IBM Security March 2017

White Paper

IBM i2 Analyst’s Notebook

Discover and deliver actionable intelligence to help identify, predict and
prevent criminal, terrorist, and fraudulent activities
2 IBM i2 Analyst’s Notebook
Contents
2 Introduction
3 Who should read this white paper
3 Potential benefits of i2 Analyst’s Notebook
5 Key features of i2 Analyst’s Notebook
23 Technical description
23 What prerequisites are required to install the product?
23 What documentation is provided?
23 For more information
IBM® i2® Analyst’s Notebook®
provides rich visual analysis capabilities that help to quickly
turn complex sets of disparate information into high-quality
and actionable intelligence. It is designed to help analysts,
and others involved in intelligence analysis to identify, predict,
and prevent criminal, terrorist and fraudulent activities.
i2 Analyst’s Notebook allows users to quickly collate both
structured and unstructured information in a powerful visual
analysis environment. It supports analysts in rapidly building a
single, cohesive intelligence picture. The intuitive, modern user
experience reduces user familiarization times, allowing users and
organizations to quickly take advantage of productivity gains. The
flexible data model and visualization environment coupled with a
comprehensive range of visual analysis tools help users build insight
and understanding on complex data sets. It helps drive the faster
discovery of key individuals, connections, relationships, events,
patterns and trends in data that might otherwise be missed.
Integrated Social Network Analysis capabilities also deliver
increased comprehension of social relationships and structures
within networks of interest.
The results that are delivered from this detailed analysis can
then be shared with intuitive and visual briefing charts or
visualizations. These simple visualizations can easily be
included in other end intelligence products. This greatly
simplifies the communication of sometimes complex
information and scenarios and ultimately helps to drive more
timely and accurate operational decision making.
i2 Analyst’s Notebook’s a technology is road-tested by
over 2,000 organizations worldwide. It is designed to help
government agencies and private sector businesses
in their fight against increasingly sophisticated criminal
and terrorist organizations.
i2 Analyst’s Notebook offers a wide range
of analysis and visualization capabilities
that can aid in the identification of key
actionable intelligence.
 IBM Security 3

Potential benefits of i2 Analyst’s Notebook

Reduce the time that is required to deliver rich,
actionable intelligence from complex sets of
disparate data
• Quickly turn data into easily understandable visualizations to
aid in the analysis of complex scenarios
• Combine all available information to build a single cohesive
intelligence picture
• Perform effective analysis of a wide range of data types with
a flexible data modeling and visualization environment
• Increase insight and understanding and the depth of
intelligence products for more effective resource utilization

i2 Analyst’s Notebook supports the dynamic

human thought process and offers unparalleled
visual analytics.
Who should read this white paper
This white paper is intended for:

• Potential users of i2 Analyst’s Notebook such as analysts

and investigators who want information about i2 Analyst’s
Notebook and the potential benefits it provides.
• Managers or team leads who want to learn more about
how their teams can use the application most efficiently.
• System administrators who want to gain a high-level
understanding of the product and system prerequisites
that are needed to install and run the application.

This document relates to i2 Analyst’s Notebook version 8.9.7

4 IBM i2 Analyst’s Notebook
Identify connections, patterns, and key intelligence
that might otherwise be missed
• Identify the key who, why, what, where and when of any
analysis question with a wide range of visual analysis tools
• Combine association, temporal and geospatial aspects of data
with multi-dimensional analysis views
• Quickly highlight key individuals and relationships and their
connections to key events with core link analysis capabilities
• Understand critical timeline of events or patterns within
criminal activities with powerful temporal analysis tools
• Identify potentially important intermediaries between
seemingly unconnected entities in a network
Increase understanding of complex criminal, terrorist,
and fraudulent networks
• Gain better insight and understanding of the structure,
hierarchy and ‘modus-operandi’ of complex networks with
integrated Social Network Analysis tools
• Aid the decision-making process and ensure best resource
utilization for operational activities in network disruption,
surveillance or influencing
Simplify the communication of complex information
to support timely and accurate decision making
• Clearly communicate complex data and scenarios with
intuitive and easy-to-follow charts and visualizations
• Drive the effective and efficient sharing of intelligence
for internal teams and across intelligence organizations
• Effectively share intelligence with a familiar tool that over
2,000 organizations use
Rapid deployment delivers near-immediate
productivity gains
• Remove the need for professional services deployment
costs with wizard-driven installer
• Reduce the time to streamline analysis and end intelligence
product generation activities with rapid deployment of
powerful visual analysis capabilities
• Rapid deployment and intuitive, modern user experience
delivers near immediate productivity gains
Proven worldwide visual analysis solution
• Over 2,000 organizations worldwide have used this
intelligence analysis solution
• Designed with input garnered from customer experiences
collected in real operational environments
• Comprehensive support infrastructure for global organizations
with language versions available in 17 languages
Key features of i2 Analyst’s Notebook
Overview
i2 Analyst’s Notebook is a powerful visual analysis environment
that offers users a comprehensive range of capabilities to
identify actionable intelligence hidden within disparate data
sets. These capabilities include:
• Flexible data acquisition tools to quickly ingest a wide
variety of data types and formats
• Flexible data modeling and visualization environment that
does not constrain the input of complex relational data
• Powerful range of visual analysis capabilities that enables
users to quickly gain increased understanding and reduces
the time to pin-point key intelligence
• Effective dissemination tools that simplify the communication
of complex data and scenarios
 IBM Security 5

