{"id":3205,"date":"2025-03-27T17:01:54","date_gmt":"2025-03-27T17:01:54","guid":{"rendered":"https:\/\/elusivedata.io\/?p=3205"},"modified":"2025-08-13T15:55:36","modified_gmt":"2025-08-13T15:55:36","slug":"apple-notes-ios16-entschlusseln","status":"publish","type":"post","link":"https:\/\/elusivedata.io\/de\/decrypt-apple-notes-ios16\/","title":{"rendered":"Decrypting Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) with Hashcat"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3205\" class=\"elementor elementor-3205\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c9155f5 e-flex e-con-boxed e-con e-parent\" data-id=\"c9155f5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2fc7219 elementor-widget elementor-widget-heading\" data-id=\"2fc7219\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Introduction<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d80253 elementor-widget elementor-widget-text-editor\" data-id=\"1d80253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember625\" class=\"ember-view reader-text-block__paragraph\">While analyzing a test device with a popular commercial mobile forensic tool, I came across something fascinating: a locked Apple Note that was shown only as \"hidden\". The tool displayed the note's summary (labeled \"Lance\"), but the actual content was missing. 
There was no indication of what was hidden behind the lock, which left me with a burning question: could I uncover the secret inside? I needed a workflow that would let me decrypt Apple Notes on iOS 16.<\/p><p id=\"ember626\" class=\"ember-view reader-text-block__paragraph\">The device was running <strong>iOS 16.7.10<\/strong>, and after digging through the NoteStore.sqlite database I found that all the clues to the encryption were sitting right there, waiting to be decrypted. Using open-source tools, I set out to recover the password and decrypt the note's content.<\/p><p id=\"ember627\" class=\"ember-view reader-text-block__paragraph\">This post walks you through the <strong>complete forensic workflow<\/strong> to <strong data-start=\"979\" data-end=\"1012\">decrypt Apple Notes on iOS 16:<\/strong><\/p><ul><li>\ud83d\udd13 <strong>Hashcat<\/strong> for password cracking<\/li><li>\ud83d\uddc4\ufe0f <strong>DB Browser for SQLite<\/strong> to inspect and extract encryption parameters<\/li><li>\ud83d\udc0d <strong>Python scripts<\/strong> for key derivation and unwrapping AES keys<\/li><li>\ud83d\udd0d <strong>CyberChef<\/strong> to decrypt, decompress, and parse the final protobuf payload<\/li><\/ul><blockquote id=\"ember629\" class=\"ember-view reader-text-block__blockquote\"><p>\u26a0\ufe0f <strong>Important note:<\/strong> This workflow applies specifically to Apple Notes on <strong>iOS 16.x<\/strong>. 
With iOS 17, Apple changed the way encrypted notes are stored, and iOS 18 brings even more changes.<\/p><\/blockquote><p id=\"ember630\" class=\"ember-view reader-text-block__paragraph\">Let's dive in and reveal the hidden message in the locked Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c525deb e-flex e-con-boxed e-con e-parent\" data-id=\"c525deb\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a21125 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"3a21125\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2086843 e-flex e-con-boxed e-con e-parent\" data-id=\"2086843\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9647810 elementor-widget elementor-widget-heading\" data-id=\"9647810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Looking Inside NoteStore.sqlite<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03a06aa elementor-widget elementor-widget-text-editor\" data-id=\"03a06aa\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>At this point I knew that the encrypted note's content was stored in NoteStore.sqlite, specifically in the ZICNOTEDATA table. Apple often <strong><i>gzips<\/i><\/strong> the note's protobuf data, but for locked notes the entire BLOB is <strong>encrypted<\/strong> first, which means a direct decompression attempt will not yield readable text. You need the <strong>correct decryption key<\/strong> before any kind of decompression or protobuf parsing can take place.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96d0945 elementor-widget elementor-widget-image\" data-id=\"96d0945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"373\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png\" class=\"attachment-large size-large wp-image-3208\" alt=\"Apple Notes iOS 16 mit SQLite DB Browser entschl\u00fcsseln\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-300x140.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-768x359.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-600x280.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB.png.webp 1133w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption 
wp-caption-text\">Encrypted BLOB in the ZDATA field for the locked note (DB Browser for SQLite)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-192f056 elementor-widget elementor-widget-text-editor\" data-id=\"192f056\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>In the screenshot you can see the raw hex values for ZDATA. This data is effectively scrambled by <strong>AES encryption<\/strong>. The critical metadata, such as salts and iteration counts, is stored in other parts of the database. From a <strong>forensic examination<\/strong> standpoint, recognizing that the note is fully encrypted tells you to search the ZICCLOUDSYNCINGOBJECT table for the parameters needed to <strong>crack<\/strong> the passcode and <strong>unlock<\/strong> the note \ud83d\udd13.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0ab9d6 e-flex e-con-boxed e-con e-parent\" data-id=\"d0ab9d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40be78a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"40be78a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38e76a3 e-flex 
e-con-boxed e-con e-parent\" data-id=\"38e76a3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-52d7880 elementor-widget elementor-widget-heading\" data-id=\"52d7880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Why Are Locked Apple Notes Encrypted in iOS 16?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5f10962 e-flex e-con-boxed e-con e-parent\" data-id=\"5f10962\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c925db9 elementor-widget elementor-widget-text-editor\" data-id=\"c925db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember636\" class=\"ember-view reader-text-block__paragraph\">Apple Notes secures locked notes with a combination of <strong>PBKDF2<\/strong> (key derivation) and <strong>AES<\/strong> (encryption). 
