Criminal Network Investigation - Rasmus Rosenqvist Petersen

Criminal Network Investigation: 

Processes, Tools, and Techniques 

Ph.D. dissertation (revised version) 

Author Supervisor 

Rasmus Rosenqvist Petersen Uffe Kock Wiil 

The Maersk Mc-Kinney Moller Institute The Maersk Mc-Kinney Moller Institute 

University of Southern Denmark University of Southern Denmark 

Campusvej 55, Odense, Denmark Campusvej 55, Odense, Denmark 

rrp@mmmi.sdu.dk ukwiil@mmmi.sdu.dk 

May 13, 2013 

Committee member Committee member Committee member 

Kasper Hallenborg Patricia L. Brantingham Kaj Grønbæk 

The Maersk Mc-Kinney Moller Institute School of Criminology Department of Computer Science 

University of Southern Denmark Simon Fraser University Aarhus University

Abstract 

Criminal network investigations such as police investigations, intelligence analysis, and investigative 

journalism involve a range of complex knowledge management processes and tasks. Criminal 

network investigators collect, process, and analyze information related to a specific target to create 

intelligence products that can be disseminated to their customers. Investigators deal with an 

increasing amount of information from a variety of sources, especially the Internet, all of which 

are important to their analysis and decision making process. But information abundance is far 

from the only or most important challenge for criminal network investigation, despite the massive 

attention it receives from research and media. Challenges such as the investigation process, the 

context of the investigation, human factors such as thinking and creativity, and political decisions 

and legal laws are all challenges that could mean the success or failure of criminal network 

investigations. 

Information, process, and human factors, are challenges we find to be addressable by software 

system support. Based on those three challenges we formulated our hypothesis for tool support, 

and analyzed problems related to each individual challenge. Our response to these problems 

is a list of research focus requirements, to guide our development of new processes, tools, and 

techniques that ultimately would reduce the impact of the challenges and support the hypothesis. 

We propose hypertext as the key technology to bridge human and tool related requirements to 

provide integrated support for both, resulting in increased capabilities, that ultimately will create 

a synergy effect useful for criminal network investigation. 

We create a target-centric process model (acquisition, synthesis, sense-making, dissemination, 

cooperation) encouraging and supporting an iterative and incremental evolution of the criminal 

network across all five investigation processes. The first priority of the process model is to address 

the problems of linear process models that introduce compartmentalization, reducing sense 

of responsibility and deterioration of information as it passes through compartments. We have developed 

a list of criminal network investigation tasks encapsulating the work within each process, 

selected based on their contributions to the success of investigations. 

Basic criminal network investigation concepts have been developed and tested using proof-ofconcept 

prototyping, resulting in generic software components for tool support of criminal network 

investigation. We have used these components to build CrimeFighter Investigator, iteration by 

iteration, embracing the concepts embedded in the components. We analyze, design, and demonstrate 

support of individual criminal network investigation tasks for each of the five processes, 

and we also describe the deployment of CrimeFighter Investigator in scenarios that span multiple 

processes and tasks. We have used three methods to evaluate CrimeFighter Investigator, capability 

comparisons, end user interviews, and measures of performance. We have found that our 

evaluation methods provide good coverage of the research focus requirements. When summarizing 

evaluation of the requirements, we found strong support of most and medium or weak support 

of few. In general, our evaluation showed that we had focused on the right challenges, and the 

interdependency of the requirements made it clear that a more narrow focus, leaving out one of 

the challenges, would have provided much less support. 

We can conclude that all indicators point toward support of the hypothesis: addressing the challenges 

of information, process, and human factors by providing tool support based on advanced 

software technologies is a useful tool for investigators, as it increases the capabilities of both 

human and tool, thereby reducing the impact of the challenges. Rather than focusing on the 

inner-workings of network analysis techniques, we have worked toward supporting end user interactions 

with techniques, to achieve better investigation results. We consider our results to represent 

guidelines for how to conduct research of tool support for criminal network investigation.

To my father 

for his insistent fight to live 

To my mother 

for fighting alongside her husband, my father

Preface to revised version 

This dissertation is the result of three years Ph.D. studies. The work was carried out from 

September 1 st 2009 to September 30 th 2012. The initial version was submitted October 1 st . 

This revised version is based on feedback from my Ph.D. committee members Patricia L. Brantingham, 

Kaj Grønbæk, and Kasper Hallenborg. Furthermore, working in the network visualization 

and analysis industry changed my views on the importance and power of visualization. But the 

foundation of my research is still the same: structure domains, agile processes, and human cognition. 

Finally, ideas have kept emerging and evolving after the initial version was submitted. 

Happy investigation . . . 

The Maersk Mc-Kinney Moller Institute 

University of Southern Denmark, Odense 

Rasmus Rosenqvist Petersen 

May 13, 2013 

v

Acknowledgments 

First of all thanks to everybody at the Maersk-McKinney Moller Institute (University of Southern 

Denmark), professors and lecturers, for their academic advice and encouragements to continue my 

research, secretaries, for helping me out on numerous occasions and without who no one at the 

institute would get anything done. To my fellow Ph.D. students, with whom I have spent countless 

hours at the foosball table or discussing foreign politics and cultural differences and similarities 

over a cup of chai, coffee, or beer: shukria, dhanyavaad, gracias, tak, . . . thank you! 

A special thanks goes to my supervisor, Professor Uffe Kock Wiil, who has guided and supported 

the basic ideas of my research over the past five years. He has always taken the time to provide 

constructive feedback whenever I was doubtful about which direction to take, even after becoming 

project manager for the largest grant in the history of our university. Thank you Uffe, for always 

supporting my ideas and guiding me if I was about to get lost in some case, theory, or book - I 

have learned a lot from your approach to research, and I hope to one day achieve your sense of 

information and structure. 

I have been fortunate to make two 1-month visits to international research institutions: at Imperial 

College in London, I worked closely with Dr. Christopher J. Rhodes, developing CrimeFighter 

Investigator support for inference-based prediction. Thank you Chris, and everybody else at Imperial 

College, for showing me around, introducing me to indian pale ale, and always being willing 

to help. Also thank you to the Research Councils United Kingdom, Institute for Security Science 

and Technology (Imperial College) and the United Kingdom Ministry of Defense for supporting 

the work and publication of a paper on node removal. At University of Hof in Bavaria, I worked 

closely with Dr Claus Atzenbeck, director of Institute for Information Systems (iisys), primarily 

focusing on domain analysis and discussions of how to design usability experiments. Thank you 

Claus, and everybody else at iisys, for welcoming me and showing me various aspects of Bavarian 

life. Also thank you to Claus for writing several knowledgeable papers related to criminal network 

investigation. 

The places that I have worked on my dissertation around the world, and the friends living in 

those places, deserve a special thanks; it has been incredibly motivating and inspiring for me. 

Unfortunately, the list is too long to mention everybody and everywhere here. To everyone not 

mentioned: thank you! 

My Ph.D. dissertation builds upon previous publications in hypertext and security informatics 

conference proceedings, one accepted security informatics journal paper, and one accepted computational 

approaches to counterterrorism handbook chapter. I am thankful to the numerous 

reviewers who have helped me improve my work by giving useful and insightful comments on 

submitted manuscripts. 

vii

Resumé 

Efterforskninger af kriminelle netværk udført af politi, efterretnings analytikere, og undersøgende 

journalister involverer en række komplekse processer og opgaver relateret til h˚andtering af viden. 

Efterforskere af kriminelle netværk indhenter, bearbejder, og analysere information relateret til 

et specifikt efterretningskrav, for at skabe efterretnings produkter der kan rapporteres til kunden 

der formulerede kravet. Efterforskere skal h˚andtere en stigende mængde informationer fra mange 

forskellige kilder, især internettet, og de kan alle sammen være vigtige for efterforskernes analyseog 

beslutnings-proces. Men en overflod af informationer er langt fra den eneste eller den vigtigste 

udfordring i forbindelse med efterforskning af kriminelle netværk, p˚a trods af den massive 

opmærksomhed “de mange informationer” bliver givet i forskningsverdenen og af medierne, m.fl. 

Udfordringer s˚asom efterretningskredsløbet (processen), en efterforsknings kontekst, menneskelige 

faktorer som f.eks. problem løsning og kreativitet, og politiske beslutninger og deraf følgende 

lovgivning, er alle udfordringer der kan betyde succes eller fiasko for en efterforskning. 

Information, proces, og menneskelige faktorer er efterforsknings relaterede udfordringer som kan 

adresseres ved hjælp af software systemer. Baseret p˚a disse tre udfordringer formulerede vi vores 

hypotese for værktøjsunderstøttelse, og analyserede specifikke problemer relateret til hver enkelt 

udfordring. Vores modsvar i forhold til disse problemer er en liste med forsknings krav, der kan 

styre vores udvikling af nye processer, værktøjer, og teknikker der ultimativt vil reducere virkningen 

af udfordringerne og understøtte hypotesen. Vi foresl˚ar hypertekst som den kerneteknologi 

der kan bygge bro imellem de menneske- og værktøj relaterede krav vi har til vores forskning, 

for at tilbyde integreret understøttelse for begge, resulterende i øgede kapaciteter der vil skabe en 

synergi effekt i forbindelse med efterforskning af kriminelle netværk. 

Vi skaber en krav-centreret proces model der involverer indhentning og bearbejdning, syntese og 

forst˚aelse (tilsammen analyse), rapportering, og samarbejde. Det er en process model der tilskynder 

og støtter en iterativ og inkremental evolution af det kriminelle netværk p˚a tværs af alle fem 

efterforsknings processer. Førsteprioriteten for proces modellen er at adressere de problemer som 

lineære proces modeller introducerer i efterforskningsarbejdet, primært adskillelser i processen, 

der reducerer efterforskernes ansvarsfølelse for efterforskningen samt forringer oplysninger som de 

passere igennem proces adskillelserne (en adskillelse kan være mellem to afdelinger i en organisation, 

eller f.eks. mellem to efterretningstjenester). Vi har udviklet en liste med efterforsknings 

opgaver der indkapsler arbejdet inden for hver enkelt proces. Opgaverne er udvalgt baseret p˚a 

deres potentielle bidrag til veludført efterforskning. 

Grundlæggende koncepter for efterforskning af kriminelle netværk er blevet udviklet og testet 

ved hjælp af s˚akaldte proof-of-concept prototyper, hvilket har resulteret i generiske softwarekomponenter 

til værktøjs understøttelse af efterforskning. Vi har anvendt disse komponenter til at 

bygge CrimeFighter Investigator, iteration efter iteration, og derigennem omfavnet de begreber 

ix

der er indlejret i komponenterne. Vi analyserer, designer og demonstrerer understøttelse af individuelle 

efterforskning opgaver for hver af de fem omtalte processer, og vi beskriver ogs˚a anvendelse 

af CrimeFighter Investigator i scenarier, der involverer flere processer og opgaver. Vi 

har brugt tre metoder til at evaluere CrimeFighter Investigator: sammenligning af opgave- og 

model-understøttelse, slutbruger interviews, og forskellige metrikker der kan m˚ale effektiviteten af 

algoritme-baserede analyse teknikker p˚a flere omr˚ader. Ved hjælp af diagrammer har vi opsummeret 

relationerne mellem efterforsknings opgaver og vores opsatte forsknings krav, vi fandt at 

de tre evalueringsmetoder ydede god dækning af disse krav. N˚ar vi opsummerer vores evaluering 

af forsknings kravene finder vi at mange er godt understøttet, imens f˚a er nogenlunde eller svagt 

understøttet. Helt generelt viser vores evaluering at vi har fokuseret p˚a de rette udfordringer, 

og at den gensidige afhængighed imellem forskningskravene gjorde det klart, at havde vi valgt 

et mere snævert fokus, f.eks. udeladt en af udfordringerne, ville det have resulteret i d˚arligere 

understøttelse af de resterende krav. 

Vi kan konkludere at alle indikatorer peger imod understøttelse af den hypotese vi har stillet: 

hvis udfordringerne information, proces, og menneskelige faktorer adresseres ved værktøjs understøttelse 

baseret p˚a avancerede software teknologier, vil resultatet være et brugbart værktøj 

for efterforskere, da det øger kapaciteten for b˚ade mennesker og værktøj, og dermed reducerer 

den indflydelse som udfordringer ellers ville have. I stedet for at fokusere p˚a specifikke algoritmebaserede 

teknikker til netværks analyse har vi arbejdet hen imod understøttelse af slutbrugerens 

(efterforskerens) interaktion med og kontrol af s˚adanne analyse teknikker, med det form˚al at 

opn˚a bedre efterforskningsresultater. Vi betragter vores resultater som retningslinjer i forhold til 

forskning indenfor software værktøjer der understøtter efterforskning af kriminelle netværk.

Contents 

Preface v 

Acknowledgements vii 

Resumé x 

I Introduction and method 1 

1 Introduction 3 

1.1 Myths and disclaimers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 

1.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 

1.2.1 Selecting challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 

1.2.2 Research focus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 

1.3 Theory and technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 

1.4 CrimeFighter toolbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 

1.4.1 CrimeFighter Investigator within this framework . . . . . . . . . . . . . . . 14 

1.5 Dissertation structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 

1.5.1 Reading directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 

2 Method 19 

2.1 General Ph.D. approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 

2.2 Software development methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

2.2.1 Prototyping reviewed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 

2.2.2 Proof-of-concept prototyping . . . . . . . . . . . . . . . . . . . . . . . . . . 23 

2.2.3 Software baseline and evolution . . . . . . . . . . . . . . . . . . . . . . . . . 24 

2.3 Empirical evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 

2.3.1 Case study research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 

2.4 Ph.D. study program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 

xi

II The domain 29 

3 Criminal network investigation 33 

3.1 Criminal network? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 

3.1.1 Criminal networks and other networks . . . . . . . . . . . . . . . . . . . . . 34 

3.1.2 The emergence and evolution of criminal networks . . . . . . . . . . . . . . 35 

3.1.3 The strengths and weaknesses of criminal networks . . . . . . . . . . . . . . 35 

3.1.4 Pre- and post-crime criminal networks . . . . . . . . . . . . . . . . . . . . . 36 

3.1.5 Ethical aspects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

3.2 Structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 

3.2.1 Basic entities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 

3.2.2 Organizational (meta) structures . . . . . . . . . . . . . . . . . . . . . . . . 37 

3.2.3 Smaller (sub) structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 

3.3 Linear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 

3.3.1 Intelligence failures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 

3.4 Target-centric . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 

3.5 Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 

3.5.1 The Daniel Pearl investigation . . . . . . . . . . . . . . . . . . . . . . . . . 53 

3.5.2 The hunt for Khalid Sheikh Mohammed . . . . . . . . . . . . . . . . . . . . 55 

3.5.3 Homicide investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 

3.5.4 Organized drug crime investigation . . . . . . . . . . . . . . . . . . . . . . . 58 

3.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

3.6.1 Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 

3.6.2 Counterterrorism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 

3.6.3 Investigative journalism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 

4 Related work 65 

4.1 Commercial tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 

4.1.1 Analyst’s Notebook 8.5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 

4.1.2 Palantir Government 3.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 

4.1.3 Xanalys Link Explorer 6.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

4.1.4 COPLINK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 

4.2 Research prototypes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 

4.2.1 The Sandbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 

4.2.2 POLESTAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 

4.2.3 Aruvi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 

4.2.4 Dynalink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 

4.3 Investigative journalism tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 

4.3.1 Namebase.org . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 

4.3.2 Mindmeister . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

4.3.3 Simple tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

4.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 

5 Theory and technology 81

5.1 Hypertext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 

5.1.1 Associative structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84 

5.1.2 Spatial structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86 

5.1.3 Taxonomic structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

5.1.4 Issue-based structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88 

5.1.5 Annotation and meta data structures . . . . . . . . . . . . . . . . . . . . . 89 

5.1.6 Structural computing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

5.2 Semantic web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 

5.3 Information science . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91 

5.4 Human cognition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 

5.4.1 Two types of creativity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92 

5.4.2 Case: Besheer and Pellegrino . . . . . . . . . . . . . . . . . . . . . . . . . . 93 

5.4.3 Representational structures for human cognition . . . . . . . . . . . . . . . 94 

5.5 The creative process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 

5.5.1 History of creative process models . . . . . . . . . . . . . . . . . . . . . . . 95 

5.5.2 Are more heads better than one? . . . . . . . . . . . . . . . . . . . . . . . . 96 

5.5.3 The life cycle of creative endeavors . . . . . . . . . . . . . . . . . . . . . . . 97 

5.5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 

5.6 Simple tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 

5.6.1 Agile modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 

5.7 Case-studies of individuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 

5.7.1 Omar Saeed Sheikh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 

5.7.2 David Coleman Headley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 

5.7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 

5.8 Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 

5.8.1 Intelligence and information . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 

5.8.2 Open source intelligence and secret intelligence . . . . . . . . . . . . . . . . 107 

5.9 Mathematical models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 

5.9.1 Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 

5.9.2 Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 

5.9.3 Other mathematical models . . . . . . . . . . . . . . . . . . . . . . . . . . . 110 

5.10 Ethics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

5.10.1 Ethical impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 

5.10.2 Denmark and terrorism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 

5.11 Trust and user acceptance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 

5.12 Interaction and visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

5.12.1 Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

5.12.2 Visualization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

5.13 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 

6 Problem definition 119 

6.1 Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 

6.1.1 Research focus (requirements) . . . . . . . . . . . . . . . . . . . . . . . . . . 121 

6.2 Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121


6.3 Human factors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 


6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 

III The tool 127 

7 Process model and tasks 129 

7.1 Process model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129 

7.2 Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 

7.2.1 Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 

7.2.2 Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 

7.2.3 Sense-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 

7.2.4 Dissemination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 

7.2.5 Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 

7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 

8 Software components 135 

8.1 Conceptual model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 

8.1.1 Entity layers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 

8.1.2 Information element designs . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 

8.1.3 Relation designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 

8.1.4 Composite designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 

8.2 Computational model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140 

8.2.1 Entity association design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 

8.3 Concepts and components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 

8.4 Component requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 

8.4.1 Entity requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 

8.4.2 History requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 

8.4.3 Algorithm requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 

8.4.4 Datafile requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 

8.5 Component design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147 

8.5.1 Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 

8.5.2 History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 

8.5.3 Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 

8.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 

9 Acquisition 153 

9.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 

9.1.1 CONCEPT: Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 

9.1.2 TASK: Acquisition methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 

9.1.3 TASK: Dynamic attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 

9.1.4 TASK: Attribute mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 

9.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155




9.3 CrimeFighter Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156 




10 Synthesis 161 

10.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 

10.1.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 

10.1.2 CONCEPT: History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162 

10.1.3 TASK: Create, delete, and edit entities . . . . . . . . . . . . . . . . . . . . . 162 

10.1.4 TASK: Create, delete, and edit associations . . . . . . . . . . . . . . . . . . 164 

10.1.5 TASK: Restructuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 

10.1.6 TASK: Grouping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 

10.1.7 TASK: Collapsing and expanding . . . . . . . . . . . . . . . . . . . . . . . . 165 

10.1.8 TASK: Information types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 

10.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 

10.2.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 




10.3.1 CONCEPT: View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 



10.3.4 TASK: Restructuring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168 

10.3.5 TASK: Grouping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169 

11 Sense-making 171 

11.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172 

11.1.1 CONCEPT: Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 

11.1.2 CONCEPT: Structural parser . . . . . . . . . . . . . . . . . . . . . . . . . . 175 


11.1.4 TASK: Retracing the steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 

11.1.5 TASK: Creating hypotheses . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 

11.1.6 TASK: Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 

11.1.7 TASK: Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 

11.1.8 TASK: Alias detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 

11.1.9 TASK: Exploring perspectives . . . . . . . . . . . . . . . . . . . . . . . . . 179 

11.1.10 TASK: Decision-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 

11.1.11 TASK: Social network analysis . . . . . . . . . . . . . . . . . . . . . . . . . 180 

11.1.12 TASK: Terrorist network analysis . . . . . . . . . . . . . . . . . . . . . . . . 180 

11.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

11.2.1 CONCEPT: Algorithm (sense-making work flows) . . . . . . . . . . . . . . 181 



11.2.4 TASK: Alias detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 

11.2.5 TASK: Exploring perspectives . . . . . . . . . . . . . . . . . . . . . . . . . 188 



11.3.1 CONCEPT: Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 

11.3.2 CONCEPT: Structural parser . . . . . . . . . . . . . . . . . . . . . . . . . . 189 


11.3.4 TASK: Retracing the steps . . . . . . . . . . . . . . . . . . . . . . . . . . . 195 



11.3.7 TASK: Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 

11.3.8 TASK: Decision-making . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 


12 Dissemination 201 

12.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 

12.1.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 

12.1.2 Report generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201 

12.2 Designs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 

12.2.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 



12.3.1 Storytelling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 


13 Cooperation 205 

13.1 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205 


14 Work flow support 207 

14.1 Adaptive modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 

14.1.1 Modeling jihadist terrorist cells in the UK and Europe . . . . . . . . . . . . 209 

14.1.2 CrimeFighter Investigator model and rules . . . . . . . . . . . . . . . . . . 210 

14.1.3 Demonstrating the need for rule-based model adaption . . . . . . . . . . . . 212 

14.1.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213 

14.1.5 Conclusions and future work . . . . . . . . . . . . . . . . . . . . . . . . . . 214 

14.2 Node removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215 


14.3 Investigating linkage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221 

14.3.1 The work flow scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222 

14.3.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


14.4 Summary of deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 

IV Evaluation and conclusion 229 

15 Evaluation 231 

15.1 Post-crime data and information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234 

15.1.1 Comparing post-crime and real-time data . . . . . . . . . . . . . . . . . . . 235 

15.2 End-user interviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236 

15.2.1 Alex Strick van Linschoten (Trafalgar Square, London) . . . . . . . . . . . 236 

15.2.2 British home office . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 

15.2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 

15.3 Capability comparisons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238 

15.3.1 Criminal network investigation task support . . . . . . . . . . . . . . . . . . 238 

15.3.2 Capability comparison of the computational model supported . . . . . . . . 240 

15.4 Measures of performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240 

15.4.1 Extended centrality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 

15.4.2 Predict missing links algorithm . . . . . . . . . . . . . . . . . . . . . . . . . 243 

15.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245 

15.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246 

15.6.1 Visualization or visual filtering . . . . . . . . . . . . . . . . . . . . . . . . . 246 

15.6.2 End user involvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247 

15.6.3 Discussing end user interviews . . . . . . . . . . . . . . . . . . . . . . . . . 248 

15.6.4 Discussing capability comparisons . . . . . . . . . . . . . . . . . . . . . . . 248 

15.6.5 Discussing measures of performance . . . . . . . . . . . . . . . . . . . . . . 250 

16 Conclusion 253 

16.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 

16.2 Requirements, challenges, and hypothesis . . . . . . . . . . . . . . . . . . . . . . . 254 

16.2.1 Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 

16.2.2 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 

16.2.3 Hypothesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 

16.3 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256 

16.4 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257 

16.4.1 Literature reviews . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 

16.4.2 Future software development . . . . . . . . . . . . . . . . . . . . . . . . . . 258 

16.4.3 Future evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260 

A Publications and other work 279 

A.1 Published papers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 

A.2 Unpublished papers and manuscripts . . . . . . . . . . . . . . . . . . . . . . . . . . 279 

A.3 Presentations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280 

A.4 Previously published . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

B DDIS web documents 281 

B.1 Efterretningskredsløb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281 

B.2 FE foretager omprioriteringer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

Part I 

Introduction and method 

1

CHAPTER 1 

Introduction 

First, the taking in of scattered particulars under one Idea so that 

everyone understands what is being talked about . . . Second, the 

separation of the Idea into parts, by dividing it at the joints, as 

nature directs, not breaking any limb in half as a bad carver might. 

Plato, Phaedrus, 265D, as quoted in [8]. 

A criminal network investigation is an investigation of a criminal network. Pardon the tautology, 

but this repetition is important, as it can be tempting to reduce criminal network investigation 

to simply networked information; but investigation is a process, and a criminal network is information 

from a particular network domain. A criminal network is a special kind of network, 

often emphasizing on both secrecy and efficiency, depending on the purpose of the network; it is 

a complex system of entities that are associated directly (e.g., using links) or semantically (e.g., 

using visual symbols or co-location). Basically, a criminal network is information entities and their 

associations from a specific network domain, forming information structures. 


journalism involve a range of complex knowledge management processes and tasks. Criminal 

network investigators collect, process, and analyze information related to a specific target to create 

products that can be disseminated to their customers. Investigators deal with an increasing 

amount of information from a variety of sources, especially the Internet, all of which are important 

to their analysis and decision making process. But information abundance is far from the only 

or most important challenge for criminal network investigation, notwithstanding the attention it 

receives in research and media. Challenges such as the investigation process, the context of the 

investigation, human factors such as thinking and creativity, and politics etc. can all decide the 

success or failure of criminal network investigations. 

Knowledge about the structure and organization of criminal networks is important for both investigation 

and the development of effective strategies to prevent terrorist attacks and organized 

crime. Theory from the knowledge management field plays an important role in dealing with 

criminal network information. Knowledge management processes, tools and techniques can help 

criminal network investigators in various ways, when trying to make sense of the vast amount of 

data being collected. The CrimeFighter toolbox is an initiative at The Maersk Mc-Kinney Moller 

Institute started in 2009. CrimeFighter provides advanced software tools and mathematical models 

to assist criminal network investigators in harvesting, filtering, storing, managing, analyzing, 

structuring, mining, interpreting, and visualizing terrorist information. 

3

1.1. MYTHS AND DISCLAIMERS CHAPTER 1. INTRODUCTION 

Criminal network investigators merge and organize pieces of information from different sources 

in order to reason about them and support their decision making process. The structure of 

the relationships between these pieces of information is fragile by nature, since new information 

may change it substantially. Besides supporting the emergent nature of incoming information, 

such structures should also be an appropriate medium for communicating with others. This 

includes keeping track of previous discussions, representing their evolution, and permitting various 

parallel versions that occur by following different directions of thought. Finally, their presentation 

should foster awareness and permit notification services that inform the analyst about potential 

unseen and non obvious connections beyond the borders of individual information sources [20]. 

When investigators work with this type of information, following a target-centric and iterative 

process would encourage and support the continuous restructuring of the information and the 

communication with other investigators by making everybody stakeholders of the investigation, 

building a network of information around their target, in a shared information space. Despite 

the many iterations over the information and structure, interpretations and decisions must be 

maintained. To solve the type of complex problem that a criminal network investigation can be, 

the investigator must cooperate with their tools during investigations. The investigator must be the 

decision maker (especially in low probability situations), while algorithms should be responsible for 

routine calculations. The investigator will fill in the gaps, either in the final intelligence product 

or in the tool, when the tool has a technique or work flow that is applicable in a particular 

circumstance [130]. 

This dissertation is the result of three years of Ph.D. studies (with 18 months allocated to research), 

toward the analysis, design and implementation of CrimeFighter Investigator, a criminal 

network investigation tool addressing information, process, and human factors challenges in criminal 

network investigation. The remainder of this chapter is organized as follows: we start out by 

debunking a number of myths about work focused on tool support for criminal network analysis; 

myths that we have encountered during our research. We would like to present our view on these 

myths to the reader, to sort out any confusion from the start (Section 1.1). Having introduced 

the domain criminal network investigation above, we move on to defining the challenges for this 

domain, and based on an analysis, we select those challenges that a software systems engineer can 

address, and we discuss why these challenges will benefit from software system support (Section 

1.2). We move on to present the theory and technology that has underpinned our work (Section 

1.3). We describe the CrimeFighter toolbox, and how CrimeFighter Investigator fits into that 

framework (Section 1.4) and provide our readers with and overview of dissertation structure (Section 

1.5). Finally, we provide reading directions based on the expected areas of interest in Section 

1.5.1. 

1.1 Myths and disclaimers 

We find it necessary to start by debunking a couple of myths, in order to explain what this 

work is not about 1 . After 9/11 (2001), having recognized that some important leads had been 

missed prior to the attacks, it was decided that all information was now important and had to 

be investigated [146]. In that situation, it was not only the Internet that caused the information 

overload, especially since a lot of the information was not open source intelligence, but secret 

intelligence, human intelligence, tips from citizens and interrogations of suspects, etc. The goal 

was to find out where the next attack would be, which was why the central intelligence agency 

(CIA) was put in charge of the terrorism related affairs. But this decision did not help the 

investigation to find those involved in the 9/11 (2001) attacks. 

This desire not to miss any (potential) lead created a demand for tools that could take all the 

(often unprocessed) information and tell the user who the key players are. For 11 years researchers 

have been trying to provide such a tool without success 2 . But why has this effort failed? Mainly 

because of a desire to simplify the world too much and in the wrong way, in order to create a single 

red emergency button for providing simple answers to complicated questions, such as “who did 

4

CHAPTER 1. INTRODUCTION 1.1. MYTHS AND DISCLAIMERS 

it‘” or “who are going to do it?”. That is simply a wrong approach undermining the very nature 

of criminal network investigation. That is the first myth, we would like to debunk, formulated as 

a question to us (and other researchers in the field): 

Myth #1 Isn’t your ultimate goal to create big red “who did it?” or “who are going to do it?” 

buttons, for world leaders and decision makers, to weed out the criminals? 

No, this has never been the objective of our work. We believe this myth is the result of one of 

two visions for artificial intelligence; the compelling vision, that “human intelligence can be 

so precisely described, that it can be matched by a machine” [202]; a machine that think and 

create new abstractions and concepts, just like living organisms [202]. But this vision has not 

yet been realized, the computer cannot detect complex patterns it has never seen [131]. The 

other vision for artificial intelligence focuses on the synergies between man and machine [131]. 

It has been called human-computer symbiosis, and was initially described by Licklider in 

1960 [130], and summarized in a 2012 TED talk: “Licklider wanted humans and machines to 

cooperate. The idea is that humans are great at certain things, like creativity and intuition. 

Computers are great at calculation, scale, and volume. The idea is [. . . ] to take a human and 

make [him or] her more capable” [131]. The hypertext research community has developed 

many technologies for the “augmentation of human intellect” [62]. We propose hypertext 

technology as a bridge between humans and computers to leverage the above mentioned 

synergies to solve the complex problems associated with criminal network investigation. 

Myth #2 Shouldn’t you consider the ethics of what you are doing before applying social network 

analysis algorithms to decide who are criminals and who aren’t? 

Well, it has never been our goal to perform rode black box calculations on data sets, and 

then think that any criminal network investigator would use that information as his sole 

evidence of charging someone with something. As described above, we aim for cooperation 

between humans and computers (with the human as the controlling entity), bridging human 

intellect and computational power using hypertext technologies to benefit from the resulting 

synergies. 

Myth #3 Information overload is the key challenge for criminal network investigation? 

Sure, information overload (or abundance) is one of several problems for the challenge that 

information poses to criminal network investigation. But there are many important challenges 

(and related problems) for criminal network investigation to consider. Whether or 

not information overload is a problem depends on the nature of the information: How is it 

stored, does it contain many different entity types, etc. 

All of the above are myths and assumptions. It has always been our intention to understand the 

processes involved in the work of criminal network investigators, the structures of the criminal 

network information that investigators collect, process and analyze, and the human factors that 

decides the successes and failures of criminal network investigations. Our work has always been 

about that, and this dissertation is about that. Before continuing, we encourage our readers to 

study the following disclaimers as well: 

Disclaimer #1 While we have studied visualizations and layouts to some extent, this work does 

not focus on visualization. This causes some problems, as one reviewer has pointed out to 

us, “it is unfair to compare the strengths of one tool with the weaknesses of another tool” - 

a situation that occurs in Chapter 15, when we present an capability comparison of various 

representative tools. We do, however, discuss visualization (also in Chapter 15). 

Disclaimer #2 This is not a big data analytics project. While the aim might be the same, the 

means are not. In a recent talk, Chen (2012) stated that a research aim of “leveraging big 

data analytics [for] delivery of a patient-centric decision support and patient empowerment 

solution” 3 . The general approach of the research was first to understand the information 

5

1.2. CHALLENGES CHAPTER 1. INTRODUCTION 

structures in a certain domain (e.g., health or security informatics), then create database 

tables to match these information structures before applying big data analytical methods. 

The understanding of information structures had taken two years for the health informatics 

domain. When asked after his talk, Chen admitted that this was indeed a somewhat static 

approach, in that if changes were made to the structures, all the data would have to be 

aggregated again before analytics could continue. Actually, Chen was facing a concrete 

challenge of transitioning from version 9 to version 10 of the international classification of 

diseases (ICD). 

Disclaimer #3 I am first and foremost knowledgeable in the domain of software systems engineering 

with a strong foundation in hypertext technologies. However, as it will be clear later 

on, a prerequisite to successful software development is understanding the domain. Taking 

a course on media and terrorism in the middle east and participating in and giving a talk 

at an interdisciplinary conference on terrorism and new media has made it clear that I am 

not an expert in global jihad or radicalization processes. But it has made it possible for 

me to talk to people who are. Nor has reading books about organized crime or watching tv 

shows about criminals selling drugs made me an expert in these matters. But participation 

in the annual European international security informatics conference (EISIC) 2011 and 2012 

has provided me with new ideas and a network of people who work within that domain. 

And studying research areas such as human cognition, creativity, information science, social 

science, and so on, has not made an expert on these areas either. But it has to some extent 

made me knowledgeable about the different areas of research and made it possible for me to 

talk with the real experts about it. 

1.2 Criminal network investigation challenges 

Criminal network investigations fail. The reasons for failure can be found in one or several challenges 

complicating criminal network investigation. The sciences have been developing solutions 

to either dealing with the root causes of crime, others to develop tools and techniques to assist 

criminal network investigators. Computer science offers many techniques and software systems engineering 

has been building tools that assist investigators in applying those techniques to ongoing 

criminal network investigations. However, many challenges are also associated with developing 

support of a computer science technique and then have a criminal network investigator use it 

(e.g., an agency intelligence agent, a homicide detective, or a reporter), often resulting in tools 

and techniques that look good on paper but are actually not used during investigations: 

I typically use Analyst’s Notebook to generate a report for the state attorney handling 

the case in court. I do not use Analyst’s Notebook before I am done with my 

analysis. Statement (translated from Danish) by an intelligence analyst from the 

Danish security and intelligence service, who we met at an Analyst’s Notebook user 

conference 4 . 

Analyst’s Notebook is good for making visualizations but it has a very static feeling 

to it. Statement from Alexander Strick van Linschoten, a historian, investigative journalist, 

and an author of several books (e.g., [134]) at a meeting on Trafalgar Square, 

London. 

Based on cases and observations of criminal network investigation, contact with experienced endusers 

from various communities (see Section 15.2), examination of existing process models (see 

Sections 3.3 and 3.4) and existing tools for criminal network investigation (see Chapter 4) we 

maintain a list of criminal network investigation challenges. The list of challenges can be seen as a 

list of potential pitfalls that can cause criminal network investigation failure, either on their own, 

or in combination with other challenges; the list serves as the basis for our problem definition and 

research focus. The list is not exhaustive; we expect to uncover additional challenges over time. 

6

CHAPTER 1. INTRODUCTION 1.2. CHALLENGES 

We divide criminal network investigation challenges into the following groups: information, process, 

context, human factors, tacit knowledge, management, and finally problems related to politics 

and legal framework. Some of these challenges are more relevant than others in terms of developing 

software tools supporting criminal network investigation. We therefore review them all here, but 

do not make a detailed review of political and legal framework challenges - we merely recognize 

that they are there. 

Information. Criminal network investigation challenges related to information are many, e.g., 

the structure of the information is often emerging and evolving, i.e., no pre-defined structure 

can be applied to guide the analysis work. Information abundance and scarcity are other central 

problems. Finally, the information might be inconsistent and impartial, showing variation in types 

of meta data or missing entities. The following quotes emphasize these problems: 

“No, there was no shortage of information. There was too much – a blizzard of it, 

a whiteout so complete investigators routinely lost their way in it.” - in the months 

after 9/11 FBI and CIA analysts received an “overpowering” amount of unprocessed 

intelligence, and the fear of the next attack made them “chase tens-of-thousands dead 

end leads” [146]. 

We typically have much less data, or not so many attributes, as it was the case in 

the November 17 case you used - comment from intelligence analyst after presenting 

work on inference-based prediction at the British Home Office [167]. 

Process. It has certain consequences whether the criminal network investigation follows a linear 

process model or a target-centric process-model. Research of linear intelligence cycles has shown 

it to define an “antisocial series of steps that constrains the flow of information [. . . ] and too often 

results in throwing information over the wall” [40], causing compartmentalization 5 [40, 113, 146]. 

For security reasons, compartmentalization can seem compelling, since it provides organizations 

and departments complete control over the information they receive, and the information which 

they disseminate to the next link(s) in the chain. But the approach has received bad reviews in 

prominent commission reports [45, 110, 152, 153], which should weigh heavier than the desire for 

complete control. 

“With a better working methodology and a wider focus the Norwegian police security 

service (PST) could have tracked down the offender prior to July 22. However, the 

commission does not have the basis for arguing that PST thereby could have preempted 

the attacks.” - One of six main conclusions in the July 22 Commissions report [153]. 6 

“The police has for 10 years isolated themselves and rejected all criticism. Norwegian 

police has been very closed and unwilling to change. The commission repeats 

criticism that has been raised many times before, but this time they can not reject it.” 

- translated comment by Professor Petter Gottschalk when interviewed about the 22 

July Commissions report [78]. 7 

Context. The location of a criminal network investigation (e.g., country or neighborhood) can 

influence what technologies and tools are available for an investigation. If the country of the investigation 

has a high level of corruption, it can be hard to trust the information given by government 

officials, because their affiliations are not known. The organization leading an investigation can 

have a different approach to investigation, deeply rooted in their culture, making cooperation with 

others complicated. Two competing intelligence agencies could also inhibit investigative progress 

for one another. Simple things, like the control of surveillance cameras or the interception of cell 

phone calls, could mean an important difference in available intelligence. If the investigators and 

the criminals are at the same level in terms of technology and tools, the investigators are not likely 

to gain an advantage based on that. 

7

1.2. CHALLENGES CHAPTER 1. INTRODUCTION 

“Societies where there are strong professional law enforcement and intelligence 

forces are very different in their susceptibility to terrorist attack from societies where 

the police and security services are weak, corrupt or compromised.” - Woo (2009) 

comments on the difference in environments (or contexts) that criminal network investigations 

might have to navigate [252]. 

“Here on the ground in Karachi [. . . ] the people conducting the raids and brushing 

off death threats do not have the most rudimentary printer, let alone computers, access 

to databases, cell phones. They don’t even have decent cars.” - Mariane Pearl on 

the technology available in Karachi, Pakistan, for the team investigating her husbands 

kidnapping [162]. 

Human factors. Knowledge about how human cognition and creativity helps investigators solve 

problems and is important for a better understanding of the human factors involved in criminal 

network investigation. There are also a number of important aspects when investigators solve 

crimes together: Because of the different professions, traditional ways of doing things, and their 

personal knowledge (see below) of the members on the investigative team it can be challenging to 

work with a shared target model, in a so called common information space. When investigators 

use tools for criminal network investigation, the factors make them trust the information that 

these tools are of course of high value (just as the factors that have the opposite effect). 

“The human mind does not work that way. It operates by association. With one 

item in its grasp, it snaps instantly to the next that is suggested by the association 

of thoughts, in accordance with some intricate web of trails carried by the cells of 

the brain.” - Bush (1945) denouncing that humans find information by traversing a 

complex hierarchical structure of classes [33]. 

“One [type of creativity] is to be flexible and freely associating - the traditional understanding 

of creativity, and what might be called the artistic approach. The other type 

of creativity is to be persistent and focused – a more rational and conscious creativity, 

which we maybe could call the engineering approach” - interview with leading cognition 

researchers Carsten De Dreu and Bernard Nijstad about a model of two types of 

creativity [210]. 

“Many researchers have attempted to explain the mass of evidence contradicting 

[the] claim that real group creativity is more effective than nominal group creativity. 

The three major explanations that have been explored thoroughly by the creativity community 

are the social influences of production blocking, evaluation apprehension and 

free riding.” - Warr and O’Neill (2005) commenting on the well documented fact that 

real groups (individuals working face-to-face) are actually less creative than nominal 

groups (individuals working independently) [239]. 

Tacit knowledge. The kind of knowledge that investigators apply during investigations and 

which is learned through experience. It might be possible to document this knowledge, but during 

investigations is often applied in an ad-hoc manner and cannot be quantified and then be disseminated 

to other investigators (and tool support is therefore also not possible). Interrogation is a 

prominent example of such tacit knowledge: asking the right questions, tricking the suspect or 

potential suspect by setting up traps that make them give up their secrets. 

“This, too, is role playing, and it requires a seasoned actor. If a witness or suspect 

is belligerent, you wear him down with greater belligerence. If the man shows fear, you 

offer calm and comfort. When he looks weak, you appear strong. When he wants a 

friend, you crack a joke and offer to buy him a soda. If he’s confident, you are more 

so, assuring him that you are certain of his guilt and are curious only about a few select 

details of the crime.” Simon (1991) on interrogation [204]. 

8

CHAPTER 1. INTRODUCTION 1.2. CHALLENGES 

Management. The capabilities of the individual investigator will have different impact on the 

decisions made by, i.e. the shift manager. The approach of the team manager can affect the 

outcomes of investigations: If the leader is playing the statistics game and adhering to what 

his superiors say, then maybe only a certain type of cases are being solved. And if higher level 

management does not provide the investigative teams with the warrants, technology, tools, and 

general resources they need, it is certain it will have an effect on the outcome of criminal network 

investigations? 

Politics and legal framework. What kind of resources does politicians make available for the 

criminal network investigation units. What legal framework does the investigators have to follow 

- is there even a framework of laws? Police and counterterrorism organizations are institutions of 

power, existing in a forced and ever changing relationship with the media, the world of the investigative 

journalist and proliferation of terrorism, where the publication of a new lead as provided 

by an anonymous source can send ripples through those organizations, relocating resources and 

changing the focus from open investigations to current issues in order to protect the power of the 

leadership. 

1.2.1 Selecting challenges 

In order to select the challenges to work on we have positioned them in the matrix of criminal 

network investigation challenges as shown in Figure 1.1. The challenges are positioned on the 

y-axis based on their coupling with criminal network investigation compared to an institution or 

an environment. The challenges are positioned on the x-axis, based on an estimate of whether or 

not the challenge is quantitative and can be modeled, or if it is more internal and qualitative, not 

suitable for modeling. 

Of the seven listed challenges we choose the three in the upper left quadrant (information, process 

and human factors), as these are the challenge characteristics we find suitable for software 

system support. And more importantly, they are the challenges we believe that a software system 

would have the biggest impact on, in terms of criminal network investigation success. Proper 

management of investigators could be an important way to successful investigations, and even 

though it could be argued that resource management could be added to a software system, we 

find management to be too tightly coupled with the organization (e.g., intelligence service). And 

while the context of a criminal network investigation (as mentioned above) may be the reason for 

an unsuccessful investigation, and it could be argued that for example the level of corruption in a 

country where a crime is being investigated could be measured, we find context too tightly coupled 

with environments and difficult to manage, that the effect of software system support would not 

be beneficial or useful. 

We state the following general hypothesis based on the three selected criminal network investigation 

challenges: 

A software system addressing information, process, and human 

factors challenges would be a useful tool for assisting criminal 

network investigators in their work. 

1.2.2 Research focus 

We define a research focus for each of the problem areas we have decided to focus on, namely 

information, process, and human factors, to guide our work: 

1. Information: A basic understanding of criminal networks (types, cases, etc.) and criminal 

network information (complexities, structures, etc.) is required to define an appropriate 

conceptual model thereof. Related to that is a study of analytical techniques, to find those 

techniques suitable for criminal network complexities and structures. 

9

1.3. THEORY AND TECHNOLOGY CHAPTER 1. INTRODUCTION 

Figure 1.1: Matrix of criminal network investigation challenges. Along the y-axis is the degree of 

coupling to criminal network investigations vs. institutions or environments, and along the x-axis 

is an estimate of whether or not the challenge is quantitative and can be modeled, or if it is more 

internal and qualitative of nature, hence not suitable for modeling. 

2. Process: A criminal network investigation process must support the mechanisms required 

for successful investigation of criminal networks. The investigative process should not introduce 

compartmentalization and bureaucracy to please management or organizations, thereby 

inhibiting the natural flow and ultimately the success of the investigation. 

3. Human factors: Knowledge about the human factors involved in criminal network investigation 

is key to the development of a software system that truly supports criminal network 

investigation processes. Both in terms of how investigators solve problems cognitively and 

general consideration of interactions with information and algorithms required for criminal 

network investigation. 

In Section 6.1.1, 6.2.1 and 6.3.1 our research focus is outlined based on the challenges presented 

here. 

1.3 Theory and technology 

At a 2010 conference on advances in social network analysis and mining 8 , a trend was observed: 

Network science is a multidisciplinary field of research at the intersection of the computing, statistics, 

and the social and behavioral sciences. Keynote speaker of the conference, Stanley Wasserman, 

co-author of the often referred to book on social network analysis [240], based his talk on 

the following statement: The invasion of network science by computer scientists has produced 

much interesting, both good and bad research. Another keynote speaker, Chris Pallaris, director 

and principal consultant of i-intelligence, had the conference participants come full circle stating 

that the intelligence discipline is increasingly divided between analysts and technologists: the former 

struggle to grasp technology’s potential while the latter often fail to appreciate the human 

challenges associated with intelligence collection and analysis. 

Having established that network theory for criminal network investigation purposes is a interdisciplinary 

field of research, we began to think about how to bridge the gab between social and 

behavioral sciences, and computer science. We have divided software system support of criminal 

network investigation into a number of pillars, each representing a high-level functional or nonfunctional 

(sometimes it is a mix) software system requirement. The building blocks of the pillars 

are theories or technologies from various research areas. We introduce those pillars of theory 

and technology here (see Figure 1.2), and elaborate on them and present detailed reviews of each 

building block in Chapter 5. 

10

CHAPTER 1. INTRODUCTION 1.3. THEORY AND TECHNOLOGY 

Figure 1.2: Criminal network investigation pillars of theory and technology. Each pillar represents 

important aspects of engineering software tool support for criminal network investigation. 

11

1.4. CRIMEFIGHTER TOOLBOX CHAPTER 1. INTRODUCTION 

As indicated in Figure 1.2 the list of pillars is not exhaustive and the theories and technologies 

are not limited to the ones shown inside each pillar; we expect to uncover additional theories and 

technologies for all five pillars (and potentially new pillars) over time. 

1.4 CrimeFighter toolbox 

Several knowledge management processes are involved in the attempt to provide a toolbox that 

can support intelligence analysts in their work with terrorist information as shown in Figure 

1.3 [247]. As mentioned earlier, we focus on supporting the management of knowledge (last 

column), primarily the analyzing knowledge management phase focused on support of the work 

with emergent and evolving structure of terrorist networks to uncover new relationships between 

people, places, events, etc. However, the interpreting and visualizing knowledge management 

phases will also play a role. 

Figure 1.3: Knowledge management processes for counterterrorism 

To support the knowledge management processes described, CrimeFighter provides a number of 

tools (Figure 1.4). The CrimeFighter toolbox philosophy is that the humans (criminal network 

investigators) are in charge of the knowledge management processes and the tools are there to 

assist the analysts. “The toolbox contains the following semi-automatic tools [. . . ] that need to 

be configured by the intelligence analysts to perform the dedicated task. After configuration, the 

tool will automatically perform the dedicated task” [247]: 

Web harvesting tools make use of data acquisition agents (spiders) to harvest data from the 

Web. The spiders are controlled by the data conversion tools. 

Data conversion tools are responsible for both collecting (through spiders) and transforming 

data. 

Data mining tools provide selected data mining algorithms to discover new knowledge in 

data based on defined patterns. 

Social network analysis tools perform analysis to uncover new patterns and to gain deeper 

knowledge about the structure of terrorist networks. 

12

CHAPTER 1. INTRODUCTION 1.4. CRIMEFIGHTER TOOLBOX 

Visualization tools use graph layout algorithms to visualize discovered knowledge regarding 

terrorist networks. It can also be used as a graphics engine to support some of the tasks 

performed by the other tools in the toolbox. 

“The toolbox also contains the following [human-centric] tools”, supporting “the intelligence analysts 

in performing specific tasks by providing dedicated features that enhance the work efficiency 

when performing manual intelligence analysis work” [247]: 

Knowledge base tools help maintain the knowledge base by allowing intelligence analysts 

to explore and revise the knowledge base content as well as to work with meta data. 

Structure analysis tools focuses on supporting the manual work with emergent and evolving 

structure of terrorist networks to uncover new relationships between people, places, 

events, etc. 

Figure 1.4: Tools supporting the knowledge management processes 

CrimeFighter Investigator is part of the CrimeFighter toolbox. The CrimeFighter toolbox for 

counterterrorism is a novel approach to terrorism network analysis [245]. The goal is to provide 

a number of desktop tools that are grouped into three overall software packages each containing 

knowledge management tools and services relevant to counterterrorism [247]. These tools and 

services are designed and implemented to enable them to inter operate and exchange information. 

The CrimeFighter toolbox is depicted in Figure 1.5. 

The Explorer and Investigator packages each support different knowledge management processes 

that result in generation of terrorist networks consisting of nodes and links. These terrorist 

networks are stored in the knowledge base. The Assistant package provides various features to 

analyze and visualize networks - as generated by the Explorer and Investigator packages. 

The research on CrimeFighter can be divided into four overall areas: 

1. CrimeFighter Explorer is a software package with various services aimed at acquiring 

data from open sources and extracting valuable information from the data by processing it 

in various ways (filtering, mining, etc.). 

2. CrimeFighter Investigator is a software package that provides various services that enables 

an intelligence analyst to work with emergent and evolving structure of terrorist networks 

to uncover new relationships between people, places, events, etc. 

13

1.5. DISSERTATION STRUCTURE CHAPTER 1. INTRODUCTION 

Figure 1.5: The CrimeFighter toolbox for counterterrorism. 

3. CrimeFighter Assistant is a software package with various services that supports analysis 

and visualization of terrorist networks. Terrorist network analysis is aimed at finding 

new patterns and gaining a deeper knowledge and understanding about terrorist networks. 

Terrorist network visualization deals with the complex task of visualizing the structure of 

terrorist networks. 

4. CrimeFighter toolbox architecture. In order for the developed tools and services to 

be able to inter operate and exchange information, the overall software architecture of the 

toolbox must enable a service in one package to use a service in another package. For 

instance, the structure generated by the services of the Investigator package must be able to 

use the analysis and visualization services available in the Assistant package. 

1.4.1 CrimeFighter Investigator within this framework 

The CrimeFighter toolbox describes a knowledge management angle for counterterrorism investigation 

tools, from the automatic harvesting of different data sources, over the processing and 

mining of the information, to counterterrorism knowledge building. Within this framework, Crime- 

Fighter Investigator covers the human-centric knowledge base and structure analysis tools. For 

CrimeFighter Investigator seen in isolation, we have taken a hypertext approach to understanding 

these knowledge management problems. It means, that we use hypertext technology to support 

knowledge base, structure analysis, and other tasks, and we therefore do not consider the other aspects 

of the broader knowledge management perspective, nor do we review knowledge management 

theory elsewhere in this dissertation. 

We have extended the focus initially outlined for the CrimeFighter toolbox to cover criminal 

network investigations in general, not only counterterrorism investigations. That means that we 

cover a wider range of crime types (Figure 1.6) and investigation domains (Figure 1.7). When 

studying crime literature, we came across different crime types and matching investigation domains 

with the same underlying characteristics in terms of ill structured problems, investigative approach, 

and generation of new leads based on analysis. 

1.5 Dissertation structure 

We outline the dissertation structure in this section and provide a few suggested reading directions 

according to the expected primary interests of the reader (see Section 1.5.1). The dissertations 

overall structure and individual chapters is shown in Figure 1.8. 

The dissertation is divided into four parts. Part I introduces the dissertation and describes the 

method we have used to develop a tool for criminal network investigation: 

14

CHAPTER 1. INTRODUCTION 1.5. DISSERTATION STRUCTURE 

Figure 1.6: A selection of different types of 

crime we have come across when analyzing 

criminal network investigation. 

Figure 1.8: Ph.d. dissertation structure. 

Figure 1.7: We have extended our focus from 

counterterrorism to three specific investigation 

domains with similar characteristics: policing, 

intelligence analysis, and investigative journalism. 

Chapter 1 (Introduction) starts out by debunking some myths about our work which people 

have confronted us with during the last three years, either when presenting at conferences, 

having lunch with colleagues or discussions about work with family and friends. We also 

present a number of disclaimers to provide an understanding of the boundaries for our 

research in criminal network investigation, a subfield of security informatics 910 . Normally 

it is discouraged to define something by what it is not, but we feel it is necessary here to 

provide the reader with an opportunity to get an initial idea of what this Ph.D. dissertation 

is about. 

We outline a list of criminal network investigation challenges Chapter 1 (Section 1.2), and 

argue our choice to focus on three of them (information, process, and human factors) for 

software system support (Section 1.2.1). To guide our research we analyze problems related 

to each of the challenges and formulate research focus requirements as a response to these 

problems. Our research has been based on extensive literature reviews of related research 

15


areas (theory) and studies of relevant technologies (see Section 1.3), together they constitute 

our state-of-the-art on criminal network investigation 11 . Section 1.4 describes the role of 

CrimeFighter Investigator and the other tools in the CrimeFighter toolbox. The section also 

discusses how we expanded our focus from counter terrorism to criminal network investigation. 

The introduction is concluded with this section on the structure of our dissertation 

and provides reading directions for different categories of readers (see below). 

Chapter 2 (Method) deals with both the general method applied throughout the entirety of 

the Ph.D. project described in this dissertation, in terms of literature studies, software 

development, how paper writing has been planned and done, conference participations etc. 

This work was guided by Bardram’s (2007) so called fish model (see Section 2.1). 

Our software development methodology has been an iterative approach to incrementally 

implementing tool support for criminal network investigation tasks based on the research 

focus requirements. Software increments have been proof-of-concept prototypes supporting a 

specific criminal network investigation task or work flow and we therefore have both a general 

review of prototyping and the (our) more specialized proof-of-concept prototyping in Section 

2.2. Section 2.3 covers our approach to acquiring empirical evaluation of our developed 

concepts, which has been a mix of the prototyping already described, case-studies, enduser 

(usability) feedback and measures of performance. Finally, we describe the framework 

provided to us by our employer, University of Southern Denmark (Technical Faculty), within 

which we had to conduct our research (Section 2.4) 

Part II describes various aspects of our domain criminal network investigation. First, we take a 

closer look at criminal networks and investigation thereof: what is a network, what is a criminal 

network, and how do investigators investigate networks? Then we study what existing knowledge 

(theory) and technology that is useful, in terms of understanding and supporting criminal network 

investigation. What are the existing tools and what can they do? In the final chapter of this part 

of the dissertation we define the problem by describing a number of specific problems and give 

detailed descriptions of research focus requirements as a response to these requirements. 

Chapter 3 (Criminal network investigation) is a difficult research area to frame. The network 

part indicates links to the field of network science comprising complex systems research. 

Criminal tells about the nature of the information in the network. But unlike other domains, 

deciding what is and what isn’t criminal network information is something rooted in our laws, 

unlike the biologist’s classification of let’s say butterflies (see Section 3.1). Criminal network 

investigations such as police investigations, intelligence analysis, and investigative journalism 

share many characteristics, and we use example from each of these to define the type of 

criminal network investigation we want to support (Section 3.6). Knowledge about the structures 

that criminal networks have formed in the past, is an important tool for investigators, 

and we review both meta structures and sub structures in Section 3.2. 

Investigation is a process with the aim of producing an intelligence product for the customer 

(decision maker). Like any other process with a specific end goal, several types of processes 

have been developed. We review the traditional linear investigation process (Section 3.3) 

as well as a new target-centric approach (Section 3.4). Finally, we present four criminal 

network investigation cases in Section 3.5, describing the aspects of each investigation, that 

we find to be particularly interesting. 

Chapter 4 (Related work) focuses on reviewing commercial tools (Section 4.1), research prototypes 

(Section 4.2), and investigative journalism tools (Section 4.3. We try to emphasize 

the areas where the tools are strong, i.e., their support of criminal network investigation 

tasks that could help reduce the impact of criminal network investigation challenges. At 

the same time we also highlight support of investigation tasks that would inhibit criminal 


16

CHAPTER 1. INTRODUCTION 1.5. DISSERTATION STRUCTURE 

Chapter 5 (Theory and technology) is dedicated to presenting the theories and technologies 

that are part of our state-of-the-art for criminal network investigation. Some theory and 

technology is core to criminal network investigation, like: hypertext, semantic web, human 

cognition, the creative process, intelligence, and mathematical models, and they receive more 

attention i Chapter 5 because of that. But theory from information science and social 

science, knowledge about simple tools for idea generation, case studies of sub groups and 

individuals, ethics, trust and user acceptance, and interaction and visualization are also 

important, and therefore introduced. 

Chapter 6 (Problem definition and research focus) is a crucial chapter, as it binds our dissertation 

together. The chapter takes the three challenges selected in Chapter 1, and based 

on the domain knowledge acquired in Chapter 3, 4, and 5, problems associated with the 

three challenges are analyzed, and four research focus requirements to guide the tool development 

are formulated for each challenge. The research focus requirements are used 

throughout the dissertation. The introduction to Part II (the domain) contains a map of 

the interrelationships of chapters with Chapter 6 at the center. 

Part III presents our model for criminal network investigation and outlines the boundaries for tool 

support. Analysis, design and implementation is described for each of five investigation processes. 

Chapter 7 (Process model and tasks) This chapter presents a target-centric and iterative 

model for criminal network investigation, addressing the problems of linear process models. 

The model has five main processes (acquisition, synthesis, sense-making, dissemination, and 

cooperation), and the role of each process is described. A list of criminal network investigation 

tasks for each of the five processes is also described. Further analysis, design, and 

implementation of each individual task is presented in Chapter 9 to Chapter 13. 

Chapter 8 (Concepts, models, and components for CrimeFighter Investigator) starts out 

by presenting the foundation for our tool support: a conceptual model with first class entities 

is presented in Section 8.1. We separate mathematical and structural models, to provide 

a computational model that can apply algorithms to the emerging and evolving structures 

synthesized by investigators (see Section 8.2). Knowledge management and hypertext concepts 

are introduced together with a list of software components (Section 8.3), requirements 

for key components are presented in Section 8.4, and designs for three of these components 

are presented in Section 8.5. 

Chapter 9 (Acquisition) is a process assisting investigators in dealing with information arriving 

from various sources. As it will be mentioned later, the acquisition and dissemination 

processes have received less attention compared to synthesis and sense-making. The chapter 

presents analysis, design, and implementation of selected acquisition tasks for criminal 


Chapter 10 (Synthesis) tasks assist investigators in enhancing the target model. The chapter 

presents analysis, design, and implementation of selected synthesis tasks for criminal network 


Chapter 11 (Sense-making) tasks assist investigators in extracting useful information from 

the synthesized target model. The chapter presents analysis, design, and implementation of 

selected sense-making tasks for criminal network investigation. 

Chapter 12 (Dissemination) tasks help the investigative team to formulate their accumulated 

knowledge for the customer. The chapter presents analysis, design, and implementation of 

selected dissemination tasks for criminal network investigation. 

Chapter 13 (Cooperation) Cooperation has received little attention in our research, and this 

chapter therefore contains a brief introduction to thoughts and analysis of support for the 

17


cooperation tasks defined in Chapter 7, together with a short description of implemented 

support for one cooperative task, sharing the common information space. 

Part IV describes our evaluation approach and discusses the results, presents our final conclusions 

and outlines future work. 

Chapter 15 (Evaluation and discussion) evaluates our tool support for criminal network investigation 

using three methods: end user interviews (Section 15.2), capability comparisons 

(Section 15.3), and measures of performance (Section 15.4). The evaluations are summarized 

and discussed. The chapter also discusses the issues of visualization and end user 

involvement in tool development and evaluation. 

Chapter 16 (Conclusion and future work) concludes the Ph.D. dissertation by summarizing 

our research. We make our conclusions about support for research focus requirements, 

criminal network investigation challenges, and the hypothesis in Section 16.2. Our contributions 

are presented in Section 16.3 and future work in terms of literature studies, software 

development, and software evaluations in Section 16.4 

1.5.1 Reading directions 

All readers should start with the introduction in Chapter 1, and our debunking of myths, and 

project disclaimers, and then continue to the category below more suitable for them (we apologize 

if any readers feel left out): 

Academics in security informatics. We would of course like to say that the dissertation in 

its whole is relevant for readers in this category. However, it might be relevant first to 

skim through the myths and disclaimers in Chapter 1 and then, if it still sounds relevant 

and interesting, turn to Chapter 3 to see if our focus areas within the domain of criminal 

network investigation matches the reader’s expectations. After that, we suggest the reader 

proceeds freely, to his or her liking. 

Decision-makers (government and private). Readers in this category might have a primary 

interest in the operational application of the concepts we have developed for criminal network 

investigation and the evaluation and discussion thereof. For these readers we recommend 

studying Chapter 3 on criminal network investigation first, and then quickly turning the 

focus toward Chapter 9 to Chapter 13 to read about our implemented support for individual 

criminal network investigations, or go straight to Chapter 14 for a description of criminal 

network investigation work flows and our support thereof. 

The media might find it interesting to start by reading the dissertation abstract, and then turn 

to the final chapter of the dissertation, Chapter 16, for our general conclusions and lists of 

contributions. If more information is required about a certain contribution, the reader may 

return to this section (or the list of contents), to locate the chapter(s) with more information 

related to the particular contribution. 

18

CHAPTER 2 

Method 

Today functional problems are becoming less simple all the time. But 

designers rarely confess their inability to solve them. Instead, when a 

designer does not understand a problem clearly enough to find the 

order it really calls for, he falls back on some arbitrary chosen formal 

order. The problem, because of its complexity, remains unsolved. 

Christopher Alexander (1964), in notes on the synthesis of form [8] 

Iteration is a significant component of design activity that occurs 

frequently throughout the design process; and measures of iterative 

activity were significant indicators of design success . . . and greater 

engineering experience. 

Adams (2002), on constitution of designs [132]. 

This chapter presents our method. The development of suitable software system support for 

criminal network investigation is a, by no means, simple problem. We have approached this 

problem iteratively, to get an incremental understanding of the challenges involved, in the hope 

that we would not “fall back on some arbitrary chosen formal order” [8], as Alexander (1964) 

warns solution designers in general. We hope that our method will help others to understand and 

create their own support for criminal network investigation as well. We find our method to be a 

general method for solving ill structured problems. 

We have followed Bardram’s (2007) fish model during the three years of research (see Figure 2.1): 

first, a open-minded approach to the problem during the first year (the fish head), then a one 

and a half year where the focus is continuously narrowed (the fish body) and then a short six 

month period of writing the dissertation (the fish tail). This overall process is outlined in Section 

2.1. Our software development methodology has been iterative and incremental, each increment 

a proof-of-concept prototype, a manifestation of a design idea that concretize and externalize a 

conceptual idea [132] (see Section 2.2). Our method for empirical evaluation is tightly coupled 

with our prototyping approach, but also has other aspects, such as the use of case-studies, which 

are described in Section 2.3. Finally, we take time to describe the study program we have followed 

in Section 2.4, since the Danish model only leaves room for 18 months of actual research during 

three years of Ph.D. studies. We feel it is necessary, that our work is evaluated accordingly, but 

more importantly it is the framework within which we had to conduct our research, and hence 

19

2.1. GENERAL PH.D. APPROACH CHAPTER 2. METHOD 

relevant for our method. 

2.1 General Ph.D. approach 

Bardram’s (2007) fish model [22] shown in Figure 2.1 has provided the process framework for our 

Ph.D. project and research. 

Figure 2.1: Bardram’s (2007) fish model [22] describes a useful framework for a 3 year Ph.D. 

project: the open minded phase (12 months), followed by an increasingly focused phase (18 

months), and finally the writing up phase (6 months). 

In the first year our overall goals were: (1) to conduct literature studies of the application domain 

and the relevant supporting research fields. (2) to develop a first set of design concepts for the 

software tool and to evaluate the concepts based on a first prototype. This was achieved using an 

open-minded approach as described in Figure 2.1. The first year of our Ph.D. project included 

activities such as attending courses & conferences, conducting literature studies (reading related 

work etc.), prototype development (which includes making experiments) and participating in and 

organizing various conferences and symposiums, such as the international workshop on counterterrorism 

and open source intelligence (2009), the international conference on advances in social 

networks analysis and mining (2010), the international symposium on open source intelligence ‘& 

web mining (2010) and finally giving an invited presentation at the interdisciplinary terrorism and 

new media conference (2009) 12 . 

The work in year one made it possible for us at the beginning of the second year to start writing and 

publishing papers. The first one was for Hypertext 2011 13 describing a model of criminal network 

investigation we had developed 14 , indicating the responsibilities of tools for criminal network 

investigation and humans (investigators) [174]. The year continued with further implementation 

of the system requirements outlined in that paper. Half way through my second year I spent 

a month in London at Imperial College, Institute for Security and Science Technology, where I 

studied inference prediction methods under the supervision of Dr. Christopher J. Rhodes. At the 

end of the year I went to Germany and visited University of Hof, Institute of Information Systems, 

where I studied spatial hypertext and started the analysis and design of usability experiments 

under the supervision of institute director Dr. Claus Atzenbeck. 

20

CHAPTER 2. METHOD 2.2. SOFTWARE DEVELOPMENT METHODOLOGY 

The third year focused on continued increments of CrimeFighter Investigator, authoring of conference 

papers, a journal paper for the Springer security informatics journal (special issue on criminal 

network investigation) [176], and a book chapter for the Springer handbook on computational approaches 

to counterterrorism [175]. The final months were focused on writing up the dissertation, 

aggregating all published and unpublished work into one cohesive whole. 

2.2 Software development methodology 

During periods of software development, we have applied our own knowledge about best agile 

practices [170–172] and concepts from agile development literature (e.g., [11, 43, 44, 125]). The 

cycle shown in Figure 2.2 is representative of both the overall release as well as the intermediate 

iterations 15 . The client testing upon delivery of a release is of course the intended end user (i.e. 

intelligence analyst), while the client testing the software after delivery of an iteration is most 

likely to be the supervisor, co-supervisor or other lab members. In the beginning, feedback would 

primarily be the result of discussions at supervisor meetings, and as the prototype grows it would 

become more and more about specific requirements for the prototype. 

Figure 2.2: A typical agile development loop of feedback, coding, delivery, and client testing. The 

cycle can be a month, a week, or even a day on an agile project, whereas the traditional alternative, 

sequential water fall methods, typically have cycles of several months to years, providing the 

development team with less feedback to learn from and adapt to [43]. 

Prototyping will be based on relevant scenarios related to the criminal network investigation 

domain. Selected scenarios are described in Section 3.5 and provide requirements and design 

concepts for initial prototypes. 

2.2.1 Prototyping reviewed 

This is primarily a review of Floyd (1984) [70], which we find relevant because a prototypes have 

formed the increments of our work. In this review, we focus on the term prototype in relation 

to software development, the different steps that characterizes prototyping and the different approaches 

to prototyping. We have included reviews of specific parts of the article relevant for our 

work. 

21

2.2. SOFTWARE DEVELOPMENT METHODOLOGY CHAPTER 2. METHOD 

A software development prototype: process not product 

A “prototype” literally means “first of type”, a notion which makes sense in those 

branches of engineering where the manufacturer’s aim is to mass-produce goods of the 

same type. 

Software development prototyping however takes place in the context of an overall system development 

process. When we use the term “prototyping” in connection with software development it 

indicates that we are primarily interested in the process rather than the “prototype” as a product. 

Due to a number of working experiences a lot of software developers are motivated to employ an 

approach that involves an early practical demonstration of relevant parts of the desired software 

on a computer. 

According to the iterative and incremental cycle of agile software development described above, 

prototyping helps introduce the element of communication and feedback. The degree of this 

depends on the chosen approach to prototyping. 

The four steps of prototyping 

Prototyping can be seen as consisting of four steps; functional selection, construction, evaluation 

and further use: 

1. Functional selection refers to the choice of functions which the prototype should exhibit. 

The interesting part of this is that the selection should be based on work tasks relevant for 

a later demonstration. The prototype is usually differentiated from the final product, by 

selecting a few functions that are completely implemented (“vertical prototyping”, see figure 

2.3) or a larger set of functions not implemented in detail (“horizontal prototyping”, see 

figure 2.3). The two directions are often both used in a single prototype. 

Figure 2.3: If you have a set of system requirements (functions) to prototype, then horizontal 

prototyping means implementing a few of those functions completely and vertical prototyping 

means implementing some part of many functions. 

2. Construction refers to the effort required to make the prototype. When constructing the 

prototype focus should be kept on the selected functions that are expected to be working at 

the intended evaluation. This also means that “certain quality requirements pertaining to 

the final product, such as reliability, data security or efficiency” [70] can be omitted, unless 

these requirements are supposed to be part of the demonstration. Morale: You should only 

do what is necessary in order to get the prototype ready for demonstration. 

3. Evaluation is the step where it is decided how to proceed with the further development of 

the prototype. Hence it is important that all necessary resources are made available during 

22

CHAPTER 2. METHOD 2.2. SOFTWARE DEVELOPMENT METHODOLOGY 

the evaluation. The communication channels should be considered at the level of which the 

evaluation takes place, e.g. problems arising from man-machine or man-man interactions 

should be considered. 

4. Further use of prototype. The prototype can be used “as a learning vehicle and be 

thrown away after wards, or it may be used fully or partially as a component of the target 

system” [70]. Creating the learning process involves the following aspects: 

Early availability (e.g. rapid prototyping), 

Demonstration, Evaluation and Modification (e.g. user feedback at evaluation 

of demo results in a modification of the prototype), 

Teaching and Training (preparing users for their work with the target system), 

Commitment (users also become stakeholders for design and functionality demonstrated 

by the prototype) 

It must be kept in mind that if a prototype is demonstrated and there is a 

discussion with the prospective users about its evaluation, the commitment to 

the target system is very strong. Should essential changes of some features of 

the prototype be made during implementation of the final product without the 

explicit content of the user, serious problems regarding its acceptance must be 

expected. 

We find the most important points for our work to be those related to commitment (why we 

had a complete quote). 

Three approaches to prototyping 

The purposes for creating a prototype can be many, and Floyd (1984) [70] distinguishes between 

the following three broad classes of prototyping: 

1. Exploratory prototyping. The emphasis is on clarifying requirements and desirable 

features of the target system and where alternative possibilities for solutions are discussed. 

2. Experimental prototyping. The emphasis is on determining the adequacy of a proposed 

solution before investing in [a] large-scale implementation of the target system. 

3. Evolutionary prototyping. The emphasis is on adapting the system gradually to changing 

requirements, which cannot reliably be determined in one early phase. 

Summary 

Since the initial prototypes of this Ph.D. project were based on architecture, design concepts and 

specific components from previous research within the same field, as well as development of new 

concepts and components all three approaches to prototyping will come into play. We specialize 

our approach to prototyping below. 

2.2.2 Proof-of-concept prototyping 

The above review of prototyping by Floyd (1984) represents the “current approaches in software 

[systems] engineering contexts where engineers use prototypes to identify and satisfy requirements” 

[132]. A more recent view is that “designers communicates the rationales of their design decisions 

through prototypes. Prototypes stimulate reflections, and designers use them to frame, refine, and 

discover possibilities in a design space” [132]. Lichter et al. (1993) also mentions communication: 

“prototyping provides a communication basis for discussions among all groups involved in the 

development process” [129]. Prototypes help traverse design space by their incompleteness. “This 

23

2.2. SOFTWARE DEVELOPMENT METHODOLOGY CHAPTER 2. METHOD 

characteristic of a prototype - being an incomplete portrayal of a design idea - is the reason behind 

[the] metaphorical description of prototypes as filters. [. . . ] When incomplete, a prototype reveals 

certain aspects of a design idea - that is, it filters certain qualities” [132]. 

We have adopted aspects of both the traditional requirements approach, and the communication 

of design rationale as well as functioning as a filter for a design space, to create our own proof-ofconcept 

prototyping approach: 

Requirements: We adopt the horizontal prototyping, realizing that our prototypes may span 

multiple requirements (criminal network investigation tasks). We adopt a mix of Floyd’s 

(1984) three approaches to prototyping: exploratory prototyping; experimental prototyping; 

evolutionary prototyping. 

Communication and filter: We use proof-of-concept prototypes for communication with supervisor, 

fellow lab colleagues, readers of scientific papers and of course potential end users. 

We use proof-of-concepts prototypes for filtering the design space, focusing on particular 

characteristics of prototypes (see Section 2.2.2). 

Following Lichter et. al (1993) and the four kinds of prototypes presented there [129], we typically 

develop presentation prototypes to present functionality to either our Ph.D. supervisor, other lab 

members, potential end users (i.e., intelligence analysts at the British Home Office [167]), or to 

explain functionality to the readers of our scientific papers. The presentation prototype then 

becomes part of our pilot system (CrimeFighter Investigator), either after some refactorings, or 

maybe the architecture is already suitable for the implemented extension. Figure 2.4 (below) 

describes our prototyping approach (process in lower left corner), as well as how it relates to the 

incremental growth of our pilot system, CrimeFighter Investigator. 

Finally, starting with a proof-of-concept approach has been noted as a common characteristic of 

successfully funded and high impact intelligence and security informatics projects [37]. 

How we have designed the prototypes 

We have in general focused on interactive visual functionalities, when designing and implementing 

our proof-of-concept prototypes (testing human-computer interaction). That means, that graphics 

(visualizations) such as information about what is happening on the screen, or which algorithm 

currently running, has not been implemented: “the designer screens out unnecessary aspects of 

the design that a particular prototype does not need to explore” [132]. 

2.2.3 Software baseline and CrimeFighter Investigator - evolution from 

prototype to tool 

The software baseline for this Ph.D. project was the output of our master thesis, the ASAP 

tool [170, 171]. The transition from the agile software planning domain to the criminal network 

investigation domain is briefly described in [172], and to some extent in Chapter 8 which describes 

our analysis of general software components for tool support of criminal network investigation. 

ASAP was based on relevant parts of the Construct Spatial Service [246] (Construct from now 

on), as illustrated in Figure 2.4. Construct is “a component-based open hypermedia environment 

for supporting scholarly work processes such as associative storage and retrieval, information 

analysis, and classification in digital libraries” [246]. The concept of digital libraries is highly 

related to hypermedia structuring mechanisms. Many investigations within this area focus on 

linking structures only, where the Construct environment also “provides support for [. . . ] work 

settings such as spatial and taxonomic” [246]. 

The basic idea of Construct is to assist the user in gaining a clear overview and a fundamental 

understanding of a problem domain. Organizing knowledge entities (e.g., research papers, web 

24

CHAPTER 2. METHOD 2.3. EMPIRICAL EVIDENCE 

pages, brainstorming ideas, scientific quotes, etc.) will reveal relationships between the entities 

and their associated topics [246]. This basic idea made Construct very interesting and usable with 

regards to ASAP. The following features of Construct were adopted (and refactored to a varying 

extent) in by ASAP: a square 2D movable entity with changeable fields, various mouse events for 

registering clicks, dragging etc. and the hierarchy feature. Construct had a feature for linking 

entities, but it was not utilized in ASAP, and therefore had to be re-introduced when starting the 

work on CrimeFighter Investigator. We refer to Chapter 8 for further details on the features and 

concepts adopted from ASAP when starting the work on CrimeFighter Investigator. 

Figure 2.4: The software baseline for this Ph.D. project was the output of our master thesis, the 

ASAP tool. The ASAP tool has been refactored to support various versions of the CrimeFighter 

Investigator, before the final version presented in this thesis. 

To illustrate the changes (or increments) made between the different tools, we list basic software 

metrics for each of the tools in Table 2.1 16 . CrimeFighter Investigator 1 (September 2010), 2 

(September 2011), and 3 (September 2012) are the major releases of CrimeFighter investigator, 

but metrics are only shown for the third and final release in the table. 

Metric Construct ASAP CFI 1 CFI 2 CFI 3 (Final) 

Packages 2 8 11 28 45 

Classes 22 69 38 167 245 

Methods 77 689 400 2385 3863 

MLOC 731 4572 2133 14767 22342 

LOC 1211 7398 3742 24129 37250 

Table 2.1: Selected software metrics for Construct, ASAP, and CrimeFighter Investigator after 

year 3 (CFI: CrimeFighter Investigator, MLOC: method lines of code, LOC: total lines of code). 

2.3 Empirical evidence 

When visiting the institute for information systems (iisys) at University of Hof, we talked with 

Dr. Atzenbeck about the importance of empirical 17 quantitative evidence in software systems 

engineering research: 

25

2.3. EMPIRICAL EVIDENCE CHAPTER 2. METHOD 

“Many Ph.D. students do cool projects, but to have statistical evidence for the effect 

of your implemented software features, you need to design and report usability 

experiments.” - Dr. Claus Atzenbeck, Director for Institute of Information Systems, 

University of Hof. 

However, as Dr. Atzenbeck also pointed out, designing and report usability experiments is a long 

process not suitable for a 18 months research project. We started designing usability experiments 

for CrimeFighter Investigator features under Dr. Atzenbeck’s supervision and following his for 

the WildDocs spatial hypertext system [18], guided by Field and Hole (2003) [69]. We hope to 

complete this work in the future. 

We decided to gather empirical, quantitative and qualitative, evidence using other methods. Because 

of the wide range of criminal network investigation processes and tasks we cover, several 

methods have been necessary to evaluate all aspects of our developed software system support: 

post-crime data sets and investigations 18 , end-user interviews, capability comparisons, and measures 

of performance. These methods are described in detail and discussed in Chapter 15. 

Before continuing to Section 2.3.1 on case study research, it is important to note that we have been 

doing case study research in the context of software systems engineering, not case study research 

of the effect of applied software systems engineering or criminal network investigation concepts. 

2.3.1 Case study research 

Prior to establishing whether or not we have been doing case study research, we need a definition 

of what a case study is. According to Thomas (2011), “case studies are analyses of persons, events, 

decisions, periods, projects, policies, institutions, or other systems that are studied holistically by 

one or more methods. The case that is the subject of the inquiry will be an instance of a class 

phenomena that provides an analytical frame - an object - within which the study is conducted 

and which the case illuminates and explicates” [224]. Let us consider this definition of the case 

study in the context of the criminal network investigation of the individuals who kidnapped and 

murdered Daniel Pearl, a case we use throughout this dissertation and which we have studied 

extensively (see Section 3.5.1): 

Subject: The kidnapping and murder of Daniel Pearl. 