Flexible data acquisition

i2 Analyst’s Notebook provides a range of methods to quickly
ingest the wide variety of information that intelligence analysts
are faced with everyday. This flexible approach to data
acquisition allows users to input a broad range of data types.
Examples include telephone call records, financial transactions,
computer IP logs and mobile forensics data, to name but a few.
i2 Analyst’s Notebook’s data acquisition allows users to:

• Rapidly import structured data via a wizard-style

visual importer
• Simplify manual data entry with an intuitive drag and
drop mode
• Connect to and query available data sources via numerous
extensibility options

Visual importing of structured data

i2 Analyst’s Notebook users can rapidly import data from
structured data files via the wizard-style visual importer. These import specifications can also be saved and shared. Data
Import specifications that map the data from tabular style files of the same format, for both individuals or across groups of
in to an i2 Analyst’s Notebook chart can be quickly created. analysts, can be quickly imported and visualized. These shared
Users are able to visually create how the different data aspects specifications help to provide data ready for analysis, with the
are to be mapped. Inputting this tabular style data into the minimum of effort and removal of any repetition of work.
visual environment of i2 Analyst’s Notebook can greatly
increase the potential of discovering key information. It helps
to identify connections and relationships or communication
and commodity flows across a network that would otherwise
remain hidden.
6 IBM i2 Analyst’s Notebook
Drag and drop manual data entry
i2 Analyst’s Notebook includes manual data entry options that
are designed to allow rapid chart item creation and editing. This
function provides an intuitive drag and drop interface that helps
to quickly build chart data. Users are able to choose from the
extensive array of icon types to visually represent real-world
items or events.
This visual interface in i2 Analyst’s Notebook displays the wide
range of icon, link, and attribute types available to users. This
extensive range can be used to best represent the imported data
and allows users to quickly add the wanted information on to a
chart. Templates that can be tailored to a user’s data entry
requirements can also be created.
Other importing methods
i2 Analyst’s Notebook also offers the ability to import data in
XML format. Style sheets can be created that are used in the
import process to transform the data into the format that is
required for i2 Analyst’s Notebook.
There are also a number of dedicated importers for specific
formats related to telephone and mobile forensics data.
Data acquisition extensibility options
The potential benefits of i2 Analyst’s Notebook can be further
enhanced by combining it with other capabilities from the
IBM i2 Intelligence Analysis Portfolio. Automated data
acquisition products such as IBM i2 iBridge and IBM i2
Information Exchange for Analysis Search for i2 Analyst’s
Notebook are available. Live connections, to one or more
of an organization’s existing data sources, can be established
directly from within the i2 Analyst’s Notebook environment.

This smooth integration gives analysts the ability to retrieve
and analyze information that is stored in multiple, standard
relational databases. With live data access, analysts can use
i2 Analyst’s Notebook to quickly retrieve vital information from
key databases. Users are also assured that any analysis is based
on the most up-to-date information available. It also helps
remove any reliance on a database specialist or the need to
learn a complex query language.
Organizations can also create data connections to existing data
sources themselves by using the IBM i2 Analyst’s Notebook SDK.
i2 Analyst’s Notebook can be upgraded to
allow connectivity to one or more of your
existing data sources.
IBM Security 7
Flexible data model and representation
i2 Analyst’s Notebook provides users with an environment
that offers flexibility in how data is modeled. The flexibility is
designed to ensure that users are not constrained in the input
of complex relational data. The intuitive environment allows
data to be modeled in various ways. Information can be
displayed in the most effective manner to suit the type of
data to be viewed and the analysis to be performed.
This flexibility allows users to:
• Represent information to best suit the data to be analyzed
• View data in multiple ways in the form of network and
timeline views
• Effectively visualize a wide range of data sets
• Perform various tasks for both analysis and briefing purposes
The visualization environment within i2 Analyst’s Notebook
allows users to represent information in association or timeline
charts. Items can be represented as entities, links, events,
timelines or attributes in order to best present the type of data
to be analyzed. This helps drive the effective analysis and
visualization of a wide range of data sets. Examples include
social networks, telephone records, financial transactions and
internet traffic records, to name but a few.
8 IBM i2 Analyst’s Notebook
Association charting/Link analysis
Link analysis, the bedrock of i2 Analyst’s Notebook since its
inception, is a proven tool for intelligence analysts. It remains a
key ingredient in identifying key connections and relationships
within complex data. The extensive association visualization and
analysis tools in i2 Analyst’s Notebook help users in identifying
key aspects within a data set of interest such as:
• Key individuals and their relationships with others
• Structures in networks
• Close-knit groups of individuals (clusters)
• Information or commodity flow across a network
The link analysis environment in i2 Analyst’s Notebook allows
users to display their data in association charts. The association
view can be used to show the relationships between entities
such as people and organizations and illustrate how they are
interconnected. A wide range of formatting options allows
users to quickly and easily represent real-world information.
These extensive options help provide increased insight and
understanding of a wide variety of ‘networks’. It helps analysts
better understand the relationships within criminal networks,
the communication patterns between individuals in a network,
and how money flows across a network and much more.
Timeline charting
i2 Analyst’s Notebook goes beyond just how entities are
interconnected by also allowing information to be portrayed in
the form of timeline charts. These temporal views can be used
to illustrate how sequences of events unfold over time.
They help not only reveal the interactions between entities but
also portray when these interactions occur.

