Imagine a situation: you are an intelligence officer, and your task is to 
identify a particularly dangerous blackmailer who appears on the network only 
periodically and only to transmit data. For criminal activity he or she set up 
a separate laptop from which the microphone, speakers and camera were physically 
removed. A smart decision, given that speakers can also be made to listen.

He or she uses Tails as an operating system, although Whonix would be the better 
choice for maximum anonymity. Either way, all traffic goes through Tor; he or she 
does not trust VPNs, or trusts only his or her own, and still needs Tor to work 
on the darknet.

He or she communicates over Jabber with PGP encryption. Telegram could have been 
installed instead, but this is a representative of the old school of criminals. 
Even with access to the Jabber server, you get only encrypted data and Tor IP 
addresses, which is useless information.

The criminal works on the principle that silence is golden: he or she will not 
say too much and will not open links or files. All that is known is that he or 
she must be in the same country as you. It would seem there is no chance of 
establishing the identity, but that is an illusion: the identity can be 
established despite all the measures he or she takes.

The described case is ideal for a timing attack on a messenger or a thematic 
forum. The first thing you need is a program that tracks and records every login 
and logout of the user: he or she appears on the network and the system 
immediately notes the time; he or she leaves and the system records the exit 
time.

Now you have a log of the activity over several days in your hands, and it is 
time to use the ORM (operational-search measures) system. Similar systems are at 
the disposal of the special services of most countries; in Russia it is SORM. 
You need to find out who in your country connected to the Tor network during 
those same minutes (+/- 5 minutes).

We know that the target to be deanonymized connected on 04/11/2022 at 11:07 and 
disconnected at 12:30. At those same points in time (+/- 5 minutes), 3,000 
people across the country connected to the Tor network and disconnected from 
it. We take these 3,000 and see which of them reconnected at 14:17 and 
disconnected at 16:54. How many people do you think will remain?

So, step by step, the circle narrows, and in the end you will be able to 
determine the place from which your victim or criminal enters the network. The 
more often he or she enters the network and the fewer other users are online at 
that time, the faster the timing attack will work.
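The narrowing described above is a plain set intersection, and it is worth seeing on a small scale how quickly it converges and what breaks it. The following is an added example, not code from the original post: it uses a constructed, hypothetical "who connected to Tor when" log of six subscribers (`sub-A` to `sub-F`) and the observed session times from the post, intersects the candidate sets with the post's +/- 5 minute tolerance, and then repeats the run after the matching subscriber switches to one always-on Tor connection. The `narrow` and `with_always_on` helpers and all sample data are my own construction.

```python
from datetime import datetime, timedelta

# Tolerance the post uses: +/- 5 minutes around each observed login and logout.
TOLERANCE = timedelta(minutes=5)


def ts(s):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample: times at which the pseudonym was seen logging in and out
# of the messenger (the first two sessions are the ones quoted in the post).
TARGET_SESSIONS = [
    (ts("2022-04-11 11:07"), ts("2022-04-11 12:30")),
    (ts("2022-04-11 14:17"), ts("2022-04-11 16:54")),
    (ts("2022-04-12 09:02"), ts("2022-04-12 09:40")),
]

# Constructed, hypothetical national log: subscriber id -> (connect, disconnect)
# windows to the Tor network over two days.
TOR_LOG = {
    # connects only for each session: lines up with every observed window
    "sub-A": [(ts("2022-04-11 11:07"), ts("2022-04-11 12:30")),
              (ts("2022-04-11 14:17"), ts("2022-04-11 16:54")),
              (ts("2022-04-12 09:02"), ts("2022-04-12 09:40"))],
    # coincides with the first two sessions by chance, not the third
    "sub-B": [(ts("2022-04-11 11:09"), ts("2022-04-11 12:27")),
              (ts("2022-04-11 14:20"), ts("2022-04-11 16:51")),
              (ts("2022-04-12 10:00"), ts("2022-04-12 11:00"))],
    # coincides with the first session only
    "sub-C": [(ts("2022-04-11 11:05"), ts("2022-04-11 12:33")),
              (ts("2022-04-11 15:00"), ts("2022-04-11 17:00"))],
    # login time matches but the disconnect is an hour late
    "sub-D": [(ts("2022-04-11 11:07"), ts("2022-04-11 13:30"))],
    # keeps a Tor connection up around the clock
    "sub-E": [(ts("2022-04-11 00:00"), ts("2022-04-12 23:59"))],
    # coincides with the last two sessions, not the first
    "sub-F": [(ts("2022-04-11 09:00"), ts("2022-04-11 10:00")),
              (ts("2022-04-11 14:15"), ts("2022-04-11 16:58")),
              (ts("2022-04-12 09:00"), ts("2022-04-12 09:44"))],
}


def close_to(t, ref, tolerance=TOLERANCE):
    return abs(t - ref) <= tolerance


def candidates_for(session, log, tolerance=TOLERANCE):
    """Subscribers with a Tor window whose start and end both fall within the
    tolerance of the observed login and logout."""
    start, end = session
    return {uid for uid, windows in log.items()
            if any(close_to(s, start, tolerance) and close_to(e, end, tolerance)
                   for s, e in windows)}


def narrow(target_sessions, log, tolerance=TOLERANCE):
    """Intersect the candidate sets session by session.
    Returns the final candidate set and the set size after each step."""
    remaining = None
    sizes = []
    for session in target_sessions:
        step = candidates_for(session, log, tolerance)
        remaining = step if remaining is None else remaining & step
        sizes.append(len(remaining))
    return remaining, sizes


def with_always_on(log, uid):
    """Same log, but `uid` now holds a single connection across both days
    instead of connecting per session, so its windows no longer track the
    messenger activity."""
    patched = dict(log)
    patched[uid] = [(ts("2022-04-11 00:00"), ts("2022-04-12 23:59"))]
    return patched


if __name__ == "__main__":
    final, sizes = narrow(TARGET_SESSIONS, TOR_LOG)
    print("per-session connection:", sizes, "->", sorted(final))  # [3, 2, 1] -> ['sub-A']
    final, sizes = narrow(TARGET_SESSIONS, with_always_on(TOR_LOG, "sub-A"))
    print("always-on connection:  ", sizes, "->", sorted(final))  # [2, 1, 0] -> []
```

Two things stand out in the second run. After two sessions the investigator is left holding `sub-B`, a subscriber who merely happened to be online at the same times, so a small intersection is not proof on its own. After the third session nothing remains, because a connection that is up around the clock produces no login/logout timestamps for the log to correlate. The same reasoning applies to the post's closing point about changing access points: the attack depends on the Tor connection events lining up with the observed activity.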

Example:

metrics.torproject.org - checks whether an IP address was used as a host 
sending traffic to Tor.

check.torproject.org (https://check.torproject.org/cgi-bin/TorBulkExitList.py), 
github.com/SpiderLabs - returns a list of all Tor exit nodes in the last 16 
hours that could have contacted the IP.

ipqualityscore.com/user/proxy-detection-api/lookup - finds out whether a person 
is using a proxy, VPN or Tor.

Constantly changing the access point to the network makes such an attack 
meaningless. If the target only periodically changes exit points, this may 
complicate the search, but it is an expected scenario and will not confuse the 
system.
