Analyst\'s Notebook guide Pre work reading PDF

Preview

Summary

Analyst Notebook guide...

Description

ANALYST’S NOTEBOOK GUIDE – 65313 FORENSIC INTELLIGENCE Computer lab 5

65313 – Forensic Intelligence Dr Marie Morelato in collaboration with Sabrina deSouza and Adrian Barfield (IBM)

Analyst’s Notebook Guide – 65313 Forensic Intelligence

1. Analyst’s Notebook IBM i2 Analyst’s Notebook provides a rich, data-centric single-user analysis environment that includes the key elements required to collate, manage, explore and analyse data. It is designed to help forensic scientists, analysts or investigators discover and visualise key information hidden in the mass of disparate data commonly collected in forensic science.

a. User interface

i. Charting area This is the area where entities and links between them are visually represented in a variety of formats such as link association (icons and lines), time line visualisations. Data can be added to the Chart from: •

The Repository or memory → IBase or the repository (this won’t be covered during the computer labs)

• •

Files The built-in palette ii. Palette

The palette contains three components: the entities, links and attributes

65313 – Forensic Intelligence

1

Analyst’s Notebook Guide – 65313 Forensic Intelligence

Entities

Links

Attributes

b. Manual charting Manual charting uses the icons and links in the palette section to drag into the chart area to create entities and links between entities. You can create charts either by manually adding entities and relationships, or by querying information from an i2 repository, or querying external data sources. This information might be personal knowledge, written reports, photographs, video clips, spreadsheets, emails, documents, and databases. Analyst's Notebook displays and analyses this information in visual form. Charts can depict: • Associations between entities such as people, places, vehicles, and organisations • The flow of data such as telephone calls and financial transactions • How related events unfold over time

65313 – Forensic Intelligence

2

Analyst’s Notebook Guide – 65313 Forensic Intelligence

i. Manually adding entities to a chart • • • • • •

ALL entities MUST have an identity (i.e. the identity field must never be blank) ALL entities MUST have a unique identity (i.e. the identity field must never be the same as another identity) Analyst’s Notebook is CASE sensitive and SPELLING sensitive Use consistent naming conventions to name entities (to avoid duplicates) NEVER use spaces, symbols or random numbering sequences to make entities unique NEVER use an Enter character in the Identity field

1. Switch on the Palette using button. Select an entity from the Palette, then drag and drop it into the chart area. If you want to add the same icons several times, you can double click on the entity.

When you add an entity on the chart, you can choose to represent it as an icon, theme line, event frame, box, circle or text block. If you mistakenly add an entity with the wrong representation or if you want to convert your chart from a relational chart to a temporal chart, you can change the representation at any time.

65313 – Forensic Intelligence

3

Analyst’s Notebook Guide – 65313 Forensic Intelligence

ii. Manually adding links to a chart • • • • •

Links can ONLY exist between TWO DIFFERENT entities Arrows can be added to show the direction DO NOT add arrow to links that show relationships between people You CANNOT create a link from one entity to itself Links do NOT have an identity field – only a Label field

1. Using the Links Palette, select the type of link relevant to your link (e.g. address, subscriber, etc.). Click and hold on the first entity and drag to the second entity. Then release the click. TIP: Hold down the shift key to keep adding links of the selected type.

Important tip: avoid line crossing and links should be at a 90 degrees angle. 2. You can edit the identity and label of the icon or link by, right mouse clicking, select Edit Item Properties and edit the text in the identity/label area. Then press OK.

65313 – Forensic Intelligence

4

Analyst’s Notebook Guide – 65313 Forensic Intelligence

The Identity field is the most critical and the one Analyst’s Notebook pays the most attention to. The identity field allows Analyst’s Notebook to keep track of entities and prevents you from placing the same entity on the chart more than once. In order for it to work, you need a consistent naming convention. If the identity field takes up too much space on the chart or you do not want to show all of it on the chart, you can either: -

Make the label different from the identity and remove unwanted characters Make the label different from the identity and put “Enter” characters in the Label field to make the label appear on multiple lines

65313 – Forensic Intelligence

5

Analyst’s Notebook Guide – 65313 Forensic Intelligence

iii. Add attributes • • •

An attribute class is the name of the characteristics being captured about the entity or link. It has a data format (text, date/time, number, Boolean flag) Attribute Values can either be created instantly (Attribute Instance) or be commonly occurring and permanently saved on the template as an Attribute Entry Attributes will appear below the label of the entity/link and should have a small symbol in front of the value

Attributes/properties are used for two main purposes: 1) To describe unique characteristics of the individual entities and links 2) To surface information that is required to assist in the detailed analysis of the information held within a chart.

Attribute

You can also add a picture that will then be shown on the chart. To add a picture, right click on an entity, then choose Edit Item Properties

Then you select Style > Picture > and browse the source folder in which the picture is kept, choose the image and press OK.

65313 – Forensic Intelligence

6

Analyst’s Notebook Guide – 65313 Forensic Intelligence

iv. Navigating the Chart The navigation functions can be found on the View menu as well as using the ribbon toolbar buttons:

1.1 Zoom in/out a) You can use the zoom in/out toolbars to zoom in/out on the last place you clicked b) You can use the Actual size button to return the chart to actual size → keyboard shortcut is the Home key 1.2 Mouse wheel zoom/scrolling a) You can use the mouse wheel to zoom in/out on the area wherever the mouse is placed b) You can hold the Ctrl key and use the mouse wheel to move up and down c) You can hold the Shift key and use the mouse wheel to right and left 1.3 Fit in window a) You can use the Fit to window toolbar to bring the entire chart in the window → keyboard shortcut: End key b) You can use the Fit height to window toolbar to make the window zoom into the maximum vertical extremities of the chart. It is used for very wide charts (such as timeline charts) and allows you to scroll left and right → keyboard shortcut: Shift + End keys c) You can use the Fit selection to window toolbar to make the window zoom into the selected items → keyboard shortcut: Ctrl + End keys d) Use the overview pane to zoom in/out → you can move the overview window on specific areas on the chart

65313 – Forensic Intelligence

7

Analyst’s Notebook Guide – 65313 Forensic Intelligence

v. Save chart as File In order to preserve the chart information you have created, charts can be saved to a file stored on the desktop or USB. Select File in the top left corner, then select Save>Save

c. Practical considerations The following list will provide you with several practical considerations useful for this subject. Society, organisations and locations (or countries) may be represented as boxes. However, boxes are not always ideal, in particular if there are many entities that belong to it.

1.1.1.1 Colour There is no fixed standard. The key is to be consistent on one chart, i.e. choose one colour per type of links (e.g. telephone calls, colleagues, etc.) or one colour per source (e.g. bank account of Mr X, phone number of Mr Z, etc.)

65313 – Forensic Intelligence

8

Analyst’s Notebook Guide – 65313 Forensic Intelligence The red colour is always more visible than all the other colours. Only use it if the links are of great importance so they stand out. For example, the red colour could be used to highlight contradictions or negation (e.g. Mr X denies being involved in the event). Yellow must be avoided as it is barely visible and will be difficult to see if the chart is printed. 1.1.1.2 Type of links There are three types of link strengths used to represent the validity of a relationship: -

Confirmed – solid line, used to show that the information is 100% confirmed with the source and information provided Unconfirmed – dashed line, used to show that the information is not 100% confirmed and there is some doubt present about the source or information used to create the link Tentative – dotted line, used to represent inferences (you are making the hypothesis)

You can modify the properties of the link by double clicking on the link → Style → Type → Line Strength.

65313 – Forensic Intelligence

9...