Timeline charts are commonly used to analyze information such
as telephone call records and any forms of communications or
financial transactions. They also enable users to build a picture
of a sequence of events for time periods of interest. These type
of charts provide a powerful visualization that help to simplify
both the analysis and briefing of key temporal information.
Item property model
Users can easily use the following methods to store properties
or supplemental information for an item within i2 Analyst’s
Notebook:
• An item’s type is an important property. The type property is
used to define both entity and link types in a chart. In the
case of entities, the type can be used to define the visual icon
style that is displayed in the chart.
• Semantic types can be applied to give real-world meaning
for an item type. The real-world meaning helps when
performing a search on a data set. For example, a search for
a person type returns both males and females in the results.
• Other item properties can be stored as attributes against
an item.
• i2 Analyst’s Notebook includes a wide range of entity
(including associated visual icons), link, and attribute types.
However, users can easily create and add their own.
• Users (or their organization) can create templates so that
users are only given the option to choose types that are most
commonly used. Organizations can standardize the way
information is entered across an entire organization.
• An image — for example mug shots or CCTV imagery — can
also be stored against an entity. These images can then be
used to display on the chart in place of an entity’s visual icon.
• Supplemental information — that is, extra information on an
item from a different source — can be added in the form of
cards. These cards provide a method to record text-based
information against an item while also recording the source.
IBM Security 9
• Items can also be graded to record information such as source,
reliability and clearance level. The grading structure is
configurable to suit the needs of an organization.
• Items that are imported from external data sources can also
return the property information on those items in the form
of data records. This rich data can then be used by many of
the analysis tools within i2 Analyst’s Notebook.
Item visualization/Formatting
i2 Analyst’s Notebook provides an extensive icon set with a
high-quality, ultra-modern 3D look that offers clear, modern
and detailed real-world representations in charts. The extensive
range of icons that are provided includes individual sets that are
targeted at specific sectors. These icon sets include Defense,
Cyber, Telephone and Financial / Fraud analysis to name a few.
Users are also provided with many formatting options. These
options help in the identification of key information during
analysis or for emphasizing important items when briefing
intelligence. The formatting options available in i2 Analyst’s
Notebook include the ability to:
• Apply color icons to visually represent real-world properties
of an entity, such as the color of a vehicle.
• Visually categorize items in the form of colored Icon
Frames that can be used to visually group items with common
properties. These Icon Frames can also be used
to visually display analysis results from tools such as Social
Network Analysis.
• Modify the size of entities to identify or emphasize key or
important entities within a data set
• Include other supporting data such as pictures to enhance
briefing charts or reports with images of individuals. Timeline
charts can also be enhanced to include event
frames that depict, for example, CCTV images of an event.
10 IBM i2 Analyst’s Notebook
• Display the direction of links to visually represent who called
who within a phone call or how money flows
between accounts
• Categorize links with the use of color, width, or link
style. Easily identify differing types of relationship, higher
volumes of calls between individuals, relative size of financial
transactions between accounts, or the confidence level of
information that links two people together.
• Group items within a chart to ensure that items can be
selected and moved together as a group either manually
or when a user runs one of the analytical layouts.
• Change the display status of an item. Items can be hidden
(the item still exists but is not displayed) or “grayed-out” so
they are de-emphasized compared to other chart items.
Users can then put emphasis on particular items in a chart
but still maintain their context within a wider network.
Conditional formatting
Any formatting can also be applied semi-automatically with the
use of i2 Analyst’s Notebook Conditional Formatting. Users can
define a set of rules that automate the process of formatting
chart data to emphasize significant information for analysis or
presentation purposes. Rules can also be saved so that repetitive
tasks that are required across many charts can be automated.
Multiple rules can be set up in conditional formatting
specifications to perform complex formatting tasks. These
rules can be configured to work against the properties that are
contained within chart entities, links and attributes. As with
import specifications, the conditional formatting specifications
can be saved either locally or in a workgroup. Organizations
are provided with an effective method of standardizing analysis
and briefing tasks across wider teams. These specifications
can be shared to standardize the techniques that are used for
both analysis and presentation purposes. Examples include
identification of important information in the analysis phase,
or for standardizing the format of charts for reporting and
presentation purposes.
Powerful analysis capabilities
i2 Analyst’s Notebook provides a wide range of analysis
capabilities. The extensive analysis environment enables users to
quickly gain understanding of the information they are faced
with and pin-point any key intelligence.
These capabilities can help analysts to quickly analyze complex
data sets and allows users to:
 IBM Security 11

