE MODELING CHAPTER 14. WORK FLOW SUPPORT
investigation, for customized sense-making controlled by a structural parser. Refer to Section

11.1.6 for an analysis of adaptive modeling.
In this section, we will test if the relational and biographical characteristics of text-based profiles
can be modeled and used for criminal network analysis. We will use a model of jihadist terrorist
cells in the UK and Europe by Nesser (2006) [154] as our starting point. Later, we will compare
a specific profile of this model with the characteristics of Omar Saeed Shaikh (see Section 5.7)
the mastermind behind the kidnapping of The Wall Street Journal reporter Daniel Pearl case we
described in Section 3.5.1.
Based on the comparison of characteristics we will adapt the rules used to describe Nesser’s profile,
to evaluate how easy it is to adapt these rule-based models to changes in the profile characteristics.
We adapt parts of the entrepreneur profile to match with the profile of Omar Saeed Shaikh and
his role in the kidnapping plot. We find that the adapted model, as well as Nesser’s original
model, are examples that could be used for criminal network analysis to alert investigators of e.g.
potential terrorist cells forming.
For the kidnapping of Daniel Pearl on January 23, 2002, Omar used four cells as depicted in
Figure 14.1 (not counting the cells responsible for distributing the murder video and baiting
Daniel Pearl [227]). Besides being the mastermind of the plot he was himself member of the
initially established cell, the contact cell. The assignment of the contact cell, was to arouse the
journalist’s professional curiosity and, on the pretext of leading him to a person linked to a case
he was investigating, persuade him to come to the place of the kidnapping. The second cell was
responsible for external relations, e.g. sending emails to the media with demands etc. The third
cell (the jailers) was at the kidnapping rendezvous and stayed with Danny right up until his
execution. And finally, the (initially) mysterious fourth cell (the executioners), later known to be
Khalid Sheikh Mohammed and his two nephews, who decapitated Daniel Pearl and recorded a
video of the murder later circulated to the media [128, 146, 162, 227].
Figure 14.1: Omar Saeed Shaikh and four of the cells involved in the kidnapping and murder of
Daniel Pearl Nomani et al. (2011) describes two more cells, responsible for distributing the murder
video and baiting Pearl [227].
208
CHAPTER 14. WORK FLOW SUPPORT 14.1. ADAPTIVE MODELING
14.1.1 Modeling jihadist terrorist cells in the UK and Europe

As mentioned earlier, a criminal network model is sometimes evolved from scratch, and some times
a model from a previous investigation can be adapted and reused. We use Nesser’s (2006) model of
jihadist terrorist cells in the UK and Europe as our starting point. The model is based on a survey
of “a number of al-Qaida associated or al-Qaida inspired terrorist cells that planned, prepared, and
in three instances managed to launch attacks in European countries in the period 1998 until the
present” [154]. Firstly, Nesser’s survey points to a crucial role for socially and politically motivated
activists and idealists, defying stereotypical perceptions of Islamist extremists. Secondly, there are
different roads into, and different motivations for joining terrorist networks. Finally, the activists
need to connect to and interact with the jihadist infrastructure (local jihadists, training camps
and media influence) in order to translate activism and grievances into terrorist acts82 .
A distinct set of profiles among those involved that recurred across the cases was also identified.
A typical cell included an entrepreneur, his protégé, misfits and drifters as visualized in Figure
14.2. The profiles are explained in more detail below, and selected relational and biographical
characteristics of the three main profiles are listed in Table 14.1, 14.2 and 14.3. In Section 14.1.2
we present parts of a CrimeFighter Investigator model of these profiles and their relations, as well
as the rules used to model the profiles.
Figure 14.2: Outline of Nessers Model.
The entrepreneur is the crucial profile; he is the person who makes things happen. No jihadist
cell forms without him. The entrepreneur has an “activist mindset”, being driven by ideas rather
than personal grievances. He is interested in and committed to social issues and politics, he
demands respect from his surroundings and he has a strong sense of justice. Table 14.1 shows
biographical and relational characteristics of the entrepreneur profile that we have found most
suitable for modeling. As our understanding of the modeling technique is further developed we
believe more complex relational and biographical characteristics could be added.
The ‘Links to’ column indicates where information about this characteristic could be found, e.g.
deciding whether or not a person is a senior compared to the other operatives of a terrorist cell
would be based on a comparison of age. The ‘Bio/rel’ column indicates the nature of the profile
characteristic: Is it relational, biographical or a combination? This classification can be quite dis
ambiguous, since, e.g., a persons record of failed ambitions (characteristic #3) would be related
to projects he or she failed to succeed with, but in terms of an ongoing investigation it would be
background information, hence biographical information (e.g., “the individual had the role of [role]
in project [project], back in [year ]”). That being said, considering our network approach, other
persons associated with those past projects could very well be playing a key role in the current
investigation as well, but if the link charts of those projects does not exist83 , the incident reports
209
would be of a biographical nature. Finally, the ‘Rule input’ column indicates the type of the rule
parameters used to search for the information indicated in the ‘Links To’ column (see Section
14.1.2 for rule examples). When the profile characteristic is of a relational nature, we could argue
that the rule parameter type would be an information element (e.g., a person or a group) to allow
for more sophisticated rules. But to keep things simple we have decided to use text strings as the
most advanced input parameter type for rules.
# Characteristic Links to Bio/rel Rule input

1 Typically a senior in the cell. Age Bio Integer
2 NGO Activity Organizations Rel Text Strings
3 A record of failed ambitions Projects Bio Text Strings
4 Becomes affiliated with militant groups Organizations, Per- Rel Text Strings
and individuals sons
5 In charge of the cells external relations Organizations, Per- Rel Text Strings
with the jihadist infrastructure sons
6 Maybe educated and employed or on Education, Job(s) Bio/Rel Text Strings
welfare
7 Inspired, supported and guided by his Persons Rel Text Strings
mentors
8 Married Marital Status Bio/Rel Text Strings
9 Children Children Bio/Rel Text Strings
10 Participation in jihad in original home Visited Countries Rel/Bio Text Strings
country (or Afghanistan, Pakistan,
Chechnya, Bosnia)
Table 14.1: Selected characteristics of the entrepreneur Profile.
The protégé profile appears to hold a special position vis-á-vis the cell leader (i.e. the en-
trepreneur). The protégé is someone the leader respects and trusts with important tasks. He
admires and looks up to the leader. The presence of such a character in the cell tells us something
about the sophistication of the entrepreneur and the ideology that he offers his young accom-
plices. It means that jihadism appeals to highly intelligent, socially skilled and well-off people,
social segments that, according to rational choice arguments, would have much to lose by engag-
ing in terrorist activity. The misfit is someone who performs less well socially, and often has
a troubled background as well as a criminal record. He differs from the entrepreneur and the
protégé because he is not an idealist, appearing to have a somehow “weaker” and more hesitant
personality. The drifter is not a clear-cut profile. He tends to be someone who is ‘going with the
flow’ rather unconsciously. He does not appear to be very ideologically committed when he joins
the jihadist group. He becomes part of the cell by being in the wrong place at the wrong time, or
having social ties with the wrong people. Since drifter characteristics are not easy to define, we
have decided to exclude this profile from further modeling considerations, except for the possible
relation with the misfit profile.
As mentioned above, it is relation rules that glue together the information elements (and each
information element’s rules) to form criminal network structures. The rules representing Nesser’s
structure of profiles as modeled using CrimeFighter Investigator are reviewed in the next sec-
tion. Our rule design is described in Section 11.2.3 and the CrimeFighter Investigator rule editor
approach to creating the rules is discussed in Section 11.3.6.
14.1.2 CrimeFighter Investigator model and rules

A CrimeFighter Investigator model and selected adaptive rules based on Nesser’s model are the
results of the first deployment. A visualization of the model is shown in 14.3. Only information
about the relations between the profiles can be deducted from this presentation, i.e. the stronger
210
# Characteristic Links To Bio/Rel Rule Input

1 Holds a special position vis-á-vis the Persons Rel Text Strings
cell leader.
2 Most gifted and intelligent of the young Education, Skills Bio Text Strings
terrorists
3 Excels professionally Employment Bio/Rel Text Strings
4 Excels academically Education Bio/Rel Text Strings
5 Excels socially Friends Rel Text Strings
6 Provides the cell with needed expertise Education, Internet Bio/Rel Text Strings
(bomb making skills, IT skills) Activities, Skills
7 Young and inexperienced Age Bio Number
8 Well-off Family, Finances Rel/Bio Text Strings,
Number
Table 14.2: The protégé profile.
# Characteristic Links To Bio/Rel Rule Input

1 Troubled background Education, Family, Bio/Rel Text Strings
Crimininal record
2 Criminal record Criminal record Bio Text Strings
3 Recruited in prison Persons, Meetings Rel Text Strings
4 Might meet militants in the criminal Criminal record Rel Text Strings
underworld
5 Seldom educated Education Bio Text Strings
6 Physically fit Organizations Rel Text Strings
7 Into sports, some very talented Organizations, Rel/Bio Text Strings
Prizes
8 Age varies, but younger than en- Age Bio Integer
trepreneur
9 Might be a friend or acquaintance of the Persons, Friends Rel Text Strings
cell leader or one of the other members.
10 Some have violent tendencies, and some Criminal Record Bio Text Strings
have been convicted for acts of violence
in the past
11 In charge of acquiring weapons and Purchases, Crimi- Rel Text Strings
bomb making materials nal Record, Persons
Table 14.3: The misfit profile.
relation between the entrepreneur and the protégé is symbolized by a thicker line. Based on the
number of relations it is actually not possible to say who is the cell leader and who are the foot
soldiers, it can however be deducted based on the profile names.
We have listed the relations found suitable, in terms of the abstractions embedded in our current
rule design (see Section 11.2.3), to be described using relation rules in Figure 14.4 (disregarding
relation 4 between the misfit and the drifter). We found seven relations to be suitable for modeling.
And only the ‘recruited’ relations would have the potential to distinguish any average group of
friends from the jihadist terrorist cells described by Nesser.
In order to make such a differentiation it is clear that the relation rules must be combined with
information element rules describing the individual profiles of the model. A set of information
element rules, corresponding to the 10 characteristics of the entrepreneur listed in Table 14.1 are
shown in Figure 14.5.
211
Figure 14.3: Nesser’s jihadist cell structure modeled using CrimeFighter Investigator (screen shot
from early version of tool).
Figure 14.4: (semi-mockup) CrimeFighter Investigator with Nesser model relation rules.
Figure 14.5: The list of entrepreneur profile rules.
14.1.3 Demonstrating the need for rule-based model adaption

In this section, we focus on adopting the entrepreneur profile to that of Omar Saeed Shaikh, and
the entrepreneurial role he played in the kidnapping of Daniel Pearl, ignoring that the events
took place ten years ago (and four years prior to Nesser’s model). By comparing part of Nesser’s
entrepreneur profile with the relational and biographical characteristics of Omar Saeed Shaikh we
have noticed a number of differences as shown in Figure 14.6.
The entrepreneur profile characteristics ‘Senior to other operatives’, ‘Central to the recruitment
of other cell members’, ‘Central to the radicalization of other cell members’, and ‘In charge of the
cells external relations with the jihadist infrastructure’ do not match with characteristics of Omar
Saeed Shaikh, while the remaining characteristics are found to match. Adapting the model of the
212
Figure 14.6: Mapping part of the entrepreneur profile to Omar Saaed Shaikh.
entrepreneur profile in this case would be a matter of deleting the rules associated with these four
characteristics, and potentially add new ones. But again, during a real investigation these changes
would not have been made before this “new trend” had occurred in more cases.
14.1.4 Discussion
Our first deployment demonstrated difficulties with modeling some characteristics, initially thought
to be suitable for modeling. It became clear that a lot the rule complexity was embedded in the
operator part of rules, when attempting to describe more complex relational or biographical char-
acteristics. However the complexity could be decreased by dividing profile characteristics into a
number of sub-characteristics and then describe each of these using the rules. Another option
would be to allow for a combination of multiple boolean and text string operators within one
single rule. But that would go against the system requirement stating that the building blocks of
rules should be based on natural language, as we expect more math-based rules would be created,
if multiple operators are supported for rules. The rules would over time become interpretable only
by the investigator who initially created them not adhering to the principles of simplicity and
transparency (human factors #2 and human factors #3).
Since rules are associated with specific characteristics and relations they can be adapted indepen-
dently without affecting the remaining part of a model. The separation of rules and target-model
synthesis is convenient as they can then be developed independent, but in the shared information
space. A single rule (or a set of rules) can be updated or deleted using the CrimeFighter Investi-
gator rule editor (see Section 11.3.6). And new rules can be added using the same rule editor, if
new profile characteristics or relations are discovered.
213
14.1.5 Conclusions and future work

We have presented support of a work flow, a novel rule-based criminal network analysis technique,
adaptive modeling, involving synthesis tasks to create input for sense-making tasks. This technique
was implemented in CrimeFighter Investigator, in order to assist criminal network investigators in
embedding their experience and knowledge in models, thereby customizing them for their partic-
ular domains. We focused on modeling the relational and biographical characteristics of terrorist
profiles organized in cell structures, and found this to be a rather complex task. To summarize,
our demonstration of this work flow has presented the following contributions to criminal network
investigation tools:
1. We have described first results with converting textual descriptions of terrorist profiles into
computerized models based on relational and biographical characteristics. We have visual-
ized how relation rules can be used to glue the terrorist profiles together to form network
structures which can be processed by computer algorithms.
2. We have demonstrated support of 2 steps out of 3, for an adaptive modeling work flow:
(1) acquiring a model and (2) adapting the model. Application of the model to a criminal
network for analysis (step 3), is still not implemented, and will be the subject of future work.
We plan to investigate the following topics in relation to the further development of CrimeFighter
Investigator support for adaptive modeling work flows:
1. Proper test data. In order to appropriately evaluate the usefulness of rule-based criminal
network analysis, we need proper test data. It would be highly relevant to follow ongoing
investigations, and create models of expected targets and emerging cells based on previous
cases as well as the investigation teams experience and ideas.
2. Extending rule-based criminal network analysis with weights. The concept of rule-
based terrorist network analysis could be improved on a number of parameters. First of
all, in order to determine more accurately whether or not a relation exists, it is necessary
to have individual rule weights. When editing and creating rules in the relation rule editor
visual weights should be applied (similar to adjusting the thickness of relations, depending
on how important, specific, verified the relation is). A semantic weight could also be added
in terms of a number (e.g. 1-10). Rule weights should be used to indicate the importance
of each individual rule in terms of deciding whether or not the relation (as described by the
rules) exists or not.
3. Coupling with CrimeFighter Assistant. We would like to connect CrimeFighter Inves-

tigator with CrimeFighter Assistant in the future, working toward the CrimeFighter toolbox
architecture. It would be essential in order to provide a second criminal network analysis
technique (link importance [244]), which would strengthen the reliability of analysis results
if applied as intended by the investigators.
4. Missing model structure detection. The described rule format can be used to model
relational and biographical characteristics of profiles. CrimeFighter Investigator implements
a structural parser that can handle the comparison of the rules with a criminal network,
but the options are many. If for example 75% of a criminal network cell model is matched
with some criminal network information by the structural parser, then it could be useful to
inform the investigator about this. We imagine using a visual approach, where the already
confirmed information elements and relations are shown in their normal colors, and the
missing parts would be shown using for example a gray color. It would then be possible for
the investigator to determine whether or not this could be a forming criminal network cell,
and if it is, what individuals (according to profiles) are still missing from cell.
214
CHAPTER 14. WORK FLOW SUPPORT 14.2. NODE REMOVAL
14.2 Node removal in the November 17 criminal network

A criminal network is a special kind of social network with emphasis on both secrecy and efficiency.
Such networks are intentionally structured to ensure efficient communication between members
without being detected. A criminal network can be modeled as a generalized network (graph)
consisting of nodes and links. Nodes are entities (people, places, events, etc.) and links are rela-
tionships between the entities [245]. Node removal is a well known technique for destabilization
of criminal networks [35, 36]. Deciding which node or group of nodes to remove is dependent on
available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), compli-
cating the prediction of secondary effects following a node removal. Inference-based prediction and
social network analysis provides different perspectives on criminal networks, thereby assisting in-
vestigators in their decision making by answering the ‘what if’ questions they inherently would like
to ask. We consider prediction to be one of many investigative work flows that criminal network
investigation teams use to analyze criminal networks; a work flow involving both synthesis and
sense-making tasks. The ability to determine the presence or absence of relationships between
groupings of people, places, and other entity types is invaluable when investigating a criminal
case. Standard social network analysis is another investigative task, providing investigators with
information about the centrality of individual nodes in criminal networks.
CrimeFighter Investigator supports a custom made node removal algorithm assisting criminal
network investigators with two perspectives on the changes following node removal: an inference-
based prediction of new probable links and changes in standard social network degree centrality.
Many interventions against criminal (and other covert) networks often take place in the context
of a multi-agency effects-based operations doctrine [211]. Consequently, it is imperative that tools
are developed to assist analysts and investigators in assessing the likely impact and consequences
of interventions against proposed targets in complex socio-technical systems.
In an assessment of destabilization tactics for dynamic covert criminal networks, Carley (2003)
points out that from an adaptation perspective node changes (e.g., node removal or insertion) can
be more devastating than relationship changes and of the node changes those involving change
in personnel are the most devastating. Carley further argues “that the removal or isolation of
personnel is more practical, in the short term, than adding personnel, as the latter, particularly
in covert networks, requires infiltration” and notes that in standard social network analysis node
changes are also the preferred approach to network destabilization [35].
Measures and techniques for analysis of secondary effects
We review this theory here, as it is important for understanding the aspects involved in the work
flow. As a consequence of the complexity of criminal networks, investigators need more than one
perspective to assist them when asking ’what if’ questions about the probable secondary effects
of removing a node from a criminal network. Many analysis measures and techniques can provide
such relevant perspectives, including:
Network node and link measures [240,245,248] are used to analyze and make sense of criminal
networks. Standard social network centrality measures are useful for node analysis of complete
static social networks and can indicate the importance of individual nodes in the network. Social
network measures include degree, closeness, betweenness, and eigenvector centrality (see Section
5.9 for more details). Eigenvector centrality is particular interesting in the context of this work
flow, since a node is considered central to the extent that the node is connected to other nodes
that are central (i.e., high degree centrality). For link analysis, measures such as link betweenness
and link importance have been suggested. Link importance measures how important a particular
link is in a criminal network by measuring how the removal of the link will affect the performance
of the network.
Prediction techniques [40, 182–184] include extrapolation, projection, and forecasting based
on past and current states of a criminal network. These three predictive techniques follow the
215
14.2. NODE REMOVAL CHAPTER 14. WORK FLOW SUPPORT
approach of assessing forces that act on an entity. The value of prediction lies in the assessment
of the forces that will shape future events and the state of the criminal network. An extrapolation
assumes that those forces do not change between the present and future states; a projection
assumes that they do change; and a forecast assumes that they change and that new forces
are added. Bayesian inference is a (forecasting) prediction technique based on meta data about
individuals in criminal networks. A statistical procedure that is based on Bayes’ theorem can be
used to infer the presence of missing links in networks (see Section 11.3.7 for more details). The
process of inferring is based on a comparison of the evidence gathered by investigators against a
known sample of positive (and negative) links in the network, where positive links are those links
that connect any two individuals in the network whereas negative links are simply the absence of
a link. The objective is often to assess where links may be present that have not been captured
in the collected and processed criminal network information.
Destabilization criteria [35,36] are established by investigators to have a measure of the success
or failure of an operation involving destabilization. Criteria includes ’the rate of information flow
through the network has been reduced (perhaps to zero)’, ’the network, as a decision making
body, cannot reach a consensus’, and ’the ability of the network to accomplish tasks is impaired’.
These destabilization criteria could provide useful perspectives on the secondary effects of node
removal. Although they seem eligible for framing as ’what if’ questions, we have focused on
analysis measures and prediction techniques in this work.
Scenario: custom-made node removal
In this section, we describe a CrimeFighter Investigator usage-scenario following the steps pre-
sented in Section 11.2.1. The ‘what if’-question the investigators want to follow in this scenario is:
“what if individuals who didn’t interact directly before the node removal start to interact after-
wards?” (step 1 ). The ‘what if’ question editor setting for this question is shown in Figure 14.7. In
order to visualize the links matching the ‘what if’ question constraints described above, we setup
the question as follows: the question is focused on relation entities (links), and will run compu-
tations between all combinations of connected nodes (individuals) in the given criminal network.
The before constraint that has to be fulfilled is that path distances between individuals should
be of length greater than 1 and the post prediction constraint is that path-length should now be
exactly 1. If these conditions are fulfilled then those links will be colored red. For testing purposes
we have inserted a second ‘what if’ question asking the algorithm to color the true-positive links
green, i.e., links occurring in the full N17 network but not in the sampled N17 network currently
being investigated.
The investigators are prompted to select which nodes (individuals) they find relevant for the node
removal (step 2 ). They have three choices: include all nodes, select the nodes individually by
clicking on individuals, or drag a square to select a subset of nodes (useful if the criminal network
is large with many nodes). Then the investigator is requested to select the node to remove (step
3 ). We base this decision solely on degree centrality within the partially observed N17 network
as shown in Figure 14.9; we choose Pavlos Serifis, since he is observed to have the highest degree
centrality (Table 14.4, second column). In reality, more analytical techniques are needed to make
a decision about a networks’ vulnerabilities [35, 36]. After the removal of Pavlos Serifis and his
links (step 4 ) the updated degree centralities are as described in Table 14.4 (third column).
The node removal algorithm starts predicting missing links [183] based on the new network struc-
ture following the node removal (step 5 ). The likelihood of a link being present between all pairs
in the network is calculated based on the attribute data of the remaining individuals. Links that
are higher than a pre-determined likelihood level (calculated from the product of individual at-
tribute likelihoods) are accepted as representing predictions of new links [183]. Constraints on how
to visualize the predicted links are used to emphasize paths, previously reaching the leadership
figures through Pavlos Serifis and predicted links not directly related to the removal of Pavlos
Serifis. The evidence that the inferences are based on includes all the individuals in the sampled
network as well as other individuals that the investigators might think could be related to N17,
216
Figure 14.7: The ‘what if’ question editor.
but are not sure how and who specifically are related to.
When the predicted links are shown, the investigators will evaluate whether or not this was a
useful result. The evaluations is based on the change in degree centralities (step 6 ) and their
general observation of changes. The investigators are prompted to either append the predicted
links to the network or simply discard the results as shown in Figure 14.8 (step 7 ). If satisfied
with the result, the investigators can retrieve a pdf report from system, as documentation of their
work and as background for dissemination of the results (step 8 ).
The Greek terrorist group November 17
To demonstrate the implementation of the developed algorithm, we use a criminal network of the
(believed defunct) Greek terrorist group November 17 (N17) that was derived from open source
reporting [112]. The N17 group was a small close knit organization of 22 individuals with 63
links out of a potential 231 links. There were three main factions within the organization; 1st
Generation Founders faction, the Sardanopoulos faction, and the Koufontinas faction. The links
of the dataset indicate that open source reporting has demonstrated some connection between the
two individuals at some point in the past, but no specific weightings of the links are indicated.
We use a sampled version of the N17 network in which 50 percent of the links are removed (Figure
14.9). Relevant hindsight about N17 is that Nikitas, Alexandros Giotopoulos, and Anna were
leaders and key individuals within the 1st Generation Founders faction. We want to test if indi-
viduals connected to key individuals through one or more go-betweens will be directly connected
after removal of the go-between node(s). Figure 14.9 shows three individuals indirectly connected
with the three key leaders.
The attribute data for each individual is presented in [184]; the missing links algorithm [183] has
been extended by the addition of a degree centrality attribute. This additional attribute is a
measure of how many links each individual node in the network has. Individuals are classified
according to their level of degree centrality (high, medium, or low).
Results
The removal of Pavlos Serifis from the partially observed N17 network resulted in the criminal
network shown in Figure 14.8. Red lines indicate predicted links that previously were indirect
(length 2), with Pavlos Serifis as the go-between. In this case only two of them are present in
the complete N17 network (see [184]) and could indicate a change in the network structure where
Anna plays a more important role: Anna is now directly connected with five additional individuals
(L = leader, O = operational): Nikitas (L), Dimitris Koufontinas (L), Christodoulos Xiros (L),
217
Figure 14.8: Secondary effects and new degree centralities caused by the removal of Pavlos Serifis
from the N17 network.
Figure 14.9: Annotated, partially observed N17 network [183].
218
Constantinos Karatsolis (O) and Sardanopoulos (L). Constantinos Karatsolis is connected to three
more individuals: Sardanopoulos (L), Patroclos Tselentis (O), and Anna (L). Green links are true
positives according to the full N17 network and we therefore consider these links unrelated to the
removal of Pavlos Serifis. However, the true positives have an impact on the degree centrality of
the nodes they connect and they could be valuable as potential new leads.
The degree centrality of each node is displayed in the algorithm view on the right in Figure 14.8 -
initially to decide which node to remove and later to show the change in degree centrality of each
node after node removal. The evolution of degree centrality for each node is shown in Table 14.4.
The red square indicates the individual with the highest degree centrality at network changing
steps of the node removal algorithm, including that of the full N17 network, from which the
sampled version used in this paper, was created.
Table 14.4: Degree centrality of each node after network changing steps of the node removal
algorithm.
Creating hypothesis based on interpretation of results (secondary effects)
Generating hypotheses and possibly competing hypotheses is a core task of criminal network in-
vestigation that involves making claims and finding supporting and opposing evidence [174]. In
the presented scenario, we were interested in individuals who utilized one go-between to connect to
leadership individuals, but after removal of the go-between node they would be directly connected.
Without considering the hindsight information about the leadership individuals, we create a hy-
pothesis based on our interpretation of the centralities presented in Table 14.4 and the probable
new links in Figure 14.8.
Constantinos Karatsolis achieves the third highest centrality, and inherits three of Pavlos Serifis’
previous links significantly increasing his importance within the network and he could potentially
be upgraded from an operational member of N17 (his original role) to leadership member (maybe
inherited after Pavlos Serifis). Anna’s degree centrality changes from the second lowest (2) to the
second highest (7), and she apparently inherits four of Pavlos Serifis’ previous leadership links
as well as one inferred link to an operational individual. We conclude that Anna is part of the
highest ranking leadership individuals as compared to the partially observed N17 network where
she might be considered a simple operational person, if no other information than the criminal
network is available.
219
To summarize, Anna and Constantinos Karatsolis are two individuals we would subject to further
surveillance after removing Pavlos Serifis. As mentioned earlier, decision-making with the severity
and impact of removing an individual will not be made based on for example a single centrality
measure. However, the purpose of this work was to demonstrate CrimeFighter Investigator support
of investigators asking ‘what if’ questions about node removal in criminal networks.
Discussion
A number of problems related to the current approach need to be discussed. First of all, the
N17 criminal network data is more or less complete (only three attribute values are missing).
Feedback from intelligence analysts working with ongoing investigations informs us that attribute
information is typically much sparser (see end user interviews in Section 15.2) and the overall
number of attributes is lower than for the N17 criminal network. We are making a prediction
that we currently cannot test or validate against any (open source) ground truth data. Currently,
we have no assessment of the performance of the custom node removal algorithm84 . Whilst the
results are plausible, and the prediction part of the algorithm has produced good results in other
contexts [183,184], a direct measure of the veracity of the node removal predictions is lacking. The
issue of scalability is particularly relevant for the open source intelligence community where larger
networks are often the consequence of web harvested data sets. Larger networks present different
challenges. The number of individuals, links between them and attributes are much larger. The
prediction algorithm is scalable, but there will be additional difficulties arising from visualizing
the results of computations on larger networks than the example in this work flow.
This work on node removal is based on bits and pieces of other work and it would be fair to ask
the following question: “What are the benefits of a node removal algorithm versus predicting new
links when analyzing criminal networks?” The main difference is the specification and management
of criminal network investigation work flows using the question editor. The custom made node
removal algorithm represents a more specialized work flow compared to the prediction algorithms.
The option to select the specific nodes that the investigator wants to include in the analysis of
secondary effects is an example of this. Furthermore, we consider the work with node removal
the first steps toward combining existing algorithms into new custom made algorithms, which is
an important criminal network investigation task assisting criminal network investigators to build
support for more specialized work flows themselves.

