Europe User Conference

How i2 Analyst's Notebook was used to catch a dangerous group of bank robbers in the Texas area that resulted in convictions for seven criminals totalling 2,945 years in prison.

Dallas Police Department Fusion Center

On July 2, 2007, the first of twenty-one bank robberies occurred in Dallas, Texas, starting the beginning of an eleven-month investigation.

The offenders were quickly dubbed the “Scarecrow Bandits” due to the clothing and face coverings they wore during their initial offenses. As the investigation opened, the only analytical tools available to the Dallas Police Department (DPD) were Microsoft Excel and Access which the DPD found to be burdensome and time-consuming. In October 2007, the Dallas Police Department acquired the use of i2's Analyst Notebook, which proved to be of great value in closing the string of robberies.


This series of robberies created a difficult and highly dangerous scenario for the Dallas Police Department and the pressure to solve the case was high. With the "Scarecrow Bandits" using
disguises that covered all exposed skin and facial features with plaid shirts and straw hats, the normal means of identification, such as fingerprint identification or the use of photo line ups, 
was near impossible.

During the first three months of the investigation a total of five offenses occurred in Dallas and the surrounding area. Investigators were unable to discover any leads in identifying the suspects, which had increased from two to four. The only common factor discovered during the investigation was the use of a cell phone during each offense. To try and garner new leads,
the DPD decided to acquire cell phone tower records from each location for a period of two hours before the offense occurred until one hour after. These records were then sorted to find common numbers used at each location. As a result of the request, the department received a total of 150,000 calls for analysis.

In August these records were supplied by five different service providers, and entered into Excel which created a time-consuming process of sorting and identifying possible links between
locations. During this time two additional offenses occurred and records from cell towers near the locations were also requested. This continued throughout September, producing a
possible 100 links between locations. However, it wasn't until the first week in October that the department got its biggest break in the case.

On October 7, 2007, the DPD received and loaded the newly acquired i2's Analyst Notebook. It was also at this time that the suspects expanded from four to five suspects entering the locations.


Upon deploying Analyst's Notebook the DPD entered all the phone records they had collected in Excel charts. As they worked through their analysis, unlinked calls were eliminated,
revealing a pattern of use by less than ten identifiable phones in use at several of the robbery locations. Using this information, the FBI and the DPD were able to subpoena specific phone
records for each phone identified.

Without i2’s visualization and sorting software  capabilities it would have taken several additional weeks to a month in order to sort through the initial 150,000 cell phone transactions, not even thinking about counting the additional 100,000 records that were yet to be subpoenaed..

 Donald E. Cooper, Senior Criminal Intelligence
Analyst, Strategic Deployment Bureau

As additional information was received through tips on the possible identity of the suspects, i2 Analyst's Notebook was used to establish link charts for each tip. By combining the charts, additional links could be established between persons that were not normally seen in official reporting standards, such as living in the same apartment complex or neighborhood. Links were also established indicating attendance at a specific school in the area.

Upon receiving the specific phone records, it was discovered that aliases and nicknames were used, along with addresses that appeared to be over several years old. Combining this information with results found on the link charts enabled the DPD to identify three possible suspects in mid-December.

By this time the suspects had committed a total of fourteen offenses and had expanded their area of operations. However, DPD were now also able to identify connected stolen vehicles recovered within three miles of the offense locations. Using the timeline feature in i2 Analyst's Notebook, it was quickly determined that the suspects were stealing a vehicle between two and three days before an offense. It was also discovered that the suspects preferred large sports utility models, which quickly became a focus of interest to the DPD. Region-wide departments were now requested to provide the DPD with daily information concerning the theft of vehicles matching these descriptions and were inserted into the timeline. Records for the previous six months were also searched for vehicles described in the offenses in the hope of identifying an area in which the vehicles were being stolen.

Forth Worth, Texas, USA

By March of 2008, the suspects had committed twenty robberies, though there was still not enough evidence to exclusively identify them. However, by using official records and
open source data, backgrounds on the initial possible suspects continued. Based on the information established using i2 Analyst's Notebook link and phone analysis, investigators were able to get approval to conduct surveillance on the possible suspects which provided a wealth of information that had not been found in normal records checks. Additional addresses 
and persons were identified and added to the previous data in i2 Analyst's Notebook and the possible suspect list quickly grew to six.

Unfortunately, as the DPD continued to try and identify the suspects, the violence increased during the robberies and at least one suspect was armed with an assault rifle during one of the
offenses. In light of this escalation, during the first week in Ma 2008, using the information derived from link, phone, and timeline analysis, the FBI prepared a wiretap subpoena for 
three of the phones identified during the investigation.

During the following three weeks, the federal wiretap finally provided a much-needed break in the case. Investigators quickly established the means by which the suspects planned and
executed their robberies. The DPD determined that suspects began by conducting surveillance at several locations, acquired a vehicle, and three or four suspects would enter the location,
while those remaining would watch for patrols in the area, and drive the stolen vehicle used for escape. Finally, on the evening of June 1, 2008, the wiretap provided a date and time for the
next robbery - a bank the next morning in Garland. The Task Force quickly planned to take the suspects into custody as they arrived at the location. 


Before the robbery, the DPD moved into place and arrested the suspects as they arrived at the bank. These arrests led to the conviction of six males and one female on several charges stemming from the aggravated robbery of twenty-one banks over a period of eleven months. 
During the resulting trials over the next two years, i2 Analyst's Notebook was used in defining the links between each suspect, the phone connections, and how their activities matched the timeline of the offenses.

They were able to show that during periods that some of the suspects were serving sentences for minor law infractions, no offenses occurred, thus helping to pinpoint their involvement better. However, phone link analysis was the major factor used during the resulting trials. The ability to graphically display each of the suspects' phone links to specific towers during the offenses was the closing factor which returned verdicts that totalled 2,945 years in prison for all seven individuals.

More information

Find out more about i2 Analyst's Notebook or contact us to see how we can help you with your law enforcement investigations.

Contact Us