• Quickly analyze data by providing multiple analytical information of relevance. Any non-relevant information that
views on data of interest does not pass the filter criteria can be filtered out by either
• Drill down into data sets to identify non-obvious hiding it or ‘graying’ it out. Multiple filters can also be applied
connections, patterns, and trends to quickly and efficiently narrow down larger data sets and
• Get better insight into the critical timeline of events. identify possible high-value intelligence.
• Identify potentially important intermediaries between
seemingly unconnected entities in a network
• Increase understanding of target criminal, terrorist,
or fraudulent networks
• Identify potential duplicates within imported data.
• Understand the who, what, when, where and why of
any analysis task

i2 Analyst’s Notebook provides the tools to quickly analyze

complex data sets and the ability to create multiple analysis views
on data of interest. Data can be displayed as association,
temporal, spatial, statistical and spreadsheet views. These
multiple views help to give a wider understating of all the
important who, why, what, when and where aspects.

i2 Analyst’s Notebook provides users with a range of temporal,

social and geospatial analysis tools. The multiple views can
help analysts gain greater insight of a charted data set from
within a single user environment.

Data filtering and histograms

The dynamic filtering and histogram views available within i2
Analyst’s Notebook provide users with quick feedback on the
information that is contained within a charted data set. Users
can quickly browse and filter information that is based on any
property of the data within a charted data set. Insight is
provided to a user with the use of visual bar graphs, such as list
view or histograms. These interactive list and histogram views
allow users to quickly identify, select and drill down into
12 IBM i2 Analyst’s Notebook
Histogram view filtering —Histogram filters provide a
powerful mechanism for quickly delivering visual feedback
on a range of data types that are contained within any chart.
This interactive view is highly suitable for range-based data
types such as date, time or transactional amounts. It allows
users to identify areas of interest in chart data set such as peaks,
troughs, or patterns in activities. Users can then drill down to
quickly highlight any relevant information.
The interactive histogram view provides the following capabilities:
• Select single or multiple bars in the histogram view to highlight
the corresponding items within the main chart view
• Drill down to perform more detailed analysis of a data set
Users can display a more granular view of the entire data
set or display the information for a selected range only
• Run an animation of chart data to show how activities
occur over time or how a data set builds over time
• Copy the histogram view as a bitmap to allow easier
integration into reports or presentations
List view filtering — List view filters provide effective and fast
visual feedback for non-range-based data with a chart
data set. This visual statistical summary can be used for any
aspect of a charted data set. It can offer quick insight into the
information that is contained within. Multiple list view filters
can also be used to quickly identify commonality within items
in a chart that is based on complex filter criteria.
Temporal analysis and visualization
Answering the ‘when’ question is a critical need for most tasks
that are posed to intelligence analysts and their organizations.
i2 Analyst’s Notebook provides a set of temporal analysis tools
that help in understanding the temporal aspects of any data
set. These powerful tools help analysts to:
• Drill down in to the temporal aspects of an entire charted
data set with instant, interactive visual temporal views
• Identify areas of interest within chart data, such as
temporal peaks, troughs, or patterns in activities that require
further investigation
• Understand potential temporal trends such as activities
that occur more at a particular time of day and day of week
• Create a more detailed timeline view of activities for
items of interest down to individual event granularity
Activity view — To fully understand a timeline of events there
is the need for analysts to understand a timeline down
to individual event granularity. Many of these events also
occur over time. It is vitally important to be able to record and
visualize the duration over which any particular event
occurred. The Activity view in i2 Analyst’s Notebook allows
users to do just that. The ‘Gantt-style’ temporal visualization
allows users to plot, down to individual event granularity, all
time-based activities that occur within selected chart data.
Both ‘point-in-time’ events and activities that occur over time
can be plotted with the Activity view. It provides users with a
full view of an item’s activity timeline.
 IBM Security 13

Histogram view — The histogram functionality in i2 Analyst’s

Notebook provides a powerful tool to display temporal data.
The interactive view allows analysts to select time periods of
interest and filter out non-relevant information that falls outside
these times. This powerful capability helps users to quickly
identify potential time periods of interest, such as peaks,
troughs, or patterns in activities, in a chart data set. Users can
then drill down in these areas of interest to gain better insight in
to the potential causes.

This detailed temporal view greatly reduces the time that is

required to re-create and then understand any critical timeline
of events. It also helps analysts to identify potential anomalies
within a timeline. It can highlight overlaps in an individual’s
activities, such as being in two places at the same time. It also
more clearly highlights time periods with no information,
helping to pinpoint areas for further data-gathering by
operational teams.