We have presented a knowledge management and hypertext based approach to visualization of
probable secondary effects after node removal by providing investigators with an option to ask
‘what if’ questions about criminal networks. We consider this work a first step toward support
of custom made algorithms for criminal network analysis. A node removal algorithm has been
proposed together with partial support of the algorithm based on the following building blocks:
A ‘what if’ question editor lets investigators manage the constraints (e.g., specific changes in
path distance), visual symbols (e.g., color and link thickness) and other question settings. The
automation of criminal network synthesis tasks, facilitating intuitive and fast removal of a node
and associated links, and two perspectives: inference-based prediction to detect new probable links
between nodes and social network centrality measures to observe changes in node importance.
Currently the node removal algorithm steps 1, 3, 4, and 7 are fully supported. Furthermore, we
provide 2 perspectives supporting the exchangeable part of the algorithm (step 5 and 6). Selection
of the nodes of interest (step 2) and dissemination of results (step 8) are not supported. In our
future work, we will address the following functional requirements to achieve full support of the
proposed node removal algorithm:
Link weights. All links are not equally important and with weights investigators could
discuss “broader theories as to the impact of culture on social relationships, and narrow
220
CHAPTER 14. WORK FLOW SUPPORT 14.3. INVESTIGATING LINKAGE
theories concerning the definitions of specific relationship indicators, like what should be
weighted more; relations based on common economy between two actors or common blood”,
as one reviewer of our node removal support noted.
Missing key players. An algorithm, to predict the presence of missing key players has
been proposed by Rhodes (2011) [182]. It is planned to include this in a future version of
CrimeFighter Investigator.
Removing multiple nodes. Supporting the removal of node groups would be an inter-
esting and relevant feature. In larger networks it may be desirable to focus attention on a
larger number of specified individuals in sub-networks or communities.
Report generation. Generation of a report with all node removal results and calculations
is required to support step 8 of the proposed node removal algorithm (dissemination of
results).
Furthermore, requirements for evaluation of the node removal algorithm will also be addressed in
future:
Scalability. In order to evaluate the relevance of this work for the open source intelligence
community, we have to test scalability of the proposed method. With its 22 nodes, the N17
network is far from the sizes that are to be expected.
Datasets. We will test node removal on more realistic versions of the N17 dataset as well as
other open-source datasets with varying attributes, size (in terms of nodes and links), and
other complexity (such as aliases, etc.
Human-computer interface. CrimeFighter toolbox philosophy [14] and our research focus
requirements dictate that humans (investigators) must control the tools. Adhering to this
philosophy, we will improve the interface of the ‘what if’ question editor by adopting the
spatial drag-and-drop approach normally utilized by CrimeFighter Investigator.
14.3 Combining prediction and social network analysis for

investigation of linkage between DNRI and AQAM
The purpose of this work flow scenario, besides testing our main hypothesis, is to demonstrate how
the calculations are not the hard part of criminal network analysis; the challenge is to find a good
way to use the data and understand it. The scenario is inspired by previous criminal network sense-
making work (e.g., see [169]) and describes a proactive investigation into potential linkage between
aspiring extremists in a fabricated Danish network of radical Islamists (DNRI) and al-Qaeda and
affiliated movements (AQAM). The scenario is centered around AQAM’s role in plots in Europe
[65–67,92,111,154,188,189,219,235,236], and various aspects of violent Islamist radicalization such
as radicalization phases, root causes, and violent online radicalization [29,48,49,203,234,236,241].
The DNRI network is based on open sources about violent radical Islamists in Denmark and
especially the younger individuals aspiring to join their cause, and in some cases were very close
to do so [208]. Another source of information were newspaper articles about the recently thwarted
terrorism plots in London [126, 231] (September 2010), Norway [12, 135] (December 2010), and
Denmark [196] (December 2010). The DNRI network is based on the assumption that the Danish
intelligence services (both foreign and domestic) are monitoring individuals inside Denmark who fit
this description, or Danish citizens traveling to other parts of the world participating in activities
that could lead to further radicalization. A total of 52 individuals and 170 relations have been
fabricated. The fabricated part of the DNRI network is divided into three bridges, while a fourth
bridge with the personal relations of violent radical Islamists (family, friends, colleagues, etc.) is
left empty.
221
14.3. INVESTIGATING LINKAGE CHAPTER 14. WORK FLOW SUPPORT
The AQAM data set contains elaborate meta data information on 366 individuals. It is a 2003
snap shot of AQAM and is not updated according to the time of the scenario (January 2011). The
network information was gathered from public domain sources: “documents and transcripts of legal
proceedings involving global Salafi mujahedin and their organizations, government documents,
press and scholarly articles, and Internet articles” [188]. We have included acquaintance, friend,
and post joining jihad relations, all with the same weight. In total, the AQAM network used has
999 links.
It is important to note that the vast majority of EU-wide terrorist attacks in 2010 were carried
out by traditional separatist terrorists and not violent radical Islamists [49]. More precisely, three
Islamist terrorist attacks were carried out within the European Union. However, 249 terrorist
attacks in total were reported, and of 611 arrests for terrorism-related offenses, 89 individuals
were arrested for the preparation of attacks. Islamist terrorists continue to undertake attack
planning against member states, as Europol concludes in their EU Terrorism Situation and Trend
Report 2011 [67].
14.3.1 The work flow scenario

It is January 2011, and Mark enters the office as usual. He has been working for the al-Qaeda
section of the Danish counterterrorism unit (Danish CTU)85 since late 2000. The section is daily
assessing the risk that al-Qaeda associated or affiliated movements (AQAM) will strike the Danish
homeland and they use CrimeFighter Investigator for different work tasks.
Mark and his fellow investigators have been synthesizing a chronology of AQAM related terrorism
plots in selected European countries. The time line provides them with an interactive overview of
all the plots (entities). Clicking one entity will open the corresponding CrimeFighter Investigator
information space, showing the networked information related to the case. They can organize
the entities spatially, and filtering is applied to only show the desired information (date, name,
country, and type) and highlight Danish plots with a red color. The time line is shown in Figure
14.10.
Mark’s area of expertise is terrorism information structures and how they evolve over time. He
has studied existing literature on AQAM structure and organization primarily in Europe. From
Sageman (2004) describing the global violent radical Islamism (phase 1-2) [188] and how European
terrorist networks are radicalized and associated with AQAM, over Nesser’s profile of AQAM
terrorist networks in Europe [154] to the most recent fourth phase of plots and attacks [236].
The fourth phase of terrorism plots in Europe (from about 2006 to present) is characterized by a
bottom-up approach defined as linkage, in which terrorist networks get associated with AQAM in
different ways. They are not recruited by AQAM or other transnational networks. However, in
the majority of plots (about 75%) the plotters worked independently (and amateurishly), while
about one third were hybrid plots connecting to AQAM. But the hybrid plots pose a higher
security risk and they represent about 50% of the most lethal plots. Other characteristics of
the homegrown fourth phase jihadist networks and individuals include: a much higher degree of
violent online radicalization (e.g., YouTube, Facebook, and Twitter, forums, and blogs) or printed
media (e.g., Inspire magazine published by al-Qaeda), and lack of uniformity in the attributes of
the networks operating on the ground. The novelty of the fourth phase is the increased linkage
from European terrorist networks to AQAM. Finally, these characteristics of terrorist networks
also differ significantly from country to country and, in many cases, within each country from
region to region and from city to city. Marks analysis of the evolution of terrorist network cells in
Europe is outlined in Figure 14.11.
The recent arrests in September and December 2010 just confirmed Mark’s analysis of 4th phase
plots: the London Stock Exchange plot, the Oslo plot, and the Denmark/Sweden Jyllands-Posten
plot. Mark believes strongly in the bridging concept (connecting two network clusters) and the
novel observation of bottom-up linkage in European terrorist networks as opposed to top-down
recruitment. Mark is certain that if a radicalized individual has a large network of close and
222
Figure 14.10: (mock-up) CrimeFighter Investigator timeline view with all plots against targets
inside Denmark, Sweden, Norway, United Kingdom, and Germany from January 1, 2006, to
December 31, 2010 [236].
Figure 14.11: Evolution of terrorist networks in Europe from 1990 to 2011.
223
likely-minded friends and relatives, other members for a future network cell could come from that
group of people. Mark decides to use a measure of betweenness centrality as an extra condition
for predicting links between two individuals in adjacent bridges. He thinks that if an individual
is peripheral to a network in terms of betweenness centrality, the probability of linkage from this
individual to an individual in the bridge above is low.
Mark starts creating his prediction model by first dividing the violent radical part of the DNRI
network under surveillance into three bridges. He places the relations (who are not known to be
violent radicals) of these individuals in a fourth bridge. Mark thinks there is a potential for top-
down recruitment, where violent radical Islamists could radicalize family, friends, or colleagues in
Bridge 4 because of their close ties. Mark’s classification of individuals in Bridge 1 to 3 is shown
below.
Bridge 1 contains individuals that can provide ideological approval of violent radical Is-
lamism and linkage to AQAM. Mark places known radical Islamic scholars in this bridge.
Retired violent radicals and other individuals who received operational training could provide
linkage to AQAM because of their skills or knowledge about previous operations. Established
al-Qaeda media individuals are also placed in Bridge 1.
Bridge 2 is the radical violent milieu in Denmark - self-proclaimed imams, online “celebrity
shayks” who preach violent radical Islamism, and individuals who sell radical Islamist propa-
ganda like books, magazines, CDs, and DVDs etc. Finally, self-established online recruiters
are also made members of this bridge.
Bridge 3 is by volume the largest. Individuals aspiring to become violent radical Islamists
are placed here. This aspiration may have been externalized through online expression of
desire to contribute violently. It could be individuals somehow alienated from society or
otherwise non-integrated (e.g., a group of young individuals living together or meeting in
an apartment). Bridge 3 individuals are often rather entrepreneurial in their approach.
They might be consumers of violent radical online and printed propaganda, or they might
be creating such propaganda themselves, pretending to be an established al-Qaeda media
organization.
AQAM and the four bridges in the DNRI network constitute four sub-networks each containing two
bridges: the ‘Bridge 1 → AQAM’, ‘Bridge 2 → Bridge 1’, ‘Bridge 3 → Bridge 2’, and ‘Bridge 3 →
Bridge 4’ networks. The four networks are encapsulated in collapsed composites. For each of these
sub-networks Mark defines a set of attributes he believes could enable linkage from individuals in
the lower bridge to individuals in the upper bridge:
Bridge 1 → AQAM: Information about previous operations is a relevant linkage attribute

for this bridge, since Bridge 1 individuals might have participated in the same militant
operations in the past. Information about operational training may very well overlap with
the previous operations, but also covers training camps and similar. A school attribute could
indicate that the same madrassas, universities, or other schools have been attended at the
same time. A weapons attribute would cover similar skills in use of weapons; guns, explosives
etc. andiwaal group, albeit an Afghan concept [137, 166], it applies to many societies (tribal,
western, asian, etc.) that if you were part of a group in your teens, you will have strong
relations to those individuals the rest of your life.
Bridge 2 → Bridge 1: Mark decides that family, friend, and school information are linkage
attributes from Bridge 2 to Bridge 1.
Bridge 3 → Bridge 2: Key linkage attributes from Bridge 3 to Bridge 2 are: Local area
in which random meetings could happen, online violent radical milieu meaning what forum,
chat room or social network site the Bridge 3 individual reads and posts comments to, and
who reads it from Bridge 2. Mosque and Sunday school could be other places for random
meetings or radicalizing preachings.
224
Figure 14.12: Mark’s prediction model: the DNRI bridges with linkage and recruitment attributes
in between adjacent bridges.
Bridge 3 → Bridge 4: Mark defines key recruitment attributes from Bridge 3 to Bridge
4 to be: school, hobby, workplace, mosque, and current residence. Mark’s argument is that
the aspiring violent radical Islamists might meet and influence individuals at these places.
Mark decides to use the Oslo, London, and Denmark/Sweden networks, whose plots were thwarted
in late 2010, as the gold standard for his predictions. After feeding these networks to his predic-
tion model, he predicts missing links for each of the four sub networks, and asks CrimeFighter
Investigator to merge individuals with the same names to see if there is probable linkage which
forms networks spanning all bridges. A mock-up of predicted links between the four collapsed
bridges is shown in Figure 14.13.
Mark’s prediction model computes four cells (the second cell is shown in Figure 14.14) to have
linkage potential with AQAM. Before retrieving a pdf report with the information he has requested,
he marks the second cell as being of particular interest, since the predicted links here have the
highest likelihoods of linkage. Plus, the individuals in the network seem to have skills necessary to
carry out a small scale attack. Mark summarizes his findings in an email to his decision-making
superiors and attaches the computed pdf report.
14.3.2 Summary
Mark used his knowledge about terrorist networks in Europe to design a prediction model that
could solve the specific problem at hand. Later, he tailored existing CrimeFighter Investigator
functionality to actually apply his sense-making approach to a network of established and aspiring
violent radical Islamists living in Denmark from which future (terrorist) networks could form and
pose a threat to Danish society.
Mark’s first step towards applying his understanding of these networks was to use CrimeFighter
Investigator synthesis functionality to divide the DNRI network and related individuals into four
bridges, that he believed were actually functioning as linkage bridges. The CrimeFighter Investi-
gator tool helped Mark apply prediction to two bridges at a time, and then compare a centrality
measure of betweenness for each individual in the (possibly) transformed network and in the
original DNRI network.
To disseminate his findings according to his prediction mode, Mark used the CrimeFighter Inves-
tigator report generation feature to create documentation of relevant parts of the sense-making
process and the computed information.
225
Figure 14.13: (semi mock-up) CrimeFighter Investigator showing the AQAM and DNRI bridges
and predicted links between them.
Figure 14.14: (mock-up) One of the predicted network structures as shown in the report generated
based on the prediction model.
226
CHAPTER 14. WORK FLOW SUPPORT 14.4. SUMMARY OF DEPLOYMENTS

Based on the presented work flow scenario and our previous work on criminal network synthesis
and sense-making ( [168, 169, 174–176], we found that:
1. The sense-making algorithms supported by CrimeFighter Investigator are applicable to crim-

inal networks that are synthesized using multiple structure domains. In other words, our
developed computational model, that separates structural models from mathematical models
and is based on a conceptual model of first class entities, works.
2. CrimeFighter Investigator supports both transformative and measuring sense-making algo-

rithms. To achieve this, a structural parser was implemented to provide an interface to these
algorithms.
The novelty of the CrimeFighter Investigator approach to criminal network analysis (synthesis
and sense-making) is the underlying tailorable computational model. Tailorability was (partially)
achieved with a structural parser that provides the user with an interface to customize and com-
bine sense-making algorithms. The approach introduces transparency of the sense-making process
and ownership of the computed information. In our comparison of state-of-the-art commercial
tools and research prototypes and the models they support in Section 15.3, we find that Crime-
Fighter Investigator has better support of first class entities (conceptual model), structure domains
(structural models), and transformative and measuring algorithms (mathematical models).
14.4 Summary of deployments