Object: There has been several objects of study, in relation to the subject, namely our three 

challenges: 

1. Information What information structures are created in this investigation (complex 

system, project)? How does the information evolve? What information configurations 

causes what decisions? What events triggers information (i.e., about persons) being 

recorded? 

2. Process What are the policies for adding information? What persons are involved in 

the investigation process? Recording a chronology of events (periods) 

3. Human factors How do investigators (persons) interact with information? What 

types of persons are involved in investigations or in the kidnapping and murder? What 

is the policy of the investigation team? 

But can we generalize our findings in case studies and use them as arguments for the software 

requirements we generate? The strengths and weaknesses of case studies as compared to for 

example formal experiments (e.g., usability experiments) are summarized in the following quote: 

“Although [case studies] cannot achieve the scientific rigor of formal experiments, 

[they] can provide sufficient information to help you judge if specific technologies will 

benefit your own organization or project. Even when you cannot do a case study of 

26

CHAPTER 2. METHOD 2.4. PH.D. STUDY PROGRAM 

your own, the principles of good case-study analysis will help you determine if the 

case-study results you read about are applicable to your situation” [118]. 

Flyvbjerg (2006) further advocates the use of case studies and their scientific value by explaining 

and correcting five common misunderstandings about case studies: “(a) theoretical knowledge is 

more valuable than practical knowledge; (b) one cannot generalize from a single case, therefore, 

the single-case study cannot contribute to scientific development; (c) the case study is most useful 

for generating hypotheses, whereas other methods are more suitable for hypotheses testing and 

theory building; (d) the case study contains a bias toward verification; and (e) it is often difficult 

to summarize specific case studies.” [71] (misunderstandings are also discussed in Flyvbjerg (2011) 

[72]). An interesting conclusion on the strengths of case studies from the business management 

domain comes from Gill (1995): “theory developed from case study research is likely to have 

important strengths such as novelty, testability and empirical validity, which arise from its close 

linkage with empirical linkage” [76]. 

2.4 Ph.D. study program 

This Ph.D. project described in this dissertation, has been conducted according to the requirements 

of the Ph.D. school’s research training program Software Engineering 1 at the Technical Faculty, 

University of Southern Denmark. The program is three years (six semesters) of length, and 

includes the following compulsory activities: 30 ECTS (1 semester) of Ph.D. courses, one semester 

(1 semester) of work for the institute, environmental change ( 1 

2 semester), 300 hours of knowledge 

semester), ideally leaving room for 18 months of research. 

elicitation ( 1 

2 

1 The research training program was previously known as Information and Communication Technology. 

27

2.4. PH.D. STUDY PROGRAM CHAPTER 2. METHOD 

28

Part II 

The domain 

29

The chapters in part II introduces the domain of tool support for criminal network 

investigation, and then sharpens further our initial problem definition and hypothesis 

from Chapter 1. Chapter 3 describes criminal network investigation. Chapter 

4 describes existing tool support for criminal network investigation and explains 

strengths and weaknesses of these state-of-the-art tools. Chapter 5 summarizes a 

range of theories and technologies required for tool support for criminal network 

investigation. These three chapters represents our domain knowledge. Chapter 6 

expands our initial description of the three challenges information, process, and 

human factors, which we chose to focus on in Chapter 1, and which formed the 

foundation of our research hypothesis. For each challenge, a set of specific problems 

are listed, based on our domain knowledge. We also define our research focus for 

each of the three challenges, framed by a set of requirements. Each requirement 

is viewed as a software feature, which, if supported in a suitable fashion, would 

strengthen a software tool’s support of the related challenge. 

Figure 2.5 provides an overview of the central role that Chapter 6 plays in terms 

of previous and future chapters. Figure 2.5 shows that the research focus requirements 

relate to the criminal network investigation process model and tasks, and 

subsequently how the processes relates to Chapter 9 to 13, each of these chapters 

describing analysis, design, and CrimeFighter Investigator support for tasks associated 

with a process. Chapter 8 is also part of the foundation for Chapter 9 to 

13, and the concepts and components analyzed and designed in that chapter have 

been developed to support the research focus requirements in Chapter 6. Chapter 

9 to 13 leads to Chapter 14, describing criminal network investigation work flows 

involving multiple criminal network investigation processes and tasks. Chapter 15 

and Chapter 16 evaluates and concludes our dissertation. 

Figure 2.5: How Part II links to Part I, III, and IV of this dissertation. 

31

CHAPTER 3 

Criminal network investigation 

If we are to think seriously about the world, and act effectively in it, 

some sort of simplified map of reality . . . is necessary. 

Samuel P. Huntington (1996), in the clash of civilizations and the remaking of world order [102]. 

Network-based techniques are widely used in criminal investigations because patterns of association 

are actionable and understandable, but a criminal network is a special kind of network and a 

focused review of this domain is necessary. We start this chapter with our understanding of 

what a criminal network is and is not (Section 3.1). This includes a comparison of criminal 

networks with other networks such as social networks, biology networks, physics networks, and 

other complex systems. Investigations of how criminal networks evolve over time is important to 

understand the need for information structure support; a criminal network is not a static entity. 

Equally important is an understanding of how criminal networks form (emerge) and what ties a 

network together to sustain the required level of secrecy and efficiency necessary for the networks 

survival, as mentioned above. We discuss the differences between pre- and post-crime criminal 

networks, and again, how one becomes the other, e.g., through a radicalization process. Finally, 

we discuss the implication that individuals and other entities (organizations, locations, etc.) in 

criminal networks are criminals or part of criminal activity. Part of the explanation is given below, 

that criminal networks are investigated for potential criminals or criminal activity in situations 

where decision makers want to take proactive measures. But again, we need to be aware of the 

difference between legal and illegal activity [87]. 

We start the chapter with an introduction to what a criminal network is Section 3.1, followed by a 

review of criminal network structures. An investigator in any domain would benefit from a general 

knowledge about the known basic information structures within that domain [8,9,90]. In Section 

3.2, we present the building blocks of such structures. We divide the structures created with 

those entities in two categories, organizational (meta) structures and smaller (sub) structures, and 

discuss the structures in each category often appearing in criminal networks. 

After this review of various structures, we review two different types of processes for criminal 

network investigation; the linear approach and the target-centric approach. The analysis of these 

two different approaches will also serve as input for our problem definition in Chapter 6. The 

classic linear approach to investigation (see Section 3.3) is the “faulty” investigative process, 

because it introduces compartmentalization which has a negative impact on information sharing 

and shared responsibility, ultimately causing intelligence failure. The target-centric approach, on 

the contrary, has all stakeholders (collectors and processors, analysts, and customers) working 

33

3.1. CRIMINAL NETWORK? CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

on the same shared target-model removing compartmentalization from the equation and in stead 

helps introduce concepts such as ownership and transparency. Read about the our preferred 

investigative process in Section 3.4. 

We present four case studies of criminal network investigations in Section 3.5. We discuss and 

reference those cases throughout the dissertation. The cases are: the Daniel Pearl investigation, the 

hunt for Khalid Sheikh Mohammed, the Latonya Wallace and John Scott homicide investigations, 

and finally the Barksdale drug organization in Baltimore. For each of these case studies, we set the 

scene for investigation, we describe the investigative team and the individuals that constitute it, 

we discuss the investigative approach of the team, and the criminal network under investigation. 

We conclude this chapter with a summary based on three distinct criminal network investigation 

types 3.6. We give a short introduction to the the general characteristics of the criminal network 

investigations we focus on, and then we present the three specific investigation domains of our 

particular interest, namely policing, counterterrorism, and investigative journalism. We discuss 

each investigation domain in terms of the three challenges information, process, and human factors 

and present case-studies from each investigation domain. 

3.1 What is a criminal network? 

A criminal network is a special kind of social network with emphasis on both secrecy and efficiency 

19 [244]. Network-based techniques are widely used in crime investigations, because patterns 

of association are actionable and understandable. We later define the building blocks of criminal 

networks as well as observed structures (i.e., their organizational and smaller sub structures) to 

be three basic entity types (nodes, links, and groups) which are associated to form the network. 

Following this definition, a criminal network could be something as different as the Enron email 

dataset 20 where a network could be Enron individuals as nodes, links represent email send between 

individuals, and groups the position of individuals in the Enron company hierarchy. A 

criminal network could also be physical evidence (hair, bullets, knife, etc.), suspects and witnesses 

associated with a homicide crime scene. 

To get an initial understanding of what a criminal network more specifically is we discuss how they 

are different from more well known networks such as social networks or real world networks from 

e.g., biology like predator-prey networks (see Section 3.1.1). Since criminal networks emerge from 

entities already in the real world, we review why (root causes) they emerge (ideology, financial gain, 

radicalization, etc.) and how they then evolve (further radicalization) as described in Section 3.1.2. 

The strengths and weaknesses of criminal networks provides us with further understanding, and 

explains the proliferation of criminal networks as well as their demise (see Section 3.1.3). Criminal 

networks of associations between entities prior to crime or criminal activity are very different from 

criminal networks depicting the associations between entities after a crime or criminal activity 

as we show in Section 3.1.4. This brings forth another dimension of criminal networks, when 

compared to networks in other domains. There is an ethical aspect to criminal networks, since 

individuals are made suspects of having associations with some criminal activity or crime before 

it happens, at least when taking proactive measures. This issue is discussed in Section 3.1.5. 

3.1.1 Criminal networks and other networks 

“Many objects of interest in the physical, biological, and social sciences can be thought of as 

networks” [155]. Criminal networks differentiate from other networks in a number of ways. Given 

the popularity of social networks research, the differences between criminal and social networks 

are often in focus. Morselli (2009) discusses the criminal network perspective and his first task is 

therefore, according to him, “to establish why criminal networks are different from non-criminal 

social networks. Crime, after all, is a social phenomenon, but criminal networks and general criminal 

behavior do have distinctive features from noncriminal counterparts” [150]. As we mentioned 

in the introduction to this chapter, a criminal network is a special kind of social network with 

34

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.1. CRIMINAL NETWORK? 

emphasis on both secrecy and efficiency [244], but as we will see criminal networks also have other 

distinctive features. 

While the emphasis is different in terrorist networks and social networks, the entities are often the 

same, namely humans. In other network domains theory from physics is used to localize the source 

of diffusion in complex networks (e.g., “the source of a contaminant or virus”) [177], where the 

nodes might be houses or cities and links represent means of transportation between them, and 

so on (see Section 5.9 for examples). In all these networks the entities are of the same type within 

each individual network. But in criminal networks, as we will see in the investigations described in 

Section 3.5.1 to 3.5.4, it will be clear that many different types of entities can be expected to occur 

in the networks. And furthermore, the relations between entities are not of one type, but multiple 

types. In general, we think of criminal networks as semantic webs (see Section 5.2 for detailed 

review) of information entities. It is important to understand both the differences in emphasis 

and entity types, when analyzing criminal networks. Consequently, this is also important when 

developing tools support for criminal network investigation. 

3.1.2 The emergence and evolution of criminal networks 

Criminal networks often emerge as a consequence of radicalization, either of individuals or groups. 

The violent Islamist radicalization of individuals toward forming or joining terrorist networks 

is described in various studies of radicalization aspects such as radicalization phases [203], root 

causes [234], and violent online radicalization [29, 48, 49, 236, 241]. 

What complicates the analysis of criminal networks of a certain complexity, is that the picture 

constantly changes. “With every interaction, people change, group dynamics change, and social 

dynamics change” [28]. Morselli (2009) comments on this flexible order, as he calls it: “These 

ongoing interactions in criminal networks combine to create a context of flexible order. The idea 

of flexible order begins with the assumption that there is common ground to be found in the 

interaction between individual and collective interests. A second claim emphasizes the bottomup 

organizational force of individual interactions and that a central governing authority is not a 

necessary condition for reaching social order. In brief, the network is a self-organizing structure 

that is essentially driven by the emergent behavior of its parts” [150]. To summarize, associations 

are created between network entities from these interactions, and the addition of new associations 

evolve the criminal network and the structures within it. 

3.1.3 The strengths and weaknesses of criminal networks 

The emerging nature and strength of a criminal network can be the result of several aspects, such 

as ideology, cultural or family bonds, or the very structure and powerful entities of the milieu 

where people live. The success or failure of a criminal network has recently been found, not to 

be because of top-down leadership: “In Krebs’ (2002) analysis of the hijacker operation behind 

the September 2001 attack [122], it is the dense under-layer of prior trusted relationships that is 

found to be at the base of the network’s stealth and resilience and not the commanding control of 

a single or select few leader(s)” [150]. In urban organized crime, it is the different institutions of 

the city that impacts or controls the criminal networks and criminal (police) investigations: “it is 

the different institutions in the city that are the real powerful entities” [34, 127]. 

Node removal is a well known technique for destabilization of criminal networks [35,36]. Deciding 

which node or group of nodes to remove, i.e., finding the weak “spots” in the network, is dependent 

on available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), complicating 

the prediction of secondary effects following a node removal. Inference-based prediction 

and social network analysis provides different perspectives on criminal networks, thereby assisting 

investigators in their decision making by answering the ’what if’ questions they inherently would 

like to ask [169]. 

35

3.2. STRUCTURES CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

3.1.4 Pre- and post-crime criminal networks 

The criminal networks we see are normally organized in a classic nodes-and-links way before presentation. 

The typical organizational structures in these networks include hierarchical structures, 

cellular structures comprised of subgroups connected by bridges, and flat (or fluid) structures 

where individual entities are distributed in some (more or less) random manner, maybe based on 

subgroups or their relationship with nearby nodes. The entities are simply organized in a certain 

way, because it creates an easier to comprehend visualization of the criminal network. These 

networks are organized after the crime and the investigation thereof has been concluded, and we 

therefore refer to these networks as post-crime criminal networks. 

But as described in the previous sections, criminal network structures are emergent and evolving 

and the networks go through many iterations after a target is selected until the structure types 

mentioned above emerge. When investigations start, criminal network entities are often associated 

in other ways than through well established relationships to other entities. First, the entities are 

randomly positioned in an information space and maybe only a few are directly linked (e.g., 

the known accomplishes of the target). Later, more entities are linked, groups are created, and 

structures emerge. During the first iterations, spatial associations like entity co-location play an 

important role. A spatial association with a specific semantic meaning could be entities placed 

in close proximity of each other to indicate a subgroup in the network or snippets of information 

about a certain individual. Or entities might be placed above and below each other to indicate 

hierarchical importance [168]. In other words, “semantics happen” [197]. We refer to this type of 

networks as pre-crime criminal networks. 

The network visualizations we see in magazines, news papers and scientific journals and proceedings 

(post-crime) are often created specifically for presentation purposes. But they tell very little 

about the investigative efforts required to synthesize and making sense of the respective networks. 

The networks therefore convey limited information to the reader about what processes, tasks and 

techniques that a tool for criminal network investigation, working with pre-crime networks, should 

support. 

3.1.5 Ethical aspects 

Studying criminal networks from the initial relations are forged (and the increasing radicalization of 

each individual in the network) reveals that the individuals in the network are often not criminals, 

before a certain level of radicalization and extremism is reached. And this is certainly the case 

from a criminal network investigation perspective (see Section 3.6), in which a lot of individuals 

and other entities will be part of an investigation and then later excluded from that investigation, 

when it is realized that they are not criminals (part of the criminal network). [87] 

3.2 Criminal network structures 

Knowledge about the structures that criminal networks have formed in the past, is an important 

tool for investigators, as highlighted by the following comment from Alexander (1964): “Today 

functional problems are becoming less simple all the time. But designers rarely confess their 

inability to solve them. Instead, when a designer does not understand a problem clearly enough 

to find the order it really calls for, he falls back on some arbitrarily chosen formal order. The 

problem, because of its complexity, remains unsolved.” [8]. If required to choose a structure 

beforehand, then you would at least have to choose one that fits the nature of the criminal 

network that you are trying to model. But preferably, one should let the structure (evolve) and 

emerge as discussed in hypertext research [197,198], the right approach being to “seek, rather than 

anticipate, structure” [150]. In Section 5.1 we review hypertext structure domains that support 

emerging and evolving structures assisting analysts searching for structure. 

Based on literature studies of a mathematical perspective (e.g., [195, 240]) and the investigation 

36

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.2. STRUCTURES 

Figure 3.1: The three first class entities of criminal networks are information elements (nodes, left), 

relations (links, middle), and composites (groups, right). The circles indicate connection points 

for directly associating the entities, while the small light gray squares are for resizing entities. 

perspective (e.g., [188]), interviews and presentations (e.g., [166, 167]), and informal talks with 

criminal network investigators together with our own ideas, we present an outline of general 

organizational (meta) structures and smaller (sub) structures. The organizational structures are 

often used to describe the network as a whole 21 . However, large networks may exhibit the outlines 

of many such meta structures. The sub-structures are smaller structural components above the 

abstraction level of the basic network building blocks, the first class entities node, link, and group. 

3.2.1 Nodes, links, and groups: the basic entities of criminal network 

structures 

The building blocks of criminal networks are information entities. Our network model (Figure 3.1) 

defines three such entities, namely information elements (nodes), relations (links), and composites 

(groups). Nodes hold information about real-world objects. Investigators basically think in terms 

of people, places, things, and their relationships. We use rectangles as visual abstractions here 

for simplicity, but any symbol (circles, triangles, etc.) could have been used to illustrate different 

types of real-world objects. Links of different types and weights can associate information entities 

directly. Links have two endpoints, they can be both directed and undirected, and they have 

different visual abstractions (see Figure 3.1, middle). Composites are used to associate entities 

in sub groups. We work with three types of composites [174]: Reference composites are used to 

group entities in the common information space. Inclusion composites can collapse and expand 

information to let investigators work with subspaces. Relation composites can collapse and expand 

multiple relations between two information elements. The circles in Figure 3.1 indicate connection 

points for direct association of entities. The smaller light gray squares are for resizing entities. 

Later, we will abstract the concepts of the circles and light gray squares to a single concept. 

We formalize our criminal network model mathematically by stating that a criminal network (CN) 

is a list of entities (E) and entities are lists of nodes (N), links (L), and groups (G). Beyond this, 

the organizational structures and smaller sub structures described below have not been formalized 

mathematically. We leave this perspective for others and instead take a structural perspective, 

allowing for some investigative flexibility, that strict mathematical formalization might inhibit. 

3.2.2 Organizational (meta) structures 

As mentioned above, we will take a structural and investigative (i.e., operational) perspective 

on the presented structures. By an investigative perspective, we mean what information and 

knowledge does the structure reveal to the investigators, e.g., about the functional or operational 

nature of the criminal network. A mathematical description (or formalization) of a criminal 

network structure will rarely, if ever, be utilized during criminal network investigation, and it 

therefore makes more sense to focus on the investigative implications that the structure can have 

37


on immediate operational decision-making. 

We consider the structures to be independent of the information entities they structure. That 

is, the links could represent flow of information between people nodes, or money flow between 

geographic position nodes. Typical criminal network information entity structures that form 

during investigation include hierarchical structures (Figure 3.2, left), cellular structures comprised 

of cohesive subgroups (cliques) connected by bridges (Figure 3.2, middle), and flat (or fluid) 

structures where individual entities are distributed in some (more or less) random manner (Figure 

3.2, right), maybe based on factions or their relationship with nearby nodes, or simply because of 

a more desirable visual layout. 

It is important for us to point out here, that the structure examples from investigations that we 

present below are often the results of laborious research and then incremental synthesis of a network 

(see examples in Figure 3.2). Hence, it is not representative of the structures encountered during 

the early phases of investigations (see Figure 3.3). However, the more structures an investigator 

knows prior to investigation, the more likely it is that he/she will move toward the true nature 

of a criminal network and not a biased choice of structure due to the limited knowledge of the 

investigator. 

Figure 3.2: An example of hierarchical (left), a 

cellular (middle), and flat structure (right). 

HIERARCHICAL 

Figure 3.3: Emerging structures in the early 

phases of criminal network investigations. 

As previously mentioned, criminal network structures are emergent and evolving and the criminal 

network is modeled incrementally, from the selection of a target is selected to some meaningful 

structure emerges, that can provide insight and new potential leads for the investigators. 

Sageman (2004) state that “terrorist networks are not static; they evolve over time” [188]. A 

large organization like al-Qaeda has developed many “levels and concepts of organization” [155] 

from it’s establishment to now. Sageman depicts al-Qaeda as four clusters with one leadership 

cluster, the central staff. “After 1996, the central staff was no longer directly involved in terrorist 

operations, but the other three major clusters were connected to their central staff contacts by 

their lieutenants in the field” [188] (see Figure 3.5). Two of the al-Qaeda clusters are comprised 

of several cohesive subgroups, while the southeast Asian cluster is more hierarchically structured, 

with a leader and a consultative council at the top. When the cluster was created it was divided 

into four geographical regions, and each region had several branches: 

Building Jemaah Islamiyah was a remarkable achievement accomplished in very little 

time. Hambali and his Chinese wife moved into a tiny wooden shack in a small 

village [. . . ] south of Kuala Lumpur. [. . . ] Five years later he commanded a network. 

[. . . ] Hambali sat in his tiny Malaysian village and meticulously planned, then 

patiently built, Jemaah Islamiyah into an extraordinarily disciplined network. It had 

more structure than anything bin Laden ever attempted, with strict geographic sectors 

that covered all of Southeast Asia, an organizational chart in each of the sectors, and 

command tables delineating clear lines of authority and responsibility up and down. 

All the network information was gathered from public domain sources: “documents and transcripts 

of legal proceedings [. . . ], government documents, press and scholarly articles, and Internet 

38


Figure 3.4: Sageman’s (2004) ‘global salafi network’, 

as depicted in [188]. At first, the network 

may seem rather cellular, but when considering 

that one of the four clusters is central 

staff, links from there to other clusters creates a 

hiearchy. There are however also links between 

the clusters, flattening the structure. 

Figure 3.5: (mock-up) “After 1996, the central 

staff was no longer directly involved in terrorist 

operations, but the other three major clusters 

were connected to their central staff contacts 

by their lieutenants in the field. [. . . ] Each of 

these field lieutenant hubs was then connected 

to the operational field commanders in charge 

of specific operations” [188]. 

articles” [188]. Based on this information, an elaborate list of person attributes was synthesized. 

Hierarchical criminal networks can emerge in both top-down (i.e., recruitment [188]) and bottomup 

(i.e., linkage [236]) ways. 

CELLULAR 

After 10 years of investigative journalism the Pearl Project published a report on the kidnapping 

and murder of Daniel Pearl depicting five cells responsible for various tasks, with all cells connecting 

to the mastermind behind the kidnapping [227] (see Figure 3.6). However, from the account of the 

official investigation we know how fragmented and inconsistent information about the kidnappers 

initially was [162], and from another account we get a vivid description of how investigations 

faced “the eternal problem of any investigation into Islamist groups or Al-Qaeda in particular: the 

extreme difficulty of identifying, just identifying, these masters of disguise, one of whose techniques 

is to multiply names, false identities, and faces” [128]. 

FLAT 

Krebs’s almost iconic network of 9/11 hijackers has been referenced widely [122] (see Figure 3.7). 

It was aggregated based on open sources, but it is not possible to see the intermediate states of the 

network prior to the published version, which would have been interesting from an investigation 

point of view. Also, it is not clear what exact evidence that formed the individual links between 

the hijackers. But the final relatively flat structure of the network is informative for investigators, 

since it can be observed that each individual and cells on each of the flights have low connectivity. 

SEMI-LATTICE 

From an investigative point of view, it can be argued that the semi-lattice is a better structure 

for modeling for example organized crime networks (like the drug selling organization described 

in Section 3.5.4). And from a mathematical point of view we expect that the semi-lattice could 

39


Figure 3.6: The network of individuals involved 

in the kidnapping and murder of Daniel Pearl 

[227]. 

Figure 3.7: Krebs’ (2002) network of 9/11 hijackers 

(rotated 90 ◦ counterclockwise) [122]. 

more precisely be used to model overlapping network entities, whatever they might be. Alexander 

(1965) defines a semi-lattice based on sets: “A collection of sets forms a semi-lattice if and only if, 

when two overlapping sets belong to the collection, then the sets of elements common to both also 

belongs to the collection” [9] (see Figure 3.8). A semi-lattice can be used to represent overlaps 

between different (groups of) entities. This is a very interesting feature, since an overlap indicates 

some sort of association between entities, and that association can be key to solving the case. As 

commented by Hirtle (1995), “a tree structure is one realization for a hierarchical structure for 

the representation of space. It is easily constructed and understood, but it is also a rigid structure 

that does not allow for overlap. Ordered trees provide an extension that allows for some degree 

of overlap, whereas a semi-lattice is an even richer structure that appears to be consistent with 

many aspects of cognitive space [9]” [89]. In some literature, the organized crime networks are 

defined as hybrids [228]. We have observed that a hybrid of a flat tree (hierarchy) and the clique, 

shaped by the environment in which it resides, is an often occurring structure. 

The Wire is a television show about organized crime, based on yearlong embedded field work by 

the authors, that has inspired our work in this domain. It has been argued that the The Wire is 

actually a show about the city [10, 34, 163] and not the individual characters (e.g., criminals and 

police officers). It is the different institutions in the city that are the real powerful entities (quote 

from [127] as quoted in [34]): 

The narrative first emerges out of the police investigation of the drug trade, as law 

enforcement tries to capture Avon Barksdale by proving that he is the hub of a network 

of linked corners and dealers. In order to succeed, the law enforcement side must 

gain access to the dealers’ principles of interconnectedness, and they do so through the 

wiretap, which itself both emerges from and exposes new links: it first brings together 

the Baltimore police, the FBI, the District Attorney, and the courts, and it then allows 

them to piece together the structure of the Barksdale drug dealing hierarchy, which 

then links up to local politics and the real estate market; later, when the wire takes in 

the evidence of dockworkers, it also reveals global economic trading patterns that link 

urban poverty to unions and local politics to transnational criminal traffic. Thus the 

networking technology of the wiretap is itself a point of contact among other networks. 

The whole social world then emerges, in The Wire, not as a set of discrete hierarchies 

and institutions, but as the sum of the sites where they intersect. 

And it is exactly such intersections that the semi-lattice could be used to model. Taniguchi et al. 

(2011) presents a study of open air drug markets and the gangs selling drugs there. These drug 

markets are the street corners vividly described by Simon and Burns [204,205] and brought to life 

in The Wire. Taniguchi et al. provides the following definition of a gang: “a group of five or more 

people with (1) some type of structure, (2) a common identifier, (3) a goal or philosophy that binds 

40


them and (4) whose members are individually or collectively involved in criminal activity” [221]. 

To model street corners and associate gangs with those individual corners, Thiessen polygons are 

used to describe the corners, and census geography polygons are used to indicate individuals on 

each of those corners (see Figure 3.9). 

We find that specific structures often underpin or shape criminal networks. Krebs’ (2002) analysis 

of the hijacker operation behind the September 2001 attack found that it is the dense underlayer 

of prior trusted relationships that is found to be at the base of the network’s stealth and 

resilience and not the commanding control of a single or select few leader(s)” [122]. For urban 

organized crime “groups organize around criminal values and activities just as other groups would 

converge around noncriminal activities” [150]. The city has a great influence on organized crime 

networks: “[a network] can be, but does not have to be, a product of urban design and economic 

conditions” [150]. If the city shapes urban organized crime, then it could be interesting to know 

what the structure of a city is? Alexander (1965) argues that “a city is not a tree” but a semilattice: 

“I believe that a natural city has the organization of a semi-lattice; but that when we 

organize a city artificially, we organize it as a tree. [. . . ] Both the tree and the semi-lattice are 

ways of thinking about how a large collection of many small systems goes to make up a large and 

complex system.” [9]. 

Figure 3.8: The structure illustrated in a and 

b is a semi-lattice, since “wherever two units 

overlap, the area of overlap is itself a recognizable 

entity and hence a unit also” [9]. 

Figure 3.9: The solid line polygons are Thiessen 

polygons, forming unique spatial regions, systematically 

allocating crimes to the physically 

closest street corner. While the Thiessen polygons 

do not overlap or have gaps between them, 

other polygons could be added in a different 

layer to represent overlaps with the Thiessen 

polygons (in this case census geography for each 

of the polygons) [221]. 

Criminal networks of a certain complexity will typically have the features of more than one organizational 

meta structure. And the criminal networks we have studied have featured more than 

one of the smaller sub structures described below. 

41


3.2.3 Smaller (sub) structures 

As mentioned above, organizational meta structures will contain multiple smaller sub structures. 

Most prominent examples include cliques, bridges, hubs, singletons, dyads, and triads. Only 

the clique can be considered a criminal network within the larger network; a sub network. We 

characterize the other sub structures, as structural features of either the clique or the larger 

network. 

The sub structures described below can have a certain behavior associated with them, which 

could be formalized mathematically and used for pattern analysis together with the structural 

characteristics. But as we have mentioned earlier, we do not take the mathematical perspective 

here. We give examples of for example cliques (cohesive subgroups) where possible and also discuss 

attempts at profiling different types of subgroups. The three main sub structures (clique, bridge, 

and hub) are presented in Figure 3.10. 

(a) Clique (b) Bridge (c) Hub 

Figure 3.10: Examples of sub structures include cliques (left), bridges (middle), and hubs (right). 

CLIQUE 

A clique is a network structure where “every node is connected to every other node” [188], as 

shown in Figure 3.10a. Wasserman and Faust (1994) classifies the clique as cohesive subgroup, 

and gives the following definition of the clique: “a clique in a [network] is a maximal complete 

sub[network] of three or more nodes. It consists of a subset of nodes, all of which are adjacent to 

each other, and there are no other nodes that are also adjacent to all the members of the clique. 

The restriction that the clique contain at least three nodes is included so that mutual dyads are not 

considered to be cliques.” [240]. Scott (2000) suggests a distinction between strong cliques (cliques 

in directed networks) and weak cliques (when the direction of links is disregarded). For criminal 

network investigation (and perhaps sense-making algorithms in particular), the n-clique [195,240] 

is very interesting: 

“In this concept n is the maximum path length at which members of the clique 

will be regarded as connected. Thus, a 1-clique is the maximal complete sub-[network] 

itself, the set in which all pairs of [nodes] are directly connected at distance 1. A 

2-clique, on the other hand, is one in which the members are connected directly (at 

distance 1) or indirectly through a common neighbor (distance 2)” [195]. 

In our deployment of a custom made node removal algorithm (outlined in Section 14.2) we setup 

rules to detect a change in distance between nodes, changing from distance 2 prior to the node 

removal to distance 1 after the node removal (followed by an inference-based prediction of missing 

links in the network). In the deployment scenario, the investigators argue that links matching these 

rules might be indication of tasks being shifted from the removed node, to the new destination 

nodes of distance 1 from the source nodes. It could be interesting also to investigate a change in 

n-cliques after a node removal. 

“A clique is a very strict definition of cohesive subgroup. [. . . ] The absence of a single line, [. . . ] 

will prevent a subgraph from being a clique” [240]. To present examples of cliques in criminal 

networks, we have to take the mathematical (and textual) definition loosely, and think more of it as 

42


a tight-knit group 22 . A good example is provided by Sageman (2004) who references his discovery 

that “people joined the jihad in small groups” (he later refers to them as bunches-of-guys), and 

then states that: 

“When one of the friends was able to find a bridge to the jihad, they often went 

as a group to train in Afghanistan. Examples abound in [Sageman’s] sample: the 

Montreal group, the Hamburg group, the Khamis Mushayt group, the Lackawanna 

group. These are dense, small networks of friends who can vouch for each other. In 

network terminology, they form cliques.” [188]. 

Omar Saeed Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl 

(see Section 3.5.1 made an effort to keep his operational cells separate purposefully, as described 

below. “Amjad Hussain Farooqi, Asim Ghafoor, and Asif Ramzi were all allegedly implicated in 

helping Omar Sheikh plot Daniel Pearl’s kidnapping” [227]. Amjad Farooqi was a friend from 

militant circles. Asim Ghafoor came with Omar to Karachi, a 28 year old deputy in a militant 

group, “which would be instrumental in doing Sheik’s dirty work on the streets of Karachi” [227]. 

Salman Saqib met Omar and Asim at the airport to pick them up, but Omar kept introductions 

short, and Saqib therefore only knew Asim Ghafoor as “the fat guy”. Upon arrival in Karachi, 

Sheikh had only two days to setup his operation [227], another factor that surely helped keep the 

operational cells secret. 

BRIDGE 

“A bridge is a line that is critical to the connectedness of the graph. A bridge is a line such that 

the graph containing the line has fewer components than the subgraph that is obtained after the 

line is removed” [240]. Applying this to criminal networks, we define a bridge to be an entity 

or structure (several associated entities) who connects to distinct parts of the network. In more 

structural terms, Scott (2000) references work on cycle analysis which “goes on to define a bridge 

as a line that does not itself lie on a cycle but that may connect two or more cycles” [195]. This 

is illustrated in Figure 3.11, the link between node B and E bridges the two cycles ABDC and 

EFIH. In peak analysis a node is a peak if it is more central than any other point to which it is 

connected and a bridge is then a central node that connects two or more peaks [195]. An example 

of a bridge between peaks is shown in Figure 3.12 and the bridge was found to be an important 

feature of the al-Qaeda network that Sageman (2004) investigated: 

“In the case of global Salafi mujahedin [. . . ] there is one common element that is 

specific to them and to no one else, and that is the fact that they made a link to the 

jihad. These links are key to the dynamics of terror networks. How does one go about 

joining the global Salafi jihad?” [188]. 

Questions similar to that asked in the quote above are equally important for other types of criminal 

networks, such as “how does one go about joining organized crime groups?”, like for example a 

group selling criminals selling drugs (see Section 3.5.4). 

HUB 

“A major topic of research in recent years has been the investigation of hubs on the performance 

and behavior of network[s]. Results indicate that hubs can have a quite disproportionate effect, 

playing a central role particularly in network transport phenomena and resilience, despite being 

few in number” [155]. 

A hub in a criminal network is a well-connected (high degree) node [155], e.g. the entrepreneur of 

a terrorist cell [154] (i.e., clique), receiving information from the outside and communicating it to 

the other members of the cell. 

43


Figure 3.11: An example of a bridge in cycle 

analysis: the link between node B and E 

bridges the two cycles ABDC and EFIH (figure 

adopted from [195]). 

Figure 3.12: An example of a bridge in peak 

analysis: a node is a peak if it is more central 

than any other point to which it is connected 

and a bridge is then a central node that connects 

two or more peaks [195] (figure adopted 

from [195]). 

Figure 3.13: The three isomorphism classes of dyads: null dyads (left), asymmetric dyads (middle), 

and mutual dyads (right). (figure adopted from [240]) 

DYAD 

Knowledge about triads, dyads, and singletons in criminal networks can be useful for pattern 

searching (see sections and example below), and it is also primarily with this in mind that we 

review these three structures. 

“A dyad is an unordered pair of actors and the arcs that exist between the two actors in the 

pair” [240]. There are three possible states or isomorphism classes for dyads as shown in Figure 

3.13: null dyads (left), asymmetric dyads (middle two), and mutual dyads (right). 

TRIAD 

Three nodes (information elements) without the links that may exist between them is called a 

triple; when we also consider the links between these nodes we have a triad [155, 240]. Following 

our claim, that an understanding of basic network structures is advantageous when analyzing 

complex criminal networks, Scott (2000) refers to sociology researchers who argue that “complex 

social structures can be seen as built from simple structures” [195] and say specifically about 

the triad: “simple triadic structures are the building blocks of larger social structures, and the 

properties of complex networks of social relations can, they argue, be derived from an analysis of 

these building blocks” [195]. 

For directed networks, “a triple of actors gives rise to sixty-four possible configurations of choices 

and non-choices” [240]. Figure 3.14 shows the 16 triad isomorphism 23 classes (types) encapsulating 

these sixty-four configurations (adopted from [240]). The triad types in Figure 3.14 are organized 

in seven columns, and within each column the types have the same number of links present, where 

a mutually directed link counts as two links (i.e., mutual dyad), from 0 in the first column to 6 in 

the last column. Each triad class is labeled using standard MAN labeling 24 , which consists of three 

to four characters. The first character indicates number of mutual dyads, the second character is 

44


Figure 3.14: A triple of nodes gives rise to sixty-four possible triad configurations, 16 isomorphism 

classes of which are shown here with standard MAN labeling (see text). The classes are organized 

in columns, according to number of links present. (figure adopted from [240]) 

asymmetric dyads, and the third character represents null dyads. Finally, the fourth character, if 

present, is D for down, U for up, T for transitive, or C for cyclic [240]. 

SINGLETON 

We define a criminal network singleton as a structure consisting of one node that has zero to 

unlimited links or associations to other entities in the criminal network. In online social networks, 

a singleton is described as the type of user that does not connect with any other users [124]. This is 

an interesting structural concept for criminal network investigation, e.g., when investigating lone 

wolf terrorism [153]. Maybe the singleton does not have any relations to other users in the online 

social network, but could have relations to entities in the real world, like persons, activities etc. A 

challenge here will of course be the mapping of the online social network avatar of the individual 

and the persons identity in the real world [29]. In Section 14.1 and 14.3, we discuss analysis of 

criminal networks where single entities (individuals) played key roles. 

As with triads and dyads discussed above, the singleton is useful for building patterns, based on the 

experience of investigators (their heuristics), which can be used for searching and (visual) filtering 

purposes. We illustrate this with a short discussion of a technique using importance flooding to 

identify networks of criminal activity [139]. The technique uses three kinds of importance rules 

(activity-based group rules, multi-group membership rules, and path rules), as shown in Figure 

3.15. “Weights are assigned to rules, nodes are evaluated for group membership based on the rule, 

and nodes are assigned initial importances scores equal to the sum of the weights of groups to 

which they belong” [139]. 

45

3.3. LINEAR CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

Figure 3.15: Three types of initial importance rules. Examples of how singletons, dyads and triads 

can form the foundations of rules and search patterns [139]. 

3.3 Linear process models 

Intelligence has traditionally been described as following a series of steps called the intelligence 

cycle. “The cycle defines an antisocial series of steps that constrains the flow of information. It 

separates collectors from processors from analysts and too often results in throwing information 

over the wall 25 to become the next person’s responsibility” [40], which makes it difficult to pinpoint 

responsibility for intelligence failures. Bruce and George (2008) follows up, by stating in their 

work, that “this definition of analysis conveys a mechanistic and also somewhat linear process. 

The production-line metaphor conjures up an image of analysts writing, reviewing, editing, and 

publishing an assessment, and then moving on to the next question or task” [32]. Figure 3.16 and 

3.17 shows examples of linear processes). The flaw of this linear problem-solving approach is that 

it obscures the real, underlying cognitive process: The mind does not work linearly - it jumps 

around to different parts of the problem in the process of reaching a solution [40, 239]. 

Figure 3.16: The intelligence cycle: “adapted 

from factbook on intelligence, office of public 

affairs, central intelligence agency (October 

1983), p. 14” [113]. 

Figure 3.17: The intelligence cycle as “adapted 

from a briefing, the intelligence community, 

available at the director of national intelligence 

website (www.dni.gov)” [32]. 

While the intelligence cycles presented in Figures 3.16 and 3.17 are linear and mechanistic in 

their approach, the cycle or circular visualization actually illustrates an important point, which 

should be included in future designs of intelligence analysis processes. Bruce and George (2008) 

says about their process model: “despite its simplification of what is a very complex process, this 

conceptualization does underline the analyst’s pivotal role in transforming information provided 

46

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.3. LINEAR 

by various collection systems into judgment and insight for the policy customer” [32]. Clark’s 

linear intelligence process model (shown in Figure 3.18 captures the two linear models discussed 

above, as well as others. 

Figure 3.18: The linear intelligence process. 

“The dotted line represents the transition from 

one cycle to the next, during which the customer 

reviews the analysis product and formulates 

new requirements and needs” [40]. 

Figure 3.19: The intelligence cycle of the 

Danish Defense Intelligence Service (DDIS) as 

adopted from a textual description on their web 

site [52] (see original text in Appendix B.2). 

The dotted line represents a feedback loop, in 

case new questions need to be asked, or a new 

intelligence need in general arises. 

The intelligence cycle of the danish defense intelligence service is described on their website [52] (in 

Danish, see Appendix B.2 for original text). We have adopted the visual model shown in Figure 

3.19 from the text version. The process is straightforward and individual steps resemble those 

of the other linear processes discussed in this section: (1) the starting point is a prioritization, 

considering the service’s tasks and resources, and the customers input; (2) next, it is outlined what 

the service already knows, and what it wants to know, resulting in a formulation of the intelligence 

need; (3) then follows intelligence gathering from open and closed sources; (4) intelligence gathering 

is followed by analysis, and the hypothesis is tested with available information. If the information 

doesn’t match the expectations, there might be a need to go back to (2), asking new questions 

and formulating a new intelligence need; (5) finally a report is generated, preferably as precise as 

possible, in which a special focus is put on the distinction between what is information and what 

is an assessment made by analysts. 

We make three interesting observations about the DDIS intelligence cycle: Although there is a 

feedback loop from analysis to intelligence need, it is stated that it will only be needed if there are 

new questions to be asked. From Figure 3.19 we can also see how the customer is actually “cut 

out” of the loop: once the prioritization of the task is made, then DDIS takes over until analysis is 

complete and a report can be generated for the customer. We find the recognition that analysis is 

not something that one analyst can do alone positive; it is team work. However, it is stated that 

it cannot be done by one person, which doesn’t recognize the negative impact that team work can 

also have (see Section 5.5 on the creative process which discusses this aspect). 

3.3.1 Intelligence failures 

Bruce and George (2008) warns against the listing of intelligence failures without analyzing how 

to improve on intelligence analysis, exemplified by the 9/11 Commission Report [152]: “The 9/11 

Commission Report provides a brilliant recounting of the hijackers’ plot and copious recommendations 

on how to improve intra governmental information sharing [. . . ]. However, there is scant 

47

3.3. LINEAR CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

attention at all devoted to understanding how analysis might have been better and to laying out 

any game plan for improving intelligence analysis on terrorism” [32]. The general problem seems to 

be a lack of focus on the analytical process it self, also in policing where “process models generally 

include some form of feedback or evaluation; however, there is a widespread paucity of evaluation 

of police tactics and the intelligence process” [180]. We have therefore decided not to list failed 

criminal network investigation, and then try to sum up the failures of those investigations, knowing 

it very likely would be “a linear criminal network investigation process or mechanistic approach 

was the key reason for intelligence failure. Compartmentalization was introduced, inhibiting information 

sharing”. Instead we review the Curveball case, which is a very good example of how 

a transnational intelligence operation increases compartmentalization and can potentially lead to 

war. The case is reviewed below in Section 3.3.1. 

CURVEBALL 

In this section, we take the intelligence process perspective on the intelligence estimates of weapons 

of mass destruction (WMD) in Iraq: “In addition to faulting collection efforts, fragmented intelligence 

community operations, management, and other aspects of the intelligence system, the 

Silberman-Robb WMD Commission [45] was explicit in critiquing the analytic record as well as 

the analytic process” [32]. We discuss how intelligence traveled from the mouth of an Iraqi defector 

to the German intelligence services, crossing the Atlantic to CIA Director George Tenet, 

who briefed the president and U.S. secretary of state Colin Powell. On February 5 (2003) Colin 

Powell presented to the United Nations (UN) council the evidence against Saddam Hussein and his 

allegedly active WMD program. The intelligence was based on a single source, an Iraqi defector 

who manufactured a story based on open source UN reports and his work as a chemical engineer. 

CIA director George Tenet convinced Powell that the intelligence was solid and in March 2003 the 

U.S. and their allies invaded Iraq (without UN mandate). 

Every piece of available intelligence was used for the UN 

presentation. Analysts created colored 3D versions of 

Curveball’s sketches and descriptions of mobile chemical 

laboratories (Figure 3.20), recorded audio was transcribed 

onto slides and played simultaneously and various 

satellite photos of mentioned locations were annotated 

with indications of suspicious activity. 

Figure 3.20: 3D drawings used as evidence 

in UN presentation. 

The Curveball investigation mainly involved overall tasks 

concerned with translation, interpretation, and re-formulation of the contents of interrogation 

reports crossing the Atlantic. Preparation of the evidence for the UN presentation involved linking 

many different information types. Issues were information scarcity, versioning of information, and 

most importantly compartmentalization between and within agencies: “Clandestine operatives are 

trained to spread falsehoods. Intelligence agencies spin or hide the truth as a matter of policy and 

law. And spy services, even close allies, routinely conceal information from each other” [59]. 

The channels through which the information traveled from Curveball to Colin Powell are depicted 

in Figure 3.21 using pictures and in a schematic form in Figure 3.22 26 . The Iraqi defector, ironically 

codenamed Curveball, was interrogated by the German foreign intelligence agency BND. The 

Germans normally interviewed Curveball in Arabic, using a translator, but the Iraqi spoke English 

sometimes (and even started to use a few words in German). The BND sent German summaries 

of their English and Arabic interview reports to the U.S. Defense Intelligence Agency (DIA) unit 

in Germany (Munich House) as well as the British intelligence service (not in Figure 3.21). 

The DIA team at Munich House translated the German back to English and prepared their own 

summaries. The summaries were sent to DIA’s directorate for human intelligence in a high-rise 

office building in Clarendon, Virginia. The directorate delivered 95 DIA reports to, among others, 

the new CIA unit named weapons intelligence nonproliferation and arms control, also known as 

WINPAC. WINPAC had been established to streamline CIA’s reporting and analysis of weapon 

48

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.4. TARGET-CENTRIC 

Figure 3.21: Conceptual, structural, mathematical and computational models. 

related threats, and reported to CIA’s analysis department. 700 analysts worked in WINPAC, 

but only six analysts worked in the unit focused on biological warfare programs that handled the 

Curveball reports. The biological warfare unit sent the reports up the CIA hierarchical ladder. At 

some point they caught interest, and the CIA created new versions of the streamlined WINPAC 

reports to put in the president’s daily brief, which George Tenet brought to the White House [242]. 

On February 5 (2003) Colin Powell presented to the United Nations (UN) council the evidence 

against Saddam Hussein and his allegedly active WMD program. 

We bring this lengthy account of the Curveball informations journey, because it illustrates how 

many different compartments there was in the process, each compartment amending information 

with their own interpretations and translations, based on the text given to them from the previous 

compartment. The flow of intelligence reports and documents being sent between, assessed and 

reformulated by different compartments, is shown in great detail in Figure 3.22. 

3.4 Target-centric process models 

A target centric approach is now being promoted in the intelligence analysis community [40], due to 

the failure of previous investigations. We listed (sequential) investigation failures in Section 3.3.1. 

An alternative to the traditional intelligence cycle is to make all stakeholders (including customers) 

part of the intelligence process. Stakeholders in the intelligence community include collectors, 

processors, analysts and the people who plan for and build systems to support them [40] 27 : 

“Here the goal is to construct a shared picture of the target, from which all participants 

can extract the elements they need to do their jobs and to which all participants can 

contribute from their resources or knowledge, so as to create a more accurate target 

picture. [. . . ] It is important to note that the collaborative process is not a substitute 

for competitive analysis - the process by which different analysts present alternative 

49

3.4. TARGET-CENTRIC CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

Figure 3.22: Overview of the complete intelligence process from the interviews with Curveball to the Presidents Daily Brief and secretary of state 

Colin Powells presentation at the UN. The figure shows the many cycles of interpretation, summarization, rewriting and analysis it went through 

before reaching its destination [59]. 

50

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.4. TARGET-CENTRIC 

views of the target.” 

Figure 3.23: A target-centric view of the intelligence process [40]. 

To create and evolve information technologies assisting criminal network investigators “requires 

a deep understanding of the analytical processes that intelligence analysts carry out” [39]. Investigative 

teams from the terrorism and police fields are facing complex threat environments. As an 

example experts across academia, business, and government sectors have indicated that terrorism 

is becoming more amorphous, more complex, more sporadic, more amateurish, more difficult to 

predict, more difficult to trace, and more difficult to observe and analyze [109]. This issue was 

also outlined in the Home Office Strategic plan 2004-2008: “The growth of organized crime, fueled 

by the ease of communication and travel, as well as the changing terrorist threat, have demanded 

a significant shift in the way we operate”. 

Figure 3.24: Gill’s cybernetic model [77], as reproduced with permission in Ratcliffe (2008) [180]. 

Within the investigative domain of policing, intelligence policing has produced many interesting 

inputs toward a target-centric approach to criminal network investigation. As mentioned in Section 

3.3, the intelligence cycle “emphasizes the intelligence in intelligence-led policing, but not 

necessarily the policing” [180]. Ratcliffe (2008) references Gill’s cybernetic model [77] (see Figure 

3.24) as a positive development in that direction, because Gill (2000) in his process model has 

embedded the assertion “that the reality of the intelligence cycle is that time and other constraints 

play a limiting role on the ability of this ideal-type process to function as a cycle and that the 

process in reality is more messy and complex, and that each stage is autonomous” [180]. Another 

51

3.5. CASES CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

interesting feature of Gill’s model is the concept of the filter (or power screen) to indicate that, in 

generic terms, some entity has influence on the process in question [77,180]. Similar model filters 

could also be used to indicate responsibilities during criminal network investigation. 

We believe that human factors are a significant part of these other constraints mentioned above. 

Our target-centric model for criminal network investigation (see Chapter 7) is inspired by Clark’s 

target-centric approach to intelligence analysis [40]. However, while Clark’s model puts focus on 

the shared target-model (common information space) between all stakeholder of the intelligence 

process, he lacks to describe the human factors involved, e.g. human cognition and creativity, 

when modeling emerging and evolving information structures. In a review of Clark’s book, Wirtz 

(2006) states that the human element of identifying appropriate analytic techniques “limits the 

effectiveness of the techniques identified by Clark: their success and failure rest on analysts’ initial 

definition of the problem they face. If this cognitive framework is incorrect or unsophisticated, 

then it is unlikely that even the most advanced analytical techniques will yield useful results” 

[251] and concludes: “after all, no one has yet linked failure of intelligence to the fact that the 

opponent had better equations” [251]. To summarize, while the target-centric approach creates 

the right foundation for criminal network investigation process, there is a need also to include an 

understanding of human factors and information structures, to improve further on this approach. 

An example of how to work successfully in a target centric manner was Deuce Martinez, a CIA 

top analyst, who was assigned to temporary duty in Pakistan to help pinpoint the location of Abu 

Zubaydah 28 . Deuce Martinez “was regarded as one of the best targeters the agency had” [146]. 

In the following quote Martinez has been flown into Pakistan and is briefed about the target 

and available (limited) intel (see Section 3.5.2 for more details on that investigation), quotation 

from [146]: 

Martinez went to work immediately. He put Zubaydah’s name in the center of an 

analytical report, and then added lines radiating outward, representing NSA 29 signals, 

ground intel, emails, and whatever else he could – phone numbers of people Zubaydah 

had called or who had called him, and a second layer of calls made by and to the people 

he had talked to. He used a link-analysis computer program to build images of networks 

from the raw data. He drew his own crude reconstruction of the analysis on a huge piece 

of butcher paper pinned to a wall inside the CIA’s rooms in the Islamabad embassy. In 

a few weeks, Martinez had narrowed the range to fourteen distinct addresses that stood 

out as the most likely sites. Ten of the sites were in Faisalabad, four in Lahore. 

That list was later shortened down to two Faisalabad prospects, they were attacked simultaneously, 

and Zubaydah and two accomplishes where shot, but Zubaydah survived long enough to be 

interrogated [146]. 

The fact that Deuce Martinez did this targeting largely on his own (at least the analytical part, 

he was given access to intel already processed by others) leads to another important point of the 

target-centric approach: The target-centric approach is not an advocation for group work, albeit 

being a human-centered process. Years of research show that group work does not create more 

ideas or increase creativity [4]. We discuss human cognition and creativity in Section 5.4 and 5.5. 

A target-centric approach is about having a common information space, the target model, as a 

frame of reference for investigators on a team to refer to), so that no information is hidden from 

other investigators at any time. As opposed to the traditional intelligence process reviewed in 

Section 3.3, which introduces compartmentalization into investigations. 

3.5 Criminal network investigation cases 

In this section, we review four criminal network investigation cases that have inspired our work: the 

kidnapping and murder of Daniel Pearl, the hunt for Khalid Sheikh Mohammed, two overlapping 

homicide investigations, and an investigation of organized drug crime in Baltimore constructed 

52

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.5. CASES 

from year-long observations and experiences in the domain. For each review we set the scene 

for the investigation to get the reader situated, followed by a description of the criminal network 

investigation team and the investigative approach they take. Each review is concluded with 

summary of pre- and post-crime network structures, focusing on organizational meta structures, 

building block sub structures, and complexities and emergent behaviors of the network information. 

We will provide an overview of other criminal network investigation cases elsewhere (e.g., Section 

5.7). 

3.5.1 The Daniel Pearl investigation 

On January 23, 2002 Daniel Pearl, a reporter for the Wall Street Journal (WSJ), was kidnapped in 

Karachi, Pakistan [128,162]. As a result, an elaborate investigation was started to figure out who 

the kidnappers were and where they were keeping Daniel Pearl against his will. Eight days later 

Daniel Pearl was beheaded. The execution was recorded on video and distributed world-wide. 

SETTING THE SCENE 

When The Wall Street Journal reporter Daniel Pearl was kidnapped on January 23 2002 in 

Karachi, Pakistan, an elaborate investigation was started to figure out who the kidnappers were 

and where they had taken Daniel Pearl. We have chosen this specific investigation for four main 

reasons: First of all because of its complexity. It has been stated that societies where the police and 

security services are weak, corrupt or compromised are more susceptible to terrorist attacks [252]. 

The leader of one cell involved in the kidnapping of Daniel Pearl and responsible for exterior relations, 

was in fact a police man part of an elite anti-terrorist unit but also an Afghan war veteran 

and linked to Jaish e-Mohammad 30 [128, 162]. Adding to the complexity of the investigation is 

the city Karachi itself and its population that no one seems to know how to count: “there are 

two million Afghans, Bengalis, Arabs, Sudanese, Somalis, Egyptians, Chechens, in short, foreigners 

without papers forming an army of natural candidates for al-Qaida recruiting agents” [128]. 

Hence aliases play a key role because “you run up against the eternal problem of any investigation 

into Islamist groups or al-Qaida in particular: the extreme difficulty of identifying, just identifying, 

these masters of disguise, one of whose techniques is to multiply names 31 , false identities, and 

faces” [128]. 

THE TEAM 

The investigative team (see Figure 3.25) consisted of Mariane Pearl (wife and French magazine 

journalist) and Asra Nomani (Indian-born Muslim and reporter for the WSJ). After the Pakistani 

authorities were involved, Captain (leader) and Dost (both representing a Pakistani counterterrorism 

unit) and Zahoor (also from Pakistan), joined the investigation. They are followed by four 

Americans: Randall Bennett (regional security officer at the U.S. consulate in Karachi), two FBI 

computer experts, and Maureen Platt. Finally, John Bussey (Daniel Pearl’s boss at the WSJ) and 

Steve LeVine (fellow foreign correspondent at the WSJ normally posted in Kazakhstan) joins the 

team. 

THE INVESTIGATIVE APPROACH 

Mariane and Asra start a link chart (target model) on a white board when they realize Daniel is 

missing (Figure 3.26). They add information as they discover it going through Daniel’s calendar 

and computer. They work asynchronously, taking turns adding text (mainly person names) and 

directed links (relations) to the chart. As more and more information is added, the link chart 

becomes increasingly complex. Attributes like phone numbers and pictures are added to the 

existing text entities. As more relations between persons are discovered, their lines start crossing 

each other and symbols like colored shapes are used to highlight and differentiate information. 

53


Figure 3.25: The team investigating the kidnapping 

of Daniel Pearl. 

Figure 3.26: Link chart complexity has increased 

significantly. 

Figure 3.27: The network behind the kidnapping of Daniel Pearl as synthesized by The Pearl 

Project [227] using Palantir software [5], a tool reviewed in Section 4.1. 

When the team encounters a dead end, the link chart is used to go through missing information 

that would potentially reveal something important. Team members joining the investigation late 

(e.g., Steve LeVine) use the chart to get up to speed on things. 

The type of information related to the Daniel Pearl investigation and the environment in which 

it takes place is very complex. In Karachi there are two million foreigners without official papers 

forming an army of potential candidates for Al-Qaeda kidnapping operations. The Daniel Pearl 

investigation was “up against the eternal problem of any investigation into Islamist groups or 

Al-Qaeda in particular: the extreme difficulty of identifying, just identifying, these masters of 

disguise, one of whose techniques is to multiply names, false identities, and faces” [128]. 

THE NETWORK 

The post-kidnapping network shows some well defined structures, that we review here. The prekidnapping 

network (i.e., the investigation) faced information complexities and dynamics, which 

we will also review here since it represents important knowledge about the early stages of criminal 

network investigations. 

The organizational meta structure of the Daniel Pearl kidnapping network was cellular with 

6 distinct cells as shown in Figure 3.27. The prominent and interesting sub structures of the 

network are the individual cells. Each cell in the kidnapping network were tightly nit cliques: 

Khalid Sheikh Mohammad alledgly brought his nephews for the killing of Daniel Pearl; Fahad 

54


Naseem and Salman Saqib, responsible for sending out ransom notes, where cousins. Omar Saeed 

Shaikh was the mastermind bridging them together and transmitting orders around the network. 

We find that several complexities and emergent behaviors were introduced into the Daniel 

Pearl investigation. Aliases as mentioned above (multiple names, false identities, and faces), made 

the identification of individuals involved in the investigation very difficult.The social and political 

context the criminal network investigation team had to work and navigate in, was very complex 

and hence an obstacle to progress. Omar Saeed Shaikh recruited individuals for the different cells 

only a few days before the kidnapping, and this sudden emergence of the network helped keep 

it secret and hence protected from detection. The fact that Daniel Pearl was meeting Shaikh 

Gilani on the day of his kidnapping made him the obvious suspect in the team’s “who did it?” 

hypothesis. Unfortunately, the hypothesis was wrong. 

3.5.2 The hunt for Khalid Sheikh Mohammed 

“Throughout the modern age of terror, Khalid Sheikh Mohammad has had the eerie 

ability to be at its center yet glimpsed only in the margins. He’s been the ghost of our 

times.” [146] 

As we saw in the previous criminal network investigation case (and which we will see in later 

investigations as well) Khalid Sheikh Mohammad (KSM) has an important role in many of them. 

In the investigation of Daniel Pearl’s kidnapping (Section 3.5.1), KSM was later revealed to have 

performed and video-recorded the murder of Daniel Pearl assisted by two of his nephews [146,227]. 

McDermott and Meyer (2012) describes how KSM had safe houses throughout Afghanistan, and an 

elaborate logistics network, though his connections with high ranking Afghan Taliban individuals 

are unclear - we summarize an interview with van Linschoten about the Afghan Taliban network 

in Section 15.2.1 and have also studied his book on the subject [134]. KSM was a key figure in the 

al-Qaeda organization (al-Qaeda and affiliated movements (AQAM) is reviewed in Section 14.3). 


KSM is the uncle of the worlds most famous Islamist terrorist before 9/11, Ramzi Yousef: “Yousef 

had attempted to blow up the world trade center in 1993, killing six people, wounding scores of 

others, and causing hundreds of millions of dollars in damage” [146]. KSM played a minor role 

by wiring 660 dollars to an accomplish of Yousef (Basit), for the planning and execution of the 

attack. Basit ended up using 3000 dollars on the building a bomb. KSM and Yousef then went to 

the Philippines planning to assassinate “the Roman Catholic pope and the American President 

Bill Clinton, and blow up a dozen American flagged jumbo jets in flight over the pacific” [146]. 

“KSM was secretly indicted in the US in 1996, thanks to [Pellegrino and his team]. When the 

indictment was unsealed, no one noticed. If your target wasn’t al-Qaeda, it didn’t matter” [146]. 

Shortly after 9/11 Abu Zubaydah informs FBI agents hat KSM was the mastermind of 9/11 [146]. 

The hunt for KSM continued until one year after 9/11. 

THE TEAM 

After 9/11 (2001) many agencies and even more agents were assigned to the KSM case, but we 

focus on the initial case officer Frank Pellegrino and his investigation partner, Michael Besheer. 

Pellegrino is the personification of the artistic creative type [210]: “Pellegrino was the real deal 

[. . . ]. Everybody wore by and large what might as well have been FBI issued dark suits. Their 

desks were perpetually clean. Pellegrino’s was a mess. By outward appearances so was he. His 

hair was long, at least by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ]. 

He was always busy, always late, always in a hurry” [146]. “Free association analytical work” 

is Pellegrino’s basic approach. Michael Besheer on the other hand, is the focused, rational, and 

conscious investigator. Besheer’s approach to collecting evidence was always the same, no matter 

55


the size of the task, in the following example a plane: “Parts of the plane had to be disassembled, 

examined, tagged as evidence and shipped to New York to be used as exhibits in a trial. His 

attention to detail was perfectly suited for the task” [146]. See Section 5.4.2 for a more detailed 

review of Pellegrino and Besheer’s collaboration and cognitive approach to investigation. 


The hunt for KSM has been called the most fragmented investigation in U.S. history [146], spanning 

multiple terrorist attacks prior to and after the 9/11 attacks (2001). As such, it is difficult to 

categorize the investigation to catch KSM as following either a linear process or a target-centric 

approach, since it actually comprises many investigations. 

To avoid the pitfall of setting intelligence failure equal to information sharing [32], we list the 

investigative efforts rooted in analytical process and tasks that inhibited the investigation progress: 

First failure was the overly adherence to the complete analyst skill that says: “self-confidence to 

admit and learn from analytical errors” [32]. Before 9/11 important leads had been missed, and 

after 9/11 there was a “white-out” of information. The 9/11 attacks created so much information 

that no one could make sense of it all: “there was no shortage of information. There was too 

much – a blizzard of it, a white out so complete investigators routinely lost their way in it” [146]. 

The second failure was, that the two main agencies on the investigation (FBI and CIA) had very 

different approaches: “the FBI, given its criminal investigation into the 9/11 attacks, was primarily 

concerned with the past, with what had happened, with the crime that had been committed. 

The CIA was interested in the future, what might happen tomorrow, or even today. The FBI 

wanted evidence; the CIA needed intelligence” [146]. In our opinion, the third failure of the 

KSM investigation was the removal of the case officer Frank Pellegrino from the investigation; the 

investigator with the most subject matter knowledge. 

THE NETWORK 

The organizational meta structure of KSM’s criminal network is a flat structure. KSM was a 

freelancer and an entrepreneur who over the years created his own network of contacts, however 

tightly embedded it was (became) in the al-Qaeda organization and other (smaller) organizations 

with allegiance to al-Qaeda, like Hambali’s Jemaah Islameyah [146]. Based on these observations 

it would be fair to argue that KSM’s network had resemblance of a social network of business 

contacts. He had relationships with individuals that had certain abilities that could help sort 

different problems when needed, often logistical problems. Interesting sub structures in KSM’s 

criminal network are the network cells that he deploys throughout the world to carry out terrorist 

plans hatched somewhere else. An early example was his nephew Basit (also known as Ramzi 

Yousef) and the people he recruited for the World Trade center bombing in 1993. 

The complexities and emergent behaviors in the KSM investigation are similar to those 

of other investigations into transnational terrorism or national security matters (e.g., see the 

Curveball case in Section 3.3.1). KSM used up two dozen aliases but curiously also sometimes 

traveled under his own name [146]. He was able to stay under the radar, not leaving any too 

obvious evidence around, or his world wide network helped him, either by hiding him or warning 

him before raids. Agency bureaucracy and inter-agency communication problems also inhibited 

and stalled investigations and sharing of important information. 

3.5.3 The Latonya Wallace and John Scott homicide investigations 

A homicide investigation is a special kind of criminal network investigation. There is one or more 

victims, there is a network of potential suspects together with a web of interrelated physical evidence, 

such as statements from witnesses, and information in general linked to particular locations 

at the crime scene. This section is primarily based on the account by Simon (1991), who spent 

one year with the Baltimore Police Department’s homicide unit [204]. 

56



The two homicide investigations that we use as an example here were investigated by detectives 

from the Baltimore Police Department’s homicide unit during 1988. In 1988, there were 234 

homicides in the city of Baltimore. “The vocabulary of the homicide unit recognizes two distinct 

categories of homicides: whodunits and dunkers. Whodunits are genuine mysteries; dunkers 

are cases accompanied by ample evidence and obvious suspect” [204]. Both the investigations 

described here were of the genuine mystery kind, which is why we found them relevant for analysis. 

Latonya Wallace’s body was found, 11 years old, in the alley behind a residential block in the city’s 

midtown. She lived three and a half block away with her mother and stepfather. She went to the 

library on a Tuesday, and was seen leaving the library, disappearing “into the daytime bustle of a 

Baltimore street and vanished” [204] until her body was then found the following Thursday in the 

morning. The John Scott homicide starts with John Scott stealing a car. A car chase is begun, 

and when the police catches up with John Scott, he leaves the car and starts running. An officer 

leaves starts pursuit by foot, but trips while releasing his gun from it’s holster and accidentally 

fires a round in the direction of John Scott. Moments later he is found death by other police, face 

down and with a bullet in his back. It seems to be a dunker, but it turns out that the bullet in 

John Scott’s back was not from the police officers service weapon; a genuine mystery. 

THE TEAM 

Homicide detectives usually work in pairs, where one is the primary investigator. The primary 

investigator owns the crime scene, and to a lesser degree the investigation. Two shifts, the night 

shift and the day shift. Simon (1991) follows the shift led by lieutenant Gary D’Addario. The shift 

has three squads of five detectives, each led by a squad supervisor (Detective Sergeant). When a 

little girl is shot or a police officer is involved in a shooting, the whole shift takes on the task of 

investigating those murders. 


The investigator who answers the phone will become the primary investigator, and the secondary 

investigator will depend on who’s turn is up, or simply who is nearby and free when the phone 

is answered: “by that argument, the repetitive violence of the city’s drug markets betrayed the 

weakness in the homicide unit, namely that investigations were individual, haphazard and reactive” 

[204]. Sometimes investigators participate in more long-term, surveillance based (intelligence-led) 

investigations: “Edgerton’s detachment from the rest of the unit was furthered by his partnership 

with Ed Burns, with whom he had been detailed to the Drug Enforcement Administration for an 

investigation that consumed two years. [. . . ] Unable to prove the murder, Burns and Edgerton 

instead spent months on electronic and telephone surveillance, then took the dealer down for drug 

distribution to the tune of thirty years, no parole.” [204]. 

THE NETWORK 

The network structures of homicide investigations are not focused on social networks (i.e., mainly 

with person entities) as in the investigations described earlier in this chapter. And the complexities 

and dynamics are also somewhat different, as it is outlined below. 

There isn’t much organizational meta structure to a dunker homicide investigation. Typically 

there is the victim, the assailant still at the crime scene, admitting to committing the murder and 

holding the weapon that was used to do it. The whodunit investigations also have a victim, and 

then no, one or multiple suspects. The meta structure of a whodunit investigation can be seen as 

a star network [240], with the victim at the center, and then each surrounding node represents the 

a suspect (an individual or a group of individuals), who has their own network of home address, 

friends, time lines, etc. 

57


Again, the sub structures of homicide investigations are not focused on social networks, like 

many of the other investigations discussed above, but focuses on other aspects (evidence). A lot 

of reasoning structures exist in reactive policing. “A body in an alley leaves a detective with 

questions: What was the dead man doing in that alley? Where did he come from? Who was 

he with?” [204]. The time line mentioned below is also used for reasoning, e.g., in relation to 

time of death. If time of death was at this particular hour, we create these hypotheses, but if 

it was 10 hours later, then we can create these other hypotheses. Since it was suspected that a 

cop had shot John Scott, all the radio communication from that night was transcribed, in order 

to match it up with statements taken from police officers during interrogation. Time lines are 

used extensively in the Latonya Wallace case to match the alibi’s of suspects with a chronology 

of events as the investigators has them synthesized at the time of interview with the suspects. 

The crime scene presents a network of physical evidence related to the scene and the victim. 

Homicide detectives typically solve cases by the use of physical evidence, and not first establishing 

the motive, as it is often portrayed in movies, tv shows, etc. When detective Edgerton realizes 

that Latonya Wallace’s body may not have been carried into the alley from the ground, but could 

also have been carried down from the fire stairs he draws a map. “Edgerton taped two sheets 

of letter paper together and divided the space into sixteen long rectangles, each representing one 

of the sixteen adjoining rowhouses on the north side of Newington Avenue. In the center of the 

diagram, behind the rectangle marked 718, Edgerton crudely drew a small stick man to mark 

the location of the body. The he indicated the location of the fire stairs at 718, extending from 

the rear yard to a second-floor landing and then the roof, as well as other fire stairs and ladders 

on other properties” [204]. Edgerton uses the drawing to narrow down the houses with roof top 

access, which means a person could have could the body down from the roof and put in the alley. 

Complexities and emergent behaviors are introduced in several ways. The location of the 

crime scene can add many new complexities to an investigation. The crime scene could be on 

the street, in an alley, or in a row house, each place associated with different challenges [204]. A 

homicide detective has three open cases on his desk at all times. On top of that, the bosses may 

decide that the homicide unit needs to focus on a particular series of murders for political reasons. 

The shift commander assigns the investigations of detectives busy with other prominent cases to 

new detectives, ruining their previous leg work and trust build up with informants etc. But the 

shift commander is often under pressure to raise the clearance rate and may see no other way. 

Information may change for homicide investigations in many different ways, e.g in the Latonya 

Wallace investigation the autopsy showed two meals in her stomach: One nearly digested meal of 

spaghetti and meat ball, and one only slightly digested meal of hot dogs with sauerkraut. This 

information is used to give an estimate of time of death. But deep into the investigation the 

criminal network investigation team learns that the menu at Latonya’s school did have those two 

meals on the menu at two days following each other, but each was in fact a day earlier than 

the police was initially informed, changing an important parameter in the estimate of time of 

death, and hence also the basis of many hypotheses. Witness statements can change many times 

during an investigation. The general thought is that suspects lie, often for no reason, and the 

investigators use physical evidence from the crime scene to catch the witnesses lying and make 

them tell the truth. A typical example is mentioning something that was or wasn’t at the crime 

scene, formulating interrogation questions accordingly. 

3.5.4 Organized drug crime investigation 

The Wire is a tv series, renowned for its authentic depiction of urban life on each side of the law 32 . 

In the first season we follow drug dealers on one side and law enforcement officers on the other [163]. 

The Wire is interesting and relevant as a criminal network investigation case study for a number of 

reasons. First of all, the target-centric, board-based approach 33 chosen by the investigative team 

maps well onto our criminal network investigation model [174]. Secondly, Analyst’s Notebook [2], 

a commercial software tool for visualization and analysis of criminal networks, is used to narrow 

down a list of suspects, based on a large number of intercepted phone calls. Finally, the shows 

58


ability to describe investigative context is exceptional. By context, we mean factors such as power, 

the pros and cons of law enforcement culture, distribution of resources, and the impact of politics 

that ultimately can decide the success or failure of investigations [34]. 


The organized crime investigation begins with narcotics lieutenant Cedric Daniels being ordered 

“to organize a detail of narcotics and homicide cops to take down Avon Barksdale’s drug crew which 

runs the distribution of heroin in several of Baltimore’s projects. Realizing that low-level buyand-busts 

are getting them nowhere 34 , the detail of cops [. . . ] add visual and audio surveillance 

to their law enforcement tools” [34]. The team is provided with office space in a basement, from 

where they can work the case and monitor the many wires they set up in an attempt to map out 

the network of individuals in the Barksdale organization. 

THE TEAM 

The criminal network investigation team has one narcotics lieutenant (Daniels) who is the team 

leader, four detectives, three police officers, and one informant. The lieutenant manages the team 

and is the final decision maker, the detectives take care of investigation and following leads, the 

police officers bring people in, take pictures, and so on. The informant provides the team with 

inside information from the streets, e.g., how to dress if a police detective is going undercover. 


A senior police officer, recognizing that “all the pieces matter” is put in charge of information 

collection and processing and he starts adding snippets of information on to the investigation 

board shown in Figure 3.28a. The board functions as the team’s common information space. 

Figure 3.28b shows some of the information entities used on the investigation board. There are 

polaroid close-ups of individuals, and two types of text cards: one with meta information about 

entities and one functioning as headers. In the middle, there is a surveillance photo and at the 

bottom a newspaper clipping. 

(a) investigation board (b) information entities 

Figure 3.28: The Wire case - a shared information space, in this case a physical board (left), with 

different types of information entities (right). 

59


THE NETWORK 

The organizational meta structure of the Barksdale organization is a hierarchical and somewhat 

flat structure, that maintains a top-down chain of command as shown in Figure 3.29 [10,206,249]. 

The top consists of the leader Avon Barksdale, his second-in-command Stringer Bell who administrates 

and manages the organization, and, Avon’s sister Briana Barksdale, who is responsible 

for the financial side together with Stringer. Maurice Levy is the organizations lawyer who offers 

legal advice and acts as defense lawyer for members of the organization. At the bottom of the 

organization are the drug selling crews: typically a crew is responsible for a high-rise building, 

an area in the low-rises, or a street corner (so called open-air drug markets [221]). Each crew 

has a chief, one or more high ranking lieutenants who control a number of dealers and runners, 

responsible for arranging a buy, getting the money, retrieving the drugs from a nearby location 

and handing it over to the buyer. For communicating strategies and commands to the crews, 

the leadership (primarily Stringer) has lieutenants to enforce his commands (in season one Anton 

Artis and Roland Brice work as the lieutenants), and they in turn have their enforcers who they 

forward tasks to. But Stringer Bell also shows up in person to ask crew chiefs to solve specific 

tasks or follow a new strategy. 

Figure 3.29: The Barksdale organization in season 

one of The Wire, chart from [249]. 

Figure 3.30: The Barksdale organization in season 

two of The Wire, , chart from [249]. 

Interesting network sub structures are the crews (or gangs), a group working their individual 

corners. The lieutenants function both as bridges between the leadership/top and the crews, 

while enforcing orders from the leadership, in terms of destabilizing other organizations, etc. 

Complexities and emergent behaviors are (again) introduced in several ways. Complexity in 

a surveillance-based investigation like that of the Barksdale organization, are a bit different than 

the complexities related to counterterrorism investigations. Examples include communication 

encryption used by the drug crews, e.g., applying a numerical encryption to phone numbers sent 

via pagers, or taking pictures to designate where to meet [10,206]. The legal framework is also 

responsible for some complexity. To arrest someone for dealing drugs (of a street corner) you 

typically have to catch the individual receiving money and then handing over the drugs. The 

60

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.6. SUMMARY 

crew running the street corner can circumvent this by having one person receive the money, a 

runner to get the drugs from a stash, and then a third will deliver the drugs around a corner or at 

the purchasers car. The police often make an undercover cop buy the drugs to be able to arrest 

individuals on a street corner (buy and bust). 

Dynamics are introduced by emergent and evolving information and political and management 

decisions: When investigations start, criminal network entities are often associated in other ways 

than through well established relationships to other entities. First, the entities are randomly 

positioned in the information space and maybe only a few are directly linked (e.g., the known 

accomplishes of the target). Later, more entities are linked, groups are created, and structures 

emerge. During the first iterations, spatial associations like entity co-location play an important 

role. A spatial association with certain semantics could be entities placed in close proximity of each 

other to indicate a subgroup in the network or snippets of information about a certain individual. 

Or entities might be placed above and below each other to indicate hierarchical importance. And 

it may take many iterations before it is clear what attributes (entity meta data) are relevant as 

input for analysis algorithms. In other words, “semantics happen” [197]. 

3.6 Summarizing criminal network investigation 

In this chapter we have discussed the characteristics of criminal networks compared to other complex 

networks. We have presented the building blocks of criminal networks and reviewed basic 

(abstracted) criminal network structures found to be re-occurring across investigation cases. Then 

we took a closer look at two very different processes for criminal network investigation, the linear 

and target-centric process models. We presented four criminal network investigations comprising 

three distinctive investigation domains (policing, intelligence analysis, and investigative journalism). 

We conclude this chapter by summarizing our findings for each of the three investigation 

domains. For each domain, we summarize work related to each of the three criminal network 

investigation challenges on which our main hypothesis is pinned (information, process, and human 

factors). 

Investigations such as police investigations, intelligence analysis, and investigative journalism involves 

a number of complex knowledge management tasks. Investigative teams collect, process, 

and analyze information related to a specific target, to create products that can be disseminated 

to their customers. We focus specifically on knowledge management situations where a lot of 

information must be interpreted rapidly or where a group shares and restructures information 

in order to coordinate or reach consensus [198] until now (see Figure 3.31). Collaboration and 

communication are important aspects of such group oriented situations, and connecting pieces of 

information that become known over time are a vital activity [20]. The described situations are 

very creative and social influences on creativity such as production blocking, evaluation apprehension 

and free riding has to be considered [239]. Different process models have been proposed to 

handle the complex tasks and issues involved in investigations (such as police investigations [53], 

intelligence analysis [40], and investigative journalism [136]). The three investigation types are 

briefly summarized below, in terms of process, information, and human factors. 

3.6.1 Policing 

Reactive policing is getting competition from intelligence-led policing, more information is being 

gathered and used, but evidence from interrogations and other street human intelligence weighs 

heavy; human factors play are large role for that aspect, less so for the analytical methods. We 

describe process models, information, and human factors related to policing below. 

Process (e.g., [7,53,83]). Many models have been developed over the years, ranging from reactive 

community and problem-oriented policing models to the more proactive intelligence-led and 

61

3.6. SUMMARY CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

Figure 3.31: A criminal network investigation example illustrating the preferred approach to 

analysis for policing, counterterrorism, and investigative journalism investigations. The screen 

shot is from the Daniel Pearl investigation, where two investigators discussing the relevance of one 

individual’s connection to the terrorist organization Jaish e-Mohammad. 

terror-oriented (i.e., political) policing models. These models run in parallel to the traditional 

law enforcement model characterized by its paramilitary and bureaucratic “command 

and control” structure, and focus on incident-driven response to calls for service. Police 

investigations include a variety of tasks like criminal profiling, crime scene analysis, data 

processing, and storing and sharing of information. 

