Understanding Link Analysis and Using it in Investigations - ShadowDragon.io

Understanding Link Analysis and Using it in Investigations


I started using link analysis for investigations somewhere around 2009/2010 when we were developing the first version of SocialNet.  A longtime friend, Roelof from Paterva, shared his vision for a link analysis platform.  Within a year SocialNet was born.  It was an unique marriage of link analysis with the process of collection and enhancement of data for deeper investigations and “open source intelligence”.

Somewhere along the way I forgot that not everyone gravitates towards data and visualization like myself. In addition, many in the information security space simply do not fully understand why or how to use link analysis.  This article will share the basics of link analysis and how you can to use it to strengthen investigation findings.

What is Link Analysis and Why Use it?

  • Link Analysis helps an investigator visualize complex “links” within an investigation that may be hard to communicate with others or hard to discern.
  • Link Analysis is helpful in quickly visualizing outliers for a target-centric investigation.
  • Many platforms exist enabling you to put information on a graph, document this information, and then link that information to another correlating item on the graph.

How Do I Get Started?

The concept of “entities” or “nodes” is common with each link analysis platform.  An entity can represent a person, place, thing and in many cases (depending on platform) other pieces of information can be documented in this entity.  As you put other entities on the graph, these entities are either connected to one another or they are not. When you have a connection, simply draw a line between one entity for a link to the other.  If there is a reciprocal link between the two entities draw a shared line back to the original entity.  Pretty easy right?

You can also treat entities as items that can be acted upon, like a search query in Google. For instance, on the graph below I created an entity entitled “Djohar Tsarnaev“.  I right clicked on it and searched all known Social Media providers for this name, just like a query in a search bar.  The results helped me discover Djohar had an account on Vkontakte (VK).

5 Minutes after the name of Djohar Tsarnaev was released, we used SocialNet in 2013 to discovery these findings. (April 16, 2013)

Chart Creation & Entity Management Best Practices

Entity naming conventions and placement are important when you need to remember things or keep some form of unity within the team.

Entity Creation, ALL CAPS

The recommendations for creating entities follows:

  • Name Entities in ALL CAPS.
  • Keep Entity Names on ONE LINE
  • No Punctuation
  • Entity Placement and Screenshots
    Sometimes you need to make a point with one, particular screenshot and nothing more

You should organize and place new entities onto your graph as you discover new things.  Sometimes you may simply be finding new clues, putting them in, and then focusing on each entity as a separate stage for prolonged periods of time.  Eventually, the value of link analysis graphing will show and you will have what I call the circle of truth represented on your graph.  Circles of truth will be literal circles where entities reference each other in different ways, making larger weighted nodes on your graph for easy interpretation of importance when full context may be lacking.

What Else Can or Should you do With Entities?

You can edit entities, fill in information / keep notes in entities and automate interaction (some link analysis platforms do not have this by default), and generally upload attachments.  The image posted below shows areas within Maltego where you can upload attachments and place notes into the entity.

This is a required feature in most link analysis platforms so you keep as many facts related to one entity in one place.

Adding Information to an Entity. Default screenshot of Maltego Entity.

Concluding Process

Your link analysis process should have the following work flow.

  1. Create Entities of Interest
  2. Document information in Each Entity
  3. Document Relationships between Entities
  4. Document Links To
  5. Document Links From
  6. Organize as you go!!

Even if you can’t automate things with lightening speed in the platform you are using, focus on being methodical in your collection, graphing, and documenting process.

The Bottom Line

Link Analysis can be an invaluable tool for investigators by enabling users to draw conclusions more precisely through the visual analysis of connections. It helps with analytical tasks where target-centric link analysis is key.  (Life-style Analysis, Analysis of Friends of Friends, Etc.).  It enables the story of complex relationships to be told with a picture, which can make trends and connections more obvious. Link Analysis will make dossiers more compelling.

Two of our most popular tools leverage link analysis for social media forensics and malware. To find out more, watch this video about SocialNet and this video about MalNet.

If you would like to discuss link analysis or target node analysis in greater detail give me a call.


Daniel Clemens

Daniel Clemens is the founder and CEO of both ShadowDragon and Packet Ninjas, a niche cyber security consulting and services company.

With extensive experience in defensive and offensive security, Daniel has been a quiet trailblazer in digital intel gathering long before cyber intelligence became a discipline. More than a decade ago he was inventing and applying his own intelligence tools in support of companies and governments around the world facing urgent threats. Using this deep understanding of web technologies and the behaviors of cybercriminals, he has enhanced, updated and packaged these tools under ShadowDragon.

Daniel is a member of the Odonata Holdings, Inc.
Scroll to Top