To test our main hypothesis, we presented three different criminal network investigation work
flows involving multiple acquisition, synthesis, sense-making, and cooperation tasks. We found
that CrimeFighter Investigator, and the concepts, models, and components on which the tool is
based, provides supports for such work flows, and hence support for the premise of our hypothesis.
227
14.4. SUMMARY OF DEPLOYMENTS CHAPTER 14. WORK FLOW SUPPORT
228
Part IV
Evaluation and conclusion
229
CHAPTER 15
Evaluation and discussion
Dr. John McKittrick: “I think we ought to take the men out of loop.”
General Beringer: “Mr. McKittrick, you are out of line Sir!”
WarGames (1983)
Look after the customer and the business will take care of itself.
Ray Kroc, founder of McDonald’s.
We have used three methods for our evaluation: first method is capability comparisons of criminal
network investigation task support and support of conceptual, structural, and mathematical mod-
els. The second method is interviews with potential end users providing feedback on relevance of
tasks (usability for their particular work), and the third method is measures of performance for
our developed techniques.
To understand how we have evaluated our developed processes, tools, and techniques for criminal
network investigation, it is necessary to first understand the relations between criminal network in-
vestigation challenges, our main hypothesis, the research focus requirements, the criminal network
investigation tasks, and the evaluation methods. The relation between challenges, hypothesis, and
requirements is straight forward: we chose three criminal network investigation challenges, based
on which we framed our hypothesis. For each of the three challenges we defined a set of require-
ments to guide our research - if those requirements are met, the problems associated with each
individual challenge would be met, and ultimately the impact of the related challenge on criminal
network investigation would be reduced. Now, some of our evaluation methods evaluate support
of criminal network investigation tasks and others evaluate support of research focus requirements
(explained below). We therefore need a mapping between the tasks and the requirements, since we
would like to summarize all three evaluation methods according to their support of the research
focus requirements. Our task to requirement mapping is presented in Figure 15.1, where a line
between a task and a requirement indicates that support of the task is equal to support of the
requirement. It should be noted, that support from more than one task is typically required to
achieve the desired support of the research focus requirement.
As mentioned, the evaluation methods evaluate either criminal network investigation tasks or
research focus requirements. One capability comparison focuses on support of criminal network
investigation tasks (see Section 15.3.1), and we interpret support across tasks as support of the
hypothesis (which we tested in Chapter 14). A second capability comparison evaluates support
of conceptual, structural, and mathematical models (see Section 15.3.2). The mapping between
231
CHAPTER 15. EVALUATION
232
Figure 15.1: Mapping research focus requirements to criminal network investigation tasks: a line between a task and a requirement indicates that
support of the task is support of the requirement.
Figure 15.2: Mapping research focus requirements to conceptual, structural, and mathematical
models: a line indicates that support of the model is support of the requirement.
each model and our research focus requirements is shown in Figure 15.2, where a line indicates
that support of the model is equal to support of the requirement.
End user interviews provided us with an initial qualitative evaluation of criminal network investi-
gation tasks (see Section 15.2). Measures of performance for our extension of centrality algorithms
and the transformative predict missing links algorithm evaluate research focus requirements, and
the mapping between requirements and measures of performance can be seen in Figure 15.3, where
a line indicates, that if a measure of performance is good, then it is supporting the requirement.
Our research has focused on developing new concepts for criminal network investigation, and
our methods for evaluation have been designed to evaluate those concepts. Consequently, our
software development approach has been based on “proof-of-concept” prototyping, and involved
the integration of criminal network investigation processes (primarily synthesis and sense-making)
by applying a variety of technologies, such as software systems engineering, hypertext and various
mathematical models for computational support. Because of this integration of processes, we
apply the three mentioned evaluation methods (end-user interviews, capability comparisons, and
measures of performance). But we also review the importance post-crime data sets because they
have been our main source of evaluation data (both for synthesis and sense-making evaluation)
and we therefore found it necessary to describe their relevance as opposed to pre-crime or real-time
crime criminal networks (see Section 15.1). We present usability feedback gathered from semi-
structured interviews with a number of end-users from various criminal network investigation fields
(see Section 15.2). We have compared the capabilities of CrimeFighter Investigator with other
leading commercial tools and research prototypes for criminal network investigation (see Section
15.3). Finally, we have evaluated the sense-making algorithms using measures of performance
found relevant for the intended use of CrimeFighter Investigator (see Section 15.4).
233
15.1. POST-CRIME DATA AND INFORMATION CHAPTER 15. EVALUATION
Figure 15.3: Mapping research focus requirements to measures of performance. A line indicates,
that if a measure of performance is good, then it is supporting the requirement at the other end
of the line.
15.1 Post-crime data and information about criminal net-

work investigations
Obtaining data for testing criminal network investigation tools is an obstacle for much security
informatics research, especially when focusing on synthesis, sense-making and dissemination86 .
One option would be to have access to first-hand evidence, but “it is very difficult to get first-
hand evidence of crimes while they are being perpetrated - an observer would most likely be
legally required to try to prevent the crime rather than letting it take place” [30]. It is however
often preferred to take proactive measures, (e.g., be able to act before a bomb explodes), and we
would benefit more from a first-hand witness account of all the steps leading up to a crime being
perpetrated, but it is often not possible for researchers to follow such investigations (according to
our experience).
A secondary option would be to gain access to classified information (secret intelligence such
as human intelligence and technical intelligence, see Section 5.8) directly from the intelligence
agencies - some of which might be real-time and other from for example human sources, who
might have infiltrated criminal groups to follow their planning of crimes. But as we will discuss in
Section 15.6.2, such cooperation between the Danish intelligence services and academia does not
exist to our knowledge.
That leaves researchers in the field of criminal network investigation with the option typically
resorted to: building their own data sets based on publicly available sources of information (open
source intelligence)87 or using already existing data sets of past crimes and attacks. And open
source intelligence has actually been quoted to provide 80% of the relevant information in all-
source analysis [214] (with secret intelligence providing the gold nuggets connecting that relevant
information). Collecting and processing open source intelligence can however be a very time
consuming task, which is why researchers are developing tools that can automatically harvest
and pre-process information to assist criminal network investigators in their work. But automatic
harvesting and processing cannot be applied to all open information sources, and investigators are
almost always required as part of the process.
But why do criminal network investigation researchers want synthesized criminal networks in
234
CHAPTER 15. EVALUATION 15.1. POST-CRIME DATA AND INFORMATION
Figure 15.4: How post crime data and information can be used for two very different types of
evaluation, either directly for computational evaluation, or indirectly for usability testing through
the synthesis of the post crime data and information as the data and information emerged and
evolved in the criminal network investigation.
the first place? Because we use post-crime data, often referred to as data sets, for evaluation of
acquisition and algorithm based sense-making investigation tasks. These data sets are, to a certain
extent, synthesized, complete data sets. We use post-crime information about how information
structures emerged and evolved throughout the criminal network investigation for testing the
synthesis functionality of our tool. Finally, we use post-crime information about investigations for
requirement generation (i.e., criminal network investigation tasks) as well as validation (evaluation)
of requirements.
To be able to say that a tool can be used for usability testing through the synthesis of the post
crime data and information as the data and information emerged and evolved in the criminal
network investigation, we would first have to establish that synthesis is equivalent to a certain
degree to the actual real-time synthesis of criminal networks (illustrated in Figure 15.4). We
describe our first steps toward establishing this below, in Section 15.1.1.
15.1.1 Comparing post-crime data set creation and real-time investiga-

tion
Synthesizing criminal networks post crime based on multiple sources resembles, to a certain degree,
the process of initially synthesizing the actual criminal network during real-time investigation. You
gradually learn more and more about the criminal network under investigation - structures emerge
and evolve. It would therefore be relevant to task some one with synthesizing a post crime network,
e.g., the Daniel Pearl network (see Section 3.5.1), based on open sources. The hypothesis for this
work would be to test whether or not a tool for real-time criminal network investigation is also
suitable for synthesizing networks after the investigation is concluded, since it is essentially the
same task only with different type of input and output. We would expect to learn two things from
researching such a hypothesis: First, we would know if CrimeFighter Investigator is suitable for
criminal network synthesis of the information in the post crime data, and if the result of this would
be suitable for sense-making and visualization. Secondly, if our first research focus would fail, we
would know what kind of support was missing from CrimeFighter Investigator. Two specific tasks
have been formulated for the synthesis of the Daniel Pearl network:
1. Outline the chronology of events as they were revealed to the investigation team (for each
source independently).
2. Synthesize the networks as presented by each source, together with a network based on all
three sources.
235
15.2. END-USER INTERVIEWS CHAPTER 15. EVALUATION
Secret Public Both

Investigative journalists 0 1 1
Intelligence analysts 1 5 6
Police officers 3 0 3
Research community 0 7 7
TOTAL 4 14 24
Table 15.1: An overview of end users that have been interviewed.
We have done much of this work ourselves and using CrimeFighter Investigator, but doing it in a
more structured way, would allow us to make conclusions about synthesis of post crime criminal
networks and tool support therefore.
15.2 End-user interviews

We have received usability feedback from a number of people investigating criminal networks from
various fields such as investigative journalism, counterterrorism, and policing (see Table 15.1). For
each of the unstructured usability feedback interviews (individuals or groups) we followed three
steps (not always in the listed order): first, we gave a general introduction to and demonstration
of CrimeFighter Investigator. Second, the criminal network investigators were asked to describe
their background and ongoing network investigations. Third, we discussed which CrimeFighter
Investigator features would be useful for the criminal network investigators in their work.
15.2.1 Alex Strick van Linschoten (Trafalgar Square, London)

To exemplify our interview approach we provide extracts of an interview held with historian and
investigative journalist Alex Strick van Linschoten (author of [134]). The example demonstrates
the value of CrimeFighter Investigator usability feedback for both development of future features
and evaluation of existing features. Alex is investigating the alleged links between al-Qaeda and
the Afghan Taliban and he has observed several network characteristics.
Alex’s data set on the Afghan Taliban spans the time-period 1970-2011. As of 2011 the data
set has 500-600 individuals, a network he claims to have memorized. The data set is based
on interviews with Taliban members who were asked who they fought with in the ’80s, their
andiwaal groups (friend groups formed by Afghans when teenagers) and other relations. Reports
on Afghanistan by the International Security Assistance Force (ISAF) are also contributing to
the data set. 70 percent of the relations in the network are based on rumors, which is indicated
using relation weights. When Alex interviews Taliban members he notes down attributes such
as ‘name’, ‘date of birth’, ‘place of birth’, ‘tribe’, ‘ethnicity’ and ‘andiwaal group’. Alex uses
Tinderbox [24], a spatial hypertext tool, to record and structure his collected and processed
network information. A snap shot from a Tinderbox investigation is shown in Figure 15.5, showing
“Taliban fronts, commanders and fighters in Panjwayi/Zheray during the 1980s” [134].
Alex works with the network information in a number of different ways and has in general many
ideas for how it could be used. Alex studies the evolution of the network from one time period to
the other (a historical evolution perspective). He believes that knowledge about an individual’s
andiwaal group could be used to predict who that person might be fighting side by side with
in future operations. Alex is searching for different tendencies in the data set like for example
changes in age or gender.
Alex has encountered a number of problems for which he requires specialized tool support, for
instance a social network analysis tool that also supports an actual time line (Tinderbox only
supports snapshots of the network). At the time of interview he is analyzing the network data
236
CHAPTER 15. EVALUATION 15.2. END-USER INTERVIEWS
Figure 15.5: A snapshot of Linschoten’s investigation in Tinderbox [24]: “Taliban fronts, com-
manders and fighters in Panjwayi/Zheray during the 1980s” [134].
to see if there are any important observations that he has missed. Alex mentions that different
layout functionality would be useful for this, e.g., laying out nodes according to betweenness
centrality. Finally, if Alex exports information from Tinderbox [24] to import it into Analyst’s
Notebook [2] to create a special visualization, it is not possible to get that visualization back into
Tinderbox. The interchange of information is not facilitated both ways.
15.2.2 British home office

During a stay as a visiting researcher at Imperial College in London, we presented CrimeFighter
Investigator at the British Home Office [167], followed by a discussion of particular tool features
and current and previously undertaken intelligence analysis work by the British Home Office. Six
intelligence analysts participated in the meeting and to protect their identities we refer to them
as IA1, IA2, etc.
During the demonstration of CrimeFighter Investigator I walked the meeting participants through
a couple of sense-making work flows, applying predict missing links and predict covert network
structure algorithms to the November 17 network. Based on the responses, we found that a higher
degree of work flow transparency would be required, to have the participants ask questions for
particular steps in the work flows, basically to understand what is going on. The questions and
statements from the meeting participants were of a much more general nature, and some of them
referred to tasks not within my focus areas such as web harvesting (see below). The questions and
statements included:
IA1: “We typically have much less data, or not so many attributes, as it was the case in
the November 17 network you presented”.
IA2: “Would it be possible to do predictions on hierarchical links (i.e., links from a space
237
15.3. CAPABILITY COMPARISONS CHAPTER 15. EVALUATION
to a sub space)? And would it be possible to represent such structures in CrimeFighter

Investigator?”.
IA3: “We would really like to be able to process large amounts of data and generate networks
based on that.”
IA3: “What I have seen the last five to six months, was a tool where you could link a person
to a location and say, okay this person participated in a meeting here, and this other person
was on the location in this and that time span; what is it the chance that they have spoken?”
IA3: “It is a bit mischievous, but it could be interesting to import the information about 7/7
which we had back then about individuals in the milieu to see if the algorithms could predict
what would happen, that is, what individuals where involved in the planning”.
IA4: “Is it possible to collect network information from youtube and other accounts?”.
Based on this, we found it interesting that, given the current focus areas of the British Home
Office, they seemed very interested in the adaptive modeling approach, rather than the prediction
techniques presented at the meeting.
15.2.3 Summary
Besides the two usability feedback interviews described in Section 15.2.1 and 15.2.2, we also had
unstructured interviews with Danish law enforcement police detectives, intelligence analysts, and
a financial fraud expert at the i2 end user conference in Brussels 2010. Finally, we had discussions
and talks with high-level researchers at security informatics and hypertext conferences. The end
user interviews are summarized in Figure 15.2, where it is indicated whether or not each individual
criminal network investigation task was found to be relevant for support in a tool for criminal
network investigation. The end user interviews are discussed and further summarized in Section
15.6.3.
15.3 Capability comparisons

We have carried out two capability comparisons, one based on the criminal network investigation
tasks presented in Section 7.2 and the other is based on support of first class entities, selected
hypertext structures, and transformative and measure algorithms (see Section 8.1, 5.1, and 8.2).
In both cases, CrimeFighter Investigator is compared to the tools and prototypes reviewed in
Chapter 4.
15.3.1 Criminal network investigation task support

The evaluation and comparison of the selected tools was made based on the identified tasks for
criminal network investigation. A thorough examination of each tool has been made by the
authors based on the available research literature, books, manuals, and other publicly available
information. The results can be seen in Table 15.2.
Each tool is rated against each task in the list. A judgment has been made whether the tool
provides full support, partial support, or no support for the task. This is indicated by different
icons in the table. Based on the support for individual tasks, each tool has been given a score
for each process based on a judgment of how many of the tasks that they support. This score
is between 0 (no support), 1 (fragmentary support), 2-4 partial support, and 5 (full support).
Fragmentary support means that the core task is in theory supported by the tool through the
combination of various features, but it is found to be too time-consuming to be really useful. We
discuss the capability comparison of tasks in Section 15.6.4.
238
ACQUISITION
Acquisition methods
Dynamic attributes
Attribute mapping
SYNTHESIS
Entities
Associations
Re-structuring
Grouping
Collapsing & expanding
Brainstorming
Information types
Emerging attributes
SENSE-MAKING
Retracing the steps
Creating hypotheses
Adaptive modeling
Prediction
Alias detection
Exploring perspectives
Decision-making
Social network analysis
Terrorist network analysis
DISSEMINATION
Storytelling
Report generation
COOPERATION
Shared information space
Emergent collaboration
Shared work flows
CAPABILITY COMPARISON
Analyst’s Notebook 8.5 3 2 1 3 2 ◦ ◦ ◦
Palantir Government 3.0 4 3 3 4 4 ◦ ◦ ◦

Xanalys Link Explorer 6.0 4 2 1 2 3 ◦ ◦ ◦
COPLINKa 4 2 1 2 2 ◦ ◦ ◦
Namebase.org 0 1 1 1 0 ◦ ◦ ◦
Mindmeister 2 4 1
2 4 ◦ ◦ ◦
Simple tools 1 3 1 1 2 ◦ ◦ ◦
Aruvi 2 1 2 3 2 ◦ ◦ ◦
239
Sandbox 2 3 2 2 3 ◦ ◦ ◦
POLESTAR 3 2 2 1 3 ◦ ◦ ◦
CrimeFighter Investigator 2 4 4 3 2 ◦ ◦ ◦
END USER INTERVIEWS
Investigative journalism + + + − + + − − + − − − + − + − − − + ◦ + − ◦ ◦ ◦
Counterterrorism + + + + + + − + − + + + + + + + + − + ◦ − − ◦ ◦ ◦
Policing + + + + + − − − − + − + + − − − + + + ◦ + + ◦ ◦ ◦
Researchers & Industry + + + + + + + + + + + − − − + − − − − ◦ − − ◦ ◦ ◦
Capability Comparison legend - investigative processes (0: no support, 1: fragmentary support, 5: full support) investigative tasks (: supported, :
partially supported, : not supported). ◦ indicates that specific cooperation tasks were added after the capability comparison was complete.
End user interview legend indicates criminal network investigation tasks not relevant for the evaluation method. + indicates the relevance of supporting
the task for the given profession and a − indicates the opposite. ◦ means that the task was added after the interviews
Table 15.2: An overview of the capability comparison of CrimeFighter Investigator, the end user interviews, and the criminal network investigation
processes and tasks the tool was evaluated against.
a Based on a combined evaluation of the three modules COPLINK Connect, Detect, and Collaboration as well as the COPLINK criminal network analysis tool CrimeNet
Explorer (previously CrimeLink Explorer).

15.3. CAPABILITY COMPARISONS
15.4. MEASURES OF PERFORMANCE CHAPTER 15. EVALUATION
Figure 15.6: Proposed computational modeling concepts and their interrelationship.
15.3.2 Capability comparison of the computational model supported

For this capability comparison we will assess state-of-the-art according to tailorability of the com-
putational model. We have previously defined ownership of information and transparency of
process to be direct results of tailorability, meaning the ability to extend and customize exist-
ing functionality for a specific purpose. In our chosen approach, we claimed that the level of
tailorability depends on the computational model. We proposed a computational model that sep-
arated structural and mathematical models, both utilizing a conceptual model offering three first
class entities.
The evaluation and comparison of the selected tools was made based on the concepts developed
for our approach to criminal network sense-making. These concepts are summarized in Figure
15.6. At the center is tailoring, a concept that facilitates extension and customization of struc-
tural and mathematical models. Tailoring leads to transparency of the sense-making process and
ownership of sense-making computed information. Transparency and ownership increases trust
in the provided information, which will increase the likelihood of that information being used for
operational or other decision-making.
A thorough examination of each tool has been made by the authors based on the available research
literature, books, manuals, and other publicly available information. The results can be seen in
Table 15.3.
Each tool is rated against each concept (model) and sub-concept in the list. A judgment has been
made whether the tool provides full support (), partial support (), or no support () for this
concept, indicated using the shown icons in the table. Based on the support for individual sub-
concepts, each tool has been given a score for each concept (conceptual model, structural models,
and mathematical models) based on a judgment of how many of the sub-concepts that they
support. This score is between 0 (no support), 1-2 (fragmentary support), 3-7 (partial support),
and 8-9 (full support). Fragmentary support means that the core concept is in theory supported
by the tool through the combination of various features (not the listed sub-tasks), but it is found
to be too complicated to be really useful in terms of tailorability. We discuss our comparison of
model capabilities in Section 15.6.4.
15.4 Measures of performance

We have developed measures of performance (MOPs) for the algorithm-based techniques that
CrimeFighter Investigator supports, also referred to as criminal network sense-making. We first
calculate measures of performance for our extended centralities, and then we describe the de-
velopment and subsequent test of three MOPs for the transformative predict missing links work
240
CHAPTER 15. EVALUATION 15.4. MEASURES OF PERFORMANCE
POLESTAR
COPLINK
XLE 6.0*
CFI 1.0*
Sandbox
AN 8.5*
PG 3.0*
Aruvi
Conceptual model 5 7 5 2 5 7 7 8
First class information elements
First class relations
First class composites
Structural models 4 7 5 2 5 6 7 8
Navigational structure
Spatial structure
Taxonomic structure
Mathematical models 5 5 5 0 2 0 0 7
Transformative**
Measuring
Table 15.3: The authors’ assessment of computational modeling concepts *(AN = Analyst’s Note-
book, PG = Palantir Government, XLE = Xanalys Link Explorer, CFI = CrimeFighter Investi-
gator), **(Filtering is not included).
flow.
15.4.1 Social network analysis: extending centrality measures

Based on an organized drug crime network and other reviewed cases88 , we define three tool re-
quirements describing investigative needs that we aim to support:
1. When node-link-node associations are not dominant, then semantic associations will reduce
investigation uncertainty by computation of extended centrality measures.
2. Centrality measures for criminal network entities, must support empty endpoint associations
for more accurate results.
3. A combination of several direct and semantic associations can be necessary to support when
computing centrality measures for criminal network entities.
Method
We have tested CrimeFighter Investigator’s support of three tool requirements on a filtered version
of the investigation of an organized drug crime network [10], and a semi-altered version of the same
investigation. We calculate two centrality measures, degree and betweenness, for two conditions,
with and without two designed and implemented associations.
We test the co-location association on an investigation inspired by an organized drug crime network
to evaluate the requirement for support of semantic associations. The investigation had no direct
associations between entities prior to the test. We have filtered out all entities except the close-
up photos (i.e., the blue rectangles) and created an investigation using CrimeFighter Investigator
where individuals are positioned with the same relative distance. All individuals are given numbers
or letters as name, except for the two lieutenants Anton Artis (A.A.) and Roland Brice (R.B.).
The network with the semantic co-location association included is shown in Figure 15.7a and the
calculated centralities are shown in Figure 15.7b.
We have defined the following four information entities used on the investigation board and use
colored rectangles to represent them in Figure 15.8: portrait pictures are blue, large surveillance
241
photos are orange, text cards with meta data about individuals are green, and header text cards
with red text are dark red. Based on this augmentation of the investigation board we observe a
number of semantics. Most obviously all portrait Polaroid pictures are placed below a meta data
text card. Sometimes a surveillance photo is placed next to the portraits. Finally, the investigation
board is divided horizontally into areas by the header text cards placed at the top.
Prior to testing the empty endpoint association we found that empty endpoints rarely occurred
in the investigation we analyzed. Links are used to connect two entities, and even if the contents
of one entity is unknown it is still created as a placeholder. It is unclear whether this is simply
because it does not make sense to work with empty endpoints or if it is because of a structural bias
toward links as simple entity connectors. To test the influence of the empty endpoint association
we have used some of the links from the previous test to create a new test case (see Figure 11.1).
We assume that a number of subgroups have been detected (the four colored composites) and that
the investigators know there is some connection from the main network to each of these subgroups
but it is unclear how and therefore an empty endpoint is positioned next to each subgroup.
To test the requirement for centrality measures to consider multiple associations, we use the same
network as for the empty endpoint requirement (see Figure 11.1). However, this time we test
both the empty endpoint association and the co-location association together. The with condition
therefore means that the algorithm replaces empty endpoints with actual nodes (placeholders) and
creates links between co-located nodes that are not already directly associated.
Summary of results
Testing the requirement for semantic associations illustrated how centrality measures can be ap-
plied to spatial network structures using a co-location association. It is evident that when no
relations exist in an investigation prior to analysis, there is a need to define associations between
entities in a different way if the investigators want to calculate node centrality to deal with the
uncertainty of an ongoing investigation. We see that degree centrality indicates the individuals
on the right hand side in Figure 15.7b as central to the network (e.g., 9, 6, 8, and 10), but they
are of little importance, when considering betweenness. At the same time degree doesn’t point
to the two lieutenants A.A. or R.B. as key players like we expected. We therefore find that one
should be careful with considering spatial co-location as a measure for network degree centrality.
Betweenness centrality clearly points to A.A. and R.B. as key players in the network together
with individual 2. Given the results of our two other tests it is also interesting that individual 5
is placed in top four in terms of betweenness.
When we tested the empty endpoints requirement we found that the measure of degree centrality
provides investigators with no clear tendencies, although it more strongly indicates individual F, D,
A.A., and 3 as central to the network. The betweenness results more distinctly point to A.A. and
R.B. when including the empty-endpoints association. We also observe that individual 2 is ranked
as fourth instead of seventh which is a more realistic depiction of this individual’s betweenness in
the network. Individual 5 has the highest change in betweenness when including empty endpoints,
making him an interesting subject for further investigation. As mentioned earlier, it would be
possible to model empty endpoints using information element placeholders until the content of the
empty endpoint is known. This also means that traditional social network analysis measures of
centrality could be applied. We therefore recommend to test if empty endpoints have higher value
for restructuring tasks during synthesis than for centrality algorithms.
Our test of the requirement for support of multiple associations was successful in terms of extending
two measures of centrality with more than one association from our topology. But for the test
investigation the test results did not add much investigative value. The inclusion of both empty
endpoint and co-location associations connects all entities in the criminal network through the
empty endpoints (individual 5 is connected to individual 6 and 12, individual F to individual H,
and individual A.A. to individual M). This makes the degree and betweenness centrality of key
nodes without the associations less distinctive. The numbers are flattened because the information
242
CHAPTER 15. EVALUATION 15.4. MEASURES OF PERFORMANCE
al-Qaeda November 17
version → full full id 1-20 full full
sampling → 100% 25% 50% 100% 50%
Nodes 366 256 15 22 17
Attributes 17 17 17 11 11
Complexity* 9.53 9.53 9.53 2.09 2.09
Links 999 249 18 63 32
Link density 0.015 0.008 0.17 0.27 0.24
*Complexity indicates the average number of
enumerated values for each entity attribute.
Table 15.4: The November 17 and al-Qaeda datasets.
elements in the subgroups achieve higher measures of betweenness centrality with the associations
included. The most interesting result for this final test was that the degree and betweenness
centrality of individual 5 is increased considerably when the associations are added. Together,
our three requirement tests have shown that measures of centrality extended with novel types of
associations provided new insights into two organized crime networks that traditional centrality
measures could not provide. Most important result was that the centrality of individual 5 was
increased in all three tests. Individual 5 was not known to be a central entity in the network
before the tests.
15.4.2 Predict missing links algorithm