Information (e.g., [10, 53, 204]) Most information produced by police officers is difficult to represent 

and thus to access and communicate due to its nature. Police knowledge tends to be 

implicit and experience-based. Human intelligence includes statements from witnesses and 

informants living on the street. A whodunit homicide crime scene produces a lot of physical 

evidence like crime scene photos, lifted fingerprints, hairs, etc., which gets examined and 

cataloged. Surveillance is used on bigger investigations producing signal intelligence such as 

audio (telephone calls), pager communication, and video. 

Human Factors (e.g., [204, 210, 239]) As mentioned, police knowledge tends to be implicit and 

experience-based, e.g., the questions an investigator asks himself or witnesses when confronted 

with a complicated investigation. Or what approach to use when you have a certain 

type of individual in the interrogation room. Other human factors relate to problem solving: 

detectives must have an ability to “think out of box” and associate different items, facts, 

and individuals from the crime scene and investigation to come up with new hypotheses 

that could potentially solve a standstill case. The capacity of a detectives working memory 

decides how many entities he or she can joggle when processing information. 

3.6.2 Counterterrorism 

Counterterrorism investigations are by far the investigation domain with most focus on keeping information 

classified, information is often signal and imagery intelligence, and human factors relate 

more to creativity and cognition for analytical abilities. We describe process models, information, 

and human factors related to counterterrorism below. 

Process (e.g., [39,40,178]). Before 9/11 (2001), investigations were mainly handled by a nations 

security services, but are now moving toward joint operations with police in what is often 

62

CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 3.6. SUMMARY 

referred to as the emerging policing-security nexus. Counterterrorism investigations are, like 

many of their targets, covert operations. The goal is to transform intelligence from different 

sources (humans, signals, images, open, etc.) into actionable intelligence products, typically 

for governments to take proactive measures in order to thwart high risk plots. Due to the 

complexity of terrorism and the people involved, some traditional crime-related investigative 

tasks like profiling have not yet been transferred to this domain. 

Information (e.g., [40, 146, 214]) Counterterrorism information mainly uses secret intelligence 35 

obtained from surveillance such as satellite imagery or phone calls. Open source intelligence 

is information readily available for everyone and has been found to actually represent 80% 

value whereas secret intelligence has been only to represent 20% of the value 36 . Information 

can vary from knowing whether it will be full moon and the fields have just been harvested 

before inserting troops on the ground in a foreign country 37 to year long surveillance (video, 

audio, infiltration, etc.) following a groups increasing radicalization and knowledge of bomb 

making right up to the point prior to a terrorist attack. 

Human factors (e.g., [146, 225]) Given the often proactive nature of counterterrorism efforts, a 

lot of “free association” and “out of the box” thinking is often required to generate hypotheses 

about potential outcomes. 

3.6.3 Investigative journalism 

We have chosen investigative journalism as a third domain of criminal network investigation, 

because of the many similarities it bears with counterterrorism and policing investigations, as 

the following quote illustrates: “we soon learned that tracking the story of a ghost is not much 

different than tracking the ghost itself” [146]. The Daniel Pearl investigation was an example 

of a criminal network investigation team with journalists, police officers, and counterterrorism 

experts working together to create a target-centric model with the goal of resolving a kidnapping 

situation [174]. But also because the tools and techniques that investigative journalists apply 

could benefit the domains of counterterrorism and policing. When Klerks (2001) joined a law 

enforcement intelligence department as an academic criminologist he gained the appreciation he 

had hoped for, “although it was gained mostly by displaying research skills [he] picked up in 

journalism instead of university” [120]. 

Process (e.g., [101,128,136]). While police and counterterrorism units enforce the law, investigative 

journalism often results in the first rough draft of (new) legislation. It has helped bring 

down governments, imprison politicians, reveal miscarriages of justice, and shame corporations. 

Classical investigative journalism was primarily about digging. It was done on the 

street, talking to people, drinking in bars, while tracing down leads, all the time scribbling 

notes on scraps of paper and stashing them away in files and boxes. The human factor is 

still important (see below), but the availability of computer-assisted reporting tools to search 

public databases and the online open source information overload has changed the game for 

ever. Everything has become more complex, and the investigators are adapting to this new 

situation. 

Information (e.g., [120, 162, 204]). Investigative journalism is still to a certain degree based on 

human intelligence (interviews with anonymous sources), especially in areas where a lot of 

local information might not be available on line. Open source intelligence for background 

checks or similar, database searches, interviews with relatives, colleagues, etc. Pictures by 

photographers and own audio from interviews. Information could also be the investigative 

journalists own observations, e.g., spending a year in a Baltimore police department homicide 

unit. Maybe a journalist will gain access to otherwise classified information, government or 

commercial, again based on interviews with anonymous sources. 

63

3.6. SUMMARY CHAPTER 3. CRIMINAL NETWORK INVESTIGATION 

Human factors (e.g., [128,146]). Experience and tacit knowledge (ability to ask the right questions, 

personal network, etc.) are key tools for a successful investigative journalist. Mind 

mapping abilities (linking together facts for correct understanding and coherent stories) are 

important, just as when a homicide detective is trying to understand a complicated crime 

scene. A journalist can sometimes have an advantage in gaining access to interviews and 

information, since the journalist is the protector of civil liberties and the voice of the people, 

while police officers and secret agents might have more trouble getting people to talk about 

an incident. 

64

CHAPTER 4 

Related work 

“We are good at modeling static networks,” he says, “but networks 

like these change over time. And we don’t yet have a dynamic graph 

theory.” When one terrorist is caught or killed, for example, “he is 

replaced by a cousin” with different social links. “Changing a single 

link can completely change the graph.” 

Interview with March Sageman (2009) [26]. 

Existing work related to criminal network investigation falls into two categories. Related work 

from various research fields has provided much inspiration in the design and development of 

CrimeFighter Investigator. This type of related work is reviewed in Section 5.1. The other type of 

related work is centralized around tools that support criminal network investigation tasks. This 

chapter focuses on such tools. A comparison of our approach against existing work in that area is 

described in Chapter 15. 

A number of existing tools support criminal network investigation processes and tasks. The tools 

have been selected to cover prominent commercial tools (Section 4.1), tools actually used by 

investigators, as well as research prototypes (Section 4.2) and tools for investigative journalism 

(Section 4.3) to get a comprehensive overview of the state-of-the-art tool support for criminal 

network investigation tasks. We find the review of investigative journalism tasks relevant, due to 

the supported tasks. 

Our analysis of state-of-the-art tools is mainly based on open source material (tool websites, 

reviews and blogs, academic papers, etc.), but for a few of the commercial tools, statements 

from end users have also been included. Naturally, the commercial tools have lots of information 

about their products on their website, but while there are many colorful screen shots and videos, 

and statements generated by the marketing department, there isn’t much technical depth to that 

material (with Palantir Government providing most technical explanations through the videos on 

their site). The research prototypes on the other hand are described with a technical point of view 

in academic papers, but other than that, not much material can be found (except if papers mention 

research prototypes other than their own). Network analysis tools, frameworks, and libraries gets 

perhaps the best open source coverage, since they are used by everyone when building their tools: 

the technologies are detailed described in academic papers, journal papers and books; their usage 

and examples thereof are provided by all the researchers, developers, and companies who utilize 

the technologies; even the software itself is often open source. 

65

4.1. COMMERCIAL TOOLS CHAPTER 4. RELATED WORK 

For each of the reviewed tools, we focus on support of criminal network investigation tasks. Our 

related work review is applied later, in Chapter 15, where we compare the capabilities of these 

state-of-the-art tools from the policing, counterterrorism, and investigative journalism domains 

against each other and CrimeFighter Investigator (see Section 15.3). The analysis of conceptual, 

structural, and mathematical models is also used later for a capability comparison of the tools on 

those parameters. 

The remainder of this chapter is organized as follows: we start out with a review of commercial tools 

in Section 4.1 covering Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer 

6.0, and COPLINK. We indicate the tool versions to set the boundaries of our analysis. Next, we 

look at research prototypes in Section 4.2, covering The Sandbox for Analysis, POLESTAR, Aruvi, 

and the mentioning of a new research prototype Dynalink. Tools for investigative journalism are 

reviewed in Section 4.3 and covers Namebase.org, Mindmeister, and a range of simple tools. 

4.1 Commercial tools 

The following commercial tools for policing and counterterrorism have been selected as particularly 

related to our work: Analyst’s Notebook 8.5, Palantir Government 3.0, Xanalys Link Explorer 6.0, 

and COPLINK. Our reviews of these tools is presented below, except for COPLINK since it is a 

tool that takes a different approach compared with the other three. It is however included in our 

capability comparisons in Section 15.3, given its relevance for criminal network investigation in 

general. 

4.1.1 Analyst’s Notebook 8.5 

Analyst’s Notebook 8.5 (AN) is part of IBM i2’s analysis product line 38 and “aims at supporting 

a rich set of analysis and visualization capabilities to support analysts in quickly turning large 

sets of disparate information into high-quality and actionable intelligence to prevent crime and 

terrorism” [2]. In Section 15.3, where we compare the capabilities of all the related work it is 

pointed out that Analyst’s Notebook is not strong on sense-making, except for their support of 

visualization and various filtering views. 

AN aims at supporting a broad spectrum of customers including national security, defense, law 

enforcement, government and private sector organizations. The tool has diagrammatic visual 

representations and is mainly used for visualizing connections (e.g., transactions, phone calls, ‘isrelated-to’ 

relations, etc) between various types of entities, social network analysis and different 

interactive views such as histograms and heat matrices [2, 107]. AN hides the full content and 

context of information (lack of transparency) and it seems better suited as a report tool than 

a thinking tool since it does not encourage various alternative thinking [254]. This claim was 

supported by end-users we met at an i2 user conference [106]: “I typically use Analyst’s Notebook to 

generate a report for the state attorney handling the case in court. I do not use AN before I am done 

with my analysis”. Furthermore, assumptions and evidence are not easily distinguishable [254], 

making it impossible to back-track how reasoning was done and on what grounds decisions were 

made. 

SPECIFIC FEATURES 

Analyst’s Notebook supports “flexible data acquisition via intuitive drag-and-drop, importing or 

multiple database access capabilities” [108]. Another interesting import feature is, that “when 

importing data into Analyst’s Notebook 8, users now have the ability to export transformed data 

into a comma separated or tab separated file allowing them to save and reuse the transformed 

version of their original file” [104]. Analyst’s Notebook supports column actions 39 on import [107], 

such as Add Prefix (“Adds text or values immediately before the values imported from a data 

66

CHAPTER 4. RELATED WORK 4.1. COMMERCIAL TOOLS 

column”) and Extract Portion of Text (“Extracts a specific portion of text or data from a data 

column”). 

AN supports information elements and relations, and visualization of groups in a network (see 

Figure 4.1). A range of 3D icons are supported as visual abstractions for information elements, 

e.g., ‘male person’, ‘telephone’, and ‘refugee center’ in Figure 4.1. Information elements are created 

using drag and drop from a special pane, and attributes are added to information elements 

also using drag and drop from a similar pane [104]. As mentioned, relations between information 

elements are supported and Figure 4.1 (upper left corner) shows simple examples such as ‘associate’, 

‘address’, and ‘subscriber’. Three types of directed links are supported: multiple, directed, 

and single. If information elements are phones, then the type multiple can be used to indicate 

number of phone calls between the two phones at different times of day. The type directed can be 

used to indicate phone calls from phone a to phone b and vice versa, and the type single could 

have the total number of phone calls between the two phones. Group entities (composites) are not 

supported, only indirectly using visualizations (see Figure 4.1). That also means that information 

cannot be collapsed or expanded. All information found relevant for the investigation exists at the 

same level in the information space, and then parts of it can be highlighted or emphasized using 

various filters, histograms, etc. [2, 104, 107]. AN supports multiple information types, e.g., drag 

and drop of pictures onto information elements to add the picture as a visual abstraction. 

The focus of AN is on visual analysis. It has support for many perspectives on information such 

as visual symbols in the information space, chronologies of events, heat matrices (e.g., indicating 

during what time spans crimes occurred in the past), positioning of information entities onto maps 

to do geographic analysis, etc. AN has strong support of social network analysis and visualization 

thereof. Multiple centrality measures (eigenvector, betweenness, degree, and closeness) can be 

selected to run simultaneously, the results of which are visualized using color and entity size in 

the information space. 

Finally, AN supports the generation of a wide range of reports for dissemination of analysis results. 

Creating hypotheses in a collaborative manner is not supported, but in one product video [105] 

there is an example of analysts that are asked to assemble a single target profile. While they are 

working they can comment on and review each others work, and when finished they can assemble 

their work into “a multi-dimensional report”. 

4.1.2 Palantir Government 3.0 

We analyze the tool with the most criminal network investigation capabilities of the state-of-theart 

in this section (see capability comparison in Section 15.3). Palantir Government 3.0 is a 

platform for information analysis designed for environments where the fragments of data that an 

analyst combines to tell the larger story are spread across a vast set of starting material. Palantir 

is currently used in various domains such as intelligence, defense, and cyber security. According 

to the company website of Palantir Technology, Palantir Government is increasingly “seen as the 

platform of choice for the spectrum of hard problems that we face today. Palantir provides an 

out-of-the box foundation for information management - full source tracking, fine grained access 

control, flexible data modeling, structured and unstructured data ingest - with a powerful frontend 

to explore all of this richness” [5]. 

A recent article in The Economist (2012) on big data analytics, stated that Palantir Technologies is 

the company “that has perhaps gone furthest in finding useful connections in disparate databases. 

[. . . ] Its specialty is building systems that pull together information from different places and try to 

find connections” [229]. The article also comments on Palantir’s initial customers, the spy agencies: 

“in America, the CIA and the FBI use it to connect individually innocuous activities such as taking 

flying lessons and receiving money from abroad to spot potential terrorists” [229]. Interestingly, 

Palantir Technology, is the producer of a commercial tool partially supporting criminal network 

investigation, which has put most thought into civil liberties and other ethical issues. Privacy 

and civil liberties are “embedded in Palantir’s DNA” [223], exemplified by technologies like access 

67


Figure 4.1: Augmented screen shot of Analyst’s Notebook illustrating supported entities and concepts: information elements and relations, various 

visual symbols, a satellite view, tabbed panes with e.g., chart creation tasks and examples of visual filtering for different purposes. (source: [2]) 

68


control model, revisioning database and immutable audit logs. Palantir also used existing legislation 

as guidelines on how to address ethical issues in implementation [223], e.g., the 9/11 commission 

implementation act [152]. 

Our analysis of Palantir Government is based on open source material such as white-videos (e.g., 

[191,194,237], video demonstrations (e.g., [230]), white-papers (e.g., [222,223]), and academic and 

other papers and articles (e.g., [26, 161]). For the intelligence community Palantir have described 

an intelligence infrastructure, where visualization and link analysis is the “top of the iceberg”, in 

a layered architecture comprising the four layers data integration, search & discovery, knowledge 

management and collaboration [192], as shown in Figure 4.2. 

Figure 4.2: Visualization and Link Analysis is the “top of the iceberg”, in a layered architecture 

comprising the four layers Data Integration, Search & Discovery, Knowledge Management and 

Collaboration (source: [192]). 

SPECIFIC FEATURES 

Palantir Government has a data integration platform, which is a framework for data integration 

with “a powerful model that accommodates every kind of enterprise data source” [194], structured 

and unstructured, such as online sources, databases, text files and spread sheets [192, 194]. To 

get an understanding of what Palantir means by structured and unstructured data, we use an 

example from a counterterrorism demonstration video [230]. In this video, a text file (document) 

describing an investigation asset meeting three other individuals at an charity event. When the 

document is viewed in a so called Browser, some entities such as names and email addresses, are 

recognized and highlighted as if they were hyperlinks in a web browser. The entities were high 

lighted using one of several entity extraction methods (automated or manual). If using automated 

extraction, errors will occur and not all important entities are highlighted (e.g., the home address 

of an individual). The user now has the option to manual extract entities such as phone numbers 

and addresses, indicate their type and link them to the already recognized entities (individuals) 

in the document. Furthermore, entities can be merged (i.e., they represent the same entity) using 

drag and drop, and the data is becoming increasingly structured. [230] 

In general, Palantir data integration focuses on the importance of supporting open formats and 

application programming interfaces (api): “you need a platform that allows you to import information, 

interact with that information, and then get it out of the system” [194]. A short, but precise, 

description of the purpose of criminal network investigation tools. The object (entity) model of 

Palantir Government is very impressive. It has its own separate architecture layer between the 

data storage and the end user (analysts, developers, and administrators) as shown in Figure 4.3 

69


(left). This separate layer for the data model leverages “lossless data abstractions” [237], making 

it possible to “track every piece of information back to its source” [237] (see Figure 4.3, right). 

Figure 4.3: The object model has its own separate architecture layer between storage and end 

user (left). This approach secures lossless data abstractions, even with multiple sources forming 

the basis for object properties, e.g., name or email (right). (source: [237]) 

Palantir Government supports nodes, links, and groups for synthesis and “users interact with 

their data as first order conceptual objects” [237]. It is our impression that objects only cover 

the nodes in criminal networks, not the relations between nodes nor the groupings of nodes, links, 

and groups, especially since we are to think about objects “as empty containers or shells, within 

which we fill attributes and other information about them. Examples of entities could be people, 

places, computers, phones, events like meetings or phone calls, or documents like email or message 

traffic” [237]. 

Figure 4.4: Different kinds of relations are 

shown (round icons), with the same visual relation 

(blue line). (source: [230]) 

Figure 4.5: Expanded group object and other 

objects (individuals) are shown on the left, 

and the result of collapsing the group object 

is shown on the right. (source: [230]) 

“We haven’t encoded any semantics into the object model itself. The organization actually gets to 

define their semantics using a tool called Dynamic ontology” [237]. Palantir Government supports 

directed links, either representing single relationships or multiple as shown in Figure 4.4, where 

there are multiple relations for each link (each one represented by a circle with an icon). The 

technological support relationships as means for connecting objects is based on ontologies, as 

shown in Figure 4.6. There is one ontology for objects, one for relationships, and one for object 

properties (attributes). 

Palantir Government supports group objects to which other objects can then connect (see Figure 

70


Figure 4.6: Palantir Government supports an object model that is different from the ontology 

describing relationships, objects, and properties (left). On the right is an example of an object 

model with an ontology. (source: [237]) 

4.5, left). While expanded we notice that the group icon remains in the space. When the group 

is collapsed all the connected objects are hidden (see Figure 4.5, right). 

Palantir government also records a history of the users actions. This means that investigators 

can return to a point in an investigation, i.e., a point where a certain action was done by the 

investigator (e.g., a search). However, if the investigator makes a change now, a branch is created 

in the investigation, visualized with a new icon in the history bar, indicating the number of old 

slides (the old branch), as shown in Figure 4.7 [230]. This means that investigators can use 

branches to represent different hypotheses, or maybe they are just alternate interpretations of 

the same information: “Unlike a typical undo redo, Palantir maintains a fully branched history 

of everywhere an investigation has been. This allows an analyst to explore hypotheses or see 

where [some evidence] might lead an investigation, without fear of in anyway contaminating or 

corrupting that investigation” [230]. Finally the history adds a learning perspective to Palantir 

Government: “this investigation [history] provides an importing training aid, allowing analysts to 

show other analysts how they reached their conclusions, which paths they take, and what they do 

when they reach dead ends” [230]. 

Figure 4.7: An example of Palantir history with a branch (the slide 

that says ‘3 old slides’). (source: [230]) 

Figure 4.8: How to search 

for Mike Fikri in investigations 

created by other 

analysts. (source: [230]) 

Palantir Government investigation summaries can be exported into Microsoft Powerpoint or HTML 

formats [230]. The user can select the individual history slides that are to included in the summary 

using check boxes, additional information about each individual slide can be added, and the 

summary can be given a title. 

Real-time update of database indexes is supported, since Palantir Government found it was necessary 

“in order to truly enable enterprise-wide real-time collaboration” [230]. The collaboration 

focuses on sharing data as well as analyses, collaboration inside as well as across agencies, across 

71


compartments and across classification. The collaboration concepts are based on how engineers 

collaborate. Finally, Palantir Government is the “only system designed with civil liberties and 

privacy protections” [192]. An example of how an investigator can search for a specific object in 

other investigations is shown in Figure 4.8. In terms of human-computer interaction, the circular 

object action menu in Figure 4.8 is interesting and an intuitive method for doing so; the object is 

in the middle with available menus around, no matter where it is positioned in the investigation. 

4.1.3 Xanalys Link Explorer 6.0 

Xanalys Link Explorer 6.0 (previously Watson [7]) allows investigators to apply powerful query 

and analysis techniques to their data, presenting the answers in a range of visualizations such as 

link charts, time lines, maps, and reports [6]. 

Xanalys Link Explorer information spaces are referred to as charts. In the hierarchy chart information 

elements can be organized, with pre-defined icons or the users own pictures as visual 

abstractions. Links can be placed between the information element to model relationships [6]. 

Link Explorer supports many different charts (perspectives) for information including “tabular, 

hierarchy, link, timelines, maps, clocks etc.” [6]. The user is free to move data entities between 

the charts. 

Two interesting features of Xanalys Link Explorer is the support of exporting a chart to a Microsoft 

Excel spreadsheet (Figure 4.9) and the ability to create search queries using drag and drop (Figure 

4.10). We have not come across these features in any of the other related work 40 . The drag and 

drop query example presented in Figure 4.10, a person, a vehicle, and a location are all linked to 

an incident report. We interpret this query as a desire to search for single individuals, who have 

been involved in an incident, where a car was also involved, and it happened at a specific location. 

Figure 4.9: Example of exporting a Link Explorer 

chart to Microsoft Excel spreadsheet. 

(source: [6]) 

4.1.4 COPLINK 

Figure 4.10: An example of to create search 

queries in Link Explorer by the use of drag and 

drop. (source: [6]) 

COPLINK is designed for both general policing and specialist use for detectives/crime analysis 

[53]. The tool consists of three modules: “Connect” database, “Detect” criminal intelligence, and 

“Collaboration” [84]. With the merger between Knowledge Corporate Computing and i2 in 2009, 

COPLINK became a separate product line within i2 Limited. In 2011, i2 Limited was purchased 

by IBM. We do not present our analysis of the COPLINK tool here, as we have chosen to focus 

on the other three tools reviewed above (Analyst’s Notebook, Palantir Government, and Xanalys 

Link Explorer), since they target a more complete investigation cycle. 

72

CHAPTER 4. RELATED WORK 4.2. RESEARCH PROTOTYPES 

4.2 Research prototypes 

We analyze three research prototypes in this section: The Sandbox for analysis focuses on easy 

drag-and-drop acquisition, expressive thinking, and implements interesting interaction gestures 

[254] (Section 4.2.1). POLESTAR is an integrated suite of knowledge management and collaboration 

tools for intelligence analysts [178] (Section 4.2.2), and Aruvi is the implementation of an 

information visualization framework that supports the analytical reasoning process [201] (Section 

4.2.3). Finally, we mention Dynalink, a recent prototype that demonstrates interesting features 

(Section 4.2.4). 

4.2.1 The Sandbox for Analysis 

Sandbox is a flexible and expressive thinking environment that supports both ad-hoc and formal 

analytical tasks [254]. Investigators can acquire “any relevant information, including documents, 

snippets, images, tables, etc. by dragging them into the Sandbox from TRIST 41 as well as MS 

Word, MS Explorer, IE and other systems” [254]. The Sandbox and TRIST are integrated in the 

same cognitive workspace (called nSpace), which means that information (e.g., text snippets or 

pictures) can be dragged directly to an investigation in the Sandbox, and entities in the Sandbox 

can be dragged to TRIST to function as a search query for additional information [254]. 

“Analysts need to be able to quickly and easily place, arrange, re-arrange, group, emphasize, 

highlight and compare information” [254]. Information is arranged, linked and grouped according 

to topics and issues. Based on Figure 4.11, associations are either made using simple unweighted 

relations or visual associations by spatial arrangement of entities. 

As shown in Figure 4.11 (d, b, and c), the conceptual model of the Sandbox has support for cardlike 

entities and groups (d), picture entities (b), and relations (c). The creation of hypotheses 

(argumentation for topics and issues) has clearly been a key requirement and has resulted in 

strong, intuitive, support. Hypothesis questions can be stated using ‘pin’ labels, and can be 

branched out to several sub questions in the work space. In Figure 4.11, the question Who wants 

to [. . . ]? is followed by the questions Who attacked [. . . ] in the past? and Who would benefit 

from [. . . ] death? 42 . Assertion groups can be used to gather evidence proving a hypothesis true 

or false. The assertion group has “Support and Refute Gates” along the sides. See Figure 4.11 

(e) for an example of dragging evidence through the support gate to an assertion group. 

Figure 4.12 shows some of the interesting information interaction gestures that the Sandbox supports: 

grouping of entities can be performed with a loop gesture (Figure 4.12a, entities not aligned 

vertically or horizontally can be selected using a so called lasso selection Figure 4.12b, and entities 

are delete with an x gesture (Figure 4.12c). Finally, the Sandbox supports direct manipulation, 

providing a sense of writing on physical objects (e.g., white boards or paper cards): “direct manipulation 

and annotation are used to build and express meaning.” [254]. 

4.2.2 POLESTAR 

POLESTAR (POLicy Explanation using STories and ARguments) is an integrated suite of knowledge 

management and collaboration tools for intelligence analysts [178]. Pioch and Everett (2006) 

points out the reasons for intelligence failure relating to current information systems that “inhibit 

collaboration and stifle insight with antiquated processes that encode [. . . ] compartmentalization” 

[178]. POLESTAR supports the end-to-end intelligence analysis process, covering the processes 

search, read, collect, structure, write, review, and revise. The entities in POLESTAR are 

so called Facts, which are basically text snippets collected from websites by first highlighting the 

text and then dragging it into a portfolio browser. The user can augment the fact with various 

meta data, such as the source of the information and their interpretation of it. 

The portfolio browser has tools for knowledge structuring such as the wall of facts (see Figure 

4.13) that includes a time line view (Figure 4.14). The wall of facts “is a blank workspace onto 

73

4.2. RESEARCH PROTOTYPES CHAPTER 4. RELATED WORK 

Figure 4.11: An augmented screen shot from the Sandbox for analysis, illustrating basic entities and features. ‘Pin’ labels are used to ask questions 

and start hypotheses (a). The conceptual model supports card-like entities and groups (d), picture entities (b), and relations (c). An assertion 

group are used gather evidence proving a statement true or false and the assertion group has “Support and Refute Gates” along the sides - (e) is an 

example of dragging evidence through the support gate to an assertion group. (source: [254]) 

74

CHAPTER 4. RELATED WORK 4.2. RESEARCH PROTOTYPES 

(a) Loop-to-group (b) Lasso-selection (c) X-to-delete 

Figure 4.12: The Sandbox interaction gestures includes loop-to-group gestures, lasso-selection 

gestures, and x-to-delete gestures. 

which the analyst can drag and drop snippets of information that they have collected” [178]. 

Snippets placed at the edge of the wall of facts is shrunk, while snippets at the center are full 

size. Investigators can add claim text boxes around which snippet arguments can be positioned, 

or snippets can be grouped hierarchically using sub-workspaces. The wall of facts time line view 

shows the chronology of snippets according to the dates that investigators have added: “seeing this 

arrangement can clarify relationships that are hard to detect when looking at a series of textual 

dates” [178]. Interestingly, the time line view supports also sub-time lines. 

Figure 4.13: POLESTAR Wall of Facts. Figure 4.14: POLESTAR Timeline. 

POLESTAR has strong support for creating hypothesis (like the Sandbox, see Section 4.2.1), and 

mentions the importance of having an explicit structure to easier locate weak arguments. As with 

any argumentative structure, the basis in POLESTAR is a hypothesis. The hypothesis can be 

supported or rebutted by claims (i.e., the claim box mentioned above) and assumptions. Claims 

and assumptions are typically based on interpretation of a fact, which the investigator has entered 

meta data about, such as info type, reliability, classification, and source. The fact originates from 

a source document. 

4.2.3 Aruvi 

Aruvi is the prototype implementation of an information visualization framework that supports 

the analytical reasoning process [200,201]. As mentioned, analysis is focused on what can be done 

using visualizations, but has some structure in terms of the argumentative reasoning support and 

the navigation history. Shrinivasan and Wijk (2008) formulate five requirements for the analytical 

reasoning process in information visualization [201], which are summarized to the challenge of 

providing the user with an overview of what has been done and found: “to keep track of the 

exploration process and insights, a history tracking mechanism and a knowledge externalization 

75

4.2. RESEARCH PROTOTYPES CHAPTER 4. RELATED WORK 

mechanism respectively are essential” [201]. Figure 4.15a, 4.15b, and 4.15c explain the Aruvi 

support of history tracking. Initially, Shrinivasan and Wijk (2008) . . . 

“. . . use a history tree representation to show the structure of the exploration process. 

A node represents a visualization state. An edge between the adjacent nodes is 

labeled with the user action (see Figure 4.15a). [. . . ] Figure 4.15a shows the structure 

of the navigation. A branch represents a revisit and reuse of an already existing visualization 

state. To understand the temporal context, it is important to see the sequence 

of visualization states along with the structure of the navigation. Figure 4.15b shows 

the structure of the navigation ordered by time in the horizontal direction. The user 

can toggle between the two representations during the analysis via the settings interface 

(see Figure 4.15c-1). The user can revisit the visualization states sequentially in the 

order of creation using the back and forward arrow keys. This action is similar to the 

undo-redo mechanism. Also, the user can hover over a node to get information about 

the visualization state (see Figure 4.15c-3) and jump to any visualization state in the 

navigation view. An overview window is used for panning over the history tree (see Figure 

4.15c-4). When a visualization state is linked to objects in the knowledge view, it is 

marked with a star in the navigation view (see Figure 4.15a, 4.15b and Figure 4.15c-2). 

The current visualization state in the navigation is highlighted in yellow.” [201] 

(a) History tree showing navigation structure. 

(b) History tree with navigation structure ordered by 

time. 

(c) Aruvi navigation view implementation. 

Figure 4.15: History trees and navigation view. Figure 4.16: Aruvi knowledge view. 

For knowledge externalization, Shrinivasan and Wijk (2008) decided to design a knowledge view 

as a basic graphics editor, because “it helps the users to construct diagrams to externalize their 

mental models and structure arguments” [201]. Figure 10.8 shows the Aruvi knowledge view, 

where: 

“A note is the basic entity to record findings. A note is either rectangular (see 

Figure 10.8a) or elliptical (see Figure 10.8b) in shape. Notes can be organized into a 

76

CHAPTER 4. RELATED WORK 4.3. INVESTIGATIVE JOURNALISM TOOLS 

group with a title (see Figure 10.8c). The tool supports multiple group levels (see Figure 

10.8d). A connector line can be drawn between notes, groups, and a note and a group 

([with or without direction], see Figure 10.8e). When an entity in the knowledge view is 

linked to a visualization state it is marked with a star” [201] (see Figure 10.8f).” [201] 

4.2.4 Dynalink 

Dynalink is a framework for visualizing dynamic criminal networks. “The interactive and visual 

features of Dynalink can be useful in discovering and analyzing both relational patterns of criminal 

networks” [160]. A primary strength of Dynalink “is that it can process huge datasets” [160], the 

system has been tested against a crime dataset consisting of 125.558 criminals. 

4.3 Investigative journalism tools 

Tools for investigative journalism are not nearly as elaborate as the above commercial tools for 

policing and counterterrorism. The market for policing and counterterrorism tools are much bigger 

than the market for watchdog journalism tools. Tools for computer-assisted reporting (CAR) 

spans from simple tools to more advanced mapping, statistical, and social network analysis tools. 

Compared to normal journalism, CAR tools are highly relevant for the amount of digging that 

investigative journalism requires while other tools are used for thinking tasks. The following tools 

have been selected for the comparison: 

4.3.1 Namebase.org 

Namebase.org 43 is a database of books and clippings where users can search for names and 

individuals, groups, and corporations [136]. The search finds books and clippings that cite the 

name searched. It also has an option to draw a social network diagram (see Figure 4.17). Searching 

can be performed in the following ways: ‘name search’, ‘proximity search’, ‘country search’ and 

‘document scan’, but only in the existing databases; no ingestion of additional data is possible. 

The before mentioned social network diagram can be used to draw relations between the search 

results, providing an alternative perspective to listed results. The user can click entities in the 

social network diagram, to focus on that entity. 

Figure 4.17: Namebase.org social network diagram based on a database search. 

77

4.4. SUMMARY CHAPTER 4. RELATED WORK 

4.3.2 Mindmeister 

Mindmeister is a collaborative tool for online mind mapping [3] (see screen shot in Figure 4.18). 

Mindmeister supports the following formats for import of mind map data: original Mindmeisterfiles, 

FreeMind TM 44 , Mindjet MindManager TM 45, and finally text files where entities are simply 

separated using spaces or tabs and the first line is the title of the mind map. 

Figure 4.18: Augmented Mindmeister screen shot, high lighting various concepts that the tool 

supports: entity types, groups, visual symbols, multimedia, and hypotheses. 

Entities are for example topics and ideas, or relations as shown in Figure 4.18. All entities support 

grouping. If one entity is dropped on another entity, it becomes a sub-entity of the entity it is 

dropped on (a group is started or expanded). Sub-entities can be collapsed by clicking the circle 

with a minus (see Figure 4.18). The minus becomes a plus which could be used for expanding that 

information again. Mindmeister supports real-time brainstorming: “simultaneously work with 

colleagues on the same map and see changes as they happen” [3]. Finally, like any mind mapping 

tool, Mindmeister is strong on generation of hypotheses and alternate interpretations. 

4.3.3 Simple tools 

Simple tools include applications for database searching, Microsoft Word, Excel, and Powerpoint 

for information overview, physical tools like paper, maps, calendars, etc. As we assume our readers 

will have a basic understanding of what can be done with these tools we do not review them here. 

4.4 Summary of related work 

The commercial tools (Analyst’s Notebook, Palantir Government, and Xanalys Link Explorer) 

all had a strong focus on visualization, together with their own particular feature support: Analyst’s 

Notebook has strong support of perspectives such as the heat matrix, Palantir Government 

has strong synthesis support through their expandable and collapsible information features (i.e., 

groups), and Xanalys Link Explorer supports drag and drop search queries. 

The research prototypes have a strong focus on the creation of hypotheses and argumentative 

structures in general. However, the Aruvi prototype is based on an extended understanding and 

analysis of reasoning theory: model construction, revision, and falsification. Furthermore, decisions 

78

CHAPTER 4. RELATED WORK 4.4. SUMMARY 

made in the Aruvi knowledge view are also indicated in the workspace (using the same color). 

This sort of decision-making support was not found in the other research prototypes. 

Each individual simple tool for investigative journalism solve the task they are intended for, but if 

more than one simple tool is required to solve task, it becomes a problem, since they do not exist 

in an integrated environment. And simple import and export tasks might be more complicated 

than for example solving (some of) the tasks by hand. 

In summary, the reviewed commercial tools and research prototypes supporting a cards-on-table 

metaphor, have some basic features in common. They support information elements and relations, 

the basic building blocks for creating networks. The support of composites (groups) is 

more sporadic, with Palantir having better support. For further comparison of criminal network 

investigation task and model support we refer to Section 15.3. 

79

4.4. SUMMARY CHAPTER 4. RELATED WORK 

80

CHAPTER 5 

Theory and technology 

Stick with simple tools, like pencil, paper, and whiteboard. 

Communication is more important than whizzbang. 

Kent Beck and Martin Fowler, Agile modeling by Ambler (2002) [11]. 

This chapter presents state-of-art on core theories and technologies relevant to the development 

of tool support for criminal network investigation, addressing the challenges associated therewith 

(see Section 1.2 and Chapter 6). We will elaborate our initial discussion of the theory and technology 

pillars introduced in Chapter 1. The pillars represent high level functional and non-functional 

aspects of developing criminal network investigation tools. Lower level (functional) software requirements 

are the research focus requirements presented in Chapter 6. The theories (sciences) 

and technologies listed for each pillar have provided us with the knowledge and understanding 

necessary to develop tool support of that particular aspect. The pillars are shown in Figure 5.1, 

and colors are used to indicate how well the different theories and technologies are covered in this 

chapter or in a fragmented manner throughout the dissertation (see the coverage legend at the 

bottom of Figure 5.1). The theories and technologies have been selected based on their relation 

to the overall hypothesis and the three criminal network investigation challenges, information, 

process, and human factors. 

We will present each theory and technology from the perspective of criminal network investigation. 

The pillars and their theory and technology building blocks are briefly described below, with 

references to the respective sections reviewing them in greater detail. 

Emerging and evolving pillar. A complex software systems engineering problem is the support 

of emergent and evolving information structures [172]. The complexity arises because 

the premise for such support is that you don’t know what structures will emerge as end 

users synthesize and organize their domain information: they might end up with spatial, hierarchical, 

or argumentation structures, and most often the result will be a mix of multiple 

structure types. In general terms, structure is an abstraction used to describe the form of 

some object, whether it is a house [8], a city [9], a software development plan [165, 170] or 

criminal network information entities pieced together, forming network structures [174]. We 

have presented basic sub structures and organizational meta structures of criminal networks 

in Section 3.2. 

Hypertext is a technology that provides methods for supporting various structure domains. 

Research of these structure domains is helpful in understanding how structures are formed 

81

CHAPTER 5. THEORY AND TECHNOLOGY 

Figure 5.1: Criminal network investigation pillars of theory and technology. The colors indicate 

how well each individual research area or technology has been covered, e.g., green building blocks 

are covered in great detail while red building blocks are not covered. 

82

CHAPTER 5. THEORY AND TECHNOLOGY 

and to learn general ways of implementing software support of similar structures, that can 

then be mapped to the other information domains (see Section 5.1). Semantic web is a 

technology aiming at adding semantics to web pages, to make them understandable by 

machines, through the description of knowledge domains using ontologies to describe the 

objects on web pages and their interrelationship. This has been extremely helpful in terms 

of supporting networks, where information elements can be of different types, where relations 

can be weighted and of different kinds (we cover basic semantic web technology relevant for 

our work in Section 5.2). Information science has helped find the appropriate trade-off 

between having a completely generic system that the end user can customize to suit any 

particular information domain and adding some domain knowledge into the system prior to 

providing the user with access (see Section 5.3). 

Problem solving pillar. This pillar deals with cognitive processes, creativity, and tools supporting 

a human-centered, target-centric team approach to criminal network investigation. We 

think of criminal network investigation as a process (or processes) for crime related problem 

solving. Section 5.4 deals with human cognition in terms of the mind’s approach to solving 

problems. More specifically, what are the strengths, weaknesses, and limitations of human 

cognition, so that we know how not to inhibit the strengths in any way and to decrease the 

impact of weaknesses and limitations. Software systems engineering has different processes 

describing approaches to software development, one of which, the agile approach, we find 

useful for our target-centric approach to criminal network investigation. Agile modeling is 

described in the section of software systems engineering and Section 5.6, covering a range of 

modeling techniques, very different from traditional approaches to problem solving. Many 

different tools - both physical and software - could be used for and are good for different 

kinds of problem solving. Such tools are described in Section 5.6. Finally, we have conducted 

a review of the creative process, which talks about creativity in general, and discusses the 

benefits of creativity in real versus nominal groups (Section 5.5). 

Suspects and criminals pillar. Domain knowledge has provided us with many functional and 

non-functional aspects of tool support for criminal network investigation. The functional 

aspects comes from experiences and literature that tells us about the individuals that form 

the type of criminal networks we want to investigate, and how and why these individuals 

became part of those networks; for example radicalization tendencies and processes. It can 

be argued, that such knowledge is more important than knowledge about individuals who 

have already committed a crime, in terms of the ability to take proactive (de-radicalizing) 

measures. But it is not the focus we have chosen in this Ph.D. dissertation, and would 

require very detailed modeling capabilities, but we hope our approach will evolve in that 

direction in the future. The field of Social Science is a large provider of such knowledge, 

and we used it and described in fragments throughout the dissertation. Also, studies from 

social science about criminals, i.e., the profile characteristics of individuals (Case-studies of 

individuals is covered in Section 5.7). For similar studies of groups we refer to Section 3.5. 

Investigation pillar. We reviewed two different approaches to criminal network investigation 

(linear and target-centric) in Chapter 3 and we will cover our process model and tasks for 

criminal network investigation in Chapter 7. Here we will focus on studies of technologies that 

can help investigators make sense of criminal networks together with a review of intelligence 

and the ethical issues involved in dealing with and making decisions based on criminal 


We review the concept of intelligence, by focusing on open source intelligence and what role 

it has played for our work in Section 5.8. Section 5.9 on mathematical models covers different 

types of computational network analysis (also referred to as techniques or algorithms), and 

how these mathematical models can be useful in terms of supporting various analysis needs 

when investigating criminal networks. Ethical issues such as privacy and civil liberties is 

discussed in Section 5.10, an aspect of security informatics often neglected by academic 

software system engineers. 

83

5.1. HYPERTEXT CHAPTER 5. THEORY AND TECHNOLOGY 

Tool usage pillar. In terms of tool usage aspects, this pillar focuses mainly on trust and user acceptance 

(see Section 5.11). Models for assessing the acceptance of new technology are many, 

e.g., the technology acceptance model (TAM) for information technology [51]. And technology 

assessment researchers have given their suggestions for the “fundamental determinants 

of user acceptance” [51], e.g. Davis (1989) suggests perceived usefulness and perceived ease 

of use. In the criminal network investigation domain we find trust to be the fundamental 

determinant for tool user acceptance. Because of the security nature of the information and 

the importance of decision being made based on that information, it is highly relevant that 

investigators and decision-makers (intelligence customers) trust the information, knowledge, 

and ultimately intelligence products that tools for criminal network investigation produce. 

We have a brief introductory review of interaction and visualization in Section 5.12. Computersupported 

collaborative work (CSCW) or simply groupware is not covered in this dissertation, 

but we have studied important work in the field (e.g., [60]), and a substantial part of the 

course advanced software technologies for knowledge management focused on groupware 46 . 

As indicated in Figure 5.1, software systems engineering is the foundation, on which all the theory 

and technology pillars stand. The color indicates that we do not have a separate section or 

chapter on the software system engineering concepts we have applied in this project, it is covered 

throughout the dissertation. 

5.1 Hypertext 

Organizing and making sense of information has been the main focus of hypertext research from 

its very beginning. Hypertext systems aim at augmenting human intellect, i.e. increasing the capability 

of man to approach a complex problem situation, to gain comprehension to suit particular 

needs, and to derive solutions to problems [62]. The most widely used structure abstractions in 

hypertext are nodes and links. Nodes are informational units that can be connected through links. 

Users can traverse links and thereby navigate through a hypertext (graph). Nodes and links, however, 

have been criticized for a lack of support for emergent and evolving structures [199]. Spatial 

hypertext was designed for dealing with these shifting structures, and is found to be well suited 

for the purpose, e.g., the ease of changing a visual property or moving an object [198]. 

”Hypertext, in its most general sense, allows content to appear in different contexts” 47 [141]. 

That is, a person who is about to encounter a diverse amount of knowledge (or data) can augment 

that knowledge with different hypertext structures, making it more intuitive and easier to 

comprehend. All the structuring domains reviewed below “contain basic notions, although each 

also has its own specialized and tailored abstractions” [159]. Over the years, various hypertext 

structuring mechanisms have been proposed to support different types of information structuring, 

organization, and sense-making tasks. Several of these structuring mechanisms (or structuring 

domains) play a vital role in the design and development of tool support for criminal network 


5.1.1 Associative structures 

Associative structures allow arbitrary pieces of information (nodes) to be associated (linked). 

Bush (1945) [33] reasoned that since people use associations to store and retrieve information in 

and from their own minds, a machine-supported mechanism that provided this ability would be 

useful for organizing information stored in external memory. 

Halasz (1988) [82] argued that the basic associative hypermedia model lacks a composition mechanism, 

i.e., a way of representing and dealing with groups of nodes and links as first class entities. 

The term composites was coined for this type of grouping mechanism. Composites group other 

first class entities (nodes, links, and composites) either by inclusion or by reference. The Device 

84

CHAPTER 5. THEORY AND TECHNOLOGY 5.1. HYPERTEXT 

Hypermedia System (DHM) [115] is a prominent hypermedia system that provides a rich set of 

composite types. 

For criminal network investigation purposes, associative structures (including composites) are useful 

for synthesis tasks such as manipulating entities and relations, re-structuring, and grouping. 

Relations can be unidirectional or bidirectional and either weak (suspected but unconfirmed relationship) 

or strong (known close relationship such as family or friendship ties). Bush (1945) 

summarizes how information is usually found by traversing a complex hierarchical structure of 

classes and then claims that: “The human mind does not work that way. It operates by association. 

With one item in its grasp, it snaps instantly to the next that is suggested by the association 

of thoughts, in accordance with some intricate web of trails carried by the cells of the brain” [33]. 

NoteCards is an example of a navigational hypertext system that allows the user to create such a 

“intricate web of trails” [73]. 

NoteCards 

We have selected NoteCards for analysis because the basic entities are cards: “The basic construct 

in NoteCards is a semantic network composed of note cards connected by typed links. NoteCards 

provides two specialized types of cards, Browsers and FileBoxes that help the user to manage 

networks of cards and links” [170]. Figure 5.2 illustrates some notecard examples, where “each 

notecard contains an editable [content] such as a piece of text, a structured drawing, or a bitmap 

image. Each card also has a title” [73]. Figure 5.3 illustrates examples of Browser cards and 

FileBox cards. 

Figure 5.2: Example Notecards with embedded link icons. [73] 

The purpose of the NoteCards environment is “to help people formulate, structure, compare, and 

manage ideas”. NoteCards intends to support the nature of idea processing, something that is very 

important to our work as described in Section 5.4. Halasz et al. (1987) considered idea processing 

to be “a convolution of several different activities that can be roughly divided into three phases: 

acquisition, analysis, and exposition” [73]. These phases are very similar to the three phases of 

the generic creative process model: problem preparation, idea generation and idea evaluation (see 

Section 5.5). Furthermore, the goal of idea processing is described as a way of moving “from 

a chaotic collection of unrelated ideas to an integrated, orderly interpretation of the ideas and 

their interconnections”. It comes as little surprise that the most common use of the NoteCards 

environment “is as database for storing personal information such as notes to oneself, clippings 

from electronic mail messages, quick ideas jotted down, sections of a paper in progress, etc”. 

Halasz et al. (1987) assess NoteCards according to the subjects information management and 

idea processing [73]. It is concluded that information management is appropriately supported, 

especially when it comes to organizing information “into arbitrary (e.g., non-hierarchical) network 

85


Figure 5.3: Example Browser Card (large) and FileBox Card (small). [73] 

structures tailored to their specific applications”. Idea processing was found to be “relatively 

difficult” by many users. This is mainly because “representing and manipulating ideas in Note- 

Cards is a task that requires considerable strategic planning”. In other words, it is not intuitive 

for the users how to make a structure that can clarify their “unorganized and poorly understood 

collection[s] of ideas” [73]. 48 

5.1.2 Spatial structures 

Spatial structures were designed to deal with emergent and evolving structures of information 

which is a central task in information analysis. Marshall and Shipman [141] note that information 

analysts faced with the task of organizing and understanding large amounts of information develop 

structures over this information over time. As their understanding of the information space 

changes, the structures they use to characterize the space also change. Systems designed for such 

analysts are required to support emerging, dynamic structures that avoid the problems associated 

with premature organization and formalization, as discussed by Halasz [73, 82]. 

In the context of criminal network investigation, spatial structures (including spatial parsing and 

navigable history) are useful in various analysis and dissemination tasks such as re-structuring, 

brainstorming, retracing the steps, creating alternative interpretations, and story-telling. 

According to [20], the relevance and importance of spatial structures for intelligence analysis is 

documented by the fact that CIA’s Office of Research and Development funded early development 

and associated studies related to the first spatial hypertext systems (Aquanet [140] and VIKI [142]), 

as well as one of their earlier relatives (NoteCards [82], described above). 

Systems 

A spatial hypertext system allows its users to represent information elements as visual “icons”. 

Analysts can represent relationships among objects implicitly by varying certain visual attributes 

(e.g., color, size, and shape) of the icons and by arranging the icons in arbitrary ways in a large 2D 

space (spatial proximity). Information elements can be grouped in collections. A spatial parser 

can then recognize the spatial patterns formed by these icons. First generation spatial hypertexts 

primarily focus on research-related information analysis [142] and general idea-processing. Second 

generation spatial hypertexts have been used in tasks such as “note taking, writing, project 

management, and conference organization” [198] and scholarly work processes [246]. But first and 

86

CHAPTER 5. THEORY AND TECHNOLOGY 5.1. HYPERTEXT 

second generation spatial hypertexts are considered to be general-purpose as described in [199] due 

to their purely spatial hypertext concepts implementations [121] and non-formalized information 

elements. We do not consider them to be usage-oriented like the following tools (some of which 

have multiple usage-orientations). Over the years several strains of spatial hypertext systems 

have been developed and evolved, e.g. from NoteCards [73] over Aquanet [140] and VIKI [142] 

to VKB [198] and VITE [95] and from the Construct Space Tool [246] to ASAP [170–172]. A 

prominent example of a spatial hypertext system is the Visual Knowledge Builder (VKB) [198]. 

Aquanet (1991) started the strain and facilitates spatial manipulations and visually indicated 

links, using a browser-based approach [121, 140, 141]. Experiences with use showed that users 

created linkless spaces of nodes arranged in regular graphical patterns that indicated relationships 

among nodes spatially and visually [199]. Figure 5.4 shows an excerpt of an analysis of machine 

translation systems and technologies. The distinct patterns of graphical objects indicates the 

composites build by the users to represent a single machine translation system or technology (i.e., 

the red/pink, blue, green and white with gray border rectangles). 

Figure 5.4: Aquanet information element mock-ups. [140] 

VIKI (1994) was developed next to explore spatial hypertext as a geometric and visual structuring 

paradigm [142]. VIKI’s emphasis is on flexibility, informality and change. VIKI’s spatial 

hypertext model is based on information elements, visual symbols, collections and composites. 

The information elements in VIKI are semi-structured content-holding entities that may have no 

internal structure, or may have a number of fields added to them in order create user-specified 

structure. Visual symbols are manipulable references to an information element. The symbol size 

can be used to limit the amount of content revealed. Users can also specify which field’s contents 

are shown and they can scroll through content to focus attention on a specific segment. VKB 

extends on VIKI in a number of ways, but the focus is primarily on more advanced visual cues 

and support of collaborative tasks [198]. VKB kept the notion of information elements, collections, 

and subspaces (see Figure 5.5). VITE is a system developed to explore the design and reuse of 

systems incorporating two-way mappings, again following the cards-on-table metaphor [95, 97]. 

The attribute/value mapping pairs are the primary content rather than meta data attached to 

a larger plain text or image information element, which is likely to be the case in a structural 

computing environment (see Section 5.1.6). 

The Socs application “permits the intuitive connecting of information on a space. It supports 

emergent and dynamic knowledge structures, fosters communication, awareness, and notification 

services, enables multiple trails of thought in parallel (i.e., thought experiments), as well as versioning 

with easy access to previous states” [20]. The tool is targeted at criminal profiling or crime 

scene analysis supporting small teams of officers, following the cards on table metaphor. Atzenbeck 

(2008) presents the Socs social space on which information elements represent collaborators, 

87


using a graphical icon and a label as visual abstraction [19]. The space could be divided into 

separate areas, indicating the role of the persons in that specific setting. 

Figure 5.5: VKB information elements and menu options. 

The ASAP tool 49 uses spatial and taxonomic hypertext structuring mechanisms to provide support 

for project planning [170]. “Project planning in agile teams is a collaborative process relying 

on face-to-face communication and shared information to succeed” [171, 172]. The ASAP tool 

implements a bi-directional mapping between the interactive areas of the task card and the underlying 

data. Based on the tool’s usage-orientation, the separator was implemented as a novel 

structuring mechanism, allowing the user to create a temporal separation of grouped cards, enabling 

auto generation of views and reports. ASAP lets the user interact with an information 

element’s underlying content. 

To summarize, the majority of the reviewed tools implement a cards-on-table metaphor, and hence 

the geometric shapes representing pieces of information has not evolved considerably. The focus 

has been on developing powerful general purpose structuring mechanisms and support of long 

term collaboration, as the primary means for the users to reach their ends [198]. 

5.1.3 Taxonomic structures 

Taxonomic structures can support various classification tasks. Parunak (1991) argued that 

taxonomic reasoning is a particular kind of reasoning task that deals with the comparison and 

classification of highly similar nodes, in which an analyst viewing one node thinks not in terms of 

linking it to another node, but of including it in or excluding it from a set of related nodes [232]. 

Taxonomic structures are in essence hierarchical (tree) structures. Hierarchical structures are also 

known from other structuring domains (such as composites from the associative domain and collections 

from the spatial domain). In the context of criminal network investigation, taxonomic 

structures can provide a different visual (hierarchical) perspective of associative and spatial structures 

- hence supporting the exploring of perspectives on information. 

5.1.4 Issue-based structures 

Issue-based structures support argumentation and reasoning. McCall et al. (1992) describe 

community argumentation support systems in the context of capturing design rationale [145]. The 

88

CHAPTER 5. THEORY AND TECHNOLOGY 5.2. SEMANTIC WEB 

focus is on a unified community understanding of an information space. Argumentation support 

systems designed to support participants in a joint decision process or an argument must support 

simultaneous structure and information creation operations. Argumentation spaces consist of 

typed entities that represent issues to be discussed, positions with respect to issues, and evidence 

that argues for or against a position. Conklin and Begeman (1988) have produced issue-based 

hypertext tools during the last two decades [47]. For investigative purposes, issue-based structures 

can be used to support the creation of hypotheses and decision-making. 

5.1.5 Annotation and meta data structures 

Annotation and meta data structures. Finally, two other types of hypertext structuring is 

relevant for investigation purposes. Annotation structures can be used to add arbitrary comments 

in relation to entities and structural elements in the shared information space (i.e., to make a note 

about having to find additional evidence that supports the existence of a weak relation between 

two entities). Meta data structures can be used to add meta data to entities and structural 

elements in the shared information space (i.e., details about a person such as address, work, 

education, terrorist training, etc. or details about a relation such as weight, type, time, place, 

etc.). Adding annotation and meta data structures enrich the shared information space, hence 

these structures are created as part of synthesis tasks. However, the existence of annotation and 

meta data structures are for analysis. 

5.1.6 Structural computing 

The term structural computing was coined to describe the unification of various hypertext structuring 

mechanisms [158]. Hence, structural computing is in its own right an approach to knowledge 

management, being a generalization of hypertext [157]. Structural computing focuses on separation 

of structure and data, making it suitable for construction and management of meta data, 

especially in situations where the user does not have write access to data [243]. “Part of this structural 

focus is the understanding that all abstractions (data or structure) may stand in relation to 

other abstractions” [157] and “different users can manage their own personal structure over the 

same set of data” [243]. 

5.2 Semantic web 

The drastic increase of information on world wide web has made it impossible for humans to 

manage. Semantic web technology is a vision about using the full potential of the world wide 

web with its many documents which refer to each other. The vision was originally formulated by 

the inventor of semantic web Tim Berners-Lee in 1994 50 : “The web is a set of nodes and links 

(Figure 5.6). To a computer, then, the web is a flat, boring world devoid of meaning (Figure 5.7). 

This is a pity, as in fact documents on the web describe real objects and imaginary concepts, and 

give particular relationships between them (Figure 5.8). Adding semantics to the web involves two 

things: allowing documents which have information in machine-readable forms, and allowing links 

to be created with relationship values (Figure 5.9)” [23]. A semantic web would make it possible 

to use the computers processing power to gain an advantage of this information to a much larger 

degree than it is possible through human reading and interpretation. 

It is widely recognized that automatic interpretation requires a prior systematic structuring of the 

information. Basically, a formulation of concepts, terms and relations within a limited knowledge 

area is required. This is typically done using an ontology, which describes information classifications, 

the properties of each classification, and statements about interrelationships, together with 

rules that define these properties and relations [75]. Let us, as an example, use an ontology describing 

families. A family consists of persons, men and women, who individually could be either 

parent or child, which makes it possible to represent hierarchies of families using this ontology. An 

89

5.2. SEMANTIC WEB CHAPTER 5. THEORY AND TECHNOLOGY 

Figure 5.6: The World Wide Web in 1994 as 

presented by Tim Berners-Lee [23]. 

Figure 5.8: “A document might describe a person, 

the title document to a house describes a 

house and also the ownership relation with a 

person”, etc. [23]. 

Figure 5.7: A flat world, devoid of meaning [23]. 

Figure 5.9: Semantics have been added to web 

documents [23]. 

example of a relation rule for a family could be that a hasMum property can only exist between 

two persons if the hasParent property exists. 

Figure 5.10 presents these concepts and the technology used to realize the semantic part of semantic 

web. Each individual layer in Figure 5.10 is dependent on technology in underlying layers. The 

red layers represent technology that functions as the basis for the semantic technology: an URI is 

a web identification that can point to a specific semantic web resource. XML is an element-based 

syntax making it possible to create documents with structured data. Semantic web provides these 

structured data with meaning. 

The blue layers represent standardized semantic web technology: RDF is a simple language 

for description of data models referring to resources (using URI web identifications) and their 

relations [75]. An RDF based model could for example be written using XML syntax and consist 

of so called triples using the following formatting < subject, property, object >. A simple example 

of a web page sentence is shown in Figure 5.11, where the RDF triples for that sentence is explained. 

Where RDF adds meta data to documents, RDFS and OWL are used to annotate RDF data 

with semantic meta data [75]. Semantic meta data could be object properties such as how objects 

are related to each other hierarchically (taxonomies) as shown in Figure 5.12 where t-shirt and 

pants are subclasses in relation to the classification clothesType. An ontology, which only contains 

subclass-relations is also called a taxonomy. Another type of semantic meta data is data type 

properties, e.g., which brand a single piece of clothes belongs to. 

Even though semantic web projects have shown the advantages of using this technology within 

specific information domains parts of the technology has not yet been realized and standardized. 

90

CHAPTER 5. THEORY AND TECHNOLOGY 5.3. INFORMATION SCIENCE 

Figure 5.10: Semantic Web technology architecture - the blue layers is the semantics technology 

while the red layers are basic World Wide Web technology. 

Figure 5.11: RDF t-shirt example - graph visualization 

and matching RDF triples. 

Figure 5.12: A hierarchical taxonomy with 

classes and subclasses. 

A list of primary security related layers are left out in Figure 5.10: A vertical encryption layer for 

securing and verifying the authenticity of data from the semantic web. This could be achieved by 

using suitable digital signatures for RDF statements. Related to this layer are layers for creating 

trust in semantic web information. The user interface is the final layer making it possible for 

humans to use semantic web applications. [75] 

5.3 Information science 

As a consequence of the central role that information has in criminal network investigation, information 

science has provided many important ideas and answers. Information science is considered 

an unclassified discipline, albeit a discipline with a central theme [187]: “It is evident, perhaps 

self-evident, to note that all of the variant definitions and explanations of the information science 

discipline have centered on the idea of information”. Hjørland and Albrechtsen (1995) talk about 

the importance of focusing on information objects: “the path to understanding how information 

should be organized is to analyze the nature of common information objects themselves” [91]. 

91

5.4. HUMAN COGNITION CHAPTER 5. THEORY AND TECHNOLOGY 

Hjørland and Albrechtsen (1995) are particular concerned with a theoretical background from 

which to make priorities between all possible information connections and relations [91]. The 

domain-approach to information science is argued to be able to provide such a theoretical framework. 

Putting this in a system context, “it is probably useful to specify some conceptual relationships 

to provide the system with at least a rudimentary domain knowledge facility prior to 

any interaction with users” [91]. Hjørland and Albrechtsen (1995) also present an user-centered 

paradigm in information science: “By a user-centered paradigm, we refer to information access 

driven not by the structure of the database in the system, but rather by views of the databases 

needed to satisfy an information need as perceived by the user. Thus, the user defines dynamically 

the type, amount, and structure of the data required to satisfy an information need. This implies 

not just the user definition of the view, but the user selection of the model in which the view is 

framed.” [91] 

Some positive synergies exist between the information science discipline and hypertext (described 

in Section 5.1). Hjørland and Albrechtsen (1995) argue that “hypertext is a fascinating research 

area and a promising technology. It is however only a technology, and as such cannot substitute 

for a theoretical approach such as domain analysis. But a theoretical approach can illuminate a 

technology and its possibilities” [91]. And follow up by stating that, “hypertext is a technology, 

which is fertile soil for remedies to classical problems in information science” [91]. 

5.4 Human cognition and problem solving 

We found in Chapter 3, that a linear problem-solving approach obscures the real, underlying 

cognitive process of criminal network investigation: the mind does not work linearly - it jumps 

around to different parts of the problem in the process of reaching a solution [40, 239] (Figure 

5.13 left). When a computer solves a problem it is typically done based on a series of pre-defined 

steps (Figure 5.13 right), taking a linear approach to problem solving [130]. But what if software 

systems supported criminal network investigation in a way consistent with the internal cognitive 

map of the investigators?: “The ability to present and interpret spatial data in a method that is 

consistent with the internal cognitive map of the user would lead to systems that are more flexible 

and will provide greater functionality in terms of cognitive spatial tasks” [89]. Bush (1945) [33] 

reasoned that since people use associations to store and retrieve information in and from their own 

minds, a machine-supported mechanism that provided this ability would be useful for organizing 

information stored in external memory. Augmenting human intellect, i.e. increasing the capability 

of man to approach a complex problem situation, to gain comprehension to suit particular needs, 

and to derive solutions to problems [62]. 

Humans are in control of software tools and they are to be the ultimate decision-making body (and 

thereby be responsible for the majority of the ethical impact). Therefore, we review research on 

human cognition, with a particular focus on creativity, to understand it’s influence on the success 

and failure of criminal network investigation. We will attempt to learn what role creativity, 

and hence human cognition, plays for individual criminal network investigation processes (i.e., 

information collection, processing, and analysis). “Creativity is a general capacity of our brain, 

which we all possess, and which we use every day” [210]. 

The goal of this section is ultimately to find out whether or not we can define the cognitive 

“characteristics” of criminal network investigation tasks. A map of such characteristics would 

serve as important arguments for the challenges related to human factors during criminal network 

investigation. Human factors is one of three challenges we have chosen to focus our research on, 

as described in Section 1.2. 

5.4.1 Two types of creativity 

In an interview with leading cognition researchers, De Dreu and Nijstad, their hypothesis about 

two basic types of creativity is outlined (translated from danish): “one is to be flexible and freely 

92

CHAPTER 5. THEORY AND TECHNOLOGY 5.4. HUMAN COGNITION 

Figure 5.13: Human and computer approaches to problem solving. 

associating - the traditional understanding of creativity, and what might be called the artistic 

approach. The other type of creativity is to be persistent and focused – a more rational and 

conscious creativity, which we maybe could call the engineering approach” [210]. “The two ways of 

being creative does not exclude each other Bernard Nijstad explains in the interview and continues: 

the majority of us switch between the methods based on needs and switch back and forth several 

times during a task” [210]. We call the rational and conscious approach to creativity problem 

solving because it exists in a less free domain, where goals and means are defined beforehand [210]. 

Human working memory and long term memory is described by De Dreu and Nijstad: 

The working memory was initially described as our ability to remember seven different 

things, such as names or numbers. Today, we have a more complex picture of 

working memory as a sort of central arena, where you put the things that are part of 

your conscious thinking - it still only has room for a rather limited number of elements, 

normally five to nine. But the elements should rather be seen as a sort of focus points 

into your collective pool of knowledge and associations. Think about a super advanced 

3D version of Wikipedia (see Figure 5.14), where all words and images has dozens of 

associations to other places. A memory element is a piece of this spider web, that you 

have lifted up to look at. [210] 

5.4.2 Besheer and Pellegrino - a case in point of rational and free association 

creativity 

FBI case officer Frank Pellegrino hunting Khalid Sheikh Mohammed and Matthew Besheer [146] 

serve as an example of the two types of creativity described above from the domain of criminal network 

investigation. Their background is outlined in Section 3.5.2. Pellegrino is the personification 

of the artistic, creative, and free-association type described in [210]. Michel Besheer (see below) 

makes the following observations about him: “Pellegrino was the real deal [. . . ]. Everybody wore 

by and large what might as well have been FBI issued dark suits. Their desks were perpetually 

clean. Pellegrino’s was a mess. By outward appearances so was he. His hair was long, at least 

by FBI standards. He wore T-shirts and jeans and comfortable shoes [. . . ]. He was always busy, 

always late, always in a hurry” [146]. When Pellegrino asks Besheer if he wants to join in the hunt 

for an international target to the Philippines and Malaysia, he offers the following arguments: “If 

this guy is going, [. . . ] I’ll be happy to go with him. Maybe even protect him; free him up to do 

his free-association analytical work” [146]. 

93

5.4. HUMAN COGNITION CHAPTER 5. THEORY AND TECHNOLOGY 

Figure 5.14: When a person thinks about something the memory element (green cube) related to 

that is brought from the long term memory (left) into the working memory (right). 

Michael Besheer is the focused, rational, and conscious creative type. Detective Besheer had 

written a report about the security at the World Trade Center in 1992, stating that the Trade 

Center garage was vulnerable to truck bombs. Nobody listened to that report, but when the 

attack happened in 1993, his expertise was suddenly needed: “Even with high security clearance, 

he ended up digging through stacks of parking tickets, any record that somebody wanted chased. 

It was pure grunt work. He did it all tirelessly and without complaint”. His approach to collecting 

evidence was always the same, no matter the size of the task, in this case a crashed plane: “Parts 

of the plane had to be disassembled, examined, tagged as evidence and shipped to New York to 

be used as exhibits in a trial. His attention to detail was perfectly suited for the task” [146]. 

5.4.3 Representational structures for human cognition 

Given our focus on hypertext structure domains, we are interested in learning what structures 

are better suited for representation of human cognition: “a tree structure is one realization for a 

hierarchical structure for the representation of space. It is easily constructed and understood, but 

it is also a rigid structure that does not allow for overlap. Ordered trees provide an extension that 

allows for some degree of overlap, whereas a semi-lattice is an even richer structure that appears 

to be consistent with many aspects of cognitive space [9]” [89]. We discussed the semi-lattice in 

Section 3.2. 

Hypertext research found that the premature decisions of structure was inhibiting human information 

organization capabilities (see review of NoteCards [73], Section 5.1.1). New approaches that 

avoid this early commitment to structure were therefore researched, developed, and formalized. 

Researchers on creativity have written about how the personal need for structure can have both 

a negative and a positive impact on creativity depending on that persons level of personal fear of 

invalidity [239]. 

94

CHAPTER 5. THEORY AND TECHNOLOGY 5.5. THE CREATIVE PROCESS 

5.5 The creative process 

When researching the human factor aspects of agile software development planning in our master 

thesis [165], we reviewed the creative process. And given the relevance for criminal network 

investigation, we bring that review here, almost in its entirety. Warr and O’Neil (2005) and 

Gabora (2002) discuss what creativity is, how the mind actually conceives creative ideas, why 

real groups ought to produce more creative ideas than nominal groups and finally the articles 

review the phases of some existing creative process models [74, 239]. Moore (1997) presents nine 

possible phases in the life cycle of creative endeavors and uses the geometric shape of an irregular 

enneagram 51 surrounded by a circle to visualize this [149]. This model is appealing since it allows 

for relevant “jumps” between phases which shows support of iterative and incremental behavior. 

Another interesting fact is that the work is based on experiences from the computer software 

industry, e.g. participation in “countless innovative projects” [149]. 

The discussion of what being creative really means is interesting, but we keep our focus on the 

phases that the creative process includes and how groups compared to individuals may affect 

the level of creativity (Figure 5.15). The ‘Product’ in Figure 5.15 is considered to be the ideas 

generated during the ‘Creative Process’ [239]. 

Figure 5.15: The components of creativity [239] are an individual or a group going through a 

creative process to develop a product. 

At the end of this chapter we hope to have gained enough knowledge to conclude where creativity 

ends and planning starts, what skills (creative, systematic, analytic) are important when planning 

or managing and the phases included in these very different processes. We begin the review, by 

looking at relevant creative process models. 

5.5.1 History of creative process models 

We will present a number of creative process models that all apply to the generic stages in Figure 

5.16. It should be noted that the models presented are not step-wise linear models, “but rather 

models which show various phases of the intertwined and iterative nature of creativity” [239] 

(Figure 5.16). 

Figure 5.16: Generic creative process model [239]. 

95

5.5. THE CREATIVE PROCESS CHAPTER 5. THEORY AND TECHNOLOGY 

One of the first models was given by Wallas [74, 239] in 1926. Wallas describes creativity as 

involving four phases: preparation, incubation, illumination and verification. In the preparation 

phase “the creator becomes obsessed with the problem, collects relevant data and traditional 

approaches to it, and perhaps attempts, unsuccessfully, to solve it” [74]. During incubation the 

creator unconsciously continues to work on the problem without actively attempting to solve it. In 

the illumination phase “a possible [solution] surfaces to consciousness in a vague and unpolished 

form” [74], i.e. a creative insight has occurred. Finally verification of the idea is performed by 

proof and communication to others. 

Later models by Osborn (1963), Amabile (1983), and Scheiderman (2000) all “moved away from 

proposing unconscious stages of incubation and illumination, toward a more conscious process 

of deliberately coming up with ideas” [239]. Table 5.1 summarizes the phases included in their 

individual models. 

Table 5.1: Generic creative process model as described by Warr and O’Neil (2005) [239]. 

Summary and discussion 

All the creative process models presented in Table 5.1 have an analytical phase of preparation, 

where relevant information is collected to understand the problem and its domain. Then there 

is “the more specifically creative phase” where ideas are generated based on the gathered and 

reviewed information. Finally all the models have an idea evaluation phase, where it is evaluated 

if the goal of producing truly creative ideas is achieved. 

We believe that the generic problem preparation phase (analysis of problem in Table 5.1) would 

be difficult to support by a computer system, since it is a head-on approach where traditional 

solutions are applied and not much time is spend on creative thinking. The idea generation phase 

however has a brainstorming feel to it which is very interesting because it seems to map into 

initial phases of a criminal network investigation process, just as it does the planning process. 

Idea evaluation using for example communication to or response from others would benefit from 

an electronic version of the generated ideas, because they could easily be altered, deleted and 

moved around. And it would be easy to distribute the ideas to people at other locations. 

5.5.2 Are more heads better than one? 

When going through the creative process, what is better: real or nominal groups? 52 The question is 

essential to our work because we believe that using a real group for criminal network investigation 

will increase that groups effectiveness. Theoretical proof exists that a real group produces more 

creative ideas than a nominal group [239] and by intuition this should also be true in practical 

situations. However, research comparing the production of novel ideas in real groups compared to 

nominal groups, shows that the real groups actually produce less ideas. According to [239] this is 

mainly due to a number of social influences on creativity: 

96


Production blocking. Production blocking has the highest negative effect when ideas are expressed 

verbally within a group. Only one person can speak at a time and hence communicate 

his/her ideas. People “may subsequently forget their ideas or suppress them because they 

may feel their ideas less relevant as time passes”. Or they rehearse their ideas internally not 

paying attention to other group members. Usually, however, ideas are not only communicated 

verbally but also jotted down on notepads, white boards or flip charts. A number of 

synchronous interaction techniques have been applied to solve the production blocking problem. 

Examples relevant to our work are: writing ideas down on cards and using electronic 

brainstorming systems. This also helps the influence of evaluation apprehension discussed 

next, because such methods make ideas anonymous by allowing the group members to use 

writing as a communication channel. 

Evaluation apprehension “Members of a group may [. . . ] fear criticism from other group 

members, preventing them from expressing ideas” [239] and thoughts which results in a 

reduced number of ideas produced by the group. This usually happens when someone 

believes that another group member has expert knowledge within the domain and then 

expects some sort of negative evaluation from that person (This is the primary reason for 

separating Idea Evaluation from Idea Generation in Table 5.1). To overcome the negative 

effects it has been suggested [239]: 

[. . . ] that anonymous means of expressing ideas remove an individual’s identification 

with an idea and therefore help encourage people to express their ideas as 

the fear of criticism is removed. This anonymous communication has been a key 

feature of electronic brainstorming systems. 

Free riding. “Free riding [. . . ] is the result of group members becoming lazy, relying on other 

members in the group and not contributing as many ideas as they could”. This usually 

happens when contributors to some work are evaluated as a group, compared to when their 

individual performance is evaluated. 

Two solutions that could reduce the effect of free riding are: Highlighting identifiability in 

groups and increasing the accountability for individual performance. However a balance has 

to be kept between evaluation comprehension and free riding, e.g. exposing everybody’s 

work in the weekly company newsletter to avoid free riding will most likely make people 

more comprehensive to evaluation. 

5.5.3 The life cycle of creative endeavors 

Figure 5.17 presents a simplified version of the life cycle of creative endeavors as it is depicted 

in [149]. We have removed the indication of the two mental forces reason and intuition, and their 

role (active, responsive or passive) in each phase. The arrows indicate subtle relationships between 

phases: Some arrows function as feedback paths, some skip one or more phases and some reminds 

us to reflect on the purpose of another phase than the one we are currently in 53 . In the following 

tour of the enneagram we are looking for phases that are part of the creative process, the planning 

process or phases that usually are related to management of information. 

9: Encountering events. The solid arrows indicate what typically happens when some sort of 

event is encountered: “notice is taken of the event (9), a competent response is chosen (3), 

and that response is carried out (6)”. An example could be that somebody realizes they need 

milk, they decide to go to the grocery store and then they go get the milk. But sometimes 

a response doesn’t emerge right away and instead the event sparks an idea 54 . And that is 

when the complete tour around the life cycle of creative endeavors begins. Analysis: This 

phase is obviously part of what we defined as the ‘Creative Process’ in the introduction. In 

terms of software development the initiating event could be the investigation leader passing 

a task to an investigator. At this point nothing tangible (to others) has been produced; only 

the urge of the creator to pursue the idea exists. 

97

5.5. THE CREATIVE PROCESS CHAPTER 5. THEORY AND TECHNOLOGY 

1: Formulating a goal. Formulating a goal is about transforming an idea into a description 

of future reality, a description that is appropriately abstract. The arrow pointing to the 

problems associated with the idea reminds us we can think of those problems in order to 

refine the imagined scenario. Analysis: It can be hard to define how abstract appropriately 

abstract actually is, but we believe it means that no specific details should be added, because 

it might prevent certain ways of obtaining the goal at this point. This is a creative phase 

where you start jotting down problems and imagine a scenario that could fulfill our idea. 

The scenario spans a conceptual “space of potential future outcomes” in our mind. 

2: Exploring options. This phase deals with exploring the conceptual space defined by the 

formulated goal in search of the optimal objective. It is important that all of the space 

is visited in order to be sure that the most promising options are not missed. One way 

of boosting this exploration could be to “arrange for a group of people to join in a formal 

brainstorming process” [149]. Other suggested techniques are simulation and prototyping 

because they envision the future in a systematic way which can be illuminating. Analysis: 

We consider this phase both creative and analytical. Creative because we are requested 

to come up with ideas for unexplored conceptual space. And analytical when investigating 

those “discovered” conceptual spaces. 

3: Making a choice. At this point one of the objectives defined in earlier phases is selected or it 

is simply decided to do nothing and abort the endeavor. Analysis: This decision phase is not 

creative but a matter of making a systematic and analytic assessment of how to continue the 

endeavor, if any of the explored options seems promising enough. To make such a decision 

requires an overview of all possible objectives. 

4: Identifying the problems to be solved. Obstacles and problems are systematically visualized 

in this phase when imagining how the endeavor will unfold in the selected environment. 

It is important in this phase not to be tempted to start planning just yet. Premature planning 

might result in major problems being undiscovered. Related to this [149] suggests that 

all aspects of the creative endeavor (funding, staff, machinery etc.) should be considered 

in this phase. Analysis: We note that this is the first phase that suggests writing things 

on paper: “[...] list the classes of problems in a circle around the center. [...] list subproblems 

adjacent to each major category, and thus systematically generate a map of the 

difficulties” [149]. The identification of problems is a creative process, not an analytical one. 

The point that all aspects should be considered in this phase before continuing doesn’t seem 

very agile (target-centric) since too much thinking could actually delay or stop the endeavor. 

A solution to this could be setting a time limit for the phase, or using the arrow back to the 

exploring options phase creating an iterative cycle. 

5: Making a plan to deal with the problems. Now it is time to take all the identified problems 

and make a plan that will help achieve the objective. The purpose of the plan is to 

realize the formulated goal (the arrow), it is not enough just to create a plan that solves all 

goals. A way to achieve this is planning according to the customer needs by creating a feedback 

channel facilitating this. Strong analytical skills are needed to transform the thinking 

about a project (earlier phases) “into a plan of action to accomplish the objective”. If the 

plan is not complete, accurate and orderly it might result in “delays, confusion, extra costs, 

duplicate work and an unsatisfactory result” [149]. Analysis: The focus on the need of a 

perfect plan to avoid defects goes against our studies of agile literature, that highlights the 

need to acknowledge human error and change in our cognitive understanding of the problem 

domain and hence the appearance of new problems to be solved. The phase is obviously a 

planning phase and creativity has done its main part. Too much creativity when combining 

the defined units of work into releases and iterations would result in unrealistic plans. 

6: Doing the work. After the plan is finished its time to do the work. All earlier phases have 

been aimed at setting things up so that work can proceed. Analysis: We consider this phase 

to be analysis and all the activities this includes. 

98


7: Reorienting ones perspective / realizing the goal. The first product is finished which is 

something that needs to be acknowledged and a response to this new situation is necessary. 

The arrow back to ‘Formulating a goal’ is a sort of reflection arrow: Did things turn out 

as expected? What can be said about the goal set up in the first place? Etc. Analysis: 

Creativity plays a part in this phase, when trying to imagine how to maximize the outcome 

of the newly released product. The reflection on how the result is compared to initial 

formulation of the goal is considered to be an important learning process for future products. 

8: Using the result. Launching the product as imagined in phase 7 when the goal was realized. 

It “is the most spontaneous and unpredictable phase of the endeavor, and for the right 

people, the most exciting.” [149]. It is also the phase were it is possible to reflect on all 

the phases leading to the launched product, by looking at the plan as indicated by the 

arrow. After a while the new product is merged into the general understanding of status 

quo and new events are encountered because of this, i.e. the cycle is complete. Analysis: 

The reflective learning nature of this phase is interesting. 

Summary 

Figure 5.17: The life cycle of creative endeavors showing steps 9 to 8 [149]. 