The activity view can also be used side-by-side with a network

chart, allowing analysts to compare both association and
temporal aspects simultaneously.
14 IBM i2 Analyst’s Notebook
Users can perform a more detailed analysis of a data set with
interactive histogram view. Data can be viewed at a more granular
level — for example, show by days instead of months.
It can also display the data for a selected range only —for example,
show only the items in June.
The histogram view also works interactively with the main
chart view. Data that falls outside the selected time period
within the histogram can be hidden or ‘grayed-out’ within the
chart. Users can then display both association information
within the main chart and temporal information within the
histogram simultaneously. This combination is designed
to help users to gain better insight into how, over time,
communications occur between individuals or how finances
might flow across a network.
Heat matrix view — The heat matrix takes the temporal
analysis of a charted data set a step further. It offers a more
detailed breakdown of the temporal content of data, allowing
users to map and visualize activities against two temporal ranges.
This capability helps to provide a much quicker answer to
temporal questions — do activities happen at a certain time of
day AND a particular day of the week?
This understanding can help users to quickly identify patterns
in activity or aspects of a target’s likely pattern of life. It also
helps identify how and when a target individual works or
whether there are any regular patterns in terms of their
common activities.
The heat matrix view, in the same way as the histogram view,
works interactively with the main chart view.
Social network analysis
i2 Analyst’s Notebook provides analysts with the means to
increase understanding of the structure, hierarchy and modus
operandi of criminal and terrorist networks.
Social network analysis (SNA) has emerged as an effective
intelligence analysis technique. It enables the analysis of how
and why social groups operate, interact and behave in particular
ways. This quantitative technique enables users to map and
measure complex networks of entities such as people and
organizations, by measuring the interactions between them.
SNA techniques can help analysts gain better insight and
understanding of complex networks by providing users with
insight into aspects of social structure and sources and distribution
of power of a network. This can shed critical insight on the
intricacies of a network, highlighting who knows whom and who
does business with whom. By monitoring the communication
patterns between network nodes, the network’s structure can be
established, which then enables identification
of critical nodes and their relationships.
SNA techniques can also help give insights into the performance
of a network as a whole and its ability to achieve its key
goals. It helps to identify characteristics of a network that
normally are not immediately obvious, such as the existence
of smaller subnetworks that operate within a larger group.
The relationships between prominent people of interest who

wield the greatest influence over the rest of the network can be
understood better. SNA also helps identify how directly and
quickly information flows between people in different parts of the
network.
Using SNA measures can help analysts to understand individuals’
roles within a network. Coupled with the temporal analysis
capabilities within i2 Analyst’s Notebook, SNA can help identify
so-called emerging leaders and rising stars. These individuals are
people who increase in importance or influence within a network
over time.
Better understanding of a network, its structure, hierarchy, and
individuals’ roles within a network is vitally important. This
understanding helps drive better operational decision making
whether for network disruption, surveillance, or information
access and dissemination purposes.
IBM Security 15
The SNA centrality measures that are included in i2 Analyst’s
Notebook are:
Degree centrality — Identifies entities who are the most
active in a network that is based on the number of direct links
to other entities
Closeness centrality — Identifies entities who have the best
access to other parts of a network and visibility of activities
within the rest of a network
Betweenness centrality — Identifies entities who act as
gatekeepers or bridges of information and control information
flow between different parts of a network
Eigenvector centrality — Identifies how well-connected an
entity is and how much direct influence it has over the most
active entities in the network
i2 Analyst’s Notebook also includes an SNA clustering
technique in the form of K-Cores. This clustering measure
can help identify tightly interlinked groups within a network;
this information points to potentially smaller subnetworks that
operate within a wider group.
SNA can also be enhanced by the use of weightings. These
scores help to indicate the strength of differing relationships
(links), each of which can affect a target network. Weighting
relationships helps to deliver a more real-world indication of
the dynamics and structure of a target network.
Directed links can also be included in the calculation of
centrality measures in i2 Analyst’s Notebook. The use
of link direction on a chart is often useful in assessing how
information and commodities flow through a network.
16 IBM i2 Analyst’s Notebook

This direction of flow has an important bearing on how

quickly information is passed from one part of the network
to another. For example, a person may receive information
from many others in the network but only send information on
to a select few.

For more information, see the overview and technical Social

Network Analysis white papers. These white papers are
available at ibm.com/i2software

Find connecting networks

i2 Analyst’s Notebook offers users the means to help identify
potential important intermediaries between entities in a network.

The Find Connecting Networks feature helps users to identify

potential intermediaries between seemingly unconnected
entities and highlight possible networks that connect multiple
entities of interest.
One example of this is searching for a network that joins several
bank accounts that are involved in fraud. Find Connecting
Network results could help to identify an intermediate account
or accounts that distribute money to those accounts and possibly
play a central role in the fraudulent activity.
Users can control this analysis to:
• Exclude specific entity or link types to refine the search such
as concentrating just on actual communication or
transactional information.
• Exclude specific entities to remove those known not be
involved in investigations.
• Test hypothesis by excluding items to help identify potential
effects of removing that entity from a network. For example
the effects of freezing a bank account on the movement of
funds between other accounts of interest.
• Format the results on the chart to help to clearly
communicate analysis findings
Geospatial analysis
Combining geospatial data and understanding with both
association and temporal understanding is a key requirement for
analysts and their organizations. The combined understanding
of all these aspects helps to facilitate turning information into a
full intelligence picture. The Google Earth Exporter within i2
Analyst’s Notebook enables users to export selected chart data
to an installed Google Earth client. More detailed geospatial
analysis is also available with the addition of the optional
IBM i2 Analyst’s Notebook Connector for Esri.
Google Earth Exporter — If items in a chart contain
geographical information, i2 Analyst’s Notebook can identify
and map this information to a separately installed Google
Earth client. As well as the ability to simply map selected chart
data, the date, and time information can also be sent
to Google Earth. This extra information allows users to track
the movement of suspects or events over time with the time
slider animation in Google Earth. i2 Analyst’s Notebook also
enables users to export selected chart data to a kml or kmz file.

