Technique of Cipher Examination

In time of active operations it is important that captured or intercepted cipher messages reach the examining office with the least possible delay. The text of messages, captured at a distance from the examining office, should be sent to the office by telegraph or telephone, the original messages being forwarded to the office as soon thereafter as possible.

The preamble, “place from,” date, address and signature, give most important clues as to the language of the cipher, the cipher method probably used, and even the subject matter of the message. If the whole of a telegraphic or radio message is in cipher, it is highly probable that the preamble, “place from,” etc., are in an operators’ cipher and are distinct from the body of the message. As these operators’ ciphers are necessarily simple, an attempt should always be made to discover, by methods of analysis to be set forth later, the exact extent of the operators’ cipher and then to decipher the parts of the messages enciphered with it.

In military messages, we almost invariably find the language of the text to be that of the nation to which the military force belongs. The language of the text of the message of secret agents is, however, another matter and, in dealing with such messages, we should use all available evidence, both external and internal, before deciding finally on the language used. Whenever a frequency table can be prepared, such a table will give the best evidence for this purpose.

All work in enciphering and deciphering messages and in copying ciphers should be done with capital letters. There is much less chance of error when working with capitals and, with little practice, it is just about as fast. An additional safeguard is to use black ink or pencil for the plain text and colored ink or pencil for the cipher. A separate color may be used for the key when necessary.

The following blank form is suggested as convenient for keeping a record of a cipher under examination. It should accompany the cipher through the examining process and should be filled in as the facts are determined. This record, the original cipher and all notes of work done during the examination, should be filed together when the examination is completed, whether the cipher has been solved or not. It may be that other ciphers solved later will give clues to the solution of such unsolved ciphers.

The first column of this blank should be filled out from data furnished by the officer obtaining the cipher from the enemy. A general order, emphasizing the importance of promptly forwarding captured or intercepted ciphers to an examining office, could specify that a brief report embodying this data should be forwarded with each cipher.

The second column of the blank should be filled out progressively as the work proceeds. The office number should be a serial one, the first cipher examined being No. 1. The date and hour of receipt at examining office will be a check as to the time required to transmit it from place of capture. The spaces “From,” “At,” “To,” “At,” “Date,” are for the information concerning sender and addressee of the cipher and are to be obtained from the message. In case an operators’ cipher has been used, these parts of the message will have to be deciphered before the blanks can be filled in.

Intelligence Section, General Staff
1st Field Army
----------- -----------
Place, Date
Record of Cipher Examination
This cipher obtained by
-----------
-----------
at ----------- -----------
on ----------- -----------
(date) (hour)

How being transmitted when obtained. (Underscore means used and enter data on sending and receiving stations).

                  Sending Station    Receiving Station
Radio
Telephone
Telegraph
Buzzer
Helio
Lantern
Flag
Cyclist           from               to
Foot Messenger    from               to
Mtd. Messenger    from               to

How obtained. (Underscore means used). Captured before delivery to addressee. Captured after delivery to addressee. Intercepted, not received by addressee. Copied, but received by addressee.

Remarks:

Office No. -----------
Received ----------- -----------
(Date) (Hour)
From -----------
At -----------
To -----------
At -----------
Date -----------
Probable language of text -----------
Class Transposition -----------
-----------
Substitution -----------
-----------
Case -----------
Remarks:
Solution completed --------- ----------
(date) (hour)
Language of text -----------
Key, (if determined) -----------
-----------
Type ----------- File No. -----------
-----------
-----------
Examiner.

The probable language of the text is assumed from the preceding data and, if necessary, from internal evidence. Thus a cipher from a Mexican source and not containing K or W is probably in Spanish.

The class and case are determined by the rules laid down later. The space for remarks is to permit notation of any special features. When the solution is completed, the date and hour are noted, the language of text and key (if determined) are entered and a type number, to identify it with other ciphers prepared by the same method (but not necessarily the same key), is given to it. The file number is for convenience in filing and in preparation of a card index.

The process of examination in an office with one examiner, one stenographer and one clerk, might be as follows: On receipt of a captured cipher with accompanying report, the stenographer makes four copies of the cipher on the typewriter. The clerk and stenographer then check the work. The stenographer then proceeds to fill out the first column and first two lines of the second column of the record blank from the report of the capturing officer, keeping the original cipher and two copies with the record. He may also fill out the first seven lines of the second column, if this data is on the captured cipher in plain text. In the meantime the clerk is counting and setting down the whole number of letters of the cipher and the occurrence of AEIOU, LNRST, and JKQXZ, while the examining officer is looking over the cipher for possible recurring groups of letters and underlining them when found.

This work being completed, the examining officer is in a position, ordinarily, to decide on the class of the cipher and he may have found something in his examination which will lead him to the case under the class. The clerk in this preliminary count should keep track of the total occurrence of each of the fifteen check letters and not of the three groups given above. This takes a little longer but when done, the data for fifteen letters of the alphabet for a frequency table is completed, leaving only eleven other letters, and in Spanish, but nine, to be counted, in case it is necessary to prepare a frequency table.

If the examining officer decides the cipher to be of the transposition class, no further work with frequency tables is necessary. The clerk should proceed to count and set down the number of vowels in each line and column and the examining officer should look for any occurrence of the letter Q and try to connect it with U and another vowel. The stenographer may be set to work putting the cipher into rectangles of different dimensions. The clerk’s work gives data for possible rearrangement, for if the vowels are much out of proportion at any point, they must be connected with the proper proportion of consonants as a first step in rearrangement. Work with transposition ciphers must necessarily include much of the fit and try method. The details of this work are taken up later.

If a cipher seems to be a substitution cipher, the examining officer should look over the frequency of occurrence of each of the fifteen letters counted. If some letters (it is of no importance at present which ones) occur much more frequently than others and some occur rarely or not at all, we may safely decide on Case 4, 5 or 6 and let the clerk proceed to finish the frequency table for the message. On the other hand, if all the fifteen letters examined occur with somewhere near the same frequency—for example, the most common letter occurring not over three or four times as often as the least common letter—we may at once eliminate the first three cases and let the clerk proceed to examine the cipher for recurring pairs and groups, counting the intervening letters, so that the examining officer may decide whether Case 7, or some more complicated case, should be chosen.
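The clerk's counts described above can be set down mechanically. The following is an added example, not part of the original manual: the function names are hypothetical, the limit of four is taken from the text's "three or four times," and the choice between the transposition and substitution classes is not attempted, since those rules are laid down later.

```python
from collections import Counter
from string import ascii_uppercase

CHECK_GROUPS = ("AEIOU", "LNRST", "JKQXZ")   # the three groups the clerk counts
CHECK_LETTERS = "".join(CHECK_GROUPS)         # the fifteen check letters

def letters_only(cipher):
    """Capital letters of the cipher, with spacing and punctuation dropped."""
    return "".join(c for c in cipher.upper() if c in ascii_uppercase)

def preliminary_count(cipher):
    """Total letters, count of each check letter, and the three group totals."""
    text = letters_only(cipher)
    counts = Counter(text)
    per_letter = {c: counts[c] for c in CHECK_LETTERS}
    groups = {g: sum(per_letter[c] for c in g) for g in CHECK_GROUPS}
    return len(text), per_letter, groups

def substitution_branch(per_letter, max_ratio=4):
    """Apply the text's test to a cipher already judged to be substitution."""
    low, high = min(per_letter.values()), max(per_letter.values())
    if low > 0 and high <= max_ratio * low:   # near-equal frequencies
        return "examine recurring groups (Case 7 or more complicated)"
    return "finish frequency table (Case 4, 5 or 6)"

def recurring_groups(cipher, size=3):
    """Repeated groups of `size` letters, with the distance from the start
    of each occurrence to the start of the next."""
    text = letters_only(cipher)
    seen = {}
    for i in range(len(text) - size + 1):
        seen.setdefault(text[i:i + size], []).append(i)
    return {g: [b - a for a, b in zip(p, p[1:])]
            for g, p in seen.items() if len(p) > 1}

def vowels_in_rectangle(cipher, width):
    """Vowels in each line and each column, written `width` letters per line."""
    text = letters_only(cipher)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    by_row = [sum(c in "AEIOU" for c in r) for r in rows]
    by_col = [sum(r[k] in "AEIOU" for r in rows if k < len(r)) for k in range(width)]
    return by_row, by_col

if __name__ == "__main__":
    # Constructed sample cipher, not taken from the manual.
    SAMPLE = "WKHHQ HPBZL OODWW DFNDW GDZQW KHHQH PBZLO OUHWU HDW"
    total, per_letter, groups = preliminary_count(SAMPLE)
    print(total, groups, substitution_branch(per_letter))
    print(recurring_groups(SAMPLE, 4), vowels_in_rectangle(SAMPLE, 5))
```
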

If something more complicated than Case 7 has been used and other ciphers are on hand awaiting examination, the cipher should go into the unsolved file to be worked on when other work permits, unless the contents of the cipher are believed to be very important. Every opportunity should be taken to clean up the unsolved file and, whenever a message is solved, the methods should be tried, if applicable, to everything remaining in the file.

The first few days or weeks after the establishment of an examining office will be the most trying time. When solved ciphers begin to pile up, the methods of the enemy will be more and more apparent and it will often be possible to determine the method from knowledge of the name of the sender and receiver.

When a cipher has been solved, the solution should be prepared in triplicate and given the serial number of the cipher. Any parts which are not clear, through errors in enciphering or in transmission, should be underlined or otherwise made conspicuous, so that the head of the Intelligence Section may note them and, possibly, from other sources, supply the deficiency.

One of the copies of the cipher and report of examination, with a copy of the solution, should be turned over at once to the head of the Intelligence Section or to the Chief of Staff. The other copies of the solution should be filed with the original cipher, the report of examination, and all work done on the cipher.

Periodically, say once a week or even daily at the beginning of active operations, there should be an interchange between all examining offices of solved messages involving new methods used by the enemy. All the examining offices will thus be kept in touch. It may also be possible to assign certain hostile radio stations to each examining office to prevent duplication of work.

                                                                                                                                                                                                                                                                                                           