The phases of the lifecycle of creative endeavors are summarized in [149]: 

Out of routine life arises desire for change. A raw idea is refined into a goal, which 

is further refined into a concrete objective. A decision is then made, the consequent 

implementation problems identified, and a plan made which takes them into account. 

The work is then carried out, bringing the innovator (or team) to the realization of the 

goal. The result is then exploited, and eventually becomes part of the everyday routine. 

In Table 5.2 we consider if each phase applies to the creative process discussed in this section: 

(Y)es or (N)o. It is also indicated whether or not each phase is considered supportable or not by 

a software tool. The reasoning behind these indications are given in the analysis of each phase of 

the life cycle of creative endeavors above, and summarized below in the table. 

99

5.6. SIMPLE TOOLS CHAPTER 5. THEORY AND TECHNOLOGY 

9: Encountering events 

1: Formulating a goal 

2: Exploring options 

3: Making a choice 

4: Identifying the problems 

to be solved 

5: Making a plan to deal 

with the problems 

6: Doing the work 

7: Reorienting ones perspective 

/ Realizing the 

goal 

The Creative Process Y Y Y Y Y N N Y N 

Supportable N N Y N Y Y Y N N 

Table 5.2: Phases vs. the creative process 

We find that ‘encountering events’, ‘formulating a goal’, and ‘exploring options’ are part of the 

generic problem preparation phase in creative process models. ‘identifying the problems to be 

solved’ is similar to the generic idea generation phase and ‘making a choice’ and ‘reorienting ones 

perspective’ is part of the generic idea evaluation phase. 

The suggested tools for ‘exploring options’ like a team brainstorming process, simulation and 

prototyping indicates to us, that the phase is supportable by a software tool. ‘Identifying the 

problems to be solved’ by listing them in classes around a circle and then putting subproblems 

adjacent to each problem is very well suited for computational support, just like the phase ‘making 

a plan to deal with the problems’. When ‘reorienting ones perspective’ it would be convenient to 

have an electronic version of the old plan to alter according to the new perspective. 

5.5.4 Summary 

We have reviewed the creative process by analyzing relevant models (their nature and phases) and 

have gained important insight into this, to us, previously unknown domain. Furthermore, we have 

looked at some human factors that might influence the outcome of the creative process and finally 

we reviewed and analyzed the phases comprised in an entire creative endeavor. 

5.6 Simple tools for criminal network investigation 

We reviewed a range of tools support criminal network investigation processes in Chapter 4. And 

when studying criminal network investigation cases, we often found that simple tools, such as large 

pieces of paper on the wall (Daniel Pearl, Section 3.5.1), a pin board, with wheels, in the team 

common room (organized drug organization, Section 3.5.3), are central to the kind of criminal 

network investigation approach we aim to support. This preferred way of working and the simple 

tools used is very similar to those tools promoted by agile software development methodologies. 

Criminal network investigation can benefit from agile modeling and we therefore bring excerpts of 

an agile modeling review as well a look into the agile modeling toolbox, as described in our master 

thesis [165]. For our master thesis project, we developed tool support for a specific agile planning 

method (blitz planning), intended to run on a large interactive surface in a so called creative room, 

much like the “war rooms” setups that criminal network investigation teams work in (see Figure 

5.18). 

5.6.1 Agile modeling and simple tools 

Ambler (2002) addresses the fundamental question of how to model in an effective and agile 

manner in his book on agile modeling (AM) [11]. Ambler (2002) suggests tailoring AM with a 

100 

8: Using the result

CHAPTER 5. THEORY AND TECHNOLOGY 5.6. SIMPLE TOOLS 

Figure 5.18: A sketch of the creative room we designed for agile planning sessions during our 

master thesis. [165] 

base process like eXtreme Programming [165] (often referred to as XP) or Crystal Clear [42], 

or “alternatively, you may decide to pick the best features from a collection of existing software 

processes, to form your own process” [11] (see Figure 5.19). This alternative matched well with 

our purpose of building a creativity enhancing tool that could form software processes as well as 

the many different approaches to criminal network investigation. 

Figure 5.19: AM enhances other software processes [11], and criminal network investigation processes 

could also benefit. 

AM is not prescriptive but a collection of practices, “guided by principles and values, for software 

professionals to apply on a day-to-day basis” [11]. The following points describing the scope of AM 

are important to us: “AM is not an attack on documentation”, “AM is not an attack on CASE 55 

tools” and “AM is a way to work together effectively to meet the needs of project stakeholders” 

(which is also what the collaborative Blitz Planning 56 session is all about). 

We were also interested in AM’s views on tools for modeling and agile work areas (e.g., criminal 

network investigation work areas, or war rooms, as they are often called). These views would 

support the decisions made when developing the Blitz Planning prototype and creating the vision 

for the Creative Room. These are reviewed next. One of AM’s core practices dictates using the 

simplest tools. AM distinguishes between two types of modeling tools; simple tools and CASE 

tools where simple tools are “manual items you use to model systems” [11]. These simple tools 

can however also be supported with different technology which will be explained later. CASE 

tools (defined as “software packages”) can also be applied since the AM core practice on tools is: 

101

5.6. SIMPLE TOOLS CHAPTER 5. THEORY AND TECHNOLOGY 

“use the simplest tools” and not “use simple tools”. 

Agile modeling with simple tools 

Ambler (2002) lists a number of simple tool advantages [11]. We find that the following advantages 

are relevant to apply, and comments on the direct relation whenever it is found necessary. Simple 

tools are inclusive (we decided that our software version of Blitz Planning would have to be as 

similar as possible compared to the paper card version of Blitz Planning), provide tactile feedback, 

are flexible, are non-threatening to users, are quick to use, can be used in combination with complex 

ones and promote iterative and incremental development. 

As mentioned earlier, simple AM tools can be supported with technology. One important point 

here is that electronic white boards are mentioned. We limit ourselves to presenting some relevant 

examples here. The examples are mainly taken from [41] which presents “a survey of agile 

teams for tools they say help produce better software quicker”. The survey is conducted Cockburn 

(2004), “an internationally respected expert on object-oriented design, software development 

methodologies, use cases, and project management” [41]. 

Cockburn categorizes simple tools by purpose (hiring, collaboration, communication and management) 

and form (environmental, social, physical devices, process and thinking). We select tools 

that are relevant to our work and comment when necessary. In the next section we list simple, 

but computerized, tools such as WIKIs and Spreadsheets. 

Purpose: Communication. Active communication using shared workspace technology to look 

at the same screen. Passive communication using information radiators, e.g. a flat monitor 

hung over the cubicle wall, a real traffic light in the development area or the build status 

maintained on a Web page expressing minute-to-minute changes. Management. Cockburn 

notes that project management tools like VersionOne and XPlanner (see Cockburns (2004) 

[41]) don’t report status with respect to planning. 

Form: Environmental. Again lots of wall space for posting information radiators and convex 

or straight desks so people can cluster around the monitor. Social. Collocated teams for 

fast communication, personal interaction, retrospectives and reflection activities, pair programming 

and posting information radiators in unusual places to attract communication 

(e.g., in the bathroom). Physical. Index cards and Post-it notes, butcher lining walls and 

halls, white boards (standard or movable, printing, recording, or with a camera) and poster 

sheets (plain paper, 3M sticky, or plastic cling sheets e.g. LegaMaster Magic-Charts). We 

note the wall-to-wall writable and movable surface concept for expressing ideas. Process. 

Project planning jam session (XP’s planning game [125], Crystal Clear’s blitz planning [42], 

or Scrum’s sprint planning [125]), reflection or retrospective workshops, pair programming 

sessions, refactoring, growing the system functional bit by bit, time boxing, spike prototyping 

57 and frequent delivery. 

Agile modeling with simple, yet computerized, tools 

As agile development moved into distributed development, people started to find and invent online 

collaboration tools [41]: “WikiWiki and thread-based discussion group technologies, instant 

messaging technologies with group and recording variants, and distributed brainstorming technologies”, 

e.g. CardMeeting (see www.cardmeeting.com and [165]). The Wiki Web technology 

discussed next was created by Ward Cunningham, one of the XP founders [125]. 

Our own experiences with project Wikis are few, but they have proved useful during previous 

master courses, where it was used for fast accumulation of knowledge on the project subject. 

Larman elaborates further on the concept in [125]: “Like blogs, Wiki Webs (or Wikis) allow people 

to edit Web pages using only their browser, but they go farther: they allow one to easily create 

new pages. and hyperlinks between Wiki pages, using only a browser and special WikiWords. 

102

CHAPTER 5. THEORY AND TECHNOLOGY 5.7. CASE-STUDIES OF INDIVIDUALS 

Of course, these capabilities are available with myriad tools, but Wikis make the tasks especially 

simple and fast. Thus, Wikis are a popular tool on agile projects to capture project information, 

and as a simple knowledge management tool”. 

The need for, and how to make, agile planning software has been discussed by many [11, 44]. On 

his website www.xprogramming.com Ron Jeffries comments on planning software claiming that: 

“There’s something very right about a team working together with whiteboard[s], cards, things 

posted on the wall. Everyone can be engaged, involved, equal”. We note that the important 

point is not that physical items (or tools, as described in section 4.3.3) are at play, but more what 

these items make the users feel and do. This is highly related to the social approach to software 

development and management described in Peopleware [54] by DeMarco and Lister: “The major 

problems of our work are not so much technological as sociological in nature”. 

Ron Jeffries claims that making the switch to software results in “someone own[ing] the keyboard, 

and everyone else [being] an observer”. We interpret this as being a problem of cramping the 

whole team together in front of a single work station. A solution could be to move everybody in 

front of a larger media with which everybody can interact. Cohn (2004) [44] discusses the main 

advantages of paper over software and lists: “Their low tech nature is a constant reminder that 

stories are imprecise”, “The typical note card can hold a limited amount of writing. This gives it 

a natural upper limit on the amount of text.” and “note cards [. . . ] are very easy to sort and can 

be sorted in a variety of ways. A collection of stories can be sorted into high, medium and low 

priority piles”. We consider all the findings in this section so far to be requirements for any agile 

piece of planning software. 

Agile work areas 

AM recognizes that “the physical environment in which you work has a significant impact on how 

effective you are as an agile modeler”. It states a number of factors that are considered critical 

when creating an effective work area, like the creative room scenario envisioned in our master 

thesis [165] (see Figure 5.18): 

Dedicated space is important if the project teams are to be most effective. The team should 

not have to “find an available meeting room to get some modeling done”. And the team 

should not have to worry about other people erasing the white board sketches and other 

notes. 

Significant white board space. The working area can never have too much white board space: 

“My preference is white boards floor to ceiling, wherever empty wall exists” [11]. 

A computer in the modeling area can be an advantage, if the team wants to research something 

on the Internet or “access previous models that have been placed under version control”. 

This relates to the wanted prototype feature: project methodology history database. If a 

computer is placed in the modeling area, we have to make sure it is not counterproductive 

for the team as a whole, e.g. complicated software can introduce a barrier to communication. 

Wall space to attach paper. Space for attaching information on paper is also important: “It’s 

good to have some non-white board wall space” [11]. 

To make the concept of a creative modeling area work, it is important that private areas are also 

provided to team members. Everybody needs private time during the day. 

5.7 Case-studies of individuals in criminal networks 

Case-studies of individuals in criminal networks are important in terms of criminal network investigation 

and the development of assisting software therefore, for a number of reasons. First of 

103

5.7. CASE-STUDIES OF INDIVIDUALS CHAPTER 5. THEORY AND TECHNOLOGY 

all, we have observed that in many of the criminal network investigations we have reviewed and 

studied, a single individual has made plans and carried them out on his own, or an individual 

has been the main reason in terms of driving a network subgroup toward a crime (i.e., the entrepreneur 

in Nesser’s (2006) model of jihadist terrorist cells in the UK and Europe [154]). Having 

established the relevance of studying a single individual in criminal network (as well as the life of 

the person prior to joining that particular network), what should such study focus on? We list 

our first priority choices here: 

“Open source world” associations: The individual’s links (associations) to the “open 

source world”, particularly prior to and during a crime. By “open source world” we mean 

associations that could have been picked up on through open source intelligence channels. 

Knowledge about these associations is required, in order to analyze how that particular 

individual could have been found prior to the crime. Again, such associations would have to 

be abstracted as much as possible, in order to be found applicable to future cases. Examples 

of a persons associations with the “open source world” are very different in nature, but for 

the sake of argument we list a subset of those here: re occurring locations, other individuals, 

money transfers, phone calls, emails, etc. 

Meta data: Case-studies of individuals will reveal patterns in attribute (meta data) that 

are available about criminals, as well as differences in meta data. This is important in 

terms of establishing what attributes are typically static and which are typically dynamic. 

We divide attributes into biographical (year of birth, marital status, children, parents) and 

characteristics (employment, education, skills, etc.). 

The individuals we discuss below have already been subject to a lot of research, and therefore 

discuss the potential of looking at these individuals once more, taking an even more structural (or 

network) approach. Khalid Sheikh Mohammed is mentioned throughout this dissertation, but is 

not covered in this section. Omar Saeed Sheikh, the mastermind of the Daniel Pearl kidnapping, 

is reviewed in Section 5.7.1. David Headley, who was in Copenhagen to scout the locations of 

future Mohammed caricature attacks, is reviewed in Section 5.7.2. 

5.7.1 Omar Saeed Sheikh 

Our knowledge about Omar Saeed Sheikh is mainly based on the case study of the kidnapping 

plot against Wall Street Journal reporter Daniel Pearl [128,162] (see Section 3.5.1). But Sageman 

(2008) [189] and Levy (2003) [128] also contain lengthier biographies (profiles) which have inspired 

this case study. 

Omar Saeed Shaikh was born in London on December 23, 1973. Omar, as he was called, grew 

up in a upper-middle-class environment and attended expensive elite private schools. He did well 

in school and gained acceptance at the London School of Economics and began his studies there 

in October 1992. Every version of Omar’s life agrees that his commitment to Islam deepened 

dramatically at the London School of Economics, where he immediately joined the school Islamic 

society. He became involved in the situation for Bosnian Muslims at the end of 1992 and his 

involvement become more and more serious during the following months. In April 1993 he accompanied 

a convoy taking relief material to Bosnia, which also provided clandestine support for 

Muslim fighters there. And it was on that trip he had first contact with the jihadist infrastructure, 

after which a number of trips to Pakistani and Afghan training camps ensued. In June 1994, some 

leaders of Harakut-ul Mujahedin 58 (HUM) had been captured in India and Omar was asked to 

help free them. He accepted the mission and arrived in New Delhi on July 26, 1994, where he 

gained his first experiences in kidnapping westerners. But the mission in New Delhi failed and 

Omar was taken prisoner. [189] 

What is interesting about Omar, is not so much his life story as a whole (interesting as it may 

be), but his historical track record as a terrorist. Much like Khalid Sheikh Mohammed (see his 

104

CHAPTER 5. THEORY AND TECHNOLOGY 5.7. CASE-STUDIES OF INDIVIDUALS 

case in Section 3.5.2), but at a much smaller scale and less successful, he was the entrepreneur 

and mastermind in the 1994 kidnappings of tourists in India and the 2002 kidnapping of Daniel 

Pearl. It would be interesting to look at the individuals involved in the failed 1994 kidnappings, 

the 1999 hijacking that set Omar free after the 1999 failure, the 2002 kidnapping of Daniel Pearl, 

and finally how it came to be, that when he was arrested, he had stayed with a retired ISI general 

for one week, living near a Pakistani military base. It would be relevant to search for links between 

the different attacks and kidnappings, and if it would be reasonable to say something about how, 

if possible, those links could have been discovered during the investigations of the events. 

5.7.2 David Coleman Headley 

Until his arrest October 3 rd 2009 in Chicago O’Hare International Airport David Coleman Headley 

was the locus of activity in a terrorism plan named the ’Mickey Mouse Project’ 59 (MMP) by himself 

and his alleged accomplishes. Although the US official complaints does not contain any information 

about why that name was selected [56–58], it may have been meant as a direct reference to the 

Muhammad caricature cartoons 60 ? 

Nevertheless, the plans where obscured by cooperation of FBI and the Danish secret intellingence 

service PET, and after 24 days of further investigations and interrogations, the news of the arrest 

and the alleged plans were announced to the Danish press by PET manager Jacob Scharf on 

October 27 th 2009. Jacob Scharf elaborated that the initial target was the danish newspaper 

JyllandsPosten as a whole, while later the target set was focused on cultural editor Flemming 

Rose and Prophet caricature cartoonist Kurt Westergaard, resembling assassination plans. 

On October 3 rd 2009 David Coleman Headley entered Chicago O’Hare International Airport, 

unaware that his recent movements and communication had been under surveillance. “Before 

boarding a flight to Philadelphia, intending to travel to Pakistan” [181], he is arrested by the FBI 

Joint Terrorism Task Force (JTTF) [181]. In his bag they find a front page of JyllandsPosten, a 

map over Copenhagen, a memory stick with video sequences from Kings Square in Copenhagen 

where JyllandsPosten’s offices and the main train station were located 61 . Headley “was charged 

with one count of conspiracy to commit terrorist acts involving murder and maiming outside the 

United States and one count of conspiracy to provide material support to that overseas terrorism 

conspiracy” [181]. 

Headley was apparently a functioning citizen back home in Chicago and not a bewildered young net 

surfer, complaining about lack of day centers or life content [103]. His neighbors and people from 

the Indian-Pakistani community in Chicago found him and his family to be somewhat introverted: 

“David Headley kept to himself. I have rarely seen him and his wife”, says an Islamic bookstore 

owner in the neighborhood [226]. Daood Saleem Gilani (changed his name to David Coleman 

Headley in 2006 [57]) “was born in 1960 in Washington to a couple” of very different origins: “His 

mother, Serrill Headley, was a 19-year-old [. . . ] woman with a memorable laugh and a taste for 

adventure. His father, Syed Saleem Gilani, “had a traditional Islamic view of a woman’s place 

in the home”. They both worked at the Pakistani Embassy, but left for Pakistan soon after the 

marriage. She left Pakistan in 1968 and returned to Philadelphia, where she attended bar tending 

school and later bought a pub which she named Khyber Pass. In 1977 she persuaded Daood to 

leave his military school in Pakistan and he came to Philadelphia as a teenager. [220] 

The military school which Headley and Rana (see below) attended from age 14 (starting 1974) [123] 

is located in “the Pakistani town of Hasan Abdal” [181], named Cadet College Hasan Abdal and 

considered to be the oldest military boarding school in Pakistan [123]. The cadets are trained to 

become religious elite soldiers in the Pakistani army. The daily schedule consisted of five times 

prayer to Allah, Koran recitals and outdoor military skills [123]. 

On line postings in the Yahoo group named “abdalians” 62 “reflect that both Rana and Headley 

have participated in the group and referred to their attendance at that school” [181]. On October 

29 th 2008 Headley made a posting 63 central to the FBI complaints, where he among other things 

mentioned his anger toward the Danish caricatures of Muhammad [31, 57]. 

105

5.8. INTELLIGENCE CHAPTER 5. THEORY AND TECHNOLOGY 

Tahawwur Hussain Rana usually arranged Headley’s travels, taking the role as organizer and 

financier. Headley was an employee of Rana’s company, First World Immigration Services, and 

has claimed to travel as part of his employment, however never bringing much evidence in his 

luggage [57]. Both Headley and Rana traveled extensively between United States, Asia and Europe: 

On two occasions (January and July 2009) prior to his arrest October 3 rd 2009 Headley was in 

Denmark, visiting JyllandsPosten in both Copenhagen and Aarhus. He also met with high ranking 

representatives of fundamental islamist organizations, including Lashkar-e-Taiba, Harkat-ul Jihad 

Islami and their leader and front figure Muhammad Ilyas Kashmiri, who supported Headley’s 

continued focus on Denmark, when asked by LeT to change their focus to target Indian interests. 

Kashmiri is a well connected man in terms of terrorism contacts: He has worked with the Afghan 

Taleban leader Mullah Omar and is one of the leaders in Al-Qaeda’s Brigade 313. Furthermore he 

has experience with guerrilla warfare and terrorism from his participation in the Kashmir conflict. 

In summary, Headley’s role was primarily that of a minion and planner, traveling the world, 

meeting people and gathering information [220], which was then communicated to other parts of 

the MMP network. 

5.7.3 Summary 

While Omar Saeed Sheikh was an example of the entrepreneurial terrorist, the mastermind who 

plans and plays minor roles, David Coleman Headley and the Mickey Mouse project was an 

example of a new strategy implemented by Al-Qaeda. Terror cells now have their base in a different 

country, using their foreign passport, plus a business visa in Headley’s case which he used to avoid 

questioning from immigration authorities (e.g., India, Mumbai 2008). After the announcement on 

October 27 th PET added this threat from “outside” to their threat level assessment [16], since the 

general opinion in Denmark previously was that the threat mainly was from persons already in 

the country. Also there has been added a new role of planner to the terrorism cell, separated from 

the person who actual carries out the attack. Before the attacks in India, Mumbai 2008, this was 

usually the same person. 

5.8 Intelligence 

The following anecdote from 2009 describes the authors first encounter with intelligence (prior to 

that the focus had been on information): 

After a successful opening ceremony for the research lab at city hall only 1 month 

into my Ph.D. studies, another student and I was chatting with Jarret Brachman and 

Arno Reuser. Little did I know who I was talking to at the time. The opening ceremony 

had been attended by local police brass, the mayor, the United States and Pakistan ambassadors, 

and so on, and I had decided that paying attention to the titles of individuals 

was not important. At one point, Reuser shares some of his experience on open source 

intelligence: “Let us say that the Netherlands wanted to deploy ground troops in an 

African country. The most valuable actionable intelligence for securing the success of 

such an operation would be information about whether or not the crops in the area had 

recently been harvested and if it had, is it going to be a full moon on the night of the 

operation, and if so, will it be cloudy?”. 

The anecdote makes it clear that the nature of actionable intelligence can be many things, and 

that simple information such as the weather and local harvest season could be more important 

to success than, let’s say, information about the target of Arno Reuser’s operation scenario. Hitz 

(2009) presents a somewhat different perspective on intelligence and intelligence gathering today: 

When all is said and done, counter-terrorism and counter-proliferation intelligence 

gathering follows a new paradigm. It is less about classic espionage than persistent 

106

CHAPTER 5. THEORY AND TECHNOLOGY 5.9. MATHEMATICAL MODELS 

tracking of terrorists and their potential weapons by good detective work and perceptive 

mining of reams of open sources. This is no longer back-alley skulking in a trench coat. 

It is down-and-dirty police investigative work, tracing radicals and their bomb-making 

materials, and recruiting informants to watch mosques and radical meeting sites. 

Since we have discussed the intelligence process and its elements (activities) in Chapter 3 (more 

precisely Section 3.3 and 3.4), we will focus here on intelligence in general, and two different types 

of intelligence, open source intelligence and secret intelligence. We will discuss the value of open 

source intelligence against secret intelligence, and outline their role in a bigger intelligence picture 

(see Section 5.8.2). But first we take a look at the differences and similarities between intelligence 

and information (Section 5.8.1). 

5.8.1 Intelligence and information 

What exactly are the differences between information, which we have primarily talked about until 

now, and intelligence, which we discuss in this chapter? Of course intelligence is ultimately information, 

and it is our understanding that the difference is more in purpose of the two: information 

is for synthesis and sense-making, and then the thing you actual disseminate to your customer 

(intelligence customer) is information turned into intelligence. It is something concrete for the 

customer to make informed decisions upon, so-called actionable intelligence [40]. In general, intelligence 

has a more operational feel to it (as described in the introduction). It is either gathered 

in an operational setting, or it is product of intelligence analysis, an aggregate of what is known, 

for decision makers to base operational decisions on: “intelligence is information that has been 

collected, processed, analyzed, and presented in order to support a decision that increases security 

or profit, or reduces risk or cost. Intelligence is decision-support” [215]. 

5.8.2 Open source intelligence and secret intelligence 

Steele (2009b) defines open source intelligence (osint) as “unclassified information that has been 

deliberately discovered, discriminated, distilled and disseminated to a select audience in order to 

address a specific question” [215]. Secret intelligence is typically gathered from classified sources 

(i.e., satellites or spies), only available to intelligence staffs, whereas open source intelligence is 

available to everyone [113, 214]. As shown in Figure 8.1, open source intelligence is found to 

produce 80% of the valuable information at 5% of the cost, while secret intelligence only provides 

20% of value at 95% of the cost. Steele (2009) quotes the “hard-earned and practical observations” 

of General Tony Zinni as the basis for 80-20 rule of thumb: 80% of what I needed to know as 

CINCENT 64 I got from open sources rather than classified reporting. And within the remaining 

20%, if I knew what to look for, I found another 16%. At the end of it all, classified intelligence 

provided me, at best, with 4% of my command knowledge. 

5.9 Mathematical models (techniques) 

Researchers study complex systems within different disciplines such as physics, biology, sociology, 

etc., and develop mathematical models to analyze the networks within their particular domain. 

However, these model are often generic, and can be applied to analysis of criminal networks. This 

type of research is often referred to as computational, i.e., computational physics, computational 

biology, and computational social science. And it is also scientists from physics, biology, and social 

science that created the foundations for network science (see Newman (2010) for more details and 

references). Network-based techniques are widely used in crime investigations, because patterns 

of association are actionable and understandable. As mentioned above, this makes network-based 

mathematical models applicable to the criminal network domain, e.g. the recent publication of 

a technique for locating the source of an epidemic, using relatively little information. The same 

107

5.9. MATHEMATICAL MODELS CHAPTER 5. THEORY AND TECHNOLOGY 

Figure 5.20: Secret Intelligence Misses 80 percent of the Relevant Information [source: OSS.NET]. 

method has also been used to locate leaders in terrorist networks, by traversing a network of phone 

calls, locating sources [177] 65 . 

Specific techniques for terrorist network analysis often take the mentioned centrality measures as 

input to their computations. Examples include measures of link importance based on secrecy 

and efficiency [245], the prediction of covert network structure [184], missing links [183], and 

missing key players [182], and custom-made techniques developed by investigators to target 

network-specific analysis tasks, such as the node removal technique described in [169]. In this 

section we discuss various mathematical models (techniques) relevant for criminal network investigation. 

We look at social network analysis for criminal network investigation in Section 5.9.1 

and prediction techniques in Section 11.1.7. 

5.9.1 Social network analysis 

Many of the well known techniques for criminal network analysis are adopted from sociology: “the 

field of sociology has perhaps the longest and best developed tradition of the empirical study of 

networks as they occur in the real world, and many of the mathematical and statistical tools that 

are used in the study of networks are borrowed, directly or indirectly, from sociologists” [155]. We 

review the centrality measures for networks of entities and the semantic web (see Section 5.2 for 

more on semantic web technology). 

Centrality measures for entities in criminal networks 

Techniques from social network analysis and graph theory can be used to identify key entities 

in criminal networks [240]. Information about key entities (individuals, places, things, etc.) is 

helpful for network destabilization purposes [35], or as input for other criminal network analysis 

108

CHAPTER 5. THEORY AND TECHNOLOGY 5.9. MATHEMATICAL MODELS 

algorithms. Relevant social network analysis measures include [111, 240]: 

Measures of centrality have been developed for different types of networks. Most prominent are 

social network analysis techniques (see [111,150,195]) that can measure the centrality of entities in 

criminal networks based on their direct and indirect associations to other entities in the network. 

But “although the premise that centrality is an indication of importance, influence, or control in a 

network may appear valid, it is also contestable, particular in criminal contexts. [. . . ] What does 

it mean to be central in a criminal network?” [150]. We argue that centrality is dependent on the 

specific criminal network being investigated. It depends on the associations between entities that 

investigators deem important, and it depends on the weights of those associations. Furthermore, 

the accuracy of centrality measures depends on the investigator’s ability to embed their tacit 

knowledge and novel associations into centrality algorithms. We review a selection of techniques 

below, which we find to be relevant for criminal network analysis on the above mentioned premises. 

Entity degree centrality. An entity is central when it has many links (associations) to 

other entities in the network. This kind of centrality is measured by the degree of the entity, 

the higher the degree, the more central the entity. Degree centrality can be divided into indegree 

centrality and out-degree centrality, referring to the number of incoming and outgoing 

links an entity has. A social network with high degrees of both is a highly cohesive network. 

Entity closeness centrality. Closeness centrality indicates that an entity is central when 

it has easy access to other entities in the network. This means that the average distance 

(calculated as the shortest path) to other entities in the network is small. 

Entity betweenness centrality. Usually not all entities are connected to each other in 

a network. Therefore, a path from one entity to another may go through one or more 

intermediate entities. Betweenness centrality is measured as the frequency of occurrence 

of an entity on the geodesic connecting other pairs of entities. A high frequency indicates 

a central entity. These entities bridge networks, clusters, and subgroups: “betweenness 

centrality fleshes out the intermediaries or the brokers within a network” [150]. 

Entity eigenvector centrality is like a recursive version of entity degree centrality. An 

entity is central to the extent that the entity is connected to other entities that are central. An 

entity that is high on eigenvector centrality is connected to many entities that are themselves 

connected to many entities. 

Centrality measures for semantic web 

Semantic web concepts have many characteristics in common with our understanding of criminal 

network entities and their associations. Similar to centrality measures for criminal networks (see 

Section 5.9.1 above), semantic web concepts have been developed to measure the centrality of 

entities in online social networks. We are interested in analysis of complex systems in which nodes 

could be any object, relations (links) could be of any nature, and structures are generated by 

the users (investigators). Semantic web technology can explicitly model the interactions between 

individuals, places and things in complex systems of information entities, but classical social 

network analysis methods are typically applied to “these semantic representations without fully 

exploiting their rich expressiveness” [64]. A short summary of semantic web technology and a 

social network analysis example is given in [63]: 

Semantic web [technologies] provide a graph model, a query language and type and 

definition systems to represent and exchange knowledge online. These [technologies] 

provide a [. . . ] way of capturing social networks in much richer structures than raw 

graphs. Several ontologies can be used to represent social networks. The most popular 

is FOAF 1 , used for describing people, their relationships and their activity. A 

1 http://www.foaf-project.org/ 

109

5.9. MATHEMATICAL MODELS CHAPTER 5. THEORY AND TECHNOLOGY 

large set of properties is dedicated to the definition of a user profile: “family name”, 

“nick”, “interest”, etc. The “knows” property is used to connect people and to build a 

social network. [. . . ] The properties in the RELATIONSHIP 2 ontology specialize the 

“knows” property of FOAF to type relationships in a social network more precisely (familial, 

friendship, or professional relationships). For instance the relation “livesWith” 

specializes the relation “knows”. 

Figure 5.21: “Queries that extract the degree centrality of [individuals] linked by the property 

foaf:knows and its specialization relationship:worksWith” [63]. 

5.9.2 Prediction 

Prediction techniques include extrapolation, projection, and forecasting based on past and current 

states of a criminal network. These three predictive techniques follow the approach of assessing 

forces that act on an entity [40]. The value of prediction lies in the assessment of the forces that 

will shape future events and the state of the criminal network. An extrapolation assumes that 

those forces do not change between the present and future states; a projection assumes that they 

do change; and a forecast assumes that they change and that new forces are added. 

Bayesian inference is a (forecasting) prediction technique based on meta data about individuals 

in criminal networks. A statistical procedure that is based on Bayes’ theorem can be used to infer 

the presence of missing links in networks. The process of inferring is based on a comparison of 

the evidence gathered by investigators against a known sample of positive (and negative) links in 

the network, where positive links are those links that connect any two individuals in the network 

whereas negative links are simply the absence of a link. The objective is often to assess where 

links may be present that have not been captured in the collected and processed criminal network 

information. 

Prediction techniques 

Prediction of covert network structure [184] is useful when you have a list of individuals suspected 

to be part of your current criminal network investigation. The algorithm indicates probable covert 

members on the list and how they are linked to the existing structure. The predict missing links 

algorithm [183] starts prediction based on the current criminal network structure. The likelihood of 

a link being present between all node pairs in the network is calculated based on the attribute data 

of the remaining individuals. Links that have a missing likelihood higher than a pre-determined 

value (calculated from the product of individual attribute likelihoods) are predicted as new links 

in the network. Links are predicted in the same way by the covert network structure algorithm, 

using a Bayesian inference method. 

5.9.3 Other mathematical models 

As mentioned, there are many mathematical models for criminal network analysis, such as terrorist 

network analysis models: Recent work has proposed link importance as a new metric for destabi- 

2 http://vocab.org/relationship/ 

110

CHAPTER 5. THEORY AND TECHNOLOGY 5.10. ETHICS 

lizing terrorist networks. This novel method is inspired by research on transportation networks, 

and the fact that the links between nodes provide at least as much relevant information about the 

work as the nodes themselves. The measure of link importance offers new insights into terrorist 

networks by pointing out links that are important to the performance of the network. A terrorism 

domain model with both nodes and links as first class objects will allow additional features to be 

built into the terrorist network and visualization tools [80, 244]. we 

5.10 Ethical impact and issues 

Ethics are concerned in many ways with software systems that manage information about people, 

like tool support for criminal network investigation, involving multiple processes such as information 

collection, gathering, and dissemination. In this section we review how the magnitude of 

ethical impact and types of ethical issues are different from process to process. Criminal network 

investigations benefit from tool support to various degrees, depending on the processes covered 

and the tasks carried out. Assigning ethical responsibilities is therefore a prerequisite to assessing 

the ethical impact of criminal network investigation tools. But the typical black box approach does 

not separate end-user and tool responsibilities nor considers the ethical impact of individual criminal 

network investigation processes and tasks. To address tool related ethical issues we propose 

ethical principals and values and demonstrate what main design concepts can be implemented in 

tools to support these principles and values. 

5.10.1 Ethical impact 

criminal network investigations can benefit from varying degrees of tool support depending on 

the processes covered and the tasks carried out. The ethical impact of tools supporting criminal 

network investigation processes is difficult to assess, and the development of methodologies for such 

assessments are still in its infancy. Important reasons for this underdevelopment of a methodology 

for morally evaluating technology development are related to its complex, uncertain, dynamic, 

and large-scale character that seems to resist human control [253]. As an example, when a new 

criminal network investigation tool is explained in the media, there is a tendency to view the tool 

as a kind of black box. While this simplification is justified by the before mentioned complexity, it 

creates the misunderstanding that criminal network investigation tools take huge amounts of data 

as input and analyzes it using complex mathematical models, only requiring a few mouse clicks 

from the user. When conducting an ethical impact assessment of a new technology, one should 

not treat the technology as a black box. Since technologies potentially shape human actions and 

interpretations on the basis of which moral decisions are made, we are obligated to try and give 

this influence a desirable and morally justifiable form. In this section we will try to open the black 

box that criminal network investigation tools often implement, to facilitate the development of 

ethical impact assessment of new technologies for our particular domain. We identify a number 

of problematic tasks followed by an assessment of the ethical responsibilities as shared by end 

users and tools. Based on these observations a list of ethical principles and associated values for 

criminal network investigation tool developers are suggested. A selection of design concepts using 

these ethical principles and values as guidelines have been developed. 

Assigning ethical responsibilities 

Criminal network investigation involves collection, processing and analysis of information related 

to a specific target creating products that can be disseminated to customers. A number of complex 

task are associated with these processes [174]. When supported by tools these tasks have significant 

ethical impact because their usage is more or less controlled. One example is profiling, both 

personal and especially group profiling by means of data mining [50] or manually inferred rules 

based on observations of reoccurring relationships or characteristics of persons and groups [154]. 

111

5.10. ETHICS CHAPTER 5. THEORY AND TECHNOLOGY 

The transparency of social network analysis (SNA) measures like betweenness and closeness centrality 

[240] and prediction algorithms decreases, when applied to an increasing number of nodes 

and links. Lack of evidence source linking might result in situations where it is unclear who created 

the link to the source, when was the link created, who collected and processed the information 

in the first place etc. [222]. Inferential judgments are based on pros and cons about positions 

and issues. But if the pros and cons are not saved these decisions cannot be audited by a third 

person [46]. 

Figure 5.22: Determinism continuum, from open-ended to closed, indicating the degree to which 

technology predetermines usages [119]. 

During analysis, especially when applying automated features such as social network analysis and 

prediction, the tool has more ethical impact and power of influence. The determinism continuum 

in Figure 5.22 illustrates this perfectly. The analyst cannot help to have his or her actions and 

interpretations influenced by the output of a complex analysis. When information is disseminated 

to the customer, the customer has the power of influence to interpret and use the disseminated 

information as he or she finds convenient. 

Addressing ethical issues on the tool side 

To investigate the ethical issues on the tool side, we have studied existing literature on ethical issues 

(e.g., [143]) and methodologies for ethical impact assessment of new (information) technology 

(e.g., [233, 253]). However, identification of ethical issues and the development of methodologies 

for impact assessments are still in its infancy [179,253]. Important reasons for this underdevelopment 

of a methodology for morally evaluating technology development are related to its complex, 

uncertain, dynamic, and large-scale character that seems to resist human control [253]. And while 

identified ethical issues like ‘dissemination and use of information’, ‘control, influence and power’ 

and ‘impact on social contact patterns’ are relevant for criminal network investigation tools they 

are not process specific, making it difficult to assign ethical responsibilities. 

We believe that human control of criminal network investigation tools is possible [247]. If we 

combine this understanding with our findings that ethical impact at the task level is higher for 

criminal network investigation tasks that dictate predetermined usage (i.e. automated tasks), 

we have identified the core problem: The choices that analysts, collectors and customers prefers 

to make are never fully predictable and tool support should therefore be dynamic and openended 

[119] (Figure 5.22). 

This suggests a human-centered approach where the humans (end users) are in charge of the 

criminal network investigation processes and tasks and the tools are there to support them. If 

the end users loose control (i.e. the tool predetermines usage) the ethical impact of the criminal 

network investigation processes and tasks will increase. The challenge is to overcome the high 

level of controllability that is inherent in the security and risk burdened world of criminal network 


112

CHAPTER 5. THEORY AND TECHNOLOGY 5.10. ETHICS 

Ethical principles and values for criminal network investigation tools 

We now have an initial understanding of the ethical responsibilities of end users and tools, as well 

as the remedy for the ethical impact on the tool side: a human-centered approach. Based on these 

observations we have designed the following list of ethical principles and values. The values can 

apply to more than one principle in various ways as seen below. Not all combinations of principles 

and values have been described. 

Transparent. Tool transparency is a precondition to human trust. A lack of transparency 

undermines the use of tool supported tasks. 

(Customizable) Entities. Using an entity-based approach in which all entities are first class 

is a precondition for several ethical values e.g. dynamic structuring. 

(Dynamic) Reasoning. Being able to record and review reasoning sessions would clarify how 

inferential judgments are made. 

(Interactive) History. Creating, updating and deleting content related to entities should 

be recorded for later reference. Storytelling using history events adds transparency to the 

progress of an investigation. 

Related work 

Two approaches to addressing the ethical impact of criminal network investigation processes have 

been reviewed. The following commercial tool supporting criminal network investigation work 

flows represents the point of view that the protection of privacy and civil liberties should be 

embedded in tools 66 . This is the approach we would like to adopt. Palantir Government 3.0 is a 

platform for information analysis designed for environments where the fragments of data that an 

analyst combines to tell the larger story are spread across a vast set of starting material [5]. Privacy 

and civil liberties are “embedded in Palantir’s DNA”, exemplified by technologies like Access 

Control Model, Revisioning Database and Immutable Audit Logs. Palantir used existing legislation 

as guidelines on how to address ethical issues in implementation, e.g. the 9/11 Commission 

Implementation Act [223]. More importantly, Palantir Government 3.0 has separated their entity 

model from the domain ontology, making the representation of entities and their relationships 

customizable. Furthermore, an interactive and navigable history of events is logged and finally 

various hypertext structures are, unintentionally, facilitated. This suggests an open-ended and 

dynamic approach to criminal network investigation tool support. 

Another approach is presented in [179]: “the solution lies in developing and integrating advanced 

information technologies for counterterrorism along with privacy-protection technologies to safeguard 

civil liberties. Coordinated policies can help bind the two to their intended use”. Examples 

of privacy-protection technologies are: privacy appliance involving the use of a separate tamperresistant, 

cryptographically protected device on top of databases. Making information anonymous 

is a technique used within the privacy appliance: it generalizes or obfuscates data, providing the 

system with a guarantee that any personally identifiable information in the released data can’t be 

determined, yet the data still remains useful from an analytical viewpoint. 

5.10.2 Denmark and terrorism (The Muhammad caricatures, legislation 

and civil liberties) 

Denmark and Danish interests have been the target of terrorism plans and attacks on numerous 

occasions from 2005 to 2010. It seems Denmark is getting a lot of attention compared to the 

relatively small population and the fact that Denmark, before the engagement in Afghanistan 

in 2002 and the invasion of Iraq in March 2003, had our international focus on peacekeeping 

missions 67 . Especially the reprinting of the Danish caricatures in February 2008 in multiple 

113

5.10. ETHICS CHAPTER 5. THEORY AND TECHNOLOGY 

newspapers has given Denmark a high ranking on terrorism target lists around the world. Despite 

this Denmark is a nation facing actual terrorism plans only intermittently, resulting in the media 

intensifying their coverage when such events occur. 

The fact that the danish politicians did not hesitate to announce they were ready to evaluate 

and tighten the Danish counter terrorism legislation enacted in 2002 and 2006 after the Mickey 

Mouse project (MMP) had been revealed, is another interesting aspect of the influence of media 

in “preparing” the public to support such statements. The controversy is that tightening the 

laws conflicts with citizen liberties. Also, if “terrorism is as much about the threat of violence as 

the violent act itself” [92], did David Headley (Mickey Mouse project surveillance, etc.), and his 

accomplishes achieve their goal? Or is it acceptable to disregard the civil liberties of the public 

for increased safety through more and stricter legislation? 

Time line (Muhammad caricatures) 

The first serious response to the initial printing of the Muhammad caricatures September 30 th 

2005 from within Denmark, was the postulated plans and intend to murder caricature cartoonist 

Kurt Westergaard by the use of strangulation [15]. On February 12 th 2008 three men were arrested 

facing these complaints, one Danish citizen was released while two Tunisians were administratively 

expelled [15] and controversially imprisoned without trial [151]. The final verdict in the Tunisian 

case is still not given, and on December 4 th 2009 it was decided to try the case at the Danish 

Supreme Court [138]. 

The more recent incidents have had some interesting characteristics in common with the Mickey 

Mouse project (see Section 5.7.2). First of all the cases described below all had links to the training 

camps in north Waziristan, more specifically the Federally Administered Tribal Areas (FATA) on 

the border to Afghanistan. Especially the main person involved in the Glasvej case, who used 

some of the same codewords as in the Mickey Mouse project. 

On October 21 st 2008 an unanimous jury declared Hammad Khürshid (Danish-Pakistan) and 

Abdoulghani Tohki (Afghan) guilty of planning terrorism intending to use bombs [85, 209]. The 

men had experimented with producing the very unstable explosive TATP 68 in their common 

apartment in Copenhagen [209]. The wire-puller Hammad Kürshid was sentenced 12 years in jail 

at the court in Glostrup, while Abdoulghani Tohki was punished with a seven year sentence and 

expelled from Denmark for life because of his Afghan citizenship [209]. After the sentencing new 

information was revealed 69 , which showed that Hammad Khürshid had been recruited and trained 

by one of Osama bin Ladens most important lieutenants, the Egyptian Abu Ubaidah al-Masri, 

in the northern Pakistani province Waziristan [213]. The first arrests associated with the Glasvej 

case were made on April 2007 [209]. 

On June 2 nd 2008 followed an incident not similar to the previous cases, primarily because it took 

place in Pakistan: “A car bomb exploded outside the Danish Embassy in an upscale area of the 

Pakistani capital” [164] Islamabad “killing eight persons and injuring up to 30” [185]. Al-Qaeda 

later claimed to be responsible for the attack, stating it was “revenge for the publishing of the 

Muhammad cartoons” [133]. The Mickey Mouse project followed this incident as the next case 

with links to Pakistan. 

On January 1 st 2010, a 28 year old Somali man attacked cartoonist Kurt Westergaard in his home, 

threatening him with a knife and an ax [186]. Westergaard successfully escaped to his custom made 

panic room, and later the Somali man was pacified by the police using gun shots [186]. According 

to PET the offender had close contact with the militant group al-Shabaab in Somalia [88]. 

The political climate in Denmark in October 2009 and Danish counterterrorism legislation 

“During the last decade the Danish political system has undergone a polarization. Where the political 

scene earlier has been characterized by minority governments that have sought parliamentary 

114

CHAPTER 5. THEORY AND TECHNOLOGY 5.11. TRUST AND USER ACCEPTANCE 

support across the middle, Danish policy today is dominated by two political blocs, respectively, 

a center-left block and a right block” [90], a change that started with the election of a right wing 

government in 2001. On June 8 th 2002 the first Danish counter terrorism law was enacted as a 

direct impact of 9/11 (2001) 70 . The extension of the law grants the Danish secret intelligence 

service PET a number of extended powers concerning surveillance of private individuals and the 

right to perform multiple searches with a single court order [14]. 

Denmark has been involved in the international NATO mission in Afghanistan since 2002. On 

January 11 th 2002 the Danish parliament unanimously decides that Danish military forces should 

be available for an international security force in Afghanistan [17]. A status report from October 

22 nd 2009 shows that Denmark has 690 soldiers in Afghanistan, and that 28 soldiers has been 

killed. “Denmark is one of the countries that measured per citizen has most soldiers killed in the 

NATO led operation in Afghanistan, consisting of 43 countries” [98]. During March 2003 Denmark 

also decided to join the US and British led coalition forces, although there was disagreement in 

government. The majority of the population was against the decision since there was no mandate 

from the UN [156]. 

On June 10 th 2006 the second counter terrorism law was enacted 71 following the 7/7 bombings 

2005 in London 72 . The 2006 law raised concerns of Civil Libertarians, although strong support 

existed in the general public for the further tightening of the counter terrorism laws from 2002 [218]: 

“The mood has shifted in Europe more toward security than it was before the London bombings,” 

said Daniel Keohane, senior research fellow at the Center for European Reform in London. “The 

Europeans have always been very nervous about infringing on civil liberties. But when you 

experience terrorism, it changes your views.” 

However, arguments regarding whether or not these laws are too strict is beyond the scope of this 

Ph.D. dissertation. One comment is however describing the medias influence on Danish policy 

makers: 

In a 1987 speech at Hebrew University in Jerusalem, Associate U.S. Supreme Court 

Justice William J. Brennan Jr. reviewed what he called the “shabby treatment” that 

America’s vaunted freedoms have received in times of war and threats to national security 

[...] 73 . He attributed these lapses to the crisis mentality that Americans develop 

when faced with danger intermittently, rather than living with it constantly. America’s 

decision-makers have been inexperienced in assessing the severity of security threats 

and in devising measures to cope with them in ways that respect conflicting rights and 

liberties. [81] 

Given the relatively short list of terrorist events related to Denmark directly, the same can be said 

of the Danish governments experience with enacting and enforcing such counter terrorism laws. 

And the Danish populations propensity to support them immediately after the revelation of plans 

to strike against Denmark and Danish interests. 

5.11 Trust and user acceptance 

In this section we review user acceptance of information technology for criminal network investigation, 

and we discuss how trust is a prerequisite to such acceptance, and tightly coupled with 

transparency and ownership [175]. 

Taking a computational approach to criminal network sense-making, claiming that investigators 

will benefit from the information provided, raises concerns about user acceptance of this computed 

information 74 . Experienced investigators with the skills to manually derive the computed 

information (given more time) might question how exactly the information has been automatically 

computed and they might be inclined not to trust this computed information enough to base 

their decisions on it [193]. For computational sense-making to be effective, decision makers must 

consider the information provided by such systems to be trustworthy, reliable [144], and credible. 

115

5.12. INTERACTION AND VISUALIZATIONCHAPTER 5. THEORY AND TECHNOLOGY 

See Chapter 11 for more on criminal network sense-making and Section 5.10 for a look at ethical 

issues and in trust in terms of tool support for criminal network investigation. 

5.12 Interaction and visualization 

We give a brief introduction to interaction and visualization in this section. 

5.12.1 Interaction 

We mention and discuss interaction theory and concepts throughout this dissertation. How we 

use interactive “proof-of-concept” prototypes [132] to develop tool support for criminal network 

investigation. What we would like to discuss in this section is human-tool synergies which better 

describes our goals with the aforementioned tool support development. Investigators are the 

decision-makers in criminal network investigations (e.g. low probability situations [130]), while 

algorithms do routine calculations: “Men will fill in the gaps, either in the problem solution or 

in the computer program, when the computer has no mode or routine that is applicable in a 

particular circumstance” [130]. 

5.12.2 Visualization 

Information visualization technologies have proved indispensable tools for making sense of complex 

data [86]. Visualization techniques use both retinal properties and spatial arrangement for the 

presentation of structured information, taking advantage of the human perceptual system. However, 

most visualization systems do not support the visual editing of structured information. The 

lack of direct manipulation of structured information in visualization systems means that there is 

no expression in such an environment, and expression is part of a real decision making process [97]. 

Another problem is that “information visualization applications do not lend themselves to “one 

size fits all” solutions; while successful visualizations often reuse established techniques, they are 

also uniquely tailored to their application domain, requiring customization” [86]. 

Although visualization libraries primarily offer advanced unidirectional mappings, a lot can be 

learned from them in terms of requirements for a graphical-oriented framework design. The 

prefuse toolkit [86] for interactive information visualization is presented as an interesting case. 

Our interest is mainly due to the set of finer-grained building blocks that prefuse provides for constructing 

tailored visualizations. The template-modeled design process of “representing abstract 

data, mapping data into an intermediate, visualizable form, and then using these visual analogues 

to provide interactive displays” is very interesting. 

5.13 Summary 

This chapter started with an introduction to five pillars of theory and technology, describing the 

relevance of each pillar for developing tool support for criminal network investigation, followed 

by a summary of the theory and technologies within each pillar. A color legend was used to 

indicate whether or not each theory or technology was covered in this chapter and to what degree, 

or if it was covered in a fragmented manner throughout the dissertation. Then followed reviews 

and summaries of individual theories and technologies, covered to a certain extent, matching 

their role for this Ph.D. project. Hypertext, semantic web, human cognition, the creative process, 

intelligence, and mathematical models therefore received the most attention. But theory from 

information science, knowledge about simple tools for idea generation, case studies of individuals, 

ethics, trust and user acceptance, and interaction and visualization have also played a role and 

will play a role for future developments in criminal network investigation. This chapter illustrates 

116

CHAPTER 5. THEORY AND TECHNOLOGY 5.13. SUMMARY 

the many perspectives that a software systems engineer in criminal network investigation must 

have, when developing tool support for criminal network investigation. 

117

5.13. SUMMARY CHAPTER 5. THEORY AND TECHNOLOGY 

118

CHAPTER 6 

Problem definition and research focus 

In Chapter 1 we reviewed criminal network investigation challenges, and selected to focus on three 

of them (information, process, and human factors), arguing that investigator centric challenges 

of a quantitative nature (i.e., suitable for modeling) would be addressable by software system 

support. Based on the three selected challenges, we stated the following research hypothesis: 




In this chapter we specialize our hypothesis and conduct a more detailed analysis of specific 

problems associated with each challenge. Based on these problems (and our own knowledge and 

ideas) we also formulate a research focus for each challenge, resulting in a list of requirements to 

guide and evaluate our work (see Section 6.4 for more details on how we propose to do this). The 

list of research focus requirements are considered software development requirements for developing 

software tool support for criminal network investigation, while the criminal network investigation 

tasks presented in Chapter 7 are considered criminal network investigation requirements, i.e., 

a list of tasks that investigators perform (for the majority) whether or not they use dedicated 

tool support or not. Our review of criminal network investigation (criminal networks, structures, 

processes, cognitive bases, and cases 75 ), related work (commercial tools and research prototypes), 

and relevant theories and technologies for tool support of criminal network investigation revealed 

the following problems related to information (Section 6.1), process (Section 6.2), and human 

factors (Section 6.3). 

6.1 Information problems and research focus 

Based on criminal network investigation cases, analysis of criminal network structures, etc. (Chapter 

3), reviews of commercial tools and research prototypes (Chapter 4), literature studies (Chapter 

5), and other analysis work we state information amount, incompleteness, and general complexity 

as information problems for criminal network investigation. 

1. Information amount (e.g., [59,110,116]) includes information abundance and information 

scarcity problems. If information is abundant and resources required to process the informa- 

119

6.1. INFORMATION CHAPTER 6. PROBLEM DEFINITION 

tion are limited, potential suspects might not be discovered. On the other hand, if information 

is scarce, decisions might be based on uncorroborated intelligence later proved to be false. 

Many techniques have been developed that can analyze large amounts of networked information 

and applied during criminal network investigations. Most prominent is social network 

analysis, the study of human relationship networks, or the application of statistical techniques 

to the field of sociology (we review social network analysis in Section 5.9.1). Since 

its beginning, the field has become more mathematical and rigorous, and has widened in 

scope to encompass networks arising in other contexts. Today the field has become known 

as network science [68]. 

The introduction of network science did not add to the network theory for detecting and 

exposing hidden terrorist networks. Time-consuming manual tasks for synthesis of criminal 

networks are still applied by law enforcement and intelligence services (e.g., [68, 139]). On 

a concrete case, it took an experienced crime analyst six weeks to manually extract a fraud 

link chart with 110 people, “even though most of the information in the chart came from 

computerized records. [. . . ] The base network extracted for the [fraud] evaluation (all links 

between all nodes connected within two associational hops of the targets) included 4,877 

nodes and 38,781 reported associations” [139]. This example also illustrates why it has been 

“estimated that police officers spend up to 40% of their time handling information, making 

it one of the most extensive police activities” [20]. 

2. Information incompleteness (e.g., [39, 168, 183]) like variation in available meta data 

(attributes) for entities or missing attribute values. Other incompleteness includes missing 

links and missing network structure (nodes and links). It can be difficult to automatically 

detect associations between entities when information is incomplete. 

Once a criminal network is synthesized, its characteristics can be studied using standard 

network measures such as centrality. However, the well-established techniques are not well 

suited for the fragmented networks that organized crime and terrorism networks often are. 

An intelligence analyst at the British Home Office, pointed this out, during a presentation 

and talk there [167]. Researchers have started developing techniques take into account 

incomplete information (e.g., [177, 183]). We have developed measures of performance for 

transformative prediction algorithms, to see how they reacted when attributes where missing 

from the data or the accuracy of information was not complete [176]. 

3. Information complexity (e.g., [20,116,128]) is typically caused by the emerging and evolving 

nature of information, especially within the counterterrorism domain. Information abundance 

or scarcity on its own does not necessarily make the relations between entities in the 

information more complex. The use of aliases, social complexity (e.g., culture and language) 

and the mix of different information types (e.g., audio, images, signals, video) are all factors 

that will increase the complexity of information. 

Criminals prefer to remain covert, balancing secrecy and efficiency [244], e.g., by encrypting 

their communication or keeping individuals and groups isolated from each other and on a 

need-to-know basis in terms of communication. Or information is complex simply because 

it is fragmented, as mentioned above. The use of deliberate (semantic) aliases, i.e. using 

different names in different contexts, is a well known technique to remain covert. Omar Saeed 

Sheikh, the mastermind behind the kidnapping of investigative journalist Daniel Pearl, was 

known to have used at least 17 aliases [128], and Khalid Sheikh Mohammad, who murdered 

Daniel Pearl, and was the mastermind behind i.a., 9/11 (2001), used two dozen aliases [146]. 

Simon and Burns share their experiences from organized drug crime environments, where 

the drug dealers are out in the open, but use for example encryptions of phone numbers 

when paging each other, to setup business, schedule meetings, etc. [10, 206]. 

120

CHAPTER 6. PROBLEM DEFINITION 6.2. PROCESS 

6.1.1 Research focus (requirements) 

Criminal network investigators deal with information from a variety of sources, all of which are 

important to their decision making process. As pointed out by the 9/11 report [152], linking and 

communicating those pieces of information is a critically important issue. In order to deal with 

the increasing amount of information available, especially through the Internet, automatic tools 

are used to harvest relevant information [148] and compute relationships that implicitly exist in 

the acquired data [55]. The output is a pre-selection that helps analysts to focus on the most 

relevant parts. Those tools, however, focus on a predefined repository and are limited in their 

structural representation. Due to their focus on computation, most of them model relationships 

as graphs. Graphs have been well researched and thus permit the application and use of a variety 

of mathematical models and algorithms. Even though machines are necessary to deal with the 

vast amount of information, final decisions, however, are taken by humans. Analysts need support 

for their decision making process, of which criminal network analysis tools play an important role. 

Dedicated software tools targeted at supporting criminal network investigators in their knowledge 

management work should fulfill the following overall requirements related to information [20]: 

1. Supporting the emergent and fragile nature of the created structure and fostering its communication 

among investigators. 

2. Integrating with the information sources used by the investigators, permitting them to be 

represented and structured in a common information space. 

3. Supporting awareness of, and notification based on, linked information across information 

source boundaries. 

4. Permitting multiple directions of thought through versioning support. Supporting emergent 

structure as a means for knowledge representation, communication, integration, and 

awareness/notification has been and still is discussed in depth in hypertext research. 

6.2 Process problems and research focus 

Compartmentalization is the source of several process related problems, such as responsibility and 

(non optimal) information sharing. By compartmentalization, we mean the restrictions on the natural 

flow of information and problem solving, inhibiting criminal network investigations. Based 

on analysis of criminal network investigation cases and processes (see Chapter 3), literature studies 

(Chapter 5), and other analysis work we summarize incremental deterioration, responsibility, 

overlapping processes, and information sharing problems for criminal network investigation. 

1. Incremental deterioration (e.g., [5,52,59,242]) often happens when following a linear process, 

where investigators receive a mix of information (evidence) and interpretations of that 

information, in the form of reports. Especially, if the institution is collaborating with other 

institutions, information is exchanged in reports. Some law enforcement institutions and 

intelligence services have as part of their intelligence process, to make clear the distinction 

between information and interpretation. But that doesn’t stop the intelligence customer from 

further interpretations of the analysts interpretations. And typically not all information is 

included in reports for the customer, or collaborators. 

The degree of incremental deterioration of information is different if the investigation is 

solely within a single organization compared to (transnational) collaboration between agencies, 

services, and law enforcement. However, while the problem is smaller, it is still there 

and important to address. The most significant example we have come across is Curveball, in 

which interrogation reports traveled from Germany through several compartments in agencies 

and national security organizations in different nations, being translated from Arabic, 

to German to English, before reaching CIA analysts and ultimately decision makers in the 

121

6.2. PROCESS CHAPTER 6. PROBLEM DEFINITION 

White House. Commercial tools for criminal network investigations recognizes this problem 

and promotes their support of loss less data abstractions in commercial material [5]. 

2. Responsibility (e.g., [40,54,59]) often depends on whether a person has something personal 

at risk, the esteem of colleagues or the consequences of bad or rushed decisions. When 

following a process with many compartments, it becomes easier to push the work requiring 

responsibility on to the people responsible in the next compartment. And the individuals in 

that department might be reluctant to “ask back” into the compartment from where they got 

the information, and instead forward it to someone else. 

An example of responsibility, again from the Curveball case, is Alex Steiner 76 , the United 

States defense intelligence agency’s (DIA) liaison to the German federal intelligence service 

(BND), receiving the incoming intelligence reports from BND. The Germans refused Steiner 

or anyone else access to Curveball. Steiner didn’t mind, the case was very complex, and he 

was looking forward to retirement. The case was as a “hot potato”, but he let other people 

care about the details, his role was “to oversee things” [59]. The 22/7 (2011) commission 

report points out that the Norwegian police security service (PST), had received information 

about individuals suspicious purchases of chemicals in Poland, from the customs directorate 

to which other authorities such as the national postal service had raised their concerns. PST 

received this information on 6/12 (2010), but the lead had not been followed up on when 

the attacks happened 22/7 (2011), because the different sections within the police security 

service had spent five months deciding whose domain it was, and later when the case was 

assigned to a section, the responsible case officer had to go on vacation for 10 weeks [153]. 

3. Overlapping processes (e.g., [170, 175]) becomes a software development problem, when 

choosing a target-centric approach. The target-centric alternative to a linear process means 

that criminal network investigation processes will be overlapping, i.e., the structuring of 

information and algorithm-based computations has to be performed on the same model. With 

a linear process, with process compartments, one compartment have one model to solve their 

task, and another compartment uses a different approach to solve theirs. 

Investigators move pieces of information around, they stop to look for patterns that can help 

them relate the information pieces, they add new pieces of information and iteration after 

iteration the information becomes increasingly structured and valuable. Synthesizing emerging 

and evolving information structures is a creative and cognitive process best performed 

by humans. Making sense of synthesized information structures (i.e., searching for patterns) 

is a more logic-based process where computers (tools) outperform humans as information 

volume and complexity increases [175]. 

4. Information sharing (e.g., [40, 152, 242]) problems are often a consequence of the chosen 

intelligence process, the culture of intelligence agencies and the trade craft of secret intelligence. 

Several reports have concluded that information sharing between intelligence agencies 

was the root cause of intelligence failure. The main objective of criminal network investigation 

research should be to understand the problems, processes, and tasks involved and then 

develop tools assisting the people working with these processes and tasks every day to help 

minimize the impact of the problems faced. 

The wall between FBI and CIA before and after the investigations into 9/11 was high and 

thick, and destructing for investigations: “The wall, as it was called, was often misunderstood 

and frequently interpreted too broadly. The agents assigned to collecting intelligence 

sometimes couldn’t, or wouldn’t, talk to their colleagues who were working the criminal side 

of the same cases. Big things – like leads and plots and potential sources – fell through 

the cracks” [146]. On Baltimore police department’s homicide shifts, the numbers game of 

open and closed investigations, readily available for everyone to see in the coffee room took 

a toll on the investigators willingness to talk and discuss cases with detectives from other 

shifts: “For the last several years, detectives from one shift had interacted with those from 

the other only at the half-hour shift changes or on rare occasions when a detective pulling 

122

CHAPTER 6. PROBLEM DEFINITION 6.3. HUMAN FACTORS 

overtime on a case needed an extra body from the working shift to witness an interrogation 

or help kick down a door” [204]. 


A target centric and iterative approach to criminal network investigation is preferred to a linear 

approach, due to the failure of investigations following a linear process model that introduces compartmentalization. 

An alternative to the traditional intelligence cycle is to make all stakeholders 

(including customers) part of the intelligence process. Stakeholders in the intelligence community 

include collectors, processors, analysts and the people who plan for and build systems to support 

them: “Here the goal is to construct a shared picture of the target, from which all participants 

can extract the elements they need to do their jobs and to which all participants can contribute 

from their resources or knowledge, so as to create a more accurate target picture” [40]. To ensure 

shared responsibility throughout a criminal network investigation, and given the many iterations 

over the information and its structure, the source of network changes, interpretations, and decisions 

must be maintained, whether made by investigators or the tool (e.g., algorithms). Developing 

a common data model for both investigators restructuring and organizing information and tools 

analyzing the same information is necessary to support target-centric and iterative investigation. 

In summary, dedicated software tools targeted at supporting target-centric and iterative criminal 

network investigation should fulfill the following overall requirements: 

1. Permitting a target-centric and iterative approach to criminal network investigation is essential, 

thereby creating a shared information space for investigators, functioning as a common 

reference point. 

2. Supporting loss-less data abstractions, so that all investigators can see what has happened, 

if information has to be shared between compartments. 

3. Ensuring that all collectors, analysts, and customers become stakeholders in the success of 

the criminal network investigation, whether working alone or as a team. 

4. Integration of conceptual and computational models to support the target-centric, iterative 

approach with overlapping criminal network investigation processes. 

6.3 Human factors problems and research focus 

Human factors are inherently a challenge for criminal network investigations and often have great 

influence on the impact of the other problems discussed. Contextual pressures such as time 

constraints, dynamism, and changing goals are interrelated to required resources (see for example 

[110, 183, 252]). Existing evidence suggests that decision-making and information processing 

abilities are often not optimal because the informational complexity of the world overwhelms 

human cognitive abilities and creates bias: 

1. Human cognition and creativity (e.g., [9,89,165,201,239]) complicated tasks to support 

and leverage for a software system. The human mind solves problems in certain ways and 

creating new ideas is essential for problem solving, not similar to how a computer solves 

problems. And there are different approaches to creativity, such as “free association” creativity 

and rational creativity produced by persistent, hard work. It is not enough to support 

collaboration and group work, since real groups do not necessarily create more ideas than 

nominal groups. Certain representational structures for cognitive space must be embedded in 

tools supporting criminal network investigation. 

Understanding the boundaries of human cognition is necessary for tool support of criminal 

network investigation: “it is difficult for the human working memory to keep track of all 

123

6.3. HUMAN FACTORS CHAPTER 6. PROBLEM DEFINITION 

findings. Hence, synthesis of many different findings and relations between those findings 

increase the cognitive overload and thereby hinders the reasoning process” [201]. Because 

of this, humans often use simple physical tools when generating new ideas, but existing 

software tools used for criminal network investigation usually don’t have the necessary easeof-use 

compared to scribbling ideas on a whiteboard or paper cards. 

2. Making humans more capable (e.g., [33,62,130]) is the intended purpose of most software 

systems, but when humans and tools have to cooperate, it becomes a difficult task. The 

problem is how to make a software system augment human intellect, instead of trying to 

mimic it, trying to make the computer think, which it cannot. It is necessary to understanding 

what humans do well and what computers do well, to solve this problem. 

“The human eye is enormously gifted at picking out patterns, and visualizations allow is to 

put this gift to work on our network problems. On the other hand, direct visualization of 

networks is only really useful for networks up to a few hundreds or thousands of vertices 

[and] the number of edges is quite small” [155]. Visualizations on their own, whatever 

layouts are applied, are not enough for. Bush (1945) [33] reasoned that since people use 

associations to store and retrieve information in and from their own minds, a machinesupported 

mechanism that provided this ability would be useful for organizing information 

stored in external memory. Augmenting human intellect, i.e. increasing the capability of 

man to approach a complex problem situation, to gain comprehension to suit particular 

needs, and to derive solutions to problems [62]. 

3. Habitual and biased thinking (e.g., [8, 116]) Contextual pressures such as time constraints, 

dynamism, and changing goals affects criminal network investigators. Existing 

evidence suggests that decision-making and information processing abilities are often not optimal 

because the informational complexity of the world overwhelms human cognitive abilities 

and creates bias. The result being that known solutions are chosen and the problems remain 

unsolved. 

“Today functional problems are becoming less simple all the time. But designers rarely 

confess their inability to solve them. Instead, when a designer does not understand a problem 

clearly enough to find the order it really calls for, he falls back on some arbitrary chosen 

formal order. The problem, because of its complexity, remains unsolved” [8]. Humans have 

a tendency to rely on hierarchical tree structures, when faced with complex problems [9,89]. 

Pressure could also make investigators fall back on often applied methods, e.g., homicide 

detectives who are assigned to new crime scenes, having three open cases on their desks, and 

continuously pressured to turn red cases into black by the public display of their stats in the 

office [204]. 

4. Trust (e.g., [144, 175]) in information generated by software tools can be difficult to attain, 

if it is not clear how that information was derived. For computational sense-making to 

be effective, decision makers must consider the information provided by such systems to be 

trustworthy, reliable, and credible. Trust is important for the adoption of software tools for 


Simply by turning to the computer when confronted with a problem, we limit our ability 

to understand other solutions. The tendency to ignore such limitations undermines the 

ability of non-experts to trust computing techniques and applications [193] and experienced 

investigators would be reluctant to adopt them. 


Investigators are the decision-makers in criminal network investigations (especially in low probability 

situations [130]), while algorithms do routine calculations: “men will fill in the gaps, either 

in the problem solution or in the computer program, when the computer has no mode or routine 

124

CHAPTER 6. PROBLEM DEFINITION 6.4. SUMMARY 

that is applicable in a particular circumstance” [130]. In software system development humans 

seem to work better with board-based approaches (e.g., paper cards on a board) compared to 

the traditional form-based approach, where structure is predetermined and the humans have to 

adapt [171, 172]. It is often a good approach to use well known metaphors (e.g., desktop and file 

explorer in Windows) or the way that people interact with each other or physical tools like white 

boards, etc. [174]: “simple gestures help interactions with ideas” [254]. Humans can contribute 

with creativity, but while group work is often promoted as the way to more creativity, “the last 50 

years of empirical studies overwhelmingly suggest that real group creativity is not as effective as 

nominal group creativity.” [239]. Dedicated software tools targeted at supporting human factors 

problems in criminal network investigation should fulfill the following overall requirements: 

1. Augmenting human intellect through knowledge about human cognition, creativity, and 

problem solving theory and practice is essential. 

2. Leveraging transparency and ownership through tailorable models to ensure the end user’s 

trust in calculated information is an important step toward tool usage and output used for 

decision-making. 

3. Software tools used for analysis of criminal network investigation entities must have an easeof-use 

as close as possible to that of scribbling ideas on a whiteboard or paper cards. 

4. Bridging the gap between conceptual and computational models to support cooperation 

between man and software system tool, where humans think, make decisions, and fill the 

gaps, while tools do routine calculations. 

6.4 Summary 

We started this chapter by repeating our hypothesis as formulated in Chapter 1. It was based 

on the three criminal network investigation challenges, which we had chosen to focus on. In this 

chapter, we have provided a more detailed analysis of those challenges and presented specific 

problems related to each challenge. The problems have been used to create a set of research focus 

requirements to guide our development of software tool support for criminal network investigation, 

to address the problems and ultimately reduce the impact of the challenges significantly, supporting 

our hypothesis. We will base our evaluation of whether or not the challenges are met and the 

hypothesis supported, on the research focus requirements formulated for each challenge. In the 

next part of our dissertation (Part III) we use the research focus requirements during analysis 

and design, to ensure that our support of the criminal network investigation tasks will address the 

challenges information, process and human factors. In Chapter 15, we present a mapping between 

criminal network investigation tasks and research focus requirements. 

From now on we will refer to information research requirements as information #1 (emerging 

and fragile structure), information #2 (integrating information sources), information #3 

(awareness and notification), and information #4 (versioning support). We will refer to process 

research requirements as process #1 (target-centric and iterative), process #2 (loss less data 

abstractions), process #3 (make everybody stakeholders), and process #4 (integrate conceptual 

and computational models). Finally, we will refer to human factors requirements as human 

factors #1 (augment human intellect), human factors #2 (transparency and ownership), human 

factors #3 (simple tools ease-of-use), and human factors #4 (human-tool synergy). 

125

6.4. SUMMARY CHAPTER 6. PROBLEM DEFINITION 

126

Part III 

The tool 

127

CHAPTER 7 

Process model and tasks 

That’s the trouble with the red-ball treatment, Pellegrini tells himself, 

scanning one typewritten page after another. By virtue of their 

importance, red balls have the potential to become [. . . ] four-star 

departmental clusterfucks beyond the control of any single 

investigator. 

Homicide detective, in [204]. 


journalism involves a number of complex knowledge management tasks such as collection, 

processing, and analysis of information [173,174]. This chapter presents a human-centered, targetcentric 

process model for criminal network investigations that divides the investigative tasks into 

five overall processes: acquisition, synthesis, sense-making, dissemination, and cooperation. Based 

on case studies and observations of criminal network investigation teams, contact with experienced 

investigators from various communities, examination of existing process models and existing tools 

for investigation, as well as our own ideas for investigative tool support, we have generated a list 

of tasks that a tool for criminal network investigation should support. 

The process model first of all addresses the process challenge that we described in Chapter 6. 

Specifically, the model fulfills process #1 (target-centric and iterative”) and process #3 (make 

everybody stakeholders). We start out by presenting the process model in Section 7.1 and a list 

of criminal network investigation tasks for each of the five overall processes in Section 7.2. We 

conclude the chapter in Section 7.3 by summarizing the model and the tasks, we explain their role 

for the remainder of the dissertation and explain how we intend to evaluate the process model and 

the list of criminal network investigation tasks. 

7.1 Process model 

Criminal network investigation involves the collection, processing, and analysis of information related 

to a specific target to create products that can be disseminated to the customers. Different 

process models have been proposed to handle the complex tasks and issues involved in criminal 

network investigations (such as police investigations [53], intelligence analysis [40], and investigative 

journalism [136]). The three investigation types and related process models are described in 

Section 3.6. 

129

7.1. PROCESS MODEL CHAPTER 7. PROCESS MODEL AND TASKS 

Figure 7.1: Human-centered, target-centric criminal network investigation. 

Criminal network investigation models include the following overall knowledge management processes 

77 : acquiring the needed information (collection and processing), creating a model of the 

target (synthesis), extracting useful information from that model (sense-making), and finally creating 

a representation of the results (dissemination). Based on a specific target-centric model for 

intelligence analysis [40], we propose a generic model for target-centric criminal network investigation 

to embrace police investigations, intelligence analysis, and investigative journalism (Figure 

7.1). 

The customer requests information about a specific target. The investigators request information 

from the collectors (that may also be investigators). Information related to the target is acquired 

in disparate pieces over time. The investigators use the acquired information to build a model 

of the target (synthesis) and extract useful information from the model (sense-making). The 

extracted information results in changes to the model (synthesis). The sense-making - synthesis 

cycle is continued throughout the investigation as new information is acquired and extracted from 

the model. The investigators both work individually and cooperatively as a team. The results of 

the investigation are disseminated to the customer at the end of the investigation or at certain 

intervals (or deadlines). 

Investigation is a human-centered knowledge management process. Investigators (and collectors) 

rely heavily on their past experience (tacit knowledge) when conducting investigations. Hence, 

these processes cannot be fully automated and taken over by software tools. The philosophy is 

that the humans (in this case the investigators) are in charge of the criminal network investigation 

tasks and the software tools are there to support them [248]. The tools should be controlled by the 

investigators and should support the complex intellectual work (e.g., synthesis and sense-making) 

to allow the investigators to reach better results faster. 

CrimeFighter Investigator focuses on providing human-centered, target-centric support for criminal 

network investigation (acquisition, synthesis, sense-making, cooperation, and dissemination). 

Tool support for collection and processing is beyond the scope of this Ph.D. dissertation. The 

CrimeFighter Explorer tool focuses on this type of tool support (see Section 1.4). Tool support 

for advanced structural analysis and visualization of the generated target model is also beyond 

the scope of this Ph.D. dissertation. The CrimeFighter Assistant tool focuses on this type of tool 

support (see Section 1.4). 

130

CHAPTER 7. PROCESS MODEL AND TASKS 7.2. TASKS 

7.2 Tasks 

Based on cases and observations of investigative teams, contact with experienced end-users (investigators) 

from various communities, examination of existing process models and existing tools supporting 

criminal network investigation tasks (e.g., [2,5,7,19–21,25,39,40,53,83,84,101,136,178,254] 

and [6,201,212,252]), and our own ideas for investigative tool support, we maintain a list of investigation 

tasks divided into five processes: acquisition, synthesis, sense-making, dissemination, and 

cooperation. The list of tasks can be seen as a wish list of requirements for what an investigative 

tool should support; the list serves as the basis for our tool development efforts. So far our requirement 

generation and development efforts have primarily focused on tasks related to acquisition, 

synthesis, sense-making, and dissemination, while cooperation will be addressed in more detail in 

future work. The list is not exhaustive; we expect to uncover additional requirements for all five 

processes over time. 

7.2.1 Acquisition 

Acquisition. Some information may be available at the beginning of an investigation, but new 

information tends to dribble in over time in disparate pieces. Information arrives from various 

sources and should be easy to insert (import, drag-and-drop, cut-and-paste, etc.) into the investigation 

tool in a manner that is transparent to the investigator in order to keep trust in the 

information. 

Acquisition methods. Information arrives from various sources and should be easy to 

insert into the investigation tool using methods such as import, drag-and-drop, and cut-andpaste. 

Dynamic attributes are required to support acquisition of various data sets formatted 

using graph markup language (GraphML) or comma separated values (CSV). 

Attribute mapping. To support dynamic attributes it is necessary to map attributes in 

the acquired information to the investigation data model. For example mapping attributes 

to information element labels. 

7.2.2 Synthesis 

Synthesis tasks assist investigators in enhancing the target model: 

Creating, editing, and deleting entities. Investigators basically think in terms of people, 

places, things, and their relationships. 

Creating, editing, and deleting associations. The impact of association analysis on investigative 

tasks is crucial to the creation of the target model. Descriptive associations between 

entities helps discover similarities and ultimately solve investigation cases. 

Re-structuring. During an investigation, information structures are typically emerging 

and evolving, requiring continuous re-structuring of entities and their relations. 

Grouping. Investigators often group entities using symbols like color and co-location 

(weak), or they use labeled boxes (strong). Groupings can be used to highlight and emphasize 

particular entities and their relations. 

Collapsing and expanding information is essential since the space available for manipulating 

information is limited physically, perceptually, and cognitively. Zooming is a way to 

visually collapse or expand information in the space; however, depending on the zooming 

degree, it facilitates information overview at the expense of information clarity. 

131

7.2. TASKS CHAPTER 7. PROCESS MODEL AND TASKS 

Brainstorming is often used in the early phases of an investigation to get an initial overview 

of the target and the investigation at hand. Brainstorming is an example of a task that 

involves both synthesis and sense-making activities. Brainstorming is often supported by 

different types of mind mapping tools that allows the generated information elements to be 

organized in a hierarchical manner. 

Information types. Multimedia support is helpful when investigators want to add known 

positions of persons to a map or link persons to different segments within an audio file. This 

would support for example more intuitive storytelling. 

Emerging attributes are needed to support import of data sets and emerging attributes 

in investigations as well as imported algorithms. 

7.2.3 Sense-making 

Sense-making tasks assist investigators in extracting useful information from the synthesized 

target model: 

Retracing the steps. Criminal network investigators often retrace the steps of their investigation 

to see what might have been missed and where to direct resources in the continued 

investigation. Walking through an existing recorded investigation is used by new team members 

to understand the current status of the investigation and for training purposes. 

Creating hypotheses. Generating hypotheses and possibly competing hypotheses is a core 

task of investigation that involves making claims and finding supporting and opposing evidence. 

Investigators use both fact- and inference-based reasoning to rationalize about their 

beliefs either in a top-down or bottom up manner. This results in different interpretations of 

the information at hand (sequences of information, thought experiments, alternative stories, 

etc.). 

Adaptive modeling. Representing the expected structure of networks for pattern and 

missing link detection is a proactive sense-making task. Adaptive modeling embeds the tacit 

knowledge of investigators in network models for prediction and analysis. 

Prediction. The ability to determine the presence or absence of relationships between and 

groupings of people, places, and other entity types is invaluable when investigating a case. 

