Intelligence Analysis PDF

Table of Contents
1 Introduction ...................................................................................... 3
2 The Intelligence Process ................................................................... 3
2.1 The Principles of Intelligence ........................................................... 4
2.2 The Intelligence Cycle .................................................................... 5
2.3 The stages of the Intelligence Cycle ................................................. 5
2.4 Direction / Planning ........................................................................ 5
2.5 Collection ...................................................................................... 6
2.5.1 The Exploitation of Sources and Agencies ................................... 6
2.5.2 Delivery of Information ............................................................ 7
2.5.3 The Nature of the Collection Plan............................................... 7
2.6 Evaluation ..................................................................................... 7
2.7 Collation ....................................................................................... 8
2.8 Analysis ........................................................................................ 8
2.9 Dissemination................................................................................ 9
3 Interpretation and Hypothesis Development ................................... 10
3.1 Premises and Hypotheses ............................................................. 10
3.2 Deductive an Inductive thinking ..................................................... 13
3.3 Creative and Critical thinking ......................................................... 15
3.3.1 What is Critical and Creative Thinking? .................................... 15
3.3.2 Brainstorming ....................................................................... 16
3.3.3 Mind Mapping ....................................................................... 16
3.4 Visualisation/Data Integration Techniques ....................................... 18
3.4.1 Link Charting ........................................................................ 18
3.4.2 Flow Charting ....................................................................... 26
3.4.3 Event Charting ...................................................................... 27
3.4.4 Activity Charting ................................................................... 28
3.4.5 Crime Mapping ...................................................................... 29
3.4.6 Geographic Information Systems ............................................ 30
3.4.7 Frequency and Cause and Effect Charting ................................. 31
3.4.8 Cause and Effect Charting ...................................................... 34
3.4.9 Time and Sequence Charting .................................................. 35
3.4.10 Proportional vs. Non-proportional ............................................ 36
Europol Unclassified – Basic Protection Level

No dissemination of training material without prior authorisation by Europol
1 (36)
Table of figures
Figure 1: Course structure ................................ Error! Bookmark not defined.

Figure 2: Intelligence cycle ............................... Error! Bookmark not defined.
Figure 3: Hypothesis development..................... Error! Bookmark not defined.
Figure 4: Deductive vs. inductive reasonig....................................................14
Figure 5: Mind Mapping.............................................................................. 17
Figure 6: Flow charting…………. .................................................................... 26
Figure 7: Event charting ............................................................................. 27
Figure 8: Activity charting .......................................................................... 28
Figure 9: Map showing locations of burglaries in a specific neighbourhood ........ 29
Figure 10:Map showing ‘hot spots’ in connection with car theft in a specific area 30
Figure 11: Projection basics ........................................................................ 31
Figure 12: Projection example .................................................................... 31
Figure 13: Frequency chart ......................................................................... 33
Figure 14: Cause and effect chart ................................................................ 34
Figure 15: Time and sequence chart (example 1) .......................................... 35
Figure 16: Time and sequence chart (example 2) .......................................... 35
Figure 17: Proportional vs. Non-proportional ................................................ 36
Table of examples
Example 1: Preliminary chart ...................................................................... 19

Example 2: An individual involved in two companies with one other official
involved in each company .......................................................................... 22
Example 3: An individual involved in three companies, no other officials involved
............................................................................................................... 22
Example 4:Three individuals involved in the same company, links inferred and
official position shown ................................................................................ 22
Example 5: Individual linked to a company but not directly to the individuals
shown as employees of the company. .......................................................... 23
Example 6: Individual outside a company but with a link to the company and an
unconfirmed link to an employee of the company .......................................... 23
Example 7: Association between two companies but no known links between the
individual officials of the companies. ............................................................ 23
Example 8: An individual who is an official of a number of companies, which are
subsidiaries of each other ........................................................................... 24
Example 9: An example of a full link chart .................................................... 24
Example 10: A business with various subsidiary companies ............................ 25

2 (36)
1 Introduction
This manual is to support the modules of the first week of Europol’s Operational
Integrated Analysis Training (OIAT) Course. The material discussed during the
sessions will be described in the manual so that the participants will not have to
take any notes.
The first week of the OIAT will focus on matters such as the intelligence cycle,
critical thinking, interpretation of data and a number of visualisation techniques.
During the first week of the course, participants will be working without a
computer as the development of analytical thinking will have priority.
The course structure allows the students to participate actively in the classroom
sessions as the techniques described will be followed by practical in-class
exercises. Feedback will be provided by the distribution of suggested solutions
that will serve as a basis for comparison and discussion.
Figure 1: Course structure
The practical exercises will be undertaken following an introduction to the subject

area, and will be based upon real-life situations. The major exercise(s) will be
carried out in groups and each team will be asked to present their analysis
through an oral briefing.
2 The Intelligence Process
There are many definitions of the word ‘intelligence’. It would be ill-advised to

favour one over the other. Europol defines intelligence as:

3 (36)
‘Knowledge (processed information), designed for action’
The processing of information occurs in what is defined as the ‘Intelligence Cycle’

which is further discussed in this chapter.
In law enforcement, intelligence can be divided into ‘Operational Intelligence’ and

