Using Link Analysis to Define Data Relationships in Investigations
Clarifying the Who Behind the What and When
Today’s digital investigations are being powered by link analysis. Link analysis is an analytical process whereby data points, often referred to as “nodes”, are used to identify relationships and connections between disparate data sources. What makes link analysis powerful, and what drives its rapid adoption in today’s era of big data, is that it enables data visualization, data clustering, charting, timelining and more through data aggregation. Given the copious amounts of data that can be acquired throughout the course of a legal investigation, the process is invaluable for identifying patterns and context across a vast number of seemingly disconnected data sources.
Subruta Paul, in his 2013 article entitled “On Some Aspects of Link Analysis and Informal Network in Social Network Platform”, explains different linking types, which include explicit links and aggregate links. Explicit links are those created between nodes which correspond to a specific defined entity. One example, as provided by Paul, is a phone call. When a phone call is placed, there is a defined link between the originating phone number and the destination phone number. When all of the phone calls between two specific phone numbers are combined, the result is an aggregate link, representing all of the placed calls.
Leveraging explicit and aggregate link analysis is invaluable to digital investigators seeking to establish contextual relationships and behavior patterns. Explicit linking can be taken a step beyond the phone numbers themselves to help define the behavior of the individual being investigated, providing further context. Let’s explore this concept.
If we gather data from someone’s smartphone in the course of an investigation, we can examine the call log and extract all calls placed and received by that specific device. The phone number of the device can then be explicitly linked to an individual via the IMSI (International Mobile Subscriber Identity), defining the relationship between the user and the phone. We can then aggregate the data as well as the underlying metadata, including things like call duration and the date of each of the calls. Given this additional explicit link, we can now identify the phone numbers that this individual contacted the most or engaged with for the longest period of time.
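The call-log aggregation described above, as an added example that is not part of the original article and not code from any tool it mentions. The device number, call records and function names are constructed for illustration; each record is one explicit link, and the links between the same two numbers are combined into one aggregate link.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample call log for one device (illustrative data, not real numbers).
DEVICE_NUMBER = "+15550100"
CALL_LOG = [
    # (timestamp, direction, other party, duration in seconds)
    ("2023-03-01T09:15:00", "outgoing", "+15550111", 120),
    ("2023-03-01T18:40:00", "incoming", "+15550111", 45),
    ("2023-03-02T08:05:00", "outgoing", "+15550122", 1800),
    ("2023-03-03T12:30:00", "incoming", "+15550133", 0),  # missed call
    ("2023-03-04T21:10:00", "outgoing", "+15550111", 300),
    ("2023-03-05T07:55:00", "incoming", "+15550122", 600),
]

def explicit_links(device, log):
    """Turn each call record into one explicit link (originating -> destination)."""
    for ts, direction, other, seconds in log:
        src, dst = (device, other) if direction == "outgoing" else (other, device)
        yield {"src": src, "dst": dst,
               "when": datetime.fromisoformat(ts), "seconds": seconds}

def aggregate_links(links):
    """Combine all explicit links between the same two numbers into one aggregate link."""
    agg = defaultdict(lambda: {"calls": 0, "seconds": 0, "first": None, "last": None})
    for link in links:
        pair = frozenset((link["src"], link["dst"]))  # key ignores call direction
        a = agg[pair]
        a["calls"] += 1
        a["seconds"] += link["seconds"]
        a["first"] = link["when"] if a["first"] is None else min(a["first"], link["when"])
        a["last"] = link["when"] if a["last"] is None else max(a["last"], link["when"])
    return dict(agg)

def rank(agg, device, key):
    """Rank the device's contacts by an aggregate metric ('calls' or 'seconds')."""
    rows = [(next(iter(pair - {device})), data[key])
            for pair, data in agg.items() if device in pair and len(pair) == 2]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

AGG = aggregate_links(explicit_links(DEVICE_NUMBER, CALL_LOG))
MOST_CONTACTED = rank(AGG, DEVICE_NUMBER, "calls")
LONGEST_ENGAGED = rank(AGG, DEVICE_NUMBER, "seconds")

if __name__ == "__main__":
    print("Most contacted:", MOST_CONTACTED)
    print("Longest engaged:", LONGEST_ENGAGED)
```

In this constructed data the most-contacted number and the number with the longest total talk time are different contacts, which is why both rankings are worth computing from the same aggregate links.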
This example extends to a plethora of other potential explicit links. The individual’s phone may have geolocation artifacts, text messages, app data, transactions and even connected device data (often referred to as the Internet of Things or “IoT”) recorded in its device history. Performing link analysis on these additional nodes by linking the phone number, the device’s IMEI (International Mobile Equipment Identity), or the user’s IMSI can result in a cornucopia of links to examine.
Our example barely scratches the surface of how using link analysis to identify explicit links and aggregate data for analysis can aid an investigation. This type of analysis can establish context, and even possibly intent. This is where tools like ESI Analyst can help refine an investigation by demonstrating a series of events in a timeline, showing their relationships to a given individual or set of actors. Link analysis is a proven and effective technique that enables robust data visualization and, most importantly, a clear and comprehensive understanding of the data being analyzed. If you would like to learn more, please reach out and arrange a demonstration today.