Alias detection. Network structures may contain duplicate or nearly duplicate entities. 

Alias detection can be used to identify multiple overlapping representations of the same real 

world object. 

Exploring perspectives. To reduce the cognitive biases associated with a particular mind 

set, exploring different perspectives (views) of the information is a key investigative task. 

Decision-making. During an investigation, decisions have to be made such as selecting 

among competing hypotheses and selecting among alternative interpretations of the information. 

Social network analysis. Network centrality measures such as degree, betweenness, closeness, 

and eigenvector can provide important investigation insights. 

Terrorist network analysis. A terrorist network is a special kind of social network with 

emphasis on both secrecy and efficiency (especially covert terrorist networks. Operational 

focus is on destabilization, and techniques include inference-based prediction, measures of 

link efficiency and secrecy to determine link importance, and community and key players 

detection. 

132

CHAPTER 7. PROCESS MODEL AND TASKS 7.3. SUMMARY 

7.2.4 Dissemination 

Dissemination tasks help the criminal network investigators to formulate their accumulated 

knowledge for the customer: 

Storytelling. Investigators ultimately “tell stories” in their presentations when disseminating 

their results. Organizing evidence by events and source documents are important tasks, 

so that the story behind the evidence can be represented. 

Report generation involves graphics, complete reports, subspaces, etc. Being able to 

produce reports fast is important in relation to time-critical environments and frequent 

briefing summaries. 

7.2.5 Cooperation 

Cooperation is a natural part of investigations. Cooperation leads to better synthesis and 

sense-making that is informed by more perspectives. In addition, more advanced communication, 

collaboration, and coordination support is necessary to support asynchronous and synchronous 

cooperation among team members, situations where investigators are distributed in time and 

space, as well as advanced investigation work flows. 

Shared information space. Sharing of the target model among team members is the 

starting point of cooperation. 

Discover emergent collaboration. The discovery of emergent collaboration, would help 

the coordination of resources by putting investigators analyzing similar or the same entities 

in touch with each other. 

Shared work flows. Sharing work flows, like sense-making work flows and custom algorithms 

or mining work flow patterns from the previous use of intelligence information. 

7.3 Summary of process model and tasks 

We have developed and presented a target-centric process model for criminal network investigation. 

We have also defined a list of investigation tasks based on our aggregated domain knowledge, 

for each of five processes in the model (acquisition, synthesis, sense-making, dissemination, and 

cooperation). The process model was developed as a response to the challenge that process poses 

to criminal network investigation, but it will also be used as a framework for our development of 

software tool support for criminal network investigation. Each process has a dedicated chapter 

(Chapters 9 to 13) where tasks for that process are further analyzed, designs for the implementation 

of each task are presented, and finally CrimeFighter support of those tasks is reviewed. 

We have primarily focused on synthesis and sense-making processes as they were found to be most 

central to our hypothesis and research focus requirements. Less focus has been on acquisition and 

dissemination, while cooperation has received only limited attention, and will be part of our future 

work. We will evaluate the process model and tasks by comparing the implemented support 

in CrimeFighter Investigator against the capabilities of similar commercial tools and research 

prototypes (see Section 15.3). 

133

7.3. SUMMARY CHAPTER 7. PROCESS MODEL AND TASKS 

134

CHAPTER 8 

Concepts, models, and components for CrimeFighter Investigator 

That which is over designed, too highly specific, anticipates outcome; 

the anticipation of outcome guarantees, if not failure, the absence of 

grace. 

[William Gibson] 

Perfection is reached not when there is no longer anything to add, but 

when there is no longer anything to take away. 

[Saint-Exupéry] 

Initially, we wanted to present an elaborate analysis, design, and implementation of a domainindependent 

framework for knowledge management, based on our research of and experience with 

criminal network investigation and other ill-structured problems, such as software development 

planning. However, we realized that it would be of much more importance and relevance to present 

the basic concepts we developed for criminal network investigation and the software components 

we built to support them. As Sifakis (2011) mentions in his review of computer science: “we 

should study principles in building correct systems from components” [202]. 

In this chapter, we describe our developed conceptual and computational models (see Figure 8.1). 

An overview of mathematical models (or techniques) was given in Section 5.9, and examples 

of computational models for some of these techniques that CrimeFighter Investigator supports 

are explained in Chapter 11 covering criminal network sense-making. We have separated structural 

concerns from the default mathematical models 78 , since the mathematical models should be 

able to process or adapt to any structural model they are faced with and not only the traditional 

navigational structures. Frequently used structural models are reviewed in Section 5.1, and Crime- 

Fighter Investigator designs and support using these structural models are covered in Chapter 10 

on criminal network synthesis. In summary, we have, like others, weighed the trade offs between 

“representations designed for human perception and use, and those designed for computer manipulation” 

[95], and the result was an improved understanding of separated structural, mathematical, 

and computational models that supports both synthesis and sense-making, separately but more 

importantly combined for criminal network analysis (synthesis and sense-making), as shown in 

Figure 8.1. 

The remainder of this chapter is organized as follows: In Section 8.1 we describe our conceptual 

criminal network investigation model and how it was developed, followed by different aspects of our 

computational model in Section 8.2. Section 8.3 outlines basic concepts for information, process, 

135

8.1. CONCEPTUAL MODEL CHAPTER 8. SOFTWARE COMPONENTS 

Figure 8.1: Conceptual, structural, mathematical and computational models for support of individual 

synthesis and sense-making processes, but more importantly also for criminal network 

analysis (both synthesis and sense-making). 

and human factors research focus requirements, and relates these to specific software components. 

Requirements for a selection of these components is given in Section 8.4 and their designs are 

presented in Section 8.5. Finally, we give a short introduction to the basic concepts supported by 

CrimeFighter Investigator in Section 8.6. 

8.1 Conceptual model 

The building blocks of criminal networks are information entities. The CrimeFighter Investigator 

conceptual model (Figure 3.1) defines three such entities, namely information elements (nodes), 

relations (links), and composites (groups), as shown in Figure 8.2 (and Figure 8.1). Information 

elements hold information about real-world objects. Investigators basically think in terms of 

people, places, things, and their relationships. For visual abstractions of the information element 

we use rectangular visual symbols for simplicity, but they could have any form (circles, triangles, 

etc.) to illustrate different types of real-world objects. Relations represent links of different types 

and weights that can associate information entities directly. We refer to the connecting ends 

of relations as endpoints. Links have two endpoints, they can be both directed and undirected, 

and they have different visual abstractions (see Figure 8.2, middle). Composites are used to 

organize entities in sub groups. We work with three types of composites: reference composites 

are used to group entities in the common information space, inclusion composites can collapse 

and expand information to let investigators work with subspaces, and relation composites, though 

technically an inclusion composite for relations instead of information elements (see also Chapter 

10 for analysis, design, and support of composites). The circles in Figure 8.2 indicate connection 

endpoints for each entity type. 

Previous research on criminal networks has to a large degree focused on making sense of nodes. 

Links are seldom first class objects in the terrorism domain models with the same properties as 

nodes. This is in contrast to the fact that the links between the nodes provide at least as much 

relevant information about the network as the nodes themselves [79]. The nodes and links of 

criminal networks are often laid out at the same level in the information space. Composites are first 

136

CHAPTER 8. SOFTWARE COMPONENTS 8.1. CONCEPTUAL MODEL 

Figure 8.2: Abstract conceptual model. 

Figure 8.3: CrimeFighter Investigator conceptual model - software components. 

class entities that add depth to the information space. Navigable structures and entities (including 

composites) are useful for investigative synthesis tasks such as manipulating, re-structuring, and 

grouping entities [174]. The way a criminal network breaks down into subgroups can reveal levels 

and concepts of organization and help us to understand how the network is structured [155]. 

An information entity comprises several components. Each entity has a set of dynamic attribute(s) 

(meta data). Currently three types of attributes are supported: strings (single line of text), text 

areas (multiple lines of text), and enumerations (a defined set of allowed values). The visual 

abstraction of an entity is computed from it’s visual content and menu button(s). The visual 

content is used to create the default information elements available in CrimeFighter Investigator, 

which are all composed using geometric shapes (circles, lines, rectangles and polygons). A number 

of menu buttons can be added to entities to create a link to a specific functionality. The examples 

shown in Figure 8.3 are the delete button (X symbol) and the attributes button (A symbol). 

Below, we summarize information elements, relations, and composites we have come across in our 

studies of criminal networks, investigations thereof, and tool support therefor. See Chapter 3 on 

criminal network investigation, our review of theory and technology in Chapter 5, and related 

work on commercial tools and research prototypes for criminal network investigation in Chapter 

4. We focus on the functional and visual parts of entities that are consistently there, but might 

be positioned differently in relation to other elements/parts of the entities. Figure 8.5 shows some 

examples of the different kind of entities we came across in our analysis and will be used as the 

basis for our design below. But first a review of and our perspective on entity layers. 

8.1.1 Entity layers 

As previously mentioned, the basic entities of CrimeFighter Investigator are information elements, 

relations, and composites. These are placed in the information layer of the architecture for instantiations 

of the conceptual model, as shown in Figure 8.4. Instances of information elements, 

137

8.1. CONCEPTUAL MODEL CHAPTER 8. SOFTWARE COMPONENTS 

Figure 8.4: CrimeFighter Investigator conceptual model entity layers. 

relations, and composites can be created to serve the domain-specific information analysis tasks, 

e.g. for criminal network analysis a person would be an obvious and often used information 

element. 

Information elements and relations are both associated with a set of entity specific attributes and 

rules. Information elements are also associated with an adaptive graphical abstraction. In Figure 

8.4 it is a stick man figure, but we also imagine a more detailed abstraction showing physical 

characteristics of a group of people or maybe a photograph of the specific person. Relations are 

associated with less adaptive graphical abstractions, only visual symbols such as color and line 

thickness can be edited. Composites can be outlined, and either have a solid background of some 

color, be transparent, or empty. Examples of visual abstractions can be seen in Figure 8.5. 

The associative semantics of information elements, relations, and composites are embedded in 

the structure layer. The structure layer is divided into two sub layers, the spatial and network 

layers. The semantics of the spatial layer is based on the physical co-location of information 

elements in the information analysis space. The semantics of the network layer is based on the 

relations connecting information elements. The presentation layer facilitates visualization of and 

the user’s interactions with the underlying layers. Interactions based on drag and drop gestures 

and direct manipulation of information element and relation content are key to mimicking physical 

cards-on-table information analysis. 

8.1.2 Information element designs 

We use the information element examples in Figure 8.5 as a point of reference. We summarize 

the ideas presented below (as well as for relations and composites), when we define requirements 

for the entity component in Section 8.4.1. Information elements represent different types of information 

about investigation entities such as persons, locations, organizations, etc. and about 

138

CHAPTER 8. SOFTWARE COMPONENTS 8.1. CONCEPTUAL MODEL 

Figure 8.5: Examples of entities that we have come across in our reviews and analyses. 

information entities such as emails, articles, notes, reports, etc. (see Figure 8.5). A number of 

default information elements should be default (i.e., some degree of domain-orientation assists the 

user [91]). If a criminal network investigation team needs additional types of information elements 

to better depict their case, new information elements should be easy to create and add to the 

default list. Information elements must be component-based to make them dynamic and flexible. 

A separation of content and human-computer interaction areas is preferred, as they have different 

functional purposes. A content space contains the visual abstraction (i.e., a combination of graphics 

and interactive areas with or without text). The menu space holds a number of menu buttons 

that can access specific interactions (e.g., delete), or the content of the information element (e.g., 

attributes used for meta data). If we base the graphical abstractions of information elements are 

on geometric shapes such as circles, rectangles, and triangles, it will be possible to make human 

perception easier and faster, compared to more textual representations. 

8.1.3 Relation designs 

Again, we use the relation examples in Figure 8.5 as a point of reference. CrimeFighter Investigator 

relations must capture relationships between information elements [33]. A relation can hold textual 

information about the nature of the relation (e.g., “leader-of”, “lives-at”, etc.) as well as the 

direction of the relation (unidirectional or bidirectional), see Figure 8.5 for examples. Relations 

must be first class entities, just like information elements; this means that they will have attributes 

for holding meta data, investigators can interact with relations in the same manner as information 

elements, and finally, the visual semantics must be the same. If an information element linked with 

a relation is deleted, the relation itself cannot be deleted; the action performed on the information 

element was independent from the relation, and the relation should therefore not be affected, 

except for the fact that it can no longer be connected to that information element, obviously. 

If both endpoints are deleted, the relation should be movable in a fashion similar to that of 

information elements and composites. Functionally for reconnecting relations to other entities 

139

8.2. COMPUTATIONAL MODEL CHAPTER 8. SOFTWARE COMPONENTS 

must be supported, preferably using drag and drop. 

8.1.4 Composite designs 

As above, we use the composite examples in Figure 8.5 as a point of reference. CrimeFighter 

Investigator support of composites would be useful in terms of grouping information elements and 

relations in the information space [82]. Composites must be first class entities, just like information 

elements and relations. As an example, if two persons are considered to belong to either of two 

groups, but it is unclear which one, overlapping composites could be used to indicate that they 

are in both composites. It would be a way of representing what is known at that time in the 

investigation, which is what criminal network investigators often ask themselves: what do we 

know? [52]. Relation composite is another type of composite that would allow investigators to 

group multiple relations between two entities (such as multiple emails or phone calls between two 

persons) into a single visible entity (composite). Relation composites group relations by inclusion. 

A third type of composite could be useful for support of collapsing and expanding information. 

This type of composite would group all information elements by inclusion. It must be considered 

what to do with relations that are internal to the composite (i.e., have both endpoints inside), 

should be included or not, and whether or not external relations (one endpoint outside) are 

referenced or included. This type of composite would support the concept of a subspace, allowing 

the investigators to work in detail with a portion of the overall network. Ideally, a subspace would 

provide the same functionality as the space. 

8.2 Computational model 

Associations between entities is the basic input for computations. Here, we further enhance the 

computational model for criminal networks proposed in [244] to assist criminal network investigators 

searching for specific patterns in their gathered information. We furthermore propose the 

need to describe the nature of links and nodes, and thereby extend traditional social network 

analysis model: “without accounting for the content of communication, social network analysis 

runs into the pizza guy delivery problem: confusing regular contact with significant contact” [26]. 

A person A can be related to a person B in a number of ways, and any subset of these relations 

can mean something within a certain context, and hence would be weighted differently according 

to their importance. The complete set of relations would constitute what is known about the 

relationship at that place in time. 

During target-centric criminal network investigations, the investigative team adds information 

pieces as they are discovered and step-by-step information structures emerge as entities are associated. 

We have observed that initially the information entities are placed randomly in an 

information space. If a new entity is somehow associated with an entity already in the shared 

information space, then it is positioned next to that entity (co-located). Later, some co-located entities 

are directly associated using link entities, because the investigators have learned the nature of 

the relationship between the entities. Depending on the level of time criticality (e.g., high security 

risk), a decision has to be made at some point. When the network is fragmented and incomplete 

such decision-making can be a challenging task due to the uncertainty. Sense-making algorithms 

are often applied to assist investigators in making these decisions and we discuss measures of 

centrality for individual network entities below. 

Information entity associations form information structures and centralities are computed based 

on these associations. Subsequently, associations impact the measures of centrality we want to 

calculate. Criminal network investigation has to a large degree so far focused on the direct association 

of nodes. Links are seldom first class objects in the terrorism domain models with the same 

properties as nodes. This is in contrast to the fact that the links between the nodes provide at least 

as much relevant information about the network as the nodes themselves [79]. The nodes and links 

of criminal networks are often laid out at the same level in the information space when the network 

140

CHAPTER 8. SOFTWARE COMPONENTS 8.2. COMPUTATIONAL MODEL 

is visualized. Composites (groups) are first class entities that add depth to the information space. 

For investigative purposes navigable structures and entities (including composites) are useful for 

synthesis tasks such as manipulating, re-structuring, and grouping entities. Our understanding of 

information links (relations) and groups (composites) is based on hypertext research [174]. 

CrimeFighter Investigator supports two structure algorithm types: measures (e.g., entity centrality), 

transformative algorithms (e.g., prediction of entities). Combinations of these are referred 

to as custom algorithm types. Custom algorithms are templates of specific criminal network investigation 

work flows, e.g., understanding the secondary effects of entity removal or insertion. 

All algorithms implement the report interface, where an algorithms report elements and design is 

defined. Rules are used to describe entity-to-entity relations, attribute cross products etc. Each 

algorithm has a set of general settings and specific settings. Specific settings includes algorithm 

hooks, i.e., the entity attributes that algorithms base their computations on, and customizable 

algorithm parameters. 

8.2.1 Entity association design 

Based on the concepts of centrality and association, we outline a topology of associations between 

criminal network entities which impact the centrality of individual entities with varying degree. 

Our topology is divided into direct and semantic associations (see Figure 8.6 and 8.7). Direct 

associations are expressed using link entities. The link may be weak by weight (low value), by 

type (rumor, acquaintance, one-visit-to, etc.), or by evidence (uncorroborated, questionable news 

paper, etc.), but it is nonetheless interpreted as a direct association by sense-making algorithms 

and in visualizations. Semantic associations between criminal network entities are build incrementally 

based on the tacit knowledge of investigators and the investigation domain their target 

operates within. Initially, investigators express information “via visual or textual means and later 

formalize that [information] in the form of attributes, values, types, and relations” [197]. 

The visual symbol for direct associations is a thick solid line, and thin solid circles indicate entity 

connection points in Figure 8.6 and 8.7. The visual symbol for semantic associations is a dashed 

line and dashed circles indicate connection points. We realize that some of these associations 

are more relevant than others, and it is exactly this relevance of alternative associations that we 

are investigating in this section. In Figure 8.6a to 8.6c, we show three classic associations: the 

node-link-node association is the most frequently used (8.6a), together with the less frequently 

used node-link-group (8.6b) and group-link-group (8.6c) associations. 

(a) node-node (b) node-group (c) group-group 

(d) link-link (e) empty endpoint I (f) node-sub node (g) empty endpoint II 

Figure 8.6: Direct associations in our topology includes classic associations (a-c) and novel associations 

in terms of centrality measures (d-g). 

141

8.2. COMPUTATIONAL MODEL CHAPTER 8. SOFTWARE COMPONENTS 

(a) clique I (b) clique II (c) meta data (d) sequential 

(e) group-subgroup (f) node-subnode (g) node below 

Figure 8.7: Semantic associations in our topology include spatial associations (a-d) and hierarchical 

associations (e-g). 

Figure 8.6d to 8.6g shows four examples of direct associations that occur in criminal network 

investigations, but are not included when entity centrality is computed. A link could be the 

target of an investigation, e.g., Daniel Pearl was investigating whether or not there was a link 

between Richard Reid (the shoe bomber) and the leader of a local radical Islamist group [162]. 

Other examples include knowledge about the money transfer between two individuals or that 

one individual had seen them talk at the same location on numerous occasions (Figure 8.6d). 

The empty endpoint is another example of a direct association that occurs in criminal network 

investigations, but is not (directly) addressed by traditional centrality algorithms. The need to 

include empty endpoints in centrality is straightforward: if investigators know that someone is 

distributing drugs to three individuals, e.g., based on wire taps, but they don’t know who those 

individuals are, then an empty endpoint can be used until it is clear. This could be the case for 

both nodes and groups (see Figure 8.6e and 8.6g). Finally, direct associations between entities 

outside groups to entities inside groups are needed (both for reference and inclusion composites, 

see Figure 8.6f). When criminal network investigators start grouping entities, structures where 

entities outside the group are linked to entities inside the group might emerge. But the relation 

still has association to that entity in the subgroup. 

The semantic co-location association should be used carefully by investigators. If the investigators 

position entities near each other spatially because they are assumed to be related somehow, then 

it will make sense to use spatially based associations. But if not, then it will simply clutter the 

network with non-relevant relations. If entities are placed near each other or as overlapping entities 

it could mean that they are forming a sort of clique (Figure 8.7a and 8.7b). Also, as it is the case 

in the analyzed organized drug crime investigation board, position entities next to or around a 

(centered) entity could mean that the information entities are meta data about the centered entity 

(Figure 8.7c). Entities positioned next to each other horizontally or vertically, could mean that 

the entities represent a sequence (Figure 8.7d). 

Semantic hierarchical associations can occur either when composites are used or when information 

entities are positioned spatially in a manner that resembles that of a hierarchy. If a group contains 

single information entities and subgroups, the single entities must have some sort of relationship 

to the entities in the subgroups since their overall classification is the same (Figure 8.7e). Also 

it could be that a single entity is associated with a composite (group) and therefore might have 

142

CHAPTER 8. SOFTWARE COMPONENTS 8.3. CONCEPTS AND COMPONENTS 

some sort of relation with entities within that composite (Figure 8.7f). Finally, positioning entities 

in spatial hierarchies as shown in Figure 8.7g indicates entities below other entities represent sub 

entities. 

The topology of associations can be seen as a wish list of requirements for what a computational 

model for criminal network investigation should support in this regard. The topology is not exhaustive; 

we expect to uncover additional associations over time. Especially new semantic associations 

based on temporal distance (when individuals appear on an investigation time line together with 

other individuals and events etc.), distance between entities in the real world, distance in family 

ties, and so on. 

8.3 Concepts and components 

Based on the research focus requirements we listed in Chapter 6 for each of three criminal network 

investigation challenges (information, process, and human factors), we propose a list of 

generic knowledge management system and hypertext concepts and explain how they can support 

these research focus requirements. Based on the generic knowledge management requirements, 

we decompose these knowledge management system and hypertext concepts into actual software 

components (see Figure 8.8). Some concepts are supported by multiple components, while others 

have been directly mapped to an equivalent component. 

Figure 8.8: Concepts and components from research focus requirements. 

Below is a selection of the concepts in Figure 8.8, and what we mean by each one, and what 

individual research focus requirements they relate to (refer to Figure 8.8 for the name of research 

focus requirements). The list contains concepts mentioned when presenting the CrimeFighter 

toolbox, when reviewing hypertext structures, 

143

8.4. COMPONENT REQUIREMENTS CHAPTER 8. SOFTWARE COMPONENTS 

1. Information A tool for criminal network investigation must encapsulate (pieces of) information, 

making it available for interaction and manipulation. The information concept relates 

to information #1 (emergent and fragile structures) and information #2 (integrating 

information sources). 

2. Structure domains To support different structuring domains and to be able to separate 

the structural models from the mathematical models, the structure domains have to be well 

defined. Hypertext provides us with such well defined structures. The structure domains 

concepts relates to information #1 (emergent and fragile structures) and process #4 

(integrating conceptual and computational models). 

3. Versioning. Supporting different versions of a criminal network investigation is essential, 

and the concept of versioning offers different approaches to such support. The versioning 

concepts relates to information #1, #2, and #4. 

4. Storage The information and knowledge generated during investigations has to be saved 

for later retrieval and continued investigation. Storage is a different kind of versioning, not 

having the same conceptual meanings as the versioning concept above. With a knowledge 

base in place, storage becomes a matter of being able to externalize or share (parts of) 

a criminal network investigation. We do not consider storage to be related to any of the 

research focus requirements. 

5. Interpretation The investigator interpretation of events, open questions, or other parts 

of an ongoing criminal network investigation. This concepts relates particularly to human 

factors #1 and human factors #4. 

6. Analysis refers to either the investigator organizing the available evidence in ways to make 

associations between information pieces more clear, or the use of algorithm-based tools for 

semi-automated analysis. The concept of analysis primarily relates to the research focus 

requirements information #3 and human factors #1, #2, and #4. 

It is tempting to start drawing lines between concepts and components in Figure 8.8, but it defeats 

the purpose of focusing on individual components instead of a complete framework; as long as the 

component interface is clearly defined (i.e., abstracted to a suitable level), there should be so 

many possible combinations of these components, that drawing lines becomes pointless. Instead, 

we present each mentioned software component and the knowledge management and hypertext 

system concepts these components are intended to support in a software tool for criminal network 

investigation. The components are listed according to their importance and focus for our Ph.D. 

project (see the next section for component requirements). 

1. Entity is the basic information component, a prerequisite for support of all concepts. 

2. History is a component for support of versioning. 

3. The algorithm component will support analysis. 

4. Datafile is a component for storage of criminal network investigations. 

8.4 Component requirements 

For each of the software concepts presented in Section 8.3, we define a list of component requirements, 

for each of the four components we chose to focus on in the previous section. First in 

Section 8.4.1, for the most basic concept Entity we list design requirements, followed by History 

(see Section 8.4.2), Algorithm (see Section 8.4.3) and Datafile (see Section 8.4.4). 

144

CHAPTER 8. SOFTWARE COMPONENTS 8.4. COMPONENT REQUIREMENTS 

8.4.1 Entity requirements 

First, for the most basic concept, we have created information entity requirements based on analysis 

done in this Ph.D. dissertation together with our previous work [165,170]. These requirements 

are presented below and will primarily support the research focus requirements information #1 

(emerging and fragile strucure), process #3 (simple tools ease-of-use), and process #4 (humantool 

synergy), but in general the entity will be the basic supporting element of all research focus 

requirements. 

1. Graphical abstractions. 2D graphical composites constructed using geometric shapes 

should be supported. Each geometric shape must be placed relatively to the information 

element’s (0,0) position, i.e. the position of the information elements upper left corner on 

the space. 

Our motivation is to provide a proper but easy comprehensible visual abstraction for usageoriented 

information elements. This would provide the spatial hypertext developer with an 

opportunity to setup some conceptual relationships, prior to the user getting system access. 

2. Interactive abstractions. All geometric shapes (e.g., circles and polygons) should be 

interactive in the sense that clicking them creates an event, on which the spatial hypertext 

can act. This also covers simple textual visualizations such as rectangular labels. 

This is partly due to our positive experience with a board-based approach using directmanipulation 

techniques, as opposed to the more obstructive form-based approach where all 

available fields has to be edited through a pop-up dialog box. Also it supports the creation 

of yet-to-be imagined visual abstractions representing information elements. 

3. Editable abstractions. The visual abstractions of pre-defined usage-oriented information 

elements should not be locked. They should be editable through an embedded abstraction 

editor (see next requirement). And also stored in a format which would allow them to be 

edited in a third party structural drawing application or used by other spatial hypertexts. 

4. Typed abstractions. To support automated and meaningful (i.e., usage-related) viewgeneration, 

all visual abstractions must allow type assignment. 

5. Visual cues. Textual cues like text alignment, font, font size, number of lines of text, text 

width. Graphic cues like background image, background/border color, transparency. 

6. Bidirectional mappings. The framework should support a graphical approach to bidirectional 

(two-way) mappings between visual representations and their underlying data 

stores. We propose to embed an information element editor within spatial hypertexts, offering 

drag-and-drop ‘entity attribute to visual abstraction’ mapping options. We propose 

a drag and drop approach where a data field is grabbed and dropped onto one shape in the 

drawing area. The mapping between the data field and the geometric shape is automatically 

generated. 

8.4.2 History requirements 

The aim of the history component is to provide support beyond traditional undo-redo, and we will 

list requirements that reflects this. Undo-redo can be realized using a linear history which records 

criminal network investigation delta’s, and we use this as a starting point. But should also support 

branched history, navigation of branched history, story telling etc. Our requirements are based 

on our own criminal network investigation domain knowledge and previous work on history and 

branched history [96,117,198]. A history component would support the requirements information 

#4 (versioning support) and to a certain degree process #2 (loss less data abstractions) and 

process #3 (make everybody stakeholders). 

145

8.4. COMPONENT REQUIREMENTS CHAPTER 8. SOFTWARE COMPONENTS 

1. Event. The basic entities of criminal network investigation history are events. Events must 

encapsulate the investigators interaction with information in the common information space, 

as well as the tools interactions with that information (see algorithm requirements in Section 

8.4.3). Examples of criminal network investigator interactions are creating, deleting, 

and updating entities, and moving entities. It would be relevant to record sense-making 

interactions as well: the investigator requested betweenness centrality measures, the user 

made the following updates in the time line view. Such information might be relevant for future 

retracing the steps. Examples of tool interactions with information includes algorithms 

transforming the criminal network. 

2. Type of event. There are many type of basic history events, such as create, delete, move, 

update, etc. Sense-making event types might include applied measure algorithm or applied 

transformative algorithm. Such basic event types are required, to know what to do, when 

navigating the history event, whether it is navigation of a linear or branched history. 

3. Content of event. Some network content is associated with history events. If the type is 

create, then the content might be a single information element, relation, or composite. If 

the event is applied transformative algorithm, the content of the event might be a network 

structure of information elements, relations, and composites all together. Again, information 

about the content is required for navigating history. 

4. Visual symbols. The type of event and content of event would benefit from visual symbols, 

to be able to differentiate between them. Supporting user choice of symbol would be 

preferred. 

5. Editable. History must be editable. A fine grained history is often required to capture all 

events, but this is not suitable for dissemination to intelligence customers or fellow investigators. 

Grouping and annotation of events is therefore required. 

6. Parser. A parser that search for patterns in history, e.g., these three events where created 

within seconds of each other, and we therefore assume they are part of the same synthesis 

action. The history parser should ask the user to approve history editing patterns before 

applying them automatically to series of history events. 

7. Structure. The history should support structure domains. We imagine that taxonomic 

structure will be necessary to support a branched history [96, 117]. Navigational structures 

would be necessary to present jumps between events in different branches of history. This 

could be used for story telling, i.e. comparison of decisions made in different branches of 

investigation history. 

One particular parameter to consider related, is the amount of memory required to store the history 

supporting the requirements we have described above 79 , i.e., a fine grained, branched history, 

supporting the investigator’s interactions with information in a common information space. 

8.4.3 Algorithm requirements 

To ensure that algorithms do not become black box components in tools supporting criminal 

network investigation, we suggest to focus on providing the users with options for interaction with 

algorithms. The algorithm component requirements will primarily support the research focus 

requirements human factors #1, #2, and #4, focusing on augmentation of human intellect, 

transparency and ownership, and leveraging human-tool synergies. 

1. Types of algorithms. During analysis we have found a need to support three basic algorithm 

types, namely measuring algorithms, transformative algorithms, and custom algorithms. 

The measuring algorithms simply provide different measures for (parts of) criminal 

146

CHAPTER 8. SOFTWARE COMPONENTS 8.5. COMPONENT DESIGN 

network structures of entities. Transformative algorithms suggest an alteration of the network, 

either by adding or removing entities, changing attribute information, or visually 

updating (some selection of) entities somehow. 

2. Algorithm steps. Controlling the steps of an algorithm, requiring a separation of algorithm 

into steps, where each step has inputs and outputs. Guide the user through steps once they 

have been tailored, and the user have customized them. 

3. Input and output. Algorithms for criminal network investigation take criminal networks 

as input and outputs the same criminal network with the results of the algorithm augmented. 

Algorithms must in other words be able to parse the conceptual model (i.e., traverse hierarchies 

and follow associations) prior to or during computation. 

4. Customizable. Algorithms must have an interface for customization to the extent it is 

possible for individual algorithms. Typically customization would involve adjusting input 

and output variables, loading specific information for the algorithm etc. Visual customization 

is preferred to traditional graphical user interface input fields. 

5. Tailorable. Both individual algorithms and custom algorithms should be tailorable. Individual 

algorithms, in the sense that controlling the computational steps of the algorithm 

could become useful in some situations. An example could be, letting the investigator sort 

shortest paths between all vertice pairs, before running the remainder of the algorithm. For 

custom algorithms, comprising more than one algorithm, it must be possible to tailor in 

terms of the order of algorithms, as well as what to do with the output from one algorithm, 

before forwarding it to the next. 

8.4.4 Datafile requirements 

A datafile component will deal with mapping information to and from our conceptual model (information 

elements, relations, and composites). It needs to encapsulate both the proprietary saving 

and loading of criminal network investigation in CrimeFighter Investigator (serialized XML), as 

well as general data formats such as comma separated values (CSV), XML, and other formats 

used by other tools like social network analysis tools. The datafile component primarily supports 

the research focus requirements information #2 (integrating information sources) and to some 

extent information #4 (versioning support). 

1. Mapping to conceptual model. A datafile component must be able to map data to the 

conceptual model of a tool. In relation to criminal network investigation, this is entities 

(information elements, relations, composites). 

2. Import data formats. The datafile component must have an abstract interface for import 

of various data formats. This should ensure that the tool support remains open and 

extensible, in order to be able to accommodate new data formats. 

3. Export data types. The datafile component must also have an abstract interface for 

exporting to various data formats. 

8.5 Component design 

Here we present component designs of three of the four previously chosen components entity, 

history and algorithm. The datafile component was found to be sufficiently described by the 

component requirements in the previous section. 

147

8.5. COMPONENT DESIGN CHAPTER 8. SOFTWARE COMPONENTS 

8.5.1 Entity 

The design of the entity component is essential as the success or failure of all other components 

and hence features relies on it. The design is presented in Figure 8.9. 

Figure 8.9: Entity component design includes the component’s relations to the common information 

space (left), the interrelationship of basic component elements (middle), and other elements 

related to the component, but not directly part of it (right). 

Figure 8.9 reflects how all entities should have a fixed absolute position in the common information 

space. An entity has a number of visual elements, all positioned relatively to the absolute position. 

A visual abstraction is at the center. This is a symbol informing the user in an intuitive what 

the contents of the entity is. It will be encouraged to build the visual abstraction using geometric 

shapes such as rectangles, circles, and triangles, since that would make possible later association 

of specific semantics with individual areas of the visual abstraction. However, for criminal network 

investigations, it would also be useful to use a picture as visual abstraction. Our analysis showed 

that simple entity actions such as delete and edit should be visual elements positioned relatively 

to the entity. These sort of manipulations concerns the entity as a whole. 

Direct manipulation of content (or meta data, described below) is essential to keep interaction 

simple. Important meta data that are often edited for a specific entity should be available for 

direct manipulation as an visual element. Finally, an element that will allow both the resizing 

of an entity and provide connection points between entities is necessary. For a relation, for 

example, this element would be at either end of the relation. Initially empty, since the relation is 

not connected to any other entities, but then grabbing and dragging the element (endpoint) would 

resize the length of the relation (just as if an information element was connected to that end of 

the relation). 

Furthermore, the entity component must as a minimum include the following non visual elements: 

Meta data are essential, and will be formatted according to a type (text, number), name (what 

is this meta data called) and finally the actual value of the meta data. Some meta data will 

be static for an entity and others will be dynamic. It should be possible to add new meta data 

through out the life time of the entity. Included entities (or encapsulated entities) are required 

to represent hierarchical structures in investigations. These entities will be grouped or classified 

according to some parameters selected by the end user and they also have an entity to represent 

them at a higher level, the entity that encapsulates them. It will be necessary to denote the type 

of individual entities, in order to let the developers add functionality particularly developed for 

a specific type of entity, e.g., relation or composite. The set of entity types should of course be 

extensible. 

148

CHAPTER 8. SOFTWARE COMPONENTS 8.5. COMPONENT DESIGN 

8.5.2 History 

Our history component is designed with the intend to support versioning, which in turn will 

provide support for important criminal network investigation tasks based on versioning. The 

history component design is shown in Figure 8.10. 

Figure 8.10: History component design includes the component’s relations to the common information 

space (left), the interrelationship of basic component elements (middle), and other elements 

related to the component, but not directly part of it (right). 

A criminal network investigation event is the basic element of the history component. The event 

is created by some action in the common information space, either by the user (synthesis actions) 

or by the tool (on behalf of the user, an algorithm based sense-making action). An event can 

be of a specific type (create, delete, move, transform, etc.) and will have some information 

content. Visual abstractions for event types and content must be supported, illustrated by the 

link to geometrical shapes in Figure 8.10. Finally, events are to be stored either following an 

associative structure, a hierarchical structure, or a combination of these. Provided that 

storage is implemented in a suitable way, an editor can interact with the stored history events, to 

group events, annotate events, or interact and present the events in ways required for the specific 

criminal network investigation, intelligence customers, etc. 

8.5.3 Algorithm 

Our algorithm component is designed with the intend to support analysis (synthesis, sense-making, 

and synthesis and sense-making), which in turn will provide support for important criminal network 

investigation tasks depending on analysis support. The algorithm component design is shown 

in Figure 8.11. 

An algorithm is the central algorithm component element. This might be confusing, and requires 

further explanation. The terminology is used to encapsulate our intended support for single, yet 

customizable and tailorable, criminal network investigation techniques (e.g., see mathematical 

models in Section 5.9) and custom algorithms which might refer to a combination of multiple 

techniques or one or more techniques together with one or more custom algorithms. We will 

also refer to the latter as sense-making work flows. As mentioned, an algorithm is the central 

element, receiving its input from the common information space (i.e., criminal network entities 

or structures), and returning output to the common information space as well. An algorithm, 

whether custom or a single technique, will have a number of computational steps that must be 

tailorable by humans (investigators). There will also be some general settings for all algorithms 

149

8.6. SUMMARY CHAPTER 8. SOFTWARE COMPONENTS 

Figure 8.11: Algorithm component design includes the component’s relations to the common 

information space (left), the interrelationship of basic component elements (middle), and other 

elements related to the component, but not directly part of it (right). 

and some specific settings for the particular instantiation of the algorithm component, which 

must be customizable by investigators. Finally, all algorithms must implement a report interface 

to allow for the generation of reports based on the computational steps, customizations, inputs 

and outputs, etc., of algorithms. Letting the user tailor what to put in these reports using a 

report editor would be preferable. 

8.6 CrimeFighter Investigator concepts 

To summarize our work presented in this chapter, and as an introduction to Chapters 9 to 13, 

covering implemented support for criminal network investigation tasks based on the concepts and 

components discussed, we describe the basic concepts supported by CrimeFighter Investigator. 

CrimeFighter Investigator [169,173–176] is based on a number of concepts, adopted primarily from 

knowledge management and hypertext research and systems. Figure 8.12 shows an augmented 

screen shot of CrimeFighter Investigator, with the most basic and important concepts emphasized 

and labeled. At the center is a shared information space. Spatial hypertext research has inspired 

the features of the shared information space including the support of investigation history [174] 

(emphasized in the tool bar). The view concept provides investigators with different perspectives 

on the information in the space and provides alternative interaction options with information 

(hierarchical view to the left (top); satellite view to the left (bottom); spatial view at the center; 

algorithm output view to the right). Finally, a structural parser assists the investigators by relating 

otherwise unrelated information in different ways, either based on the entities themselves or by 

applying algorithms to analyze them (see the algorithm output view to the right). 

In the following chapters, central CrimeFighter Investigator concepts are designed and analyzed 

together with specific criminal network investigation tasks, before implementing support of these 

tasks based on the concepts. 

150

CHAPTER 8. SOFTWARE COMPONENTS 8.6. SUMMARY 

Figure 8.12: CrimeFighter Investigator screen shot with concept overlays. 

151

8.6. SUMMARY CHAPTER 8. SOFTWARE COMPONENTS 

152

CHAPTER 9 

Acquisition 

Intelligence gathering in the twenty first century is now less about 

James Bond and George Smiley than it is a Frankenstein composite 

of law enforcement, spies, and forensics. 

Hitz (2009) concluding on how “counter-terrorism and counter-proliferation intelligence gathering is 

following a new paradigm” [113] 

Some information may be available at the beginning of a criminal network investigation, but new 

information tends to dribble in over time in disparate pieces. Information arrives from various 

sources and should be easy to insert into the investigation tool in a manner that is transparent 

to the investigator. The remainder of this chapter is organized as follows: in Section 9.1 we 

will analyze the acquisition tasks outlined in Section 7.2.1 and related CrimeFighter Investigator 

concepts. In Section 9.2 we present the designs we have created for those tasks and concepts. 

Finally, Section 9.3 describes implementations of tasks and concepts in CrimeFighter Investigator, 

using tool and feature screen shots. Not all designs are implemented, and in general it should 

be noted that acquisition has received less attention, compared to synthesis and sense-making. 

We started out focusing on synthesis and sense-making, and later, following an agile and iterative 

approach to software development, we found a need to also focus on acquisition, to be able to 

ingest information. 

9.1 Analysis 

Based on cases and observations of criminal network acquisition, contact with experienced endusers 

from various investigation communities, examination of existing tools that support acquisition 

of criminal network entities and structures (see Chapter 4), and our own ideas for acquisition 

support, we maintain a list of acquisition tasks. Acquisition tasks primarily support the research 

focus requirements information #1 (emerging and fragile structure) and information #2 (integrating 

information sources). 

9.1.1 CONCEPT: Storage 

In order for investigations to be saved, they need to be stored somehow, preferably in a data 

base like structure. And when acquiring information, either to append it to an existing criminal 

153

9.1. ANALYSIS CHAPTER 9. ACQUISITION 

network investigation or to start a completely new investigation. See Chapter 8 for a requirements 

list (Section 8.4) for the datafile component. 

9.1.2 TASK: Acquisition methods 

Information arrives from various sources and should be easy to insert into the investigation tool 

using methods such as import, drag-and-drop, and copy-and-paste (see Figure 9.1). 

Figure 9.1: Methods for acquiring information includes import (left), drag-and-drop (middle), and 

copy-and-paste (right). 

Direct integration with other tools like for example CrimeFighter Explorer or Assistant would be 

a fast way to import already processed data and information into CrimeFighter Investigator [245]. 

The research prototype POLESTAR supports direct import of text snippets using drag and drop 

from web sites into the application [178]. Methods such as drag-and-drop and copy-and-paste are 

especially relevant when working with open source intelligence (web sites, data bases, online news 

papers, etc.), especially considering that open source intelligence have been found to provide 80% 

of the value to criminal network investigations (see Section 5.8). 

9.1.3 TASK: Dynamic attributes 

Dynamic attributes are required to support acquisition of various data sets formatted using graph 

markup language (GraphML) or comma separated values (CSV) (see also mapping attributes 

below). The attributes are also relevant for synthesis, as new attributes will be added and the 

names of existing ones will be changed, as new information continue to dribble in over time (see 

Figure 9.2). 

Figure 9.2: Dynamic attributes. 

Having to match the newly acquired information (intelligence) into an existing data model (conceptual 

model) could potentially inhibit creativity and the desire to use software tools for criminal 

154

CHAPTER 9. ACQUISITION 9.2. DESIGNS 

network investigation. Supporting dynamic attributes is one step on the way, but then intuitive 

interaction with attributes for easier restructuring is necessary. In the Daniel Pearl investigation 

we saw how there are initially only the names of individuals, but then gradually new meta data 

(attributes) are added, such as telephone numbers and pictures [162]. See Section 3.5.1 for a 

review of the Daniel Pearl kidnapping and murder. 

9.1.4 TASK: Attribute mapping 

To support dynamic attributes it is necessary to map attributes in the acquired information to 

the investigation data model. For example mapping attributes to information element labels (see 

Figure 9.3). 

Figure 9.3: Attribute to data model mapping (left) and attribute to algorithm mapping (right). 

There are many examples where the attributes of imported entities do not match the entities in 

the investigation’s conceptual model. In Sageman’s 2003 al-Qaeda data set 80 , there are only short- 

Name and fullName attributes (see the al-Qaeda related deployment of CrimeFighter Investigator 

in Section 14.3 and development of measures of performance in Section 15.4, for more information 

about the data set). 

9.2 Designs 

In this section we present designs for some of the acquisition tasks analyzed in the previous section. 


As the purpose of this task is to ensure that tools for criminal network investigation have multiple 

methods for acquiring data and information, it is difficult to frame a design. What we can do is to 

present designs for what should happen once the data and information has re-entered the system, 

and needs to be mapped to the conceptual model, like support of dynamic attributes through 

mapping of attributes. The designs of these two acquisition tasks are described below. 


We design a drag-and-drop approach to editing the attributes of entities. Figure 9.4 shows our 

design for visual abstractions and attribute editor. The attribute related parts has options for 

adding new attributes and mapping available attributes to visual abstraction labels. 

155

9.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 9. ACQUISITION 

Figure 9.4: Entity visual abstractions and attribute editor - Options for editing the visual graphics 

abstractions of entities, adding new attributes, mapping available attributes to visual abstraction 

labels and deciding the order and positioning of menu buttons. 


Our design for attribute mapping is simply to arrange all the attributes for entities in the acquired 

information and then support the users mapping of these attributes to the current attributes of 

entities in CrimeFighter Investigator. 

9.3 CrimeFighter Investigator 

Support of acquisition tasks is limited. However, to enable our development of measures of performance 

we have implemented support of import of various file types. Also, the option of saving 

investigations in the CrimeFighter Investigator format permits sharing the common information 

space for collaborative purposes. 


As mentioned above, we have implemented support for file import. CrimeFighter Investigator supports 

import of network information formatted as comma separated values (CSV files). Relations 

are imported as either an adjancy matrix or a list of information element pairs (large criminal 

networks). 

An import dialog (see Figure 9.5) is available from the Session menu. The import feature has 

options for importing either information element entities, or all three types of entities (information 

elements, relations, and composites). When importing all three types of entities from one file, the 

import dialog has the option of importing relations as an adjancy matrix or as a list of < id, id > 

indicating from and to id’s of the entities that each relation connects. Using lists of from and to 

id’s becomes the preferred solution, when a data set has more relations than it is the case for the 

samples shown in Figure 9.5 (right). When the data are imported, the user is prompted to map 

attributes of imported entities to the conceptual and computational models of the investigation 

156

CHAPTER 9. ACQUISITION 9.3. CRIMEFIGHTER INVESTIGATOR 

Figure 9.5: The CrimeFighter Investigator import dialog with options for importing just information 

elements, or information elements, relations and composites. 

(see below, Section 9.3.3) 


The CrimeFighter Investigator information element editor has partial support of the design described 

in Section 9.2.2. A screen shot of the current implementation of the information element 

editor is shown in Figure 9.6: The drop down box at the top (A) lets the user select the entity 

for editing. Possible visible settings are selecting which visual abstraction is to be shown when 

creating new entities of the given type (B). Four categories have been created; maybe when there 

are not many entities in the space, it is nice to use the a large visual abstraction, because it is 

more descriptive, and then when the number of entities increases it could be beneficial to sacrifice 

some description for a small visual abstraction. Two other visual abstraction types that 

can be useful depending on the investigation are the circle and label abstractions. Typically, if a 

single attribute has been selected to represent the entity, then these abstractions can be useful. 

Information about the currently selected visual abstraction is shown in the view to the left (C). 

It indicates how the entity will appear in the common information space, and the placement of 

different internal components. Refer to Section 8.4.1 and 8.5.1 for a more detailed description of 

the entity component. Support for editing the visual abstraction is not implemented (D), but a 

design of the intended feature is shown in Figure 9.2.2 (acquisition design, Section 9.2.2). At the 

bottom the entity’s current attributes are shown in a table (E) and the input fields for adding new 

attributes are just below the table (F). Attributes are deleted by deleting them from the table, 

which is of course a cumbersome way to do it, and also not according to the intended design. 

157


Figure 9.6: CrimeFighter Investigator information element editor - options for adding new attributes 

and deleting existing ones, as well as selecting between pre-defined visual abstractions for 

entities. 


We have implemented support of the attribute mapping task for data file import and sense-making 

work flows (see Section 11.3). Here we focus attribute mapping for import. When importing 

criminal network information into investigations, it is necessary to map all network dependent 

variables of the existing data model to attributes of the imported entities. Figure 9.7 shows the 

entity attributes for a data set containing person information elements. The visual abstraction of 

person information elements has a label that links to one specific attribute and is displayed below 

the graphical abstraction. When importing data, the user is requested to select the attribute to 

link to that label by dragging the desired attribute to the label reference area. 

158

CHAPTER 9. ACQUISITION 9.3. CRIMEFIGHTER INVESTIGATOR 

Figure 9.7: (semi mock-up) Mapping information attribute to data person information element 

label. 

159


160

CHAPTER 10 

Synthesis 

By gathering the myriad of information that is available I hoped to 

each a portrait of that which is unknown, the way negative space can 

define an object. 

Bernard-Henry Lévy in [128]. 

Criminal network investigators move pieces of information around, they stop to look for patterns 

that can help them relate the information pieces, they add new pieces of information and iteration 

after iteration the information becomes increasingly structured and valuable. Synthesizing 

emerging and evolving information structures is a creative and cognitive process best performed 

by humans. The nature of modeling something as complex and diverse as crime is an ongoing and 

potentially open-ended process that demands for an interactive modeling approach [30]. What 

complicates everything is that the picture constantly changes. With every interaction, people 

change, group dynamics change, and social dynamics change [28]. If we are to think seriously 

about this sort of complexity, and reason effectively about it, some sort of simplified map of 

reality, some theory, concept, model, paradigm, is necessary [102]. The CrimeFighter Investigator 

approach to synthesis is based on three first class entities, which, combined with hypertext 

structure domains (see Section 5.1) are used to support a set of synthesis tasks. 

Criminal network investigators working in teams merge and organize pieces of information from 

different sources in order to reason about them and support their decision making process. The 

structure of the relationships between these pieces of information is fragile by nature, since new 

information may change it substantially. Besides supporting the emergent nature of incoming 

information, such structures should also be an appropriate medium for communicating with others 

(see our introduction to dissemination in Chapter 12). Their presentation should foster awareness 

and permit notification services that inform the investigator about potential unseen and non 

obvious connections beyond the borders of individual information sources [20] (the synthesized 

information should support sense-making, see Chapter 11). 

The remainder of this chapter is organized as follows: analysis (Section 10.1) and design (Section 

10.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 10.3) is 

explained below. 

161

10.1. ANALYSIS CHAPTER 10. SYNTHESIS 

10.1 Analysis 

Based on cases and observations of criminal network synthesis, contact with experienced end-users 

from various investigation communities, examination of existing tools for synthesis of criminal networks, 

and our own ideas for synthesis support, we maintain a list of synthesis tasks. Synthesis 

tasks assist criminal network investigators in enhancing the target model. The concepts of perspectives 

and versioning and their related component view and history support synthesis tasks 

and are therefore analyzed first, followed by the synthesis tasks. Our analysis of synthesis tasks 

is primarily based on criminal network investigation cases where simple physical tools (human 

factors #3) are used such as the whiteboard in the Daniel Pearl investigations, and the boards 

used in many investigations with paper based evidence, such as paper clippings, Polaroids, and 

text cards etc. together with related work tools or prototypes who support the synthesis task in 

a manner addressing our research focus requirements. 

10.1.1 CONCEPT: View 

The view concept plays an important role for synthesis, in terms of providing more perspectives 

on the synthesized criminal network information. As long as the entities are laid out at the same 

level in the common information space (spatial view), then no other views are required. However, 

once groups are being added, entities associated to groups by inclusion, and the groups are then 

collapsed, it becomes important with for example a hierarchical view (taxonomic view) of the 

information since it is now being organized into hierarchies. 

Taxonomic view 

A taxonomic view for criminal network investigation has two main objectives. First of all, the 

taxonomic view must visualize the created hierarchical structure as synthesized by the user using 

composites with reference relations to information elements, or traditional sub-spaces attached 

to single information elements accessed using expand and collapse functionality. Secondly, a 

taxonomic view must support manipulation of the existing hierarchical structure, allowing for the 

user to move information elements between composites, i.e. the spaces and sub-spaces that the 

composites represent. 

10.1.2 CONCEPT: History 

The recording of synthesis tasks is essential for later sense-making (see Chapter 11 and dissemination 

(see Chapter 12). Navigable history (inspired by the feature in VKB [96,117]), can provide 

a new time dimension for an investigation, that of its construction. Investigators can navigate 

through the history, perceiving the constructive events of the space, by moving between current 

and prior states. Navigable history supports learning and interpreting investigators work practices, 

recognizing patterns of activity in the space, and disambiguating specific actions and content. Furthermore, 

it allows the criminal network investigation team to review the path or progress of their 

investigation or to reclaim information that previously had been deemed irrelevant or deleted, but 

then found to have greater significance due to new incoming information. 

10.1.3 TASK: Create, delete, and edit entities 

Here we focus on the abstraction over these three entities, the entity. Investigators basically think 

in terms of people, places, things, and their relationships. All these different types of information 

can be encapsulated by criminal network investigation entities, which can be created in a number 

of different ways as shown in Figure 10.1. 

162

CHAPTER 10. SYNTHESIS 10.1. ANALYSIS 

Figure 10.1: Creating entities can be done in multiple ways: information entities are created using 

dragging gestures in the tool, drag-and-drop from other applications, clicks, import (all left), links 

based on entity selection (middle), or grouping (right). 

Creating entities can be done in multiple ways: information entities are created using dragging 

gestures, drag-and-drop from other applications, clicks, or import of information from files. Linking 

entities could happen using a dragging gesture, or selecting the two entities that are going to linked 

and then activating linking functionality. Creating groups can be done by collapsing information 

or using visual symbols (see Section 10.1.6 for analysis of grouping). Creating entities in the space 

using a drag gesture or a click requires the user to first select the entity to create (if not already 

selected), while drag and drop from another application would create the entity immediately, at 

least with some initial entity encapsulation. 

In the Daniel Pearl investigation new information pieces (entities) are added to a whiteboard by 

drawing on it (see Section 3.5.1, resembling a dragging gesture. Police detectives often use boards 

on which they pin evidence, typically written or printed on paper (see Section 3.5.4). In that case 

new information pieces are created away from the board, resembling a drag-and-drop gesture from 

somewhere else or a simple import of a few entities. 

Figure 10.2: Delete entities - . 

In the Daniel Pearl investigation, entities are deleted from the board by wiping (gesture) and in 

the board-based police investigations pieces of paper with evidence are simply removed from the 

board and thrown to the trash can (drag-and-drop). 

There are typically two ways to editing entities, either in terms of using a form-based approach 

such as a object inspector, listing the attributes and other adjustable meta data of the entity in 

a tabular way, or alternative some meta data might be editable through direct manipulation in 

the common information space. On a white board, like in the Daniel Pearl investigation, person 

names are easily updated, a telephone number added, or a picture used as visual abstraction, in 

a direct manipulation fashion. 

163

10.1. ANALYSIS CHAPTER 10. SYNTHESIS 

10.1.4 TASK: Create, delete, and edit associations 

The impact of association analysis on investigative tasks is crucial to the creation of the target 

model. Descriptive relations between entities helps discover similarities and ultimately solve investigation 

cases. Associations between entities can be created, deleted, and edited using for example 

the link entity, visual symbols, co-location or based on the value of specific attributes (see Figure 

10.3). 

Figure 10.3: Associations between entities can be created, deleted, and edited using links, visual 

symbols, co-location or attribute similarities. 

Using spatial hypertext technology for information analysis, one can define relationships between 

information elements, simply through the proximity and location of information elements. But 

since relations within terrorist networks are much more complex than the simple indication of 

belonging to a certain group, these relations must be weighted to match that complexity appropriately. 

We suggest that providing a structured language to describe the inner complexity of these 

weights, a language that is interpretable by both humans and computer algorithms. 

There is a need to describe the nature of links and nodes, since “Without accounting for the 

content of communication, social network analysis runs into the “pizza guy delivery problem”: 

confusing regular contact with significant contact” [26]. A person A can be related to a person 

B in a number of ways, and any subset of these relations can mean something within a certain 

context, and hence would be weighted differently according to their importance. The complete set 

of relations would constitute what is known about the relationship at that place in time. 

10.1.5 TASK: Restructuring 

During an investigation, information structures are typically emerging and evolving, requiring 

continuous re-structuring of entities and their relations. Besides creating and deleting entities, 

restructuring involves tasks such as move entity, reconnect link, merge entities, and group entities, 

etc. (see Figure 10.4). 

Figure 10.4: Restructuring involves synthesis actions such as move entity, reconnect link, merge 

entities, and group entities. 

164

CHAPTER 10. SYNTHESIS 10.1. ANALYSIS 

Restructuring of information structures happens during all criminal network investigations, except 

maybe for the simplest of cases (e.g., the homicide dunkers described by Simon (1991) [204]). 

10.1.6 TASK: Grouping 

Investigators often group entities using symbols like color and co-location (weak), or they use 

labeled boxes (strong). Groupings can be used to highlight and emphasize particular entities and 

their relations (see Figure 10.5 and also Section 10.1.4 that analyzes associations). 

Figure 10.5: Entities are often grouped either semantically by reference (left), or hierarchically by 

inclusion of either nodes (middle) or links (right). 

Often reference grouping is used, when the affiliations of entities with a certain group is not certain. 

Then later when (maybe) more evidence backs up the grouping, the entities (nodes and/or links) 

are grouped by inclusion. 

10.1.7 TASK: Collapsing and expanding 

Collapsing and expanding information is essential since the space available for manipulating information 

is limited physically, perceptually, and cognitively. Zooming is a way to visually collapse 

or expand information in the space; however, depending on the zooming degree, it facilitates 

information overview at the expense of information clarity. 

For collapsed information it is necessary to consider what the abstraction should be. Maybe it 

makes to represent with graphical abstraction indicating that the underlying entities are all related 

to a specific group, a company, or a meeting. Alternatively, it just be label or some of the other 

abstractions for information entities that we discussed in Chapter 8. Another requirement would 

be to support an intelligent expansion of collapsed information in the space. Other entities might 

have been added to the space that the collapsed information was located in before, and more 

entities have been added to the new sub space that the collapsed entities are synthesized within, 

meaning that they will take up more space once they are expanded. 

Typically collapsing information is used if a set of information entities becomes of second priority, 

because of new leads, or if the set of entities can be abstracted to a single entity, which makes 

mores sense, but the investigators would still like to keep the information that the abstraction was 

based on in the investigation. On a white board it is impossible to collapse information without 

loosing it; only the entity abstracted from the collapsed information remains. On a board that 

information is pinned to, multiple pieces of paper could be pinned together, only the piece of paper 

at the top being visible. The same would be the case with arranging documents on a table, where 

they can be stacked according to some classification (see Atzenbeck (2006) [18]). 

165

10.2. DESIGNS CHAPTER 10. SYNTHESIS 

10.1.8 TASK: Information types 

Multimedia support is helpful when investigators want to add known positions of persons to a 

map or link persons to different segments within an audio file. This would support for example 

more intuitive storytelling. Information types includes text, maps, images, audio, and video (see 

Figure 10.6. 

Figure 10.6: Information types includes text, maps, images, audio, and video. 

When previous Secretary of State Colin Powell presented the United States case on Saddam 

Hussein’s alleged weapons of mass destruction to the United Nations in 2003 the evidence included 

intercepted phone calls, augmented satellite photos, 3D sketches, etc. Tools and research 

prototypes reviewed in Chapter 4 supports many different kinds information, e.g., Mindmeister, 

an investigative journalism tool that supports embedding pictures and video in mind maps (see 

Section 4.3.2). 

10.2 Designs 

We present our designs of key synthesis concepts and tasks. The designs that have not been 

implemented support for are considered important areas of future work. 


A tool for criminal network investigation requires two types of support for hierarchical structuring: 

creating groups in the same space and hierarchies using sub spaces. Example is given in Figure 

10.7. Sub spaces are expanded or collapsed into the shared information space. 


A design of history support is presented in Chapter 8 on concepts, models, and components for 



We do not discuss the actual design of individual entities here, elaborate designs of the information 

element, relation and composite entities are given in Section 8.1. We focus on how those designs 

can be utilized to create, delete, and edit entities. Later we will demonstrate how these designs 

have been implemented in CrimeFighter investigator. 

In general, we want entities to be created using a drag gesture, this way the user can create an 

entity and position it in the space, in the same way. The dragging gesture can then also be used 

166

CHAPTER 10. SYNTHESIS 10.3. CRIMEFIGHTER INVESTIGATOR 

Figure 10.7: Hierarchical structuring types. 

to decide the size of the relation and composite entities. For editing, we want to support direct 

manipulation of often accessed meta data, alternatively editing using a form which is accessed by 

a menu icon attached to the entity positioned at its outline. Deletion should be possible using 

direct manipulation, i.e. direct interaction with therefore designated areas. 


In this section, we present our implemented tool support for criminal network investigation synthesis 

tasks, which we analyzed in Section 10.1 and created designs for in Section 10.2. 


View is a well-known concept for providing different perspectives on information. 

Taxonomic view 

The taxonomic view (left hand in Figure 8.12) provides a hierarchical overview of the organization 

of entities. The tree root reflects the name of the investigation, nodes in the tree are composites 

and leafs in the tree are information elements. The taxonomic view and the spatial view are 

synchronized in the sense that changes made in one view are instantly reflected in the other view. 

There are no limitations to the number of nested hierarchies. The two views are separated by 

a divider that can be moved left or right to expand/minimize the views depending on the users’ 

preference. Icons reflecting their space equivalents are used to make it easier for the investigators 

to recognize the entities from the space in the taxonomic view. It is still the same information, 

although offering a different perspective. A spatial parser algorithm is used to parse the entities 

in the space and then create the structure shown in the taxonomic view. 

An example of reference composite support is shown in Figure 10.9. In Figure 10.9a, Mr. X is 

part of both Composite 1 (C1) and Composite 2 (C2). In Figure 10.9b, C2 is moved away and 

now Mr. X is no longer part of C2, and this change is reflected in the taxonomic view to the left. 


The user interface of the navigable history feature is embedded in the tool bar (see Figure 8.12). 

It records everything that happens in the space. It has back and forth buttons for navigating 

the recorded events, and the current event displayed in the space is visualized using a slider as 

well as a label showing both the current event and the total number of events (e.g., 48/48). The 

167

10.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 10. SYNTHESIS 

Figure 10.8: Screen shot 

of taxonomic view from the 

Daniel Pearl investigation. 

(a) Reference composite example - non-overlapping reference composites. 

(b) Reference composite example - non-overlapping reference composites. 

Figure 10.9: History trees and navigation view. 

history feature records all the interactions that investigators have with entities in the space as 

events, e.g., “create information element”, “resize composite”, “move information element”, and 

so on. Each event is given a time stamp and added to the sequential history. If the history bar is 

not positioned at the end of the history when an investigator causes an event, the investigator is 

prompted whether or not to delete all events after the current event, or canceling whatever action 

that caused the event to happen. 


Creating, editing and deleting entities is done using well-known interaction metaphors. Information 

elements are created using a simple mouse drag gesture within the investigation space. 

Once created, delete and edit functionalities are available from a menu attached to the information 

element as shown in Figure 8.12. Connected relations are created by selection of two information 

elements (using the ctrl-button). Subsequently, the direction and the label of the relation can 

be edited by clicking the relation label. Relations are, like information elements, deleted using 

a menu button positioned relatively to the relation label. Composites are created, edited and 

deleted in the same way as information elements. They have an interactive label and the color of 

the composite can be set before and after its creation (Figure 8.12, top). 

10.3.4 TASK: Restructuring 

Restructuring is supported by the concept that all entities are first class. When an information 

element with several relations is deleted, the relation endpoints are considered empty and can be 

moved freely in the space and the investigator can connect them to other entities if desired using a 

drag and drop gesture. The hierarchical view (Figure 8.12, left) is used for classification by moving 

168

CHAPTER 10. SYNTHESIS 10.3. CRIMEFIGHTER INVESTIGATOR 

information elements in the hierarchically displayed structure (see example in Figure 10.10). 

Figure 10.10: An example of supported restructuring where a relation is reconnected to a new 

information element, after the previous one was deleted. 

10.3.5 TASK: Grouping 

Different types of composites can be used to group information. The inclusion composite is one 

example, and CrimeFighter Investigator support of another was discussed in an example using a 

reference composite (Section 10.3.1). The relation composite allows investigators to group multiple 

relations between two entities (such as multiple emails or phone calls between two persons) into a 

single visible entity (composite). Relation composites group relations by inclusion. Another type 

of composite supports collapsing and expanding. 

169

10.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 10. SYNTHESIS 

170

CHAPTER 11 

Sense-making 

Analysis is the key to successful use of information; it transforms 

raw data into intelligence. Without the ability to perform effective 

and useful analysis, the intelligence process is reduced to a simple 

storage and retrieval system for effectively unrelated data. 

Intelligence analysts training manual of the metropolitan police (Scotland Yard, London) 

After all, no one has yet linked failure of intelligence to the fact that 

the opponent had better equations. 

Wirtz (2006) in his review [251] of Robert M. Clark’s book intelligence analysis: a target-centric 

approach [40] 

Criminal network sense-making is tightly coupled with criminal network synthesis as described in 

the previous chapter; synthesis and sense-making are core analysis tasks. Synthesizing emerging 

and evolving information structures is a creative and cognitive process best performed by humans. 

Making sense of synthesized information structures (i.e., searching for patterns) is a more 

logic-based process where computers outperform humans as information volume and complexity 

increases. CrimeFighter Investigator supports sense-making tasks through the application of 

advanced software technologies such as hypertext, semantic web, well-known human-computer interaction 

metaphors, and a tailorable computational model rooted in a conceptual model defining 

first class entities that enable separation of structural and mathematical models (see Chapter 8). 

Therefore, our modeling approach must embrace frequent customization and extension through 

robustness and scalability of the underlying mathematical framework [30]. At the beginning of 

an investigation it is not clear what sense-making approach will be required to understand and 

reason about a certain criminal network. Sometimes more than one measure has to be calculated 

for the criminal network or maybe some measures are used as input for an algorithm providing yet 

another measure. It is impossible to know beforehand what information attributes (meta data) 

will be the deciding factors for a criminal network investigation. First of all, information attributes 

are emerging over time, just like the information entities. Second, investigators have to decide 

if they will try to predict missing information entities in the network based on for example an 

individual’s record of supplying weapons or a measure of each individual’s centrality in a criminal 

network. 

Taking a computational approach to criminal network sense-making, claiming that investigators 

will benefit from the information provided, raises concerns about user acceptance of this com- 

171

11.1. ANALYSIS CHAPTER 11. SENSE-MAKING 

puted information 81 . Experienced investigators with the skills to manually derive the computed 

information (given more time) might question how exactly the information has been automatically 

computed and they might be inclined not to trust this computed information enough to base 

their decisions on it [193]. For computational sense-making to be effective, decision makers must 

consider the information provided by such systems to be trustworthy, reliable [144], and credible. 

The calculations are not the hard part; the challenge is to find a good way to use the data and 

understand them. This is very well described by the following story by Stoll (1995) [217]: 

Computer security expert Clifford Stoll spent a year studying at a Chinese observatory 

with Professor Li Fang. Li studied star observations and used a Fourier transform, the 

standard tool of astronomers everywhere, to hunt for periodic motions. Li, however, did 

the Fourier transform completely by hand! Stoll decided to show Li how his new Hewlett 

Packard HP-85 could be used to calculate some 50 coefficients for the polar wandering 

in under a minute. The task had taken Professor Li 5 months. When presented to the 

computer’s results, Li smiled and said: “When I compare the computer’s results to my 

own, I see that an error has crept in. I suspect it is from the computers assumption 

that our data is perfectly sampled throughout history. Such is not the case and it may 

be that we need to analyze the data in a slightly different manner”. Stoll realized that Li 

had not spent 5 months doing rote mechanical calculations. Instead, he had developed a 

complex method for analyzing the data that took into account the accuracy of different 

observers and ambiguities in the historical record. 

Simply by turning to the computer when confronted with a problem, we limit our ability to 

understand other solutions. The tendency to ignore such limitations undermines the ability of 

non-experts to trust computing techniques and applications [193] and experienced investigators 

would be reluctant to adopt them. 

In this chapter, we focus on criminal network sense-making and how tailoring can leverage transparency 

and ownership, increasing trust in information provided by sense-making algorithms. 

CrimeFighter Investigator [169, 173, 174] is based on a number of sense-making related concepts 

(see Figure 11.1). At the center is a shared information space. Spatial hypertext research has 

inspired the features of the shared information space including the support of investigation history 

[174]. The view concept provides investigators with different perspectives on the information 

in the space and provides alternative interaction options with information (hierarchical view to 

the left (top); satellite view to the left (bottom); spatial view at the center; algorithm output view 

to the right). Finally, a structural parser assists the investigators by relating otherwise unrelated 

information in different ways, either based on the entities themselves or by applying algorithms to 

analyze them (see the algorithm output view to the right). In the following, central CrimeFighter 

Investigator sense-making concepts and tasks are presented. 

11.1 Analysis 

Based on cases and observations of criminal network sense-making, contact with experienced endusers 

from various investigation communities (intelligence, police, and journalism), examination 

of existing process models and existing tools for making sense of criminal networks (e.g., [7,20,21, 

25, 35, 40, 53, 59, 110, 116, 128, 152, 162, 212, 244]), and our own ideas for sense-making support, we 

maintain a list of sense-making tasks. The list of tasks can be seen as a wish list of requirements 

which the sense-making part of a tool for criminal network investigation should support; the list 

serves as the basis for our tool development efforts. The list is not exhaustive; we expect to uncover 

additional sense-making requirements over time. We provide examples for each sense-making task 

to emphasize the many different applications. Sense-making tasks assist investigators in extracting 

useful information from the synthesized target model [175]. 

172

CHAPTER 11. SENSE-MAKING 11.1. ANALYSIS 

Figure 11.1: CrimeFighter Investigator screen shot with sense-making overlays. 

11.1.1 CONCEPT: Algorithm 

The algorithm plays an important role for criminal network sense-making. At the same time, 

supporting algorithms for sense-making is a great challenge, which our analysis in the beginning 

of this chapter emphasized: an algorithms computational approach to analysis is a rather rigid 

contraption, taking an input and producing an output, representing a sort of black box magic 

to the inexperienced investigator. But criminal network investigation is an open ended creative 

process requiring different sense-making for different investigations. The tailoring of algorithms 

would be a way to bridge the rigidness and black box feeling of algorithms with the cognitive 

sense-making tasks that criminal network investigators perform. We define three distinct types 

of algorithms: structural measure algorithms, structural transformation algorithms, and custommade 

algorithms (often a mix of the two other types, see Figure 11.2). 

Figure 11.2: Algorithm types for sense-making, includes measure algorithms providing metrics for 

entities such as links and nodes (left); transformation algorithms alter the structure of criminal 

networks by either adding or removing entities (middle); custom-made algorithms encapsulate 

multiple measure and transformation algorithms (right). 

Measure algorithms provide metrics for entities such as links and nodes, and examples includes 

centrality measures from social network analysis [155,195,240] and link importance from terrorist 

network analysis [80, 245]. Transformation algorithms alter the structure of criminal networks by 

173


either adding or removing entities. Prediction techniques [183, 184] transform criminal networks 

by predicting missing links or covert structure (nodes and links). Finally, custom-made algorithms 

encapsulate multiple measure and transformation algorithms to represent tailored algorithms for 

more complex sense-making tasks, such as node removal in criminal networks [169] (see analysis 

of sense-making work flows below). 

Sense-making work flows 

We outline the typical work flow of applying algorithm-based sense-making to a criminal network 

as described below. The steps are at the same time the requirements for software support of such 

work flows: 

1. Work flow input. The input for a sense-making work flow is a criminal network of entities 

(information elements, relations, and composites) forming structures through associations. 

2. Need for sense-making. (e.g., [168,169,175]) The investigator wants to ask some question 

about the criminal network, such as ‘what if’ questions or questions related to a network 

measure, i.e. ‘measure’ questions. An example of a ‘what if’ question could be: What will 

happen if we remove these two nodes from the network? Followup questions could be are any 

new relations between remaining nodes forming? or are other information elements going 

to take the place of the removed ones? Questions related to measures could be: who control 

communication in this network? or what individuals in the network are connecting to the 

key individuals in the network?. The purpose of such questions is typically to determine 

weak points in a network, where infiltration would be feasible. 

3. Tailoring desired sense-making work flow. Tailoring a desired work flow for a specific 

sense-making task has many steps: (a) involves selecting what algorithms to run to match 

the desired questions. (b) When running multiple algorithms in a work flow it should be 

possible to decide the order they run if sequential. If the algorithms on the other hand are 

set to run parallel then order does not matter. (c) Customizing each individual algorithm 

according to visual symbols, associations, reports, etc. (d) Deciding the input and output 

of each individual algorithm. The output of the final algorithm will be the output of the 

sense-making work flow. 

4. Run the sense-making work flow Starting the sense-making work flow must also be a 

user controlled process. If the work flow produces one or several network measures as output, 

the measure can be computed on every event that occurs in the common information space. 

But the system should also consider another type of algorithm, which changes the structure 

of entities (editing, adding, or removing). 

5. Results. Deciding what to do with the results, should they be discarded from or appended 

to the investigation. Typically a lot of sense-making synthesis are required to reach a certain 

point of clarity. The importance of keeping a record (history) of such discard and 

append actions (events) is illustrated by investigators often needing to retrace the steps of 

investigations to see if something was missed [128, 162, 204]. 

6. Retrieve a report. If interesting results are yielded, the end user can decide to retrieve a 

report with the information, analysis, and results aggregated. 

7. Save sense-making work flow. Finally, the user could want to save a work flow, if it 

might be useful for future investigations, or if it is to be shared with other investigators. 

The application of standardized sense-making algorithms (such as measures of centrality) and 

custom-made algorithms (e.g., node removal), requires a great deal of abstraction and interpretation 

by the user. When an algorithm anticipates certain information element and relation types, it 

will be up to the user to map the results back into the domain of their criminal network. If, on the 

174


other hand, the user can tailor the algorithm to the available data and customize the generation of 

a specific output structure for results, then the user is controlling the algorithm, and the algorithm 

is merely assisting the investigator, functioning as a tool. The algorithm is not in control of the 

sense-making work flow, forcing the investigator to do additional conversions of the output to be 

useful for an intended analysis. 

11.1.2 CONCEPT: Structural parser 

A separate tool is required to tailor and customize the three algorithm types (and their many 

instantiations) discussed above and control the creation and execution of sense-making work flows 

according to investigator’s intended application. The structural parser is such a tool. The parser 

is a concept we have adopted from hypertext, generally used for particular structure domains, i.e., 

spatial parser, taxonomic parser, etc. We have decided to use the more generic term structural, 

to decouple the structural parser from knowing what structure domain the algorithms it supports 

will require parsing of (see Figure 11.3). 

Figure 11.3: A structural parser must be able to: tailor algorithms of different types (e.g., the 

order of algorithms - see left); customize the settings and inputs for algorithms (middle); and 

create new algorithms by combining the existing ones (right). 

Examples of parsers responsible for specific tasks within a certain structure domain, includes 

the spatial parsers in VKB [198] and ASAP [170]. The social network analysis tabbed pane in 

Analyst’s Notebook [2] (see Section 4.1.1) has an ‘Options’ tab for customization, where the user 

can tick off the centrality measures they want to include, together with other options such as 

normalization of results and whether or not to use the directions of links [107]. 


History is not just an important concept for synthesis; it is equally important, if not more, for 

sense-making tasks. Just like history must keep track of synthesis events, it should also keep a 

record of sense-making events, such as ‘calculate centrality measure’, ‘predicted 2 new entities’, 

etc. And the recorded history events themselves can be used for sense-making, e.g., retracing the 

steps (see Section 11.3.4 below). 

11.1.4 TASK: Retracing the steps 

Criminal network investigators often retrace the steps of their investigation to see what might 

have been missed and where to direct resources in the continued investigation. Walking through 

an existing recorded investigation is used by new team members to understand the current status 

of the investigation and for training purposes. 

Homicide detectives retrace through all the evidence on their unsolved genuine mystery investigations: 

“It is a bastard of a case, and again Landsman asks himself: what are we missing? 

175


Figure 11.4: To be able to utilize history for sense-making purposes, the history of user actions 

must be recorded (left), it should be possible to navigate the history (middle), and editing the 

history is essential (right). 

Figure 11.5: Retracing the steps of investigations is often used when an investigation has stalled 

(i.e., no new leads are generated) or for training or explanatory purposes (see Section 12.1.1 in 

the chapter on dissemination). 

Maneuvering through the evening traffic on Liberty Road, he runs two weeks of investigation 

through his mind” [204]. 

11.1.5 TASK: Creating hypotheses 

Generating hypotheses and competing hypotheses is a core task of investigation that involves 

making claims and finding supporting and opposing evidence. Investigators often retrace the 

steps of their investigation to see what might have been missed to evolve an existing hypothesis 

or start a new one (see Figure 11.6). 

Figure 11.6: Creating new hypotheses using argumentation and alternatives, or retracing the steps 

of existing hypotheses. 

Journalist Daniel Pearl was kidnapped in Karachi in early 2002 and the criminal network investigators 

followed the hypothesis that the leader of a radical islamist group, Shaikh Gilani, 

masterminded the kidnapping, since Pearl was scheduled to meet him on the day of his disappearance. 

One day the investigative team receives an email, profiling a shadowy character suspected 

176


of having bankrolled the 9/11 attacks, Omar Saeed Sheikh: “Omar has a particular specialty: he 

kidnaps Westerners”. But the team finds nothing linking Omar to Daniel’s disappearance (besides 

this specialty), and the current state of their hypothesis has a lot more supporting arguments 

pointing towards Gilani. [128, 162, 227] 

On February 5, 2003, secretary of state (Colin Powell) presented to the United Nations council the 

US hypothesis on Saddam Hussein’s weapons of mass destruction program. The supporting arguments 

were primarily based on one human intelligence source, an Iraqi defector who manufactured 

a story based on open source United Nations reports and his work as a chemical engineer. [59,242] 

11.1.6 TASK: Adaptive modeling 

Representing the expected structure of networks for pattern and missing information entity detection 

is a proactive sense-making task. Adaptive modeling embeds the tacit knowledge of investigators 

in network models for prediction and analysis (see Figure 11.7). 

Figure 11.7: Extracting a model from a criminal network investigation, adapting the model to a 

new situation, and then applying the model to the same or another criminal network. 

Several studies have described the structural evolution of terrorist networks and cells related to al- 

Qaeda and affiliated movements (AQAM), and plotting to hit targets in Europe. This structural 

evolution has gone through four phases. Vidino 2011 outlines the evolution of these European 

networks during the first three phases, and provides a detailed description of the fourth phase 

including characteristics in terrorism related to AQAM [236] and resembling a model. Sageman 

(2004) found in his work on structural patterns in “terror networks” [188] that people had joined 

the jihad in small groups (called cliques, where every node is connected to every other node). 

Several individuals lived together for a while and had intense discussions about the jihad. When 

one of the friends were able to find a bridge to the jihad, they often went as a group to train 

in Afghanistan. Nesser (2006) models the structures of jihadist terrorist cells in the UK and 

Europe [154]. Nesser identified a distinct set of profiles: a typical cell includes an entrepreneur, 

his protege, misfits and drifters which also explains the Sageman 2004 concepts of cliques (network 

cells), bridges and hubs (the entrepreneur). The relations among cell profiles as well as meta data 

characteristics for each profile (e.g., education, marital status, children, age) are described. 

