Link Analysis
BLUF
Link Analysis is the structured intelligence technique for visually mapping and assessing relationships between entities (individuals, organizations, locations, events, and financial accounts) to identify hidden connections, key actors, and patterns of association that are not apparent from linear examination of the data. It is the primary analytical methodology underlying network analysis and the visual product most commonly associated with investigation, counterterrorism, and financial crime analysis. Where Network Analysis Methodology covers the computational process, Link Analysis addresses the analytical tradecraft for interpreting relationship data and producing Link Analysis Charts (LACs) as finished intelligence products. The technique originated in UK police intelligence analysis (attributed to Hubert Williams, 1970s) and was subsequently adopted by intelligence agencies globally, operationalized in tools from IBM i2 Analyst Notebook to Maltego.
The Link Analysis Chart (LAC)
A LAC displays entities as nodes and relationships as edges, with standardized symbology encoding relationship type, strength, and confidence. Core symbology (i2 Analyst Notebook baseline):
| Element | Symbol | Meaning |
|---|---|---|
| Person | Circle | Individual subject |
| Organization | Rectangle | Corporate or institutional entity |
| Location | Diamond | Geographic location |
| Event | Hexagon | Dated event |
| Document/account | Triangle | Financial account, document, or artifact |
| Confirmed link | Solid line | Verified relationship |
| Probable link | Dashed line | Assessed but not confirmed relationship |
| Unconfirmed link | Dotted line | Alleged or single-source relationship |
| Direction | Arrowhead | Direction of relationship |
| Link label | Text on edge | Relationship type |
Relationship Types
| Type | Definition | Analytical significance |
|---|---|---|
| Association | Co-occurrence, shared attribute, or proximity | Low inferential weight; does not imply coordination |
| Communication | Direct communications link | Medium-high; implies contact |
| Coordination | Evidence of joint planning or synchronized activity | High; implies operational relationship |
| Command | Evidence of direction or control | Highest; implies organizational hierarchy |
| Financial | Money flows or transactions | High for operational relationships |
Critical discipline: never substitute Association for Coordination without additional evidence. Visual proximity does not imply operational significance.
Analytical Methodology
Phase 1 — Entity and Link Identification
Extract all entities and relationships from available evidence. Record each relationship with: source evidence, relationship type, date, and confidence. Maintain a structured entity-link register before visual construction. Never add a link without a register entry.
Phase 2 — Chart Construction
Build the LAC from the register: place high-centrality nodes near the center; cluster related entities spatially; apply consistent symbology; label all links with type; distinguish confirmed from unconfirmed links; apply time filters for temporal networks.
Phase 3 — Centrality Assessment
Apply centrality measures from Network Analysis Methodology:
- Betweenness-centrality: brokers and intermediaries
- Degree-centrality: hubs with most connections
- Isolation patterns: cut-outs, peripheral actors
Phase 4 — Pattern Identification
- Clique: fully connected subgraph — tight operational cell
- Hub-and-spoke: one center with multiple spoke connections — coordinator or logistics node
- Bridge node: connects otherwise disconnected clusters — critical interdiction point
- Temporal cluster: timestamped edges reveal operational tempo
Phase 5 — Gap Analysis
Disconnected nodes that analytical logic requires to be connected, but for which evidence is absent, are explicit collection priorities. Document gaps in the analytical product.
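The five phases carried through on a small constructed register, as an added example that is not part of the original page: rows missing a required field are rejected, the graph is built only from accepted rows, and degree, betweenness and unlinked entities are computed from it. Entity names, source IDs, dates and function names are assumptions, and betweenness is computed with Brandes' algorithm, a choice made for this example.

```python
from collections import defaultdict, deque

TYPES = {"Association", "Communication", "Coordination", "Command", "Financial"}
CONFIDENCE = {"confirmed", "probable", "unconfirmed"}
ENTITIES = ["P1", "P2", "P3", "P4", "P5", "P6", "P7"]  # constructed identifiers
REGISTER = [  # constructed rows: (a, b, type, source, date, confidence)
    ("P1", "P2", "Communication", "RPT-001", "2024-01-05", "confirmed"),
    ("P1", "P3", "Coordination", "RPT-002", "2024-01-09", "confirmed"),
    ("P2", "P3", "Communication", "RPT-002", "2024-01-09", "probable"),
    ("P3", "P4", "Financial", "RPT-003", "2024-02-01", "confirmed"),
    ("P4", "P5", "Command", "RPT-004", "2024-02-03", "probable"),
    ("P4", "P6", "Communication", "RPT-004", "2024-02-03", "confirmed"),
    ("P5", "P6", "Association", "RPT-005", "2024-02-10", "unconfirmed"),
    ("P6", "P7", "Coordination", "", "2024-02-11", "confirmed"),  # no source: rejected
]

def validate(rows):  # Phase 1: every field present, known type and confidence
    ok = lambda r: all(r) and r[2] in TYPES and r[5] in CONFIDENCE
    return [r for r in rows if ok(r)], [r for r in rows if not ok(r)]

def build_graph(rows, entities, confidences=CONFIDENCE):  # Phase 2: register rows only
    adj = {e: set() for e in entities}
    for a, b, _type, _source, _date, conf in rows:
        if conf in confidences:
            adj[a].add(b); adj[b].add(a)
    return adj

def betweenness(adj):  # Phase 3: Brandes' algorithm, unweighted and undirected
    bc = dict.fromkeys(adj, 0.0)
    for s in adj:
        sigma, dist, preds = defaultdict(int, {s: 1}), {s: 0}, defaultdict(list)
        order, q = [], deque([s])
        while q:
            v = q.popleft(); order.append(v)
            for w in adj[v]:
                if w not in dist:
                    dist[w] = dist[v] + 1; q.append(w)
                if dist[w] == dist[v] + 1:  # w is one step further on a shortest path
                    sigma[w] += sigma[v]; preds[w].append(v)
        delta = defaultdict(float)
        for w in reversed(order):  # accumulate dependencies from the farthest node back
            for v in preds[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return {n: b / 2 for n, b in bc.items()}  # each pair was counted from both ends

def degree(adj): return {n: len(v) for n, v in adj.items()}  # Phase 3: hubs
def gaps(adj): return sorted(n for n, v in adj.items() if not v)  # Phase 5 candidates
```

Restricting the graph to confirmed and probable links raises P4's betweenness from 6 to 7, because the unconfirmed P5-P6 Association link no longer offers a path that bypasses P4; the confidence filter changes which node looks like the bridge.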
LAC Standards for Intelligence Products
Minimum standards for a finished intelligence LAC:
- All entities labeled with canonical identifier
- All links labeled with type and evidence source
- Unconfirmed links visually distinguished from confirmed
- Construction date and evidence cutoff date noted
- Legend explaining symbology
- Analytical note explaining what the chart shows and does not show
Failure modes: speculation links (no evidence), over-inference (association presented as coordination), exclusion of inconvenient entities, static chart where temporal analysis is needed.
Tools
| Tool | Type | Capability | Access |
|---|---|---|---|
| IBM i2 Analyst Notebook | Desktop, commercial | Industry standard; full LAC; timeline integration | Commercial |
| Maltego | Desktop, freemium | OSINT transforms; entity expansion; network visualization | Community (free/limited); commercial |
| Gephi | Desktop, open-source | Graph computation; community detection | Free |
| Neo4j Browser | Web | Cypher queries; persistent graph database | Free (self-hosted) |
| Palantir Gotham | Enterprise | Government-grade; classified + unclassified fusion | Commercial (government) |
Key Connections
- Network Analysis Methodology: computational foundation
- Entity Resolution Methodology: prerequisite before LAC construction
- Maltego Guide: primary OSINT tool for entity expansion
- PMESII-PT: OE framework; link analysis maps actor relationships within it
- Attribution: link analysis as attribution chain visualization
- Financial Intelligence: financial network link analysis