North America User Conference

Info and Registration

Contact Us
Back to all articles

What is link analysis and link visualization?

Link analysis graph

In the world of investigations, uncovering links between people, organizations, and events is a primary method to reveal new insights. This process, known as link analysis, has become a powerful tool for a variety of users, from law enforcement agencies and military intelligence, to banking and not-for-profits.

By examining relationships and connections, link analysis aids in understanding complex networks, identifies patterns, and facilitates informed decision-making.

Cold War intelligence

Link analysis is not a new idea. In the 1940s sociologist Jacob Moreno introduced sociograms as a visual representation of social relationships. Later, during the Cold War, intelligence agencies adopted link analysis to map out connections between individuals involved in espionage and criminal activities.

In fact, many of today’s data science approaches date back even further, incorporating techniques from graph theory that have their foundation in Leonhard Euler’s mathematical solution to the Seven Bridges of Königsberg problem in 1736.

With the advancement of computer technology and the exponential growth of data, link analysis has become more sophisticated, allowing investigators and analysts to uncover hidden relationships and better understand complex networks.

An i2 chart showing a link analysis graph
Figure 1: A link analysis graph in i2 Analyst's Notebook

What is link analysis?

Link analysis is a methodology used to examine and visualize the relationships between entities, such as People, Objects, Locations, and Events - often referred to as the POLE data method.

The aim is to uncover patterns, dependencies, and associations within a network of entities to gain an understanding of the underlying relationships. There are three core applications for which link analysis is used:

  1. Identifying known patterns that validate a hypothesis
  2. Identifying patterns that disprove a hypothesis
  3. Discovery of new patterns of interest for further investigation

What is an entity?

An entity is a distinct object or subject such as a person, organization, location, or event. They are represented as nodes in a link analysis graph and are connected with links (see below) that represent relationships between them.

What is a link?

A link is a connection between two entities and indicates some form of relationship, association, or interaction between different entities. For example, this may be an attribution between a person and an event, or a call between two phones.

Link analysis graphs

When first describing link analysis there is often a heavy focus on how the data is visualized.

Commonly referred to as either a link, graph, or network visualization, this is an extremely powerful way to represent how entities are connected by their links.

Analyzing data in this visual format enables rapid identification of interesting patterns in both the positive and negative space, such as high-density clusters of entities, a high volume of interconnectivity between pairs of entities, or even the absence of links where they may be expected.

In the example below, four distinct clusters are revealed. Within the positive space, there are interconnecting entities between pairs of clusters (blue triangles), or three or more clusters (blue diamonds). There are no interconnecting entities between clusters 1 & 2 (negative space).

Link analysis graph showing clusters of entities.

Figure 2: A link analysis graph showing clusters of entities

Such links and patterns within the data are not always apparent when simply presented in a tabular format (see below). These visualizations, or graphs, are the basis of link analysis.

Table versus link analysis graph

Not all links are created equally

As the name suggests, link analysis has a heavy reliance on how entities are connected.

However, there is a key assumption to avoid when interpreting a link analysis graph. Entities and their connections should not necessarily be treated equally. Giving the same weight to one link versus another, or not considering underlying data points, can lead the analyst to make incorrect inferences.

Whilst knowing that entities are linked, the nature of the links enables greater knowledge and understanding of their importance for further analysis. For some data sets, such as communication or financial data for example, the analyst’s understanding of a link analysis graph will consider the communication/transaction type, directionality, frequency of the connections, temporal considerations, or a combination of all. In other words, not all links are equal!

In the example below, financial transactions are shown that present information dependent upon the level of detail required. The first very simple link (top) serves to just show there is a connection between two accounts, the next link adds the number of transactions, then the total value is included, and finally (bottom) the links show individual transactions with various data points (i.e. method, date, value).

Link analysis showing financial transactions.Figure 3: Link analysis graph showing different levels of detail

What analysis can be performed?

Creating a link visualization is the foundation to combine analytical methodologies in one place to obtain further insights into the data. Some common tools and techniques used to draw out insights are:

  • Clustering to establish more tightly bound areas within the network including common entities that may exist between two or more clusters.
  • Pathway discovery across two or more entities of interest to identify non-obvious connections or entities. Visualizations can be enhanced by applying conditions to these pathways such as direction, timeframes of interest, or a commodity being transferred to help isolate certain patterns.
  • Graph analytics such as Social Network Analysis (SNA) to highlight the importance in a network based upon centrality measures. These include potential gatekeepers of information, influencers, and hubs of authority. Weightings can be placed on specific link types and data points to tailor the results.
  • Quantitative analysis features aggregate and group data points to establish commonality across similar characteristics. Subgrouping this information can often lead to non-obvious traits that may have formed the network, such as exploitation of vulnerabilities.
  • Temporal analysis indicates the sequence of events that may have formed a network, periods of inactivity, or times of convergence and overlapping factors.
  • Analytical layout algorithms can be used to alter the visual appearance based on multiple factors, such as organization or hierarchical dependencies.

Why is link analysis useful?

Link analysis is an essential tool for data analysts. By examining connections between suspects, victims, witnesses, and evidence, they can establish links and associations that help establish motives, identify accomplices, and gather critical intelligence.

It provides a comprehensive overview of the relationships within a case, leading to actionable insights and informed decision-making for a range of use cases:

  • Law enforcement investigations in communications data, such as call data records, digital forensics, and Internet Intelligence & Investigations (III) - often referred to as Open Source Intelligence (OSINT).
  • Mapping relationships between people, such as those involved in Organised Crime Groups, data obtained from social networks, peer mapping for child protection (Contextual Safeguarding), or genograms (family trees).
  • Analysis of financial data transactions between accounts and corporations, corporate structures, and cryptocurrency, money laundering, insurance fraud, and mapping the flow of commodities.
  • Understanding unstructured data, via natural language processing of text or networks of extracted data from video, image and audio media.
  • Process mapping for project management, product development, and supply chain use cases, including product development to enable organizations to understand bottlenecks, vulnerabilities and integrity issues, and opportunities for transformation.
  • As a foundational technology underpinning the Internet, enabling analysis IP and WiFi traffic, websites, and how knowledge is stored and accessed by technologies such as Google.

As criminal networks become increasingly sophisticated, the continued development and application of link analysis techniques will remain crucial in the pursuit of justice.

Link analysis with i2

i2's product range, including the flagship i2 Analyst's Notebook, has revolutionized the way investigators and analysts approach complex cases.

All our tools offer data integration and advanced analytical capabilities to aid data analysts in understanding relationships and uncovering hidden connections.

To find out more, view of product range or contact us.

Product Range