11.1.7 TASK: Prediction 

The ability to determine the presence or absence of relationships between and groupings of people, 

places, and other entity types is invaluable when investigating a case. Prediction based on different 

information entities, i.e., information elements, relations, composites, and their attributes is 

preferable (see Figure 11.8). 

“The value of a prediction lies in the assessment of the forces that will shape future events and the 

state of the target model” [40]. “Determining the pattern of links within a large social network 

is often problematic due to the labor-intensive nature of the data collection and analysis process” 

[183]. After Operation Crevice a list with 55 suspects linked to the case was created, but MI5 

did not have enough resources for surveillance of everybody on the list. They selected (predicted) 

177


Figure 11.8: Predicting missing information entities: links, structures, key players, and subgroups. 

the 15 individuals they thought were a threat to national security, missing key individuals behind 

the July 7th bombings [110]. The links between Operation Crevice and the July 7th bombings is 

something that is still investigated by the British Home Office [167]. 

In an 2011 interview, Alex Strick van Linschoten [134] suggested prediction of missing links between 

Afghan Taliban members based on knowledge about their andiwali 1 system, “where groups tend 

to gather based on prior connections. Young men from the same village could group together in 

one cell; madrassas also allow young men to form ties. Some groups may have blood relations that 

bring them together in a group of andiwali” [137, 166]. 

11.1.8 TASK: Alias detection 

Network structures may contain duplicate or nearly duplicate entities. Alias detection can be 

used to identify multiple overlapping representations of the same real world object. Semantic 

and orthographic aliases are two types of aliases that relevant for criminal network investigation. 

Semantic aliases could be intentional (using different names in different contexts) or overlapping 

(two persons use the same alias in the same context). Orthographic aliases typically refers to 

different spellings of the same name because the language (writing system) is different, but it 

could also mean simple mis-spellings such as typos, etc. (see Figure 11.9). 

Figure 11.9: Detecting semantic and orthographic aliases to analyze if two entities are in fact the 

same, or if a single entity was in fact two different entities. 

An extreme example is the mastermind behind the kidnapping of journalist Daniel Pearl, Omar 

Saeed Sheikh, who used up to 17 aliases [128]: “You run up against the eternal problem of any 

investigation into Islamist groups or al-Qaeda in particular: the extreme difficulty of identifying, 

just identifying, these masters of disguise, one of whose techniques is to multiply names, false 

identities, and faces”. Khalid Sheikh Muhammad used more than two dozen aliases [146]. In 

the UK investigation of whether or not the July 7th bombings in London 2005 could have been 

prevented based on information from the prior Operation Crevice, MI5 had come across different 

variations of the name “S. KHAN” (the name of the plot ringleader, Mohammed Siddique Khan). 

They consequently believed the name could have been an alias “due to a combination of both the 

multiple spellings and lack of traces on databases” [110]. Aliases are inherently also a problem 

when analyzing on line violent radical milieu’s: “the Internet allows for the virtual construction 

1 “Andiwal” is the Pashto (Afghani language) word for “friend”. 

178


and projection of personalities that may or may not be accurate reflections of the physical lives 

controlling those avatars” [29]. 

11.1.9 TASK: Exploring perspectives 

To reduce the cognitive biases associated with a particular mind set, the exploration of different 

perspectives (views) of the information is a key criminal network investigation task (see Figure 

11.10). 

Figure 11.10: Alternatives to the often used navigational (link) perspective are the spatial, taxonomic, 

time line, map, and audio perspectives. 

During the Daniel Pearl investigation a chronology of events (time line) is created simultaneously 

with the criminal network (link chart) of involved individuals who were potentially linked to the 

crime [162]. A time line perspective could also be used for temporal organization of previous 

investigations, e.g. terrorism plots in the European Union [236] (see also Figure 14.10). 

When Colin Powell presented United States’ hypothesis on Saddam Hussein’s weapons of mass 

destruction program, he used both augmented satellite photos (images/maps) and recordings of 

intercepted phone calls (audio) with subtitles [238, 257]. 

11.1.10 TASK: Decision-making 

During an investigation, decisions have to be made such as selecting among competing hypotheses. 

Auto-generated reports and storytelling can also be used for higher-level decision-making (see 

Figure 11.11). 

Figure 11.11: Decision-making is typically done by selecting arguments and alternatives, or it is 

based on reports and storytelling. 

As mentioned, a list with 55 individuals was created after Operation Crevice, and it had to be 

decided how to focus limited resources [110, 252]. In the case of CIA’s investigation into possible 

weapons of mass destruction in Iraq, the CIA based their decision on uncorroborated evidence 

(arguments) [59, 242]. The team investigating the kidnapping of Daniel Pearl decides to focus 

resources on the alleged mastermind Sheikh Gilani, the man who Pearl was scheduled to interview 

on the day of his disappearance [128, 162, 227]. 

179


11.1.11 TASK: Social network analysis 

Social network analysis measures such as degree, betweenness, closeness, and eigenvector can 

provide important criminal network insights (see Figure 11.12). These and similar measures are 

often used as input for other more advanced and specialized sense-making algorithms, either 

producing new measures or transforming the network. 

Figure 11.12: Degree, betweenness, closeness, and eigenvector measures of centrality. 

Slate reporter Chris Wilson has described how the US military used social network analysis to 

capture Saddam Hussein [250]: “In Tikrit, players were captured, killed, and replaced at a low 

enough rate that the network was able to cohere. The churn rate is likely much higher in an 

extremist group like al-Qaeda”. In one assessment of destabilization tactics for dynamic covert 

criminal networks, it is pointed out that in standard social network analysis node changes are the 

standard approach to network destabilization [35]. 

“MI5 [. . . ] decided not to continue surveillance of Khan and Tanweer because the quantity of 

Khan and Tanweer’s links to the fertilizer bomb plotters targeted in Operation Crevice were less 

than 0.1 percent of the total links. Their argument failed to take into account the betweenness 

centrality of Khyam. Betweenness centrality refers to relationships where one individual provides 

the most direct connection between two or more groups. These individuals bridge networks, or 

subnetworks. In the case of Khan and Tanweer, Khyam was likely serving a liaison role rather 

than a broker role, meaning his betweenness was not likely critical to their plot but was indicative 

of Khan and Tanweer’s intelligence value” [111]. 

11.1.12 TASK: Terrorist network analysis 

Sense-making measures specifically developed for terrorist networks such as level of secrecy (covertness) 

and efficiency can provide more focused insights due to their domain focus. Terrorist network 

measures are used to understand and subsequently destabilize networks (e.g., to reduce the flow 

of information through the network or to diminish the network’s ability to reach consensus as 

a decision-making body) or to search for specific entities or patterns in the network (e.g., key 

players). Examples are shown in Figure 11.13. 

Figure 11.13: Terrorist network measures includes secrecy and efficiency for measuring link importance, 

and detection of key players and communities (subgroups). Terrorist network destabilization 

criteria are often used to determine the success or failure of such measures. 

180

CHAPTER 11. SENSE-MAKING 11.2. DESIGNS 

The link importance measure has been shown to offer new insights into the 9/11 and Bali bombing 

terrorist networks by pointing out links that are important to the network [244]. Community 

(subgroup) detection has been applied to a network of 60 criminals dealing with drugs [255] and 

prediction of missing key players has been tested on the Greek terrorist network November 17 [182]. 

11.2 Designs 

In this section, we present designs for criminal network sense-making tasks supported by Crime- 

Fighter Investigator but also ideas that remained ideas, yet found useful by criminal network 

investigators we have discussed them with or through investigations of our own. 

11.2.1 CONCEPT: Algorithm (sense-making work flows) 

Custom-made algorithm design is exemplified by the design of our node removal algorithm below, 

followed by designs of our sense-making work flows. Please refer to Section 11.2.6 on social network 

analysis for designs of measure algorithms such as traditional and extended entity centralities. 

CUSTOM-MADE ALGORITHM (NODE REMOVAL) 

Based on literature reviews (e.g., [35,36,40,174,183]), feedback from intelligence analysts and our 

own ideas, we propose a node removal algorithm involving the following eight steps. The two 

perspectives (steps 5 and 6) are exchangeable and adaptive by adjustment of their settings: 

1. Define ‘what if’ question(s), thereby focusing on specific secondary effects of node removal. 

Investigators typically frame these ‘what if’ questions that they want to ask using natural 

language, for example: “what network paths with a change in distance from 2 to 1 will 

emerge when the node is removed”. This could point out individuals gaining direct access 

to key individuals after node removal, if the investigators have prior knowledge about who 

these key individuals are. The ‘what if’ questions are framed by the investigators. 

2. Select nodes of interest. All nodes are not necessarily relevant for the defined ‘what if’ 

question(s). The investigators will decide which individuals it would make sense to include 

based on their tacit knowledge and other preconceived notions or experience. 

3. Select node to remove. Although the algorithm lets the investigator see the probable effect 

of removing any node from the criminal network, network information such as social network 

measures, predicted future states, and destabilization criteria are considered when selecting 

which node to remove. 

4. Remove selected node and all associated links. Removing a node with more than a few links 

can be a cumbersome synthesis task to perform manually, i.e., removing the links one by 

one without accidentally deleting other individuals’ links. 

5. Perspective 1: predict new links. Prediction of new probable links between the remaining 

individuals in the network based on for example open source information and the tacit 

knowledge of the investigators. The predicted links are input data for the processing of 

‘what if’ questions. 

6. Perspective 2: changing degree centrality. Displaying the changing degree centrality of each 

node will disclose changes in node importance to the investigator. 

7. Discard or append new links. The investigator might want to follow some leads based on 

the links predicted after the node removal. Or maybe some settings need to be adjusted, 

and the investigator will discard the results. 

181

11.2. DESIGNS CHAPTER 11. SENSE-MAKING 

8. Dissemination of secondary effects. Before the algorithm results are appended or discarded, 

a report which outlines the secondary effects of the node removal, listing the current setting 

and how the algorithm reached its conclusions would be helpful for (easy) dissemination to 

intelligence customers or other investigative team members who did not participate in the 

reasoning session. 

We present a node removal scenario in Section 14.2 describing how the CrimeFighter Investigator 

supports the above defined algorithm steps. 

SENSE-MAKING WORK FLOW 

The list below outlines our design for how we believe criminal network investigators should be 

able to work with algorithms, to define so-called work flows. The design of the CrimeFighter 

Investigator Algorithm component is described in greater detail in Section 8.5.3. Here we describe 

the design for each of the steps for creating sense-making work flows, as outlined in Section 11.1.1 

(analysis): 

1. Work flow input. Input is either based on a series of synthesis and sense-making iterations 

or imported from a previous investigation. A design is therefore not created for this step. 

2. Need for sense-making. This is a decision made by the investigator based in the current 

state of the criminal network in the common information space. The need for sense-making 

cannot be decided by software. 

3. Run the sense-making work flow. There is a need to differentiate between transformative 

algorithms and measures. The created work flow(s) should be added to a list that is 

available from the common information space. That is, (parts of) the network must be visible, 

simultaneously with the list of created sense-making work flows. We suggest to embed 

a view for algorithms in the common information space. 

4. Results. As described in the analysis, there is only a need for deciding what to do with 

results produced by algorithms that transform the network. A pop-up should ask the user 

whether or not to deal with all results at once or each individual result (i.e., each predicted 

link or information element). If all results is selected, then all entities related to the transformation 

are highlighted, to inform the user what entities precisely the decision to discard 

or append those results concerns. If possible, display additional information about the results, 

e.g., number of information elements, relations, and composites, or perhaps the link 

importance measure for all relations should be displayed. Whether the results are appended 

or discarded, the action (event) should be appended to the criminal network investigation 

history. 

Alternatively, if individual results is selected, iterate through each result action and perform 

the following for each one: highlight the entity related to the transformation, to inform 

the user what precisely the decision to discard or append that entity concerns. If possible, 

display additional information about the entity, e.g., what caused the entity to be predicted, 

what is the centrality of the entity, or general meta data information about the entity such 

as attributes or the entity’s visual abstraction. This could be displayed in a so-called object 

inspector, or in the specialized sense-making view. Again, the append or discard action 

(event) should be appended to the criminal network investigation history. 

5. Retrieving a report. When a sense-making work flow has been executed, this should be 

indicated somehow in the specialized sense-making view. It should also be indicated whether 

or not the execution produced any results. If a sense-making work flow is marked as executed 

and the work flow produced results, then a selection of that button should make available a 

button that the user can push to extract the report (if multiple reports are available, then 

the user should be given the choice between these options). The analysis and design of the 

actual report generation process is described in Section 12.1.2 and Section 12.2.2. 

182


6. Save sense-making work flow. Option to save the sense-making work flow must be 

available through the specialized sense-making view. Another option could have been the 

spatial parser, but since it is unclear at the point of customization of the algorithm, this 

could potentially inhibit the creativity involved in tailoring an algorithm. The process of 

saving the work flow will be controlled by a dialog, asking for various information about the 

work flow. Minimally a name, but a description of the type of criminal network sense-making 

that the work flow is suitable for could also be relevant. 


We divide our design of the creating hypothesis task into reasoning using issue-based argumentation 

and reasoning by creation of alternated interpretations using structural capabilities to create 

e.g., branched information structures (lines of reasoning or thinking). 

TASK: Issue-based argumentation 

Investigators use evidence (i.e., facts) or inferential judgments to reason about the issues they 

come across in their work. Inferential judgments typically require detailed reasoning involving 

several positions and even more “pro” and “con” arguments, while fact-based reasoning typically 

is done by creating relations to pieces of evidence in the space. Algorithms for machine inferential 

judgments exist; such functionality would be helpful for investigators. 

Besides creating the link chart and a chronology of events, the Daniel Pearl investigative team also 

continuously updates the thoughts and evidence about “Who kidnapped Daniel Pearl?” (i.e., who 

are the master mind(s) behind the kidnapping). The most wicked problem of an investigation is 

always “Who did it?” or “Who are going to do it?” - and part of that problem is the acknowledgment 

of “Who didn’t do it.”, as a result of listing pros and cons regarding the suspects. A sketch 

of the intended issue-based argumentation interface is shown in Figure 11.14. 

Figure 11.14: A design sketch of our intended issue-based argumentation interface. 

183



The goal of adaptive modeling is to enhance criminal network synthesis tasks with the option to 

build adaptive rule-based models of re-occurring criminal network structures. We have reviewed 

literature on terrorist profiling that provides arguments for focusing on the modeling of relational 

and biographical profile characteristics. The entities of the models (information elements, relations, 

and composites) are related to each other based on their individual attributes. This allows the 

investigators to embed their skill, expertise and experience into the system, facilitating a teamoriented 

criminal network investigation. We propose the following design for adaptive modeling: 

1. Synthesis of models. It is necessary to build models of criminal network structures based 

on profiles of persons and other information entities, who are related to each other by specific 

attributes (e.g. age, home country, education, family ties, sub group, etc.). 

If rules can be created based on natural language instead of mathematical models (but 

still representing the same semantics), it will provide criminal network investigation teams 

with a more intuitive approach to describe the world in a more detailed way than simply 

using node and relation weights. Modeling profile characteristics (a): selecting profile 

characteristics suitable for rule-based modeling is a complex task, although the psychological 

parts of profiles are being disregarded. And not all biographical or relational characteristics 

are straightforward to model using language based rules. Rule format and parameters 

(b). It is important to keep the rule format simple in order to follow the natural language 

strategy. Relational and biographical characteristics (c) can be modeled using natural 

languages, and computational rules can be defined to encapsulate them. 

2. Adaptable models. These models of criminal network structures must be adaptable to 

changes in the associations between entities, or parts of existing models can be used to create 

new models. 

We believe that the following interaction requirements will provide investigators with a 

way to embed their personal knowledge and experience into adaptive rule-based models of 

criminal network structures. All stakeholders of the intelligence cycle followed by a criminal 

network investigation team should be able to use these tools. Each of the following design 

requirements are deducted from these paradigms, and desired functional requirements are 

listed to underpin each one. 

Team-orientation through adaptation is essential for criminal network investigation team, 

i.e., adapting the data model of their investigation tool to match the team member’s view of 

the world. Attribute adaption (a), includes editing (renaming, adding, deleting etc.) the 

attributes of information elements such as persons, city, organizations and their relations. 

Rule adaption (b) as the world changes or new information about profile characteristics 

emerges is essential. If a set of rules are locked and cannot be altered it would prevent the 

improvement and sophistication of models. 

Intuitive gesture-based interactions: this applies to information analysis but also the creation 

of rules between the individual attributes of information elements. Drag-and-drop features 

would facilitate a more visual approach to rule building and hence aid the user. Clear and 

simple graphical user interfaces combined with gesture guided interactions to access the 

information on which rules are based would also be a benefit in building rules. 

3. Models as input for sense-making. Profiles of individuals based only on relational and 

biographical data (that is disregarding the psychological part of their profile), can be connected 

together in networks representing expected cell structures (like Nesser did in [154]), and then 

re-used for sense-making in other criminal network investigations. 

Our design for support of computations over adaptive network structure is as follows: a 

parser must be implemented to handle the processing of rules, running against the complete 

network structure. The network structure analyzer and parser must be able to cooperate 

184


with a parser analyzing spatial structures in order to create a combined presentation and 

analysis within the criminal network investigation tool. 

Rule design 

Since rules are the conditional logic of adaptive models, we will focus the design in this section 

on those rules. It is important to distinguish semantically between information element, relation, 

and composite rules. Information element rules are used to described attributes that applies to 

profiles of individual persons, locations or organizations etc. Relation rules associate information 

elements, forming the criminal network structure of the model. In this section, we will discuss 

some observed general characteristics of the intended CrimeFighter Investigator rules and then 

give examples of both information element and relation rules. 

The general rule format used for both information element and relation rules is given in Figure 

11.15. Attribute name indicates which information element or relation attribute (Figure 11.16) 

this rule is targeted at. Attribute type is information about the type of the attribute content, 

i.e. is it an integer number, a text string or an array of text strings. The rule operators function 

is to provide the conditional logic that will decide if a rule is evaluated true or false based on 

the rule attribute name and the provided rule parameters if any. A criminal network investigator 

must offer a number of both boolean operators (SmallerThan, BiggerThan, EqualTo etc.) and text 

string operators (EqualsIgnoreCase, SubStringOf, MinimumOccurences(#) etc.). Rule parameters 

is an option to add some additional parameters to be included in the rule evaluation. It could 

be an integer number, text string or an array of text strings. It could also another attribute of 

the information element that this rule is attached to. And finally, it could be a classification 

(or taxonomy) on a certain topic as described by the criminal network investigation team or an 

individual team member. As an example, if the team builds a taxonomy of militant religious 

groups, it would be possible to use classes of that taxonomy as a parameter for rules. 

Figure 11.15: Design of general rule characteristics. 

Before giving rule examples, we would like to discuss the attributes associated with person information 

elements and person-to-person relations by the Investigator tool (Figure 11.16). The 

list of attributes is partly based on (Gniadek 2010) [80] and partly our own experiences gained 

from studying Nesser’s 2006 model (see Section 14.1.1) together with our analysis of the criminal 

network involved in Daniel Pearls kidnapping (see Section 3.5.1 and Section 14.1). General 

attributes like ‘Source of information’, ‘Time of entering data’, ‘Source reliability’ and ‘Date of 

relation creation’ etc. have been disregarded for the sake of simplicity, but are of course important 

steps of the intelligence gathering process. 

As described in Section 14.1.1, it was part of the profile of jihadist terrorist cell leaders in the 

UK and Europe that they typically have participated in jihad in their original home country (or 

Afghanistan, Pakistan, Chechnya, Bosnia). A prerequisite of participating in jihad in a country 

must be to have visited that country, and it could also be useful information even though the ‘participation 

in jihad’ might not show any matches. Aiming at analyzing large amounts of data, we 

cannot know if a persons home country is part of the list {Afghanistan, P akistan, Chechnya, Bosnia} 

and we have to make two rules in order to be sure (shown below). 

1: 

2:


Figure 11.16: Information element and relation attributes. 

{Afghanistan, Pakistan, Chechnya, Bosnia}> 

Figure 11.17 shows an example of a person-to-person relation rule, where the aim is to determine 

whether or not the person on the left is older than the person on the right. The direction of 

a relation plays a key role when defining relation rules, since it indicates how the comparisonoperator 

is applied. The algorithm parsing this rule simply takes the age of the person attached 

to the left side of the relation. If one end of the relation is not connected to an information 

element, (or if the information element does have the requested attribute) that specific rule should 

be disregarded during analysis, but will be invoked immediately when relation endpoints become 

connected again. Please note that in the example given in Figure 11.17, the rule parameters are 

not used and therefore set to null. 

11.2.4 TASK: Alias detection 

Figure 11.17: Relation rule example. 

If a person deliberately uses different names in different contexts it can be very confusing for criminal 

network investigators because it complicates the sense-making process. Algorithms that can 

detect the relations between aliases, and then indicate the probability that these two individuals 

are actually the same person could solve this problem (see example shown in Figure 11.19a). If, 

at the same time, the inferences made by such a detection technique is made available, it would 

be a helpful decision-making tool for criminal network investigators (see Figure 11.18). The investigator 

should be offered the option to merge the two entities representing the individuals, the 

result of which is shown in Figure 11.19b. 

Levy (2003) describes how confusing it can be if two persons use the same alias, using an example 

of individuals involved in Daniel Pearls kidnapping and murder (see Section 3.5.1 for more details): 

“Sometimes you think you’re dealing with two men when, in reality, there are two using one name. 

Asif Ramzi for example, is also the pseudonym of another terrorist, a resident of Muhammad Nagar 

186


Figure 11.18: Imagined visualization of detected 

aliases, either deliberate aliases (one person) 

or same alias (two persons). An indication 

of the probability that the two linked individuals 

are in fact the same person or two different 

persons is also shown. 

(a) An example where a person is using his real name in 

one context and an alias in another. 

(b) A person who appeared twice in a network has been 

merged to one entity. 

Figure 11.19: Example of how the detection 

of an alias can help reduce the complexity of 

criminal networks, by merging two entities. 

in Karachi, who is also known as Hafiz or Chotto, Chotto being one of the pseudonyms of Mazhurul 

Islam as well, the latter also known as Dhobi.” (see Figure 11.20). 

Figure 11.20: It can also complicate an investigation significantly, if two persons are using the 

same alias. In this case Muhammad Nagar and Mazhurul Islam both use the alias Chotto. 

187

11.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 11. SENSE-MAKING 

11.2.5 TASK: Exploring perspectives 

The hierarchical (taxonomic) view is essential for both synthesis and sense-making, as some criminal 

network investigations might make more sense looking at the network ordered hierarchically 

(see design in the chapter on synthesis Section 10.2.1). Issue-based argumentation is designed to 

exist in a separate view (see Section 11.2.2). 


The classic centrality algorithms have been extended by adding some analysis prior to the existing 

steps, which alter the criminal network depending on entity associations added by the user. 

Our implemented betweenness algorithm (described in [169]) with the extra step for the selected 

centrality extension(s) works as follows: 

1. Pre-analysis; In this step the algorithm analyzes whether or not the included association 

types appear in the criminal network. If they do then changes are temporarily made to the 

network accordingly. 

2. List all entity pairs; This step creates a list of all entity pairs that exists in the network, 

again based on the included associations. This means that if the direct node-group association 

is included, then all entities that are directly or indirectly (by association through 

intermediary entities) associated to the group with links are added to the list of entity pairs. 

3. List all shortest path(s) for each entity pair; We calculate the shortest path(s) for all 

entity pairs without considering the cost-efficiency of our algorithm: we take a breadth first, 

brute-force approach [207], visiting all nodes at depth d before visiting nodes at depth d + 

1, removing all loops and all paths to the destination node longer than the shortest path(s) 

in the set, until only the shortest path(s) remain. 

4. Node occurrence; We calculate the ratio by which each node in the network appear in the 

accumulated set of shortest path(s). 

5. Bubble sort; The results are sorted according to the user’s choice, usually descending with 

the highest centrality first. 

6. Generate report; If the user requests it, a pdf report is generated for easy dissemination of 

the results of the centrality measure. The user can decide what report elements to include. 

Pre-analysis is the algorithm step of primary interest to the work presented here. For the direct 

empty endpoint association, pre-analysis involves adding temporary information elements as 

placeholders of empty endpoints. For the semantic co-location association, we create a temporary 

relation between two entities if they are not already related and they are within the user-defined 

boundaries of each other (see Figure 11.21). 


In this section we present our implemented support of software tool concepts and criminal network 

investigation tasks, which we analyzed in Section 11.1 and created designs for in Section 11.2. 

11.3.1 CONCEPT: Algorithm 

CrimeFighter Investigator supports three structure algorithm types: measures (e.g., entity centrality), 

transformative algorithms (e.g., entity prediction), and combinations of these. Custom 

algorithms are templates of specific criminal network investigation work flow, e.g., understanding 

188

CHAPTER 11. SENSE-MAKING 11.3. CRIMEFIGHTER INVESTIGATOR 

the secondary effects of entity removal or insertion. All algorithms implement the report interface, 

where an algorithms’ report elements and design is defined. Rules are used to describe entity-toentity 

relations, attribute cross products, etc. Each algorithm has a set of general settings and 

specific settings. Specific settings include algorithm hooks, i.e., the entity attributes that algorithms 

base their computations on, and customizable algorithm parameters. 

We refer to Section 11.3.2 (structural parser) for the descriptions of how to use different algorithms, 

since it is the role of the structural parser to tailor, customize, and run sense-making algorithms. 

Furthermore, Chapter 14 describes three different deployments of CrimeFighter Investigator where 

a variety of the discussed algorithms are used. 

11.3.2 CONCEPT: Structural parser 

CrimeFighter Investigator algorithms are managed by a structural parser (Figure 11.22), where 

investigators can select different algorithms to run and control the order in which they are applied, 

for example either simultaneously or sequentially. 

Figure 11.22 (left, top-frame) shows tabs for different algorithm types. The SNA tab covers social 

network analysis measures such as degree, closeness, and betweenness [111, 240]. The terrorist 

network analysis measures on the TNA tab are part of our future work, supporting integration 

with the CrimeFighter Assistant [244, 245]. The default prediction algorithms include predict 

covert network structure and predict missing links [183, 184]. Figure 11.22 (left, bottom-frame) 

shows the algorithms selected by the investigators to run. The structural parser will indicate if 

there is a potential conflict between the selected algorithms. If a prediction algorithm is selected 

to run on every network event, it could create a loop (since it is transformative). Similarly, if 

algorithms are running sequentially the position of an entity centrality measure before or after a 

transformative algorithm is quite important. 

Algorithm settings, both general and specific, are accessed by clicking on the options button shown 

in Figure 11.22 (left, top-frame). The predict missing links customization window is also shown in 

Figure 11.22 (on the right). Algorithms can run on every system event or when the investigator 

requests it (Figure 11.22, top right). 

Tailoring prediction of missing links 

The user can customize when and how often a prediction algorithm should compute (Figure 

11.22a). One option is to automatically run the algorithm every time a change is made to the 

criminal network. But the predict missing links algorithm is a transformative algorithm, and 

would continue to predict missing links, since each transformation of the network would start the 

(a) without (b) with (c) without (d) with 

Figure 11.21: The two implemented algorithm extensions, the empty endpoint association and 

the co-location association are explained. Without the empty endpoint association, the link from 

the empty endpoint to the connected entity is not included in measures of betweenness centrality 

and degree centrality is not calculated for the empty endpoint (a) and with that association the 

link is included (b). Without the co-location association entities positioned near each other in 

the information space are not included in measures of centrality (c), but if entities fall within the 

boundaries defined by the investigators and the association is included, then those entities are 

included in measures of centrality (d). 

189


Figure 11.22: The structural parser (left) and the predict missing links algorithm customization 

window (right). 

algorithm again. Therefore, an option to run algorithms when clicking a button has been added 

(see Figure 11.1, right side). 

Next is the selection of algorithm hooks (Figure 11.22c). A special drag and drop view is used 

for this task (Figure 11.23). Both entity attributes and centrality measures can be selected as 

algorithm hooks. 

Numerical algorithm variables are customized using standard input fields such as text fields (any 

number or text), sliders (bounded numbers), and drop down boxes (enumerated values) as shown 

in Figure 11.22d. Network information (evidence) is what the prediction algorithms base their 

inferences on (Figure 11.22e). For predict missing links, it will be all entities currently in the 

network. 

The network layout drop down box (Figure 11.22f) can be used to select one of several default 

layout algorithms that will be applied after the prediction. Finally, the investigators can customize 

what visual symbols (color, thickness, etc.) to apply to the predicted links (Figure 11.22g). 

Tailoring measure of betweenness centrality 

The interface for customizing measures of centrality is structured in the same way as the interface 

for transformative algorithms described above (Figure 11.24). There are however a couple 

of important differences which we would like to emphasize, using betweenness centrality as an 

example: 

Entities? The investigator should decide which entities to include for the calculation of 

betweenness centrality, all or only selected entities (e.g., persons)? If not all entities are 

included, what should the algorithm do if it encounters a non-included entity when tracing 

shortest paths? Should it skip the entity and then continue on the other side if the path 

190


Figure 11.23: Selecting algorithm hooks for the predict missing links algorithm. 

continues, or simply not count the path? 

Associations? The investigator has to decide how to deal with for example empty relation 

endpoints in terms of calculating betweenness centrality. If a relation endpoint is expected 

to contain a person-entity, but it is not yet known who, then it might be relevant to include 

that empty endpoint in the measure of centrality anyway. 

Results? Often it is an advantage to normalize the measure of betweenness centrality for 

all entities for comparison purposes, but not always. Also, in some situations it might be 

relevant to only list the first 10 or 20 results and in other situations all measures are required 

for further sense-making. Finally, it could be useful to emphasize the entity (or entities) with 

the highest degree centrality, using color, relative size, or other forms of visual symbols in 

the information space. 

Figure 11.24 shows the interface for customizing SNA measures of centrality (left) and the subinterface 

for setting up visual symbols for visualization of results in the information space (right). 

Tailoring extended centrality work flows 

CrimeFighter Investigator algorithms are managed using a structural parser, where investigators 

can select different algorithms to run and control the order in which they are executed, for example 

either simultaneously or sequentially. Figure 11.25 (left) shows how individual centrality 

algorithms can be customized by the user. The user must decide how to run an algorithm (Figure 

11.25a) and what entities to include for the respective centrality algorithm (Figure 11.25b). This 

is done using drag and drop between two defined areas as shown in Figure 11.25 (right, top frame). 

For included entities the user can set a weight (maybe a location counts less than a person for a 

measure of betweenness centrality) and for excluded entities the user how the algorithm should 

deal with it, e.g., when tracing a shortest path. Should it not include the shortest path or simply 

ignore this entity and continue along the path? Direct and semantic associations are included 

or excluded using the same drag and drop approach as for entities (see Figure 11.25c and 11.25d). 

Again, weights can be setup for included associations and the algorithms action(s) for excluded 

associations. Finally, we imagine many settings for how to format and list results (Figure 11.25e). 

Typically, normalization is important for comparison of results. If an investigation has many of the 

included entities it can be useful only to display for example 10 results based on some parameter, 

e.g., highest centrality. 

191


Figure 11.24: The user can customize which entities and associations to include, how to display 

results, and the visual symbols for betweenness centrality. 

192


Figure 11.25: Setting up centrality algorithms using structural parser windows: the centrality 

algorithm settings window is shown on the left, and the window for inclusion and exclusion of 

entities together with specific settings for each of those entities is shown on the right. 

It is currently possible to set the visual symbols for the information space and the algorithm view 

(see Figure 11.25f). For the information space the user can decide whether or not to overlay 

entities with a geometric shape (circle, square, or rectangle) containing the calculated centrality 

(instead of just showing the results in the algorithm view). The color, size and outline of the shape 

can be decided together with the font and font size of the printed centrality. For the algorithm 

view it can be decided how to display the results textually in a list. Maybe a certain attribute 

should be printed (e.g., person ’name’ or email ’date’). And the font (type, size and color) can be 

set. 

Tailoring node removal work flows 

CrimeFighter Investigator supports a node removal approach with two perspectives: an inferencebased 

prediction of new probable links and changes in standard social network degree centrality. 

In this section we demonstrate how to tailor node removal work flows. In Chapter 14 we go 

through such a node removal work flow and test the tailored algorithm on a criminal network 

aggregated from open source reports, creating hypotheses based on path distance and degree 

193


Figure 11.26: Structural parser settings and information. 

Figure 11.27: Node removal algorithm settings. 

centrality changes. Figure 11.26 (right) shows the algorithms selected by the investigators to run, 

in this case ‘CustomNodeRemoval’ and ‘DegreeCentrality’. As mentioned above, the structural 

parser will indicate if there is a potential conflict between the selected algorithms. Algorithm 

settings, both general and specific, are accessed by clicking on the ’options’ button shown in 

Figure 11.26 (left). Selected parts of the node removal window are shown in Figure 11.27. Specific 

visual symbols can be added and edited, in the case of node removal visual symbols are associated 

with the different ‘what if’ questions. 

The ‘what if’ question editor is shown in Figure 14.7, with the settings for the following question: 

“what if individuals who didn’t interact directly before the node removal start to interact 

afterwards?”. In order to visualize the links that match the ‘what if’ question constraints, the 

question has been setup as follows: the question is focused on Relation entities (links), and will 

run computations between all combinations of connected nodes (individuals) in the given criminal 

network. The before constraint that has to be fulfilled, is that path distances between individuals 

should be of length greater than 1 and the post prediction constraint is that path-length should 

now be exactly 1. If these conditions are fulfilled, then those links will be colored red. 


The history editor provides the investigative team with an option to edit the history and basic 

space-level events, typically simplifying it or making it more intuitive/descriptive. The sequential 

list of history events is presented in a tree view, where nodes are events grouped by the investigator 

(explained below) and leafs are basic events raised by the users interactions with the common 

information space. The investigative team can use the history editor to group, annotate, delete, 

and move events up or down in the history. Storytelling is an example of how editing history 

events can be used for information sharing. Creating stories based on events is a matter of 

194


Figure 11.28: The ‘what if’ question editor. 

grouping the space-level events into the steps telling the story. This will allow the investigator to 

disseminate only the most important points to the customer (see Chapter 12 on dissemination). 

Simply replaying all the space-level events could be very confusing to the customer, if there are 

many. 

11.3.4 TASK: Retracing the steps 

Retracing the steps of criminal network investigations is facilitated by a history feature. Recording 

investigation history allows the investigative team to review the path or progress of their investigation 

or to reclaim information that previously had been deemed irrelevant or deleted, but 

then found to have greater significance due to new incoming information. The user interface of the 

navigable investigation history feature is embedded in the tool bar (see Figure 11.1, at the top). 

It has buttons for navigating the recorded events, and the current event displayed in the space is 

visualized using a slider as well as a label showing the total number of events (e.g., 59/59). The 

history feature records all the interactions that investigators have with entities in the space as 

events, e.g., “create information element”, “resize composite”, “move information element”, and 

so on. Each event is given a time stamp and added to the sequential history. 


CrimeFighter Investigator supports two types of hypotheses supported by issue-based argumentation 

technology and the option to create branched information structures. 

TASK: Issue-based argumentation 

Reasoning can be done using the issue-based argumentation feature of CrimeFighter Investigator. 

The example presented in Figure 11.29 is based on what is known 60 hours into the Daniel Pearl 

investigation, when the team receives an email from a colleague at the Wall Street Journal London 

bureau, which the bureau received from Andrea Gerlin of the Philadelphia Inquirer. Attached to 

the email is an article from the January 24 Independent, profiling a shadowy character suspected 

of having bankrolled the 9/11 attacks, Omar Saeed Sheikh. But what disturbs Andrea is that 

“Omar has a particular specialty: he kidnaps Westerners”. However, the team finds nothing 

linking Omar to Daniel’s disappearance (besides this specialty), and given the current state of the 

issue chart where a lot more ‘Pro’-arrows (i.e., supporting arguments) are pointing towards Gilani 

(the person that Daniel was supposed to meet on the evening of his kidnapping). 

Reasoning can be attached to any entity in the criminal network. A small hexagon icon with the 

195


text “IPA” is used to show that reasoning is attached, and clicking the icon opens the issue-based 

argumentation view. Reasoning can be used for several purposes: (1) to capture and visualize 

disagreement in an analysis situation, ensuring that all positions and arguments are heard; (2) to 

reason argumentatively during storytelling (e.g., a senior police officer is creating a briefing based 

on an investigation); and (3) to create and explore (competing) hypotheses. According to the IBIS 

model [47], we have adopted the following predefined relations: is-suggested-by (←), responds-to 

(→), supports (+), objects-to (−), questions (?), and generalizes or specializes (○). The relation 

direction can be both ways in all cases. These predefined relations aids the investigative team in 

controlling the mapping of their dialog about issues, positions, and arguments. 

Figure 11.29: CrimeFighter Investigator - Issue-based argumentation view from the Daniel Pearl 



The developed rule editor for adding, deleting and updating rules is shown in Figure 11.30. The 

editor is divided into three panels, from top to bottom they are: Information panel, rule editing 

panel and existing rules panel. The information panel shows information about the information 

element or one relation and two information elements depending on the type of rule being edited. 

The rule editing panel handles update and creation of individual rule parameters, and the existing 

rules panel provides an overview of the rules association with the information element or relation. 

11.3.7 TASK: Prediction 

CrimeFighter Investigator has support implemented for two Bayesian inference algorithms. Prediction 

of covert network structure and prediction of missing links are both described below. 

Predict covert network structure 

The predict covert network structure algorithm works computationally like the predict missing 

links algorithm, the main difference being the inclusion of individuals in the (Bayesian) evidence, 

not already in the criminal network. 

196


Figure 11.30: CrimeFighter Investigator rule editor for creating and updating rules. 

Predict missing links 

In the following example, we describe CrimeFighter Investigator support of the Bayesian inference 

method described in [183]. As discussed in analysis, the network nodes and attributes used in 

this example are inspired by the Greek criminal network November 17 (see [183] for more details). 

The major steps involved in the calculation are shown in Algorithm 1 and the network we predict 

missing links for, is shown in Figure 11.31. The network has six nodes and seven (positive) links. 

Part of the customization of this algorithm (see Section 11.3.2) is to select the entity attributes 

(algorithm hooks) for the prediction algorithm. Only enumerated attributes are accepted as 

algorithm hooks, i.e., name is not eligible since it can have basically any value. 

The first step of the algorithm (line 1), is to calculate the contingency table for each of the selected 

algorithm hooks. We will explain how to calculate the contingency table for a role hook which 

can have one of two enumerated values: leader (L) or operational (O). The faction can have one 

of three enumerated values (G, S, or K), each named after an individual within that respective 

faction. The contingency table records the relation between positive and negative links in the gold 

standard (purple nodes in Figure 11.31). 

197


Figure 11.31: A predict missing links example. 

Algorithm 1: Predict missing links 

input : A criminal network investigation (gold standard) 

output: A list of missing links 

hookRules ← InitHookRules(); 

hookProductRules ← InitHookProductRules(); 

bayesianEvidence ← GetAlgorithmSettings().GetBayesianEvidence(); 

1 foreach Hook h in Hooks do CalcContingencyTable(h); 

; 

2 productRuleResults ← CalcHookProducts(); 

3 predictedLinks ← PredictLinks(productRuleResults, bayesianEvidence); 

4 missingLinks ← GetMissingLinks(); 

The second step is to calculate the products of different hook relations if more than one hook is 

added to the inference. Only the products above a cut-off value of 2,14 are included. The cut-off 

value is calculated as the total possible links in the gold standard divided by the existing links 

(see line 2): 

L − L × G − S = 3, 00 × 1, 14 = 3, 42 

L − L × S − K = 3, 00 × 3, 43 = 10, 29 

O − L × S − K = 0, 75 × 3, 43 = 2, 57 

O − O × S − K = 0, 75 × 3, 43 = 2, 57 

The third step is the actual prediction of missing links based on the likelihood products calculated 

above together with the likelihoods for individual algorithm hooks (line 3). The second input to 

the prediction of links is the evidence, that is the attributes and their values for all individuals 

in the network. If we chose to apply the predict covert network structure algorithm then the 

evidence could also be information about individuals not in the network. These individuals would 

be added if a link (relation) to them is predicted from within the gold standard network. From 

the likelihoods we see that L − L and S − K relations are above the cut-off value, together with 

the products mentioned under the second step above. We see that entities sharing both L − L and 

S − K relations are especially likely to be connected, hence the thicker red line between C and H 

in Figure 11.31. 

198


The fourth step is a simple clean-up function which will remove those links already in the network 

prior to the prediction, leaving only new (missing) links (line 4). 

The result of a missing links prediction on a sampled version of 20 individuals from the al-Qaeda 

network is shown in Figure 11.32. The investigator can decide to append the predictions to the 

network or simply discard them. 

Figure 11.32: The result of a missing links prediction 

on a sampled version of 20 individuals from 

al-Qaeda central staff [188]. Blue solid lines are 

true positives while green dashed lines indicate 

false positives. 

11.3.8 TASK: Decision-making 

Figure 11.33: Betweenness centrality for the individuals 

in Figure 11.32, with 4 added links (thick 

blue). 

Decision-making is currently supported in the issue-based argumentation view (see Section 11.3.5). 

A decision is one position, the issue it responds to and associated arguments. 


CrimeFighter Investigator supports dangling endpoints during synthesis (empty relation endpoints), 

and the social network analysis algorithms are therefore extended to include this aspect 

in calculations if it is found necessary for the investigation. We focus on betweenness centrality 

and describe how this centrality measure is implemented (see Algorithm 2). How the algorithm is 

customized to suit different needs is also described. 

Algorithm 2: Betweenness centrality 

input : A criminal network investigation 

output: A measure of betweenness centrality for individual entities 

1 allEntityPairs ← GetAllEntityPairs(); 

2 foreach entityPair in allEntityPairs do shortestPaths; 

← GetShortestPaths(entityPair, relations); 

3 foreach shortestPath in shortestPaths do snaResults; 

← GetNodesOccurenceFraction(shortestPath); 

4 snaResults ← BubbleSort(snaResults); 

The betweenness algorithm starts by creating a set of all entity pairs in the criminal network (line 

1). Then the shortest path between each pair of entities is calculated (line 2). For each entity pair, 

199


we determine the fraction of shortest paths that pass through each entity on those paths (line 3). 

The betweenness of each entity is the sum of all these fractions across the entire network. The 

results are bubble sorted with for example highest centrality first before it is presented to the user 

(line 4). 

The betweenness centralities of a sampled version of 20 individuals from Sagemans al-Qaeda 

network [188] are shown in Figure 11.33. The investigator has decided to append the predicted 

links shown in Figure 11.32 to the network before calculating the centralities. 

200

CHAPTER 12 

Dissemination 

Dissemination tasks help the criminal network investigators to formulate their accumulated knowledge 

for the customer. As previously mentioned, dissemination has not received the same amount 

of attention as synthesis and sense-making. 

The remainder of this chapter is organized as follows: analysis (Section 12.1) and design (Section 

12.2) of selected synthesis tasks and their CrimeFighter Investigator support (Section 12.3) is 

explained below. 

12.1 Analysis 

Based on cases and observations of criminal network dissemination, contact with experienced 

end-users from various investigation communities, examination of existing tools supporting dissemination 

of criminal network investigations or parts thereof, and our own ideas for dissemination 

support, we maintain a list of dissemination tasks. 

12.1.1 Storytelling 

Investigators ultimately “tell stories” in their presentations when disseminating their results. Organizing 

evidence by events and source documents are important tasks, so that the story behind 

the evidence can be represented. Storytelling can be useful for different purposes such as briefings, 

learning, and training. 

12.1.2 Report generation 

Report generation involves graphics, complete reports, subspaces, etc. Being able to produce 

reports fast is important in relation to time-critical environments and frequent briefing summaries. 

It will be necessary to support the generation of reports for complete investigations, algorithms, 

and sense-making work flows. 

201

12.2. DESIGNS CHAPTER 12. DISSEMINATION 

Figure 12.1: Mock-up showing algorithm report elements, that can be dragged to report template 

(right). 

12.2 Designs 

Our designs for story telling and report generation are outlined below. 


Storytelling is based on versioning concepts and the history component, which we presented a 

design for in Chapter 8. The intended support for storytelling is an editor of history events inspired 

by the one supported by visual knowledge builder (VKB) [198], a spatial hypertext system. Once 

the history events have been edited, the story can be told using navigable history. 


Report generation should be based basic report elements, that can be added and removed from 

report templates, as the user prefers. The intended support for adding and removing report 

elements to and from reports is shown in Figure 12.1. The report elements in the example are 

based on an predict missing links technique, illustrating that report elements will be different from 

algorithm to algorithm. 


In this section, we present our implemented tool support for criminal network investigation dissemination 

tasks. 


Storytelling is done using the History Editor (Figure 12.2). The granularity of system level history 

events is often too fine grained for telling a story. The history editor allows the investigators to 

group history events that are relevant for the story individually, but when grouped together they 

explain one important step of the investigation. The investigators can delete events (if an entity 

was created by mistake and then deleted), they can annotate events or groups of events if they feel 

that the system generated description is not sufficient, and finally events can be moved up and 

down in order to match a time line of events (a person’s association with a group in a criminal 

network investigation can easily be different from when that person became associated with the 

group in real time). 

202

CHAPTER 12. DISSEMINATION 12.3. CRIMEFIGHTER INVESTIGATOR 

Figure 12.2: History editor, annotating a grouping of four events. 


Report generation is not only available for complete criminal network investigations. All Crime- 

Fighter Investigator features implement a report-interface that facilitates the addition or removal 

of individual report elements. The order in which elements are added to the report is also dynamic. 

This makes it easier to create reports targeting specific usages (briefing on specific subject). For 

example, after a prediction is done, a pdf report with the detailed calculations is available and 

can be retrieved using the algorithm view (see Figure 8.12, right hand side). 

203

12.3. CRIMEFIGHTER INVESTIGATOR CHAPTER 12. DISSEMINATION 

204

CHAPTER 13 

Cooperation 

They begin to order the network. They have stepped out of normality 

and into the exciting world of counterterrorism. 

Television and terror: conflicting times and the crisis of news discourse [94] 

Cooperation is a natural part of investigations. Cooperation leads to better synthesis and sensemaking 

that is informed by more perspectives. Sharing of the target model among criminal network 

investigators is the starting point for such cooperation, and is possible with the current setup. But 

for further support, the CrimeFighter toolbox knowledge base mentioned in Section 1.4 will be key 

to cooperation support. Assuming that such a knowledge base is in place, we will analyze the 

cooperation tasks defined in Chapter 7. 

13.1 Analysis 

Sharing of the target model among collaborating criminal network investigators or colleagues 

in other organizations, who might be interested in the particular target or entities related to 

it, is the starting point of cooperation. Sharing work flows, like sense-making work flows and 

custom algorithms, or mining work flow patterns from the previous use of intelligence information 

(history), would lead to shared knowledge and potentially also cooperation. The discovery of 

emergent collaboration, would help the coordination of resources by putting investigators analyzing 

similar or the same entities in touch with each other. Such cooperation requires support of a 

common knowledge base (see Figure 13.1). 

Investigators often share their findings with colleagues or other organizations (agencies, services, or 

departments), who might have an interest in the findings. Prior to the terrorist attacks on Norway 

22/7 (2011), the Norwegian customs directorate and the postal service had shared findings related 

to, what they found to be, suspicious purchases of chemicals in Poland. They forwarded their email 

correspondence to the liaison at the Norwegian police security service (PST), who unfortunately 

took a long time to assign that particular lead to a specific section [153]. Based on the interrogations 

of the Iraqi defector Curveball, information was shared between many agencies, services, and 

departments, but the original information was not shared, only selected parts, translations, and 

interpretations [59]. Finally, in criminal network investigation environments, work flow sharing often 

occurs in the sense that experienced investigators might educate less experiences investigators 

how to do certain work [204]. 

205

13.2. CRIMEFIGHTER INVESTIGATOR CHAPTER 13. COOPERATION 

Figure 13.1: Supporting cooperation by sharing the information space (criminal network) (left) or 

sharing work flows, e.g. sense-making work flows such as node removal (right), and discovery of 

emerging collaboration based on a common knowledge base (middle). 

We did not find specific examples of emerging collaboration notifications within the same organization 

(agency, service, or department), places where it would be reasonable to have established 

a common knowledge base, like the one described for the CrimeFighter toolbox in Section 1.4. 

The examples described above for sharing of findings and work, could to a certain degree be considered 

emerging collaboration. To establish tool support, it would be necessary to define the 

levels of awareness and notifications, i.e. how fine grained notifications do we want to send to the 

investigators. If too many notifications are sent out, it might become an annoying feature for the 

investigators and there could be a risk they would turn it off. If too few notifications are sent important 

emergent collaborations could be missed. Emergent collaboration notifications might be 

a way to break down the wall of secrecy discussed throughout this dissertation. If an investigator 

he receives a notification that a colleague in a different section of the secret service is actually 

investigating the same individuals, but has some other information as well, the investigator might 

be more willing to approach the colleague to start a collaboration, rather than asking around at 

meeting or conferences, if anybody else are looking at the same things. 


CrimeFighter Investigator supports sharing of the information space, in the sense that investigators 

can save their complete investigation in the original CrimeFighter Investigator format and then 

send it to other investigators, who can load it into their CrimeFighter Investigator tool. 

206

CHAPTER 14 

Testing the hypothesis: 

support of criminal network investigation work flows 

A history in which every particular incident may be true may on the 

whole be false. 

Thomas Babington Macaulay [134] 

In this chapter, we demonstrate that the premise for testing (evaluating) our main hypothesis (i.e., 

a software tool “that is useful for criminal network investigators in their work”) is in place. In 

Chapters 9 to 13 we focused on support of individual criminal network investigation tasks. Here 

we describe three deployments of CrimeFighter Investigator supporting a specific work flow. We 

define a work flow to be a process that involves multiple criminal network investigation tasks, 

processes, and techniques (but not all of them). Our descriptions of work flow support are based 

on relevant criminal network investigation scenarios, sometimes using mock-up figures indicating 

how we suggest the implementation of the intended feature. This could indicate a need to place it 

in design sections of previous process chapters. However, we find it is necessary to first describe 

the intended work flow, to be able to find out how to design experiments that could be used to 

evaluate the individual tasks within each work flow. 

We have deployed CrimeFighter Investigator in the following work flow settings: An example of 

adaptive modeling of Omar Saeed Sheikh and his kidnapping network is given in Section 14.1. A 

complete work flow for how to apply the implemented node removal algorithm to a criminal network 

is given in Section 14.2. Finally, we demonstrate the deployment of CrimeFighter Investigator 

in a setting where a team of investigators are interested to know whether domestic (Danish) 

fundamental Islamists are linked up with global al-Qaeda and affiliated movements (see Section 

14.3). Section 14.4 summarizes the conclusions and suggestions of future work that the deployment 

sections have introduced. 

14.1 Adapting existing model of Omar Saeed Shaikh and 

his kidnapping network 

A typical work flow for adapting an existing model to a new usage involves the following steps: 

(1) acquiring the model, either (a) through several synthesis and sense-making iterations or (b) 

by importing a work flow from a previous investigation; (2) adapting the model to the new investigation 

and the change in tendencies observed there; (3) apply the model to the criminal network 

207

14.1. ADAPTIVE MODELING CHAPTER 14. WORK FLOW SUPPORT 

investigation, for customized sense-making controlled by a structural parser. Refer to Section 

11.1.6 for an analysis of adaptive modeling. 

In this section, we will test if the relational and biographical characteristics of text-based profiles 

can be modeled and used for criminal network analysis. We will use a model of jihadist terrorist 

cells in the UK and Europe by Nesser (2006) [154] as our starting point. Later, we will compare 

a specific profile of this model with the characteristics of Omar Saeed Shaikh (see Section 5.7) 

the mastermind behind the kidnapping of The Wall Street Journal reporter Daniel Pearl case we 

described in Section 3.5.1. 

Based on the comparison of characteristics we will adapt the rules used to describe Nesser’s profile, 

to evaluate how easy it is to adapt these rule-based models to changes in the profile characteristics. 

We adapt parts of the entrepreneur profile to match with the profile of Omar Saeed Shaikh and 

his role in the kidnapping plot. We find that the adapted model, as well as Nesser’s original 

model, are examples that could be used for criminal network analysis to alert investigators of e.g. 

potential terrorist cells forming. 

For the kidnapping of Daniel Pearl on January 23, 2002, Omar used four cells as depicted in 

Figure 14.1 (not counting the cells responsible for distributing the murder video and baiting 

Daniel Pearl [227]). Besides being the mastermind of the plot he was himself member of the 

initially established cell, the contact cell. The assignment of the contact cell, was to arouse the 

journalist’s professional curiosity and, on the pretext of leading him to a person linked to a case 

he was investigating, persuade him to come to the place of the kidnapping. The second cell was 

responsible for external relations, e.g. sending emails to the media with demands etc. The third 

cell (the jailers) was at the kidnapping rendezvous and stayed with Danny right up until his 

execution. And finally, the (initially) mysterious fourth cell (the executioners), later known to be 

Khalid Sheikh Mohammed and his two nephews, who decapitated Daniel Pearl and recorded a 

video of the murder later circulated to the media [128, 146, 162, 227]. 

Figure 14.1: Omar Saeed Shaikh and four of the cells involved in the kidnapping and murder of 

Daniel Pearl Nomani et al. (2011) describes two more cells, responsible for distributing the murder 

video and baiting Pearl [227]. 

208

CHAPTER 14. WORK FLOW SUPPORT 14.1. ADAPTIVE MODELING 

14.1.1 Modeling jihadist terrorist cells in the UK and Europe 

As mentioned earlier, a criminal network model is sometimes evolved from scratch, and some times 

a model from a previous investigation can be adapted and reused. We use Nesser’s (2006) model of 

jihadist terrorist cells in the UK and Europe as our starting point. The model is based on a survey 

of “a number of al-Qaida associated or al-Qaida inspired terrorist cells that planned, prepared, and 

in three instances managed to launch attacks in European countries in the period 1998 until the 

present” [154]. Firstly, Nesser’s survey points to a crucial role for socially and politically motivated 

activists and idealists, defying stereotypical perceptions of Islamist extremists. Secondly, there are 

different roads into, and different motivations for joining terrorist networks. Finally, the activists 

need to connect to and interact with the jihadist infrastructure (local jihadists, training camps 

and media influence) in order to translate activism and grievances into terrorist acts 82 . 

A distinct set of profiles among those involved that recurred across the cases was also identified. 

A typical cell included an entrepreneur, his protégé, misfits and drifters as visualized in Figure 

14.2. The profiles are explained in more detail below, and selected relational and biographical 

characteristics of the three main profiles are listed in Table 14.1, 14.2 and 14.3. In Section 14.1.2 

we present parts of a CrimeFighter Investigator model of these profiles and their relations, as well 

as the rules used to model the profiles. 

Figure 14.2: Outline of Nessers Model. 

The entrepreneur is the crucial profile; he is the person who makes things happen. No jihadist 

cell forms without him. The entrepreneur has an “activist mindset”, being driven by ideas rather 

than personal grievances. He is interested in and committed to social issues and politics, he 

demands respect from his surroundings and he has a strong sense of justice. Table 14.1 shows 

biographical and relational characteristics of the entrepreneur profile that we have found most 

suitable for modeling. As our understanding of the modeling technique is further developed we 

believe more complex relational and biographical characteristics could be added. 

The ‘Links to’ column indicates where information about this characteristic could be found, e.g. 

deciding whether or not a person is a senior compared to the other operatives of a terrorist cell 

would be based on a comparison of age. The ‘Bio/rel’ column indicates the nature of the profile 

characteristic: Is it relational, biographical or a combination? This classification can be quite dis 

ambiguous, since, e.g., a persons record of failed ambitions (characteristic #3) would be related 

to projects he or she failed to succeed with, but in terms of an ongoing investigation it would be 

background information, hence biographical information (e.g., “the individual had the role of [role] 

in project [project], back in [year]”). That being said, considering our network approach, other 

persons associated with those past projects could very well be playing a key role in the current 

investigation as well, but if the link charts of those projects does not exist 83 , the incident reports 

209


would be of a biographical nature. Finally, the ‘Rule input’ column indicates the type of the rule 

parameters used to search for the information indicated in the ‘Links To’ column (see Section 

14.1.2 for rule examples). When the profile characteristic is of a relational nature, we could argue 

that the rule parameter type would be an information element (e.g., a person or a group) to allow 

for more sophisticated rules. But to keep things simple we have decided to use text strings as the 

most advanced input parameter type for rules. 

# Characteristic Links to Bio/rel Rule input 

1 Typically a senior in the cell. Age Bio Integer 

2 NGO Activity Organizations Rel Text Strings 

3 A record of failed ambitions Projects Bio Text Strings 

4 Becomes affiliated with militant groups Organizations, Per- Rel Text Strings 

and individuals 

sons 

5 In charge of the cells external relations Organizations, Per- Rel Text Strings 

with the jihadist infrastructure sons 

6 Maybe educated and employed or on 

welfare 

Education, Job(s) Bio/Rel Text Strings 

7 Inspired, supported and guided by his 

mentors 

Persons Rel Text Strings 

8 Married Marital Status Bio/Rel Text Strings 

9 Children Children Bio/Rel Text Strings 

10 Participation in jihad in original home Visited Countries Rel/Bio Text Strings 

country (or Afghanistan, Pakistan, 

Chechnya, Bosnia) 

Table 14.1: Selected characteristics of the entrepreneur Profile. 

The protégé profile appears to hold a special position vis-á-vis the cell leader (i.e. the entrepreneur). 

The protégé is someone the leader respects and trusts with important tasks. He 

admires and looks up to the leader. The presence of such a character in the cell tells us something 

about the sophistication of the entrepreneur and the ideology that he offers his young accomplices. 

It means that jihadism appeals to highly intelligent, socially skilled and well-off people, 

social segments that, according to rational choice arguments, would have much to lose by engaging 

in terrorist activity. The misfit is someone who performs less well socially, and often has 

a troubled background as well as a criminal record. He differs from the entrepreneur and the 

protégé because he is not an idealist, appearing to have a somehow “weaker” and more hesitant 

personality. The drifter is not a clear-cut profile. He tends to be someone who is ‘going with the 

flow’ rather unconsciously. He does not appear to be very ideologically committed when he joins 

the jihadist group. He becomes part of the cell by being in the wrong place at the wrong time, or 

having social ties with the wrong people. Since drifter characteristics are not easy to define, we 

have decided to exclude this profile from further modeling considerations, except for the possible 

relation with the misfit profile. 

As mentioned above, it is relation rules that glue together the information elements (and each 

information element’s rules) to form criminal network structures. The rules representing Nesser’s 

structure of profiles as modeled using CrimeFighter Investigator are reviewed in the next section. 

Our rule design is described in Section 11.2.3 and the CrimeFighter Investigator rule editor 

approach to creating the rules is discussed in Section 11.3.6. 

14.1.2 CrimeFighter Investigator model and rules 

A CrimeFighter Investigator model and selected adaptive rules based on Nesser’s model are the 

results of the first deployment. A visualization of the model is shown in 14.3. Only information 

about the relations between the profiles can be deducted from this presentation, i.e. the stronger 

210


# Characteristic Links To Bio/Rel Rule Input 

1 Holds a special position vis-á-vis the 

cell leader. 

Persons Rel Text Strings 

2 Most gifted and intelligent of the young 

terrorists 

Education, Skills Bio Text Strings 

3 Excels professionally Employment Bio/Rel Text Strings 

4 Excels academically Education Bio/Rel Text Strings 

5 Excels socially Friends Rel Text Strings 

6 Provides the cell with needed expertise Education, Internet Bio/Rel Text Strings 

(bomb making skills, IT skills) Activities, Skills 

7 Young and inexperienced Age Bio Number 

8 Well-off Family, Finances Rel/Bio Text 

Number 

Strings, 

Table 14.2: The protégé profile. 

# Characteristic Links To Bio/Rel Rule Input 

1 Troubled background Education, Family, 

Crimininal record 

Bio/Rel Text Strings 

2 Criminal record Criminal record Bio Text Strings 

3 Recruited in prison Persons, Meetings Rel Text Strings 

4 Might meet militants in the criminal 

underworld 

Criminal record Rel Text Strings 

5 Seldom educated Education Bio Text Strings 

6 Physically fit Organizations Rel Text Strings 

7 Into sports, some very talented Organizations, 

Prizes 

Rel/Bio Text Strings 

8 Age varies, but younger than en- Age Bio Integer 

9 

trepreneur 

Might be a friend or acquaintance of the 

cell leader or one of the other members. 

Persons, Friends Rel Text Strings 

10 Some have violent tendencies, and some 

have been convicted for acts of violence 

in the past 

Criminal Record Bio Text Strings 

11 In charge of acquiring weapons and Purchases, Crimi- Rel Text Strings 

bomb making materials 

nal Record, Persons 

Table 14.3: The misfit profile. 

relation between the entrepreneur and the protégé is symbolized by a thicker line. Based on the 

number of relations it is actually not possible to say who is the cell leader and who are the foot 

soldiers, it can however be deducted based on the profile names. 

We have listed the relations found suitable, in terms of the abstractions embedded in our current 

rule design (see Section 11.2.3), to be described using relation rules in Figure 14.4 (disregarding 

relation 4 between the misfit and the drifter). We found seven relations to be suitable for modeling. 

And only the ‘recruited’ relations would have the potential to distinguish any average group of 

friends from the jihadist terrorist cells described by Nesser. 

In order to make such a differentiation it is clear that the relation rules must be combined with 

information element rules describing the individual profiles of the model. A set of information 

element rules, corresponding to the 10 characteristics of the entrepreneur listed in Table 14.1 are 

shown in Figure 14.5. 

211


Figure 14.3: Nesser’s jihadist cell structure modeled using CrimeFighter Investigator (screen shot 

from early version of tool). 

Figure 14.4: (semi-mockup) CrimeFighter Investigator with Nesser model relation rules. 

Figure 14.5: The list of entrepreneur profile rules. 

14.1.3 Demonstrating the need for rule-based model adaption 

In this section, we focus on adopting the entrepreneur profile to that of Omar Saeed Shaikh, and 

the entrepreneurial role he played in the kidnapping of Daniel Pearl, ignoring that the events 

took place ten years ago (and four years prior to Nesser’s model). By comparing part of Nesser’s 

entrepreneur profile with the relational and biographical characteristics of Omar Saeed Shaikh we 

have noticed a number of differences as shown in Figure 14.6. 

The entrepreneur profile characteristics ‘Senior to other operatives’, ‘Central to the recruitment 

of other cell members’, ‘Central to the radicalization of other cell members’, and ‘In charge of the 

cells external relations with the jihadist infrastructure’ do not match with characteristics of Omar 

Saeed Shaikh, while the remaining characteristics are found to match. Adapting the model of the 

212


Figure 14.6: Mapping part of the entrepreneur profile to Omar Saaed Shaikh. 

entrepreneur profile in this case would be a matter of deleting the rules associated with these four 

characteristics, and potentially add new ones. But again, during a real investigation these changes 

would not have been made before this “new trend” had occurred in more cases. 

14.1.4 Discussion 

Our first deployment demonstrated difficulties with modeling some characteristics, initially thought 

to be suitable for modeling. It became clear that a lot the rule complexity was embedded in the 

operator part of rules, when attempting to describe more complex relational or biographical characteristics. 

However the complexity could be decreased by dividing profile characteristics into a 

number of sub-characteristics and then describe each of these using the rules. Another option 

would be to allow for a combination of multiple boolean and text string operators within one 

single rule. But that would go against the system requirement stating that the building blocks of 

rules should be based on natural language, as we expect more math-based rules would be created, 

if multiple operators are supported for rules. The rules would over time become interpretable only 

by the investigator who initially created them not adhering to the principles of simplicity and 

transparency (human factors #2 and human factors #3). 

Since rules are associated with specific characteristics and relations they can be adapted independently 

without affecting the remaining part of a model. The separation of rules and target-model 

synthesis is convenient as they can then be developed independent, but in the shared information 

space. A single rule (or a set of rules) can be updated or deleted using the CrimeFighter Investigator 

rule editor (see Section 11.3.6). And new rules can be added using the same rule editor, if 

new profile characteristics or relations are discovered. 

213


14.1.5 Conclusions and future work 

We have presented support of a work flow, a novel rule-based criminal network analysis technique, 

adaptive modeling, involving synthesis tasks to create input for sense-making tasks. This technique 

was implemented in CrimeFighter Investigator, in order to assist criminal network investigators in 

embedding their experience and knowledge in models, thereby customizing them for their particular 

domains. We focused on modeling the relational and biographical characteristics of terrorist 

profiles organized in cell structures, and found this to be a rather complex task. To summarize, 

our demonstration of this work flow has presented the following contributions to criminal network 

investigation tools: 

1. We have described first results with converting textual descriptions of terrorist profiles into 

computerized models based on relational and biographical characteristics. We have visualized 

how relation rules can be used to glue the terrorist profiles together to form network 

structures which can be processed by computer algorithms. 

2. We have demonstrated support of 2 steps out of 3, for an adaptive modeling work flow: 

(1) acquiring a model and (2) adapting the model. Application of the model to a criminal 

network for analysis (step 3), is still not implemented, and will be the subject of future work. 

We plan to investigate the following topics in relation to the further development of CrimeFighter 

Investigator support for adaptive modeling work flows: 

1. Proper test data. In order to appropriately evaluate the usefulness of rule-based criminal 

network analysis, we need proper test data. It would be highly relevant to follow ongoing 

investigations, and create models of expected targets and emerging cells based on previous 

cases as well as the investigation teams experience and ideas. 

2. Extending rule-based criminal network analysis with weights. The concept of rulebased 

terrorist network analysis could be improved on a number of parameters. First of 

all, in order to determine more accurately whether or not a relation exists, it is necessary 

to have individual rule weights. When editing and creating rules in the relation rule editor 

visual weights should be applied (similar to adjusting the thickness of relations, depending 

on how important, specific, verified the relation is). A semantic weight could also be added 

in terms of a number (e.g. 1-10). Rule weights should be used to indicate the importance 

of each individual rule in terms of deciding whether or not the relation (as described by the 

rules) exists or not. 

3. Coupling with CrimeFighter Assistant. We would like to connect CrimeFighter Investigator 

with CrimeFighter Assistant in the future, working toward the CrimeFighter toolbox 

architecture. It would be essential in order to provide a second criminal network analysis 

technique (link importance [244]), which would strengthen the reliability of analysis results 

if applied as intended by the investigators. 

4. Missing model structure detection. The described rule format can be used to model 

relational and biographical characteristics of profiles. CrimeFighter Investigator implements 

a structural parser that can handle the comparison of the rules with a criminal network, 

but the options are many. If for example 75% of a criminal network cell model is matched 

with some criminal network information by the structural parser, then it could be useful to 

inform the investigator about this. We imagine using a visual approach, where the already 

confirmed information elements and relations are shown in their normal colors, and the 

missing parts would be shown using for example a gray color. It would then be possible for 

the investigator to determine whether or not this could be a forming criminal network cell, 

and if it is, what individuals (according to profiles) are still missing from cell. 

214

CHAPTER 14. WORK FLOW SUPPORT 14.2. NODE REMOVAL 

14.2 Node removal in the November 17 criminal network 

A criminal network is a special kind of social network with emphasis on both secrecy and efficiency. 

Such networks are intentionally structured to ensure efficient communication between members 

without being detected. A criminal network can be modeled as a generalized network (graph) 

consisting of nodes and links. Nodes are entities (people, places, events, etc.) and links are relationships 

between the entities [245]. Node removal is a well known technique for destabilization 

of criminal networks [35, 36]. Deciding which node or group of nodes to remove is dependent on 

available intelligence and the topology of the criminal network (hierarchical, cellular, etc.), complicating 

the prediction of secondary effects following a node removal. Inference-based prediction and 

social network analysis provides different perspectives on criminal networks, thereby assisting investigators 

in their decision making by answering the ‘what if’ questions they inherently would like 

to ask. We consider prediction to be one of many investigative work flows that criminal network 

investigation teams use to analyze criminal networks; a work flow involving both synthesis and 

sense-making tasks. The ability to determine the presence or absence of relationships between 

groupings of people, places, and other entity types is invaluable when investigating a criminal 

case. Standard social network analysis is another investigative task, providing investigators with 

information about the centrality of individual nodes in criminal networks. 

CrimeFighter Investigator supports a custom made node removal algorithm assisting criminal 

network investigators with two perspectives on the changes following node removal: an inferencebased 

prediction of new probable links and changes in standard social network degree centrality. 

Many interventions against criminal (and other covert) networks often take place in the context 

of a multi-agency effects-based operations doctrine [211]. Consequently, it is imperative that tools 

are developed to assist analysts and investigators in assessing the likely impact and consequences 

of interventions against proposed targets in complex socio-technical systems. 

In an assessment of destabilization tactics for dynamic covert criminal networks, Carley (2003) 

points out that from an adaptation perspective node changes (e.g., node removal or insertion) can 

be more devastating than relationship changes and of the node changes those involving change 

in personnel are the most devastating. Carley further argues “that the removal or isolation of 

personnel is more practical, in the short term, than adding personnel, as the latter, particularly 

in covert networks, requires infiltration” and notes that in standard social network analysis node 

changes are also the preferred approach to network destabilization [35]. 

Measures and techniques for analysis of secondary effects 

We review this theory here, as it is important for understanding the aspects involved in the work 

flow. As a consequence of the complexity of criminal networks, investigators need more than one 

perspective to assist them when asking ’what if’ questions about the probable secondary effects 

of removing a node from a criminal network. Many analysis measures and techniques can provide 

such relevant perspectives, including: 

Network node and link measures [240,245,248] are used to analyze and make sense of criminal 

networks. Standard social network centrality measures are useful for node analysis of complete 

static social networks and can indicate the importance of individual nodes in the network. Social 

network measures include degree, closeness, betweenness, and eigenvector centrality (see Section 

5.9 for more details). Eigenvector centrality is particular interesting in the context of this work 

flow, since a node is considered central to the extent that the node is connected to other nodes 

that are central (i.e., high degree centrality). For link analysis, measures such as link betweenness 

and link importance have been suggested. Link importance measures how important a particular 

link is in a criminal network by measuring how the removal of the link will affect the performance 

of the network. 

Prediction techniques [40, 182–184] include extrapolation, projection, and forecasting based 

on past and current states of a criminal network. These three predictive techniques follow the 

215

14.2. NODE REMOVAL CHAPTER 14. WORK FLOW SUPPORT 

approach of assessing forces that act on an entity. The value of prediction lies in the assessment 

of the forces that will shape future events and the state of the criminal network. An extrapolation 

assumes that those forces do not change between the present and future states; a projection 

assumes that they do change; and a forecast assumes that they change and that new forces 

are added. Bayesian inference is a (forecasting) prediction technique based on meta data about 

individuals in criminal networks. A statistical procedure that is based on Bayes’ theorem can be 

used to infer the presence of missing links in networks (see Section 11.3.7 for more details). The 

process of inferring is based on a comparison of the evidence gathered by investigators against a 

known sample of positive (and negative) links in the network, where positive links are those links 

that connect any two individuals in the network whereas negative links are simply the absence of 

a link. The objective is often to assess where links may be present that have not been captured 

in the collected and processed criminal network information. 

Destabilization criteria [35,36] are established by investigators to have a measure of the success 

or failure of an operation involving destabilization. Criteria includes ’the rate of information flow 

through the network has been reduced (perhaps to zero)’, ’the network, as a decision making 

body, cannot reach a consensus’, and ’the ability of the network to accomplish tasks is impaired’. 

These destabilization criteria could provide useful perspectives on the secondary effects of node 

removal. Although they seem eligible for framing as ’what if’ questions, we have focused on 

analysis measures and prediction techniques in this work. 

Scenario: custom-made node removal 

In this section, we describe a CrimeFighter Investigator usage-scenario following the steps presented 

in Section 11.2.1. The ‘what if’-question the investigators want to follow in this scenario is: 

“what if individuals who didn’t interact directly before the node removal start to interact afterwards?” 

(step 1 ). The ‘what if’ question editor setting for this question is shown in Figure 14.7. In 

order to visualize the links matching the ‘what if’ question constraints described above, we setup 

the question as follows: the question is focused on relation entities (links), and will run computations 

between all combinations of connected nodes (individuals) in the given criminal network. 

The before constraint that has to be fulfilled is that path distances between individuals should 

be of length greater than 1 and the post prediction constraint is that path-length should now be 

exactly 1. If these conditions are fulfilled then those links will be colored red. For testing purposes 

we have inserted a second ‘what if’ question asking the algorithm to color the true-positive links 

green, i.e., links occurring in the full N17 network but not in the sampled N17 network currently 

being investigated. 

The investigators are prompted to select which nodes (individuals) they find relevant for the node 

removal (step 2 ). They have three choices: include all nodes, select the nodes individually by 

clicking on individuals, or drag a square to select a subset of nodes (useful if the criminal network 

is large with many nodes). Then the investigator is requested to select the node to remove (step 

3 ). We base this decision solely on degree centrality within the partially observed N17 network 

as shown in Figure 14.9; we choose Pavlos Serifis, since he is observed to have the highest degree 

centrality (Table 14.4, second column). In reality, more analytical techniques are needed to make 

a decision about a networks’ vulnerabilities [35, 36]. After the removal of Pavlos Serifis and his 

links (step 4 ) the updated degree centralities are as described in Table 14.4 (third column). 

The node removal algorithm starts predicting missing links [183] based on the new network structure 

following the node removal (step 5 ). The likelihood of a link being present between all pairs 

in the network is calculated based on the attribute data of the remaining individuals. Links that 

are higher than a pre-determined likelihood level (calculated from the product of individual attribute 

likelihoods) are accepted as representing predictions of new links [183]. Constraints on how 

to visualize the predicted links are used to emphasize paths, previously reaching the leadership 

figures through Pavlos Serifis and predicted links not directly related to the removal of Pavlos 

Serifis. The evidence that the inferences are based on includes all the individuals in the sampled 

network as well as other individuals that the investigators might think could be related to N17, 

216


Figure 14.7: The ‘what if’ question editor. 

but are not sure how and who specifically are related to. 

When the predicted links are shown, the investigators will evaluate whether or not this was a 

useful result. The evaluations is based on the change in degree centralities (step 6 ) and their 

general observation of changes. The investigators are prompted to either append the predicted 

links to the network or simply discard the results as shown in Figure 14.8 (step 7 ). If satisfied 

with the result, the investigators can retrieve a pdf report from system, as documentation of their 

work and as background for dissemination of the results (step 8 ). 

The Greek terrorist group November 17 

To demonstrate the implementation of the developed algorithm, we use a criminal network of the 

(believed defunct) Greek terrorist group November 17 (N17) that was derived from open source 

reporting [112]. The N17 group was a small close knit organization of 22 individuals with 63 

links out of a potential 231 links. There were three main factions within the organization; 1st 

Generation Founders faction, the Sardanopoulos faction, and the Koufontinas faction. The links 

of the dataset indicate that open source reporting has demonstrated some connection between the 

two individuals at some point in the past, but no specific weightings of the links are indicated. 

We use a sampled version of the N17 network in which 50 percent of the links are removed (Figure 

14.9). Relevant hindsight about N17 is that Nikitas, Alexandros Giotopoulos, and Anna were 

leaders and key individuals within the 1st Generation Founders faction. We want to test if individuals 

connected to key individuals through one or more go-betweens will be directly connected 

after removal of the go-between node(s). Figure 14.9 shows three individuals indirectly connected 

with the three key leaders. 

The attribute data for each individual is presented in [184]; the missing links algorithm [183] has 

been extended by the addition of a degree centrality attribute. This additional attribute is a 

measure of how many links each individual node in the network has. Individuals are classified 

according to their level of degree centrality (high, medium, or low). 

Results 

The removal of Pavlos Serifis from the partially observed N17 network resulted in the criminal 

network shown in Figure 14.8. Red lines indicate predicted links that previously were indirect 

(length 2), with Pavlos Serifis as the go-between. In this case only two of them are present in 

the complete N17 network (see [184]) and could indicate a change in the network structure where 

Anna plays a more important role: Anna is now directly connected with five additional individuals 

(L = leader, O = operational): Nikitas (L), Dimitris Koufontinas (L), Christodoulos Xiros (L), 

217


Figure 14.8: Secondary effects and new degree centralities caused by the removal of Pavlos Serifis 

from the N17 network. 

Figure 14.9: Annotated, partially observed N17 network [183]. 

218


Constantinos Karatsolis (O) and Sardanopoulos (L). Constantinos Karatsolis is connected to three 

more individuals: Sardanopoulos (L), Patroclos Tselentis (O), and Anna (L). Green links are true 

positives according to the full N17 network and we therefore consider these links unrelated to the 

removal of Pavlos Serifis. However, the true positives have an impact on the degree centrality of 

the nodes they connect and they could be valuable as potential new leads. 

The degree centrality of each node is displayed in the algorithm view on the right in Figure 14.8 - 

initially to decide which node to remove and later to show the change in degree centrality of each 

node after node removal. The evolution of degree centrality for each node is shown in Table 14.4. 

The red square indicates the individual with the highest degree centrality at network changing 

steps of the node removal algorithm, including that of the full N17 network, from which the 

sampled version used in this paper, was created. 

Table 14.4: Degree centrality of each node after network changing steps of the node removal 

algorithm. 

Creating hypothesis based on interpretation of results (secondary effects) 

Generating hypotheses and possibly competing hypotheses is a core task of criminal network investigation 

that involves making claims and finding supporting and opposing evidence [174]. In 

the presented scenario, we were interested in individuals who utilized one go-between to connect to 

leadership individuals, but after removal of the go-between node they would be directly connected. 

Without considering the hindsight information about the leadership individuals, we create a hypothesis 

based on our interpretation of the centralities presented in Table 14.4 and the probable 

new links in Figure 14.8. 

Constantinos Karatsolis achieves the third highest centrality, and inherits three of Pavlos Serifis’ 

previous links significantly increasing his importance within the network and he could potentially 

be upgraded from an operational member of N17 (his original role) to leadership member (maybe 

inherited after Pavlos Serifis). Anna’s degree centrality changes from the second lowest (2) to the 

second highest (7), and she apparently inherits four of Pavlos Serifis’ previous leadership links 

as well as one inferred link to an operational individual. We conclude that Anna is part of the 

highest ranking leadership individuals as compared to the partially observed N17 network where 

she might be considered a simple operational person, if no other information than the criminal 

network is available. 