This mapping file format can be imported in to other common
mapping applications.
Analyst’s Notebook Connector for Esri — i2 Analyst’s
Notebook Connector for Esri is an optional plug-in to i2
Analyst’s Notebook. It enables users to combine the link and
temporal analysis capabilities of i2 Analyst’s Notebook with the
geospatial capabilities provided by an available Esri ArcGIS
Server. This powerful combination allows users to connect to
and utilize available Esri geospatial analysis services. These
services include base maps, dynamic map feature layers, and
analytical services such as Geocoding, Find Route, and
Drive-time analysis.
This closely coupled, two-way integration allows users to
create a geospatial view directly inter-connected with the
association and temporal views of i2 Analyst’s Notebook.
It allows users to perform the who, what, when and where
analysis all from within a single combined environment.
IBM Security 17
More information on the benefits and capabilities of this
offering can be found in the i2 Analyst’s Notebook Connector
for Esri Product Overview white paper. This white paper is
available at ibm.com/i2software
Entity matching
With the ability to take data from a wide variety of sources it
becomes important to identify, and utilize items from different
data sources that are in fact the same real-world object. Entity
matching, within i2 Analyst’s Notebook, is the process of finding
occurrences of items on a chart that represent the same item. i2
Analyst’s Notebook provides two types of
entity matching:
Automatic entity matching — i2 Analyst’s Notebook
automatically detects entities that are the same as other entities
as they are being imported into a chart. This matching works
on item identity or database identity. The identities of two
entities are deemed to be the same if they match exactly and
are the same case character for character. Because two identical
entities are not allowed to coexist on the same chart, i2
Analyst’s Notebook merges them together, even if their labels
are not the same.
Find Matching Entities — With data potentially coming from
different data sources, situations commonly arise where data
imported into a chart has differing unique identities but refers to
the same real-world object. This situation could involve people
who are imported from different data systems, where name
formats are different or name synonyms used, such as Danny
instead of Daniel. Items also could have been imported with
different unique identities but have a number of equivalent
properties behind them. The use of an alias name is one example.
18 IBM i2 Analyst’s Notebook
Find Matching Entities allows users to quickly identify imported
items that have enough similarity that may indicate they are the
same entity. All matches are ranked by smart matching
technology that automatically analyzes chart item information
for equivalency. This technology uses various inputs from name
variants, spelling, and phonetics to Semantic Type Libraries.
The Semantic Type Libraries can be used to categorize items by
defining common meaning, for example, male and female can
be categorized as person.
These definitions can be used to align data from different
sources. Better data alignment improves the accuracy of any
potential matching and reduces the time that is taken to identify
possible duplicates. These ranked results help in the final
human-led decision as to whether the items are the same and
can be merged into a single item.
Search and discovery
With the ability to ingest a wide variety of information from a
wide variety of sources comes the need to be able to efficiently
search that data. Effective search techniques are vital to allow
users to quickly identify information of interest, key connections,
or patterns that are hidden within any charted data set.
i2 Analyst’s Notebook provides a number of search and
discovery capabilities that aid users in the identification of
key areas of interest. These capabilities include:
Search — i2 Analyst’s Notebook provides two main search
functions that can be used based on the depth of search that is
required by the user. The Find Text search returns exact text
matches, ideal for when a user knows exactly what they are
looking for. The Search Bar provides a wider search by taking
into account name variants. It returns results in a ranked list
that is based on the closeness of the match. This method is
ideal when performing a search with terms that are likely to
have potential variances in the data to be searched.
List Items — The List Items view in i2 Analyst’s Notebook
allows users to view charted data in a spreadsheet (tabular) view.
This structured view allows analysts to quickly sort data based
on specific properties. Sorting helps quickly identify items with,
for example, the highest or lowest values or to identify specific
groups of items that have certain properties in common.

Infotips — Any top-level item in i2 Analyst’s Notebook can hold
a wealth of information underneath it. Infotips provide faster
access to an item’s information by providing an instant summary
view of an item. This view can include information about the
item’s properties. It can also display any supplemental
information, who or what the item is linked to and information
on an item that is sourced from external data sources. Infotips
can also be configured to display only relevant information of
interest so users can identify and highlight the most important
information quickly.
IBM Security 19
Visual Search — Visual Search provides an intuitive search
interface that allows users to visualize the search criteria they
wish to perform on a charted data set. Search criteria can be
quickly created for both single item and linked item searches.
Single item searches can be built based on their type, label,
date and time, and attributes. Linked item searches take that a
step further by being able to visually specify the search criteria
for a pair of linked items. This linked search helps to find items
or the links between them that match the specified conditions.
One example is searching for a “blond male who owns a blue
BMW with license plate number that includes YH57”.
20 IBM i2 Analyst’s Notebook

Find Path — Identifying hidden connection paths between

items that appear not to be directly connected is important in
determining potential relationships between parties. The Find
Path function in i2 Analyst’s Notebook helps to identify paths
from one item to another, based on a user’s specified criteria.

It helps answer the questions of “Is Item A connected to Item B

and how are they connected?”. Users are able to set various rules
about which items are allowed on the path both entities and links.
These rules allow users to exclude particular relationships or
communication types as being valid connection paths.

