
Basic Counterintelligence Analysis in a Nutshell
Quick Reference Guide
By Irvin D. Sugg, Jr., B.S., J.D., Course Chairman, CI Analysis Course
Joint Counterintelligence Training Academy

Introduction to CI Analysis

This guide describes a step-by-step methodology for employing analytical skills and processes. It introduces analytical tools and suggests some sources of information that can be useful in CI situations, and can help you organize and process facts efficiently and effectively.

Quick Reference Index

Analytic Traps and Mindsets
• Perception
• Memory
• Cognitive Biases
• Tools for Overcoming Mindsets

Seven Steps of the Analytical Process
1. Identify the requirements and develop hypotheses.
2. Formulate a plan.
3. Collect and collate information.
4. Analyze and evaluate information.
5. Draw conclusions and make recommendations.
6. Produce a report.
7. Monitor new information.

Analytic Traps and Mindsets

Start each analytical project by clearing your mind of preconceived notions about the project and information you are about to analyze. Otherwise, you may focus on proving your preconceived solution, and in so doing, overlook relevant information.

Perception: Why can’t we see what is there to be seen? The truth is, we tend to perceive what we expect to perceive. Many factors influence perception, including past experiences, education, cultural values, and operating assumptions. To encourage objectivity and overcome tunnel-vision, analysts should solicit collaboration at points in the analytical process. Explicitly state your assumptions and reasoning, then ask others to challenge your thinking.

Memory: Anything that influences what you remember also influences the outcome of your analysis. Once you start thinking about a problem in a particular way, the same mental pathways are activated and strengthened each time you think about it thereafter, making it difficult to embrace new ideas. Make a conscious effort to be open to new information and incorporate it into the data already held in your memory, especially when it may cause you to change your view.

Cognitive Biases: Cognitive biases are mental errors caused by the human tendency toward simplified information-processing strategies. Cognitive bias does not result from an emotional or intellectual predisposition toward a particular judgment, but from subconscious information-processing procedures. As a result, we naturally pick and choose from the complete set of data and focus on a subset that suits our cognitive biases. An example is accepting what we see and hear rather than abstract information that we don’t process as easily. Also, we tend to fully accept or reject data instead of assigning a probability that the information is valid. This sets a bias, closing the mind to accepting the data as true when new supporting information is acquired.

Techniques for Overcoming Mindsets:

Brainstorming
Description: An unconstrained group process for generating new ideas and concepts.
When to Use: In the early stages of conceptualizing a problem or as a mechanism to break free from a prevailing mindset.

Key Assumptions Check
Description: An explicit exercise to list and challenge the key working assumptions that underlie analytic judgments.
When to Use: Develop key assumptions as you begin a project, then review them once the draft is completed to check how your thinking has evolved.

Red Cell Analysis
Description: Predicting the behavior of another individual or group by trying to replicate how that person or group thinks. Putting yourself “in their shoes.”
When to Use: When trying to predict the behavior of a specific person who has the authority to make decisions.

What If? Analysis
Description: Positing that an event with potential major (positive or negative) impact has occurred and then explaining how it came about.
When to Use: When analysts are having difficulty getting a decisionmaker or the policymaking community to focus on the potential for, or the consequences of, an event occurring, or when a conventional mindset is well-engrained.

Outside-In Thinking
Description: Identifying the range of systemic forces, factors, and trends that would have an impact on shaping an issue, then factoring them into the analysis.
When to Use: In the early stages, when attempting to identify all the factors that could influence how a particular situation will develop.

Indicators
Description: A pre-established list of observable events that is periodically reviewed to track events, spot emerging trends, and warn of unanticipated change.
When to Use: As a stand-alone tool or paired with other techniques; for example, to help determine which scenario is emerging. Indicators help “depersonalize” an argument by shifting attention to a set of objective criteria.

Devil’s Advocacy
Description: Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation.
When to Use: Best performed just before sending a paper out for coordination or presenting key conclusions to senior officials. Also helpful when there is widespread consensus on a critical issue.

Team A/Team B Analysis
Description: Using independent analytic teams to contrast two (or more) strongly held views or competing hypotheses.
When to Use: Most useful when there are competing views within the analytic or policy communities or a single, strongly held view that needs to be challenged.

Analysis of Competing Hypotheses
Description: Identifying a complete set of alternative hypotheses, systematically evaluating data that is consistent and inconsistent with each hypothesis, and rejecting hypotheses that contain too much inconsistent data.
When to Use: When an overarching framework is needed to capture all possible hypotheses and there is a robust flow of data to absorb and evaluate. Useful for dealing with controversial issues, especially when denial and deception may be present.

Alternative Futures Analysis
Description: A systematic method for identifying alternative trajectories by developing plausible but mind-stretching “stories” based on critical uncertainties in order to illuminate decisions made today.
When to Use: Useful for reducing uncertainty, anticipating surprise, and uncovering “unknown unknowns” when dealing with little concrete information.

Quadrant Crunching
Description: A structured brainstorming technique for challenging assumptions and discovering “unknown unknowns.”
When to Use: Most useful for dealing with highly ambiguous issues, such as terrorist threats, when little data is available.

Deception Detection
Description: The systematic use of checklists to determine when to look for deception, if it actually may be present, and how to avoid being deceived.
When to Use: When the analysis hinges on a critical piece of evidence and accepting the data would require changing key assumptions or expending/diverting major resources.

Seven Steps of the Analytical Process

1. Identify the Requirement and Develop Hypotheses

Make sure you fully understand the requirement. Clarify with who, what, where, how, and why questions, then state the question in a single sentence plus a couple of sentences of explanation.

Develop Hypotheses - Brainstorm all possible answers to the question, but don’t try to determine the correct hypothesis at this point. Your conclusions are only as good as the supporting data, and you have not yet fully evaluated it.

2. Formulate a Plan

Think of the project plan as a framework to guide collection. Decide what information is needed to prove or disprove the hypotheses and where you will get such information. Use the key elements of the question you identified in step 1 (Identify the requirement and develop hypotheses) to drive the collection plan. The plan should include all possible sources of information that are relevant to each requirement element, along with the planned analysis method and reporting procedures.

Figure 1. Project Plan
Assignment Date: 21-Aug-02
Requestor Name: Jay Pendleton
Target Completion Date: 22-Oct-02
Requirements Purpose: Is Charles Jones involved in espionage?
Project Number: 1
Requirement Description: Gather background information concerning Jones, analyze it, and determine if he is a spy. If he is, what should we do with him.
Hypotheses: 1. He is a spy. 2. He is innocent. 3. He is not a spy but involved in criminal activity.
Information Collection Methods (columns on the form): Mapping - Imagery; DOD Databases, IIRs; Commercial Databases (i.e. Lexis, Dunn); Relevant Websites, Internet; Subject Experts; Source - Witness; Surveillance; Investigative Technology (i.e. body wire, pen reg.); Major Databases (i.e. FinCEN). Marked: x x x x x x
Note: I will gather information to support or refute each of the hypotheses above and if other hypotheses are discovered, gather information on this one also.
Data Analysis Method (Software Tools, Other Tools) (columns on the form): Timeline; Link Analysis; Map Analysis; Matrix; Database Query/Reports. Marked: x x
Note: Will use a timeline and link analysis to make sense of the collected data. Will also use map analysis to determine if route Jones took was used by other Foreign intel agents.
Reporting Method (columns on the form): Written Reports; Informal Briefing; PowerPoint Pres. Marked: x x
Note: Present findings to JAY in a PowerPoint presentation.

3. Collect and Collate Information

Collect and collate information according to the project plan.

3 a. Collect Information

The Internet has become a major source of investigative information. It provides background information on people, businesses, criminal activity, and much more. Collecting information from the Internet requires a strategy to obtain the information sought. You should be aware of your persona as you search the internet. See what you look like at coolredemo.com. You should always know what web sites know about you.

Figure 2. Collect Information

1. Follow these steps to make your search more efficient:
• Spell out your search words. Define the topic, spell out key words, acronyms. Remember “what” and “who” define the end product. (See Figure 2.)
• Strategize. Plan your approach, online resources, tools.
• Search. Get online, execute, stay focused, use advanced search features.
• Sift. Filter the results and follow the leads.
• Save. Take notes, organize results, bookmark results.

2. Use the right search tool.
• Directories (http://dir.yahoo.com) offer manually built “subject trees” and match search terms with text in the directory’s own web page, category titles, website titles, description.
• Search Engines (Google, http://search.yahoo.com) are very large databases with a search engine “robot” that explores the Internet and copies web pages into their databases. These search engines support detailed keyword searches.
• Metasearch Engines (Dogpile, Metacrawler) reach multiple databases and search engines simultaneously, returning results from each at once. Thus, the user can conduct multiple searches by entering the search criteria once. Results vary, so try more than one.
• Linear Search Engines (www.kartoo.com and http://vivisimo.com) are metasearch engines that display query results in a link chart that relates the results to other sites or sub-topics.
• Clustering Search Engines (http://clusty.com or webclust.com) are metasearch engines that extract data into groups, such as topics, sources, or urls, and display statistics showing what information relates to which part of the search criteria entered by the user.
• Virtual Libraries (Joe’s guide to widgets) are built by subject experts and focus on a specific subject. Many can be found in Yahoo web directories, indices, FAQ’s, organizations (www.vlib.com).

3. Search Mailing lists, Reflectors, Listservs email information to people who are part of the group or interest association. You can find these groups searching for your group and adding the phrase “mailing list.”

4. Search Usenet Newsgroups allow individuals to post comments on particular topics. They also allow others to post responses. You can locate these newsgroups using Google “groups” (http://www.google.com).

5. Specific Search Engines provide a deeper search for specific topics.
• Search Systems links to over 30,000 public record databases (http://www.searchsystems.net/).
• Publicly Held Business Records can be found at (http://www.sec.gov/), Hoover’s Online (http://www.hoovers.com/free/).
• Search Engines Worldwide include (http://www.searchenginecolossus.com/).
• Phone Directories, People finders, Yellow and White Page directories include (http://www.melissadata.com/lookups/), (http://peoplesearch.net/), (http://refdesk.whitepages.com/).
• Imagery can be found at http://local.live and http://earth.google.com.
• Research Portal containing references and links is Refdesk at http://www.refdesk.com.
• Live Airline Tracker is at www.aeroseek.com/links/tracking2.html.
• Real Estate information can be obtained from www.netroline.com/public_records.htm; http://realestate.yahoo.com/re/homevalues/; www.zillow.com.

6. Data Removed from the Internet can be obtained from The Wayback Machine site (http://www.archive.org/).

Federal Agency Sources can provide a multitude of unclassified and classified data sources that track people, organizations, finances, and countries. This information is collected on topics of interest to military and civilian agencies. They include aviation, postal service, border control, law enforcement, and homeland security.

Major Computer Data Sources include Federal agency databases, such as defense personnel (Defense Manpower Data Center [DMDC]), financial crimes and money laundering (Financial Crimes Enforcement Network [FinCEN]), and many others.

State and Local Sources, such as state police departments, provide criminal and forensic services.

Confidential Informants, also known as assets, confidential sources, or cooperating witnesses, can be a most valuable source of information in any investigation. Many times such sources provide specific information that cannot be obtained by any other means; often because they have been involved in criminal, espionage, or terrorist activities themselves and have trusted access to others involved in the same activities. Their reliability, and therefore, their information, must always be verified, as their motives for talking to you can range from money, revenge, fear, ego, guilt about past wrong-doing, to simple good citizenship.

Private Business Databases maintain vast records on customer purchases, financing, background, and other useful information. They also maintain information on every aspect of their business operations.

Commercial Databases contain very detailed information about people, businesses, and organizations not only in the U.S. but in many other countries. Examples include names, addresses, relatives, neighbors, home purchase price, news media from around the world, and legal research.

Investigative Technology consists of covert devices that record, transmit, and listen such that they collect valuable information undetected.

3 b. Collate Information

After you have collected all information that would support or not support each of your hypotheses, organize your information such that information relating to each hypothesis is grouped with that hypothesis.

4. Analyze and Evaluate Information

Compare, contrast, and review data, looking not only at what is there, but what is missing. Formulate leads to feed back into the analytical cycle as necessary. Specific analytical tools are invaluable in analyzing data.

Analyze

There are a number of techniques to aid in analysis, including: pen and paper analysis and computer programs (spreadsheet analysis). For example:

• Timelines graphically display facts in chronological order, making it easier to understand what took place when. They are useful in preparing for interviews, conducting interrogations, informing key players, and providing clear courtroom demonstrations. Timelines can also be used to show patterns that might lead to prediction of future events.

Figure 3. Timeline of M’Aziq-Heri Activities

• Flow Charts show the progression of activities over time. The purpose of a flowchart is to graphically depict relationships between activities, events, and commodities.
1. Activities Flow Charts pinpoint sequential patterns of activity. It is useful in illustrating a process or sequence where one activity depends upon completion of another.
2. Event Flow Charts is a timeline of an organization and/or individual’s activities.
3. Commodity Flow Charting assists in determining the distribution pattern of weapons, money, goods, or services within an intelligence or criminal network. It is also useful in helping to identify key players in an organization’s hierarchy.

Figure 4. Flow of Funds to Support M’Aziq-Heri

• Link Charts show the relationship between people and entities. They provide an overview of the interrelationships among the subjects of complex conspiracy investigations. They are used when there is a large amount of data, a need to show relationships between a number of people and organizations. To create a link chart you must first list all chart entities in an association matrix. From the matrix, you decide who is at the center of the organization and create the link chart from the matrix.

Figure 5. Link Chart
Step 1. Create an Association Matrix (“Mohammad’s Right Hand” Association Matrix)
Step 2. From the Association Matrix, Create a Link Chart (“Mohammad’s Right Hand” Attack Cell)

Link Chart Rules
• Use solid lines for confirmed/strong links and dashed lines for unconfirmed/weak links.
• Box entities that are associated with each other.
• Associating people with multiple associations.
• No crossed lines.
• No curved lines.

• Telephone Toll Analysis has many uses in an investigation. It is one of the most important methods of collecting data. It provides evidence of associations, contact between two phones, identifies previously unknown associates, corroborates informant information, assists in establishing probable cause for wiretaps, and provides evidence in court proceedings. Forms of communication include phones, pagers, cell phones, computers, fax machines, PDAs. Raw data acquired from telephone companies has little value because of the volume of information. Once the required data from the telephone company is obtained, you must organize and analyze it to convert it to a useful form.

• Frequency Analysis depicts the frequency of numbers called from the target phone. Figure 6 is a simple example.

Figure 6. Frequency Analysis for Peter Grey Telephone Tolls, 5/9/2002
Target Number | Number Called | # of Calls
(834) 777-8695 | (993) 898-2385 | 6
(834) 777-8695 | (993) 283-9491 | 2
(834) 777-8695 | (993) 348-3422 | 3

• Telephone Toll Analysis Charts information gleaned from phone records. The phone numbers are associated with each other according to the number of calls made between the phones. (See Figure 7.)

Figure 7. Telephone Toll Analysis

• Financial Analysis is done to identify and document movement of money during the course of an activity. Proving someone has excess funds helps show espionage, terrorist, and other criminal activities. For example, you learn during an investigation that a suspect’s legitimate annual net income is $50,000. However, his total annual cash expenditures are $100,000. What is the source of his additional income? Gift? Trust Fund? Illegal activity? During financial analysis, you use accounting and auditing techniques to link financial events. You can find financial data in records from many sources: people, public records, real estate, corporate/business, UCC filings, court records, DMV, tax, and financial institutions. Spreadsheet software is very useful in financial investigations for gathering and organizing data, and for calculating the subject’s financial status. Net worth is calculated as follows: Assets – Liabilities = Net Worth. Figure 8 is an example of the use of this software in tracking net worth.

Figure 8. Concealed Income Analysis Worksheet for Sydney Slimeball
Item | 12/31/99 | 12/31/00 | 12/31/01
Assets (+) | | |
Cash in Bank | $5,000.00 | $7,000.00 | $9,000.00
Savings Account | $7,800.00 | $18,000.00 | $20,000.00
House (21005 Valenton Rd, Richmond, VA 15888) | $280,000.00 | $280,000.00 | $280,000.00
Apartment Condo (1720 10th St., VA Beach, VA 23666) | $68,000.00 | $68,000.00 | $68,000.00
Apartment Condo (7782 11th St., Ocean City, NJ 21842) | $0.00 | $244,400.00 | $244,400.00
House (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $380,000.00
Lexus (1993) | $14,000.00 | $13,000.00 | $12,000.00
Mercedes Benz (2001) | $0.00 | $0.00 | $37,000.00
Paintings | $0.00 | $4,000.00 | $14,000.00
Total Assets | $374,800.00 | $634,400.00 | $1,064,400.00
Liabilities (-) | | |
Mortgage (21005 Valenton Rd, Richmond, VA 15888) | $180,000.00 | $179,200.00 | $178,200.00
Mortgage (1720 10th St., VA Beach, VA 23666) | $40,000.00 | $39,300.00 | $38,600.00
Mortgage (7782 11th St., Ocean City, NJ 21842) | $0.00 | $150,000.00 | $149,200.00
Mortgage (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $270,000.00
Bank Loan | $35,000.00 | $32,800.00 | $20,000.00
Total Liabilities | $255,000.00 | $401,300.00 | $656,000.00
Net Worth | $119,800.00 | $233,100.00 | $408,400.00
Less: Networth of Previous Year | | $119,800.00 | $233,100.00
Increase in Networth | | $113,300.00 | $175,300.00
Add: Personal Living Expenses (+) | | $64,400.00 | $81,700.00
Total Income | | $297,500.00 | $490,100.00
Less: Income from Known Sources, Microsoft Salary (-) | | $85,000.00 | $105,000.00
Income from Unidentified Sources | | $212,500.00 | $385,100.00

Figure 9. Known vs. Unknown Income

• Map Analysis helps the analyst see patterns and associations that are not easily detected from texts. Layering data on the map (contacts, places, events, times) makes it easy to note the subject’s proximity to associates and activities, and may reveal tradecraft and “hot” areas. The map might show stops at or near locations associated with intelligence activities; or overlay surveillance results for multiple subjects/organizations to compare foreign intelligence entities’ routes, stops, or associations.

Figure 10. Map Analysis (map labels: Surveillance Route, Known Drop Sites)

• Pattern Analysis – All of the above analytical tools can provide a pattern of prior activities that could help predict future behavior. Timelines may show that a subject or entity has participated in specific activities on a regular basis and help project when he may do it again. Flow Charts reveal when a subject or entity has established a particular way of carrying out activities. Link Charts and Telephone Toll Analysis can show that a subject is associated with others and help predict future contacts based upon past communications. Financial Analysis can reveal spending habits. It can also show that money is received on a regular basis or after a certain catalyst event. Map Analysis can present a geographic pattern of routes with activities conducted along that route for one or more persons.

5. Draw Conclusions and Make Recommendations

After planning, collecting, and analyzing data, you must formulate conclusions and recommendations to report. It is at this point that you will evaluate the hypotheses developed in step 1 of the Analytical Process. A tool that will assist in selecting the most likely hypothesis is Analysis of Competing Hypotheses (ACH).

• Steps in Analysis of Competing Hypotheses – With ACH you compare the supporting evidence for each hypothesis against the others. You then identify all reasonable alternatives and compete them against each other to determine which is best. Many people rely on their intuition, picking what they suspect is the likely answer, then seeking evidence that supports this point of view. If they find enough evidence to support the favorite hypothesis, they pat themselves on the back and look no further. If the evidence points to another conclusion, they reject it as misleading or develop another hypothesis, which they attempt to prove through the same procedure. This mindset prevents them from fully evaluating the data and what they end up with is the first solution that seems satisfactory. Don’t do that. Instead:

Figure 11. Analysis of Competing Hypotheses
1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities. Avoid discounting anyone’s views simply because they are unpopular with you or your organization.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the “diagnosticity” of the evidence and arguments – that is, identify which items could be most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions that discuss the relative likelihood of all hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.

6. Produce a Report

Typical CI reports include threat assessments, trial materials, as well as graphic representations that clearly and concisely present the data. Examples are: link and matrix analyses, time event and flow charts, telephone toll analysis maps, and ACH decision matrices. These reports can be used to document the result of the analysis, and also to suggest solutions. Such reports can present a range of detail, from as simple as a verbal synopsis of analytical results to a formal briefing or detailed document.

7. Monitor New Information

During the collection process, data and events can change on a regular basis. These changes can alter the result of the final analysis such that the entire requirement must be re-evaluated based upon new and contradictory information. Consequently, one must continually monitor all old and new collection sources and be open to the possibilities raised by new information.

Selected Bibliography
• Heuer, Richards J., Jr. Psychology of Intelligence Analysis. McLean: Central Intelligence Agency Center for the Study of Intelligence. 1999. [Also available at http://www.cia.gov/csi/books/19104/index.html]
• U.S. Department of Justice, Criminal Division, Asset Forfeiture and Money Laundering Section, Financial Investigations Guide, June 1998.
• Haynal, Russ, www.Navigators.com
• Gottlieb, Steven, Sheldon Arenberg, and Raj Singh. Crime Analysis, from first report to final arrest, Alpha Publishing, Montclair, CA, 1998.
• Pherson Associates, LLC. Handbook of Analytic Tools & Techniques.
• Sugg, Irvin D. Jr. The Counterintelligence Analytical Process, 1st Edition, Joint Counterintelligence Training Academy, 2003.

The Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is an authorized Joint Counterintelligence Training Academy (JCITA) publication. It is printed and distributed solely for Instructional Training purposes. All editorial content of the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is prepared and edited by JCITA’s Education Services Branch. Opinions expressed herein by the author and writers are their own and not an official expression by the Department of Defense. The appearance of commercial products in this publication is not an endorsement by the Department of Defense of the products depicted. All characters, companies, products and events depicted in the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide are fictitious, and no similarity with any real persons or entities, living or deceased, is intended or should be inferred. Permission to use copyrighted materials was granted by the appropriate copyright holder. Use of copyrighted materials in this document falls within the “fair use” doctrine and does not constitute an endorsement of any commercial companies depicted.
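
Steps 3 to 7 of the ACH procedure in Figure 11, as an added worked example in Python; it is not part of the guide. The three hypotheses are those of the Figure 1 project plan, while every evidence item, consistency rating and credibility weight is constructed for illustration, and scoring by weighted inconsistency count is an assumption about how to apply the "disprove rather than prove" rule.

```python
"""ACH matrix walk-through (added illustration, not from the guide).

Hypotheses are taken from the guide's Figure 1. All evidence items,
ratings and weights are constructed sample data.
"""

HYPOTHESES = ("H1 spy", "H2 innocent", "H3 criminal, not a spy")

# Step 3: evidence down the side, hypotheses across the top.
# Ratings per hypothesis: "C" consistent, "I" inconsistent, "N" neutral.
# The integer is a credibility weight chosen by the analyst (assumption).
MATRIX = {
    "E1 cash spending exceeds known income":      (("C", "I", "C"), 2),
    "E2 repeated stops near known drop sites":    (("C", "I", "I"), 2),
    "E3 holds a security clearance":              (("C", "C", "C"), 1),
    "E4 frequent calls to a fraud-ring number":   (("N", "I", "C"), 1),
    "E5 no foreign contacts in toll records":     (("I", "C", "C"), 1),
    "E6 unreported foreign trips":                (("C", "I", "N"), 1),
}


def refine(matrix):
    """Step 4: drop items rated identically for every hypothesis.

    Such evidence cannot separate the hypotheses, so it has no
    diagnostic value however relevant it looks.
    """
    return {e: (r, w) for e, (r, w) in matrix.items() if len(set(r)) > 1}


def inconsistency_scores(matrix):
    """Step 5: total the weight of evidence *against* each hypothesis.

    Consistent and neutral items add nothing; the aim is to disprove.
    """
    scores = dict.fromkeys(HYPOTHESES, 0)
    for ratings, weight in matrix.values():
        for hyp, rating in zip(HYPOTHESES, ratings):
            if rating == "I":
                scores[hyp] += weight
    return scores


def rank(matrix):
    """Least-contradicted hypothesis first; name breaks ties deterministically."""
    scores = inconsistency_scores(matrix)
    return sorted(HYPOTHESES, key=lambda h: (scores[h], h))


def sensitivity(matrix):
    """Step 6: find single items whose removal changes the leading hypothesis.

    Removing an item models it being wrong, misleading or deceptive.
    Returns {evidence item: hypothesis that would lead without it}.
    """
    leader = rank(matrix)[0]
    critical = {}
    for item in matrix:
        without = {e: v for e, v in matrix.items() if e != item}
        new_leader = rank(without)[0]
        if new_leader != leader:
            critical[item] = new_leader
    return critical


def report(matrix):
    """Step 7: standing of every hypothesis, not just the most likely one."""
    refined = refine(matrix)
    scores = inconsistency_scores(refined)
    return [(h, scores[h]) for h in rank(refined)]


if __name__ == "__main__":
    refined = refine(MATRIX)
    print("Non-diagnostic, dropped:", sorted(set(MATRIX) - set(refined)))
    for hyp, score in report(MATRIX):
        print(f"{hyp:<24} inconsistency = {score}")
    for item, new_leader in sensitivity(refined).items():
        print(f"Critical item: {item!r}; without it the leader is {new_leader}")
```

The single critical item this sample data produces is the kind of evidence step 6 asks you to re-examine, and a natural candidate for the step 8 milestones.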
• Research Portal containing references and links is Refdesk at http://www.refdesk.com. • Flow Charts show the progression of activities over time. The purpose of a flowchart is to graphically depict relationships be-
• Live Airline Tracker is at www.aeroseek.com/links/tracking2.html. tween activities, events, and commodities.
• Real Estate information can be obtained from www.netroline.com/public_records.htm; http://realestate.yahoo.com/re/ 1. Activities Flow Charts pinpoint sequential patterns of activity. It is useful in illustrating a process or sequence where one activ-
homevalues/; www.zillow.com. ity depends upon completion of another.
6. Data Removed from the Internet can be obtained from The Wayback Machine site (http://www.archive.org/).
2. Event Flow Charts is a timeline of an organization and/or individual’s activities.
Federal Agency Sources can provide a multitude of unclassified and classified data sources that track people, organizations,
finances, and countries. This information is collected on topics of interest to military and civilian agencies. They include aviation, postal 3. Commodity Flow Charting assists in determining the distribution pattern of weapons, money, goods, or services within an
service, border control, law enforcement, and homeland security. intelligence or criminal network. It is also useful in helping to identify key players in an organization’s hierarchy.

Major Computer Data Sources include Federal agency databases, such as defense personnel (Defense Manpower Data Center • Link Charts show the relationship between people and entities. They provide an overview of the interrelationships among the
[DMDC]), fi nancial crimes and money laundering (Financial Crimes Enforcement Network [FinCEN]), and many others. subjects of complex conspiracy investigations. They are used when there is a large amount of data, a need to show relationships be-
tween a number of people and organizations. To create a link chart you must first list all chart entities in an association matrix. From
State and Local Sources, such as state police departments, provide criminal and forensic services.
the matrix, you decide who is at the center of the organization and create the link chart from the matrix.
Confidential Informants, also known as assets, confidential sources, or cooperating witnesses, can be a most valuable source of
information in any investigation. Many times such sources provide specific information that cannot be obtained by any other means;
often because they have been involved in criminal, espionage, or terrorist activities themselves and have trusted access to others involved Figure 5. Link Chart
in the same activities. Their reliability, and therefore, their information, must always be verified, as their motives for talking to you can Step 1. Create an Association Matrix Step 2. From the Association Matrix,
range from money, revenge, fear, ego, guilt about past wrong-doing, to simple good citizenship. Create a Link Chart
“Mohammad’s Right Hand” Association Matrix “Mohammad’s Right Hand” Attack Cell
Private Business Databases maintain vast records on customer purchases, fi nancing, background, and other useful information.
They also maintain information on every aspect of their business operations.
Commercial Databases contain very detailed information about people, businesses, and organizations not only in the U.S. but
in many other countries. Examples include names, addresses, relatives, neighbors, home purchase price, news media from around the
world, and legal research.
Investigative Technology consists of covert devices that record, transmit, and listen such that they collect valuable information
undetected.

3 b. Collate Information

After you have collected all information that would support or not support each of your hypotheses, organize your information such that
information relating to each hypothesis is grouped with that hypothesis.

4. Analyze and Evaluate Information
Compare, contrast, and review data, looking not only at what is there, but what is missing. Formulate leads to feed back into the analytical cycle as necessary. Specific analytical tools are invaluable in analyzing data.

Figure 3. Timeline of M’Aziq-Heri Activities

Link Chart Rules
• Use solid lines for confirmed/strong links and dashed lines for unconfirmed/weak links.
• Box entities that are associated with each other.
• Associating people with multiple associations.
• No crossed lines.
• No curved lines.

Analyze
There are a number of techniques to aid in analysis, including: pen and paper analysis and computer programs (spreadsheet analysis). For example:

• Timelines graphically display facts in chronological order, making it easier to understand what took place when. They are useful in preparing for interviews, conducting interrogations, informing key players, and providing clear courtroom demonstrations. Timelines can also be used to show patterns that might lead to prediction of future events.

Figure 4. Flow of Funds to Support M’Aziq-Heri

• Telephone Toll Analysis has many uses in an investigation. It is one of the most important methods of collecting data. It provides evidence of associations, contact between two phones, identifies previously unknown associates, corroborates informant information, assists in establishing probable cause for wiretaps, and provides evidence in court proceedings. Forms of communication include phones, pagers, cell phones, computers, fax machines, PDAs. Raw data acquired from telephone companies has little value because of the volume of information. Once the required data from the telephone company is obtained, you must organize and analyze it to convert it to a useful form.

• Frequency Analysis depicts the frequency of numbers called from the target phone. Figure 6 is a simple example.

Figure 6. Frequency Analysis for Peter Grey Telephone Tolls, 5/9/2002

| Target Number | Number Called | # of Calls |
|---|---|---|
| (834) 777-8695 | (993) 898-2385 | 6 |
| (834) 777-8695 | (993) 283-9491 | 2 |
| (834) 777-8695 | (993) 348-3422 | 3 |

• Telephone Toll Analysis Charts information gleaned from phone records. The phone numbers are associated with each other according to the number of calls made between the phones. (See Figure 7.)

Figure 7. Telephone Toll Analysis

• Financial Analysis is done to identify and document movement of money during the course of an activity. Proving someone has excess funds helps show espionage, terrorist, and other criminal activities. For example, you learn during an investigation that a suspect’s legitimate annual net income is $50,000. However, his total annual cash expenditures are $100,000. What is the source of his additional income? Gift? Trust Fund? Illegal activity? During financial analysis, you use accounting and auditing techniques to link financial events. You can find financial data in records from many sources: people, public records, real estate, corporate/business, UCC filings, court records, DMV, tax, and financial institutions. Spreadsheet software is very useful in financial investigations for gathering and organizing data, and for calculating the subject’s financial status. Net worth is calculated as follows: Assets – Liabilities = Net Worth. Figure 8 is an example of the use of this software in tracking net worth.

Figure 8. Concealed Income Analysis Worksheet for Sydney Slimeball

| Item | 12/31/99 | 12/31/00 | 12/31/01 |
|---|---|---|---|
| Assets (+) | | | |
| Cash in Bank | $5,000.00 | $7,000.00 | $9,000.00 |
| Savings Account | $7,800.00 | $18,000.00 | $20,000.00 |
| House (21005 Valenton Rd, Richmond, VA 15888) | $280,000.00 | $280,000.00 | $280,000.00 |
| Apartment Condo (1720 10th St., VA Beach, VA 23666) | $68,000.00 | $68,000.00 | $68,000.00 |
| Apartment Condo (7782 11th St., Ocean City, NJ 21842) | $0.00 | $244,400.00 | $244,400.00 |
| House (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $380,000.00 |
| Lexus (1993) | $14,000.00 | $13,000.00 | $12,000.00 |
| Mercedes Benz (2001) | $0.00 | $0.00 | $37,000.00 |
| Paintings | $0.00 | $4,000.00 | $14,000.00 |
| Total Assets | $374,800.00 | $634,400.00 | $1,064,400.00 |
| Liabilities (-) | | | |
| Mortgage (21005 Valenton Rd, Richmond, VA 15888) | $180,000.00 | $179,200.00 | $178,200.00 |
| Mortgage (1720 10th St., VA Beach, VA 23666) | $40,000.00 | $39,300.00 | $38,600.00 |
| Mortgage (7782 11th St., Ocean City, NJ 21842) | $0.00 | $150,000.00 | $149,200.00 |
| Mortgage (30052 Bangor Rd., Bala Cynwyd, PA 19004) | $0.00 | $0.00 | $270,000.00 |
| Bank Loan | $35,000.00 | $32,800.00 | $20,000.00 |
| Total Liabilities | $255,000.00 | $401,300.00 | $656,000.00 |
| Net Worth | $119,800.00 | $233,100.00 | $408,400.00 |
| Less: Networth of Previous Year | | $119,800.00 | $233,100.00 |
| Increase in Networth | | $113,300.00 | $175,300.00 |
| Add: Personal Living Expenses (+) | | $64,400.00 | $81,700.00 |
| Total Income | | $297,500.00 | $490,100.00 |
| Less: Income from Known Sources Microsoft Salary (-) | | $85,000.00 | $105,000.00 |
| Income from Unidentified Sources | | $212,500.00 | $385,100.00 |

Figure 9. Known vs. Unknown Income

• Map Analysis helps the analyst see patterns and associations that are not easily detected from texts. Layering data on the map (contacts, places, events, times) makes it easy to note the subject’s proximity to associates and activities, and may reveal tradecraft and “hot” areas. The map might show stops at or near locations associated with intelligence activities; or overlay surveillance results for multiple subjects/organizations to compare foreign intelligence entities’ routes, stops, or associations.

Figure 10. Map Analysis (map labels: Surveillance Route, Known Drop Sites)

• Pattern Analysis – All of the above analytical tools can provide a pattern of prior activities that could help predict future behavior. Timelines may show that a subject or entity has participated in specific activities on a regular basis and help project when he may do it again. Flow Charts reveal when a subject or entity has established a particular way of carrying out activities. Link Charts and Telephone Toll Analysis can show that a subject is associated with others and help predict future contacts based upon past communications. Financial Analysis can reveal spending habits. It can also show that money is received on a regular basis or after a certain catalyst event. Map Analysis can present a geographic pattern of routes with activities conducted along that route for one or more persons.

Tools For Overcoming Mindsets:

| Technique | Description | When to Use |
|---|---|---|
| Devil’s Advocacy | Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation. | Best performed just before sending a paper out for coordination or presenting key conclusions to senior officials. Also helpful when there is widespread consensus on a critical issue. |
| Team A/Team B Analysis | Using independent analytic teams to contrast two (or more) strongly held views or competing hypotheses. | Most useful when there are competing views within the analytic or policy communities or a single, strongly held view that needs to be challenged. |
| Analysis of Competing Hypotheses | Identifying a complete set of alternative hypotheses, systematically evaluating data that is consistent and inconsistent with each hypothesis, and rejecting hypotheses that contain too much inconsistent data. | When an overarching framework is needed to capture all possible hypotheses and there is a robust flow of data to absorb and evaluate. Useful for dealing with controversial issues, especially when denial and deception may be present. |
| Alternative Futures Analysis | A systematic method for identifying alternative trajectories by developing plausible but mind-stretching “stories” based on critical uncertainties in order to illuminate decisions made today. | Useful for reducing uncertainty, anticipating surprise, and uncovering “unknown unknowns” when dealing with little concrete information. |
| Quadrant Crunching | A structured brainstorming technique for challenging assumptions and discovering “unknown unknowns.” | Most useful for dealing with highly ambiguous issues, such as terrorist threats, when little data is available. |
| Deception Detection | The systematic use of checklists to determine when to look for deception, if it actually may be present, and how to avoid being deceived | When the analysis hinges on a critical piece of evidence and accepting the data would require changing key assumptions or expending/diverting major resources. |

Seven Steps of the Analytical Process

1. Identify the requirement and develop hypotheses
Make sure you fully understand the requirement. Clarify with who, what, where, how, and why questions, then state the question in a single sentence plus a couple of sentences of explanation.

Develop Hypotheses - Brainstorm all possible answers to the question, but don’t try to determine the correct hypothesis at this point. Your conclusions are only as good as the supporting data, and you have not yet fully evaluated it.

2. Formulate a Plan
Think of the project plan as a framework to guide collection. Decide what information is needed to prove or disprove the hypotheses and where you will get such information. Use the key elements of the question you identified in step 1 (Identify the requirement and develop hypotheses) to drive the collection plan. The plan should include all possible sources of information that are relevant to each requirement element, along with the planned analysis method and reporting procedures.

Figure 1. Project Plan
Assignment Date: 21-Aug-02
Requestor Name: Jay Pendleton
Target Completion Date: 22-Oct-02
Requirements Purpose: Is Charles Jones involved in espionage?
Project Number: 1
Requirement Description: Gather background information concerning Jones, analyze it, and determine if he is a spy. If he is, what should we do with him.
Hypotheses: 1. He is a spy 2. He is innocent. 3. He is not a spy but involved in criminal activity.
Information Collection Methods: IIRs | Mapping - Imagery | DOD Websites | Internet | Commercial Databases (i.e. Lexis, Dunn) | Relevant Databases (i.e. FinCEN) | Subject Experts | Source - Witness | Surveillance | Investigative Technology (i.e. Body wire, pen reg.) | Major Databases
Marked: x x x x x x
I will gather information to support or refute each of the hypotheses above and if other hypotheses are discovered, gather information on this one also.
Data Analysis Method (Software Tools, Other Tools): Timeline | Matrix | Map Analysis | Link Analysis | Database Query/Reports
Marked: x x
Will use a timeline and link analysis to make sense of the collected data. Will also use map analysis to determine if route Jones took was used by other Foreign intel agents.
Reporting Method: Written Reports | Informal Briefing | PowerPoint Pres.
Marked: x x
Present findings to JAY in a PowerPoint presentation.

3. Collect and Collate Information
Collect and collate information according to the project plan.

3 a. Collect Information

The Internet has become a major source of investigative information. It provides background information on people, businesses, criminal activity, and much more. Collecting information from the Internet requires a strategy to obtain the information sought. You should be aware of your persona as you search the internet. See what you look like at coolredemo.com. You should always know what web sites know about you.

Figure 2. Collect Information

1. Follow these steps to make your search more efficient:
• Spell out your search words. Define the topic, spell out key words, acronyms. Remember “what” and “who” define the end product. (See Figure 2.)
• Strategize. Plan your approach, online resources, tools.
• Search. Get online, execute, stay focused, use advanced search features.
• Sift. Filter the results and follow the leads.
• Save. Take notes, organize results, bookmark results.

2. Use the right search tool.
• Directories (http://dir.yahoo.com) offer manually built “subject trees” and match search terms with text in the directory’s own web page, category titles, website titles, description.
• Search Engines (Google, http://search.yahoo.com) are very large databases with a search engine “robot” that explores the Internet and copies web pages into their databases. These search engines support detailed keyword searches.
• Metasearch Engines (Dogpile, Metacrawler) reach multiple databases and search engines simultaneously, returning results from each at once. Thus, the user can conduct multiple searches by entering the search criteria once. Results vary, so try more than one.
• Linear Search Engines (www.kartoo.com and http://vivisimo.com) are metasearch engines that display query results in a link chart that relates the results to other sites or sub-topics.
• Clustering Search Engines (http://clusty.com or webclust.com) are metasearch engines that extract data into groups, such as topics, sources, or urls, and display statistics showing what information relates to which part of the search criteria entered by the user.
• Virtual Libraries (Joe’s guide to widgets) are built by subject experts and focus on a specific subject. Many can be found in Yahoo web directories, indices, FAQ’s, organizations (www.vlib.com).

3. Search Mailing Lists, Reflectors, Listservs. These email information to people who are part of the group or interest association. You can find these groups by searching for your group and adding the phrase “mailing list.”

4. Search Usenet Newsgroups. These allow individuals to post comments on particular topics. They also allow others to post responses. You can locate these newsgroups using Google “groups” (http://www.google.com).

5. Specific Search Engines provide a deeper search for specific topics.
• Search Systems links to over 30,000 public record databases (http://www.searchsystems.net/).
• Publicly Held Business Records can be found at (http://www.sec.gov/), Hoover’s Online (http://www.hoovers.com/free/).
• Search Engines Worldwide include (http://www.searchenginecolossus.com/)
• Phone Directories, People finders, Yellow and White Page directories include (http://www.melissadata.com/lookups/), (http://peoplesearch.net/), (http://refdesk.whitepages.com/).
• Imagery can be found at http://local.live and http://earth.google.com.

5. Draw Conclusions and Make Recommendations
After planning, collecting, and analyzing data, you must formulate conclusions and recommendations to report. It is at this point that you will evaluate the hypotheses developed in step 1 of the Analytical Process. A tool that will assist in selecting the most likely hypothesis is Analysis of the Competing Hypothesis (ACH).

• Steps in Analysis of the Competing Hypothesis – With ACH you compare the supporting evidence for each hypothesis against the others. You then identify all reasonable alternatives and compete them against each other to determine which is best. Many people rely on their intuition, picking what they suspect is the likely answer, then seeking evidence that supports this point of view. If they find enough evidence to support the favorite hypothesis, they pat themselves on the back and look no further. If the evidence points to another conclusion, they reject it as misleading or develop another hypothesis, which they attempt to prove through the same procedure. This mindset prevents them from fully evaluating the data and what they end up with is the first solution that seems satisfactory. Don’t do that. Instead:
1. Identify the possible hypotheses to be considered. Use a group of analysts with different perspectives to brainstorm the possibilities. Avoid discounting anyone’s views simply because they are unpopular with you or your organization.
2. Make a list of significant evidence and arguments for and against each hypothesis.
3. Prepare a matrix with hypotheses across the top and evidence down the side. Analyze the “diagnosticity” of the evidence and arguments – that is, identify which items could be most helpful in judging the relative likelihood of the hypotheses.
4. Refine the matrix. Reconsider the hypotheses and delete evidence and arguments that have no diagnostic value.
5. Draw tentative conclusions about the relative likelihood of each hypothesis. Proceed by trying to disprove the hypotheses rather than prove them.
6. Analyze how sensitive your conclusion is to a few critical items of evidence. Consider the consequences for your analysis if that evidence were wrong, misleading, or subject to a different interpretation.
7. Report conclusions that discuss the relative likelihood of all hypotheses, not just the most likely one.
8. Identify milestones for future observation that may indicate events are taking a different course than expected.

Figure 11. Analysis of Competing Hypotheses

6. Produce a Report
Typical CI reports include threat assessments, trial materials, as well as graphic representations that clearly and concisely present the data. Examples are: link and matrix analyses, time event and flow charts, telephone toll analysis maps, and ACH decision matrices. These reports can be used to document the result of the analysis, and also to suggest solutions. Such reports can present a range of detail — as simple as a verbal synopsis of analytical results to a formal briefing or detailed document.

7. Monitor New Information
During the collection process, data and events can change on a regular basis. These changes can alter the result of the final analysis such that the entire requirement must be re-evaluated based upon new and contradictory information. Consequently, one must continually monitor all old and new collection sources and be open to the possibilities raised by new information.

Selected Bibliography
• Heuer, Richards J., Jr. Psychology of Intelligence Analysis. McLean: Central Intelligence Agency Center for the Study of Intelligence. 1999. [Also available at http://www.cia.gov/csi/books/19104/index.html]
• U.S. Department of Justice, Criminal Division, Asset Forfeiture and Money Laundering Section, Financial Investigations Guide, June 1998.
• Haynal, Russ, www.Navigators.com
• Gottlieb, Steven, Sheldon Arenberg, and Raj Singh. Crime Analysis, from first report to final arrest, Alpha Publishing, Montclair, CA, 1998.
• Pherson Associates, LLC. Handbook of Analytic Tools & Techniques.
• Sugg, Irvin D. Jr. The Counterintelligence Analytical Process, 1st Edition, Joint Counterintelligence Training Academy, 2003.

Basic Counterintelligence Analysis in a Nutshell
Quick Reference Guide
By Irvin D. Sugg, Jr., B.S., J.D., Course Chairman, CI Analysis Course
Joint Counterintelligence Training Academy

Introduction to CI Analysis
This guide describes a step-by-step methodology for employing analytical skills and processes. It introduces analytical tools and suggests some sources of information that can be useful in CI situations, and can help you organize and process facts efficiently and effectively.

Quick Reference Index
Analytic Traps and Mindsets
• Perception
• Memory
• Cognitive Biases
• Tools for Overcoming Mindsets
Seven Steps of the Analytical Process
1. Identify the requirements and develop hypotheses.
2. Formulate a plan.
3. Collect and collate information.
4. Analyze and evaluate information.
5. Draw conclusions and make recommendations.
6. Produce a report.
7. Monitor new information.

Analytic Traps and Mindsets
Start each analytical project by clearing your mind of preconceived notions about the project and information you are about to analyze. Otherwise, you may focus on proving your preconceived solution, and in so doing, overlook relevant information.

Perception: Why can’t we see what is there to be seen? The truth is, we tend to perceive what we expect to perceive. Many factors influence perception, including past experiences, education, cultural values, and operating assumptions. To encourage objectivity and overcome tunnel-vision, analysts should solicit collaboration at points in the analytical process. Explicitly state your assumptions and reasoning, then ask others to challenge your thinking.

Memory: Anything that influences what you remember also influences the outcome of your analysis. Once you start thinking about a problem in a particular way, the same mental pathways are activated and strengthened each time you think about it thereafter, making it difficult to embrace new ideas. Make a conscious effort to be open to new information and incorporate it into the data already held in your memory, especially when it may cause you to change your view.

Cognitive Biases: Cognitive biases are mental errors caused by the human tendency toward simplified information-processing strategies. Cognitive bias does not result from an emotional or intellectual predisposition toward a particular judgment, but from subconscious information-processing procedures. As a result, we naturally pick and choose from the complete set of data and focus on a subset that suits our cognitive biases. An example is accepting what we see and hear rather than abstract information that we don’t process as easily. Also, we tend to fully accept or reject data instead of assigning a probability that the information is valid. This sets a bias, closing the mind to accepting the data as true when new supporting information is acquired.

Techniques for Overcoming Mindsets:

| Technique | Description | When to Use |
|---|---|---|
| Brainstorming | An unconstrained group process for generating new ideas and concepts. | In the early stages of conceptualizing a problem or as a mechanism to break free from a prevailing mindset. |
| Key Assumptions Check | An explicit exercise to list and challenge the key working assumptions that underlie analytic judgments. | Develop key assumptions as you begin a project, then review them once the draft is completed to check how your thinking has evolved. |
| Red Cell Analysis | Predicting the behavior of another individual or group by trying to replicate how that person or group thinks. Putting yourself “in their shoes.” | When trying to predict the behavior of a specific person who has the authority to make decisions. |
| What If? Analysis | Positing that an event with potential major (positive or negative) impact has occurred and then explaining how it came about. | When analysts are having difficulty getting a decisionmaker or the policymaking community to focus on the potential for, or the consequences of, an event occurring, or when a conventional mindset is well-engrained. |
| Outside-In Thinking | Identifying the range of systemic forces, factors, and trends that would have an impact on shaping an issue, then factoring them into the analysis. | In the early stages, when attempting to identify all the factors that could influence how a particular situation will develop. |
| Indicators | A pre-established list of observable events that is periodically reviewed to track events, spot emerging trends, and warn of unanticipated change. | As a stand-alone tool or paired with other techniques; for example, to help determine which scenario is emerging. Indicators help “depersonalize” an argument by shifting attention to a set of objective criteria. |

The Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is an authorized Joint Counterintelligence Training Academy (JCITA) publication. It is printed and distributed solely for Instructional Training purposes. All editorial content of the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide is prepared and edited by JCITA’s Education Services Branch. Opinions expressed herein by the author and writers are their own and not an official expression by the Department of Defense. The appearance of commercial products in this publication is not an endorsement by the Department of Defense of the products depicted. All characters, companies, products and events depicted in the Basic Counterintelligence Analysis in a Nutshell Quick Reference Guide are fictitious, and no similarity with any real persons or entities, living or deceased, is intended or should be inferred. Permission to use copyrighted materials was granted by the appropriate copyright holder. Use of
copyrighted materials in this document falls within the “fair use” doctrine and does not constitute an endorsement of any commercial companies depicted.
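
The Analysis of Competing Hypotheses steps listed earlier (build the matrix, judge diagnosticity, refine, score by disproof, test sensitivity) can be worked through on a small matrix; the following Python sketch is an added example and is not part of the guide. The three hypotheses are taken from the Figure 1 project plan, while the evidence items, their C/I/N ratings, the weights, and the weighted-inconsistency scoring rule are constructed assumptions for illustration.

```python
"""ACH matrix sketch: diagnosticity, refinement, disproof scoring, sensitivity."""

# Hypotheses from the guide's Figure 1 project plan.
HYPOTHESES = ["spy", "innocent", "criminal_not_spy"]

# Constructed sample evidence (not from the guide). Each item carries an
# assumed weight and a rating per hypothesis:
# "C" consistent, "I" inconsistent, "N" neutral.
EVIDENCE = {
    "income_exceeds_known_salary": (
        2, {"spy": "C", "innocent": "I", "criminal_not_spy": "C"}),
    "holds_security_clearance": (
        1, {"spy": "C", "innocent": "C", "criminal_not_spy": "C"}),
    "stops_near_known_drop_sites": (
        2, {"spy": "C", "innocent": "I", "criminal_not_spy": "I"}),
    "no_foreign_contacts_in_toll_records": (
        1, {"spy": "I", "innocent": "C", "criminal_not_spy": "C"}),
    "cash_deposits_after_each_trip": (
        1, {"spy": "C", "innocent": "I", "criminal_not_spy": "C"}),
}


def is_diagnostic(ratings):
    """Step 3: an item helps only if it rates the hypotheses differently."""
    return len({ratings[h] for h in HYPOTHESES}) > 1


def refine(matrix):
    """Step 4: delete items that have no diagnostic value."""
    return {name: row for name, row in matrix.items() if is_diagnostic(row[1])}


def inconsistency_scores(matrix):
    """Step 5: score by disproof, summing the weights of items rated 'I'."""
    scores = {h: 0 for h in HYPOTHESES}
    for weight, ratings in matrix.values():
        for h in HYPOTHESES:
            if ratings[h] == "I":
                scores[h] += weight
    return scores


def leaders(scores):
    """Hypotheses with the least inconsistent evidence (ties are kept)."""
    best = min(scores.values())
    return sorted(h for h, s in scores.items() if s == best)


def critical_items(matrix):
    """Step 6: items whose removal changes which hypothesis leads."""
    baseline = leaders(inconsistency_scores(matrix))
    critical = []
    for name in matrix:
        reduced = {k: v for k, v in matrix.items() if k != name}
        if leaders(inconsistency_scores(reduced)) != baseline:
            critical.append(name)
    return critical


def report(matrix):
    """Step 7: relative standing of every hypothesis, not only the leader."""
    return sorted(inconsistency_scores(matrix).items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    refined = refine(EVIDENCE)
    print("dropped as non-diagnostic:", sorted(set(EVIDENCE) - set(refined)))
    for hypothesis, score in report(refined):
        print(f"{hypothesis:18} weighted inconsistency = {score}")
    print("conclusion hinges on:", critical_items(refined))
```

In this constructed matrix the leading hypothesis depends on a single item, which is exactly the situation step 6 asks the analyst to examine before reporting.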