‘Strategic Intelligence’. Operational intelligence focuses on short term solutions or
immediate law enforcement objectives such as investigations against specified
targets or organised crime groups. Strategic intelligence deals with long term
issues and goals and is useful for describing matters such as the nature of a
specific crime, trends and phenomena in crime and for future planning.
2.1 The Principles of Intelligence
The eight basic principles which govern the function, organisation and operation
of the intelligence system, are:
 Centralised Control: Intelligence must be centrally controlled to avoid

needless duplication of work, provide mutual support and ensure the
efficient, economic use of all resources.
 Accessibility: Relevant information and intelligence must be readily
accessible to intelligence staff and to users. Intelligence is of no value if it
is not disseminated nor made accessible to those who require it.
 Responsiveness: The intelligence staff must be responsive to the
intelligence requirements of senior staff at all times.
 Systematic Exploitation: Sources and agencies must be systematically
exploited by methodical tasking, based on a thorough knowledge of their
capabilities and limitations.
 Continuous Review: Intelligence must be continuously reviewed and
where necessary revised, taking into account all new information and
comparing it with that which is already known.
 Objectivity: Any temptation to distort information to fit preconceived
ideas must be resisted.
 Source Protection: All sources of information must be adequately
protected.
 Timeliness: Intelligence is useless if it arrives at its destination too late.
In addition, the system through which sources and agencies are tasked
must be capable of reflecting, without delay, any significant changes in the
operational situation.

4 (36)
2.2 The Intelligence Cycle
In order to develop the available information into intelligence, a structured and

systematic series of activities should be adopted. The Intelligence Cycle is the
framework in which six stages are conducted resulting in the distribution of a
finished intelligence product. The six stages are a flexible process and there are
no firm boundaries separating them. The stages consist of: Direction / Planning,
Collection, Evaluation, Collation, Analysis and Dissemination and will be described
in the next chapter.
2.3 The stages of the Intelligence Cycle
In this section the stages of the Intelligence Cycle will be further explained.
Figure 2: Intelligence cycle
2.4 Direction / Planning
The start point of the intelligence cycle is always the Direction / Planning given by
a client, which could be a senior staff member or an EU Member State. The client
supplies a number of intelligence requirements after which a collection plan is
drafted and the issuing of orders and requests to collection agencies begins.
Example: A senior law enforcement commander has an intelligence

requirement of needing to know which transit countries trafficked women
pass through to be able to focus his resources appropriately. Analysts are
directed or tasked to determine through analysis which states act as
transit countries in this instance.

5 (36)
2.5 Collection
Collection is the second stage in the intelligence cycle and is the directed, focused
gathering of information by collection agencies. Information is gathered through
overt and covert means, from all possible sources in order to meet the
information and intelligence requirements identified in the Direction/Planning
stage. Obtained information is then delivered to the appropriate analytical unit for
use in the production of intelligence. A ‘Collection Plan’ describes the approach of
how, case related, information can be collected. When drafting a collection plan,
the analyst must answer the following questions:
 What information do we want?

 Where do we get it from?
 Who does what?
 How much data can we handle?
 What is our goal?
2.5.1 The Exploitation of Sources and Agencies
The essential difference between a source and an agency is that a source

produces raw data and information, and an agency, in addition to having a
collection capability, also possesses some degree of analytical power and
therefore produces intelligence. Sources and agencies are defined as:
a. A Source. This is a person from whom, or element from which,

information can be obtained. A source possesses information either
acquired randomly (e.g. an overheard conversation in a café) or acquired
to meet a specific request (e.g. a surveillance camera recording images).
The source is the primary origin of the information. The only change to
the information that the source may effect is to its format. This may be,
for example, a translation from one language to another by a human
contact or the conversion of a picture from a visual image to a radio signal
by a satellite. A source has no capacity to analyse information.
b. An Agency. This term is an organisation or individual engaged in

collecting and/or analysing information. An agency may be capable of
collecting and analysing information or may simply have the capability to
collect information and must pass that information to another agency for
analysis. Agencies may be as small as a surveillance team reporting
suspect activity and can be as large as a government department
receiving information from a wide variety of sources with significant ability
to analyse and produce intelligence. A single-source agency is one that
produces intelligence that is largely based on a single source such as
imagery.
Sources and agencies can be grouped under three headings:
 Controlled. These are those sources and agencies, which can be tasked
to provide answers to questions. These would include, for example, overt
or covert surveillance assets, technical monitors, patrol vehicles and
helicopters.
 Uncontrolled. Those sources and agencies which provide information but

which are not under control and cannot be tasked directly. Newspapers,
radio and television broadcasts, technical journals, navigational
6 (36)
instructions, and maps and charts are but a few examples of uncontrolled
sources and agencies. Also within this category could fall information
provided by other Member States. Whilst data from other states might be
made available, tasking would be under the control of one state and other
nations may have no say in their use.
 Casual. A casual source provides information voluntarily and

