I went over to the apartment, checking the alarm system before unlocking the front door. The computer I had set up to get the mail messages from the anonymous remailer had been merrily grabbing messages, decoding them, and placing them in a separate directory on the hard disk. So far, it had grabbed over 187,000 messages. (Good thing that computer had a big hard drive with plenty of empty space.) Each message was just a packet of data, with the special delay codes inserted into the headers.
I let the computer continue to get those packet header messages. I sat down at one of the other computers to finish up the analysis program. Its job was to go through the messages, extract the IP addresses, and place them into a table for analysis. Not a hard job for a computer to do, since they are really good at doing the same thing over and over.
But I had started thinking that it was getting close to time to close up the apartment. I didn't want to leave any trails for anyone looking for me. I decided that after I got all the packet headers I needed, I would pack up things and clear out the apartment. I'd have the data on encrypted ZIP disks for analysis at home - or at the Cabin.
I wasn't really interested in the actual data in the packet messages, since they would just be pieces of someone's email message, or part of a document, or some file. The important part was where the packet came from, although I set up the program to extract the destination IP address also.
I copied a few hundred of the files from the "on-line" computer into the second computer (they were networked together), and ran some tests on them with the program. I decided also to take the time stamp out of the header, so I tweaked the program to put that in the table. So each entry in the table would look like this:
Source IP address    Date     Time        Count
145.24.166.22        10/20    11:31:44    5
So that entry would tell me that address 145.24.166.22 had five different delay packets, the earliest of which was sent on 10/20 at 11:31:44 hours. I also set up the program to make a similar table for the Target IP address.
Remember that the source IP address was the originating source, not any of the intermediate locations that the packet traveled along the way. If I could collect enough delay packets, some statistical analysis would tell me where the delay packets were originating.
I ran the program a few more times with the test data, and set up a status screen so I could see the progress through the packet header files. I then set it up to work with the real data. I looked over at the other computer, and the count had gone from about 187,000 to about 255,000. It was time to start processing that data.
I started the program, and watched as the counter on the status screen started showing the progress through the data. The screen counter showed the number of packets processed, and the number of unique IP addresses. It also showed the IP address of the 'most popular' source IP address. The first number was moving pretty fast, the second number was pretty close behind, and the third number ("Miss Popularity") was jumping all over the place.
It was too early to make any sense of those numbers. I'd have to let the program cook for a while to get any decent information. Besides, I was hungry. I didn't want to go too far, so it looked like a peanut butter (smooth) and jam (apricot) sandwich with some macaroni and cheese. So I went out into the kitchen to fix it, leaving the computers to continue to do their thing.