Our measures of performance (MoPs) for the predict missing links algorithm focus on the internal
structure, characteristics, and behavior of the CrimeFighter Investigator sense-making sub-system.
We have developed three measures that helped us answer questions about how the CrimeFighter
Investigator predict missing links algorithm performs in terms of information volume, attribute
completeness, and attribute accuracy. In the longer term, these MoPs will help us build a process
that criminal network investigators can have confidence in, going before a decision maker [216].
We need to make sure that algorithm supported sense-making tasks can perform on the criminal
networks that investigators are dealing with on a daily basis. More specifically, we want to evaluate
if the integration of synthesis and sense-making tasks is feasible.
To test the developed algorithm, we use two criminal networks: November 17 and al-Qaeda. The
data set of the (believed defunct) Greek terrorist group November 17 (N17) was derived from open
source reporting [112]. The N17 group was a small close knit organization of 22 individuals with
63 links out of a potential 231 links. The links of the dataset indicate that open source reporting
has demonstrated some connection between the two individuals at some point in the past, but no
specific weightings of the links are indicated [184].
The second dataset is the al-Qaeda network (2003). All the network information was gathered
from public domain sources: “documents and transcripts of legal proceedings involving global
Salafi mujahedin and their organizations, government documents, press and scholarly articles, and
Internet articles” [188]. We have included acquaintance, friend, and post joining jihad relations,
but the algorithm does not differentiate between them. Nuclear family, relatives, religious leader,
and ties not in sample links are excluded from our version of the data set.
We use sampled versions of the full networks for our evaluations and the topology of all networks
are presented in Table 15.4. The sampled networks are created by removing either 50 or 25
percent of the links in the network and then see what is left. The number of nodes and links
are inherently an issue for performance. The number of attributes that each node has does not
impact the performance of the ‘missing links’ algorithm since tests are run with four attributes
every time. We define the complexity of node attributes as the average of valid enumerated values
243
Data set → November 17 al-Qaeda

L Cutoff 2.5 2.5
Attribute 1 Role Children
Attribute 2 Faction Clump
Attribute 3 Resources Fate
Attribute 4 Degree centrality Degree centrality
Table 15.5: Algorithm setup for the November 17 and al-Qaeda data sets.
Data set Version Sampling Time (s) TP*# TP% FP*# FP%
“Original” data set
November 17 (full) (50%) 0.219 9 42.9 12 57.1
100% al-Qaeda (id 1-20) (50%) 0.078 7 35.0 13 65.0
al-Qaeda (full) (25%) 63.093 288 4.9 5547 95.1
Attribute accuracy
November 17 (full) (50%) 0.235 5 35.7 9 64.3
90% al-Qaeda (id 1-20) (50%) 0.79 6 46.2 7 53.8
al-Qaeda (full) (25%) 37.562 165 5.1 3052 94.9
November 17 (full) (50%) 0.124 1 16.7 5 83.3
70% al-Qaeda (id 1-20) (50%) 0.62 5 45.5 6 54.5
al-Qaeda (full) (25%) 24.656 167 5.0 3171 95.0
Attribute completeness
November 17 (full) (50%) 0.282 5 45.5 6 54.5
90% al-Qaeda (id 1-20) (50%) 0.094 7 41.2 10 58.8
al-Qaeda (full) (25%) 41.344 197 4.8 3939 95.2
November 17 (full) (50%) 0.531 5 45.5 6 54.5
70% al-Qaeda (id 1-20) (50%) 0.079 5 41.7 7 58.3
al-Qaeda (full) (25%) 24.328 146 4.4 3167 95.6
* TP = true positives, FP = false positives.
Table 15.6: Measures of performance for the ’predict missing links’ algorithm. This algorithm is
at the core of the predict ’covert network structure’ and ’custom node removal’ algorithms.
per attribute. Link density is the ratio between the number of links and the number of potential
links and indicates for example how connected and covert the given network is.
We logged three variables for each test. Time is the seconds it takes to predict missing links.
True positives are predicted links that exist in the non-sampled version of the data set. False
positives are predicted links that do not exist in the non-sampled version of the data set. The
’predict missing links’ algorithm was customized in the same way for each sampled data set before
each test as described in Table 15.5. The al-Qaeda attributes are selected to match the number
of enum values for each November 17 attribute.
We evaluate the ’predict missing links’ algorithm against all the data sets using the three measures
of performance. The results listed in Table 15.6.
Information volume. This measure of performance is based on an evaluation of the change in
processing time and true and false positive ratios when the number of nodes and links increases
across the three sampled data sets.
We observe that the sampled al-Qaeda data set increases the time required to process the prediction
significantly (as expected). However, in the worst case the logged time is only 63 seconds and it
does not raise any operational concerns for most criminal network investigations. We realize that
the network can be much larger, and expect the required time to increase also for the tested data
set if attributes with more enumerated values were selected. But it is our experience that for very
244
CHAPTER 15. EVALUATION 15.5. SUMMARY
large networks, criminal network investigators will request predictions within subgroups mostly
and not the whole network.
Attribute accuracy. The ‘missing links’ prediction algorithm is based on that attribute val-
ues are machine-recognizable, i.e., the value should be one of a list of predefined enumeration
values (e.g., Role [leadership, operational] or Degree centrality [high, middle, low]). We
have decreased the attribute accuracy of the sampled data set by scrambling a percentage of the
enumeration values.
The decreasing accuracy of enumeration values clearly impacts on the number of predicted links,
but the ratio between them does not change indicating some robustness of the ‘missing links’
algorithm. The time actually decreases together with the decreasing accuracy of attribute values;
a decrease in predicted links can more easily be processed by the algorithm. One interesting
observation here is that the ratio of true positives dropped significantly for the November 17 data
set at 70% accuracy to 1 (from 5 at 90%). We expect this is caused by the less attributes compared
to the al-Qaeda data set, making it more vulnerable to the random scrambling of attribute values.
Attribute completeness. End user requirements and usability feedback have indicated a need
to support dynamic and emerging entity attributes, since limited information is typically available
about the individuals in criminal networks. To simulate this we delete attribute values from the
data sets by replacement with empty values.
Like attribute accuracy the total number of predicted links decreases as the number of non-empty
attribute values increases but the ratios stay more or less the same. We anticipated this similarity
between the accuracy and completeness MoPs as the CrimeFighter Investigator does not support
technology that could improve the attribute accuracy by correcting for example typographical
spelling errors.
15.5 Summary
To summarize our evaluations, we have used three different methods for evaluating our developed
tool support for criminal network investigation: capability comparisons, end user interviews, and
measures of performance. The use of multiple of multiple evaluation methods was necessitated by
the different nature of different criminal network processes embedded in our target-centric model.
Our three methods gave us good evaluation coverage across all of them, from acquisition to coop-
eration. Acquisition and synthesis tasks maps to evaluation of information #1 (emerging and
fragile structure). Acquisition tasks, information types, and emerging attributes maps to evalua-
tion of information #2 (integrating information sources). Sense-making tasks maps to human
factors #1 (augment human intellect) and human factors #4 (human-computer synergies).
Dissemination tasks maps to evaluation of human factors #2 (transparency and ownership),
and so forth.
A couple of requirements were found not to be covered by the selected evaluation methods, this was
however expected. Observing the mapping figures for requirements to tasks (Figure 15.1), measures
of performance to requirements (Figure 15.3), and models to requirements (Figure 15.2), we see
that Process #1 (target-centric and iterative) and Process #3 (make everybody stakeholders)
are not covered by our evaluation methods. Only argument for coverage would be that support of
the retracing the steps task, and hence information #4 (versioning support), would reveal who
take e.g., early decisions in an investigation and hence their responsibility for the final outcome
would stay throughout the investigation and they would be stakeholders. But we find that to be
a rather weak argument for coverage. As mentioned, this was expected. Our process model was
developed to address these two research focus requirements, and our arguments for designing the
process model in this particular way based on literature studies, expert end users, and our ideas
for how to design such a process.
In summary, for the evaluations presented in this chapter of a tool for criminal network investiga-
tion, CrimeFighter Investigator, we find it has strong support for information #1, information
245
15.6. DISCUSSION CHAPTER 15. EVALUATION
#3, process #4, human factors #1, and human factors #4, medium support of infor-
mation #1, human factors #2, and human factors #3, and weak support of information
#1 and process #2. This summary is visualized in Table 15.7. Comparison of CrimeFighter
Investigator with other tools was covered in Section 15.3.
Information Process Human factors

Requirement #1 #2 #3 #4 #1 #2 #3 #4 #1 #2 #3 #4
Measures of performance 3 1 1 1 - 1 - 2 2 1 - 1
Models 2 1 2 2 - 2 - 3 3 3 1 3
Capability comparisons 6 1 3 1 - 1 - 2 3 2 3 3
Support - -
Table 15.7: Summary of evaluation according to requirements. A large black square indicates
strong support of a requirement, a medium sized black square means medium support, and a
small black square is a symbol for weak support of the requirement. We have used values of 1 to
6, to indicate the support of individual evaluation methods for each research focus requirements,
primarily based on the mappings between the methods and the requirements (see Figure 15.1,
15.2, and 15.3).
15.6 Discussion
We will discuss the implications of the evaluation results for CrimeFighter Investigator above in
Section 15.2, 15.3, and Section 15.4. But first we discuss visualization as a lead-in to discussing
who are treated as the customer, when it comes to tool support for criminal network investigation,
and who really are the customer(s). A second discussion before that of the evaluation results, is
about end user involvement in evaluation of criminal network investigation tools, the problems we
faced in relation to this and our suggestions for how to get the end users from the security domains
and law enforcement (police officers, detectives, intelligence analysts) involved in the evaluation,
but also development, of tool support for criminal network investigation.
15.6.1 Visualization or visual filtering

Even with the carefully placed disclaimer in the introduction, we feel a need to discuss the issue
of visualization here, based on who we think the customer for tool support of criminal network
investigation is. The general critical reader (or perhaps a PhD committee member) could question
our lacking coverage of visualization, and rightfully so. All we have done in terms of visualization
is to mention (with certain amounts of sarcasm) how beautiful pictures it can make. And we have
presented much criticism: on how static visualization tools often seem [166] and how users often
only use the tools to draw the final networks of their investigation to present to their higher level
managers (see Section 15.2). We have described, maybe not in so many words, how we have sat
at the back of an IBM i2 end user conference and chuckled when the CEO mentioned the new
3D icons, how cool they were (he used the word cool), and then looked up at them and paused.
One would have expected, when looking around the room, to see other people smiling and shaking
their heads; but no, everybody were looking mesmerized at the CEO and the icons; 3D icons are
mesmerizing.
We didn’t do structured literature reviews of information visualization and related fields, so who
are we to offer an opinion on the subject? Clearly, we have no idea of the depth of this field and the
246
CHAPTER 15. EVALUATION 15.6. DISCUSSION
many important applications in relation to security informatics and criminal network investigation.
Nonetheless, we discuss it, and we use Ray Kroc’s quote from the beginning of this chapter, as a
basis of our discussion, and to indicate the non-scientific nature of the discussion. When Ray Kroc
talks about “looking after the customer”, he is most likely referring to customer service: smiling
service; fast service; and a nice, clean, and well kept establishment. In the documentary SuperSize
Me, the implication is that McDonald’s is looking after the customer by providing them with well
tasting food that to some extend makes them addicted to that same food; or the amount of sugar
it contains. In combination, looking after the customer, becomes excellent service, a nice, clean,
and (might we add) colorful restaurant, together with selling the customer something that tastes
very good, but ultimately is not good for the customer.
For companies that sell criminal network visualization software, the customer is first of all the
individuals who pay the large license fees, typically managers in companies and organizations
requiring such software. We believe that the true customer of criminal network investigation tools
are the investigators who are going to use the tools. The questions is now, how best to look after
this customer? We should surely not inhibit the investigator in any way, not inhibit the sense for a
specific emerging structure, the investigator’s imaginativeness and creativity, when an idea makes
the investigator draw a row of two story houses, before asking a tool which of those houses have
roof access to a certain back alley. When the investigator thinks of new and innovative ways to
fill the negative (void) space in a criminal network investigation, producing new leads and solving
cases. That is our point of view, and it is the point of view we have had throughout this work and
which we have been developing tool support for.
Naturally, when all that is said, visualization is important in a tool box for fighting crime (e.g.,
criminal network investigation). And there is a tool in the CrimeFighter toolbox which focuses
on visualization (see Section 1.4 in the introduction). Maybe, if we could call it something like
visual filtering, indicating a more active involvement on the part of the investigator, rather than
just selecting between a variation of layouts and color schemes, it would be a better match, and
also become useful for the tasks of the criminal network investigator.
15.6.2 End user involvement

Evaluation of new processes, tools, and techniques for criminal network investigation is a challeng-
ing task, at best. Especially when humans are given such a central role as we have given them,
and because our intended end users are from a part of society where it is not custom to talk freely
and openly about your work and methods. Initially, when security informatics researchers start
their work, they turn to the institutions of their homeland for inspiration, advice, and guidance.
These institutions includes intelligence services and agencies, police and special units. In Denmark
this would be either the danish security and intelligence service (DSIS89 ) or the danish defense
intelligence service (DDIS90 ). Our supervisor, Professor Uffe Kock Wiil, has held several meetings
with representatives from the Danish intelligence services prior to the beginning of our research,
and the author has met representatives as well, on a number of occasions during the past three
years. The feedback received by the author can be summarized to “you are using all the right
words”, but “we do not adopt or test software within the organization before it reaches a certain
level of maturity”. While that seems like a reasonable strategy for institutions whose work and
information from outside sources depends on a certain level of secrecy [27], all software engineers
know what happens when you leave the customer out of the development process loop: the risk
for project failure (i.e., not delivering the desired product or any product at all) is significantly in-
creased [43,54,165]. But there is a trade off between secrecy and openness that has to be carefully
balanced 91 . During the nineties the media suspected DSIS to be a ‘state within the state’, and
the previous director of operations for DSIS says that his sources within the media have noticed a
return close to that level of secrecy [27]. As the 22 July commission report [153] states, ‘extreme
secrecy’ might have contributed to not stopping (parts of) the terrorist attacks on 22 July (2011)
in Norway [27, 153].
As mentioned above, the development of complex software systems requires the involvement of the
247
customer as a stakeholder together with the developers and their managers, in order to produce
a product with the required level of maturity, suitable for testing on classified data. We suggest
that collaboration is established between the Danish intelligence services or the less secretive parts
of law enforcement, such as police, with domestic research institutions. Such collaborations exists
in other countries: at Simon Fraser University the Institute for Canadian Urban Research Studies
(ICURS) based in the School of Criminology has a secure crime lab, where researchers can test
their algorithms on police data. At Arizona University’s AI lab, 300 police officers participated
in a survey-based evaluation of the COPLINK software92 . Naturally, it takes time to build the
required level of trust between academia and law enforcement, once your software tool is mature
enough. Our three years in the security informatics research community helped us reach a point
where we now find ourselves knowledgeable enough to ask these questions. But if was not required
to experience the classical “oops, I tripped and spilled your wine on you (to test if you are wearing
a wire)” before gaining access to knowledge from intelligence service agents, we might have been
able to ask these questions earlier.
15.6.3 Discussing end user interviews

Unstructured and informal interviews, where the interviewer asks questions about individual crim-
inal network investigation tasks and demonstrates some tool features, and the interviewee talks
about their work and answers questions, have proved useful for an initial establishment of whether
or not the research is on the right tracks. However, the aggregation of the interviews often becomes
a difficult task for the interviewer. It is the interviewer who decides how to map responses and
statements, and the evaluation naturally becomes subjective to a certain degree, and is qualitative
in the sense that it is based on the opinions of interviewers. We found it to be a good approach,
to keep separate the interviewees from different investigation domains, also because certain termi-
nologies exist within those domains, making it easier to decide if a statement was for or against
the support of a certain criminal network investigation task.
15.6.4 Discussing capability comparisons

We discuss our capability comparison of tasks in Section 15.6.4 and models in Section 15.6.4.
Capability comparison of tasks
Before discussing the results in Table 15.2, it makes sense to ask the question whether the tasks
used for evaluation and comparison are the right tasks to support by software tools? The goal
should be that the investigators can use the tools to reach better results faster. We have interacted
with investigators when compiling the task list. The task list has subsequently been confirmed
by investigators as important tasks to support in a software tool. The investigators also noted
the absence of details regarding tasks in the acquisition and cooperation processes. We intend to
address this in future work and constantly expand and revise our list of tasks to be supported
based on interactions with end-users.
The results in Table 15.2 are not surprising. Our focus on synthesis, sense-making, and dissemi-
nation have resulted in relatively good support for these processes ranging from 3 (dissemination)
over 4 (sense-making) to 4 (synthesis). On the other hand, our tool scores somewhat low on
acquisition (2) and cooperation (2) as expected.
Compared to the other tools, CrimeFighter Investigator is the only tool that supports the majority
of the envisioned synthesis tasks. Other tools support the synthesis tasks to a varying degree.
Regarding sense-making, our tool scores higher than the other tools except for Palantir that
received the same score. Our plans for future work (see Section 6) will result in a tool that
fully supports the envisioned tasks related to synthesis, sense-making, and dissemination. Our
conclusion is that our tool currently provides the most comprehensive support for synthesis and
248
CHAPTER 15. EVALUATION 15.6. DISCUSSION
sense-making.
It can be observed from Table 15.2 that the tools used in watchdog journalism are not as elaborate
as the commercial tools for policing and counterterrorism. The market for policing and countert-
errorism tools are much bigger than the market for watchdog journalism tools. We envision that
our tool can be useful to investigative journalists due to the supported tasks.
It can also be observed from Table 15.2 that the commercial tools provide good support for
acquisition and dissemination. Acquisition is essential for a commercial tool, since many of their
customers have enormous amounts of data that needs to be made available to the investigations.
Dissemination is also essential for a commercial tool, since the investigation results needs to be
communicated to the customer in a comprehensive manner. In the longer term, our future work
will also address the acquisition and dissemination issues, but not to the extent of what commercial
tools do. Our long term research goal is to provide the most comprehensive support for synthesis,
sense-making, and cooperation.
Commercial tools provide many powerful features for the synthesis tasks that they support, while
there seems to be an increased focus on supporting sense-making tasks in research prototypes
like Sandbox, POLESTAR, and CrimeFighter Investigator. For example, Analyst’s Notebook is
very strong on visualization as part of its synthesis support, but lacks many of the features for
sense-making. Wright et al. states that Analyst’s Notebook seems better suited as a report tool
than a thinking tool since it does not encourage various alternative thinking [254]. This claim was
supported by end-users we met at an i2 user conference93 : “I typically use Analyst’s Notebook
to generate a report for the state attorney handling the case in court. I do not use Analyst’s
Notebook before I am done with my analysis”.
The comparison of supported tasks is made based on whether a particular feature is supported
or not - not how well it is supported. Commercial tools are by nature more mature and typically
provides qualitatively better features than research prototypes (which often aim at providing proof-
of-concept implementations of features). CrimeFighter Investigator has so far only been evaluated
based on the existence of support for tasks, not how well end-users feel they are supported in
practice. This type of evaluation involving investigators from the three overall areas is planned to
start, when the envisioned list of tasks have been implemented.
CrimeFighter Investigator uses well-known (and tested) hypertext concepts and structuring mech-
anisms that have proved useful to solve similar knowledge management tasks. In fact, the tool
builds on previous work by the authors on the use of multiple hypertext structures to support
knowledge management tasks related to agile planning [170]. Thus, we are confident that the
provided support to a large degree will be conceived as useful by the end-users in supporting the
investigative tasks. Further evaluation results will help fine-tune the usability of the provided
features.
Capability comparison of tasks
We observe two tendencies in our assessment of computational modeling concepts in commercial

tools and research prototypes for criminal network investigation. Separating commercial tools from
research prototypes, we see that the research prototypes are slightly more diverse in their support
of first class entities. Tools and research prototypes are equally strong in terms of structure do-
mains supported; the commercial tools are strong on navigational structures, where the research
prototypes have better support for spatial structures. Finally, the commercial tools outperform the
research prototypes in terms of mathematical models (measures) supported. CrimeFighter Inves-
tigator has better support of first class entities (conceptual model), structure domains (structural
models), and transformative and measuring algorithms (mathematical models) than the state-of-
the-art tools and research prototypes analyzed for this comparison.
In our “invented” work flow scenario described in Section 14.3, Mark used sense-making tailoring
to be able to understand and reason about the network information he was asked to analyze. More
specifically he customized a prediction algorithm to base its inferences on different information
249
element attributes for different parts of the network. He also extended the actual prediction of
links to be conditioned by the betweenness centrality of the individuals between who links where
predicted, prior to that prediction. The tailoring in CrimeFighter Investigator made the process
transparent and helped Mark to gain a feeling of ownership toward the information provided. In
other words, he trusted the sense-making provided information enough to forward his findings to
his decision-making superiors.
15.6.5 Discussing measures of performance