unexpectedly. An example of such a source might be a detained illegal
immigrant or a local source with knowledge of imminent activity or
criminality. Information from a casual source should always be treated
with extra caution as the ability to ‘plant’ information through a casual
source can form part of a deception plan.
The Intelligence staff must know the detailed capabilities of all the sources and
agencies that are likely to be available to them. This will enable them to select
the appropriate source or agency for a particular collection task and to maintain a
check on the reliability and productivity of the sources and agencies that they are
using.
2.5.2 Delivery of Information
Information and intelligence degrades rapidly, its value decreasing with the
passage of time. In order to reduce the rate of degradation, timings within the
intelligence cycle must be as short as possible. It is, therefore, essential that
sources and agencies should be able to deliver the collected information or
intelligence as quickly as possible within a specified time frame.
2.5.3 The Nature of the Collection Plan
The Collection Plan must be seen as a continuous process in that it will task
sources and agencies, and react, by re-tasking or by tasking different sources and
agencies, to changes in the information and intelligence requirements. These will
emerge as the operation progresses and in some cases, will result from the
information and intelligence derived from the original tasking.
2.6 Evaluation
Analysts must know where information used for analysis has come from. There
are many reasons why information may not be reliable or entirely accurate.
Evaluation is the appraisal of an item of information in respect of the reliability of
the source and the credibility of the information. It is an assessment of how
reliable the source is and how likely the information that comes from it is to be
true. The evaluation step allocates an alphanumeric rating to each piece of
information or intelligence indicating the degree of confidence which may be
placed upon it.
Three fundamental principles need to be adopted before undertaking evaluation:
 Evaluation must not be influenced by personal feelings but be based on

objective professional judgement. Evaluation should be based upon
experience of other information produced by the same source and, in the
case of information obtained by a technical means, on knowledge of the
accuracy of that system.
 Evaluation of the source must be made separately from evaluation of the
information. This is to ensure that the rating allocated to the reliability of

7 (36)
the source does not influence that given to the credibility of the
information, or vice versa.
 Evaluation must be carried out as near to the source as possible
The accepted standardised values for allocating ratings for reliability of the source
and credibility of the information are:
Evaluation of Source Evaluation of Information

A Completely Reliable in all 1 Accuracy not in doubt.
instances
B Usually Reliable 2 Known personally to source but not known
personally to official passing it on.
C Not usually reliable 3 Not known personally to source, but
corroborated by other information held.
X Reliability cannot be judged 4 Accuracy cannot be judged or corroborated
in any way (at this time)
2.7 Collation
Collation is where the grouping together of related items of information or

intelligence provides a record of events and facilitates further analysis. In
practice, it is made up of the procedures for receiving, grouping and recording all
reports arriving in an intelligence office, at any level and it involves:
a. Allocating identifying references to and registering the receipt of each

incoming piece of information and intelligence.
b. Appropriate categorising each piece of information or intelligence

through logging, marking on a map or chart, filing or card indexing or
through the entry into an electronic database.
c. Maintaining a system for conducting these procedures which can be

operated rapidly and efficiently.
2.8 Analysis
Analysis is a step in the intelligence cycle in which information is subjected to

review in order to identify significant findings for subsequent interpretation and
combined into a pattern in the course of the production of further intelligence.
The analysis stage of the intelligence cycle is the most important as it concerns
the examination of the meaning of the available information highlighting the
essential features. The correct application of analysis can highlight information
gaps, strengths, weaknesses and indicate future courses of action. It consists of
two phases: data integration and data interpretation.
The scope for analysis and its overall credibility is dependent on the level and
accuracy of the information supplied combined with the skills of the analyst.
Analysis is a recurring process, which can be performed on all types of law
enforcement objectives. To enable effective analysis the type of information
examined should not be pre-set by artificial measures, but by the availability of
the information and the legal restrictions of each country.
Data integration This is the first phase of the analytical process combining
various types of information from different sources in order to develop hypothesis
for supporting operational activities. Although analysis is not solely about drawing
pictures, various techniques can be used to display this information; the most

8 (36)
commonly accepted being the use of charting techniques or visualisation tools to
show links.
In analysis, the evaluated and collated information is scanned for significant facts.
These are then related to data that are already known. Integration is the drawing
together of these conclusions and the identification from them of a pattern of
intelligence. This is a mental thought process and is the critical point in the
intelligence cycle where there is, as yet, no substitute for the experience and
judgement of the analyst.
The disciplined approach of analysis requires the maximum amount of information

to be assessed during integration to determine its relevance. Excluding
information at the beginning of the process can often lead to the significance of a
vital piece of information being overlooked resulting in the analysis being
incorrect, and more importantly jeopardising operational activity.
It is acceptable to collect, evaluate and analyse information, but all these

activities should lead to increased knowledge of, and insight into, criminal
activities that can be put to operational use. To really contribute to investigations
the analysts aim should be to produce hypotheses and predictions that lead to
additional clues for fact finding.
Data interpretation The next step in the analytical process is interpretation