Linked Items Bar — The Linked Items Bar is an analysis

tool that can help users discover the items that are connected
to a selected entity. In smaller charts, which are created
manually, it is simple to see which chart items are linked to
a particular entity. However, in larger charts, from sources
such as telephone call logs, it can be more difficult to see what
other items are directly connected across an entire network.
The Linked Items Bar provides a quick summary of each of the
connections for a selected entity, and also interacts with the
main chart view.

Analytical layouts — i2Analyst’s Notebook provides a number

of analytical layouts that can be applied to charted data. These
layouts help analyze the structure of chart data or help in
managing the data on the chart for briefing or presentation
purposes. Two main types of layout are provided. Depending
on what data a chart contains, users can apply layouts for both
association and for timeline charts. These layouts can be used to
emphasize different aspects within a charted data set. Layouts
help to visualize the structure of a network, identify different
groups, or display data as a hierarchical or organizational view.

Simple communication of complex data
But with all these visual analysis capabilities it is equally
important for analysts to be able to effectively convey key
intelligence in a clear and concise manner. The effective
dissemination of data is vital to aid operational decision
makers in making rapid, accurate, and informed decisions.
i2 Analyst’s Notebook provides users with the means to:
• Communicate complex data with intuitive and
• easy-to-follow visual briefing charts
• Create detailed charts or visuals to enhance other end
intelligence products
• Export chart visualizations to other commonly used
distribution formats
• Create ‘down-graded’ versions of charts to easily share the
right level of information with others who have different
security clearances
• Easily share charts with non-Analyst’s Notebook users
Charts — i2 Analyst’s Notebook charts are a common currency
for the dissemination of key intelligence. The comprehensive
visualization environment that is coupled with the array of visual
formatting options allows users to convey complex information
within easy-to-understand visual representations. These visual
charts can then be used for the effective briefing of end
intelligence information. i2 Analyst’s Notebook also
provides a tool to further simplify the process of briefing, in
particular, larger charts.
The Snapshot tool enables users to store multiple snippets of
a chart and then play them back in a required order. Users are
able to ‘walk-through’ chart information during briefings with
the minimum of effort.
IBM Security 21
Sharing chart information — Information that is often
identified within a chart is required for other end intelligence
reports in differing formats. i2 Analyst’s Notebook provides
a number of methods that allow users to:
• Copy or save a whole chart or parts of a chart to various
image formats (.bmp, .jpg, .png). These visuals can then
be used in other intelligence documents.
• Copy or save a view of the visual results of i2 Analyst’s
Notebook analysis tools. These tools include the Histogram,
Heat Matrix, and Activity views.
• Export all snapshots of a chart that are taken with the
Snapshot tool to a Microsoft PowerPoint presentation
• Export a whole chart or parts of a chart to an Adobe
PDF document
Chart redaction — i2 Analyst’s Notebook provides the means to
grade all data within a chart. The grading aids in recording
information such as confirmation status, reliability of source or
security clearance level. Users are also provided with the ability
to save a redacted version of a chart. Redacted versions can
be created to include information that is based on either the
grading level of items within a chart or on a specific property.
This capability allows users to easily share chart information
with others who have a lower security level. Users can quickly
create separate charts with all ‘sensitive’ information removed.
IBM i2 Chart Reader — i2 Analyst’s Notebook charts can also
be shared electronically to anybody who does not have access to
i2 Analyst’s Notebook. IBM i2 Chart Reader is available at no
charge and provides read-only access to charts that can then be
navigated, searched, or printed. Rich information behind chart
entities and links can also be searched and read.
22 IBM i2 Analyst’s Notebook
Extensibility
i2 Analyst’s Notebook is a powerful stand-alone visual analysis
environment in its own right. There is also an extensive range of
options available to further extend the capabilities to provide
even greater value to analysts and their wider organization.
IBM i2 Analyst’s Notebook Premium
IBM i2 Analyst’s Notebook Premium builds on the powerful
visual analysis capabilities of i2 Analyst’s Notebook. It provides a
rich data-centric analysis environment complete with an
optimized local analysis repository. It further helps to reduce the
costs that are associated in uncovering key connections,
networks, patterns, and trends to help predict and prevent
criminal, terrorist, and fraudulent activities
It includes all the key elements that are required for single
users to collate, manage, explore, and analyze all of their
local information.
• Local analysis repository that is optimized for data
management, information discovery and analysis
• Data management interface to enable rapid data entry
and management, as well as powerful search and discovery
capabilities
• Near-seamless integration with the powerful capabilities
of the rich visual analysis environment empowers users to
quickly build multi-dimensional views on the identified data
of interest
IBM i2 Analyst’s Notebook SDK
i2 Analyst’s Notebook SDK (software development kit) enables
organizations to extend i2 Analyst’s Notebook to meet their
individual requirements. It provides technical specialists with the
software, documentation, and sample materials that are required
to extend and enhance (through development) the functionality
available within i2 Analyst’s Notebook.
i2 Analyst’s Notebook SDK empowers developers, by using the
i2 Analyst’s Notebook API, to:
• Develop plug-in components to enhance and extend the
functionality that is provided by i2 Analyst’s Notebook
• Create separate applications that can control and power
i2 Analyst’s Notebook via its automation interfac.
• Build custom stand-alone applications that use the i2
Analyst’s Notebook controls to add analysis capabilities
to the application
Data acquisition
IBM i2 iBridge — IBM® i2® iBridge enables i2 Analyst’s
Notebook users to directly connect to key existing databases
to speed the data acquisition and analysis process. A live
connection allows users to access the most current data.
The powerful search and query capabilities help analysts to
uncover hidden links that are buried in existing data sources.
i2 iBridge enables users to sequentially access data from multiple
sources, increasing the accuracy and depth of analysis.
IBM i2 Information Exchange for Analysis Search
Services — IBM® i2® Information Exchange for Analysis Search
for i2 Analyst’s Notebook enables i2 Analyst’s Notebook users to
connect to multiple data sources and perform a single,
simultaneous search. This single search across multiple sources
accelerates data acquisition processes and promotes greater
efficiencies in the use of analyst resources.
Collaboration
IBM i2 iBase — IBM i2 iBase is an intuitive intelligence
database application. It enables collaborative teams of analysts
to capture, control and analyze multi-source data in a secure,
workgroup environment. i2 iBase enables multiple users to
effectively and securely access and share key information.
This collaborative ability aids intelligence analysis teams in
uncovering meaning and connections in increasing volumes
of complex structured and unstructured data.
 IBM Security 23