We have developed and calculated measures of performance (MoP) for two extended centrality
algorithms (degree and betweenness) and one transformative algorithm (predict missing links).
In the longer term, these MoPs will help us build a process that criminal network investigators
can have confidence in, going before a decision maker. MoPs are therefore also related to our
discussion of involving end users in the evaluation of new tools for criminal network investigation
(see Section 15.6.2). We expect that good MoPs will also be required to convince individuals in law
enforcement institutions in order for them to decide whether or not to start a collaboration with
the purpose of further development of the tool, or bringing it in-house to test on some up-to-date
data.
It is interesting that the information volume MoP does not have strong relations to our research
focus requirements as it was illustrated in Figure 15.3. In fact, we only found it to have limited
relations to support of the augmentation of human intellect requirement (human factors #1).
But it is not surprising, as we have never thought of information volume on its own to be a
complicated information problem, as it will be a matter of computing power and resources to
solve it (as previously mentioned). However, if other information problems such as accuracy
and completeness are introduced, information volume could become an issue, since computations
becomes more complicated and time consuming.
250
(a) test scenario 1 (b) colocation results
251
(c) empty endpoint results (d) two associations results
Figure 15.7: The organized drug crime investigation with links representing co-location associations (a). The degree and betweenness centralities for
15.6. DISCUSSION
each of three tests: co-location association (b), empty endpoints association (c), and both co-location and empty endpoints associations (d).
Figure 15.8: Augmented version of an organized crime investigation showing a shared information
space and various content. Close-up pictures are blue, surveillance photos are orange, text cards
with meta information about individuals are green and text cards functioning as headers are dark
red.
252
CHAPTER 16
Conclusion and future work
The art of investigation is in part the art of seeing, of finding a place

to stand so that you can see. To see a ghost presents a special kind of
problem.
McDermott and Meyer (2012), in the hunt for Khalid Sheikh Mohammed [146]
Criminal network investigation involves a number of complex knowledge management tasks such
as collection, processing, and analysis of information. Synthesis and sense-making are core analysis
tasks; analysts move pieces of information around, they stop to look for patterns that can help them
relate the information pieces, they add new pieces of information and iteration after iteration the
information becomes increasingly structured and valuable. Synthesizing emerging and evolving
information structures is a creative and cognitive process best performed by humans. Making
sense of synthesized information structures (i.e., searching for patterns) is a more logic-based
process where computers outperform humans as information volume and complexity increases.
CrimeFighter Investigator is a novel tool that supports a target-centric and iterative criminal
network investigation process and related tasks through the application of advanced software
technologies such as hypertext structure domains, semantic web concepts, known human-computer
interaction metaphors, and a tailorable computational model rooted in a conceptual model defining
first class entities that enable separation of structural and mathematical models.
As a result of numerous commission reports evaluating the efforts of counterterrorism and police
(e.g., [110, 152, 153]), there is a growing request for more openness in intelligence agencies and law
enforcement in general, especially close to home (e.g., Norway [153] and Denmark [27]). As we have
mentioned, these Commission Reports often presents how the information was there, available and
linkable, and therefore resorts remedies such as information sharing, joint intelligence units, merged
databases etc, but does little to improve on the intelligence process [32] (analytical methods). The
22 July Commission Report concluded, among other things, that following a different methodology
could have changed if not the final outcome, then the outcome of sub-parts of the Norwegian
tragedy. Intelligence services in Denmark, such as the danish defense intelligence service have
made organizational changes and talked about more openness94 , and the author has through
interviews and meetings learned that new technologies such as semantic web technology, and ideas
such as intelligence in the cloud, readily retrievable by phones and tablets in the field1 . We believe
that the Danish intelligence services are moving in the right direction, with an increased focus
on utilizing available information and communication technologies. But in terms of tool support
1 This information is based on classified interviews and meetings, held between the author and the anonymous.
253
16.1. SUMMARY CHAPTER 16. CONCLUSION
based on an increased understanding of the interrelationship between information, process, and

human factors, much knowledge has still to be acquired, new concepts and models developed, and
software designed, implemented, and tested. In our opinion, the research that we present in this
Ph.D. dissertation makes important contributions to further developments in that direction.
This chapter concludes our work by presenting our final conclusions. Section 16.1 summarizes our
work. Section 16.2 summarizes our results related to criminal network investigation challenges
and associated problems. Finally, Section 16.3 outlines the major contributions of our work, and
Section 16.4 presents suggested future work and evaluation.
16.1 Summary
We started out as engineers, with the goal to engineer a software system for criminal network
investigation. We studied our domain, we talked with the end users, we analyzed related work,
theory and technology, and generated requirements. We created designs for those requirements,
and implemented software prototypes as proof of the concepts we had developed. We did so,
following an agile methodology, iteration by iteration, release by release. We incrementally built
Crimefighter Investigator one proof-of-concept prototype at the time, from a pilot system to an
actual criminal network investigation tool, assisting investigators when investigating their genuine
mysteries and hunts for ghosts. As software systems engineers, we succeeded early.
But as we got further into the research, we discovered a need to develop a new criminal network
investigation process, new concepts and models as the foundation for tools and techniques. Three
criminal network investigation challenges that had been found to result in (tool supported) crimi-
nal network investigation failure, either separately or together, where being addressed in a manner
suitable for the tasks of the criminal network investigator. We noticed that existing software sys-
tems were only in part guided by requirements addressing problems related to information, process,
and human factors challenges. We identified these problems, formulated such requirements, and
adopted some concepts from knowledge management and hypertext theory and technology. Based
on those concepts we developed models and software components for support of criminal network
investigation. We found, that no matter what ill-structured problem an individual or a group of
individuals are trying to solve, there are some basic concepts, structures, and components that
can be applied. Some basic building blocks from which to build software systems.
In summary, we first took in the scattered particulars related to criminal network investigation
under one idea, so that everyone understood what we were talking about. Second, we separated our
idea into parts, by dividing it at the joints (information, process, and human factors), as nature
directs, not breaking any limb in half as a bad software systems engineer might Phaedrus (265D).
16.2 Requirements, challenges, and hypothesis

In our introduction, we listed challenges associated with criminal network investigation. We chose
to focus our work on three of those challenges (information, process, and human factors), based
on an estimation of the bigger impact that software technologies could make on meeting these
three challenges through the assistance of a software tool (compared to the other challenges).
General problems within each of the three challenge domains were listed in Chapter 6. To guide
our research we created a number of research focus requirements to resolve the problems and
ultimately meet the challenges of information, process, and human factors in criminal network
investigations by assisting the investigators through the implementation of a novel software tool,
CrimeFighter Investigator. We present our conclusions with regard to research focus requirements
in Section 16.2.1, challenges in Section 16.2.2, and finally our hypothesis in Section 16.2.3.
254
CHAPTER 16. CONCLUSION16.2. REQUIREMENTS, CHALLENGES, AND HYPOTHESIS
16.2.1 Requirements
The research focus requirements we listed in Chapter 6 were evaluated using three different meth-
ods in Chapter 15. A summary of the evaluation is shown in Table 16.1, indicated whether
evaluations found that we had strong, medium, or weak support of each research requirement,
through our developed processes, tools, and techniques. Our evaluation methods were found to
provide good coverage of the research focus requirements, except for process #1 (target-centric
and iterative) and process #3 (make everybody stakeholders). However, this was expected, and
our process model was found to cover those two requirements.
Information Process Human factors

Requirement #1 #2 #3 #4 #1 #2 #3 #4 #1 #2 #3 #4
Support
Table 16.1: Summary of evaluation according to requirements. A large black square indicates
strong support of a requirement, a medium sized black square means medium support, and a
small black square is a symbol for weak support of the requirement.
The results in Table 16.1 shows that we have provided strong to medium support of all require-
ments, and we can therefore conclude that we have addressed the problems associated with each
individual criminal network challenge. Furthermore, the strong to medium support of the require-
ments also leads us to conclude that we chose the right challenges to focus on, as our developed
processes, tools, and techniques were found to address and have an impact on those challenges.
16.2.2 Challenges
Following the conclusions on research focus requirements above, we conclude on the degree to
which we have addressed each challenge in more detail. Below we present our conclusions on each
of the three criminal network investigation challenges:
Information. We conclude that the weak support of information #2 (integrating information
sources) is because this requirement has not been prioritized. We focused on the development of
a conceptual model with first class entities, then it would later have been easier to provide e.g.,
images as visual abstractions for information elements. The same is the case for information #4
(versioning support), which development was dependent on strong support of information #1
(emergent and fragile structure), and as a consequence a well developed conceptual model. We
can conclude that key information challenge requirements have strong support, and that the less
supported information challenge requirements still require further development to be finished.
Process. Our developed process model provides the strong support of process #1 (emergent and
fragile structure), while support of process #3 (make everybody stakeholders) is considered weak,
although closely related to the choice of process model. However, limited support of cooperation
tasks has inhibited the development of support for process #3. Process #2 (loss-less data
abstractions) is supported by the design of our entity software component, but due to the lack of
support for the information types task, process #2 support is not strong. Finally, the process
#4 (integration of conceptual and computational models) has strong support, and given the
amount of attention, this is not surprising to us. Again, process challenge requirements have
strong support, and those less supported requirements still require further development to be
supported (or are related to investigation tasks, which require further development).
Human factors. The research focus requirements human factors #1 (augment human intel-
lect) and human factors #4 (human-tool synergy) were evaluated to have strong support by
the developed processes, tools, and techniques. They are also closely related, as human intellect is
255
16.3. CONTRIBUTIONS CHAPTER 16. CONCLUSION
augmented using advanced software technologies, thereby increasing the capabilities of man (i.e., a
synergy effect). Human factors #3 (simple tools ease-of-use) has medium support, mainly due
to the common information space where entities can be organized in different structures, like paper
cards or similar on a table. Human factors #4 (transparency and ownership) receives support
from our dissemination tasks, as well as the investigators options for tailoring sense-making work
flows for their particular needs. It seems that human factors are often not considered when tool
support is developed for criminal network investigation. Our human factors requirements have
been evaluated with a positive outcome, and the decision to also focus on the human factors
challenges, has proved to have a positive impact on criminal network investigation.
Based on the conclusions for the individual criminal network investigation challenges, we will make
our final conclusions about support of our hypothesis below.
16.2.3 Hypothesis
Our hypothesis was formulated based on three criminal network investigation challenges:

Support of the hypothesis therefore depends on whether or not the problems associated with these
challenges are dealt with. Based on our conclusions for research focus requirement support, and
the importance of individual requirement support address each individual criminal network inves-
tigation challenge, we can conclude that all indicators points toward support of our hypothesis.
Our approach to criminal network investigation results in tool support for criminal network in-
vestigation which assists the investigator throughout the individual processes, ensuring powerful
collaboration between human and tool with a focus on addressing information, process, and human
factors challenges integrated in the same software system.
16.3 Contributions
The CrimeFighter Investigator approach for criminal network investigation has been developed
based on different types of analysis work:
Involving end users. We have interacted with investigators from various communities to
get their input on what kind of tool support is needed.
Exploring methods. We have explored analytical practices, processes, and techniques
related to policing, counterterrorism, and watchdog journalism.
Studying related work. We have found inspiration from existing tools supporting criminal
network investigation as well as from various existing hypertext systems.
Together, this analysis work resulted in a list of tasks that guided our development. Currently,
most of the envisioned tasks are supported. In general, our work has resulted in the following
contributions:
Challenges. Based on analysis of criminal network investigation cases, criminal network

information, structures, and investigation domains, we have presented a list of key challenges
for criminal network investigation. These challenges can all mean the failure or success of
criminal network investigations. We selected to focus on three of these challenges, for which
tool support was estimated to be applicable and useful. We further analyzed those three
challenges for specific problems, and subsequently set out a list of research requirements that
help us (and other software system engineers) to address the problems.
256
CHAPTER 16. CONCLUSION 16.4. FUTURE WORK
Process model. We have developed a target-centric and iterative criminal network investi-
gation process model to address problems associated with a linear approach to investigation,
with a particular focus on the compartment problem. More specifically, the model provides
support of process #1 (target-centric and iterative) and process #3 (make everybody
stakeholders).
Task list. To support the acquisition, synthesis, sense-making, dissemination, and coop-
eration processes of our model we developed a list of criminal network investigation tasks,
based on the three types of analysis work described above.
Tool support for criminal network investigation. We have developed a tool to support
criminal network investigation and assist investigators in creating target-centric models for
their customers. The tool provides more comprehensive support for synthesis and sense-
making tasks than existing tools. Furthermore, evaluation has shown that we are on the
right path to integrate a broad range of investigative synthesis and sense-making tasks in
one tool to support target-centric criminal network investigation. We have observed that
existing tools typically are strong on either synthesis or sense-making tasks.
Novel approach to tool support. We have demonstrated how a combination of theory

and technology can be used to develop tool support for the criminal network investigation
processes. Other researchers have discussed the importance of human-machine coopera-
tion. We chose hypertext technologies to bridge human and machine capabilities to resolve
challenges and problems in criminal network investigation, separating structural and math-
ematical models.
Components for tool support. We have developed generic software components for
support of criminal network investigation. The components have helped develop support
research focus requirements such as human factors #2 (transparency and ownership)
and process #4 (integration of conceptual and computational models). Furthermore, the
software components are applicable to similar knowledge management problems.
Publications. Our work has been published in peer-reviewed international conference pro-
ceedings published by ACM, Springer, and IEEE. Parts of our work is accepted for publi-
cation in Springer handbook of computational approaches to counterterrorism and Springer
journal on security informatics (special issue on criminal network investigation). See Ap-
pendix A for further details.
While these are individual and important contributions to the field of criminal network investiga-
tion, proof-of-concept prototypes are not proof in the generic sense, further evaluation is required
in order to advance the research both academically and commercially. It is important that we
have implemented proof-of-concept prototypes to further enhance our understanding of analyzed
and design conceptual ideas (concepts), but quantitative empirical evidence for effect to measure
the impact of our conceptual ideas on criminal network investigation, together with the measures
of performance we have developed and tested on some algorithms in CrimeFighter Investigator
would be crucial. In essence, our work presents the guidelines for how to start a research project
on criminal network investigation. We will discuss future research and other perspectives in future
work (section 16.4).
16.4 Future work

Our future work focuses mainly on three ares: literature studies, further implementation of crim-
inal network investigation concepts and tasks in CrimeFighter Investigator, and evaluation of
CrimeFighter Investigator. The main objective of our future work is to develop a version of
CrimeFighter Investigator that intelligence agencies or police think is mature enough that they
257
16.4. FUTURE WORK CHAPTER 16. CONCLUSION
would be willing to test it within their organization95 , using it on a real investigations and the
(often) classified information related to these investigations. The future work described in this
chapter is our suggestion of how to reach that point of maturity.
The literature studies will focus on topics primarily related to technology adaptation, human cog-
nition, and creativity, like for example “how does ‘trust’ affect the adaptation of new technology?”
(see Section 16.4.1). In terms of future software development, it would be important to test for
example the extensibility of our developed framework, by the addition of new synthesis structures
such as the semi-lattice (discussed in Section 3.2). We outline that and other relevant future
software development tasks in Section 16.4.2. As described in Chapter 15, we have evaluated our
approach with a number of different methods. Future evaluations and methods are described in
Section 16.4.3.
16.4.1 Literature reviews

We have studied various literature throughout this Ph.D. project to solve independent problems
and we have studied literature guiding the understanding of all these problems under a cohesive
whole. Just like with the software development (although with longer iterations), we have also
iterated through our literature studies, and the literature listed below has come to our attention
at the end of the Ph.D. project and will be necessary to study before moving forward (starting
the next iteration).
1. Technology adaptation. It should be investigated what factors decide the adoption of

new technologies, to improve the chances of having new technologies evaluated and then
later adopted by the intended end users. E.g., how does trust affect the adaptation of new
criminal network investigation technology? A good starting point would be the technology
acceptance model (TAM) [51].
16.4.2 Future software development

In this section, we list future software development work, according to criminal network investi-
gation processes and tasks:
Besides better acquisition support through integration with CrimeFighter Explorer, we propose
the following future work for acquisition support:
1. Drag and drop. Acquiring information using drag and drop from other applications is
essential for fast and easy synthesis of information in the common information space. It
would also mean that support for information #2 (integrating information sources) would
be significantly improved.
2. Import. Providing support for import of basic network formats beyond comma separated
values would increase the options for integrations with other tools, and increase support of
information #2 (integrating information sources).
CrimeFighter Investigator currently has strong support for synthesis tasks, but increased focus
on the following tasks would make the support more complete, and make the tool more ready for,
e.g., usability experiments:
1. Branched history. It will be necessary to extend the navigable history feature to also
support branched history [96,117]. In terms of synthesis, this means development of methods
for recording and navigating branched history. This would result in stronger support of
versioning (information #4).
2. Information types. Extend support of information types beyond text snippets and meta
data information to also include pictures, maps, audio, etc. (information #2).
258
CHAPTER 16. CONCLUSION 16.4. FUTURE WORK
Although CrimeFighter Investigator has good support for sense-making, there are some criminal
network investigation tasks that should get more attention in the future, and new concepts would
have to be developed accordingly:
1. Branched history. Overlaps with branched history support for synthesis (above). Branched
history would leverage creating hypotheses using information structures (as opposed to us-
ing argumentative structures). The Visual Knowledge Builder (VKB) [198] introduced the
concept of navigable history [96, 117].
2. Visualization. It would be important to support the integration with visualization libraries,

to import basic layouts, that can then be applied to CrimeFighter Investigator networks.
Integration could also be with other tools, e.g. CrimeFighter Assistant [80, 147, 245], for
advanced structural analysis and visualization integration. See also filtering below.
3. Filtering. We have found that once networks grow to a certain size in CrimeFighter In-
vestigator, filtering becomes a key sense-making task. We can think filtering features in
two categories: visual filtering, using colors, size, and positioning, and actual filtering, i.e.,
taking a subpart of network into a separate space to work with it there or alternatively
the removal of entities from the space, in both cases based on entity attributes or patterns.
Commercial state-of-the-art tools (reviewed in Section 4.1) such as Analyst’s Notebook and
Palantir Government are very strong on visual filtering, and we therefore suggest to focus
on actual filtering to think some of the challenges associated with such an approach. As an
example, what if a sub-part of network is filtered out and placed in a new space to work on
it there, and then later after the work is complete, the analyst wants to merge the results
back into the original network?
4. Custom algorithms and sense-making work flows. Future work for custom algorithms,
includes saving sense-making work flows and later application of saved work flows together
with a dedicated editor for building these work flows in a more intuitive manner, rather than
having to use list boxes, sliders, and check boxes to tailor the work flows.
5. Prediction. When developing the support for the transformative inference-based prediction
algorithms at Imperial College in London, a range of interesting future work was discussed
with Dr. Christopher J. Rhodes, e.g., how would variations in the gold standard impact the
measures of performance for the covert network structure and missing links algorithms. It
was also discussed to add support for analyzing the secondary effects of agent insertion into
a criminal network (i.e., the opposite of the already supported node removal algorithm).
Dissemination has received some attention in this Ph.D. dissertation and interesting further
development for both story telling and report generation is mentioned below:
1. Story telling. To further enhance story telling beyond simple navigation of history, e.g.,
by letting the user attach specific views to the history to show how the betweenness between
entities at that particular point or maybe an animation of the evolution of the criminal
network so far.
2. Report generation. The transparency and ownership of investigations (human factors

#2) would be significantly improved, if the end user had access to a report template editor.
The user could then add the specific building blocks (visualizations, results, etc.) to reports
they want to generate for their particular investigation, in order to highlight certain aspects
of the information.
Finally, providing better support for cooperation, human-computer interaction, and visualization,
is part of our longer term goals.
259
16.4. FUTURE WORK CHAPTER 16. CONCLUSION
16.4.3 Future evaluation of tool support

We propose the following future evaluations of CrimeFighter Investigator tool support for criminal
network investigation:
1. Usability experiments would involve finishing up experiment designs and then actually
executing the experiments to get quantitative evaluation of our approach, i.e. our approach
to synthesis. We plan to involve researchers and end-users in these capability comparisons
in the future. We are currently designing structured usability experiments following [18, 69]
for evaluation of specific CrimeFighter Investigator features.
2. Capability comparisons. A logical next step for our capability comparisons of both
criminal network investigation tasks and conceptual, structural, and mathematical models
would be to provide professional end users of the commercial tools and research prototypes
with surveys where they could indicate the support of individual tasks or models.
3. Software components. It would be important to test the extensibility of our developed

software components. We propose to evaluate the entity component, by testing the addition
of new synthesis structures such as the semi-lattice. Evaluation criteria could be whether
or not sense-making algorithms would still run as expected, given this (and other) new
abstractions for the entity concept. Taniguchi (2011) mentions that the use of Thiessen
polygons “to understanding the relationship between gang drug activity and crime is not
without limitations” [221], since they “may be both over inclusive (encompassing areas not
used for drug distribution) and under inclusive (missing areas used for drug distribution)”
[221]. We believe this to be a strength in terms of criminal network investigation; being
able to represent entities in a non-final manner, whether they overlap (semi-lattice) or not
(Thiessen polygon) makes it possible to iterate toward a solution for an ill-structured problem
without requiring predefined structures.
4. Ethical responsibility and impact. We propose to use the developed process model to
first of all assign ethical responsibilities for investigators and tool (CrimeFighter Investigator)
according to each of the five processes (acquisition, synthesis, sense-making, dissemination,
and cooperation. Once ethical responsibilities have been assign, the impact of each of those
could be assessed and evaluated. See Figure 16.1, for our initial thoughts on how to as-
sign ethical responsibility and our expected impact of that responsibility for the different
stakeholders as well as the tool.
Figure 16.1: Assessing ethical impact responsibilities.
260
Notes
1 We find reconciliation in the fact that even a multi million dollar company like Palantir Technologies have found
it necessary to start with disclaimers in some of their presentations. One presentation, Palantir as Intelligence
Infrastructure [191, 192], has a slide with the header ‘What Palantir ISN’T!’, and then lists (1) A Visualization
Tool, (2) A closed environment, and (3) One database to rule them all.
2 We recognize that some investigations can be solved using e.g., social network analysis, if the investigators
have a hairball of 100.000 phone calls and 10.000 people and you want to learn if these guys are calling the same
group of people. This was an example given at the i2 EMEA user conference 2010 in Brussels, Belgium. But, when
investigating Operation Crevice and the 7/7 (2005) bombings in London, there was a lot of registered phone calls,
but one individual appearing in Operation Crevice, was missed because of slight variations in his name.
3 Professor Hsinchun Chen (AI lab, University of Arizona) gave a talk about his health informatics research at a
workshop on information and knowledge management for welfare technology. Chen has given keynote talks on the
big data analytics topic in the security informatics domain (dark web), e.g. at EISIC 2011 and EISIC 2012. EISIC
stands for European International Security Informatics Conference.
4 The user conference mentioned, was the 2010 i2 EMEA user conference held in Brussels, Belgium.
5 Sometimes the term ‘compartmentation’ is used instead of compartmentalization.
6 The July 22nd Commissions report was made public and presented on August 13th 2012. The original text of
our translation is (PST the Norwegian Police Security Service: Med en bedre arbeidsmetodikk og et bredere fokus
kunne [Politiets sikkerhetstjeneste] PST ha kommet på sporet av gjerningsmannen før 22/7. Kommisjonen har
likevel ikke grunnlag for å si at PST dermed kunne og burde ha avverget angrepene.
7 Petter Gottschalk has done police research for years and written several books on the subject, e.g. [53]. His
comment as it was printed in Information on August 13 is [78]: Politiet har i 10 år isoleret sig og afvist al kritik.
Norsk politi har været meget lukket og ikke villet forandre sig. Kommissionen gentager kritik, som har været rejst
mange gange før, men denne gang kan de ikke afvise det
8 The 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010), held
9-11 of August 2010 in Odense, Denmark, jointly with the International Symposium on Open Source Intelligence
and Web Mining 2010 (OSINT-WM 2010).
9 The work to make criminal network investigation a separate area within security informatics has begun, e.g.,
with the call for papers for a special issue of the security informatics journal on criminal network investigation
(see http://www.springer.com). We hope that by presenting our own boundaries for the field of criminal network
investigation, we can help shape and position the area even better within the field of security informatics research
10 The term security informatics was coined by Hsinchun Chen (2006) initially as Intelligence and Security In-
formatics (ISI): “development of advanced information technologies, systems, algorithms, and databases for inter-
national, national and homeland security related applications, through an integrated technological, organizational,
and policy-based approach” [37]. Terrorism informatics is another related field that was also coined by Hsinchun
Chen (2008): “application of advanced methodologies and information fusion and analysis techniques to acquire,
integrate, process, analyze, and manage the diversity of terrorism-related information for national/international
and homeland security-related applications” [1, 38]
11 Our analysis of commercial tools and research prototypes used for policing, intelligence analysis, and investiga-
tive journalism in Chapter 4 is naturally also part of state-of-the-art.