which frequently means ‘going beyond the facts’, asking “what if” questions.
Indeed this should be a prerequisite for any analytical product. For this to be
successful the previous stages must be accurate and complete, to minimise the
risk that the analyst takes in making a subjective judgement on the information
available. The hypotheses made can be tested by the operational teams and
feedback is then essential.
The acceptation, modification or rejection of hypotheses can only take place using
additional information. The collection of information of test hypotheses is most
effectively done when some prior thought has been given to the development of
indicators. Indicators are clues that point to specific events corroborating or
falsifying earlier assumptions. Indicators save time and effort by allowing
focusing the collection of information on items that are relevant to a question.
The development and testing of hypotheses, in the context and with the benefit of
all the research done in the analysis process should finally result in the drafting of
conclusions and recommendations. Conclusions, intelligence requirements and
recommendations are a vital element of any analysis in communicating the
essence of the work done and the insights resulting from it to the parties with
operational or managerial responsibilities.
2.9 Dissemination
Dissemination is the timely delivery of intelligence, the result of the analysis, in

an appropriate form, by suitable means and to a selected audience. Delivering the
right information to the right person at the right time is a key responsibility.
The result of the dissemination will be presented by means of an intelligence

report and/or an oral presentation. This particular training course will focus on the
latter. For the purpose of this course, the participants are required to prepare an
oral briefing of the analytical results. A number of tools will assist the analysts in
achieving this.

9 (36)
It is advised to start the presentation by outlining the hypothesis. From there on
the analyst will present the premises which led to the hypothesis. The explanation
of the premises will be supported by charts or other data integration techniques.
When preparing a presentation, the analyst is advised to rehearse the

presentation beforehand, for example, by testing the equipment that is being
used and by considering the questions he or she may have to answer. In order to
do this, it is important to ‘analyse’ the audience. This means that the analyst
must be aware of who will attend and what the audience will try to get out of the
presentation. It is important the analyst knows the case and shows confidence.
The advantages of an oral briefing are the opportunity to answer questions from
the audience directly and the fact that an oral briefing will allow the analyst to
make last-minute changes. The advised time frame for a presentation is between
15-20 minutes. During this period of time the analyst must present the main
findings of the analysis, conclusions and recommendations.
3 Interpretation and Hypothesis Development
This chapter deals with building premises and hypotheses which are vital within
the analysis process and are tools for the analyst to convince his or her audience
of the result of the analysis. Furthermore, this chapter touches upon deductive
and inductive thinking.
3.1 Premises and Hypotheses
This training course is focused on the development of premises and hypotheses. A

premise is a:
“Statement or idea that forms the basis for a reasonable line of argument”
When assessing the available data, the analyst can build premises on matters
such as the structure of the organised crime group, criminal activities, the
financing of criminal activities, the Modus Operandi and the key individuals
involved. It is important that the analyst provides his audience what led him or
her to this particular premise.
Examples of premises and information leading to these premises are:
Premise 1: There is a fast rise in availability of counterfeit currency in the city of

London since May 2008
(Source: Statistical analysis, Bank of England and reports from informants)
Premise 2: Individuals with counterfeiting related backgrounds have moved to

the city
(Source: Concrete police reports about moves of specific criminals to London)
Premise 3: Robert Greene owns a printing plant and employs an engraver with a
record of counterfeiting.
(Source: Chamber of Commerce records, employment records, previous

convictions of Robert Greene)
Premise 4: Counterfeit notes are increasingly showing up at casinos.

10 (36)
(Source: Gaming board report on counterfeit notes)
This reasonable line of argument, mentioned in the definition of a premise will be

your hypothesis. A hypothesis can be defined as:
“An explanation or suggestion based on a few known facts but that has not yet
been proved to be true or correct”
The hypothesis is a working theory and the basis for further investigation by law
enforcement authorities. The hypothesis is a logical result of the premises that
were built and needs further testing, or disproving. The premises built in this
chapter could lead to the following hypothesis:
“Robert Green is the head of a criminal organisation responsible for the

production and distribution of counterfeit currency. The counterfeit money is
mainly distributed through casinos in London since May 2008”.
There are a number of key questions the analyst must try to answer when
building a hypothesis. These are:
 Key individual or individuals who ?
 Criminal activities what ?
 Method of operation how ?
 Geographical scope where ?
 Motive why ?
 Time frame when ?
The diagram below shows the steps needed to develop hypotheses. The
information collected is structured and integrated into charts by the analyst who
carefully examines the data. This information is grouped into areas of topics (e.g.
transportation, distribution, main suspects etc.) and summarised into premises
(statements) which are still based on facts. The analyst then looks at the
premises closely and formulates hypotheses using inductive logic and going
beyond the facts.

11 (36)
FRAGMENTED
INFORMATION
HYPOTHESIS FLOW
DEVELOPMENT
INFORMATION
INTEGRATED
INFORMATION
ITEM Z
PREMISE 1
ITEM B
ITEM M
ITEM K
PREMISE 2
ITEM G
ITEM S
CHARTS
ITEM T
ITEM B PREMISE 3 Hypothesis
Hypothesis
INFERENCE
ITEM L
ITEM R
ITEM Q
PREMISE 4
ITEM Y
ITEM N
ITEM P
ITEM S PREMISE 5
ITEM D
CHARTS
Figure 3 - Hypothesis development

12 (36)
3.2 Deductive an Inductive thinking
The building of premises and hypotheses is the result of a thinking process by the
analyst. These lines of thought can be specified in deductive and inductive
reasoning.
Arguments can be separated into two categories: deductive and inductive. With
deductive logic the conclusion must follow the premises. So if the premises are
true, the conclusion must be true.
Here is a classic example:
 All men are mortal (premise).