219


To summarize, Anna and Constantinos Karatsolis are two individuals we would subject to further 

surveillance after removing Pavlos Serifis. As mentioned earlier, decision-making with the severity 

and impact of removing an individual will not be made based on for example a single centrality 

measure. However, the purpose of this work was to demonstrate CrimeFighter Investigator support 

of investigators asking ‘what if’ questions about node removal in criminal networks. 

Discussion 

A number of problems related to the current approach need to be discussed. First of all, the 

N17 criminal network data is more or less complete (only three attribute values are missing). 

Feedback from intelligence analysts working with ongoing investigations informs us that attribute 

information is typically much sparser (see end user interviews in Section 15.2) and the overall 

number of attributes is lower than for the N17 criminal network. We are making a prediction 

that we currently cannot test or validate against any (open source) ground truth data. Currently, 

we have no assessment of the performance of the custom node removal algorithm 84 . Whilst the 

results are plausible, and the prediction part of the algorithm has produced good results in other 

contexts [183,184], a direct measure of the veracity of the node removal predictions is lacking. The 

issue of scalability is particularly relevant for the open source intelligence community where larger 

networks are often the consequence of web harvested data sets. Larger networks present different 

challenges. The number of individuals, links between them and attributes are much larger. The 

prediction algorithm is scalable, but there will be additional difficulties arising from visualizing 

the results of computations on larger networks than the example in this work flow. 

This work on node removal is based on bits and pieces of other work and it would be fair to ask 

the following question: “What are the benefits of a node removal algorithm versus predicting new 

links when analyzing criminal networks?” The main difference is the specification and management 

of criminal network investigation work flows using the question editor. The custom made node 

removal algorithm represents a more specialized work flow compared to the prediction algorithms. 

The option to select the specific nodes that the investigator wants to include in the analysis of 

secondary effects is an example of this. Furthermore, we consider the work with node removal 

the first steps toward combining existing algorithms into new custom made algorithms, which is 

an important criminal network investigation task assisting criminal network investigators to build 

support for more specialized work flows themselves. 


We have presented a knowledge management and hypertext based approach to visualization of 

probable secondary effects after node removal by providing investigators with an option to ask 

‘what if’ questions about criminal networks. We consider this work a first step toward support 

of custom made algorithms for criminal network analysis. A node removal algorithm has been 

proposed together with partial support of the algorithm based on the following building blocks: 

A ‘what if’ question editor lets investigators manage the constraints (e.g., specific changes in 

path distance), visual symbols (e.g., color and link thickness) and other question settings. The 

automation of criminal network synthesis tasks, facilitating intuitive and fast removal of a node 

and associated links, and two perspectives: inference-based prediction to detect new probable links 

between nodes and social network centrality measures to observe changes in node importance. 

Currently the node removal algorithm steps 1, 3, 4, and 7 are fully supported. Furthermore, we 

provide 2 perspectives supporting the exchangeable part of the algorithm (step 5 and 6). Selection 

of the nodes of interest (step 2) and dissemination of results (step 8) are not supported. In our 

future work, we will address the following functional requirements to achieve full support of the 

proposed node removal algorithm: 

Link weights. All links are not equally important and with weights investigators could 

discuss “broader theories as to the impact of culture on social relationships, and narrow 

220

CHAPTER 14. WORK FLOW SUPPORT 14.3. INVESTIGATING LINKAGE 

theories concerning the definitions of specific relationship indicators, like what should be 

weighted more; relations based on common economy between two actors or common blood”, 

as one reviewer of our node removal support noted. 

Missing key players. An algorithm, to predict the presence of missing key players has 

been proposed by Rhodes (2011) [182]. It is planned to include this in a future version of 

CrimeFighter Investigator. 

Removing multiple nodes. Supporting the removal of node groups would be an interesting 

and relevant feature. In larger networks it may be desirable to focus attention on a 

larger number of specified individuals in sub-networks or communities. 

Report generation. Generation of a report with all node removal results and calculations 

is required to support step 8 of the proposed node removal algorithm (dissemination of 

results). 

Furthermore, requirements for evaluation of the node removal algorithm will also be addressed in 

future: 

Scalability. In order to evaluate the relevance of this work for the open source intelligence 

community, we have to test scalability of the proposed method. With its 22 nodes, the N17 

network is far from the sizes that are to be expected. 

Datasets. We will test node removal on more realistic versions of the N17 dataset as well as 

other open-source datasets with varying attributes, size (in terms of nodes and links), and 

other complexity (such as aliases, etc. 

Human-computer interface. CrimeFighter toolbox philosophy [14] and our research focus 

requirements dictate that humans (investigators) must control the tools. Adhering to this 

philosophy, we will improve the interface of the ‘what if’ question editor by adopting the 

spatial drag-and-drop approach normally utilized by CrimeFighter Investigator. 

14.3 Combining prediction and social network analysis for 

investigation of linkage between DNRI and AQAM 

The purpose of this work flow scenario, besides testing our main hypothesis, is to demonstrate how 

the calculations are not the hard part of criminal network analysis; the challenge is to find a good 

way to use the data and understand it. The scenario is inspired by previous criminal network sensemaking 

work (e.g., see [169]) and describes a proactive investigation into potential linkage between 

aspiring extremists in a fabricated Danish network of radical Islamists (DNRI) and al-Qaeda and 

affiliated movements (AQAM). The scenario is centered around AQAM’s role in plots in Europe 

[65–67,92,111,154,188,189,219,235,236], and various aspects of violent Islamist radicalization such 

as radicalization phases, root causes, and violent online radicalization [29,48,49,203,234,236,241]. 

The DNRI network is based on open sources about violent radical Islamists in Denmark and 

especially the younger individuals aspiring to join their cause, and in some cases were very close 

to do so [208]. Another source of information were newspaper articles about the recently thwarted 

terrorism plots in London [126, 231] (September 2010), Norway [12, 135] (December 2010), and 

Denmark [196] (December 2010). The DNRI network is based on the assumption that the Danish 

intelligence services (both foreign and domestic) are monitoring individuals inside Denmark who fit 

this description, or Danish citizens traveling to other parts of the world participating in activities 

that could lead to further radicalization. A total of 52 individuals and 170 relations have been 

fabricated. The fabricated part of the DNRI network is divided into three bridges, while a fourth 

bridge with the personal relations of violent radical Islamists (family, friends, colleagues, etc.) is 

left empty. 

221

14.3. INVESTIGATING LINKAGE CHAPTER 14. WORK FLOW SUPPORT 

The AQAM data set contains elaborate meta data information on 366 individuals. It is a 2003 

snap shot of AQAM and is not updated according to the time of the scenario (January 2011). The 

network information was gathered from public domain sources: “documents and transcripts of legal 

proceedings involving global Salafi mujahedin and their organizations, government documents, 

press and scholarly articles, and Internet articles” [188]. We have included acquaintance, friend, 

and post joining jihad relations, all with the same weight. In total, the AQAM network used has 

999 links. 

It is important to note that the vast majority of EU-wide terrorist attacks in 2010 were carried 

out by traditional separatist terrorists and not violent radical Islamists [49]. More precisely, three 

Islamist terrorist attacks were carried out within the European Union. However, 249 terrorist 

attacks in total were reported, and of 611 arrests for terrorism-related offenses, 89 individuals 

were arrested for the preparation of attacks. Islamist terrorists continue to undertake attack 

planning against member states, as Europol concludes in their EU Terrorism Situation and Trend 

Report 2011 [67]. 

14.3.1 The work flow scenario 

It is January 2011, and Mark enters the office as usual. He has been working for the al-Qaeda 

section of the Danish counterterrorism unit (Danish CTU) 85 since late 2000. The section is daily 

assessing the risk that al-Qaeda associated or affiliated movements (AQAM) will strike the Danish 

homeland and they use CrimeFighter Investigator for different work tasks. 

Mark and his fellow investigators have been synthesizing a chronology of AQAM related terrorism 

plots in selected European countries. The time line provides them with an interactive overview of 

all the plots (entities). Clicking one entity will open the corresponding CrimeFighter Investigator 

information space, showing the networked information related to the case. They can organize 

the entities spatially, and filtering is applied to only show the desired information (date, name, 

country, and type) and highlight Danish plots with a red color. The time line is shown in Figure 

14.10. 

Mark’s area of expertise is terrorism information structures and how they evolve over time. He 

has studied existing literature on AQAM structure and organization primarily in Europe. From 

Sageman (2004) describing the global violent radical Islamism (phase 1-2) [188] and how European 

terrorist networks are radicalized and associated with AQAM, over Nesser’s profile of AQAM 

terrorist networks in Europe [154] to the most recent fourth phase of plots and attacks [236]. 

The fourth phase of terrorism plots in Europe (from about 2006 to present) is characterized by a 

bottom-up approach defined as linkage, in which terrorist networks get associated with AQAM in 

different ways. They are not recruited by AQAM or other transnational networks. However, in 

the majority of plots (about 75%) the plotters worked independently (and amateurishly), while 

about one third were hybrid plots connecting to AQAM. But the hybrid plots pose a higher 

security risk and they represent about 50% of the most lethal plots. Other characteristics of 

the homegrown fourth phase jihadist networks and individuals include: a much higher degree of 

violent online radicalization (e.g., YouTube, Facebook, and Twitter, forums, and blogs) or printed 

media (e.g., Inspire magazine published by al-Qaeda), and lack of uniformity in the attributes of 

the networks operating on the ground. The novelty of the fourth phase is the increased linkage 

from European terrorist networks to AQAM. Finally, these characteristics of terrorist networks 

also differ significantly from country to country and, in many cases, within each country from 

region to region and from city to city. Marks analysis of the evolution of terrorist network cells in 

Europe is outlined in Figure 14.11. 

The recent arrests in September and December 2010 just confirmed Mark’s analysis of 4 th phase 

plots: the London Stock Exchange plot, the Oslo plot, and the Denmark/Sweden Jyllands-Posten 

plot. Mark believes strongly in the bridging concept (connecting two network clusters) and the 

novel observation of bottom-up linkage in European terrorist networks as opposed to top-down 

recruitment. Mark is certain that if a radicalized individual has a large network of close and 

222


Figure 14.10: (mock-up) CrimeFighter Investigator timeline view with all plots against targets 

inside Denmark, Sweden, Norway, United Kingdom, and Germany from January 1, 2006, to 

December 31, 2010 [236]. 

Figure 14.11: Evolution of terrorist networks in Europe from 1990 to 2011. 

223


likely-minded friends and relatives, other members for a future network cell could come from that 

group of people. Mark decides to use a measure of betweenness centrality as an extra condition 

for predicting links between two individuals in adjacent bridges. He thinks that if an individual 

is peripheral to a network in terms of betweenness centrality, the probability of linkage from this 

individual to an individual in the bridge above is low. 

Mark starts creating his prediction model by first dividing the violent radical part of the DNRI 

network under surveillance into three bridges. He places the relations (who are not known to be 

violent radicals) of these individuals in a fourth bridge. Mark thinks there is a potential for topdown 

recruitment, where violent radical Islamists could radicalize family, friends, or colleagues in 

Bridge 4 because of their close ties. Mark’s classification of individuals in Bridge 1 to 3 is shown 

below. 

Bridge 1 contains individuals that can provide ideological approval of violent radical Islamism 

and linkage to AQAM. Mark places known radical Islamic scholars in this bridge. 

Retired violent radicals and other individuals who received operational training could provide 

linkage to AQAM because of their skills or knowledge about previous operations. Established 

al-Qaeda media individuals are also placed in Bridge 1. 

Bridge 2 is the radical violent milieu in Denmark - self-proclaimed imams, online “celebrity 

shayks” who preach violent radical Islamism, and individuals who sell radical Islamist propaganda 

like books, magazines, CDs, and DVDs etc. Finally, self-established online recruiters 

are also made members of this bridge. 

Bridge 3 is by volume the largest. Individuals aspiring to become violent radical Islamists 

are placed here. This aspiration may have been externalized through online expression of 

desire to contribute violently. It could be individuals somehow alienated from society or 

otherwise non-integrated (e.g., a group of young individuals living together or meeting in 

an apartment). Bridge 3 individuals are often rather entrepreneurial in their approach. 

They might be consumers of violent radical online and printed propaganda, or they might 

be creating such propaganda themselves, pretending to be an established al-Qaeda media 

organization. 

AQAM and the four bridges in the DNRI network constitute four sub-networks each containing two 

bridges: the ‘Bridge 1 → AQAM’, ‘Bridge 2 → Bridge 1’, ‘Bridge 3 → Bridge 2’, and ‘Bridge 3 → 

Bridge 4’ networks. The four networks are encapsulated in collapsed composites. For each of these 

sub-networks Mark defines a set of attributes he believes could enable linkage from individuals in 

the lower bridge to individuals in the upper bridge: 

Bridge 1 → AQAM: Information about previous operations is a relevant linkage attribute 

for this bridge, since Bridge 1 individuals might have participated in the same militant 

operations in the past. Information about operational training may very well overlap with 

the previous operations, but also covers training camps and similar. A school attribute could 

indicate that the same madrassas, universities, or other schools have been attended at the 

same time. A weapons attribute would cover similar skills in use of weapons; guns, explosives 

etc. andiwaal group, albeit an Afghan concept [137,166], it applies to many societies (tribal, 

western, asian, etc.) that if you were part of a group in your teens, you will have strong 

relations to those individuals the rest of your life. 

Bridge 2 → Bridge 1: Mark decides that family, friend, and school information are linkage 

attributes from Bridge 2 to Bridge 1. 

Bridge 3 → Bridge 2: Key linkage attributes from Bridge 3 to Bridge 2 are: Local area 

in which random meetings could happen, online violent radical milieu meaning what forum, 

chat room or social network site the Bridge 3 individual reads and posts comments to, and 

who reads it from Bridge 2. Mosque and Sunday school could be other places for random 

meetings or radicalizing preachings. 

224


Figure 14.12: Mark’s prediction model: the DNRI bridges with linkage and recruitment attributes 

in between adjacent bridges. 

Bridge 3 → Bridge 4: Mark defines key recruitment attributes from Bridge 3 to Bridge 

4 to be: school, hobby, workplace, mosque, and current residence. Mark’s argument is that 

the aspiring violent radical Islamists might meet and influence individuals at these places. 

Mark decides to use the Oslo, London, and Denmark/Sweden networks, whose plots were thwarted 

in late 2010, as the gold standard for his predictions. After feeding these networks to his prediction 

model, he predicts missing links for each of the four sub networks, and asks CrimeFighter 

Investigator to merge individuals with the same names to see if there is probable linkage which 

forms networks spanning all bridges. A mock-up of predicted links between the four collapsed 

bridges is shown in Figure 14.13. 

Mark’s prediction model computes four cells (the second cell is shown in Figure 14.14) to have 

linkage potential with AQAM. Before retrieving a pdf report with the information he has requested, 

he marks the second cell as being of particular interest, since the predicted links here have the 

highest likelihoods of linkage. Plus, the individuals in the network seem to have skills necessary to 

carry out a small scale attack. Mark summarizes his findings in an email to his decision-making 

superiors and attaches the computed pdf report. 

14.3.2 Summary 

Mark used his knowledge about terrorist networks in Europe to design a prediction model that 

could solve the specific problem at hand. Later, he tailored existing CrimeFighter Investigator 

functionality to actually apply his sense-making approach to a network of established and aspiring 

violent radical Islamists living in Denmark from which future (terrorist) networks could form and 

pose a threat to Danish society. 

Mark’s first step towards applying his understanding of these networks was to use CrimeFighter 

Investigator synthesis functionality to divide the DNRI network and related individuals into four 

bridges, that he believed were actually functioning as linkage bridges. The CrimeFighter Investigator 

tool helped Mark apply prediction to two bridges at a time, and then compare a centrality 

measure of betweenness for each individual in the (possibly) transformed network and in the 

original DNRI network. 

To disseminate his findings according to his prediction mode, Mark used the CrimeFighter Investigator 

report generation feature to create documentation of relevant parts of the sense-making 

process and the computed information. 

225


Figure 14.13: (semi mock-up) CrimeFighter Investigator showing the AQAM and DNRI bridges 

and predicted links between them. 

Figure 14.14: (mock-up) One of the predicted network structures as shown in the report generated 

based on the prediction model. 

226

CHAPTER 14. WORK FLOW SUPPORT 14.4. SUMMARY OF DEPLOYMENTS 


Based on the presented work flow scenario and our previous work on criminal network synthesis 

and sense-making ( [168, 169, 174–176], we found that: 

1. The sense-making algorithms supported by CrimeFighter Investigator are applicable to criminal 

networks that are synthesized using multiple structure domains. In other words, our 

developed computational model, that separates structural models from mathematical models 

and is based on a conceptual model of first class entities, works. 

2. CrimeFighter Investigator supports both transformative and measuring sense-making algorithms. 

To achieve this, a structural parser was implemented to provide an interface to these 

algorithms. 

The novelty of the CrimeFighter Investigator approach to criminal network analysis (synthesis 

and sense-making) is the underlying tailorable computational model. Tailorability was (partially) 

achieved with a structural parser that provides the user with an interface to customize and combine 

sense-making algorithms. The approach introduces transparency of the sense-making process 

and ownership of the computed information. In our comparison of state-of-the-art commercial 

tools and research prototypes and the models they support in Section 15.3, we find that Crime- 

Fighter Investigator has better support of first class entities (conceptual model), structure domains 

(structural models), and transformative and measuring algorithms (mathematical models). 

14.4 Summary of deployments 

To test our main hypothesis, we presented three different criminal network investigation work 

flows involving multiple acquisition, synthesis, sense-making, and cooperation tasks. We found 

that CrimeFighter Investigator, and the concepts, models, and components on which the tool is 

based, provides supports for such work flows, and hence support for the premise of our hypothesis. 

227

14.4. SUMMARY OF DEPLOYMENTS CHAPTER 14. WORK FLOW SUPPORT 

228

Part IV 

Evaluation and conclusion 

229

CHAPTER 15 

Evaluation and discussion 

Dr. John McKittrick: “I think we ought to take the men out of loop.” 

General Beringer: “Mr. McKittrick, you are out of line Sir!” 

WarGames (1983) 

Look after the customer and the business will take care of itself. 

Ray Kroc, founder of McDonald’s. 

We have used three methods for our evaluation: first method is capability comparisons of criminal 

network investigation task support and support of conceptual, structural, and mathematical models. 

The second method is interviews with potential end users providing feedback on relevance of 

tasks (usability for their particular work), and the third method is measures of performance for 

our developed techniques. 

To understand how we have evaluated our developed processes, tools, and techniques for criminal 

network investigation, it is necessary to first understand the relations between criminal network investigation 

challenges, our main hypothesis, the research focus requirements, the criminal network 

investigation tasks, and the evaluation methods. The relation between challenges, hypothesis, and 

requirements is straight forward: we chose three criminal network investigation challenges, based 

on which we framed our hypothesis. For each of the three challenges we defined a set of requirements 

to guide our research - if those requirements are met, the problems associated with each 

individual challenge would be met, and ultimately the impact of the related challenge on criminal 

network investigation would be reduced. Now, some of our evaluation methods evaluate support 

of criminal network investigation tasks and others evaluate support of research focus requirements 

(explained below). We therefore need a mapping between the tasks and the requirements, since we 

would like to summarize all three evaluation methods according to their support of the research 

focus requirements. Our task to requirement mapping is presented in Figure 15.1, where a line 

between a task and a requirement indicates that support of the task is equal to support of the 

requirement. It should be noted, that support from more than one task is typically required to 

achieve the desired support of the research focus requirement. 

As mentioned, the evaluation methods evaluate either criminal network investigation tasks or 

research focus requirements. One capability comparison focuses on support of criminal network 

investigation tasks (see Section 15.3.1), and we interpret support across tasks as support of the 

hypothesis (which we tested in Chapter 14). A second capability comparison evaluates support 

of conceptual, structural, and mathematical models (see Section 15.3.2). The mapping between 

231

Figure 15.1: Mapping research focus requirements to criminal network investigation tasks: a line between a task and a requirement indicates that 

support of the task is support of the requirement. 

232 

CHAPTER 15. EVALUATION

CHAPTER 15. EVALUATION 

Figure 15.2: Mapping research focus requirements to conceptual, structural, and mathematical 

models: a line indicates that support of the model is support of the requirement. 

each model and our research focus requirements is shown in Figure 15.2, where a line indicates 

that support of the model is equal to support of the requirement. 

End user interviews provided us with an initial qualitative evaluation of criminal network investigation 

tasks (see Section 15.2). Measures of performance for our extension of centrality algorithms 

and the transformative predict missing links algorithm evaluate research focus requirements, and 

the mapping between requirements and measures of performance can be seen in Figure 15.3, where 

a line indicates, that if a measure of performance is good, then it is supporting the requirement. 

Our research has focused on developing new concepts for criminal network investigation, and 

our methods for evaluation have been designed to evaluate those concepts. Consequently, our 

software development approach has been based on “proof-of-concept” prototyping, and involved 

the integration of criminal network investigation processes (primarily synthesis and sense-making) 

by applying a variety of technologies, such as software systems engineering, hypertext and various 

mathematical models for computational support. Because of this integration of processes, we 

apply the three mentioned evaluation methods (end-user interviews, capability comparisons, and 

measures of performance). But we also review the importance post-crime data sets because they 

have been our main source of evaluation data (both for synthesis and sense-making evaluation) 

and we therefore found it necessary to describe their relevance as opposed to pre-crime or real-time 

crime criminal networks (see Section 15.1). We present usability feedback gathered from semistructured 

interviews with a number of end-users from various criminal network investigation fields 

(see Section 15.2). We have compared the capabilities of CrimeFighter Investigator with other 

leading commercial tools and research prototypes for criminal network investigation (see Section 

15.3). Finally, we have evaluated the sense-making algorithms using measures of performance 

found relevant for the intended use of CrimeFighter Investigator (see Section 15.4). 

233

15.1. POST-CRIME DATA AND INFORMATION CHAPTER 15. EVALUATION 

Figure 15.3: Mapping research focus requirements to measures of performance. A line indicates, 

that if a measure of performance is good, then it is supporting the requirement at the other end 

of the line. 

15.1 Post-crime data and information about criminal network 

investigations 

Obtaining data for testing criminal network investigation tools is an obstacle for much security 

informatics research, especially when focusing on synthesis, sense-making and dissemination 86 . 

One option would be to have access to first-hand evidence, but “it is very difficult to get firsthand 

evidence of crimes while they are being perpetrated - an observer would most likely be 

legally required to try to prevent the crime rather than letting it take place” [30]. It is however 

often preferred to take proactive measures, (e.g., be able to act before a bomb explodes), and we 

would benefit more from a first-hand witness account of all the steps leading up to a crime being 

perpetrated, but it is often not possible for researchers to follow such investigations (according to 

our experience). 

A secondary option would be to gain access to classified information (secret intelligence such 

as human intelligence and technical intelligence, see Section 5.8) directly from the intelligence 

agencies - some of which might be real-time and other from for example human sources, who 

might have infiltrated criminal groups to follow their planning of crimes. But as we will discuss in 

Section 15.6.2, such cooperation between the Danish intelligence services and academia does not 

exist to our knowledge. 

That leaves researchers in the field of criminal network investigation with the option typically 

resorted to: building their own data sets based on publicly available sources of information (open 

source intelligence) 87 or using already existing data sets of past crimes and attacks. And open 

source intelligence has actually been quoted to provide 80% of the relevant information in allsource 

analysis [214] (with secret intelligence providing the gold nuggets connecting that relevant 

information). Collecting and processing open source intelligence can however be a very time 

consuming task, which is why researchers are developing tools that can automatically harvest 

and pre-process information to assist criminal network investigators in their work. But automatic 

harvesting and processing cannot be applied to all open information sources, and investigators are 

almost always required as part of the process. 

But why do criminal network investigation researchers want synthesized criminal networks in 

234

CHAPTER 15. EVALUATION 15.1. POST-CRIME DATA AND INFORMATION 

Figure 15.4: How post crime data and information can be used for two very different types of 

evaluation, either directly for computational evaluation, or indirectly for usability testing through 

the synthesis of the post crime data and information as the data and information emerged and 

evolved in the criminal network investigation. 

the first place? Because we use post-crime data, often referred to as data sets, for evaluation of 

acquisition and algorithm based sense-making investigation tasks. These data sets are, to a certain 

extent, synthesized, complete data sets. We use post-crime information about how information 

structures emerged and evolved throughout the criminal network investigation for testing the 

synthesis functionality of our tool. Finally, we use post-crime information about investigations for 

requirement generation (i.e., criminal network investigation tasks) as well as validation (evaluation) 

of requirements. 

To be able to say that a tool can be used for usability testing through the synthesis of the post 

crime data and information as the data and information emerged and evolved in the criminal 

network investigation, we would first have to establish that synthesis is equivalent to a certain 

degree to the actual real-time synthesis of criminal networks (illustrated in Figure 15.4). We 

describe our first steps toward establishing this below, in Section 15.1.1. 

15.1.1 Comparing post-crime data set creation and real-time investigation 

Synthesizing criminal networks post crime based on multiple sources resembles, to a certain degree, 

the process of initially synthesizing the actual criminal network during real-time investigation. You 

gradually learn more and more about the criminal network under investigation - structures emerge 

and evolve. It would therefore be relevant to task some one with synthesizing a post crime network, 

e.g., the Daniel Pearl network (see Section 3.5.1), based on open sources. The hypothesis for this 

work would be to test whether or not a tool for real-time criminal network investigation is also 

suitable for synthesizing networks after the investigation is concluded, since it is essentially the 

same task only with different type of input and output. We would expect to learn two things from 

researching such a hypothesis: First, we would know if CrimeFighter Investigator is suitable for 

criminal network synthesis of the information in the post crime data, and if the result of this would 

be suitable for sense-making and visualization. Secondly, if our first research focus would fail, we 

would know what kind of support was missing from CrimeFighter Investigator. Two specific tasks 

have been formulated for the synthesis of the Daniel Pearl network: 

1. Outline the chronology of events as they were revealed to the investigation team (for each 

source independently). 

2. Synthesize the networks as presented by each source, together with a network based on all 

three sources. 

235

15.2. END-USER INTERVIEWS CHAPTER 15. EVALUATION 

Secret Public Both 

Investigative journalists 0 1 1 

Intelligence analysts 1 5 6 

Police officers 3 0 3 

Research community 0 7 7 

TOTAL 4 14 24 

Table 15.1: An overview of end users that have been interviewed. 

We have done much of this work ourselves and using CrimeFighter Investigator, but doing it in a 

more structured way, would allow us to make conclusions about synthesis of post crime criminal 

networks and tool support therefore. 

15.2 End-user interviews 

We have received usability feedback from a number of people investigating criminal networks from 

various fields such as investigative journalism, counterterrorism, and policing (see Table 15.1). For 

each of the unstructured usability feedback interviews (individuals or groups) we followed three 

steps (not always in the listed order): first, we gave a general introduction to and demonstration 

of CrimeFighter Investigator. Second, the criminal network investigators were asked to describe 

their background and ongoing network investigations. Third, we discussed which CrimeFighter 

Investigator features would be useful for the criminal network investigators in their work. 

15.2.1 Alex Strick van Linschoten (Trafalgar Square, London) 

To exemplify our interview approach we provide extracts of an interview held with historian and 

investigative journalist Alex Strick van Linschoten (author of [134]). The example demonstrates 

the value of CrimeFighter Investigator usability feedback for both development of future features 

and evaluation of existing features. Alex is investigating the alleged links between al-Qaeda and 

the Afghan Taliban and he has observed several network characteristics. 

Alex’s data set on the Afghan Taliban spans the time-period 1970-2011. As of 2011 the data 

set has 500-600 individuals, a network he claims to have memorized. The data set is based 

on interviews with Taliban members who were asked who they fought with in the ’80s, their 

andiwaal groups (friend groups formed by Afghans when teenagers) and other relations. Reports 

on Afghanistan by the International Security Assistance Force (ISAF) are also contributing to 

the data set. 70 percent of the relations in the network are based on rumors, which is indicated 

using relation weights. When Alex interviews Taliban members he notes down attributes such 

as ‘name’, ‘date of birth’, ‘place of birth’, ‘tribe’, ‘ethnicity’ and ‘andiwaal group’. Alex uses 

Tinderbox [24], a spatial hypertext tool, to record and structure his collected and processed 

network information. A snap shot from a Tinderbox investigation is shown in Figure 15.5, showing 

“Taliban fronts, commanders and fighters in Panjwayi/Zheray during the 1980s” [134]. 

Alex works with the network information in a number of different ways and has in general many 

ideas for how it could be used. Alex studies the evolution of the network from one time period to 

the other (a historical evolution perspective). He believes that knowledge about an individual’s 

andiwaal group could be used to predict who that person might be fighting side by side with 

in future operations. Alex is searching for different tendencies in the data set like for example 

changes in age or gender. 

Alex has encountered a number of problems for which he requires specialized tool support, for 

instance a social network analysis tool that also supports an actual time line (Tinderbox only 

supports snapshots of the network). At the time of interview he is analyzing the network data 

236

CHAPTER 15. EVALUATION 15.2. END-USER INTERVIEWS 

Figure 15.5: A snapshot of Linschoten’s investigation in Tinderbox [24]: “Taliban fronts, commanders 

and fighters in Panjwayi/Zheray during the 1980s” [134]. 

to see if there are any important observations that he has missed. Alex mentions that different 

layout functionality would be useful for this, e.g., laying out nodes according to betweenness 

centrality. Finally, if Alex exports information from Tinderbox [24] to import it into Analyst’s 

Notebook [2] to create a special visualization, it is not possible to get that visualization back into 

Tinderbox. The interchange of information is not facilitated both ways. 

15.2.2 British home office 

During a stay as a visiting researcher at Imperial College in London, we presented CrimeFighter 

Investigator at the British Home Office [167], followed by a discussion of particular tool features 

and current and previously undertaken intelligence analysis work by the British Home Office. Six 

intelligence analysts participated in the meeting and to protect their identities we refer to them 

as IA1, IA2, etc. 

During the demonstration of CrimeFighter Investigator I walked the meeting participants through 

a couple of sense-making work flows, applying predict missing links and predict covert network 

structure algorithms to the November 17 network. Based on the responses, we found that a higher 

degree of work flow transparency would be required, to have the participants ask questions for 

particular steps in the work flows, basically to understand what is going on. The questions and 

statements from the meeting participants were of a much more general nature, and some of them 

referred to tasks not within my focus areas such as web harvesting (see below). The questions and 

statements included: 

IA1: “We typically have much less data, or not so many attributes, as it was the case in 

the November 17 network you presented”. 

IA2: “Would it be possible to do predictions on hierarchical links (i.e., links from a space 

237

15.3. CAPABILITY COMPARISONS CHAPTER 15. EVALUATION 

to a sub space)? And would it be possible to represent such structures in CrimeFighter 

Investigator?”. 

IA3: “We would really like to be able to process large amounts of data and generate networks 

based on that.” 

IA3: “What I have seen the last five to six months, was a tool where you could link a person 

to a location and say, okay this person participated in a meeting here, and this other person 

was on the location in this and that time span; what is it the chance that they have spoken?” 

IA3: “It is a bit mischievous, but it could be interesting to import the information about 7/7 

which we had back then about individuals in the milieu to see if the algorithms could predict 

what would happen, that is, what individuals where involved in the planning”. 

IA4: “Is it possible to collect network information from youtube and other accounts?”. 

Based on this, we found it interesting that, given the current focus areas of the British Home 

Office, they seemed very interested in the adaptive modeling approach, rather than the prediction 

techniques presented at the meeting. 

15.2.3 Summary 

Besides the two usability feedback interviews described in Section 15.2.1 and 15.2.2, we also had 

unstructured interviews with Danish law enforcement police detectives, intelligence analysts, and 

a financial fraud expert at the i2 end user conference in Brussels 2010. Finally, we had discussions 

and talks with high-level researchers at security informatics and hypertext conferences. The end 

user interviews are summarized in Figure 15.2, where it is indicated whether or not each individual 

criminal network investigation task was found to be relevant for support in a tool for criminal 

network investigation. The end user interviews are discussed and further summarized in Section 

15.6.3. 

15.3 Capability comparisons 

We have carried out two capability comparisons, one based on the criminal network investigation 

tasks presented in Section 7.2 and the other is based on support of first class entities, selected 

hypertext structures, and transformative and measure algorithms (see Section 8.1, 5.1, and 8.2). 

In both cases, CrimeFighter Investigator is compared to the tools and prototypes reviewed in 

Chapter 4. 

15.3.1 Criminal network investigation task support 

The evaluation and comparison of the selected tools was made based on the identified tasks for 

criminal network investigation. A thorough examination of each tool has been made by the 

authors based on the available research literature, books, manuals, and other publicly available 

information. The results can be seen in Table 15.2. 

Each tool is rated against each task in the list. A judgment has been made whether the tool 

provides full support, partial support, or no support for the task. This is indicated by different 

icons in the table. Based on the support for individual tasks, each tool has been given a score 

for each process based on a judgment of how many of the tasks that they support. This score 

is between 0 (no support), 1 (fragmentary support), 2-4 partial support, and 5 (full support). 

Fragmentary support means that the core task is in theory supported by the tool through the 

combination of various features, but it is found to be too time-consuming to be really useful. We 

discuss the capability comparison of tasks in Section 15.6.4. 

238

CHAPTER 15. EVALUATION 15.3. CAPABILITY COMPARISONS 

Shared work flows 

Emergent collaboration 

Shared information space 

COOPERATION 

Report generation 

Storytelling 

DISSEMINATION 

Terrorist network analysis 

Social network analysis 

Decision-making 

Exploring perspectives 

Alias detection 

Prediction 

Adaptive modeling 

Creating hypotheses 

Retracing the steps 

SENSE-MAKING 

Emerging attributes 

Information types 

Brainstorming 

Collapsing & expanding 

Grouping 

Re-structuring 

Associations 

Entities 

SYNTHESIS 

Attribute mapping 

Dynamic attributes 

Acquisition methods 

ACQUISITION 

CAPABILITY COMPARISON 

Analyst’s Notebook 8.5 3 2 1 3 2 ◦ ◦ ◦ 

Palantir Government 3.0 4 3 3 4 4 ◦ ◦ ◦ 

Xanalys Link Explorer 6.0 4 2 1 2 3 ◦ ◦ ◦ 

COPLINKa 4 2 1 2 2 ◦ ◦ ◦ 

Namebase.org 0 1 1 1 0 ◦ ◦ ◦ 

Mindmeister 2 4 1 2 4 ◦ ◦ ◦ 

Simple tools 1 3 1 1 2 ◦ ◦ ◦ 

Aruvi 2 1 2 3 2 ◦ ◦ ◦ 

Sandbox 2 3 2 2 3 ◦ ◦ ◦ 

POLESTAR 3 2 2 1 3 ◦ ◦ ◦ 

CrimeFighter Investigator 2 4 4 3 2 ◦ ◦ ◦ 

END USER INTERVIEWS 

Investigative journalism ⊠ + + + ⊠ − + + − − + − − ⊠ − + − + − − − + ◦ ⊠ + − ⊠ ◦ ◦ ◦ 

Counterterrorism ⊠ + + + ⊠ + + + − + − + + ⊠ + + + + + + − + ◦ ⊠ − − ⊠ ◦ ◦ ◦ 

Policing ⊠ + + + ⊠ + + − − − − + − ⊠ + + − − − + + + ◦ ⊠ + + ⊠ ◦ ◦ ◦ 

Researchers & Industry ⊠ + + + ⊠ + + + + + + + + ⊠ − − − + − − − − ◦ ⊠ − − ⊠ ◦ ◦ ◦ 

Capability Comparison legend - investigative processes (0: no support, 1: fragmentary support, 5: full support) investigative tasks (: supported, : 

partially supported, : not supported). ◦ indicates that specific cooperation tasks were added after the capability comparison was complete. 

End user interview legend ⊠ indicates criminal network investigation tasks not relevant for the evaluation method. + indicates the relevance of supporting 

the task for the given profession and a − indicates the opposite. ◦ means that the task was added after the interviews 

239 

Table 15.2: An overview of the capability comparison of CrimeFighter Investigator, the end user interviews, and the criminal network investigation 

processes and tasks the tool was evaluated against. 

a Based on a combined evaluation of the three modules COPLINK Connect, Detect, and Collaboration as well as the COPLINK criminal network analysis tool CrimeNet 

Explorer (previously CrimeLink Explorer).

15.4. MEASURES OF PERFORMANCE CHAPTER 15. EVALUATION 

Figure 15.6: Proposed computational modeling concepts and their interrelationship. 

15.3.2 Capability comparison of the computational model supported 

For this capability comparison we will assess state-of-the-art according to tailorability of the computational 

model. We have previously defined ownership of information and transparency of 

process to be direct results of tailorability, meaning the ability to extend and customize existing 

functionality for a specific purpose. In our chosen approach, we claimed that the level of 

tailorability depends on the computational model. We proposed a computational model that separated 

structural and mathematical models, both utilizing a conceptual model offering three first 

class entities. 

The evaluation and comparison of the selected tools was made based on the concepts developed 

for our approach to criminal network sense-making. These concepts are summarized in Figure 

15.6. At the center is tailoring, a concept that facilitates extension and customization of structural 

and mathematical models. Tailoring leads to transparency of the sense-making process and 

ownership of sense-making computed information. Transparency and ownership increases trust 

in the provided information, which will increase the likelihood of that information being used for 

operational or other decision-making. 

A thorough examination of each tool has been made by the authors based on the available research 

literature, books, manuals, and other publicly available information. The results can be seen in 

Table 15.3. 

Each tool is rated against each concept (model) and sub-concept in the list. A judgment has been 

made whether the tool provides full support (), partial support (), or no support () for this 

concept, indicated using the shown icons in the table. Based on the support for individual subconcepts, 

each tool has been given a score for each concept (conceptual model, structural models, 

and mathematical models) based on a judgment of how many of the sub-concepts that they 

support. This score is between 0 (no support), 1-2 (fragmentary support), 3-7 (partial support), 

and 8-9 (full support). Fragmentary support means that the core concept is in theory supported 

by the tool through the combination of various features (not the listed sub-tasks), but it is found 

to be too complicated to be really useful in terms of tailorability. We discuss our comparison of 

model capabilities in Section 15.6.4. 

15.4 Measures of performance 

We have developed measures of performance (MOPs) for the algorithm-based techniques that 

CrimeFighter Investigator supports, also referred to as criminal network sense-making. We first 

calculate measures of performance for our extended centralities, and then we describe the development 

and subsequent test of three MOPs for the transformative predict missing links work 

240

CHAPTER 15. EVALUATION 15.4. MEASURES OF PERFORMANCE 

Conceptual model 5 7 5 2 5 7 7 8 

First class information elements 

First class relations 

First class composites 

Structural models 4 7 5 2 5 6 7 8 

Navigational structure 

Spatial structure 

Taxonomic structure 

Mathematical models 5 5 5 0 2 0 0 7 

Transformative** 

Measuring 

Table 15.3: The authors’ assessment of computational modeling concepts *(AN = Analyst’s Notebook, 

PG = Palantir Government, XLE = Xanalys Link Explorer, CFI = CrimeFighter Investigator), 

**(Filtering is not included). 

flow. 

15.4.1 Social network analysis: extending centrality measures 

Based on an organized drug crime network and other reviewed cases 88 , we define three tool requirements 

describing investigative needs that we aim to support: 

1. When node-link-node associations are not dominant, then semantic associations will reduce 

investigation uncertainty by computation of extended centrality measures. 

2. Centrality measures for criminal network entities, must support empty endpoint associations 

for more accurate results. 

3. A combination of several direct and semantic associations can be necessary to support when 

computing centrality measures for criminal network entities. 

Method 

We have tested CrimeFighter Investigator’s support of three tool requirements on a filtered version 

of the investigation of an organized drug crime network [10], and a semi-altered version of the same 

investigation. We calculate two centrality measures, degree and betweenness, for two conditions, 

with and without two designed and implemented associations. 

We test the co-location association on an investigation inspired by an organized drug crime network 

to evaluate the requirement for support of semantic associations. The investigation had no direct 

associations between entities prior to the test. We have filtered out all entities except the closeup 

photos (i.e., the blue rectangles) and created an investigation using CrimeFighter Investigator 

where individuals are positioned with the same relative distance. All individuals are given numbers 

or letters as name, except for the two lieutenants Anton Artis (A.A.) and Roland Brice (R.B.). 

The network with the semantic co-location association included is shown in Figure 15.7a and the 

calculated centralities are shown in Figure 15.7b. 

We have defined the following four information entities used on the investigation board and use 

colored rectangles to represent them in Figure 15.8: portrait pictures are blue, large surveillance 

241 

AN 8.5* 

PG 3.0* 

XLE 6.0* 

COPLINK 

Aruvi 

Sandbox 

POLESTAR 

CFI 1.0*


photos are orange, text cards with meta data about individuals are green, and header text cards 

with red text are dark red. Based on this augmentation of the investigation board we observe a 

number of semantics. Most obviously all portrait Polaroid pictures are placed below a meta data 

text card. Sometimes a surveillance photo is placed next to the portraits. Finally, the investigation 

board is divided horizontally into areas by the header text cards placed at the top. 

Prior to testing the empty endpoint association we found that empty endpoints rarely occurred 

in the investigation we analyzed. Links are used to connect two entities, and even if the contents 

of one entity is unknown it is still created as a placeholder. It is unclear whether this is simply 

because it does not make sense to work with empty endpoints or if it is because of a structural bias 

toward links as simple entity connectors. To test the influence of the empty endpoint association 

we have used some of the links from the previous test to create a new test case (see Figure 11.1). 

We assume that a number of subgroups have been detected (the four colored composites) and that 

the investigators know there is some connection from the main network to each of these subgroups 

but it is unclear how and therefore an empty endpoint is positioned next to each subgroup. 

To test the requirement for centrality measures to consider multiple associations, we use the same 

network as for the empty endpoint requirement (see Figure 11.1). However, this time we test 

both the empty endpoint association and the co-location association together. The with condition 

therefore means that the algorithm replaces empty endpoints with actual nodes (placeholders) and 

creates links between co-located nodes that are not already directly associated. 

Summary of results 

Testing the requirement for semantic associations illustrated how centrality measures can be applied 

to spatial network structures using a co-location association. It is evident that when no 

relations exist in an investigation prior to analysis, there is a need to define associations between 

entities in a different way if the investigators want to calculate node centrality to deal with the 

uncertainty of an ongoing investigation. We see that degree centrality indicates the individuals 

on the right hand side in Figure 15.7b as central to the network (e.g., 9, 6, 8, and 10), but they 

are of little importance, when considering betweenness. At the same time degree doesn’t point 

to the two lieutenants A.A. or R.B. as key players like we expected. We therefore find that one 

should be careful with considering spatial co-location as a measure for network degree centrality. 

Betweenness centrality clearly points to A.A. and R.B. as key players in the network together 

with individual 2. Given the results of our two other tests it is also interesting that individual 5 

is placed in top four in terms of betweenness. 

When we tested the empty endpoints requirement we found that the measure of degree centrality 

provides investigators with no clear tendencies, although it more strongly indicates individual F, D, 

A.A., and 3 as central to the network. The betweenness results more distinctly point to A.A. and 

R.B. when including the empty-endpoints association. We also observe that individual 2 is ranked 

as fourth instead of seventh which is a more realistic depiction of this individual’s betweenness in 

the network. Individual 5 has the highest change in betweenness when including empty endpoints, 

making him an interesting subject for further investigation. As mentioned earlier, it would be 

possible to model empty endpoints using information element placeholders until the content of the 

empty endpoint is known. This also means that traditional social network analysis measures of 

centrality could be applied. We therefore recommend to test if empty endpoints have higher value 

for restructuring tasks during synthesis than for centrality algorithms. 

Our test of the requirement for support of multiple associations was successful in terms of extending 

two measures of centrality with more than one association from our topology. But for the test 

investigation the test results did not add much investigative value. The inclusion of both empty 

endpoint and co-location associations connects all entities in the criminal network through the 

empty endpoints (individual 5 is connected to individual 6 and 12, individual F to individual H, 

and individual A.A. to individual M). This makes the degree and betweenness centrality of key 

nodes without the associations less distinctive. The numbers are flattened because the information 

242

CHAPTER 15. EVALUATION 15.4. MEASURES OF PERFORMANCE 

al-Qaeda November 17 

version → full full id 1-20 full full 

sampling → 100% 25% 50% 100% 50% 

Nodes 366 256 15 22 17 

Attributes 17 17 17 11 11 

Complexity* 9.53 9.53 9.53 2.09 2.09 

Links 999 249 18 63 32 

Link density 0.015 0.008 0.17 0.27 0.24 

*Complexity indicates the average number of 

enumerated values for each entity attribute. 

Table 15.4: The November 17 and al-Qaeda datasets. 

elements in the subgroups achieve higher measures of betweenness centrality with the associations 

included. The most interesting result for this final test was that the degree and betweenness 

centrality of individual 5 is increased considerably when the associations are added. Together, 

our three requirement tests have shown that measures of centrality extended with novel types of 

associations provided new insights into two organized crime networks that traditional centrality 

measures could not provide. Most important result was that the centrality of individual 5 was 

increased in all three tests. Individual 5 was not known to be a central entity in the network 

before the tests. 

15.4.2 Predict missing links algorithm 

Our measures of performance (MoPs) for the predict missing links algorithm focus on the internal 

structure, characteristics, and behavior of the CrimeFighter Investigator sense-making sub-system. 

We have developed three measures that helped us answer questions about how the CrimeFighter 

Investigator predict missing links algorithm performs in terms of information volume, attribute 

completeness, and attribute accuracy. In the longer term, these MoPs will help us build a process 

that criminal network investigators can have confidence in, going before a decision maker [216]. 

We need to make sure that algorithm supported sense-making tasks can perform on the criminal 

networks that investigators are dealing with on a daily basis. More specifically, we want to evaluate 

if the integration of synthesis and sense-making tasks is feasible. 

To test the developed algorithm, we use two criminal networks: November 17 and al-Qaeda. The 

data set of the (believed defunct) Greek terrorist group November 17 (N17) was derived from open 

source reporting [112]. The N17 group was a small close knit organization of 22 individuals with 

63 links out of a potential 231 links. The links of the dataset indicate that open source reporting 

has demonstrated some connection between the two individuals at some point in the past, but no 

specific weightings of the links are indicated [184]. 

The second dataset is the al-Qaeda network (2003). All the network information was gathered 

from public domain sources: “documents and transcripts of legal proceedings involving global 

Salafi mujahedin and their organizations, government documents, press and scholarly articles, and 

Internet articles” [188]. We have included acquaintance, friend, and post joining jihad relations, 

but the algorithm does not differentiate between them. Nuclear family, relatives, religious leader, 

and ties not in sample links are excluded from our version of the data set. 

We use sampled versions of the full networks for our evaluations and the topology of all networks 

are presented in Table 15.4. The sampled networks are created by removing either 50 or 25 

percent of the links in the network and then see what is left. The number of nodes and links 

are inherently an issue for performance. The number of attributes that each node has does not 

impact the performance of the ‘missing links’ algorithm since tests are run with four attributes 

every time. We define the complexity of node attributes as the average of valid enumerated values 

243


Data set → November 17 al-Qaeda 

L Cutoff 2.5 2.5 

Attribute 1 Role Children 

Attribute 2 Faction Clump 

Attribute 3 Resources Fate 

Attribute 4 Degree centrality Degree centrality 

Table 15.5: Algorithm setup for the November 17 and al-Qaeda data sets. 

Data set 

“Original” data set 

Version Sampling Time (s) TP*# TP% FP*# FP% 

November 17 (full) (50%) 0.219 9 42.9 12 57.1 

100% al-Qaeda (id 1-20) (50%) 0.078 7 35.0 13 65.0 

al-Qaeda (full) (25%) 63.093 288 4.9 5547 95.1 

Attribute accuracy 

November 17 (full) (50%) 0.235 5 35.7 9 64.3 

90% al-Qaeda (id 1-20) (50%) 0.79 6 46.2 7 53.8 

al-Qaeda (full) (25%) 37.562 165 5.1 3052 94.9 

November 17 (full) (50%) 0.124 1 16.7 5 83.3 

70% al-Qaeda (id 1-20) (50%) 0.62 5 45.5 6 54.5 

al-Qaeda (full) (25%) 24.656 167 5.0 3171 95.0 

Attribute completeness 

November 17 (full) (50%) 0.282 5 45.5 6 54.5 

90% al-Qaeda (id 1-20) (50%) 0.094 7 41.2 10 58.8 

al-Qaeda (full) (25%) 41.344 197 4.8 3939 95.2 

November 17 (full) (50%) 0.531 5 45.5 6 54.5 

70% al-Qaeda (id 1-20) (50%) 0.079 5 41.7 7 58.3 

al-Qaeda (full) (25%) 24.328 146 4.4 3167 95.6 

* TP = true positives, FP = false positives. 

Table 15.6: Measures of performance for the ’predict missing links’ algorithm. This algorithm is 

at the core of the predict ’covert network structure’ and ’custom node removal’ algorithms. 

per attribute. Link density is the ratio between the number of links and the number of potential 

links and indicates for example how connected and covert the given network is. 

We logged three variables for each test. Time is the seconds it takes to predict missing links. 

True positives are predicted links that exist in the non-sampled version of the data set. False 

positives are predicted links that do not exist in the non-sampled version of the data set. The 

’predict missing links’ algorithm was customized in the same way for each sampled data set before 

each test as described in Table 15.5. The al-Qaeda attributes are selected to match the number 

of enum values for each November 17 attribute. 

We evaluate the ’predict missing links’ algorithm against all the data sets using the three measures 

of performance. The results listed in Table 15.6. 

Information volume. This measure of performance is based on an evaluation of the change in 

processing time and true and false positive ratios when the number of nodes and links increases 

across the three sampled data sets. 

We observe that the sampled al-Qaeda data set increases the time required to process the prediction 

significantly (as expected). However, in the worst case the logged time is only 63 seconds and it 

does not raise any operational concerns for most criminal network investigations. We realize that 

the network can be much larger, and expect the required time to increase also for the tested data 

set if attributes with more enumerated values were selected. But it is our experience that for very 

244

CHAPTER 15. EVALUATION 15.5. SUMMARY 

large networks, criminal network investigators will request predictions within subgroups mostly 

and not the whole network. 

Attribute accuracy. The ‘missing links’ prediction algorithm is based on that attribute values 

are machine-recognizable, i.e., the value should be one of a list of predefined enumeration 

values (e.g., Role [leadership, operational] or Degree centrality [high, middle, low]). We 

have decreased the attribute accuracy of the sampled data set by scrambling a percentage of the 

enumeration values. 

The decreasing accuracy of enumeration values clearly impacts on the number of predicted links, 

but the ratio between them does not change indicating some robustness of the ‘missing links’ 

algorithm. The time actually decreases together with the decreasing accuracy of attribute values; 

a decrease in predicted links can more easily be processed by the algorithm. One interesting 

observation here is that the ratio of true positives dropped significantly for the November 17 data 

set at 70% accuracy to 1 (from 5 at 90%). We expect this is caused by the less attributes compared 

to the al-Qaeda data set, making it more vulnerable to the random scrambling of attribute values. 

Attribute completeness. End user requirements and usability feedback have indicated a need 

to support dynamic and emerging entity attributes, since limited information is typically available 

about the individuals in criminal networks. To simulate this we delete attribute values from the 

data sets by replacement with empty values. 

Like attribute accuracy the total number of predicted links decreases as the number of non-empty 

attribute values increases but the ratios stay more or less the same. We anticipated this similarity 

between the accuracy and completeness MoPs as the CrimeFighter Investigator does not support 

technology that could improve the attribute accuracy by correcting for example typographical 

spelling errors. 

15.5 Summary 

To summarize our evaluations, we have used three different methods for evaluating our developed 

tool support for criminal network investigation: capability comparisons, end user interviews, and 

measures of performance. The use of multiple of multiple evaluation methods was necessitated by 

the different nature of different criminal network processes embedded in our target-centric model. 

Our three methods gave us good evaluation coverage across all of them, from acquisition to cooperation. 

Acquisition and synthesis tasks maps to evaluation of information #1 (emerging and 

fragile structure). Acquisition tasks, information types, and emerging attributes maps to evaluation 

of information #2 (integrating information sources). Sense-making tasks maps to human 

factors #1 (augment human intellect) and human factors #4 (human-computer synergies). 

Dissemination tasks maps to evaluation of human factors #2 (transparency and ownership), 

and so forth. 

A couple of requirements were found not to be covered by the selected evaluation methods, this was 

however expected. Observing the mapping figures for requirements to tasks (Figure 15.1), measures 

of performance to requirements (Figure 15.3), and models to requirements (Figure 15.2), we see 

that Process #1 (target-centric and iterative) and Process #3 (make everybody stakeholders) 

are not covered by our evaluation methods. Only argument for coverage would be that support of 

the retracing the steps task, and hence information #4 (versioning support), would reveal who 

take e.g., early decisions in an investigation and hence their responsibility for the final outcome 

would stay throughout the investigation and they would be stakeholders. But we find that to be 

a rather weak argument for coverage. As mentioned, this was expected. Our process model was 

developed to address these two research focus requirements, and our arguments for designing the 

process model in this particular way based on literature studies, expert end users, and our ideas 

for how to design such a process. 

In summary, for the evaluations presented in this chapter of a tool for criminal network investigation, 

CrimeFighter Investigator, we find it has strong support for information #1, information 

245

15.6. DISCUSSION CHAPTER 15. EVALUATION 

#3, process #4, human factors #1, and human factors #4, medium support of information 

#1, human factors #2, and human factors #3, and weak support of information 

#1 and process #2. This summary is visualized in Table 15.7. Comparison of CrimeFighter 

Investigator with other tools was covered in Section 15.3. 

Information Process Human factors 

Requirement #1 #2 #3 #4 #1 #2 #3 #4 #1 #2 #3 #4 

Measures of performance 3 1 1 1 - 1 - 2 2 1 - 1 

Models 2 1 2 2 - 2 - 3 3 3 1 3 

Capability comparisons 6 1 3 1 - 1 - 2 3 2 3 3 

Support - - 

Table 15.7: Summary of evaluation according to requirements. A large black square indicates 

strong support of a requirement, a medium sized black square means medium support, and a 

small black square is a symbol for weak support of the requirement. We have used values of 1 to 

6, to indicate the support of individual evaluation methods for each research focus requirements, 

primarily based on the mappings between the methods and the requirements (see Figure 15.1, 

15.2, and 15.3). 

15.6 Discussion 

We will discuss the implications of the evaluation results for CrimeFighter Investigator above in 

Section 15.2, 15.3, and Section 15.4. But first we discuss visualization as a lead-in to discussing 

who are treated as the customer, when it comes to tool support for criminal network investigation, 

and who really are the customer(s). A second discussion before that of the evaluation results, is 

about end user involvement in evaluation of criminal network investigation tools, the problems we 

faced in relation to this and our suggestions for how to get the end users from the security domains 

and law enforcement (police officers, detectives, intelligence analysts) involved in the evaluation, 

but also development, of tool support for criminal network investigation. 

15.6.1 Visualization or visual filtering 

Even with the carefully placed disclaimer in the introduction, we feel a need to discuss the issue 

of visualization here, based on who we think the customer for tool support of criminal network 

investigation is. The general critical reader (or perhaps a PhD committee member) could question 

our lacking coverage of visualization, and rightfully so. All we have done in terms of visualization 

is to mention (with certain amounts of sarcasm) how beautiful pictures it can make. And we have 

presented much criticism: on how static visualization tools often seem [166] and how users often 

only use the tools to draw the final networks of their investigation to present to their higher level 

managers (see Section 15.2). We have described, maybe not in so many words, how we have sat 

at the back of an IBM i2 end user conference and chuckled when the CEO mentioned the new 

3D icons, how cool they were (he used the word cool), and then looked up at them and paused. 

One would have expected, when looking around the room, to see other people smiling and shaking 

their heads; but no, everybody were looking mesmerized at the CEO and the icons; 3D icons are 

mesmerizing. 

We didn’t do structured literature reviews of information visualization and related fields, so who 

are we to offer an opinion on the subject? Clearly, we have no idea of the depth of this field and the 

246

CHAPTER 15. EVALUATION 15.6. DISCUSSION 

many important applications in relation to security informatics and criminal network investigation. 

Nonetheless, we discuss it, and we use Ray Kroc’s quote from the beginning of this chapter, as a 

basis of our discussion, and to indicate the non-scientific nature of the discussion. When Ray Kroc 

talks about “looking after the customer”, he is most likely referring to customer service: smiling 

service; fast service; and a nice, clean, and well kept establishment. In the documentary SuperSize 

Me, the implication is that McDonald’s is looking after the customer by providing them with well 

tasting food that to some extend makes them addicted to that same food; or the amount of sugar 

it contains. In combination, looking after the customer, becomes excellent service, a nice, clean, 

and (might we add) colorful restaurant, together with selling the customer something that tastes 

very good, but ultimately is not good for the customer. 

For companies that sell criminal network visualization software, the customer is first of all the 

individuals who pay the large license fees, typically managers in companies and organizations 

requiring such software. We believe that the true customer of criminal network investigation tools 

are the investigators who are going to use the tools. The questions is now, how best to look after 

this customer? We should surely not inhibit the investigator in any way, not inhibit the sense for a 

specific emerging structure, the investigator’s imaginativeness and creativity, when an idea makes 

the investigator draw a row of two story houses, before asking a tool which of those houses have 

roof access to a certain back alley. When the investigator thinks of new and innovative ways to 

fill the negative (void) space in a criminal network investigation, producing new leads and solving 

cases. That is our point of view, and it is the point of view we have had throughout this work and 

which we have been developing tool support for. 

Naturally, when all that is said, visualization is important in a tool box for fighting crime (e.g., 

criminal network investigation). And there is a tool in the CrimeFighter toolbox which focuses 

on visualization (see Section 1.4 in the introduction). Maybe, if we could call it something like 

visual filtering, indicating a more active involvement on the part of the investigator, rather than 

just selecting between a variation of layouts and color schemes, it would be a better match, and 

also become useful for the tasks of the criminal network investigator. 

15.6.2 End user involvement 

Evaluation of new processes, tools, and techniques for criminal network investigation is a challenging 

task, at best. Especially when humans are given such a central role as we have given them, 

and because our intended end users are from a part of society where it is not custom to talk freely 

and openly about your work and methods. Initially, when security informatics researchers start 

their work, they turn to the institutions of their homeland for inspiration, advice, and guidance. 

These institutions includes intelligence services and agencies, police and special units. In Denmark 

this would be either the danish security and intelligence service (DSIS 89 ) or the danish defense 

intelligence service (DDIS 90 ). Our supervisor, Professor Uffe Kock Wiil, has held several meetings 

with representatives from the Danish intelligence services prior to the beginning of our research, 

and the author has met representatives as well, on a number of occasions during the past three 

years. The feedback received by the author can be summarized to “you are using all the right 

words”, but “we do not adopt or test software within the organization before it reaches a certain 

level of maturity”. While that seems like a reasonable strategy for institutions whose work and 

information from outside sources depends on a certain level of secrecy [27], all software engineers 

know what happens when you leave the customer out of the development process loop: the risk 

for project failure (i.e., not delivering the desired product or any product at all) is significantly increased 

[43,54,165]. But there is a trade off between secrecy and openness that has to be carefully 

balanced 91 . During the nineties the media suspected DSIS to be a ‘state within the state’, and 

the previous director of operations for DSIS says that his sources within the media have noticed a 

return close to that level of secrecy [27]. As the 22 July commission report [153] states, ‘extreme 

secrecy’ might have contributed to not stopping (parts of) the terrorist attacks on 22 July (2011) 

in Norway [27, 153]. 

As mentioned above, the development of complex software systems requires the involvement of the 

247


customer as a stakeholder together with the developers and their managers, in order to produce 

a product with the required level of maturity, suitable for testing on classified data. We suggest 

that collaboration is established between the Danish intelligence services or the less secretive parts 

of law enforcement, such as police, with domestic research institutions. Such collaborations exists 

in other countries: at Simon Fraser University the Institute for Canadian Urban Research Studies 

(ICURS) based in the School of Criminology has a secure crime lab, where researchers can test 

their algorithms on police data. At Arizona University’s AI lab, 300 police officers participated 

in a survey-based evaluation of the COPLINK software 92 . Naturally, it takes time to build the 

required level of trust between academia and law enforcement, once your software tool is mature 

enough. Our three years in the security informatics research community helped us reach a point 

where we now find ourselves knowledgeable enough to ask these questions. But if was not required 

to experience the classical “oops, I tripped and spilled your wine on you (to test if you are wearing 

a wire)” before gaining access to knowledge from intelligence service agents, we might have been 

able to ask these questions earlier. 

15.6.3 Discussing end user interviews 

Unstructured and informal interviews, where the interviewer asks questions about individual criminal 

network investigation tasks and demonstrates some tool features, and the interviewee talks 

about their work and answers questions, have proved useful for an initial establishment of whether 

or not the research is on the right tracks. However, the aggregation of the interviews often becomes 

a difficult task for the interviewer. It is the interviewer who decides how to map responses and 

statements, and the evaluation naturally becomes subjective to a certain degree, and is qualitative 

in the sense that it is based on the opinions of interviewers. We found it to be a good approach, 

to keep separate the interviewees from different investigation domains, also because certain terminologies 

exist within those domains, making it easier to decide if a statement was for or against 

the support of a certain criminal network investigation task. 

15.6.4 Discussing capability comparisons 

We discuss our capability comparison of tasks in Section 15.6.4 and models in Section 15.6.4. 

Capability comparison of tasks 

Before discussing the results in Table 15.2, it makes sense to ask the question whether the tasks 

used for evaluation and comparison are the right tasks to support by software tools? The goal 

should be that the investigators can use the tools to reach better results faster. We have interacted 

with investigators when compiling the task list. The task list has subsequently been confirmed 

by investigators as important tasks to support in a software tool. The investigators also noted 

the absence of details regarding tasks in the acquisition and cooperation processes. We intend to 

address this in future work and constantly expand and revise our list of tasks to be supported 

based on interactions with end-users. 

The results in Table 15.2 are not surprising. Our focus on synthesis, sense-making, and dissemination 

have resulted in relatively good support for these processes ranging from 3 (dissemination) 

over 4 (sense-making) to 4 (synthesis). On the other hand, our tool scores somewhat low on 

acquisition (2) and cooperation (2) as expected. 

Compared to the other tools, CrimeFighter Investigator is the only tool that supports the majority 

of the envisioned synthesis tasks. Other tools support the synthesis tasks to a varying degree. 

Regarding sense-making, our tool scores higher than the other tools except for Palantir that 

received the same score. Our plans for future work (see Section 6) will result in a tool that 

fully supports the envisioned tasks related to synthesis, sense-making, and dissemination. Our 

conclusion is that our tool currently provides the most comprehensive support for synthesis and 

248


sense-making. 

It can be observed from Table 15.2 that the tools used in watchdog journalism are not as elaborate 

as the commercial tools for policing and counterterrorism. The market for policing and counterterrorism 

tools are much bigger than the market for watchdog journalism tools. We envision that 

our tool can be useful to investigative journalists due to the supported tasks. 

It can also be observed from Table 15.2 that the commercial tools provide good support for 

acquisition and dissemination. Acquisition is essential for a commercial tool, since many of their 

customers have enormous amounts of data that needs to be made available to the investigations. 

Dissemination is also essential for a commercial tool, since the investigation results needs to be 

communicated to the customer in a comprehensive manner. In the longer term, our future work 

will also address the acquisition and dissemination issues, but not to the extent of what commercial 

tools do. Our long term research goal is to provide the most comprehensive support for synthesis, 

sense-making, and cooperation. 

Commercial tools provide many powerful features for the synthesis tasks that they support, while 

there seems to be an increased focus on supporting sense-making tasks in research prototypes 

like Sandbox, POLESTAR, and CrimeFighter Investigator. For example, Analyst’s Notebook is 

very strong on visualization as part of its synthesis support, but lacks many of the features for 

sense-making. Wright et al. states that Analyst’s Notebook seems better suited as a report tool 

than a thinking tool since it does not encourage various alternative thinking [254]. This claim was 

supported by end-users we met at an i2 user conference 93 : “I typically use Analyst’s Notebook 

to generate a report for the state attorney handling the case in court. I do not use Analyst’s 

Notebook before I am done with my analysis”. 

The comparison of supported tasks is made based on whether a particular feature is supported 

or not - not how well it is supported. Commercial tools are by nature more mature and typically 

provides qualitatively better features than research prototypes (which often aim at providing proofof-concept 

implementations of features). CrimeFighter Investigator has so far only been evaluated 

based on the existence of support for tasks, not how well end-users feel they are supported in 

practice. This type of evaluation involving investigators from the three overall areas is planned to 

start, when the envisioned list of tasks have been implemented. 

CrimeFighter Investigator uses well-known (and tested) hypertext concepts and structuring mechanisms 

that have proved useful to solve similar knowledge management tasks. In fact, the tool 

builds on previous work by the authors on the use of multiple hypertext structures to support 

knowledge management tasks related to agile planning [170]. Thus, we are confident that the 

provided support to a large degree will be conceived as useful by the end-users in supporting the 

investigative tasks. Further evaluation results will help fine-tune the usability of the provided 

features. 

Capability comparison of tasks 

We observe two tendencies in our assessment of computational modeling concepts in commercial 

tools and research prototypes for criminal network investigation. Separating commercial tools from 

research prototypes, we see that the research prototypes are slightly more diverse in their support 

of first class entities. Tools and research prototypes are equally strong in terms of structure domains 

supported; the commercial tools are strong on navigational structures, where the research 

prototypes have better support for spatial structures. Finally, the commercial tools outperform the 

research prototypes in terms of mathematical models (measures) supported. CrimeFighter Investigator 

has better support of first class entities (conceptual model), structure domains (structural 

models), and transformative and measuring algorithms (mathematical models) than the state-ofthe-art 

tools and research prototypes analyzed for this comparison. 

In our “invented” work flow scenario described in Section 14.3, Mark used sense-making tailoring 

to be able to understand and reason about the network information he was asked to analyze. More 

specifically he customized a prediction algorithm to base its inferences on different information 

249


element attributes for different parts of the network. He also extended the actual prediction of 

links to be conditioned by the betweenness centrality of the individuals between who links where 

predicted, prior to that prediction. The tailoring in CrimeFighter Investigator made the process 

transparent and helped Mark to gain a feeling of ownership toward the information provided. In 

other words, he trusted the sense-making provided information enough to forward his findings to 

his decision-making superiors. 

15.6.5 Discussing measures of performance 

We have developed and calculated measures of performance (MoP) for two extended centrality 

algorithms (degree and betweenness) and one transformative algorithm (predict missing links). 

In the longer term, these MoPs will help us build a process that criminal network investigators 

can have confidence in, going before a decision maker. MoPs are therefore also related to our 

discussion of involving end users in the evaluation of new tools for criminal network investigation 

(see Section 15.6.2). We expect that good MoPs will also be required to convince individuals in law 

enforcement institutions in order for them to decide whether or not to start a collaboration with 

the purpose of further development of the tool, or bringing it in-house to test on some up-to-date 

data. 

It is interesting that the information volume MoP does not have strong relations to our research 

focus requirements as it was illustrated in Figure 15.3. In fact, we only found it to have limited 

relations to support of the augmentation of human intellect requirement (human factors #1). 

But it is not surprising, as we have never thought of information volume on its own to be a 

complicated information problem, as it will be a matter of computing power and resources to 

solve it (as previously mentioned). However, if other information problems such as accuracy 

and completeness are introduced, information volume could become an issue, since computations 

becomes more complicated and time consuming. 

250


(a) test scenario 1 (b) colocation results 

251 

(c) empty endpoint results (d) two associations results 

Figure 15.7: The organized drug crime investigation with links representing co-location associations (a). The degree and betweenness centralities for 

each of three tests: co-location association (b), empty endpoints association (c), and both co-location and empty endpoints associations (d).


Figure 15.8: Augmented version of an organized crime investigation showing a shared information 

space and various content. Close-up pictures are blue, surveillance photos are orange, text cards 

with meta information about individuals are green and text cards functioning as headers are dark 

red. 

252

CHAPTER 16 

Conclusion and future work 

The art of investigation is in part the art of seeing, of finding a place 

to stand so that you can see. To see a ghost presents a special kind of 

problem. 

McDermott and Meyer (2012), in the hunt for Khalid Sheikh Mohammed [146] 

Criminal network investigation involves a number of complex knowledge management tasks such 

as collection, processing, and analysis of information. Synthesis and sense-making are core analysis 

tasks; analysts move pieces of information around, they stop to look for patterns that can help them 

relate the information pieces, they add new pieces of information and iteration after iteration the 

information becomes increasingly structured and valuable. Synthesizing emerging and evolving 

information structures is a creative and cognitive process best performed by humans. Making 

sense of synthesized information structures (i.e., searching for patterns) is a more logic-based 

process where computers outperform humans as information volume and complexity increases. 

CrimeFighter Investigator is a novel tool that supports a target-centric and iterative criminal 

network investigation process and related tasks through the application of advanced software 

technologies such as hypertext structure domains, semantic web concepts, known human-computer 

interaction metaphors, and a tailorable computational model rooted in a conceptual model defining 

first class entities that enable separation of structural and mathematical models. 

As a result of numerous commission reports evaluating the efforts of counterterrorism and police 

(e.g., [110,152,153]), there is a growing request for more openness in intelligence agencies and law 

enforcement in general, especially close to home (e.g., Norway [153] and Denmark [27]). As we have 

mentioned, these Commission Reports often presents how the information was there, available and 

linkable, and therefore resorts remedies such as information sharing, joint intelligence units, merged 

databases etc, but does little to improve on the intelligence process [32] (analytical methods). The 

22 July Commission Report concluded, among other things, that following a different methodology 

could have changed if not the final outcome, then the outcome of sub-parts of the Norwegian 

tragedy. Intelligence services in Denmark, such as the danish defense intelligence service have 

made organizational changes and talked about more openness 94 , and the author has through 

interviews and meetings learned that new technologies such as semantic web technology, and ideas 

such as intelligence in the cloud, readily retrievable by phones and tablets in the field 1 . We believe 

that the Danish intelligence services are moving in the right direction, with an increased focus 

on utilizing available information and communication technologies. But in terms of tool support 

1 This information is based on classified interviews and meetings, held between the author and the anonymous. 

253

16.1. SUMMARY CHAPTER 16. CONCLUSION 

based on an increased understanding of the interrelationship between information, process, and 

human factors, much knowledge has still to be acquired, new concepts and models developed, and 

software designed, implemented, and tested. In our opinion, the research that we present in this 

Ph.D. dissertation makes important contributions to further developments in that direction. 

This chapter concludes our work by presenting our final conclusions. Section 16.1 summarizes our 

work. Section 16.2 summarizes our results related to criminal network investigation challenges 

and associated problems. Finally, Section 16.3 outlines the major contributions of our work, and 

Section 16.4 presents suggested future work and evaluation. 

16.1 Summary 

We started out as engineers, with the goal to engineer a software system for criminal network 

investigation. We studied our domain, we talked with the end users, we analyzed related work, 

theory and technology, and generated requirements. We created designs for those requirements, 

and implemented software prototypes as proof of the concepts we had developed. We did so, 

following an agile methodology, iteration by iteration, release by release. We incrementally built 

Crimefighter Investigator one proof-of-concept prototype at the time, from a pilot system to an 

actual criminal network investigation tool, assisting investigators when investigating their genuine 

mysteries and hunts for ghosts. As software systems engineers, we succeeded early. 

But as we got further into the research, we discovered a need to develop a new criminal network 

investigation process, new concepts and models as the foundation for tools and techniques. Three 

criminal network investigation challenges that had been found to result in (tool supported) criminal 

network investigation failure, either separately or together, where being addressed in a manner 

suitable for the tasks of the criminal network investigator. We noticed that existing software systems 

were only in part guided by requirements addressing problems related to information, process, 

and human factors challenges. We identified these problems, formulated such requirements, and 

adopted some concepts from knowledge management and hypertext theory and technology. Based 

on those concepts we developed models and software components for support of criminal network 

investigation. We found, that no matter what ill-structured problem an individual or a group of 

individuals are trying to solve, there are some basic concepts, structures, and components that 

can be applied. Some basic building blocks from which to build software systems. 

In summary, we first took in the scattered particulars related to criminal network investigation 

under one idea, so that everyone understood what we were talking about. Second, we separated our 

idea into parts, by dividing it at the joints (information, process, and human factors), as nature 

directs, not breaking any limb in half as a bad software systems engineer might Phaedrus (265D). 

16.2 Requirements, challenges, and hypothesis 

In our introduction, we listed challenges associated with criminal network investigation. We chose 

to focus our work on three of those challenges (information, process, and human factors), based 

on an estimation of the bigger impact that software technologies could make on meeting these 

three challenges through the assistance of a software tool (compared to the other challenges). 

General problems within each of the three challenge domains were listed in Chapter 6. To guide 

our research we created a number of research focus requirements to resolve the problems and 

ultimately meet the challenges of information, process, and human factors in criminal network 

investigations by assisting the investigators through the implementation of a novel software tool, 

CrimeFighter Investigator. We present our conclusions with regard to research focus requirements 

in Section 16.2.1, challenges in Section 16.2.2, and finally our hypothesis in Section 16.2.3. 

254

CHAPTER 16. CONCLUSION16.2. REQUIREMENTS, CHALLENGES, AND HYPOTHESIS 

16.2.1 Requirements 

The research focus requirements we listed in Chapter 6 were evaluated using three different methods 

in Chapter 15. A summary of the evaluation is shown in Table 16.1, indicated whether 

evaluations found that we had strong, medium, or weak support of each research requirement, 

through our developed processes, tools, and techniques. Our evaluation methods were found to 

provide good coverage of the research focus requirements, except for process #1 (target-centric 

and iterative) and process #3 (make everybody stakeholders). However, this was expected, and 

our process model was found to cover those two requirements. 

Information Process Human factors 

Requirement #1 #2 #3 #4 #1 #2 #3 #4 #1 #2 #3 #4 

Support 

Table 16.1: Summary of evaluation according to requirements. A large black square indicates 

strong support of a requirement, a medium sized black square means medium support, and a 

small black square is a symbol for weak support of the requirement. 

The results in Table 16.1 shows that we have provided strong to medium support of all requirements, 

and we can therefore conclude that we have addressed the problems associated with each 

individual criminal network challenge. Furthermore, the strong to medium support of the requirements 

also leads us to conclude that we chose the right challenges to focus on, as our developed 

processes, tools, and techniques were found to address and have an impact on those challenges. 

16.2.2 Challenges 

Following the conclusions on research focus requirements above, we conclude on the degree to 

which we have addressed each challenge in more detail. Below we present our conclusions on each 

of the three criminal network investigation challenges: 

Information. We conclude that the weak support of information #2 (integrating information 

sources) is because this requirement has not been prioritized. We focused on the development of 

a conceptual model with first class entities, then it would later have been easier to provide e.g., 

images as visual abstractions for information elements. The same is the case for information #4 

(versioning support), which development was dependent on strong support of information #1 

(emergent and fragile structure), and as a consequence a well developed conceptual model. We 

can conclude that key information challenge requirements have strong support, and that the less 

supported information challenge requirements still require further development to be finished. 

Process. Our developed process model provides the strong support of process #1 (emergent and 

fragile structure), while support of process #3 (make everybody stakeholders) is considered weak, 

although closely related to the choice of process model. However, limited support of cooperation 

tasks has inhibited the development of support for process #3. Process #2 (loss-less data 

abstractions) is supported by the design of our entity software component, but due to the lack of 

support for the information types task, process #2 support is not strong. Finally, the process 

#4 (integration of conceptual and computational models) has strong support, and given the 

amount of attention, this is not surprising to us. Again, process challenge requirements have 

strong support, and those less supported requirements still require further development to be 

supported (or are related to investigation tasks, which require further development). 

Human factors. The research focus requirements human factors #1 (augment human intellect) 

and human factors #4 (human-tool synergy) were evaluated to have strong support by 

the developed processes, tools, and techniques. They are also closely related, as human intellect is 

255

16.3. CONTRIBUTIONS CHAPTER 16. CONCLUSION 

augmented using advanced software technologies, thereby increasing the capabilities of man (i.e., a 

synergy effect). Human factors #3 (simple tools ease-of-use) has medium support, mainly due 

to the common information space where entities can be organized in different structures, like paper 

cards or similar on a table. Human factors #4 (transparency and ownership) receives support 

from our dissemination tasks, as well as the investigators options for tailoring sense-making work 

flows for their particular needs. It seems that human factors are often not considered when tool 

support is developed for criminal network investigation. Our human factors requirements have 

been evaluated with a positive outcome, and the decision to also focus on the human factors 

challenges, has proved to have a positive impact on criminal network investigation. 

Based on the conclusions for the individual criminal network investigation challenges, we will make 

our final conclusions about support of our hypothesis below. 

16.2.3 Hypothesis 

Our hypothesis was formulated based on three criminal network investigation challenges: 




Support of the hypothesis therefore depends on whether or not the problems associated with these 

challenges are dealt with. Based on our conclusions for research focus requirement support, and 

the importance of individual requirement support address each individual criminal network investigation 

challenge, we can conclude that all indicators points toward support of our hypothesis. 

Our approach to criminal network investigation results in tool support for criminal network investigation 

which assists the investigator throughout the individual processes, ensuring powerful 

collaboration between human and tool with a focus on addressing information, process, and human 

factors challenges integrated in the same software system. 

16.3 Contributions 

The CrimeFighter Investigator approach for criminal network investigation has been developed 

based on different types of analysis work: 

Involving end users. We have interacted with investigators from various communities to 

get their input on what kind of tool support is needed. 

Exploring methods. We have explored analytical practices, processes, and techniques 

related to policing, counterterrorism, and watchdog journalism. 

Studying related work. We have found inspiration from existing tools supporting criminal 

network investigation as well as from various existing hypertext systems. 

Together, this analysis work resulted in a list of tasks that guided our development. Currently, 

most of the envisioned tasks are supported. In general, our work has resulted in the following 

contributions: 

Challenges. Based on analysis of criminal network investigation cases, criminal network 

information, structures, and investigation domains, we have presented a list of key challenges 

for criminal network investigation. These challenges can all mean the failure or success of 

criminal network investigations. We selected to focus on three of these challenges, for which 

tool support was estimated to be applicable and useful. We further analyzed those three 

challenges for specific problems, and subsequently set out a list of research requirements that 

help us (and other software system engineers) to address the problems. 

256

CHAPTER 16. CONCLUSION 16.4. FUTURE WORK 

Process model. We have developed a target-centric and iterative criminal network investigation 

process model to address problems associated with a linear approach to investigation, 

with a particular focus on the compartment problem. More specifically, the model provides 

support of process #1 (target-centric and iterative) and process #3 (make everybody 

stakeholders). 