12 The invitation to give a talk at the terrorism and new media conference (2009), was based on a submitted
paper, adaptive counterterrorism tools over silver bullets (see Appendix A).
13 See Appendix A for further information on our published papers and other work.
14 Our model for criminal network investigation published at Hypertext 2011 is described in Chapter 7.
15 Figure adopted from the following url: http://www.mikesmart.com/application_development/agile_development.
htm.
16 The metrics have been calculated using the Metrics plugin (version 1.3.6) for Eclipse [source: http://metrics.
261
NOTES NOTES
sourceforge.net/update].
17 Information acquired by means of observation or experimentation [61].
18 By post-crime data sets and investigations we mean simply data sets and investigations that have been aggre-
gated and described after a criminal offense has been committed, and typically also prosecuted in court. This is
explained in greater detail in Section 15.1
19 This statement was initially made in relation to terrorist networks in [244], but we believe that the same applies
to different types of criminal networks, such as organized crime networks.

20 The Enron email dataset was collected and prepared by the CALO project (Cognitive Assistant that Learns
and Organizes) [http://www.ai.sri.com/project/CALO].

21 Newman (2010) discusses general large-scale structures of networks [155]. Authors have studied general struc-
tures in particular criminal network domains such as terrorist networks (e.g., [92, 122, 188, 189]), many of which are
focused on the organization of al-Qaeda (e.g., see the discussion between Hoffman and Sageman (2008) [93, 190]).
22 The term cell is also often used about cliques and tight-knit groups [128, 188, 227].
23 Two
triad configurations are considered isomorphic, if they share dyadic features (i.e., the number of null dyads,
asymmetric dyads, and mutual dyads).
24 Standard MAN labeling is described by Wasserman and Faust (1994) [240].
25 This compartmentalization problem has also been recognized by software development experts [43, 54]
26 Our account of the assessment processes of Curveball reports is primarily based on Drogin (2008) [59].
27 Similar observations have been made for software development processes [43].
28 AbuZubaydah was one in a group of global jihadists believed to have “holed up” in Punjab (Pakistan). Abu
Zubaydah “had long-standing and close ties to [al-Qaeda’s] inner circle of leadership” [146], and CIA therefore
thought he could have information about the next attack.
29 National Security Agency.
30 Jaishe-Mohammad (JEM), “Army of the Prophet”. The police man, Adil Mohammad Sheikh, claimed in court
that he did not know the purpose of the operation he was involved in [162].
31 Omar Saeed Shaikh, the mastermind of the plot, used at least seventeen aliases himself: Mustafa Ahmad,
Mustafa Ahmed al-Hawsawi, Mustafa Sheikh Saeed, Omar Saiid Sheikh, Shaykh Saiid, Chaudry Bashir, Rohit
Sharma, Amir Sohail, Arvindam, Ajay Grupra, Raj Kumar, R. Verma, Khalid, P. Singh and Wasim! [128]
32 The primary writers are David Simon and Ed Burns. Burns has worked as a Baltimore police detective for
the homicide and narcotics divisions. Simon is an author and journalist who worked for the Baltimore Sun city
desk for twelve years. He authored homicide: a year on the killing streets and co-authored the corner: a year
in the life of an inner-city neighborhood with Burns [10, 204–206]. We have previously focused on policing and
investigative journalism as two investigation types that could benefit from the concepts we develop and implement
in CrimeFighter Investigator [174].
33 We have previously described the advantages of a board-based approach for the planning domain, where infor-
mation structures are also emergent and evolving (see [172]).

34 “After years of random buy-and-bust interventions, law-enforcement controls of serious crime networks have
gradually come to follow the key player strategy” [150]. Morselli follows up by stating that “a more accurate
appraisal of the social organization of drug-trafficking [. . . ] would follow a resource-sharing model in which collab-
oration among resourceful individuals would be at the base of coordination in such operations” [150]. We find that
this is also the approach taken by the investigators in The Wire by targeting not only Avon Barksdale but a range
of important individuals in and around the decision-making body of the organization.
35 Secret intelligence includes human intelligence (humint), signal intelligence (sigint), imagery intelligence (imint),
and measurement and signature intelligence (masint).

36 A copy of the manuscript draft documenting this [214] is on file with the author.
37 As mentioned by Arno H. P. Reuser, Chief of Open Source Intelligence, Defense Intelligence and Security
Service, the Netherlands.
38 We are aware that the IBM i2 analysis product line has products covering aspects of criminal network investi-
gation not covered by Analyst’s Notebook.

39 Analyst’s Notebook supports the following column actions on import: Add Prefix, Add Suffix, Change Cap-
italization, Compress Repeated Characters, Copy Value from Previous Row, Extract Portion of Text, Find and
Replace Text, Prefix with Another Column, Remove Characters, Remove Prefix. The source of this information is
hands on lab handouts [107], on file with the author.
40 After submission of the dissertation, we have become aware that IBM i2 iBase also has support for creation of
search queries using drag and drop http://www-142.ibm.com/software/products/us/en/ibase/.

41 TRIST stands for “The Rapid Information Scanning Tool” [114].
42 Apparently, the information in the Sandbox has been cleaned for names and similar.
43 Namebase.org website at http://www.namebase.org/, last visited 2012.
44 FreeMind is a free mind-mapping software written in Java. See http://freemind.sourceforge.net/wiki/
262
NOTES NOTES
index.php/Main_Page for more details.

45 See http://www.mindjet.com/ for more details on Mindjet Manager.
46 The
author and supervisor shared the lecturing for the course advanced software technologies for knowledge
management.
47 It is important to note that this quote uses “the term hypertext broadly, to cover both textual and multimedia
content”.
48 The review of NoteCards was to some extent also part of our master thesis [165].
49 ASAP is an acronym for advanced support for agile planning. See Section 2.2.3 for more information on this
tool, or refer to [165, 170, 171]
50 Tim Berners-Lee gave a “talk a[t] the very first International World Wide Web Conference, at CERN, Geneva,
Switzerland, in September 1994. This was the conference at which the formation of W3C was announced” [23]
51 We would like to point out that the link to the ‘Enneagram of Personality’ for deciding peoples personality has
not affected our work.

52 In a nominal group each individual works separated from the rest of the when generating ideas
53 “Wisdom indicators” [149].
54 The event that starts the life cycle of creative endeavors could be a dream: “The classic example is Kekule’s
discovery of the ring-shaped structure of the benzene molecule via a dream about a serpent biting its tail.” [74]
55 CASE stands for Computer-aided Software Engineering.
56 Blitz
Planning is the planning method promoted by Crystal Clear [42], which we were developing support for
during our master thesis.
57 Throwaway prototyping lasting not more than a day or two [41].
58 Harakut-ul
Mujahedin (HUM) was one of the many small Islamic guerrilla groups that proliferated in Pakistan
and Afghanistan around the time when Omar went the Convoy of Mercy to Bosnia, but ended up in Split, Croatia
[189].
59 The project was also mentioned as ‘the Northern Project’ in various correspondence.
60 More often referred to in international media simply as the “Danish Cartoons”
61 When Headley’s home was searched on October 18th , a plane ticket to Copenhagen for October 29th with
departure from Atlanta was found
62 Persons graduated from Cadet College Hasan Abdal.
63 “Everything is not a joke [. . . ]. We are not rehearsing a skit on Saturday Night Live. Making fun of Islam
is making fun of Rasoosallah SAW [Messenger of Allah, Peace be on Him], [. . . ] call me old-fashioned but I feel
disposed toward violence for the offending parties, be they cartoonists from Denmark or Sherry Jones (Author of
Jewel of Medina) or Irshad Manji (Liberal Muslim trying to make lesbianism acceptable in Islam, among other
things) [. . . ] They never started debates with folks who slandered our Prophet, they took violent action. Even if
God does not give us the opportunity to bring our intentions to fruition, we will claim ajr (a religious award) for
it [. . . ]”. [57]
64 CINCENT: Commander-in-Chief, U.S. Central Command.
65 See also APS Physics news at http://physics.aps.org/articles/v5/89.
66 Another commercial tool is Analyst’s Notebook 8.5, stating to have protection of civil liberties ‘baked in’ [2].
67 Before Afghanistan and Iraq, Denmark had an international focus on peacekeeping missions, when it came to
inserting soldiers on the ground.
68 An primary high explosive, known as “Satans Mom” because of its unstable nature [209].
69 Morten Skjoldager, a Politiken journalist, has authored a book on Danish terrorism cases entitled “Truslen
indefra - De danske terrorister” (translated: “The threat from within - The Danish terrorists”), published by
‘Lindhardt og Ringhof’ in 2009.
70 More specifically the addition of §114 to the existing Danish Penal Code
71 Referto [13] for a description of the extensions of existing Danish Penal Code provided in the second counter
terrorism law.
72 Following the most recent incident, where an intruder threatened cartoonist Kurt Westergaard in his own home
on January 1st 2010, the right wing parties, has suggested that further tightening of law might be necessary. [88]
73 For Brennans complete speech, please refer to [William J. Brennan Jr., 1987. ‘The Quest to Develop a Ju-
risprudence of Civil Liberties in Times of Security Crisis.’ Speech, December 22, 1987, at the Law School of Hebrew
University, Jerusalem, Israel.]
74 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,
none of these studies ask the users to what degree they trust the information provided by the systems and how
that affects their acceptance of the technology.
75 Criminal network investigation cases other than those presented in Section 3.5 have been analyzed, e.g., the
263
NOTES NOTES
intelligence used for the United States case against Iraq concerning their (alleged) weapons of mass destruction
program [59,242], and the links between Operation Crevice and the 7/7 bombings in the United Kingdom [110,252].
Studies of the Afghan Taliban network (based on literature (e.g., [134]) and an interview (Section 15.2.1)) and al-
Qaeda and affiliated movements (AQAM) (Section 14.3).
76 Alex Steiner is a pseudonym for a DIA (defense intelligence agency) officer [59].
77 Many abbreviations are used in the literature for the described criminal network investigation steps. Processing
is also referred to as triage [7]. Synthesis [40] was chosen over foraging [25,254], collation [83], and textualization [20].
Sense-making over analysis [40]. Dissemination over presentation [25].
78 Structural models are typically embedded in mathematical models (e.g., see Brantingham (2009) [30]).
79 Theamount of memory required to store branched history is an important concern that was raised by Dr.
Atzenbeck during the authors visit to institute for information systems (iisys) at University of Hof.
80 The Sageman (2003) data set was provided by a classified source and is on file with the author.
81 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK
[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However,
none of these studies ask the users to what degree they trust the information provided by the systems and how
that affects their acceptance of the technology.
82 Sageman (2004) discusses the concept of a bridge to jihad [188], Veldhuis and Staun (2009) reviews the root
causes for radicalization of European minorities [234], and many researchers have studied online radicalization
[29, 48, 49, 236, 241]
83 The link charts could of course be automatically generated based on these incident reports, as it has been
suggested for organized crime using a so called importance flooding technique [139].
84 However, we have developed and tested measures of performance for the predict missing links algorithm in
Section 15.4. The predict missing links algorithm plays an important role in the custom node removal algorithm.
85 The Danish CTU is “invented” for this scenario and is not related to the Danish Security and Intelligence
Service’s Center for Terror Analysis or other Danish counterterrorism units.

86 We know that for entity extraction from text there exists data sets (corpus’s), which researchers can test the
efficiency of their algorithms on and then compare it to the efficiency of other researcher’s algorithms (e.g., see [55])
87 We have built our own data sets and investigation information from the Daniel Pearl investigation [128,162,227].
Sageman (2004) aggregated his al-Qaeda network from open sources [188], as was the November 17 data set [184].
88 Several criminal network investigations have inspired our work. The investigation of Daniel Pearl’s kidnapping
and murder was target-centric and used large pieces of paper on a wall to synthesize information entities as they were
discovered [128, 162, 227]. The investigation to locate and arrest the 9/11 mastermind Khalid Sheikh Mohammed
(both before and after the attacks), was, by the Federal Bureau of Investigation, conducted in a target-centric
manner and always with a focus on gathering evidence both for later potential trials but also to map and understand
the network of individuals, events, and places that was emerging [146]. Researchers and writers Strick van Linschoten
and Kuehn have been mapping a network of Afghan Talibans to investigate their associations with the Afghan Arabs
from 1970 to 2010 [134]. They use Tinderbox for their mapping efforts [166]. Tinderbox is a software tool that
takes a board-based approach to synthesis of networks and supports multiple structures [24].
89 In Danish ‘Politiets efterretningstjeneste’, PET in short.
90 In Danish ‘Forsvarets efterretningstjeneste’, FE in short.
91 See
Steele (2009) discussing secret intelligence vs. open source intelligence [214], and a recent article by
Bonnichsen (2012), previous DSIS director of operations [27].
92 Professor Hsinchun Chen (AI lab, University of Arizona) told author this during an informal conversation,
August 2012. Professor Chen also mentioned that it had taken about two years to establish the required trust with
law enforcement, before law enforcement let the 300 police officers participate in the survey.
93 The 2010 i2 EMEA user conference held in Brussels, Belgium.
94 During the spring of 2011 DDIS restructured their organization in order to shape and streamline the service,
to be better equipped to manage future tasks (see [52] and Appendix B.2 (danish text).
95 A classified source has told the author during an informal conversation that maturity was a key criteria within
the source’s organization, that has to fulfilled before they would take a look at any new technology.
264
Bibliography
[1] Terrorism informatics - knowledge management and data mining for homeland security.
Springer (2008)
[2] Ibm i2 analyst’s notebook (2012). URL http://www.i2group.com/
[3] Mindmeister (2012). URL http://www.mindmeister.com
[4] Npr: Ted radio hour podcast - where ideas come from (2012)
[5] Palantir government (2012). URL http://palantir.com/government
[6] Xanalys (2012). URL http://www.xanalys.com/
[7] Adderly, R., Musgrove, P.: Police crime recording and investigation systems - a user’s view.
International journal of police strategies and management 24(1), 100–114 (2001)
[8] Alexander, C.: Notes on the Synthesis of Form. Harvard University Press (1964)
[9] Alexander, C.: A city is not a tree. Architectural Forum 122(1), 58–62 (1965)
[10] Alvarez, R., Simon, D.: The Wire: Truth Be Told. Pocket Books (2004)
[11] Ambler, S.: Agile Modeling. John Wiley & Sons inc (2002)
[12] Amland, B.H.: 2 convicted in al-Qaida terror plot in Norway. Associated Press (2012)
[13] Anonymous: Den nye anti-terrorpakke (danish)
[14] Anonymous: The legal framework of pets workspaces: The penal code chapter 12 and
13 (danish) URL http://www.pet.dk/Arbejdsomraader/Lovgrundlaget/Straffeloven.
aspx
[15] Anonymous: Fakta: Tuneser-sagen (2008). August 29
[16] Anonymous: Assesment of the terror threat against denmark (2009). October 27
[17] Anonymous: Tidslinje: Danmark i krig i afghanistan (2009). January 1
[18] Atzenbeck, C.: Wilddocs - investigating construction of metaphors in office work. Ph.D.
thesis, Aalborg University (2006)
265
BIBLIOGRAPHY BIBLIOGRAPHY
[19] Atzenbeck, C., Hicks, D.L., Memon, N.: Emergent structure and awareness support for
intelligence analysis. In: Proceedings of the conference on information visualization, pp.
326–332. IEEE Press (2008)
[20] Atzenbeck, C., Hicks, D.L., Memon, N.: Supporting reasoning and communication for intel-
ligence officers. International journal of networking and virtual organisations 8(1/2), 15–36
(2011)
[21] Badalamente, R.V., Greitzer, F.L.: Top ten needs for intelligence analysis tool development.
In: proceedings of the 2005 international conference on intelligence analysis (2005)
[22] Bardram, J.E.: The art of doing a phd. online (2007). URL http://www.itu.dk/people/
bardram/pmwiki/pmwiki.php?n=Main.ArtPhD. Last consulted: Jan 28th 2010
[23] Berners-Lee, T.: W3 future directions. Plenary at International World Wide Web Confer-
ence, CERN, Geneva, Switzerland (1994)
[24] Bernstein, M.: The Tinderbox Way. Eastgate Systems (2006)
[25] Bier, E.A., Card, S.K., W, B.J.: Principles and tools for collaborative entity-based intelli-
gence analysis. IEEE transactions on visualization and computer graphics 16(2), 178–191
(2010)
[26] Bohannon, J.: Counterterrorism’s New Tool: ’Metanetwork’ Analysis. Science 325(5939),
409–411 (2009). DOI 10.1126/science.325\ 409. URL http://dx.doi.org/10.1126/
science.325_409
[27] Bonnichsen, H.J.: Man skal kunne være sine hemmeligheder bekendt (2012). September 20
[28] Brachman, J.M.: Global Jihadism: Theory and Practice. Routledge (2009)
[29] Brachman, J.M., Levine, A.: You too can be awlaki! Fletcher Forum of World Affairs 35,
25–46 (2011)
[30] Brantingham, P., Glässer, U., Jackson, P., Vajihollahi, M.: Modeling criminal activity in
urban landscapes. In: N. Memon, J.D. Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical
methods in counterterrorism, pp. 9–31. Springer, Wien (2009)
[31] Børsting, M., Østergaard, M.: Politikere er klar til at stramme terrorloven (2009). October
28
[32] Bruce, J.B., George, R.Z.: Introduction: intelligence analysis - the emergence of a discipline.
In: R.Z. George, J.B. Bruce (eds.) Analyzing intelligence - origins, obstacles, and innovations,
pp. 1–15. Georgetown University Press (2008)
[33] Bush, V.: As we may think. Atlantic Monthly 176(1), 101–108 (1945)
[34] Capers, B.: Crime, legimaticy, our criminal network, and the wire. Ohio state journal of
criminal law 8, 459–471 (2011)
[35] Carley, K.M.: Destabilizing dynamic covert networks. In: Proceedings of the 8th interna-
tional command and control research and technology symposium. Evidence Based research
(2003)
[36] Carley, K.M., Lee, J.S., Krackhardt, D.: Destabilizing networks. Connections 24, 31–34
(2001)
[37] Chen, H.: Intelligence and Security Informatics for International Security - Information
Sharing and Data Mining. Springer (2006)
266
[38] Chen, H.: Terrorism informatics. In: Dark Web, Integrated Series in Information Systems,
vol. 30, pp. 31–41. Springer New York (2012)
[39] Chin, G., Kuchar, O.A., Wolf, K.E.: Exploring the analytical processes of intelligence ana-
lysts. In: proceedings of the international conference on human factors in computing systems,
pp. 11–22. ACM Press (2005)
[40] Clark, R.: Intelligence analysis: a target-centric approach. CQ Press (2007)
[41] Cockburn, A.: What the agile toolbox contains (2004)
[42] Cockburn, A.: Crystal Clear - A human-powered methodology for small teams. Addison
Wesley (2005)
[43] Cockburn, A.: Agile Software Development: The Cooperative Game (2nd Edition) (Agile
Software Development Series). Addison-Wesley Professional (2006)
[44] Cohn, M.: User stories applied - for agile software development. Addison Wesley (2004)
[45] Commission on the Intelligence Capabilities of the United States Regarding Weapons of
Mass Destruction, Washington DC: Report to the President of the United States (2005)
[46] Conklin, J.: Dialogue Mapping. John Wiley and Sons Ltd (2006)
[47] Conklin, J., Begeman, M.L.: gibis: a hypertext tool for exploratory policy discussion. ACM
Trans. Inf. Syst. 6(4), 303–331 (1988)
[48] Conway, M.: Jihadi video and auto-radicalisation: evidence from an exploratory youtube
study. In: Intelligence and Security Informatics. Lecture Notes in Computer Science (LNCS),
pp. 108–118. Springer, Wien (2008)
[49] Conway, M.: From al-zarqawi to al-awlaki: The emergence of the internet as a new form of
violent radical milieu (2012)
[50] Custers, B.: Effects of unreliable group profiling by means of data mining. In: Discovery
Science, pp. 291–296 (2003)
[51] Davis, F.: Perceived usefulness, perceived ease of use and user acceptance of information
technology. MIS Quarterly 13, 319–340 (1989)
[52] DDIS: Danish defense intelligence service website (2012). [url:http://fe-ddis.dk/Pages/
Default.aspx, last visited September 2012]
[53] Dean, G., Gottschalk, P.: Knowledge management in policing and law enforcement. Oxford
University Press (2007)
[54] DeMarco, T., Lister, T.: Peopleware: Productive Projects and Teams (Second Edition).
Dorset House Publishing Company, Incorporated (1999)
[55] DeRosa, M.: Data Mining and Data Analysis for Counterterrorism. Center for Strategic
and International Studies (CSIS) (2004)
[56] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. abdur rehman hashim syed’,
also known as “pasha,” “major,” and “abdur rahman” (2009)
[57] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. david c. headley, also known
as “daood gilani”’ (2009)
[58] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. tahawwur hussain rana’ (2009)
[59] Drogin, B.: Curveball. Ebury Press (2008)
267
[60] Ellis, C.A., Gibbs, S.J., Rein, G.: Groupware: some issues and experiences. Commun.
ACM 34(1), 39–58 (1991). DOI 10.1145/99977.99987. URL http://doi.acm.org/10.
1145/99977.99987
[61] Empirical: The american heritage dictionary of the english language (4th ed.) (2000)
[62] Engelbart, D.C.: A conceptual framework for the augmentation of man’s intellect. In:
Computer-supported cooperative work, pp. 35–65. Kaufmann (1988)
[63] Erétéo, G., Buffa, M., Gandon, F., Grohan, P., Leitzelman, M., Sander, P.: A state of the
art on social network analysis and its applications on a semantic web (2008)
[64] Erétéo, G., Limpens, F., Gandon L., F., Corby, O., Buffa, M., Leitzelman, M., Sander, P.:
Semantic social network analysis: a concrete case. In: Handbook of Research on Methods
and Techniques for Studying Virtual Communities: Paradigms and Phenomena, pp. 122–
156. IGI Global (2011)
[65] Europol: TE-SAT 2009: EU Terrorism Situation and Trend Report 2009 (2009)
[68] Ferry, J.P., Lo, D., Ahearn, S.T., Phillips, A.M.: Network detection theory. In: N. Memon,
J. David Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical Methods in Counterterrorism,
pp. 161–181. Springer Vienna (2009)
[69] Field, A., Hole, G.: How to Design and Report Experiments. Sage Publications Ltd (2003)
[70] Floyd, C.: A systematic look at prototyping. In: B. et al. (ed.) Approaches to Prototyping,
pp. 105–122. Springer-Verlag (1984)
[71] Flyvbjerg, B.: Five misunderstandings about case-study research. Qualitative Inquiry pp.
219–245 (2006)
[72] Flyvbjerg, B.: Case study. In: N.K. Denzin, Y.S. Lincoln (eds.) The Sage Handbook of
Qualitative Research, pp. 301–316. Sage (2011)
[73] Frank G. Halasz, T.P.M..R.H.T.: Notecards in a nutshell (1987)
[74] Gabora, L.: Cognitive mechanisms underlying the creative process. In: Proceedings of the
4th conference on Creativity & cognition, C&C ’02, pp. 126–133. ACM, New York, NY, USA
(2002). DOI 10.1145/581710.581730. URL http://doi.acm.org/10.1145/581710.581730
[75] Gerber, A.J., Barnard, A., var der Merwe, A.J.: A semantic web status model (2006)
[76] Gill, J.: Building theory from case studies. Small business and enterprise development 2,
71–75 (1995)
[77] Gill, P.: Rounding up the usual suspects? Developments in contemporary law enforcement
intelligence. Ashgate Pub Ltd (2000)
[78] Gjerding, S., Toft, S.B.: Ansvarlige for utøya-svigt er for længst gået af (2012). August 13
[79] Gloor, P.A., Zhao, Y.: Analyzing actors and their discussion topics by semantic social
network analysis. In: Proceedings of Information Visualization (IV 2006), pp. 130–135
(2006)
[80] Gniadek, J.: Destabilizing terrorist networks through link importance analysis. Master’s
thesis (2010)
268
[81] Graber, D.A.: Terrorism, censorship and the 1st amendment: In search of policy guidelines.
In: P. Norris, M. Kern, M. Just (eds.) Framing Terrorism - The News Media, the Government
and the Public, pp. 27–42. Routledge (2003)
[82] Halasz, F.G.: Reflections on notecards: seven issues for the next generation of hypermedia
systems. Commun. ACM 31(7), 836–852 (1988)
[83] Harper, W.R., Harris, D.H.: The application of link analysis to police intelligence. Human
Factors 17(2), 157–164 (1975)
[84] Hauck, R.V., Chau, M., Chen, H.: Coplink: arming law enforcement with new knowledge
management technologies. In: Advances in digital government: technology, human factors,
and policy, pp. 163–179. Kluwer Academic Publishers (2002)
[85] Havaleschka, L.: Tidslinje: Glasvej-sagen dag for dag (2008). October 28
[86] Heer, J., Card, S.K., Landay, J.A.: prefuse: a toolkit for interactive information visualiza-
tion. In: Proceedings of the SIGCHI conference on Human factors in computing systems,
CHI ’05, pp. 421–430. ACM, New York, NY, USA (2005). DOI 10.1145/1054972.1055031.
URL http://doi.acm.org/10.1145/1054972.1055031
[87] Hemmingsen, A.S.: Anti-demokratiske og voldsfremmende miljøer i danmark, som bekender
sig til islamistisk ideologi - hvad ved vi? Research report for the danish ministry of social
affairs and integration, DIIS - Danish Institute for International Studies (2012)
[88] Henriksen, M.: Venstre åbner for terrorstramninger (2010). URL http://www.berlingske.
dk/danmark/venstre-aabner-terrorstramninger. January 3
[89] Hirtle, S.: Representational structures for cognitive space: Trees, ordered trees and semi-
lattices. In: A. Frank, W. Kuhn (eds.) Spatial Information Theory A Theoretical Basis for
GIS, Lecture Notes in Computer Science, vol. 988, pp. 327–340. Springer Berlin / Heidelberg
(1995)
[90] Hjarvard, S.: Den politiske presse - en analyse af danske avisers politiske orientering. Jour-
nalistica (2007)
[91] Hjørland, B., Albrechtsen, H.: Toward a new horizon in information science: Domain-
analysis. Journal of the American Society for Information Science 46(6), 400–425 (1995)
[92] Hoffman, B.: Inside Terrorism. Columbia University Press (2006)
[93] Hoffman, B.: The myth of grass-roots terrorism. Foreign Affairs 87 (2008)
[94] Hoskins, A., O’Loughlin, B.: Television and Terror: Conflicting Times and the Crisis of
News Discourse. New Security Challenges. Palgrave MacMillan, Basingstoke, Hampshire,
U.K. (2007). [Chapter 7: ‘Drama and Documentary: The Power of Nightmares’]
[95] wei Hsieh, H., III, F.M.S.: Supporting visual problem solving in spatial hypertext. J. Digit.
Inf. 10(3) (2009)
[96] Hsieh, H., Shipman, F.: Activity links: supporting communication and reflection about
action. In: Proceedings of the sixteenth ACM conference on Hypertext and hypermedia,
HYPERTEXT ’05, pp. 161–170. ACM, New York, NY, USA (2005)
[97] Hsieh, H., Shipman, F.M.: Manipulating structured information in a visual workspace. In:
Proceedings of the 15th annual ACM symposium on User interface software and technology,
UIST ’02, pp. 217–226. ACM, New York, NY, USA (2002)
[98] Hüttemeier Christian og Børsting, M.: Afghanerne skal selv overtage ansvaret om 2 år
(2009). URL http://politiken.dk/politik/article844927.ece. November 26
269
[99] Hu, P.J.H., Chen, H., Hu, H., Larson, C., Butierez, C.: Law enforcement officers’ accep-
tance of advanced e-government technology: A survey study of coplink mobile. Electronic
Commerce Research and Applications 10, 6–16 (2011)
[100] Hu, P.J.H., Lin, C., Chen, H.: User acceptance of intelligence and security informatics tech-
nology: A study of coplink. The American Society for Information Science and Technology
56, 235–244 (2005)
[101] Hunter, M.L., Hanson, N., Sabbagh, R., Sengers, L., Sullivan, D., Thordsen, P.: Story-based
inquiry: a manual for investigative journalists. UNESCO (2009)
[102] Huntington, S.P.: The Clash of Civilizations and the Remaking of World Order. Simon &
Schuster (1996)
[103] Ib, H.: Ledende artikel: Fjenden på besøg (2009). October 28
[104] IBMi2: i2 analyst’s notebook 8. What’s New (technical report) (2009). [issue 1, downloaded
from company website]
[105] IBMi2: i2 analyst’s notebook product video. i2 EMEA user conference (2010). [on file with
author]
[106] IBMi2: i2 emea user conference (2010). [http://www.i2group.com/emeauc/index.asp,