 Socrates was a man (premise).
 Socrates was mortal (conclusion).
As can be seen, if the premises are true (and they are), then it simply is not
possible for the conclusion to be false. If you have a deductive argument and you
accept the truth of the premises, then you must also accept the truth of the
conclusion; if you reject it, then you are rejecting logic itself.
With inductive logic the conclusion may follow from the premises but there is no
guarantee that the conclusion is true even if the premises are true.
Here is an example:
 Socrates was Greek (premise).

 Most Greeks eat fish (premise).
 Socrates ate fish (conclusion).
In this example, even if both premises are true, it is still possible for the
conclusion to be false (maybe Socrates was allergic to fish, for example).
When implementing inductive reasoning, the premises will lead to a hypothesis

which is necessary for crime analysis. Using deductive reasoning is less useful for
crime analysis as it is a structured way of thinking only focusing on known facts.
Deductive reasoning is only useful for crime analysis if the deductive logic
supports the inductive logic.

No dissemination of training material without prior authorisation by
Europol
13 (36)
Here is an overview and summary of the two reasoning described.
DEDUCTIVE INDUCTIVE
Hypothesis does not go Hypothesis goes beyond the

beyond the premises premises therefore an
therefore cannot arrive at opportunity for discovery and
something new. prediction.
No risk: If the premises are Risk: If the premises are true,
true, the hypothesis must be the hypothesis may or may not
true. be true.
Not very useful for criminal Useful for criminal intelligence

intelligence analysis. analysis.
Figure 4: Deductive vs. inductive reasoning

14 (36)
3.3 Creative and Critical thinking
3.3.1 What is Critical and Creative Thinking?
Critical thinking is the ability to think clearly and rationally. It includes the ability
to engage in reflective and independent thinking. Someone with critical thinking
skills is able to:
 Make use of information to solve problems

 Indentify relevance of information
 Solve problems systematically
 Review previous statements
 Be self-critical
 Be open-minded
Critical thinkers are able to identify the relevance of information and solve
problems in a systematic way.
Critical thinking techniques include the continuously asking of questions in order

to have a better understanding and to better define the problem. Being open-
minded and avoid biases is crucial. When coming to solutions on how to tackle a
certain problem, an analyst must consider a range of interpretation and possible
solutions and tolerate a level of uncertainty. Each final theory will require testing
or disproving in order to come to a balanced solution.
Creative thinking comes from:
 seeing things differently

 seeing different things
 generating multiple options
 ‘think outside the box’
 test your theory, see if it works
 a high level of awareness
 playing ‘what ifs’
Creative thinkers come up with new and/or alternative solutions to problems.

Developing creative thinking skills will help the crime analyst to have a wider
perspective and create a variety of options and scenarios which can be tested.
Developing both critical and creative thinking skills will assist in seeing multiple
perspectives, will avoid generalisation and will result in the development of even
better premises and hypotheses. Being an open-minded, critical and creative
thinker will improve your analytical skills

15 (36)
3.3.2 Brainstorming
A method to develop critical and creative thinking skills is brainstorming. This is

an idea-generating technique for attacking a specific problem. When responsible
for developing an analysis, it is advised to form a group of people with whom a
number of ideas are generated from which a solution is chosen. Key components
of a brainstorm session are to:
 Suspend judgement: Don’t criticise any idea which is brought forth. Write
all ideas down, evaluate them later
 Think freely: Wild thoughts are fine. Impossible and unthinkable ideas are
fine. Think outside the boundaries of ordinary, normal thought so brilliant,
new solutions may arise.
 Tag on: Improve, modify, build on ideas of others. What’s good about the
idea that’s being suggested? How can it be made to work? What changes
would make it better? Use another’s idea as stimulation for your own
improvement or variation.
 Quantity of ideas is important: Concentrate on generating a large stock of
ideas so that later on they can be sifted through. There are two reasons
for desiring a large quantity. First, the obvious, usual, stale, unworkable
ideas seem to come to mind first, so that the first, say, 20 or 25 ideas are
probably not going to be fresh and creative. Second, the larger your list of
possibilities, the more you will have to choose from.
3.3.3 Mind Mapping
A useful tool for writing down the ideas that result from a brainstorm session is a
Mind Map. This is an effective method of note taking where you organise and
cluster the ideas and suggestions derived from a brainstorm session. The basic
problem discussed in the group is centralised and all ideas are clustered per topic
by using words and phrases.
The example below shows how a Mind Map may look. This map concerns writing a
book.