Task list. To support the acquisition, synthesis, sense-making, dissemination, and cooperation 

processes of our model we developed a list of criminal network investigation tasks, 

based on the three types of analysis work described above. 

Tool support for criminal network investigation. We have developed a tool to support 

criminal network investigation and assist investigators in creating target-centric models for 

their customers. The tool provides more comprehensive support for synthesis and sensemaking 

tasks than existing tools. Furthermore, evaluation has shown that we are on the 

right path to integrate a broad range of investigative synthesis and sense-making tasks in 

one tool to support target-centric criminal network investigation. We have observed that 

existing tools typically are strong on either synthesis or sense-making tasks. 

Novel approach to tool support. We have demonstrated how a combination of theory 

and technology can be used to develop tool support for the criminal network investigation 

processes. Other researchers have discussed the importance of human-machine cooperation. 

We chose hypertext technologies to bridge human and machine capabilities to resolve 

challenges and problems in criminal network investigation, separating structural and mathematical 

models. 

Components for tool support. We have developed generic software components for 

support of criminal network investigation. The components have helped develop support 

research focus requirements such as human factors #2 (transparency and ownership) 

and process #4 (integration of conceptual and computational models). Furthermore, the 

software components are applicable to similar knowledge management problems. 

Publications. Our work has been published in peer-reviewed international conference proceedings 

published by ACM, Springer, and IEEE. Parts of our work is accepted for publication 

in Springer handbook of computational approaches to counterterrorism and Springer 

journal on security informatics (special issue on criminal network investigation). See Appendix 

A for further details. 

While these are individual and important contributions to the field of criminal network investigation, 

proof-of-concept prototypes are not proof in the generic sense, further evaluation is required 

in order to advance the research both academically and commercially. It is important that we 

have implemented proof-of-concept prototypes to further enhance our understanding of analyzed 

and design conceptual ideas (concepts), but quantitative empirical evidence for effect to measure 

the impact of our conceptual ideas on criminal network investigation, together with the measures 

of performance we have developed and tested on some algorithms in CrimeFighter Investigator 

would be crucial. In essence, our work presents the guidelines for how to start a research project 

on criminal network investigation. We will discuss future research and other perspectives in future 

work (section 16.4). 

16.4 Future work 

Our future work focuses mainly on three ares: literature studies, further implementation of criminal 

network investigation concepts and tasks in CrimeFighter Investigator, and evaluation of 

CrimeFighter Investigator. The main objective of our future work is to develop a version of 

CrimeFighter Investigator that intelligence agencies or police think is mature enough that they 

257

16.4. FUTURE WORK CHAPTER 16. CONCLUSION 

would be willing to test it within their organization 95 , using it on a real investigations and the 

(often) classified information related to these investigations. The future work described in this 

chapter is our suggestion of how to reach that point of maturity. 

The literature studies will focus on topics primarily related to technology adaptation, human cognition, 

and creativity, like for example “how does ‘trust’ affect the adaptation of new technology?” 

(see Section 16.4.1). In terms of future software development, it would be important to test for 

example the extensibility of our developed framework, by the addition of new synthesis structures 

such as the semi-lattice (discussed in Section 3.2). We outline that and other relevant future 

software development tasks in Section 16.4.2. As described in Chapter 15, we have evaluated our 

approach with a number of different methods. Future evaluations and methods are described in 

Section 16.4.3. 

16.4.1 Literature reviews 

We have studied various literature throughout this Ph.D. project to solve independent problems 

and we have studied literature guiding the understanding of all these problems under a cohesive 

whole. Just like with the software development (although with longer iterations), we have also 

iterated through our literature studies, and the literature listed below has come to our attention 

at the end of the Ph.D. project and will be necessary to study before moving forward (starting 

the next iteration). 

1. Technology adaptation. It should be investigated what factors decide the adoption of 

new technologies, to improve the chances of having new technologies evaluated and then 

later adopted by the intended end users. E.g., how does trust affect the adaptation of new 

criminal network investigation technology? A good starting point would be the technology 

acceptance model (TAM) [51]. 

16.4.2 Future software development 

In this section, we list future software development work, according to criminal network investigation 

processes and tasks: 

Besides better acquisition support through integration with CrimeFighter Explorer, we propose 

the following future work for acquisition support: 

1. Drag and drop. Acquiring information using drag and drop from other applications is 

essential for fast and easy synthesis of information in the common information space. It 

would also mean that support for information #2 (integrating information sources) would 

be significantly improved. 

2. Import. Providing support for import of basic network formats beyond comma separated 

values would increase the options for integrations with other tools, and increase support of 

information #2 (integrating information sources). 

CrimeFighter Investigator currently has strong support for synthesis tasks, but increased focus 

on the following tasks would make the support more complete, and make the tool more ready for, 

e.g., usability experiments: 

1. Branched history. It will be necessary to extend the navigable history feature to also 

support branched history [96,117]. In terms of synthesis, this means development of methods 

for recording and navigating branched history. This would result in stronger support of 

versioning (information #4). 

2. Information types. Extend support of information types beyond text snippets and meta 

data information to also include pictures, maps, audio, etc. (information #2). 

258

CHAPTER 16. CONCLUSION 16.4. FUTURE WORK 

Although CrimeFighter Investigator has good support for sense-making, there are some criminal 

network investigation tasks that should get more attention in the future, and new concepts would 

have to be developed accordingly: 

1. Branched history. Overlaps with branched history support for synthesis (above). Branched 

history would leverage creating hypotheses using information structures (as opposed to using 

argumentative structures). The Visual Knowledge Builder (VKB) [198] introduced the 

concept of navigable history [96, 117]. 

2. Visualization. It would be important to support the integration with visualization libraries, 

to import basic layouts, that can then be applied to CrimeFighter Investigator networks. 

Integration could also be with other tools, e.g. CrimeFighter Assistant [80, 147, 245], for 

advanced structural analysis and visualization integration. See also filtering below. 

3. Filtering. We have found that once networks grow to a certain size in CrimeFighter Investigator, 

filtering becomes a key sense-making task. We can think filtering features in 

two categories: visual filtering, using colors, size, and positioning, and actual filtering, i.e., 

taking a subpart of network into a separate space to work with it there or alternatively 

the removal of entities from the space, in both cases based on entity attributes or patterns. 

Commercial state-of-the-art tools (reviewed in Section 4.1) such as Analyst’s Notebook and 

Palantir Government are very strong on visual filtering, and we therefore suggest to focus 

on actual filtering to think some of the challenges associated with such an approach. As an 

example, what if a sub-part of network is filtered out and placed in a new space to work on 

it there, and then later after the work is complete, the analyst wants to merge the results 

back into the original network? 

4. Custom algorithms and sense-making work flows. Future work for custom algorithms, 

includes saving sense-making work flows and later application of saved work flows together 

with a dedicated editor for building these work flows in a more intuitive manner, rather than 

having to use list boxes, sliders, and check boxes to tailor the work flows. 

5. Prediction. When developing the support for the transformative inference-based prediction 

algorithms at Imperial College in London, a range of interesting future work was discussed 

with Dr. Christopher J. Rhodes, e.g., how would variations in the gold standard impact the 

measures of performance for the covert network structure and missing links algorithms. It 

was also discussed to add support for analyzing the secondary effects of agent insertion into 

a criminal network (i.e., the opposite of the already supported node removal algorithm). 

Dissemination has received some attention in this Ph.D. dissertation and interesting further 

development for both story telling and report generation is mentioned below: 

1. Story telling. To further enhance story telling beyond simple navigation of history, e.g., 

by letting the user attach specific views to the history to show how the betweenness between 

entities at that particular point or maybe an animation of the evolution of the criminal 

network so far. 

2. Report generation. The transparency and ownership of investigations (human factors 

#2) would be significantly improved, if the end user had access to a report template editor. 

The user could then add the specific building blocks (visualizations, results, etc.) to reports 

they want to generate for their particular investigation, in order to highlight certain aspects 

of the information. 

Finally, providing better support for cooperation, human-computer interaction, and visualization, 

is part of our longer term goals. 

259

16.4. FUTURE WORK CHAPTER 16. CONCLUSION 

16.4.3 Future evaluation of tool support 

We propose the following future evaluations of CrimeFighter Investigator tool support for criminal 

network investigation: 

1. Usability experiments would involve finishing up experiment designs and then actually 

executing the experiments to get quantitative evaluation of our approach, i.e. our approach 

to synthesis. We plan to involve researchers and end-users in these capability comparisons 

in the future. We are currently designing structured usability experiments following [18, 69] 

for evaluation of specific CrimeFighter Investigator features. 

2. Capability comparisons. A logical next step for our capability comparisons of both 

criminal network investigation tasks and conceptual, structural, and mathematical models 

would be to provide professional end users of the commercial tools and research prototypes 

with surveys where they could indicate the support of individual tasks or models. 

3. Software components. It would be important to test the extensibility of our developed 

software components. We propose to evaluate the entity component, by testing the addition 

of new synthesis structures such as the semi-lattice. Evaluation criteria could be whether 

or not sense-making algorithms would still run as expected, given this (and other) new 

abstractions for the entity concept. Taniguchi (2011) mentions that the use of Thiessen 

polygons “to understanding the relationship between gang drug activity and crime is not 

without limitations” [221], since they “may be both over inclusive (encompassing areas not 

used for drug distribution) and under inclusive (missing areas used for drug distribution)” 

[221]. We believe this to be a strength in terms of criminal network investigation; being 

able to represent entities in a non-final manner, whether they overlap (semi-lattice) or not 

(Thiessen polygon) makes it possible to iterate toward a solution for an ill-structured problem 

without requiring predefined structures. 

4. Ethical responsibility and impact. We propose to use the developed process model to 

first of all assign ethical responsibilities for investigators and tool (CrimeFighter Investigator) 

according to each of the five processes (acquisition, synthesis, sense-making, dissemination, 

and cooperation. Once ethical responsibilities have been assign, the impact of each of those 

could be assessed and evaluated. See Figure 16.1, for our initial thoughts on how to assign 

ethical responsibility and our expected impact of that responsibility for the different 

stakeholders as well as the tool. 

Figure 16.1: Assessing ethical impact responsibilities. 

260

Notes 

1 We find reconciliation in the fact that even a multi million dollar company like Palantir Technologies have found 

it necessary to start with disclaimers in some of their presentations. One presentation, Palantir as Intelligence 

Infrastructure [191, 192], has a slide with the header ‘What Palantir ISN’T!’, and then lists (1) A Visualization 

Tool, (2) A closed environment, and (3) One database to rule them all. 

2 We recognize that some investigations can be solved using e.g., social network analysis, if the investigators 

have a hairball of 100.000 phone calls and 10.000 people and you want to learn if these guys are calling the same 

group of people. This was an example given at the i2 EMEA user conference 2010 in Brussels, Belgium. But, when 

investigating Operation Crevice and the 7/7 (2005) bombings in London, there was a lot of registered phone calls, 

but one individual appearing in Operation Crevice, was missed because of slight variations in his name. 

3 Professor Hsinchun Chen (AI lab, University of Arizona) gave a talk about his health informatics research at a 

workshop on information and knowledge management for welfare technology. Chen has given keynote talks on the 

big data analytics topic in the security informatics domain (dark web), e.g. at EISIC 2011 and EISIC 2012. EISIC 

stands for European International Security Informatics Conference. 

4 The user conference mentioned, was the 2010 i2 EMEA user conference held in Brussels, Belgium. 

5 Sometimes the term ‘compartmentation’ is used instead of compartmentalization. 

6 The July 22nd Commissions report was made public and presented on August 13th 2012. The original text of 

our translation is (PST the Norwegian Police Security Service: Med en bedre arbeidsmetodikk og et bredere fokus 

kunne [Politiets sikkerhetstjeneste] PST ha kommet p˚a sporet av gjerningsmannen før 22/7. Kommisjonen har 

likevel ikke grunnlag for ˚a si at PST dermed kunne og burde ha avverget angrepene. 

7 Petter Gottschalk has done police research for years and written several books on the subject, e.g. [53]. His 

comment as it was printed in Information on August 13 is [78]: Politiet har i 10 ˚ar isoleret sig og afvist al kritik. 

Norsk politi har været meget lukket og ikke villet forandre sig. Kommissionen gentager kritik, som har været rejst 

mange gange før, men denne gang kan de ikke afvise det 

8 The 2010 International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2010), held 

9-11 of August 2010 in Odense, Denmark, jointly with the International Symposium on Open Source Intelligence 

and Web Mining 2010 (OSINT-WM 2010). 

9 The work to make criminal network investigation a separate area within security informatics has begun, e.g., 

with the call for papers for a special issue of the security informatics journal on criminal network investigation 

(see http://www.springer.com). We hope that by presenting our own boundaries for the field of criminal network 

investigation, we can help shape and position the area even better within the field of security informatics research 

10 The term security informatics was coined by Hsinchun Chen (2006) initially as Intelligence and Security Informatics 

(ISI): “development of advanced information technologies, systems, algorithms, and databases for international, 

national and homeland security related applications, through an integrated technological, organizational, 

and policy-based approach” [37]. Terrorism informatics is another related field that was also coined by Hsinchun 

Chen (2008): “application of advanced methodologies and information fusion and analysis techniques to acquire, 

integrate, process, analyze, and manage the diversity of terrorism-related information for national/international 

and homeland security-related applications” [1, 38] 

11 Our analysis of commercial tools and research prototypes used for policing, intelligence analysis, and investigative 

journalism in Chapter 4 is naturally also part of state-of-the-art. 

12 The invitation to give a talk at the terrorism and new media conference (2009), was based on a submitted 

paper, adaptive counterterrorism tools over silver bullets (see Appendix A). 

13 See Appendix A for further information on our published papers and other work. 

14 Our model for criminal network investigation published at Hypertext 2011 is described in Chapter 7. 

15 Figure adopted from the following url: http://www.mikesmart.com/application_development/agile_development. 

htm. 

16 The metrics have been calculated using the Metrics plugin (version 1.3.6) for Eclipse [source: http://metrics. 

261

NOTES NOTES 

sourceforge.net/update]. 

17 Information acquired by means of observation or experimentation [61]. 

18 By post-crime data sets and investigations we mean simply data sets and investigations that have been aggregated 

and described after a criminal offense has been committed, and typically also prosecuted in court. This is 

explained in greater detail in Section 15.1 

19 This statement was initially made in relation to terrorist networks in [244], but we believe that the same applies 

to different types of criminal networks, such as organized crime networks. 

20 The Enron email dataset was collected and prepared by the CALO project (Cognitive Assistant that Learns 

and Organizes) [http://www.ai.sri.com/project/CALO]. 

21 Newman (2010) discusses general large-scale structures of networks [155]. Authors have studied general structures 

in particular criminal network domains such as terrorist networks (e.g., [92,122,188,189]), many of which are 

focused on the organization of al-Qaeda (e.g., see the discussion between Hoffman and Sageman (2008) [93, 190]). 

22 The term cell is also often used about cliques and tight-knit groups [128, 188, 227]. 

23 Two triad configurations are considered isomorphic, if they share dyadic features (i.e., the number of null dyads, 

asymmetric dyads, and mutual dyads). 

24 Standard MAN labeling is described by Wasserman and Faust (1994) [240]. 

25 This compartmentalization problem has also been recognized by software development experts [43, 54] 

26 Our account of the assessment processes of Curveball reports is primarily based on Drogin (2008) [59]. 

27 Similar observations have been made for software development processes [43]. 

28 Abu Zubaydah was one in a group of global jihadists believed to have “holed up” in Punjab (Pakistan). Abu 

Zubaydah “had long-standing and close ties to [al-Qaeda’s] inner circle of leadership” [146], and CIA therefore 

thought he could have information about the next attack. 

29 National Security Agency. 

30 Jaish e-Mohammad (JEM), “Army of the Prophet”. The police man, Adil Mohammad Sheikh, claimed in court 

that he did not know the purpose of the operation he was involved in [162]. 

31 Omar Saeed Shaikh, the mastermind of the plot, used at least seventeen aliases himself: Mustafa Ahmad, 

Mustafa Ahmed al-Hawsawi, Mustafa Sheikh Saeed, Omar Saiid Sheikh, Shaykh Saiid, Chaudry Bashir, Rohit 

Sharma, Amir Sohail, Arvindam, Ajay Grupra, Raj Kumar, R. Verma, Khalid, P. Singh and Wasim! [128] 

32 The primary writers are David Simon and Ed Burns. Burns has worked as a Baltimore police detective for 

the homicide and narcotics divisions. Simon is an author and journalist who worked for the Baltimore Sun city 

desk for twelve years. He authored homicide: a year on the killing streets and co-authored the corner: a year 

in the life of an inner-city neighborhood with Burns [10, 204–206]. We have previously focused on policing and 

investigative journalism as two investigation types that could benefit from the concepts we develop and implement 

in CrimeFighter Investigator [174]. 

33 We have previously described the advantages of a board-based approach for the planning domain, where information 

structures are also emergent and evolving (see [172]). 

34 “After years of random buy-and-bust interventions, law-enforcement controls of serious crime networks have 

gradually come to follow the key player strategy” [150]. Morselli follows up by stating that “a more accurate 

appraisal of the social organization of drug-trafficking [. . . ] would follow a resource-sharing model in which collaboration 

among resourceful individuals would be at the base of coordination in such operations” [150]. We find that 

this is also the approach taken by the investigators in The Wire by targeting not only Avon Barksdale but a range 

of important individuals in and around the decision-making body of the organization. 

35 Secret intelligence includes human intelligence (humint), signal intelligence (sigint), imagery intelligence (imint), 

and measurement and signature intelligence (masint). 

36 A copy of the manuscript draft documenting this [214] is on file with the author. 

37 As mentioned by Arno H. P. Reuser, Chief of Open Source Intelligence, Defense Intelligence and Security 

Service, the Netherlands. 

38 We are aware that the IBM i2 analysis product line has products covering aspects of criminal network investigation 

not covered by Analyst’s Notebook. 

39 Analyst’s Notebook supports the following column actions on import: Add Prefix, Add Suffix, Change Capitalization, 

Compress Repeated Characters, Copy Value from Previous Row, Extract Portion of Text, Find and 

Replace Text, Prefix with Another Column, Remove Characters, Remove Prefix. The source of this information is 

hands on lab handouts [107], on file with the author. 

40 After submission of the dissertation, we have become aware that IBM i2 iBase also has support for creation of 

search queries using drag and drop http://www-142.ibm.com/software/products/us/en/ibase/. 

41 TRIST stands for “The Rapid Information Scanning Tool” [114]. 

42 Apparently, the information in the Sandbox has been cleaned for names and similar. 

43 Namebase.org website at http://www.namebase.org/, last visited 2012. 

44 FreeMind is a free mind-mapping software written in Java. See http://freemind.sourceforge.net/wiki/ 

262

NOTES NOTES 

index.php/Main_Page for more details. 

45 See http://www.mindjet.com/ for more details on Mindjet Manager. 

46 The author and supervisor shared the lecturing for the course advanced software technologies for knowledge 

management. 

47 It is important to note that this quote uses “the term hypertext broadly, to cover both textual and multimedia 

content”. 

48 The review of NoteCards was to some extent also part of our master thesis [165]. 

49 ASAP is an acronym for advanced support for agile planning. See Section 2.2.3 for more information on this 

tool, or refer to [165, 170, 171] 

50 Tim Berners-Lee gave a “talk a[t] the very first International World Wide Web Conference, at CERN, Geneva, 

Switzerland, in September 1994. This was the conference at which the formation of W3C was announced” [23] 

51 We would like to point out that the link to the ‘Enneagram of Personality’ for deciding peoples personality has 

not affected our work. 

52 In a nominal group each individual works separated from the rest of the when generating ideas 

53 “Wisdom indicators” [149]. 

54 The event that starts the life cycle of creative endeavors could be a dream: “The classic example is Kekule’s 

discovery of the ring-shaped structure of the benzene molecule via a dream about a serpent biting its tail.” [74] 

55 CASE stands for Computer-aided Software Engineering. 

56 Blitz Planning is the planning method promoted by Crystal Clear [42], which we were developing support for 

during our master thesis. 

57 Throwaway prototyping lasting not more than a day or two [41]. 

58 Harakut-ul Mujahedin (HUM) was one of the many small Islamic guerrilla groups that proliferated in Pakistan 

and Afghanistan around the time when Omar went the Convoy of Mercy to Bosnia, but ended up in Split, Croatia 

[189]. 

59 The project was also mentioned as ‘the Northern Project’ in various correspondence. 

60 More often referred to in international media simply as the “Danish Cartoons” 

61 When Headley’s home was searched on October 18 th , a plane ticket to Copenhagen for October 29 th with 

departure from Atlanta was found 

62 Persons graduated from Cadet College Hasan Abdal. 

63 “Everything is not a joke [. . . ]. We are not rehearsing a skit on Saturday Night Live. Making fun of Islam 

is making fun of Rasoosallah SAW [Messenger of Allah, Peace be on Him], [. . . ] call me old-fashioned but I feel 

disposed toward violence for the offending parties, be they cartoonists from Denmark or Sherry Jones (Author of 

Jewel of Medina) or Irshad Manji (Liberal Muslim trying to make lesbianism acceptable in Islam, among other 

things) [. . . ] They never started debates with folks who slandered our Prophet, they took violent action. Even if 

God does not give us the opportunity to bring our intentions to fruition, we will claim ajr (a religious award) for 

it [. . . ]”. [57] 

64 CINCENT: Commander-in-Chief, U.S. Central Command. 

65 See also APS Physics news at http://physics.aps.org/articles/v5/89. 

66 Another commercial tool is Analyst’s Notebook 8.5, stating to have protection of civil liberties ‘baked in’ [2]. 

67 Before Afghanistan and Iraq, Denmark had an international focus on peacekeeping missions, when it came to 

inserting soldiers on the ground. 

68 An primary high explosive, known as “Satans Mom” because of its unstable nature [209]. 

69 Morten Skjoldager, a Politiken journalist, has authored a book on Danish terrorism cases entitled “Truslen 

indefra - De danske terrorister” (translated: “The threat from within - The Danish terrorists”), published by 

‘Lindhardt og Ringhof’ in 2009. 

70 More specifically the addition of §114 to the existing Danish Penal Code 

71 Refer to [13] for a description of the extensions of existing Danish Penal Code provided in the second counter 

terrorism law. 

72 Following the most recent incident, where an intruder threatened cartoonist Kurt Westergaard in his own home 

on January 1 st 2010, the right wing parties, has suggested that further tightening of law might be necessary. [88] 

73 For Brennans complete speech, please refer to [William J. Brennan Jr., 1987. ‘The Quest to Develop a Jurisprudence 

of Civil Liberties in Times of Security Crisis.’ Speech, December 22, 1987, at the Law School of Hebrew 

University, Jerusalem, Israel.] 

74 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK 

[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However, 

none of these studies ask the users to what degree they trust the information provided by the systems and how 

that affects their acceptance of the technology. 

75 Criminal network investigation cases other than those presented in Section 3.5 have been analyzed, e.g., the 

263

NOTES NOTES 

intelligence used for the United States case against Iraq concerning their (alleged) weapons of mass destruction 

program [59,242], and the links between Operation Crevice and the 7/7 bombings in the United Kingdom [110,252]. 

Studies of the Afghan Taliban network (based on literature (e.g., [134]) and an interview (Section 15.2.1)) and al- 

Qaeda and affiliated movements (AQAM) (Section 14.3). 

76 Alex Steiner is a pseudonym for a DIA (defense intelligence agency) officer [59]. 

77 Many abbreviations are used in the literature for the described criminal network investigation steps. Processing 

is also referred to as triage [7]. Synthesis [40] was chosen over foraging [25,254], collation [83], and textualization [20]. 

Sense-making over analysis [40]. Dissemination over presentation [25]. 

78 Structural models are typically embedded in mathematical models (e.g., see Brantingham (2009) [30]). 

79 The amount of memory required to store branched history is an important concern that was raised by Dr. 

Atzenbeck during the authors visit to institute for information systems (iisys) at University of Hof. 

80 The Sageman (2003) data set was provided by a classified source and is on file with the author. 

81 We have found 3 studies evaluating user acceptance of intelligence and security informatics technology (COPLINK 

[100], COPLINK Mobile [99], and POLNET [256]) all based on the Technology Acceptance Model [51]. However, 

none of these studies ask the users to what degree they trust the information provided by the systems and how 

that affects their acceptance of the technology. 

82 Sageman (2004) discusses the concept of a bridge to jihad [188], Veldhuis and Staun (2009) reviews the root 

causes for radicalization of European minorities [234], and many researchers have studied online radicalization 

[29, 48, 49, 236, 241] 

83 The link charts could of course be automatically generated based on these incident reports, as it has been 

suggested for organized crime using a so called importance flooding technique [139]. 

84 However, we have developed and tested measures of performance for the predict missing links algorithm in 

Section 15.4. The predict missing links algorithm plays an important role in the custom node removal algorithm. 

85 The Danish CTU is “invented” for this scenario and is not related to the Danish Security and Intelligence 

Service’s Center for Terror Analysis or other Danish counterterrorism units. 

86 We know that for entity extraction from text there exists data sets (corpus’s), which researchers can test the 

efficiency of their algorithms on and then compare it to the efficiency of other researcher’s algorithms (e.g., see [55]) 

87 We have built our own data sets and investigation information from the Daniel Pearl investigation [128,162,227]. 

Sageman (2004) aggregated his al-Qaeda network from open sources [188], as was the November 17 data set [184]. 

88 Several criminal network investigations have inspired our work. The investigation of Daniel Pearl’s kidnapping 

and murder was target-centric and used large pieces of paper on a wall to synthesize information entities as they were 

discovered [128, 162, 227]. The investigation to locate and arrest the 9/11 mastermind Khalid Sheikh Mohammed 

(both before and after the attacks), was, by the Federal Bureau of Investigation, conducted in a target-centric 

manner and always with a focus on gathering evidence both for later potential trials but also to map and understand 

the network of individuals, events, and places that was emerging [146]. Researchers and writers Strick van Linschoten 

and Kuehn have been mapping a network of Afghan Talibans to investigate their associations with the Afghan Arabs 

from 1970 to 2010 [134]. They use Tinderbox for their mapping efforts [166]. Tinderbox is a software tool that 

takes a board-based approach to synthesis of networks and supports multiple structures [24]. 

89 In Danish ‘Politiets efterretningstjeneste’, PET in short. 

90 In Danish ‘Forsvarets efterretningstjeneste’, FE in short. 

91 See Steele (2009) discussing secret intelligence vs. open source intelligence [214], and a recent article by 

Bonnichsen (2012), previous DSIS director of operations [27]. 

92 Professor Hsinchun Chen (AI lab, University of Arizona) told author this during an informal conversation, 

August 2012. Professor Chen also mentioned that it had taken about two years to establish the required trust with 

law enforcement, before law enforcement let the 300 police officers participate in the survey. 

93 The 2010 i2 EMEA user conference held in Brussels, Belgium. 

94 During the spring of 2011 DDIS restructured their organization in order to shape and streamline the service, 

to be better equipped to manage future tasks (see [52] and Appendix B.2 (danish text). 

95 A classified source has told the author during an informal conversation that maturity was a key criteria within 

the source’s organization, that has to fulfilled before they would take a look at any new technology. 

264

Bibliography 

[1] Terrorism informatics - knowledge management and data mining for homeland security. 

Springer (2008) 

[2] Ibm i2 analyst’s notebook (2012). URL http://www.i2group.com/ 

[3] Mindmeister (2012). URL http://www.mindmeister.com 

[4] Npr: Ted radio hour podcast - where ideas come from (2012) 

[5] Palantir government (2012). URL http://palantir.com/government 

[6] Xanalys (2012). URL http://www.xanalys.com/ 

[7] Adderly, R., Musgrove, P.: Police crime recording and investigation systems - a user’s view. 

International journal of police strategies and management 24(1), 100–114 (2001) 

[8] Alexander, C.: Notes on the Synthesis of Form. Harvard University Press (1964) 

[9] Alexander, C.: A city is not a tree. Architectural Forum 122(1), 58–62 (1965) 

[10] Alvarez, R., Simon, D.: The Wire: Truth Be Told. Pocket Books (2004) 

[11] Ambler, S.: Agile Modeling. John Wiley & Sons inc (2002) 

[12] Amland, B.H.: 2 convicted in al-Qaida terror plot in Norway. Associated Press (2012) 

[13] Anonymous: Den nye anti-terrorpakke (danish) 

[14] Anonymous: The legal framework of pets workspaces: The penal code chapter 12 and 

13 (danish) URL http://www.pet.dk/Arbejdsomraader/Lovgrundlaget/Straffeloven. 

aspx 

[15] Anonymous: Fakta: Tuneser-sagen (2008). August 29 

[16] Anonymous: Assesment of the terror threat against denmark (2009). October 27 

[17] Anonymous: Tidslinje: Danmark i krig i afghanistan (2009). January 1 

[18] Atzenbeck, C.: Wilddocs - investigating construction of metaphors in office work. Ph.D. 

thesis, Aalborg University (2006) 

265

BIBLIOGRAPHY BIBLIOGRAPHY 

[19] Atzenbeck, C., Hicks, D.L., Memon, N.: Emergent structure and awareness support for 

intelligence analysis. In: Proceedings of the conference on information visualization, pp. 

326–332. IEEE Press (2008) 

[20] Atzenbeck, C., Hicks, D.L., Memon, N.: Supporting reasoning and communication for intelligence 

officers. International journal of networking and virtual organisations 8(1/2), 15–36 

(2011) 

[21] Badalamente, R.V., Greitzer, F.L.: Top ten needs for intelligence analysis tool development. 

In: proceedings of the 2005 international conference on intelligence analysis (2005) 

[22] Bardram, J.E.: The art of doing a phd. online (2007). URL http://www.itu.dk/people/ 

bardram/pmwiki/pmwiki.php?n=Main.ArtPhD. Last consulted: Jan 28 th 2010 

[23] Berners-Lee, T.: W3 future directions. Plenary at International World Wide Web Conference, 

CERN, Geneva, Switzerland (1994) 

[24] Bernstein, M.: The Tinderbox Way. Eastgate Systems (2006) 

[25] Bier, E.A., Card, S.K., W, B.J.: Principles and tools for collaborative entity-based intelligence 

analysis. IEEE transactions on visualization and computer graphics 16(2), 178–191 

(2010) 

[26] Bohannon, J.: Counterterrorism’s New Tool: ’Metanetwork’ Analysis. Science 325(5939), 

409–411 (2009). DOI 10.1126/science.325\ 409. URL http://dx.doi.org/10.1126/ 

science.325_409 

[27] Bonnichsen, H.J.: Man skal kunne være sine hemmeligheder bekendt (2012). September 20 

[28] Brachman, J.M.: Global Jihadism: Theory and Practice. Routledge (2009) 

[29] Brachman, J.M., Levine, A.: You too can be awlaki! Fletcher Forum of World Affairs 35, 

25–46 (2011) 

[30] Brantingham, P., Glässer, U., Jackson, P., Vajihollahi, M.: Modeling criminal activity in 

urban landscapes. In: N. Memon, J.D. Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical 

methods in counterterrorism, pp. 9–31. Springer, Wien (2009) 

[31] Børsting, M., Østergaard, M.: Politikere er klar til at stramme terrorloven (2009). October 

28 

[32] Bruce, J.B., George, R.Z.: Introduction: intelligence analysis - the emergence of a discipline. 

In: R.Z. George, J.B. Bruce (eds.) Analyzing intelligence - origins, obstacles, and innovations, 

pp. 1–15. Georgetown University Press (2008) 

[33] Bush, V.: As we may think. Atlantic Monthly 176(1), 101–108 (1945) 

[34] Capers, B.: Crime, legimaticy, our criminal network, and the wire. Ohio state journal of 

criminal law 8, 459–471 (2011) 

[35] Carley, K.M.: Destabilizing dynamic covert networks. In: Proceedings of the 8th international 

command and control research and technology symposium. Evidence Based research 

(2003) 

[36] Carley, K.M., Lee, J.S., Krackhardt, D.: Destabilizing networks. Connections 24, 31–34 

(2001) 

[37] Chen, H.: Intelligence and Security Informatics for International Security - Information 

Sharing and Data Mining. Springer (2006) 

266


[38] Chen, H.: Terrorism informatics. In: Dark Web, Integrated Series in Information Systems, 

vol. 30, pp. 31–41. Springer New York (2012) 

[39] Chin, G., Kuchar, O.A., Wolf, K.E.: Exploring the analytical processes of intelligence analysts. 

In: proceedings of the international conference on human factors in computing systems, 

pp. 11–22. ACM Press (2005) 

[40] Clark, R.: Intelligence analysis: a target-centric approach. CQ Press (2007) 

[41] Cockburn, A.: What the agile toolbox contains (2004) 

[42] Cockburn, A.: Crystal Clear - A human-powered methodology for small teams. Addison 

Wesley (2005) 

[43] Cockburn, A.: Agile Software Development: The Cooperative Game (2nd Edition) (Agile 

Software Development Series). Addison-Wesley Professional (2006) 

[44] Cohn, M.: User stories applied - for agile software development. Addison Wesley (2004) 

[45] Commission on the Intelligence Capabilities of the United States Regarding Weapons of 

Mass Destruction, Washington DC: Report to the President of the United States (2005) 

[46] Conklin, J.: Dialogue Mapping. John Wiley and Sons Ltd (2006) 

[47] Conklin, J., Begeman, M.L.: gibis: a hypertext tool for exploratory policy discussion. ACM 

Trans. Inf. Syst. 6(4), 303–331 (1988) 

[48] Conway, M.: Jihadi video and auto-radicalisation: evidence from an exploratory youtube 

study. In: Intelligence and Security Informatics. Lecture Notes in Computer Science (LNCS), 

pp. 108–118. Springer, Wien (2008) 

[49] Conway, M.: From al-zarqawi to al-awlaki: The emergence of the internet as a new form of 

violent radical milieu (2012) 

[50] Custers, B.: Effects of unreliable group profiling by means of data mining. In: Discovery 

Science, pp. 291–296 (2003) 

[51] Davis, F.: Perceived usefulness, perceived ease of use and user acceptance of information 

technology. MIS Quarterly 13, 319–340 (1989) 

[52] DDIS: Danish defense intelligence service website (2012). [url:http://fe-ddis.dk/Pages/ 

Default.aspx, last visited September 2012] 

[53] Dean, G., Gottschalk, P.: Knowledge management in policing and law enforcement. Oxford 

University Press (2007) 

[54] DeMarco, T., Lister, T.: Peopleware: Productive Projects and Teams (Second Edition). 

Dorset House Publishing Company, Incorporated (1999) 

[55] DeRosa, M.: Data Mining and Data Analysis for Counterterrorism. Center for Strategic 

and International Studies (CSIS) (2004) 

[56] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. abdur rehman hashim syed’, 

also known as “pasha,” “major,” and “abdur rahman” (2009) 

[57] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. david c. headley, also known 

as “daood gilani”’ (2009) 

[58] DIVISION, U.S.D.C.N.D.O.I.E.: ‘united states of america v. tahawwur hussain rana’ (2009) 

[59] Drogin, B.: Curveball. Ebury Press (2008) 

267


[60] Ellis, C.A., Gibbs, S.J., Rein, G.: Groupware: some issues and experiences. Commun. 

ACM 34(1), 39–58 (1991). DOI 10.1145/99977.99987. URL http://doi.acm.org/10. 

1145/99977.99987 

[61] Empirical: The american heritage dictionary of the english language (4th ed.) (2000) 

[62] Engelbart, D.C.: A conceptual framework for the augmentation of man’s intellect. In: 

Computer-supported cooperative work, pp. 35–65. Kaufmann (1988) 

[63] Erétéo, G., Buffa, M., Gandon, F., Grohan, P., Leitzelman, M., Sander, P.: A state of the 

art on social network analysis and its applications on a semantic web (2008) 

[64] Erétéo, G., Limpens, F., Gandon L., F., Corby, O., Buffa, M., Leitzelman, M., Sander, P.: 

Semantic social network analysis: a concrete case. In: Handbook of Research on Methods 

and Techniques for Studying Virtual Communities: Paradigms and Phenomena, pp. 122– 

156. IGI Global (2011) 

[65] Europol: TE-SAT 2009: EU Terrorism Situation and Trend Report 2009 (2009) 



[68] Ferry, J.P., Lo, D., Ahearn, S.T., Phillips, A.M.: Network detection theory. In: N. Memon, 

J. David Farley, D.L. Hicks, T. Rosenorn (eds.) Mathematical Methods in Counterterrorism, 

pp. 161–181. Springer Vienna (2009) 

[69] Field, A., Hole, G.: How to Design and Report Experiments. Sage Publications Ltd (2003) 

[70] Floyd, C.: A systematic look at prototyping. In: B. et al. (ed.) Approaches to Prototyping, 

pp. 105–122. Springer-Verlag (1984) 

[71] Flyvbjerg, B.: Five misunderstandings about case-study research. Qualitative Inquiry pp. 

219–245 (2006) 

[72] Flyvbjerg, B.: Case study. In: N.K. Denzin, Y.S. Lincoln (eds.) The Sage Handbook of 

Qualitative Research, pp. 301–316. Sage (2011) 

[73] Frank G. Halasz, T.P.M..R.H.T.: Notecards in a nutshell (1987) 

[74] Gabora, L.: Cognitive mechanisms underlying the creative process. In: Proceedings of the 

4th conference on Creativity & cognition, C&C ’02, pp. 126–133. ACM, New York, NY, USA 

(2002). DOI 10.1145/581710.581730. URL http://doi.acm.org/10.1145/581710.581730 

[75] Gerber, A.J., Barnard, A., var der Merwe, A.J.: A semantic web status model (2006) 

[76] Gill, J.: Building theory from case studies. Small business and enterprise development 2, 

71–75 (1995) 

[77] Gill, P.: Rounding up the usual suspects? Developments in contemporary law enforcement 

intelligence. Ashgate Pub Ltd (2000) 

[78] Gjerding, S., Toft, S.B.: Ansvarlige for utøya-svigt er for længst g˚aet af (2012). August 13 

[79] Gloor, P.A., Zhao, Y.: Analyzing actors and their discussion topics by semantic social 

network analysis. In: Proceedings of Information Visualization (IV 2006), pp. 130–135 

(2006) 

[80] Gniadek, J.: Destabilizing terrorist networks through link importance analysis. Master’s 

thesis (2010) 

268


[81] Graber, D.A.: Terrorism, censorship and the 1st amendment: In search of policy guidelines. 

In: P. Norris, M. Kern, M. Just (eds.) Framing Terrorism - The News Media, the Government 

and the Public, pp. 27–42. Routledge (2003) 

[82] Halasz, F.G.: Reflections on notecards: seven issues for the next generation of hypermedia 

systems. Commun. ACM 31(7), 836–852 (1988) 

[83] Harper, W.R., Harris, D.H.: The application of link analysis to police intelligence. Human 

Factors 17(2), 157–164 (1975) 

[84] Hauck, R.V., Chau, M., Chen, H.: Coplink: arming law enforcement with new knowledge 

management technologies. In: Advances in digital government: technology, human factors, 

and policy, pp. 163–179. Kluwer Academic Publishers (2002) 

[85] Havaleschka, L.: Tidslinje: Glasvej-sagen dag for dag (2008). October 28 

[86] Heer, J., Card, S.K., Landay, J.A.: prefuse: a toolkit for interactive information visualization. 

In: Proceedings of the SIGCHI conference on Human factors in computing systems, 

CHI ’05, pp. 421–430. ACM, New York, NY, USA (2005). DOI 10.1145/1054972.1055031. 

URL http://doi.acm.org/10.1145/1054972.1055031 

[87] Hemmingsen, A.S.: Anti-demokratiske og voldsfremmende miljøer i danmark, som bekender 

sig til islamistisk ideologi - hvad ved vi? Research report for the danish ministry of social 

affairs and integration, DIIS - Danish Institute for International Studies (2012) 

[88] Henriksen, M.: Venstre ˚abner for terrorstramninger (2010). URL http://www.berlingske. 

dk/danmark/venstre-aabner-terrorstramninger. January 3 

[89] Hirtle, S.: Representational structures for cognitive space: Trees, ordered trees and semilattices. 

In: A. Frank, W. Kuhn (eds.) Spatial Information Theory A Theoretical Basis for 

GIS, Lecture Notes in Computer Science, vol. 988, pp. 327–340. Springer Berlin / Heidelberg 

(1995) 

[90] Hjarvard, S.: Den politiske presse - en analyse af danske avisers politiske orientering. Journalistica 

(2007) 

[91] Hjørland, B., Albrechtsen, H.: Toward a new horizon in information science: Domainanalysis. 

Journal of the American Society for Information Science 46(6), 400–425 (1995) 

[92] Hoffman, B.: Inside Terrorism. Columbia University Press (2006) 

[93] Hoffman, B.: The myth of grass-roots terrorism. Foreign Affairs 87 (2008) 

[94] Hoskins, A., O’Loughlin, B.: Television and Terror: Conflicting Times and the Crisis of 

News Discourse. New Security Challenges. Palgrave MacMillan, Basingstoke, Hampshire, 

U.K. (2007). [Chapter 7: ‘Drama and Documentary: The Power of Nightmares’] 

[95] wei Hsieh, H., III, F.M.S.: Supporting visual problem solving in spatial hypertext. J. Digit. 

Inf. 10(3) (2009) 

[96] Hsieh, H., Shipman, F.: Activity links: supporting communication and reflection about 

action. In: Proceedings of the sixteenth ACM conference on Hypertext and hypermedia, 

HYPERTEXT ’05, pp. 161–170. ACM, New York, NY, USA (2005) 

[97] Hsieh, H., Shipman, F.M.: Manipulating structured information in a visual workspace. In: 

Proceedings of the 15th annual ACM symposium on User interface software and technology, 

UIST ’02, pp. 217–226. ACM, New York, NY, USA (2002) 

[98] Hüttemeier Christian og Børsting, M.: Afghanerne skal selv overtage ansvaret om 2 ˚ar 

(2009). URL http://politiken.dk/politik/article844927.ece. November 26 

269


[99] Hu, P.J.H., Chen, H., Hu, H., Larson, C., Butierez, C.: Law enforcement officers’ acceptance 

of advanced e-government technology: A survey study of coplink mobile. Electronic 

Commerce Research and Applications 10, 6–16 (2011) 

[100] Hu, P.J.H., Lin, C., Chen, H.: User acceptance of intelligence and security informatics technology: 

A study of coplink. The American Society for Information Science and Technology 

56, 235–244 (2005) 

[101] Hunter, M.L., Hanson, N., Sabbagh, R., Sengers, L., Sullivan, D., Thordsen, P.: Story-based 

inquiry: a manual for investigative journalists. UNESCO (2009) 

[102] Huntington, S.P.: The Clash of Civilizations and the Remaking of World Order. Simon & 

Schuster (1996) 

[103] Ib, H.: Ledende artikel: Fjenden p˚a besøg (2009). October 28 

[104] IBMi2: i2 analyst’s notebook 8. What’s New (technical report) (2009). [issue 1, downloaded 

from company website] 

[105] IBMi2: i2 analyst’s notebook product video. i2 EMEA user conference (2010). [on file with 

author] 

[106] IBMi2: i2 emea user conference (2010). [http://www.i2group.com/emeauc/index.asp, 

last visited 2011] 

[107] IBMi2: Training team: hands on lab handouts. i2 EMEA end user conference (2010). [on 

file with author] 

[108] IBMi2: Ibm i2 analyst’s notebook premium. Handout at IBM i2 intelligence analysis seminar 

(2012). [on file with author] 

[109] III, J.O.E.: Countering terrorism with knowledge. In: H. Chen, E. Reid, J. Sinai, A. Silke, 

B. Ganor (eds.) Terrorism Informatics - Knowledge Management and Data Mining for Homeland 

Security. Springer (2008) 

[110] Intelligence and Security Committee, United Kingdom: Could 7/7 have been prevented? 

Review of the intelligence on the London terrorist attacks on 7 July 2005 (2009) 

[111] Irons, L.R.: Recent patterns of terrorism prevention in the united kingdom. Homeland 

Security Affairs 4 (2008) 

[112] Irwin, C., Roberts, C., Mee, N.: Counter terrorism overseas. Defence Science and Technology 

Laboratory (Dstl/CD053271/1.1), UK (2002) 

[113] Johnson, L.K. (ed.): Handbook of intelligence studies. Routledge (2009) 

[114] Jonker, D., Wright, W., Schroh, D., Proulx, P., Cort, B.: Information triage with trist. In: 

Proceedings of the International Conference on Intelligence Analysis, (2005) 

[115] Grø nbæk, K.: Composites in a dexter-based hypermedia framework. In: Proceedings of the 

1994 ACM European conference on Hypermedia technology, ECHT ’94, pp. 59–69. ACM, 

New York, NY, USA (1994) 

[116] Kebbell, M.R., Muller, D.A., Martin, K.: Understanding and managing bias. Dealing with 

uncertainties in policing serious crime pp. 87–97 (2010) 

[117] Kim, D., Shipman, F.M.: Interpretation and visualization of user history in a spatial hypertext 

system. In: Proceedings of the 21st ACM conference on Hypertext and hypermedia, 

HT ’10, pp. 255–264. ACM, New York, NY, USA (2010) 

270


[118] Kitchenham, B., Pickard, L., Pfleeger, S.L.: Case studies for method and tool evaluation. 

IEEE Software pp. 52–62 (1995) 

[119] Kleine, D.: The capability approach and the ‘medium of choice’: steps towards conceptualising 

information and communication technologies for development. Ethics and Inf. Technol. 

13(2), 119–130 (2011) 

[120] Klerks, P.: The network paradigm applied to criminal organizations: Theoretical nitpicking 

or a relevant doctrine for investigators? Connections 24(3), 53–65 (2001) 

[121] Kolb, D.: Other spaces for spatial hypertext. Journal of Digital Information 10(3) (2009) 

[122] Krebs, V.: Mapping networks of terrorist cells. CONNECTIONS 24(3), 43–52 (2002) 

[123] Krog, T.N.: Her trænede terroristerne (2009). October 29 

[124] Kumar, R., Novak, J., Tomkins, A.: Structure and evolution of online social networks. In: 

Proceedings of the 12th ACM SIGKDD international conference on Knowledge discovery 

and data mining, KDD ’06, pp. 611–617. ACM, New York, NY, USA (2006). DOI 10.1145/ 

1150402.1150476. URL http://doi.acm.org/10.1145/1150402.1150476 

[125] Larman, C.: Agile & Iterative Development - A Managers Guide. Addison Wesley (2004) 

[126] Laville, S.: Al-Qaida-inspired plotters planned attacks on high-profile London targets. The 

Guardian (2012) 

[127] Levine, C.: Artful accuracy and the problem of form: Why the wire feels real Unpublished 

manuscript 

[128] Levy, B.H.: Who killed Daniel Pearl? Melville House Publishing (2003) 

[129] Lichter, H., Schneider-Hufschmidt, M., Züllighoven, H.: Prototyping in industrial software 

projects - bridging the gap between theory and practice. In: Proceedings of the 15th international 

conference on Software Engineering, ICSE ’93, pp. 221–229. IEEE Computer 

Society Press, Los Alamitos, CA, USA (1993). URL http://dl.acm.org/citation.cfm? 

id=257572.257623 

[130] Licklider, J.C.R.: Man-computer symbiosis. IRE transactions on human factors in electronics 

pp. 4–11 (1960) 

[131] Lillie, B.: Human-machine synergy: Shyam sankar at tedglobal 2012. TED (2012). [blog, 

http://blog.ted.com/, last visited September 2012] 

[132] Lim, Y.K., Stolterman, E., Tenenberg, J.: The anatomy of prototypes: Prototypes as filters, 

prototypes as manifestations of design ideas. ACM Trans. Comput.-Hum. Interact. 

15(2), 7:1–7:27 (2008). DOI 10.1145/1375761.1375762. URL http://doi.acm.org/10. 

1145/1375761.1375762 

[133] Lindhardt, C.: Al-qaeda st˚ar bag ambassadebombe (2008). URL http://politiken.dk/ 

udland/article518880.ece. June 5 

[134] Linschoten, A.S., Kuehn, F.: An enemy we created: the myth of the Taliban/Al-Qaeda 

merger in Afghanistan, 1970-2010. Hurst (2012) 

[135] MacDougall, I.: Norway ’bomb plot’ highlights al-Qaida problems. Associated Press (2012) 

[136] MacFadyen, G.: The practices of investigative journalism. In: H. De Burgh, P. Bradshaw 

(eds.) Investigative journalism, pp. 138–156 (2008) 

[137] MacKensie, J.: The battle for aghanistan: Militancy and conflict in helmand (2010) 

271


[138] Maltesen, B.: Tunesersag skal for højesteret (2009). URL http://politiken.dk/indland/ 

article852324.ece. December 4 

[139] Marshall, B., Chen, H., Kaza, S.: Using importance flooding to identify interesting networks 

of criminal activity. J. Am. Soc. Inf. Sci. Technol. 59(13), 2099–2114 (2008). DOI 10.1002/ 

asi.v59:13. URL http://dx.doi.org/10.1002/asi.v59:13 

[140] Marshall, C.C., Halasz, F.G., Rogers, R.A., Janssen Jr., W.C.: Aquanet: a hypertext tool 

to hold your knowledge in place. In: Proceedings of the third annual ACM conference on 

Hypertext, HYPERTEXT ’91, pp. 261–275. ACM, New York, NY, USA (1991) 

[141] Marshall, C.C., Shipman III, F.M.: Spatial hypertext: designing for change. Commun. ACM 

38(8), 88–97 (1995) 

[142] Marshall, C.C., Shipman III, F.M., Coombs, J.H.: Viki: spatial hypertext supporting emergent 

structure. In: Proceedings of the 1994 ACM European conference on Hypermedia 

technology, ECHT ’94, pp. 13–23. ACM, New York, NY, USA (1994) 

[143] Mason, R.O.: Four ethical issues of the information age. MIS Q. 10(1), 5–12 (1986) 

[144] McBride, M., Morgan, S.: Trust calibration for automated decision aids (2010) 

[145] McCall, R.J., Bennett, P.R., D’Oronzio, P.S., Oswald, J.L., Shipman III, F.M., Wallace, 

N.F.: Hypertext: concepts, systems and applications. chap. PHIDIAS: integrating CAD 

graphics into dynamic hypertext, pp. 152–165. Cambridge University Press, New York, NY, 

USA (1992) 

[146] McDermott, T., Meyer, J.: The Hunt for KSM - Inside the Pursuit and Takedown of the 

Real 9/11 Mastermind, Khalid Sheikh Mohammad. Little, Brown and Company (2012) 

[147] Memon, B.: Identifying important nodes in weighted covert networks using generalized 

centrality measures. In: European Intelligence and Security Informatics Conference 2012, 

Odense, Denmark. Odense, Denmark (2012) 

[148] Memon, N., Wiil, U.K., Alhajj, R., Atzenbeck, C., Harkiolakis, N.: Harvesting covert networks: 

a case study of the iminer database. Int. J. Netw. Virtual Organ. 8(1/2), 52–74 

(2011) 

[149] Moore, R.K.: The life cycle of creative endeavors. Enneagram Monthly (1997) 

[150] Morselli, C.: The criminal network perspective. In: Inside criminal networks, Studies of 

organized crime, vol. 8, pp. 1–21. Springer New York (2009) 

[151] Mortensen, M.N., Bangsgaard, J.: Tidligere pet-chef: Uværdig tuneser-sag (2008). URL 

http://www.berlingske.dk/danmark/tidligere-pet-chef-uvaerdig-tuneser-sag. 

November 15 

[152] National commission on terrorist attacks upon the United States, United States: The 9/11 

Commission Report (Executive Summary) (2004). URL http://www.9-11commission. 

gov/report/911Report_Exec.pdf. 

[153] National commission on terrorist attacks upon the United States, Norway: The 22/7 Commission 

Report (2012). URL http://22julikommisjonen.no/Rapport 

[154] Nesser, P.: Structures of jihadist terrorist cells in the uk and europe. In: Proceedings of the 

Joint FFI/King’s College Conference on “The Changing Faces of Jihadism” (2006) 

[155] Newman, M.E.J.: Networks - an introduction. Oxford University Press (2010) 

272


[156] Nørgaard Kristensen, N., Ørsten, M.: Danish media at war - the danish media coverage of 

the invasion of iraq 2003. Journalism : theory, practice and criticism 8, 323–343 (2007) 

[157] Nürnberg, P.: Structural computing and metadata management. In: Proceedings of the 2 nd 

Conference on Knowledge Management and Knowledge Technology (2002) 

[158] Nürnberg, P.J., Leggett, J.J., Schneider, E.R.: As we should have thought. In: Proceedings 

of the eighth ACM conference on Hypertext, HYPERTEXT ’97, pp. 96–101. ACM, New 

York, NY, USA (1997). DOI 10.1145/267437.267448. URL http://doi.acm.org/10.1145/ 

267437.267448 

[159] Nürnberg, P.J., Wiil, U.K., Leggett, J.J.: Structuring facilities in digital libraries. In: 

Proceedings of the Second European Conference on Research and Advanced Technology for 

Digital Libraries, ECDL ’98, pp. 295–313. Springer-Verlag, London, UK, UK (1998) 

[160] Park, A.J., Tsang, H.H., Brantingham, P.L.: Dynalink: A framework for dynamic criminal 

network visualization. In: Proceedings of European Intelligence and Security Informatics 

Conference, pp. 217–224. IEEE (2012) 

[161] Payne, J., Solomon, J., Sankar, R., McGrew, B.: Grand challenge award: Interactive visual 

analytics - palantir: The future of analysis. In: Proceedings of Symposium on Visual 

Analytics Science and Technology, pp. 201–202. IEEE (2008) 

[162] Pearl, M.: A mighty heart. Virago Press (2004) 

[163] Penfold-Mounce, R., Beer, D., Burrows, R.: The wire as social science-fiction? Sociology 

45(1), 152–167 (2011) 

[164] Perlez, J., Shah, P.Z.: Embassy attack in pakistan kills at least 6 (2008). URL http: 

//www.nytimes.com/2008/06/03/world/asia/03pakistan.html. June 3 

[165] Petersen, R.R.: Asap: Agile planning in future creative room. Master’s thesis, University of 

Southern Denmark (2008) 

[166] Petersen, R.R.: Interview with alex strick van linschoten. A discussion of CrimeFighter 

Investigator, Tinderbox, Gephi, Analyst’s Notebook in relation to Alex’s work with mapping 

the temporal evolution of Afghan Taliban., Trafalgar Square, London, United Kingdom 

(2011) 

[167] Petersen, R.R.: Presentation of crimefighter investigator. Presented and demonstrated work 

on prediction of covert network structure and missing links to a group of British intelligence 

analysts, British Home Office, London, United Kingdom (2011) 

[168] Petersen, R.R.: Association and centrality in criminal networks. In: Proceedings of European 

Intelligence and Security Informatics Conference. IEEE (2012) 

[169] Petersen, R.R., Rhodes, C.J., Wiil, U.K.: Node removal in criminal networks. In: Proceedings 

of European Intelligence and Security Informatics Conference, pp. 360–365. IEEE 

(2011) 

[170] Petersen, R.R., Wiil, U.K.: Asap: a planning tool for agile software development. In: 

Proceedings of the nineteenth ACM conference on Hypertext and hypermedia, HT ’08, pp. 

27–32. ACM, New York, NY, USA (2008) 

[171] Petersen, R.R., Wiil, U.K.: Asap: A lightweight tool for agile planning. In: Proceedings of 

the 4th International Conference on Software and Data Technologies (ICSOFT), pp. 265–272 

(2009) 

273


[172] Petersen, R.R., Wiil, U.K.: Analysis of emergent and evolving information: the agile planning 

case. In: J. Cordeiro, K. Ranchordas Alpesh, B. Shishkov (eds.) Software and data 

technologies, Communications in computer and information science, vol. 50, pp. 263–276. 

Springer Berlin Heidelberg (2011) 

[173] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: A novel tool for criminal network 

investigation. In: Proceedings of European Intelligence and Security Informatics Conference, 

pp. 360–365. IEEE (2011) 

[174] Petersen, R.R., Wiil, U.K.: Hypertext structures for investigative teams. In: proceedings of 

the 22nd ACM conference on hypertext, pp. 123–132. ACM Press (2011) 

[175] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Criminal network sense-making. In: 

V.S. Subrahmanian (ed.) Computational Approaches to Counterterrorism (2012). Accepted 

for publication 

[176] Petersen, R.R., Wiil, U.K.: Crimefighter investigator: Integrating synthesis and sensemaking 

for criminal network investigation. Security Informatics (special issues on criminal 

network investigation) (2012). [Accepted for publication] 

[177] Pinto, P.C., Thiran, P., Vetterli, M.: Locating the source of diffusion in large-scale networks. 

Phys. Rev. Lett. 109, 068,702 (2012). DOI 10.1103/PhysRevLett.109.068702. URL http: 

//link.aps.org/doi/10.1103/PhysRevLett.109.068702 

[178] Pioch, N.J., Everett, J.O.: Polestar: collaborative knowledge management and sensemaking 

tools for intelligence analysts. In: proceedings of the international conference on information 

and knowledge management, pp. 513–521. ACM Press (2006) 

[179] Popp, R., Poindexter, J.: Countering terrorism through information and privacy protection 

technologies. IEEE Security and Privacy 4(6), 18–27 (2006) 

[180] Ratcliffe, J.: Intelligence-Led Policing. Willan Publishing (2008) 

[181] Reuters: Two chicago men charged in connection with alledged roles in foreign terror plot 

that focused on targets in denmark (2009). October 27 

[182] Rhodes, C.: The use of open source intelligence in the construction of covert social networks. 

In: U.K. Wiil (ed.) Counterterrorism and Open Source Intelligence. Lecture Notes in Social 

Networks (LNSN 2), pp. 159–170. Springer, Wien (2011) 

[183] Rhodes, C.J., Jones, P.: Inferring missing links in partially observed social networks. Journal 

of the operational research society 60(10), 1373–1383 (2009) 

[184] Rhodes, C.J., Keefe, C.M.J.: Social network topology: a bayesian approach. Journal of the 

operational research society 58(12), 1605–1611 (2007) 

[185] ritzau: Fængslet for terror mod dansk ambassade (2009). URL http://politiken.dk/ 

udland/article763350.ece. August 5 

[186] ritzau: Pet: Attentatmanden handlede alene (2010). URL (http://politiken.dk/ 

indland/article871831.ece. January 2 

[187] Robinson, L.: Information science: communication chain and domain analysis. Journal of 

Documentation 65(4), 578–591 (2009) 

[188] Sageman, M.: Understanding Terrorist Networks. University of Pennsylvania Press (PENN), 

Philadelphia, Pensylvania (2004) 

[189] Sageman, M.: Leaderless Jihad. University of Pennsylvania Press (2008) 

274


[190] Sageman, M.: The reality of grassroots terrorism. Foreign Affairs 87 (2008) 

[191] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [video, http://youtu. 

be/jTnDyLndIqI, last visited September 2012] 

[192] Sankar, S.: Intelligence infrastructure. Palantir Technologies (2009). [Powerpoint Presentation, 

on file with author] 

[193] Saunders-Newton, D., Scott, H.: “but the computer said!”: Credible uses of computational 

modeling in public sector decision making. Social Science Computer Review 19, 47–65 (2001) 

[194] Schimpf, B.: Data integration platform. Palantir Technologies (2011). [online video, http: 

//www.palantirtech.com/government/videos/whitevideos, last visited 2011] 

[195] Scott, J.: Social network analysis, a handbook (second edition). Sage (2000) 

[196] Security, D., (PET), I.S.: Terror arrests in Copenhagen (undated). URL http://www.pet. 

dk/Nyheder/morkhoj-uk.aspx 

[197] Shipman, F., Moore, J.M., Maloor, P., Hsieh, H., Akkapeddi, R.: Semantics happen: knowledge 

building in spatial hypertext. In: Proceedings of the thirteenth ACM conference on 

Hypertext and hypermedia, HYPERTEXT ’02, pp. 25–34. ACM (2002) 

[198] Shipman III, F.M., Hsieh, H., Maloor, P., Moore, J.M.: The visual knowledge builder: 

a second generation spatial hypertext. In: Proceedings of the 12th ACM conference on 

Hypertext and Hypermedia, HYPERTEXT ’01, pp. 113–122. ACM, New York, NY, USA 

(2001) 

[199] Shipman III, F.M., Marshall, C.C.: Formality considered harmful: Experiences, emergingthemes, 

and directions on the use of formal representations ininteractive systems. Comput. 

Supported Coop. Work 8(4), 333–352 (1999). DOI 10.1023/A:1008716330212. URL 

http://dx.doi.org/10.1023/A:1008716330212 

[200] Shrinivasan, Y., van Wijk, J.: Supporting exploration awareness for visual analytics. In: 

Visual Analytics Science and Technology, 2008. VAST ’08. IEEE Symposium on, pp. 185 

–186 (2008). DOI 10.1109/VAST.2008.4677378 

[201] Shrinivasan, Y.B., Wijk, J.J.: Supporting the analytical reasoning process in information 

visualization. In: proceedings of the 26th conference on human factors in computing systems. 

ACM Press (2008) 

[202] Sifakis, J.: A vision for computer science - the system perspective. Central European Journal 

of Computer Science 1, 108–116 (2011) 

[203] Silber, M.D., Bhatt, A.: Radicalisation in the West: The Homegrown Threat (2007) 

[204] Simon, D.: Homicide - a year on the killing streets. Picador (1991) 

[205] Simon, D., Burns, E.: The corner - a year in the life of an inner-city neighbourhood. Broadway 

Books (1997) 

[206] Simon, D., Burns, E.: The wire (the complete first season) (2002) 

[207] Sipser, M.: Introduction to the theory of computation. PWS Publishing Company (1997) 

[208] Skjoldager, M.: Truslen indefra: De danske terrorister. Lindhardt & Ringhof (2009) 

[209] Skjoldager, M., Holst, N.: Landsretten dømmer to for terror (2009). June 26 

275


[210] Skøt, J.: At løse et svært ingeniørproblem er som at spille p˚a et instrument. Ingeniøren pp. 

14–15 (2012). Translated title: “Solving a difficult engineering problem is like playing an 

instrument 

[211] Smith, E.A.: Complexity, networking, & effects-based approaches to operations. CCRP 

(2006) 

[212] Sparrow, M.K.: The application of network analysis to criminal intelligence: An assessment 

of the prospects. Social Networks 13, 251–274 (1991) 

[213] Sørensen, L.M.: Al-qaeda-leder trænede dansk terrorist (2009). URL http://politiken. 

dk/indland/article807742.ece. October 11 

[214] Steele, R.D.: Human intelligence (humint): All humans, all minds, all the time (2009). 

[Draft 3.7 Article 11 Jul 09 APPROVED By DoD and CIA PRB. On file with author.] 

[215] Steele, R.D.: Open source intelligence. In: L.K. Johnson (ed.) Handbook of intelligence 

studies, pp. 129–147. Routledge (2009) 

[216] Stenbit, J.P., L, W.I., Alberts, D.S.: NATO code of best practice for C2 assessment, [Chapter 

5: Measures of Merit]. CCRP (2002) 

[217] Stoll, C.: Silicon snake oil: Second thoughts on the information highway (1995) 

[218] Sullivan, K.: Denmark tries to act against terrorism as mood in europe shifts (2005). August 

29 

[219] Taarnby, M.: Jihad in Denmark: am overview and analysis of jihadi activity in denmark 

1990-2006. Danish Institute for International Studies (2006) 

[220] Tanfani, J., Shiffman, J., Shea, K.B.: American suspect in mumbai attack was dea informant 

(2009). December 14 

[221] Taniguchi, T.A., Ratcliffe, J.H., Taylor, R.B.: Gang set space, drug markets, and crime 

around drug corners in camden. Journal of research in crime and delinquency 48, 327–363 

(2011) 

[222] Technologies, P.: Hard technical problems in civil liberties protection. Tech. rep. (2011). 

Whitepaper 

[223] Technologies, P.: Privacy and civil liberties are in palantir’s dna. Tech. rep. (2011). Whitepaper 

[224] Thomas, G.: A typology for the case study in social science following a review of definition, 

discourse, and structure. Qualitative Inquiry 17(6), 511–521 (2011) 

[225] Thompson, J., Hopf-Weichel, R., Geiselman, R.E.: The cognitive bases of intelligence analysis. 

Tech. rep., U.S. Army, Research Institute for the Behavioral and Social Sciences (1984) 

[226] Thomsen, C.B.: P˚a sporet af to terrormistænkte (2009). November 15 

[227] Todd, B.F., Nomani, A.: The Truth Left Behind: Inside the Kidnapping and Murder of 

Daniel Pearl (2011) 

[228] Tusikov, N.: The godfather is dead: A hybrid model of organized crime. Aprehendiendo al 

delincuente: crimen y medios en América del Norte pp. 143–160 (2010) 

[229] Unavailable: Big data: crunching the numbers. The Economist (2012) 

[230] Unknown: Palantir counterterrorism demonstration. Palantir Technologies (2009). [video, 

http://www.palantir.com/2009/03/fullct/, last visited September 2012] 

276


[231] Unknown: London terror bomb plot: the four terrorists. The Telegraph (2012) 

[232] Van Dyke Parunak, H.: Don’t link me in: set based hypermedia for taxonomic reasoning. 

In: Proceedings of the third annual ACM conference on Hypertext, HYPERTEXT ’91, pp. 

233–242. ACM, New York, NY, USA (1991) 

[233] Vedder, A., Custers, B.: Whose responsibility is it anyway? dealing with the consequences 

of new technologies. In: P. Sollie, M. Düwell, A.M. Cutter, B. Gordijn, G.E. Marchant, 

A. Pompidou (eds.) Evaluating New Technologies, The International Library of Ethics, Law 

and Technology, vol. 3, pp. 21–34. Springer Netherlands (2009) 

[234] Veldhuis, T., Staun, J.: Islamist Radicalisation: A Root Cause Model (2009) 

[235] Vidino, L.: Al Qaeda in Europe: The New Battleground of International Jihad. Prometheus 

Books (2005) 

[236] Vidino, L.: Radicalization, linkage, and diversity: Current trends in terrorism in europe 

(2011) 

[237] Vijaykumar, S.: Object model. Palantir Technologies (2011). [online video, http://www. 

palantirtech.com/government/videos/whitevideos, last visited 2011] 

[238] Vogel, K.M.: ‘iraqi winnebagos T M of death’: Imagined and realized futures of us bioweapons 

threat assessment. Science and Public Policy 35, 561–573 (2008) 

[239] Warr, A., O’Neill, E.: Understanding design as a social creative process. In: Proceedings of 

the 5th conference on Creativity & cognition, C&C ’05, pp. 118–127. ACM, New York, NY, 

USA (2005) 

[240] Wasserman, S., Faust, K.: Social Network Analysis: Methods and Applications. Cambridge 

University Press (1994) 

[241] Weiman, G.: Terror on facebook, twitter, and youtube. Brown Journal of World Affairs 16, 

45–54 (2010) 

[242] Weiner, T.: Legacy of Ashes: The History of the CIA. Anchor Books (2008) 

[243] Wiil, U., Hicks, D., P., S.: Vision and progress towards structural computing support for 

knowledge management. UCS 9 (2003) 

[244] Wiil, U.K., Gniadek, J., Memon, N.: Measuring link importance in terrorist networks. In: 

Proceedings of the international conference on advances in social networks analysis and 

mining, pp. 225–232. IEEE (2010) 

[245] Wiil, U.K., Gniadek, J., Memon, N., Petersen, R.R.: Knowledge management tools for 

terrorist network analysis. In: Knowledge Discovery, Knowledge Engineering and Knowledge 

Management. Lecture Notes in Communications in Computer and Information Science 

(LNCCIS). Springer, Wien (2011) 

[246] Wiil, U.K., Hicks, D.L.: Tools and services for knowledge discovery, management and structuring 

in digital libraries. In: Proc. 8 th Conf. Concurrent Engineering, pp. 580–589 (2001) 

[247] Wiil, U.K., Memon, N., Gniadek, J.: Knowledge management processes, tools and techniques 

for counterterrorism. In: K. Liu (ed.) KMIS, pp. 29–36. INSTICC Press (2009) 

[248] Wiil, U.K., Memon, N., Gniadek, J.: Crimefighter: A toolbox for counterterrorism. Lecture 

notes in communications in computer and information science (Knowledge discovery, 

knowledge engineering and knowledge management) 128, 337–350 (2011) 

277


[249] anonymous Wikipedia: Avon barksdale. URL http://en.wikipedia.org/wiki/Avon_ 

Barksdale. [last visited on August 5, 2012] 

[250] Wilson, C.: Searching for saddam: A five-part series on how the u.s. military 

used social networking to capture the iraqi dictator (updated 2010). URL 

http://www.slate.com/articles/news_and_politics/searching_for_saddam/2010/ 

02/searching_for_saddam_5.single.html 

[251] Wirtz, J.J.: Targeting intelligence. International Journal of Intelligence and CounterIntelligence 

(2006) 

[252] Woo, G.: Intelligence constraints on terrorist network plots. In: N. Memon, J.D. Farley, 

D.L. Hicks, T. Rosenorn (eds.) Mathematical methods in counterterrorism, pp. 205–214. 

Springer, Wien (2009) 

[253] Wright, D.: A framework for the ethical impact assessment of information technology. Ethics 

and Inf. Technol. 13(3), 199–226 (2011) 

[254] Wright, W., Schroh, D., Proulx, P., Skaburskis, A., Cort, B.: The sandbox for analysis: 

concepts and methods. In: Proceedings of the conference on human factors in computing 

systems, pp. 801–810. ACM Press (2006) 

[255] Xu, J., Chen, H.: Criminal network analysis and visualization. Commun. ACM 48(6), 

100–107 (2005) 

[256] Yalcinkaya, R.: Police officers’ adoption of information technology: A case study of the 

turkish polnet system. Ph.D. thesis, University of North Texas (2007) 

[257] Youtube: General colin powell un speech on iraq part 1of5 (2012). URL http://www. 

youtube.com/watch?v=Nt5RZ6ukbNc. Last visited on February 19th 2012 

278

APPENDIX A 

Published papers and other written work 

This appendix lists all our published work (Section A.1) together with unpublished papers and 

manuscripts (Section A.2). 

A.1 Published papers 

Published papers with most recent papers first. 

1. Petersen, R.R. “Association and Centrality in Criminal Networks”, paper submitted to 

EISIC conference, IEEE, 2012. Published. 

2. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Integrating Synthesis and Sensemaking 

for Criminal Network Investigation”, paper submitted to Security Informatics journal, 

Springer, 2012. Accepted. 

3. Petersen, R.R., and Wiil, U.K., “CrimeFighter Investigator: Criminal Network Sense-making”, 

Computational Approaches to Counterterrorism book, Springer, 2012. Accepted. 

4. Wiil, U.K., Gniadek, J., Memon, N., and Petersen, R.R., “Knowledge Management Tools 

for Terrorist Network Analysis”, In LNCCIS, Vol. 272, pp. 322-337, Springer, 2012. 

5. Petersen, R.R. and Wiil, U.K., “CrimeFighter Investigator: A novel tool for criminal network 

investigation”, In Proc. EISIC, pp. 197-202, IEEE, 2011. 

6. Petersen, R.R., Rhodes, C.J., and Wiil, U.K., “Node removal in criminal networks”, In Proc. 

EISIC, pp. 360-365, IEEE, 2011. 

7. Petersen, R.R. and Wiil, U.K., “Hypertext Structures for Investigative Teams”, In Proc. 

Hypertext, pp. 123-132, ACM, 2011. 

8. Petersen, R.R. and Wiil, U.K., “Analysis of Emergent and Evolving Information: The Agile 

Planning Case”, In LNCCIS, Vol. 50, pp. 263-276, Springer, 2011. 

A.2 Unpublished papers and manuscripts 

1. Petersen, R.R. and Wiil, U.K., “A Framework Design for Information Analysis”, Submitted 

to I-KNOW 2010, 2010. 

279

A.3. PRESENTATIONS APPENDIX A. PUBLICATIONS AND OTHER WORK 

2. Petersen, R.R., “Towards a Framework Design for Usage-Oriented Spatial Hypertexts”, 

Written for PhD course on Scientific Writing, 2010. 

3. Terrorism and new media essay. “Danish Newspapers and the Mickey Mouse Project”, Exam 

essay written for PhD course on Media and Terrorism in the Middle East, 2010. 

A.3 Presentations 

1. Petersen, R.R., and Wiil, U.K., “Adaptive Counterterrorism Tools over Silver Bullets”, at the 

International and Interdisciplinary Terrorism and New Media Conference, Dublin, Ireland, 

2010. 

A.4 Previously published 

1. Petersen, R.R. and Wiil, U.K., “ASAP: A Lightweight Tool for Agile Planning”, In Proceedings 

of the International ICSOFT Conference, pp. 265-272, 2009. 

2. Petersen, R.R. and Wiil, U.K., “ASAP: A Planning Tool for Agile Software Development”, 

In Proceedings of the International Hypertext Conference, pp. 27-35, ACM, 2008. 

280

APPENDIX B 

Danish Defense Intelligence Service (DDIS) web documents 

The Danish Defense Intelligence Service intelligence cycle in Danish text is repeated below [52]. 

B.1 Efterretningskredsløb 

Sammenhængen mellem indhentning, bearbejdning og analyse samt rapportering er central for 

efterretningsarbejdet. Vi beskriver det ved den s˚akaldte efterretningskredsløb. Kredsløbet beskriver 

en sammenhængende arbejdsproces, som gentages løbende. 

Udgangspunktet er en prioritering. Den fastsættes med udgangspunkt i tjenestens opgaver og 

ressourcer samt efter drøftelse med vores kunder - b˚ade i og udenfor forsvaret. Styrende er hensynet 

til Danmark og danske militære styrkers sikkerhed. 

Dernæst gør vi os klart, hvad vi allerede ved, og hvad vi gerne vil vide. Det sker ved, at vi 

formulerer et s˚akaldt efterretningsbehov - en liste over de spørgsm˚al, som vi gerne vil have besvaret, 

og de oplysninger, som vi mangler. De er udgangspunkt for indhentningen. 

Indhentningen søger at besvare de stillede spørgsm˚al ved at skaffe oplysninger fra kilder - det 

kan være b˚ade lukkede og ˚abne kilder. ˚Abne kilder er kilder, som alle kan skaffe sig adgang til, 

som f.eks. Internet, aviser og andre publikationer. Lukkede kilder kræver en efterretningsmæssig 

indsats. Det er adgangen til lukkede kilder, som er et særkende for den efterretningsmæssige 

vurdering. Oplysninger fra b˚ade˚abne og lukkede kilder skal vurderes og analyseres. Er oplysningen 

og/eller kilden troværdig? I den forbindelse er det en styrke i analysen at kunne sammenholde 

oplysninger fra ˚abne og fra lukkede kilder. 

I analysen tager man udgangspunkt i en forestilling om, hvordan situationen er - en s˚akaldt 

hypotese - som man afprøver mod de oplysninger, man har. Det, som er interessant, er om der er 

oplysninger, som ikke passer med ens forestilling. S˚a er der m˚aske en anden hypotese, som passer 

bedre p˚a de oplysninger, man har. Dette er ikke et arbejde, som én medarbejder kan gøre alene. 

Det er i høj grad et holdarbejde, hvor man afprøver sine hypoteser og analyser med sine kolleger. 

I den forbindelse kan analytikeren støde p˚a nye spørgsm˚al, som vedkommende ønsker besvaret, 

eller oplysninger, som er mangelfulde. S˚a formulerer analytikeren et nyt efterretningsbehov. 

N˚ar en analyse er færdig, skal den omsættes til en rapport. I den forbindelse er det vigtigt 

at videregive vurderingen s˚a præcist som muligt. I rapporteringen skelner vi normalt skarpt 

mellem oplysninger og vurdering. Vi gengiver oplysninger, s˚a det ikke fremg˚ar, præcist, hvorfra 

de stammer. Det er nødvendigt for at beskytte kilderne og FE’s indhentningskapacitet. Af samme 

281

B.2. FE FORETAGER OMPRIORITERINGER APPENDIX B. DDIS WEB DOCUMENTS 

˚arsag er FE’s rapporter normalt klassificeret. Det gælder ogs˚a de rapporter, som FE modtager 

fra udenlandske samarbejdspartnere. 

B.2 FE foretager omprioriteringer 

FE omprioriteter sine ressourcer for fortsat at kunne leve op til de udfordringer, som 

en moderne efterretningstjeneste st˚ar over for, og samtidig kunne imødekomme krav 

om besparelser. 

06-01-2012 - kl. 14:50 

FE ser behov for at foretage en række omprioriteringer. Dette indebærer nedlæggelse af nogle af 

tjenestens nuværende indhentningskapaciteter og samtidig en styrkelse af andre. Konsekvensen 

er, at FE’s station ved Dueodde p˚a Bornholm lukkes, ligesom der sker ændringer p˚a FE’s indhentningsstationer 

i Nordjylland og p˚a Amager. Det er forventningen, at der vil skulle afskediges 27 

medarbejdere, heraf 17 p˚a Bornholm. Samtidig er det hensigten at ansætte ca. 20 nye medarbejdere 

med andre kompetencer. 

˚Arsagen til disse omprioriteringer er behovet for at tilpasse FE til den teknologiske udvikling 

kombineret med udviklingen i det samlede trusselsbillede, holdt op imod de samlede økonomiske 

rammer. 

FE gennemfører s˚aledes omprioriteringerne med henblik p˚a at styrke indhentningen inden for de 

omr˚ader, der vurderes at være mest relevante for Danmarks sikkerhed. Det kræver en fortsat 

tilpasning af kapaciteter og kompetencer. 

I for˚aret 2011 gennemgik FE en større reorganisering for at m˚alrette og effektivisere tjenesten, s˚a 

den er rustet til at h˚andtere fremtidens opgaver. Den nye organisation udspringer af kravet om, 

at organisationen til enhver tid skal understøtte og afspejle FE’s prioriteter og opgaveløsning. Det 

samme krav gælder for FE’s indhentningskapaciteter. 

Trusselsbilledet rettet mod Danmark samt behovet for støtte til forsvarets udsendte styrker, 

kræver, at vi hele tiden har en tidssvarende indhentning, der kan agere fleksibelt. 

282

Criminal Network Investigation - Rasmus Rosenqvist Petersen

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?