last visited 2011]
[107] IBMi2: Training team: hands on lab handouts. i2 EMEA end user conference (2010). [on
file with author]
[108] IBMi2: Ibm i2 analyst’s notebook premium. Handout at IBM i2 intelligence analysis seminar
(2012). [on file with author]
[109] III, J.O.E.: Countering terrorism with knowledge. In: H. Chen, E. Reid, J. Sinai, A. Silke,
B. Ganor (eds.) Terrorism Informatics - Knowledge Management and Data Mining for Home-
land Security. Springer (2008)
[110] Intelligence and Security Committee, United Kingdom: Could 7/7 have been prevented?
Review of the intelligence on the London terrorist attacks on 7 July 2005 (2009)
[111] Irons, L.R.: Recent patterns of terrorism prevention in the united kingdom. Homeland
Security Affairs 4 (2008)
[112] Irwin, C., Roberts, C., Mee, N.: Counter terrorism overseas. Defence Science and Technology
Laboratory (Dstl/CD053271/1.1), UK (2002)
[113] Johnson, L.K. (ed.): Handbook of intelligence studies. Routledge (2009)
[114] Jonker, D., Wright, W., Schroh, D., Proulx, P., Cort, B.: Information triage with trist. In:
Proceedings of the International Conference on Intelligence Analysis, (2005)
[115] Grø nbæk, K.: Composites in a dexter-based hypermedia framework. In: Proceedings of the
1994 ACM European conference on Hypermedia technology, ECHT ’94, pp. 59–69. ACM,
New York, NY, USA (1994)
[116] Kebbell, M.R., Muller, D.A., Martin, K.: Understanding and managing bias. Dealing with
uncertainties in policing serious crime pp. 87–97 (2010)
[117] Kim, D., Shipman, F.M.: Interpretation and visualization of user history in a spatial hyper-
text system. In: Proceedings of the 21st ACM conference on Hypertext and hypermedia,
HT ’10, pp. 255–264. ACM, New York, NY, USA (2010)
270
[118] Kitchenham, B., Pickard, L., Pfleeger, S.L.: Case studies for method and tool evaluation.
IEEE Software pp. 52–62 (1995)
[119] Kleine, D.: The capability approach and the ‘medium of choice’: steps towards conceptual-
ising information and communication technologies for development. Ethics and Inf. Technol.
13(2), 119–130 (2011)
[120] Klerks, P.: The network paradigm applied to criminal organizations: Theoretical nitpicking
or a relevant doctrine for investigators? Connections 24(3), 53–65 (2001)
[121] Kolb, D.: Other spaces for spatial hypertext. Journal of Digital Information 10(3) (2009)
[122] Krebs, V.: Mapping networks of terrorist cells. CONNECTIONS 24(3), 43–52 (2002)
[123] Krog, T.N.: Her trænede terroristerne (2009). October 29
[124] Kumar, R., Novak, J., Tomkins, A.: Structure and evolution of online social networks. In:
Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery
and data mining, KDD ’06, pp. 611–617. ACM, New York, NY, USA (2006). DOI 10.1145/
1150402.1150476. URL http://doi.acm.org/10.1145/1150402.1150476
[125] Larman, C.: Agile & Iterative Development - A Managers Guide. Addison Wesley (2004)
[126] Laville, S.: Al-Qaida-inspired plotters planned attacks on high-profile London targets. The
Guardian (2012)
[127] Levine, C.: Artful accuracy and the problem of form: Why the wire feels real Unpublished
manuscript
[128] Levy, B.H.: Who killed Daniel Pearl? Melville House Publishing (2003)
[129] Lichter, H., Schneider-Hufschmidt, M., Züllighoven, H.: Prototyping in industrial software
projects - bridging the gap between theory and practice. In: Proceedings of the 15th in-
ternational conference on Software Engineering, ICSE ’93, pp. 221–229. IEEE Computer
Society Press, Los Alamitos, CA, USA (1993). URL http://dl.acm.org/citation.cfm?
id=257572.257623
[130] Licklider, J.C.R.: Man-computer symbiosis. IRE transactions on human factors in electronics
pp. 4–11 (1960)
[131] Lillie, B.: Human-machine synergy: Shyam sankar at tedglobal 2012. TED (2012). [blog,
http://blog.ted.com/, last visited September 2012]
[132] Lim, Y.K., Stolterman, E., Tenenberg, J.: The anatomy of prototypes: Prototypes as fil-
ters, prototypes as manifestations of design ideas. ACM Trans. Comput.-Hum. Interact.
15(2), 7:1–7:27 (2008). DOI 10.1145/1375761.1375762. URL http://doi.acm.org/10.
1145/1375761.1375762
[133] Lindhardt, C.: Al-qaeda står bag ambassadebombe (2008). URL http://politiken.dk/
udland/article518880.ece. June 5
[134] Linschoten, A.S., Kuehn, F.: An enemy we created: the myth of the Taliban/Al-Qaeda
merger in Afghanistan, 1970-2010. Hurst (2012)
[135] MacDougall, I.: Norway ’bomb plot’ highlights al-Qaida problems. Associated Press (2012)
[136] MacFadyen, G.: The practices of investigative journalism. In: H. De Burgh, P. Bradshaw
(eds.) Investigative journalism, pp. 138–156 (2008)
[137] MacKensie, J.: The battle for aghanistan: Militancy and conflict in helmand (2010)
271
[138] Maltesen, B.: Tunesersag skal for højesteret (2009). URL http://politiken.dk/indland/
article852324.ece. December 4
[139] Marshall, B., Chen, H., Kaza, S.: Using importance flooding to identify interesting networks
of criminal activity. J. Am. Soc. Inf. Sci. Technol. 59(13), 2099–2114 (2008). DOI 10.1002/
asi.v59:13. URL http://dx.doi.org/10.1002/asi.v59:13
[140] Marshall, C.C., Halasz, F.G., Rogers, R.A., Janssen Jr., W.C.: Aquanet: a hypertext tool
to hold your knowledge in place. In: Proceedings of the third annual ACM conference on
Hypertext, HYPERTEXT ’91, pp. 261–275. ACM, New York, NY, USA (1991)
[141] Marshall, C.C., Shipman III, F.M.: Spatial hypertext: designing for change. Commun. ACM
38(8), 88–97 (1995)
[142] Marshall, C.C., Shipman III, F.M., Coombs, J.H.: Viki: spatial hypertext supporting emer-
gent structure. In: Proceedings of the 1994 ACM European conference on Hypermedia
technology, ECHT ’94, pp. 13–23. ACM, New York, NY, USA (1994)
[143] Mason, R.O.: Four ethical issues of the information age. MIS Q. 10(1), 5–12 (1986)
[144] McBride, M., Morgan, S.: Trust calibration for automated decision aids (2010)
[145] McCall, R.J., Bennett, P.R., D’Oronzio, P.S., Oswald, J.L., Shipman III, F.M., Wallace,
N.F.: Hypertext: concepts, systems and applications. chap. PHIDIAS: integrating CAD
graphics into dynamic hypertext, pp. 152–165. Cambridge University Press, New York, NY,
USA (1992)
[146] McDermott, T., Meyer, J.: The Hunt for KSM - Inside the Pursuit and Takedown of the
Real 9/11 Mastermind, Khalid Sheikh Mohammad. Little, Brown and Company (2012)
[147] Memon, B.: Identifying important nodes in weighted covert networks using generalized
centrality measures. In: European Intelligence and Security Informatics Conference 2012,
Odense, Denmark. Odense, Denmark (2012)
[148] Memon, N., Wiil, U.K., Alhajj, R., Atzenbeck, C., Harkiolakis, N.: Harvesting covert net-
works: a case study of the iminer database. Int. J. Netw. Virtual Organ. 8(1/2), 52–74
(2011)
[149] Moore, R.K.: The life cycle of creative endeavors. Enneagram Monthly (1997)
[150] Morselli, C.: The criminal network perspective. In: Inside criminal networks, Studies of
organized crime, vol. 8, pp. 1–21. Springer New York (2009)
[151] Mortensen, M.N., Bangsgaard, J.: Tidligere pet-chef: Uværdig tuneser-sag (2008). URL
http://www.berlingske.dk/danmark/tidligere-pet-chef-uvaerdig-tuneser-sag.
November 15
[152] National commission on terrorist attacks upon the United States, United States: The 9/11
Commission Report (Executive Summary) (2004). URL http://www.9-11commission.
gov/report/911Report_Exec.pdf.
[153] National commission on terrorist attacks upon the United States, Norway: The 22/7 Com-
mission Report (2012). URL http://22julikommisjonen.no/Rapport
[154] Nesser, P.: Structures of jihadist terrorist cells in the uk and europe. In: Proceedings of the
Joint FFI/King’s College Conference on “The Changing Faces of Jihadism” (2006)
[155] Newman, M.E.J.: Networks - an introduction. Oxford University Press (2010)
272
[156] Nørgaard Kristensen, N., Ørsten, M.: Danish media at war - the danish media coverage of
the invasion of iraq 2003. Journalism : theory, practice and criticism 8, 323–343 (2007)
[157] Nürnberg, P.: Structural computing and metadata management. In: Proceedings of the 2nd
Conference on Knowledge Management and Knowledge Technology (2002)
[158] Nürnberg, P.J., Leggett, J.J., Schneider, E.R.: As we should have thought. In: Proceedings
of the eighth ACM conference on Hypertext, HYPERTEXT ’97, pp. 96–101. ACM, New
York, NY, USA (1997). DOI 10.1145/267437.267448. URL http://doi.acm.org/10.1145/
267437.267448
[159] Nürnberg, P.J., Wiil, U.K., Leggett, J.J.: Structuring facilities in digital libraries. In:
Proceedings of the Second European Conference on Research and Advanced Technology for
Digital Libraries, ECDL ’98, pp. 295–313. Springer-Verlag, London, UK, UK (1998)
[160] Park, A.J., Tsang, H.H., Brantingham, P.L.: Dynalink: A framework for dynamic criminal
network visualization. In: Proceedings of European Intelligence and Security Informatics
Conference, pp. 217–224. IEEE (2012)
[161] Payne, J., Solomon, J., Sankar, R., McGrew, B.: Grand challenge award: Interactive vi-
sual analytics - palantir: The future of analysis. In: Proceedings of Symposium on Visual
Analytics Science and Technology, pp. 201–202. IEEE (2008)
[162] Pearl, M.: A mighty heart. Virago Press (2004)
[163] Penfold-Mounce, R., Beer, D., Burrows, R.: The wire as social science-fiction? Sociology
45(1), 152–167 (2011)
[164] Perlez, J., Shah, P.Z.: Embassy attack in pakistan kills at least 6 (2008). URL http:
//www.nytimes.com/2008/06/03/world/asia/03pakistan.html. June 3
[165] Petersen, R.R.: Asap: Agile planning in future creative room. Master’s thesis, University of
Southern Denmark (2008)
[166] Petersen, R.R.: Interview with alex strick van linschoten. A discussion of CrimeFighter
Investigator, Tinderbox, Gephi, Analyst’s Notebook in relation to Alex’s work with mapping
the temporal evolution of Afghan Taliban., Trafalgar Square, London, United Kingdom
(2011)
[167] Petersen, R.R.: Presentation of crimefighter investigator. Presented and demonstrated work
on prediction of covert network structure and missing links to a group of British intelligence
analysts, British Home Office, London, United Kingdom (2011)
[168] Petersen, R.R.: Association and centrality in criminal networks. In: Proceedings of European
Intelligence and Security Informatics Conference. IEEE (2012)
[169] Petersen, R.R., Rhodes, C.J., Wiil, U.K.: Node removal in criminal networks. In: Pro-
ceedings of European Intelligence and Security Informatics Conference, pp. 360–365. IEEE
(2011)
[170] Petersen, R.R., Wiil, U.K.: Asap: a planning tool for agile software development. In:
Proceedings of the nineteenth ACM conference on Hypertext and hypermedia, HT ’08, pp.
27–32. ACM, New York, NY, USA (2008)
[171] Petersen, R.R., Wiil, U.K.: Asap: A lightweight tool for agile planning. In: Proceedings of
the 4th International Conference on Software and Data Technologies (ICSOFT), pp. 265–272
(2009)
273
[172] Petersen, R.R., Wiil, U.K.: Analysis of emergent and evolving information: the agile plan-
ning case. In: J. Cordeiro, K. Ranchordas Alpesh, B. Shishkov (eds.) Software and data
technologies, Communications in computer and information science, vol. 50, pp. 263–276.
Springer Berlin Heidelberg (2011)
[173] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: A novel tool for criminal network
investigation. In: Proceedings of European Intelligence and Security Informatics Conference,
pp. 360–365. IEEE (2011)
[174] Petersen, R.R., Wiil, U.K.: Hypertext structures for investigative teams. In: proceedings of
the 22nd ACM conference on hypertext, pp. 123–132. ACM Press (2011)
[175] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Criminal network sense-making. In:
V.S. Subrahmanian (ed.) Computational Approaches to Counterterrorism (2012). Accepted
for publication
[176] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Integrating synthesis and sense-
making for criminal network investigation. Security Informatics (special issues on criminal
network investigation) (2012). [Accepted for publication]
[177] Pinto, P.C., Thiran, P., Vetterli, M.: Locating the source of diffusion in large-scale networks.
Phys. Rev. Lett. 109, 068,702 (2012). DOI 10.1103/PhysRevLett.109.068702. URL http:
//link.aps.org/doi/10.1103/PhysRevLett.109.068702
[178] Pioch, N.J., Everett, J.O.: Polestar: collaborative knowledge management and sensemaking
tools for intelligence analysts. In: proceedings of the international conference on information
and knowledge management, pp. 513–521. ACM Press (2006)
[179] Popp, R., Poindexter, J.: Countering terrorism through information and privacy protection
technologies. IEEE Security and Privacy 4(6), 18–27 (2006)
[180] Ratcliffe, J.: Intelligence-Led Policing. Willan Publishing (2008)
[181] Reuters: Two chicago men charged in connection with alledged roles in foreign terror plot
that focused on targets in denmark (2009). October 27
[182] Rhodes, C.: The use of open source intelligence in the construction of covert social networks.
In: U.K. Wiil (ed.) Counterterrorism and Open Source Intelligence. Lecture Notes in Social
Networks (LNSN 2), pp. 159–170. Springer, Wien (2011)
[183] Rhodes, C.J., Jones, P.: Inferring missing links in partially observed social networks. Journal
of the operational research society 60(10), 1373–1383 (2009)
[184] Rhodes, C.J., Keefe, C.M.J.: Social network topology: a bayesian approach. Journal of the
operational research society 58(12), 1605–1611 (2007)
[185] ritzau: Fængslet for terror mod dansk ambassade (2009). URL http://politiken.dk/
udland/article763350.ece. August 5
[186] ritzau: Pet: Attentatmanden handlede alene (2010). URL (http://politiken.dk/