16 (36)
Figure 5: Mind Mapping

17 (36)
3.4 Visualisation/Data Integration Techniques
Visualising data is beneficial for building premises and hypotheses and for
presenting the results of the analysis. Various techniques can be used to display
information and analytical findings. Well-known visualisation tools are charts and
maps. This chapter will describe and present a variety of options useful for crime
analysis. It must be emphasised that charting is not analysis but merely a tool to
assist the analyst in his or her daily activities.
3.4.1 Link Charting
The purpose of a link chart is to visualise information concerning relationships

between entities such as people, places, organisations etc. This may lead to
further clarification of the case or it can be used as a tool in a presentation or
report to visualise written text or spoken word.
When building a chart it is advised to start building a preliminary chart showing

all the entities and relations extracted from the available data. Confirmed entities
(A1, A2, B1, B2) and relations have solid lines on the charts whereas unconfirmed
entities and relations have striped lines. The tentative link should be used when
the analyst interpret the information and would like to show an assumed or
hypothesised link between two entities. The analyst should try to avoid crossing
lines. The structure of the chart is only relevant for the analyst.
See below the seven steps to construct a chart manually using a matrix.
1. Assemble all raw data

2. Determine focus of the chart
3. Construct an association matrix
4. Note the associations in the matrix
5. Determine number of links for each entity
6. Draw a preliminary chart
7. Clarify and re-plot the chart
These symbols are used to fill in the matrix.
= Confirmed association between two entities
= Unconfirmed association between two entities.
= Confirmed participant in the organisation or company.

Europol
18 (36)
= Unconfirmed participant in the organisation or company.
Before creating the chart the matrix should be completed with the collected
information. The following conversion rules apply.
A 1
+ Confirmed link
B 2
All the others

A3, A4, B3,
B4, C1, C2,
- Unconfirmed
link
….

19 (36)
Here is an example of a matrix filled in with data and symbols. The calculations
are done from left to right and from top to bottom and are equal to the total
number of associations for each entity. The sum is written below the matrix (see
red arrow). The entity with the highest number is indicating that this entity will be
placed in the middle of the chart as it has the most links. However, take note that
this does not mean the person is the main target in the investigation.
1,3,4,5
1,2
7,8
3,2,6
4,7,9,10
3,8,9
5
10
5,6
5 324 4 4 1 2 3

20 (36)
These symbols can be used for visualising the entities.
= Represent persons
= Represents companies or organisations.
= Confirmed links
= Unconfirmed links
= Tentative links
Below there are 10 examples of charts where the seven steps have been used
producing these charts manually.
TITUS Ltd
G RAYLING Ltd
STANTON B ROWN
FRANCIS
WENG LER Ltd
KESSLER
MARX
Example 1: preliminary chart
From there on the entities and links that are useful for the dissemination of the
case are kept in the chart. Below are some examples of how to visualise a larger
number of links between entities in a simple and pragmatic manner.

21 (36)
JAMES TRAVEL
JAMES
WHITE ALTON
FOREIGN TOURS
Example 2: An individual involved in two companies with one other

official involved in each company
GRANGE
INSURANCE LTD
HARVARD
FINANCE LTD ALTON MORTAGE
BROKERS LTD
DAVIS
Example 3: An individual involved in three companies, no other officials

involved
FRENCH MANSELL
Chairman Director
BOLTON
Secretary
BOLTON ENGINEERS LTD

Example 4: Three individuals involved in the same company, links
inferred and official position shown

22 (36)
BRAGLIA MANCINI
CIRESE
BORDOLI
FINANZIARIA SRL
Example 5: Individual linked to a company but not directly to the

individuals shown as employees of the company.
BRAGLIA MANCINI
CIRESE
BORDOLI
FINANZIARIA SRL
Example 6: Individual outside a company but with a link to the company

and an unconfirmed link to an employee of the company
.
EAST
LEE BATTEN
WEST HAMPSON
EAST WEST
MARKETING LTD L H B ADVERTISING LTD
Example 7: Association between two companies but no known links

between the individual officials of the companies.

23 (36)
FREEWAY SAVINGS LTD
GATEWAY INVESTMENTS LTD
CONSOLIDATED FINANCE LTD
SURTEES
Example 8: An individual who is an official of a number of companies,

which are subsidiaries of each other
SPECIALIST BROKERS LTD FREEWAY SAVINGS LTD
LOTUS INVESTMENTS LTD GATEWAY INVESTMENTS LTD
CONSOLIDATED FINANCE LTD
SURTEES
MONZA DATA LTD INTEREST FREE SAVINGS LTD
PERSONAL SAVINGS LTD PRESTIGE LOANS LTD
Example 9: An example of a full link chart

24 (36)
HOWSON Ltd AGRO BV
DRAKE VASSI ARNOLD POULSON LAZURE

OLSON
MANTON TRANSPORT
JONG MANCINI DAVID
BITTON
DUPRE COLES COSTAS
ROBERTS HERTZOG JANSSEN DION ALBERT
JANSSEN METALS D & A FINANCE
Example 10: A business with various subsidiary companies