Geospatial analysis What prerequisites are required

IBM i2 Analyst’s Notebook Connector for Esri — i2 Analyst’s to install the product?
Notebook Connector for Esri integrates i2 Analyst’s Notebook For information about hardware and software
with Esri ArcGIS server. It provides analysts with a single compatibility, see the detailed system requirements
centralized work environment that integrates link and temporal at ibm.com/software/products/en/analysts-notebook
analysis with geospatial analysis. It helps analysts increase
understanding into the critical where aspects of any analysis, and What documentation is provided?
reduces the time to build a comprehensive operational picture. The following documentation is supplied with
i2 Analyst’s Notebook:
Unstructured data analysis
IBM i2 Text Chart — IBM i2 Text Chart is an intuitive,
• i2 Analyst’s Notebook Release Notes
user-controlled tool that speeds the process of extracting and
• i2 Analyst’s Notebook Online Help
visualizing key information that is hidden within unstructured
data. It also facilitates the effective sharing of findings via
The documentation (other than the online help) is provided in
intuitive visual charts.
electronic form only. In order to display the documentation a
PDF viewer must be present on the installation system.
IBM i2 Text Chart Auto Mark — IBM i2 Text Chart Auto
Mark builds on i2 Text Chart with the automatic discovery and Is i2 Analyst’s Notebook available in languages
markup of key entities. This ability further reduces the time that other than English?
is required for the manual tagging and extraction process. i2 Analyst’s Notebook is developed in US English. It is
supported on Western Europe, United States, Central
For more information, visit ibm.com/i2software European, Baltic, Cyrillic, Turkic, Arabic, Korean, Japanese,
Simplified Chinese and Traditional Chinese regional versions
Technical description of the supported operating systems.
Product Architecture
i2 Analyst’s Notebook is a stand-alone desktop product that
is designed to provide users with a powerful visualization and
analytical tool. i2 Analyst’s Notebook has an API to enable
programmatic control of the application via the i2 Analyst’s
Notebook SDK.
As well as English, i2 Analyst’s Notebook is available in the
following language versions:

• French
• German
• Spanish © Copyright IBM Corporation 2017
• Italian IBM Corporation
• Portuguese (Brazilian) IBM Security
• Japanese Route 100
Somers, NY 10589
• Chinese (Simplified)
• Chinese (Traditional) Produced in the United States of America
March 2017
• Korean
• Russian IBM, the IBM logo, ibm.com, i2, and Analyst’s Notebook are trademarks of
International Business Machines Corp., registered in many jurisdictions
• Polish
worldwide. Other product and service names might be trademarks of IBM
• Arabic or other companies. A current list of IBM trademarks is available on the
• Hungarian Web at “Copyright and trademark information” at
www.ibm.com/legal/copytrade.shtml.
• Turkish
• Czech Microsoft, Windows and Windows NT are trademarks of Microsoft
Corporation in the United States, other countries, or both.
• Slovak
• Hebrew This document is current as of the initial date of publication and may
be changed by IBM at any time. Not all offerings are available in every
country in which IBM operates.
For more information
To learn more about IBM i2 Analyst’s Notebook, please The performance data discussed herein is presented as derived under
specific operating conditions. Actual results may vary. It is the user’s
contact your IBM representative, or visit: ibm.com/i2software responsibility to evaluate and verify the operation of any other products
or programs with IBM products and programs. THE INFORMATION IN
To learn more about all of the IBM Smarter Cities solutions, THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT
ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING
visit: ibm.com/smartercities WITHOUT ANY WARRANTIES OF MERCHANT­ABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY
OR CONDITION OF NON-INFRINGEMENT. IBM products are
warranted according to the terms and conditions of the agreements under
which they are provided.

The client is responsible for ensuring compliance with laws and regulations
applicable to it. IBM does not provide legal advice or represent or warrant
that its services or products will ensure that the client is in compliance with
any law or regulation.

Please Recycle

ZZW03172-USEN-04