indland/article871831.ece. January 2
[187] Robinson, L.: Information science: communication chain and domain analysis. Journal of
Documentation 65(4), 578–591 (2009)
[188] Sageman, M.: Understanding Terrorist Networks. University of Pennsylvania Press (PENN),
Philadelphia, Pensylvania (2004)
[189] Sageman, M.: Leaderless Jihad. University of Pennsylvania Press (2008)
274
[190] Sageman, M.: The reality of grassroots terrorism. Foreign Affairs 87 (2008)
[191] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [video, http://youtu.
be/jTnDyLndIqI, last visited September 2012]
[192] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [Powerpoint Presenta-
tion, on file with author]
[193] Saunders-Newton, D., Scott, H.: “but the computer said!”: Credible uses of computational
modeling in public sector decision making. Social Science Computer Review 19, 47–65 (2001)
[194] Schimpf, B.: Data integration platform. Palantir Technologies (2011). [online video, http:
//www.palantirtech.com/government/videos/whitevideos, last visited 2011]
[195] Scott, J.: Social network analysis, a handbook (second edition). Sage (2000)
[196] Security, D., (PET), I.S.: Terror arrests in Copenhagen (undated). URL http://www.pet.
dk/Nyheder/morkhoj-uk.aspx
[197] Shipman, F., Moore, J.M., Maloor, P., Hsieh, H., Akkapeddi, R.: Semantics happen: knowl-
edge building in spatial hypertext. In: Proceedings of the thirteenth ACM conference on
Hypertext and hypermedia, HYPERTEXT ’02, pp. 25–34. ACM (2002)
[198] Shipman III, F.M., Hsieh, H., Maloor, P., Moore, J.M.: The visual knowledge builder:
a second generation spatial hypertext. In: Proceedings of the 12th ACM conference on
Hypertext and Hypermedia, HYPERTEXT ’01, pp. 113–122. ACM, New York, NY, USA
(2001)
[199] Shipman III, F.M., Marshall, C.C.: Formality considered harmful: Experiences, emerg-
ingthemes, and directions on the use of formal representations ininteractive systems. Com-
put. Supported Coop. Work 8(4), 333–352 (1999). DOI 10.1023/A:1008716330212. URL
http://dx.doi.org/10.1023/A:1008716330212
[200] Shrinivasan, Y., van Wijk, J.: Supporting exploration awareness for visual analytics. In:
Visual Analytics Science and Technology, 2008. VAST ’08. IEEE Symposium on, pp. 185
–186 (2008). DOI 10.1109/VAST.2008.4677378
[201] Shrinivasan, Y.B., Wijk, J.J.: Supporting the analytical reasoning process in information
visualization. In: proceedings of the 26th conference on human factors in computing systems.
ACM Press (2008)
[202] Sifakis, J.: A vision for computer science - the system perspective. Central European Journal
of Computer Science 1, 108–116 (2011)
[203] Silber, M.D., Bhatt, A.: Radicalisation in the West: The Homegrown Threat (2007)
[204] Simon, D.: Homicide - a year on the killing streets. Picador (1991)
[205] Simon, D., Burns, E.: The corner - a year in the life of an inner-city neighbourhood. Broad-
way Books (1997)
[206] Simon, D., Burns, E.: The wire (the complete first season) (2002)
[207] Sipser, M.: Introduction to the theory of computation. PWS Publishing Company (1997)
[208] Skjoldager, M.: Truslen indefra: De danske terrorister. Lindhardt & Ringhof (2009)
[209] Skjoldager, M., Holst, N.: Landsretten dømmer to for terror (2009). June 26
275
[210] Skøt, J.: At løse et svært ingeniørproblem er som at spille på et instrument. Ingeniøren pp.
14–15 (2012). Translated title: “Solving a difficult engineering problem is like playing an
instrument
[211] Smith, E.A.: Complexity, networking, & effects-based approaches to operations. CCRP
(2006)
[212] Sparrow, M.K.: The application of network analysis to criminal intelligence: An assessment
of the prospects. Social Networks 13, 251–274 (1991)
[213] Sørensen, L.M.: Al-qaeda-leder trænede dansk terrorist (2009). URL http://politiken.
dk/indland/article807742.ece. October 11
[214] Steele, R.D.: Human intelligence (humint): All humans, all minds, all the time (2009).
[Draft 3.7 Article 11 Jul 09 APPROVED By DoD and CIA PRB. On file with author.]
[215] Steele, R.D.: Open source intelligence. In: L.K. Johnson (ed.) Handbook of intelligence
studies, pp. 129–147. Routledge (2009)
[216] Stenbit, J.P., L, W.I., Alberts, D.S.: NATO code of best practice for C2 assessment, [Chapter
5: Measures of Merit]. CCRP (2002)
[217] Stoll, C.: Silicon snake oil: Second thoughts on the information highway (1995)
[218] Sullivan, K.: Denmark tries to act against terrorism as mood in europe shifts (2005). August
29
[219] Taarnby, M.: Jihad in Denmark: am overview and analysis of jihadi activity in denmark
1990-2006. Danish Institute for International Studies (2006)
[220] Tanfani, J., Shiffman, J., Shea, K.B.: American suspect in mumbai attack was dea informant
(2009). December 14
[221] Taniguchi, T.A., Ratcliffe, J.H., Taylor, R.B.: Gang set space, drug markets, and crime
around drug corners in camden. Journal of research in crime and delinquency 48, 327–363
(2011)
[222] Technologies, P.: Hard technical problems in civil liberties protection. Tech. rep. (2011).
Whitepaper
[223] Technologies, P.: Privacy and civil liberties are in palantir’s dna. Tech. rep. (2011). Whitepa-
per
[224] Thomas, G.: A typology for the case study in social science following a review of definition,
discourse, and structure. Qualitative Inquiry 17(6), 511–521 (2011)
[225] Thompson, J., Hopf-Weichel, R., Geiselman, R.E.: The cognitive bases of intelligence anal-
ysis. Tech. rep., U.S. Army, Research Institute for the Behavioral and Social Sciences (1984)
[226] Thomsen, C.B.: På sporet af to terrormistænkte (2009). November 15
[227] Todd, B.F., Nomani, A.: The Truth Left Behind: Inside the Kidnapping and Murder of
Daniel Pearl (2011)
[228] Tusikov, N.: The godfather is dead: A hybrid model of organized crime. Aprehendiendo al
delincuente: crimen y medios en América del Norte pp. 143–160 (2010)
[229] Unavailable: Big data: crunching the numbers. The Economist (2012)
[230] Unknown: Palantir counterterrorism demonstration. Palantir Technologies (2009). [video,
http://www.palantir.com/2009/03/fullct/, last visited September 2012]
276
[231] Unknown: London terror bomb plot: the four terrorists. The Telegraph (2012)
[232] Van Dyke Parunak, H.: Don’t link me in: set based hypermedia for taxonomic reasoning.
In: Proceedings of the third annual ACM conference on Hypertext, HYPERTEXT ’91, pp.
233–242. ACM, New York, NY, USA (1991)
[233] Vedder, A., Custers, B.: Whose responsibility is it anyway? dealing with the consequences
of new technologies. In: P. Sollie, M. Düwell, A.M. Cutter, B. Gordijn, G.E. Marchant,
A. Pompidou (eds.) Evaluating New Technologies, The International Library of Ethics, Law
and Technology, vol. 3, pp. 21–34. Springer Netherlands (2009)
[234] Veldhuis, T., Staun, J.: Islamist Radicalisation: A Root Cause Model (2009)
[235] Vidino, L.: Al Qaeda in Europe: The New Battleground of International Jihad. Prometheus
Books (2005)
[236] Vidino, L.: Radicalization, linkage, and diversity: Current trends in terrorism in europe
(2011)
[237] Vijaykumar, S.: Object model. Palantir Technologies (2011). [online video, http://www.
palantirtech.com/government/videos/whitevideos, last visited 2011]
[238] Vogel, K.M.: ‘iraqi winnebagosT M of death’: Imagined and realized futures of us bioweapons
threat assessment. Science and Public Policy 35, 561–573 (2008)
[239] Warr, A., O’Neill, E.: Understanding design as a social creative process. In: Proceedings of
the 5th conference on Creativity & cognition, C&C ’05, pp. 118–127. ACM, New York, NY,
USA (2005)
[240] Wasserman, S., Faust, K.: Social Network Analysis: Methods and Applications. Cambridge
University Press (1994)
[241] Weiman, G.: Terror on facebook, twitter, and youtube. Brown Journal of World Affairs 16,
45–54 (2010)
[242] Weiner, T.: Legacy of Ashes: The History of the CIA. Anchor Books (2008)
[243] Wiil, U., Hicks, D., P., S.: Vision and progress towards structural computing support for
knowledge management. UCS 9 (2003)
[244] Wiil, U.K., Gniadek, J., Memon, N.: Measuring link importance in terrorist networks. In:
Proceedings of the international conference on advances in social networks analysis and
mining, pp. 225–232. IEEE (2010)
[245] Wiil, U.K., Gniadek, J., Memon, N., Petersen, R.R.: Knowledge management tools for
terrorist network analysis. In: Knowledge Discovery, Knowledge Engineering and Knowl-
edge Management. Lecture Notes in Communications in Computer and Information Science
(LNCCIS). Springer, Wien (2011)
[246] Wiil, U.K., Hicks, D.L.: Tools and services for knowledge discovery, management and struc-
turing in digital libraries. In: Proc. 8th Conf. Concurrent Engineering, pp. 580–589 (2001)
[247] Wiil, U.K., Memon, N., Gniadek, J.: Knowledge management processes, tools and techniques
for counterterrorism. In: K. Liu (ed.) KMIS, pp. 29–36. INSTICC Press (2009)
[248] Wiil, U.K., Memon, N., Gniadek, J.: Crimefighter: A toolbox for counterterrorism. Lec-
ture notes in communications in computer and information science (Knowledge discovery,
knowledge engineering and knowledge management) 128, 337–350 (2011)
277
[249] anonymous Wikipedia: Avon barksdale. URL http://en.wikipedia.org/wiki/Avon_

Barksdale. [last visited on August 5, 2012]
[250] Wilson, C.: Searching for saddam: A five-part series on how the u.s. mili-
tary used social networking to capture the iraqi dictator (updated 2010). URL
http://www.slate.com/articles/news_and_politics/searching_for_saddam/2010/
02/searching_for_saddam_5.single.html
[251] Wirtz, J.J.: Targeting intelligence. International Journal of Intelligence and CounterIntelli-
gence (2006)
[252] Woo, G.: Intelligence constraints on terrorist network plots. In: N. Memon, J.D. Farley,
D.L. Hicks, T. Rosenorn (eds.) Mathematical methods in counterterrorism, pp. 205–214.
Springer, Wien (2009)
[253] Wright, D.: A framework for the ethical impact assessment of information technology. Ethics
and Inf. Technol. 13(3), 199–226 (2011)
[254] Wright, W., Schroh, D., Proulx, P., Skaburskis, A., Cort, B.: The sandbox for analysis:
concepts and methods. In: Proceedings of the conference on human factors in computing
systems, pp. 801–810. ACM Press (2006)
[255] Xu, J., Chen, H.: Criminal network analysis and visualization. Commun. ACM 48(6),
100–107 (2005)
[256] Yalcinkaya, R.: Police officers’ adoption of information technology: A case study of the
turkish polnet system. Ph.D. thesis, University of North Texas (2007)
[257] Youtube: General colin powell un speech on iraq part 1of5 (2012). URL http://www.
youtube.com/watch?v=Nt5RZ6ukbNc. Last visited on February 19th 2012
278
APPENDIX A
Published papers and other written work
This appendix lists all our published work (Section A.1) together with unpublished papers and
manuscripts (Section A.2).
A.1 Published papers

Published papers with most recent papers first.
1. Petersen, R.R. “Association and Centrality in Criminal Networks”, paper submitted to

EISIC conference, IEEE, 2012. Published.
2. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Integrating Synthesis and Sense-
making for Criminal Network Investigation”, paper submitted to Security Informatics jour-
nal, Springer, 2012. Accepted.
3. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Criminal Network Sense-making”,
Computational Approaches to Counterterrorism book, Springer, 2012. Accepted.
4. Wiil, U.K., Gniadek, J., Memon, N., and Petersen, R.R., “Knowledge Management Tools
for Terrorist Network Analysis”, In LNCCIS, Vol. 272, pp. 322-337, Springer, 2012.
5. Petersen, R.R. and Wiil, U.K., “CrimeFighter Investigator: A novel tool for criminal network
investigation”, In Proc. EISIC, pp. 197-202, IEEE, 2011.
6. Petersen, R.R., Rhodes, C.J., and Wiil, U.K., “Node removal in criminal networks”, In Proc.
EISIC, pp. 360-365, IEEE, 2011.
7. Petersen, R.R. and Wiil, U.K., “Hypertext Structures for Investigative Teams”, In Proc.
Hypertext, pp. 123-132, ACM, 2011.
8. Petersen, R.R. and Wiil, U.K., “Analysis of Emergent and Evolving Information: The Agile
Planning Case”, In LNCCIS, Vol. 50, pp. 263-276, Springer, 2011.
A.2 Unpublished papers and manuscripts

1. Petersen, R.R. and Wiil, U.K., “A Framework Design for Information Analysis”, Submitted
to I-KNOW 2010, 2010.
279
A.3. PRESENTATIONS APPENDIX A. PUBLICATIONS AND OTHER WORK
2. Petersen, R.R., “Towards a Framework Design for Usage-Oriented Spatial Hypertexts”,

Written for PhD course on Scientific Writing, 2010.
3. Terrorism and new media essay. “Danish Newspapers and the Mickey Mouse Project”, Exam
essay written for PhD course on Media and Terrorism in the Middle East, 2010.
A.3 Presentations
1. Petersen, R.R., and Wiil, U.K., “Adaptive Counterterrorism Tools over Silver Bullets”, at the
International and Interdisciplinary Terrorism and New Media Conference, Dublin, Ireland,
2010.
A.4 Previously published

1. Petersen, R.R. and Wiil, U.K., “ASAP: A Lightweight Tool for Agile Planning”, In Proceed-
ings of the International ICSOFT Conference, pp. 265-272, 2009.
2. Petersen, R.R. and Wiil, U.K., “ASAP: A Planning Tool for Agile Software Development”,
In Proceedings of the International Hypertext Conference, pp. 27-35, ACM, 2008.
280
APPENDIX B
Danish Defense Intelligence Service (DDIS) web documents
The Danish Defense Intelligence Service intelligence cycle in Danish text is repeated below [52].
B.1 Efterretningskredsløb
Sammenhængen mellem indhentning, bearbejdning og analyse samt rapportering er central for
efterretningsarbejdet. Vi beskriver det ved den såkaldte efterretningskredsløb. Kredsløbet beskriver
en sammenhængende arbejdsproces, som gentages løbende.
Udgangspunktet er en prioritering. Den fastsættes med udgangspunkt i tjenestens opgaver og
ressourcer samt efter drøftelse med vores kunder - både i og udenfor forsvaret. Styrende er hensynet
til Danmark og danske militære styrkers sikkerhed.
Dernæst gør vi os klart, hvad vi allerede ved, og hvad vi gerne vil vide. Det sker ved, at vi
formulerer et såkaldt efterretningsbehov - en liste over de spørgsmål, som vi gerne vil have besvaret,
og de oplysninger, som vi mangler. De er udgangspunkt for indhentningen.
Indhentningen søger at besvare de stillede spørgsmål ved at skaffe oplysninger fra kilder - det
kan være både lukkede og åbne kilder. Åbne kilder er kilder, som alle kan skaffe sig adgang til,
som f.eks. Internet, aviser og andre publikationer. Lukkede kilder kræver en efterretningsmæssig
indsats. Det er adgangen til lukkede kilder, som er et særkende for den efterretningsmæssige
vurdering. Oplysninger fra både åbne og lukkede kilder skal vurderes og analyseres. Er oplysningen
og/eller kilden troværdig? I den forbindelse er det en styrke i analysen at kunne sammenholde
oplysninger fra åbne og fra lukkede kilder.
I analysen tager man udgangspunkt i en forestilling om, hvordan situationen er - en såkaldt
hypotese - som man afprøver mod de oplysninger, man har. Det, som er interessant, er om der er
oplysninger, som ikke passer med ens forestilling. Så er der måske en anden hypotese, som passer
bedre på de oplysninger, man har. Dette er ikke et arbejde, som én medarbejder kan gøre alene.
Det er i høj grad et holdarbejde, hvor man afprøver sine hypoteser og analyser med sine kolleger.
I den forbindelse kan analytikeren støde på nye spørgsmål, som vedkommende ønsker besvaret,
eller oplysninger, som er mangelfulde. Så formulerer analytikeren et nyt efterretningsbehov.
Når en analyse er færdig, skal den omsættes til en rapport. I den forbindelse er det vigtigt
at videregive vurderingen så præcist som muligt. I rapporteringen skelner vi normalt skarpt
mellem oplysninger og vurdering. Vi gengiver oplysninger, så det ikke fremgår, præcist, hvorfra
de stammer. Det er nødvendigt for at beskytte kilderne og FE’s indhentningskapacitet. Af samme
281
B.2. FE FORETAGER OMPRIORITERINGER APPENDIX B. DDIS WEB DOCUMENTS
årsag er FE’s rapporter normalt klassificeret. Det gælder også de rapporter, som FE modtager
fra udenlandske samarbejdspartnere.
B.2 FE foretager omprioriteringer

FE omprioriteter sine ressourcer for fortsat at kunne leve op til de udfordringer, som
en moderne efterretningstjeneste står over for, og samtidig kunne imødekomme krav
om besparelser.
06-01-2012 - kl. 14:50
FE ser behov for at foretage en række omprioriteringer. Dette indebærer nedlæggelse af nogle af
tjenestens nuværende indhentningskapaciteter og samtidig en styrkelse af andre. Konsekvensen
er, at FE’s station ved Dueodde på Bornholm lukkes, ligesom der sker ændringer på FE’s indhent-
ningsstationer i Nordjylland og på Amager. Det er forventningen, at der vil skulle afskediges 27
medarbejdere, heraf 17 på Bornholm. Samtidig er det hensigten at ansætte ca. 20 nye medarbe-
jdere med andre kompetencer.
Årsagen til disse omprioriteringer er behovet for at tilpasse FE til den teknologiske udvikling
kombineret med udviklingen i det samlede trusselsbillede, holdt op imod de samlede økonomiske
rammer.
FE gennemfører således omprioriteringerne med henblik på at styrke indhentningen inden for de
områder, der vurderes at være mest relevante for Danmarks sikkerhed. Det kræver en fortsat
tilpasning af kapaciteter og kompetencer.
I foråret 2011 gennemgik FE en større reorganisering for at målrette og effektivisere tjenesten, så
den er rustet til at håndtere fremtidens opgaver. Den nye organisation udspringer af kravet om,
at organisationen til enhver tid skal understøtte og afspejle FE’s prioriteter og opgaveløsning. Det
samme krav gælder for FE’s indhentningskapaciteter.
Trusselsbilledet rettet mod Danmark samt behovet for støtte til forsvarets udsendte styrker,
kræver, at vi hele tiden har en tidssvarende indhentning, der kan agere fleksibelt.
282

Manual I2

Caricato da

Informazioni sul documento

Descrizione originale:

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Manual I2

Caricato da

Copyright:

Formati disponibili

Criminal Network Investigation:

Processes, Tools, and Techniques

Ph.D. dissertation (revised version)

May 13, 2013

Committee member Committee member Committee member

The Maersk Mc-Kinney Moller Institute

Rasmus Rosenqvist Petersen

Efterforskninger af kriminelle netværk udført af politi, efterretnings analytikere, og undersøgende

I Introduction and method 1

3 Criminal network investigation 33

5 Theory and technology 81

6 Problem definition 119

III The tool 127

7 Process model and tasks 129

8 Software components 135

14 Work flow support 207

IV Evaluation and conclusion 229

A Publications and other work 279

Introduction and method

First, the taking in of scattered particulars under one Idea so that

A criminal network investigation is an investigation of a criminal network. Pardon the tautology,

1.1 Myths and disclaimers

1.2 Criminal network investigation challenges

“Many researchers have attempted to explain the mass of evidence contradicting

1.2.1 Selecting challenges

A software system addressing information, process, and human

1.2.2 Research focus

1.3 Theory and technology

1.4 CrimeFighter toolbox

Figure 1.3: Knowledge management processes for counterterrorism

To support the knowledge management processes described, CrimeFighter provides a number of

Figure 1.4: Tools supporting the knowledge management processes

1. CrimeFighter Explorer is a software package with various services aimed at acquiring

Figure 1.5: The CrimeFighter toolbox for counterterrorism.

1.4.1 CrimeFighter Investigator within this framework

1.5 Dissertation structure

Figure 1.7: We have extended our focus from

Figure 1.8: Ph.d. dissertation structure.

Chapter 9 (Acquisition) is a process assisting investigators in dealing with information arriv-

Chapter 11 (Sense-making) tasks assist investigators in extracting useful information from

cooperation tasks defined in Chapter 7, together with a short description of implemented

1.5.1 Reading directions

Iteration is a significant component of design activity that occurs

relevant for our method.

2.1 General Ph.D. approach

2.2 Software development methodology

2.2.1 Prototyping reviewed

A software development prototype: process not product

The four steps of prototyping

Three approaches to prototyping

1. Exploratory prototyping. The emphasis is on clarifying requirements and desirable

2.2.2 Proof-of-concept prototyping

How we have designed the prototypes

2.2.3 Software baseline and CrimeFighter Investigator - evolution from

Metric Construct ASAP CFI 1 CFI 2 CFI 3 (Final)

2.3 Empirical evidence

2.3.1 Case study research

Subject: The kidnapping and murder of Daniel Pearl.

2.4 Ph.D. study program

Criminal network investigation

3.1 What is a criminal network?

3.1.1 Criminal networks and other networks