25 (36)
3.4.2 Flow Charting
Flow charting can be used to determine the flow of a commodity (drugs, money,
goods, human beings, political influence, power etc.) between entities and to
outline the sequence of flows that have taken place. Like in link charting persons
are placed in a circle and organisations are placed in a square box which is
connected by an arrow indicating a direction. The arrows can be solid
(confirmed), striped (unconfirmed) or dotted (tentative). A hypothesised flow
chart can be used when very little of the information is known or when most of
the information is unconfirmed. Then solid (confirmed) arrows will be inserted in
the flow chart and the title of the chart will be ‘hypothesised flow chart’.
Figure 6 - Flow charting

Europol
26 (36)
3.4.3 Event Charting
Event charts show the relationship in time between events which are described in circles or rectangles. Like in flow charting, connecting
arrows are used to indicate a relationship between the evens. The events are also connected to a particular date and/or time.
15--20th May 2008 20--25th May 2008 Friday 30th Ma

12:00 15:00 18:00 21:00 00:00 16th 17th 18th 19th 20th 21st 22nd 23rd 24th 25th 26th 27th 28th 29th 00:00 03:00 06:00 09:00 12:00
Jacobs seen at US$1m into

MB Ltd. White's
account
Shipment
White met Delivery to Delivery to
arrives at MB
Jacobs Java & Co. Jacobs
Ltd.
Green seen at Delivery to

Java & Co. Green
Figure 7 - Event charting

27 (36)
3.4.4 Activity Charting
Activity charting is a useful tool for illustrating and analysing a process or

sequence of activities directed towards an objective. The amount of information
must be minimal. When making an activity chart, the analyst must answer three
questions:
1. What activities can be independent from other activities?

2. What activities must precede a given activity?
3. What activities must follow a given activity?
All activities for the chart must be identified after which it must be decided which
activities are dependant on others and which are not. Each activity is represented
by a symbol.
Select
Pack
travel
suitcase
clothes
Begin Itinerary Obtain

Withdraw Purchase
prepera- to travel ticket Start trip
savings tickets
tion agent costs
Get birth
certificate
Get Get Assemble

Get visa entry
photos passport
documents
Get
Get shots health
certificate
Figure 8 - Activity charting

Europol
28 (36)
3.4.5 Crime Mapping
Crime Mapping comes from considering the geographical aspect of the crime by
making use of maps and/or Geographical Information Systems (GIS) to capture,
analyse and visually interpret crime and crime patterns.
Location is an integral part of crime. For a crime to occur there must be an

offender and a suitable target together at a location. Crime mapping particularly
contributes to the analysis process in that it helps to generate a real
understanding of a criminal activity and the direction in tackling it. Proper use of
crime maps can lead to the identification of new problems or emerging crime
trends. In addition, analysis of crime maps can assist planners and policymakers
in devising effective responses to observed crime.
The emergence of the Geographic Information System (GIS) software allows

police to combine their crime location database with maps of the areas they
serve. The result is a crime map that effectively captures large amounts of data in
a format that is easy to comprehend.
Below two examples of maps are provided:
Figure 9 - Map showing locations of burglaries in a specific

neighbourhood

29 (36)
Figure 10 - Map showing ‘hot spots’ in connection with car theft in a
specific area
3.4.6 Geographic Information Systems
Geographic Information Systems (GIS) are computer systems for the collection,
storage, manipulation and retrieval of data used for the analysis of geo-
referenced data.
In order to work with GIS and to understand the Crime Mapping exercise of this
training course, the following cartography definitions are important:
Longitude (X): the angle east or west of the north–south line between the two
geographical poles that passes through an arbitrary point.
Latitude (Y): the angle between a point on the earth's surface and the equatorial
plane, measured from the centre of the sphere
Meridians: lines joining points of the same longitude. They are halves of large
circles, and are not parallel. They converge at the north and south poles.
Parallels: lines joining points of the same latitude which trace concentric circles
on the surface of the earth, parallel to the equator.
Origin: Greenwich meridian: Longitude 0. The equator divides the globe into the
Northern and Southern Hemispheres: Latitude 0.

30 (36)
Figure 11 - Projection basics
The map below shows the X and Y coordinates of Lisbon and Prague as well as
the Greenwich Meridian which represents the Equator.
Figure 12 - Projection example
3.4.7 Frequency and Cause and Effect Charting

31 (36)
The generation of large quantities of data increases the necessity of thorough
analysis. One way to analyse a substantial number of events is to look at
frequency, cause and effect. For instance, these events can include:
 Telephone communications
 Travel
 Financial activity
A frequency chart illustrates the occurrences of specified events concerning more

than one entity. This is used to highlight and identify entities of intelligence
interest.
The frequency chart clearly shows, for example, the number of times a specific
telephone number has been called or a location visited or a bank account
accessed.
It is important to emphasise that single occurrences may be more significant than

multiple occurrences and that the context of the events should not be overlooked.
The most effective use of a frequency chart is in producing regular updates to the
frequency chart based upon fresh data. These updates should enable comparison
between historic charts to further highlight significant changes, patterns and
trends.
Analytical results of frequency charts should be integrated with existing

operational data to increase the situational overview. For example, identification
of the telephone user or bank account holder or house owner concerned provides
more context to the findings of the frequency chart.
A cause and effect chart is used to establish if there is any pattern to the
connections between designated core entities. Charts of this type can be
produced in a number of formats, such as either showing links between the
entities or adding additional background data which may include information from
surveillance reports or witness statements.

32 (36)
Figure 13 - Frequency chart

33 (36)
3.4.8 Cause and Effect Charting
A Cause and Effect chart is a graphical display showing how various entities within an investigation act either separately or together. It
assists in understanding events and triggers analysis of why a particular event happened (the cause) and the results which follow (the
effects).
Figure 14 - Cause and effect chart

34 (36)
3.4.9 Time and Sequence Charting
A Time and Sequence chart illustrates a sequence of events for a number of

entities (persons, telephones, companies etc.) over a set period of time. This type
of chart will help the analyst to identify whether these events can be linked to
each other.
18-08-2008 25-08-2008 27-08-2008
Guy becomes Meeting of

Isis shareholders
director
Agency inc. Carstein
A2 514 A2 327
Carstein and
Dolcis Dubois consult
Office with chairman
Services
A2 514
Inherits
US dollar
Michelle
2,000,000
Dubois
A1 112
Figure 15 - Time and sequence chart (example 1)
Figure 16 - Time and sequence chart (example 2)

Europol
35 (36)
3.4.10 Proportional vs. Non-proportional
Any time-line can be illustrated in both a proportional and non-proportional

layout. The proportional layout illustrates a regular distance between time
intervals. This means that events which occurred 10 minutes apart are shown
twice as far apart on the chart as events that occurred 5 minutes apart. This type
of layout displays an accurate picture of when events occur in relation to each
other. A proportional layout could result in extensive charts with items appearing
far apart.
A non-proportional layout can be more useful when items are spread over a
longer period of time and the accuracy of the picture is less important.
Proportional Non-proportional
01/05/08
01/01/08 01/02/08 01/03/08 01/04/08 10:00 10:30 12:58 20:55
Time - scale
Title - period
meeting
John Wayne
Time - scale
10/10/60
unconfirmed confirmed End
Figure 17 Proportional vs. Non-proportional

36 (36)

Intelligence Analysis PDF

Uploaded by

Copyright:

Available Formats

You might also like

Intelligence Analysis PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Intelligence Analysis PDF

Uploaded by

Copyright:

Available Formats

Table of Contents

Europol Unclassified – Basic Protection Level

Figure 1: Course structure ................................ Error! Bookmark not defined.

Example 1: Preliminary chart ...................................................................... 19

Europol Unclassified – Basic Protection Level

Figure 1: Course structure

The practical exercises will be undertaken following an introduction to the subject

2 The Intelligence Process

There are many definitions of the word ‘intelligence’. It would be ill-advised to

Europol Unclassified – Basic Protection Level

The processing of information occurs in what is defined as the ‘Intelligence Cycle’

In law enforcement, intelligence can be divided into ‘Operational Intelligence’ and

2.1 The Principles of Intelligence

 Centralised Control: Intelligence must be centrally controlled to avoid

Europol Unclassified – Basic Protection Level

In order to develop the available information into intelligence, a structured and

2.3 The stages of the Intelligence Cycle

Figure 2: Intelligence cycle

2.4 Direction / Planning

Example: A senior law enforcement commander has an intelligence

Europol Unclassified – Basic Protection Level

 What information do we want?

2.5.1 The Exploitation of Sources and Agencies

The essential difference between a source and an agency is that a source

a. A Source. This is a person from whom, or element from which,

b. An Agency. This term is an organisation or individual engaged in

Sources and agencies can be grouped under three headings:

 Uncontrolled. Those sources and agencies which provide information but

 Casual. A casual source provides information voluntarily and

2.5.2 Delivery of Information

2.5.3 The Nature of the Collection Plan

Three fundamental principles need to be adopted before undertaking evaluation:

 Evaluation must not be influenced by personal feelings but be based on

Europol Unclassified – Basic Protection Level

Evaluation of Source Evaluation of Information

Collation is where the grouping together of related items of information or

a. Allocating identifying references to and registering the receipt of each

b. Appropriate categorising each piece of information or intelligence

c. Maintaining a system for conducting these procedures which can be

Analysis is a step in the intelligence cycle in which information is subjected to

Europol Unclassified – Basic Protection Level

The disciplined approach of analysis requires the maximum amount of information

It is acceptable to collect, evaluate and analyse information, but all these

Data interpretation The next step in the analytical process is interpretation

Dissemination is the timely delivery of intelligence, the result of the analysis, in

The result of the dissemination will be presented by means of an intelligence

Europol Unclassified – Basic Protection Level

When preparing a presentation, the analyst is advised to rehearse the

3 Interpretation and Hypothesis Development

3.1 Premises and Hypotheses

This training course is focused on the development of premises and hypotheses. A

Examples of premises and information leading to these premises are:

Premise 1: There is a fast rise in availability of counterfeit currency in the city of

(Source: Statistical analysis, Bank of England and reports from informants)

Premise 2: Individuals with counterfeiting related backgrounds have moved to

(Source: Concrete police reports about moves of specific criminals to London)

(Source: Chamber of Commerce records, employment records, previous

Premise 4: Counterfeit notes are increasingly showing up at casinos.