When a password is enabled for a note, Apple stores key cryptographic metadata in the database, such as:<\/p><ul><li>ZCRYPTOITERATIONCOUNT<\/li><li>ZCRYPTOSALT<\/li><li>ZCRYPTOWRAPPEDKEY<\/li><\/ul><p id=\"ember638\" class=\"ember-view reader-text-block__paragraph\">These values ensure that only someone with the correct passcode can decrypt the note's content.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bb87437 e-flex e-con-boxed e-con e-parent\" data-id=\"bb87437\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2a25d elementor-widget elementor-widget-heading\" data-id=\"9c2a25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Forensic Approach<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-734c922 e-flex e-con-boxed e-con e-parent\" data-id=\"734c922\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9077bae elementor-widget elementor-widget-text-editor\" data-id=\"9077bae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember640\" class=\"ember-view reader-text-block__paragraph\">From a forensic standpoint, your steps typically include the following:<\/p><ol><li><strong>Identify<\/strong> the relevant locked note entries in ZICNOTEDATA and ZICCLOUDSYNCINGOBJECT.<\/li><li><strong>Extract<\/strong> the cryptographic details, such as the iteration count, salt, and wrapped key.<\/li><li><strong>Crack<\/strong> the user's password with <strong>Hashcat<\/strong> (or another password recovery tool such as John the Ripper or Passware).<\/li><li><strong>Derive<\/strong> the final keys in <strong>Python or CyberChef<\/strong> and <strong>decrypt<\/strong> the note's BLOB.<\/li><li><strong>Decompress<\/strong> the unlocked protobuf data (with <strong>CyberChef or Python<\/strong>) to reveal the final plaintext.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56ca2f1 e-flex e-con-boxed e-con e-parent\" data-id=\"56ca2f1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-18231c3 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"18231c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-062def9 e-flex e-con-boxed e-con e-parent\" data-id=\"062def9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37b1e55 elementor-widget elementor-widget-heading\" data-id=\"37b1e55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Cracking the Locked Apple Note's Password with Hashcat<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55bf6d5 elementor-widget elementor-widget-text-editor\" 
data-id=\"55bf6d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>My goal was to simulate a realistic forensic scenario: I had a locked Apple Note and needed to recover the passcode in order to decrypt its content. This is where <strong>Hashcat<\/strong> comes in. Using the Apple Secure Notes hash mode (ID <strong>16200<\/strong>), Hashcat systematically tried passwords until it found the right one.<\/p><h3 id=\"ember644\" class=\"ember-view reader-text-block__heading-3\">Extracting the Required Columns<\/h3><p id=\"ember645\" class=\"ember-view reader-text-block__paragraph\">I started by opening <strong>NoteStore.sqlite<\/strong> in DB Browser and targeting rows with ZISPASSWORDPROTECTED = 1 in the ZICCLOUDSYNCINGOBJECT table. I then queried the following columns:<\/p><ul><li>Z_PK - the note's unique identifier.<\/li><li>ZCRYPTOSALT - the salt value for PBKDF2.<\/li><li>ZCRYPTOWRAPPEDKEY - the wrapped key, which is unwrapped later.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4f816 elementor-widget elementor-widget-image\" data-id=\"4d4f816\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"337\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png\" class=\"attachment-large size-large wp-image-3219\" alt=\"SQLite command line commands \u2014 forensic database querying and analysis technique\" 
srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-300x126.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-768x323.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-600x253.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1.png.webp 1373w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">SQLite query for the parameters Hashcat requires<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63ee483 elementor-widget elementor-widget-text-editor\" data-id=\"63ee483\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember571\" class=\"ember-view reader-text-block__paragraph\">The Hashcat input file was generated by a small Python script, <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/notes_to_hashcat.py\" target=\"_self\" data-test-app-aware-link=\"\">notes_to_hashcat.py<\/a>, which formats these values into a single line that Hashcat can parse, including the iteration count (from ZCRYPTOITERATIONCOUNT).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9cb96ba elementor-widget elementor-widget-image\" data-id=\"9cb96ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" 
width=\"800\" height=\"194\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png\" class=\"attachment-large size-large wp-image-3222\" alt=\"notes_to_hashcat.py sammelt die erforderlichen Parameter, um das gesperrte Apple-Note-Passwort unter iOS 16 zu knacken\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-300x73.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-768x186.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-600x145.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result.png.webp 1394w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Output of notes_to_hashcat.py<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f15ff3 elementor-widget elementor-widget-text-editor\" data-id=\"7f15ff3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember573\" class=\"ember-view reader-text-block__heading-3\">Running Hashcat to Crack the Locked Apple Note Password<\/h3><p id=\"ember574\" class=\"ember-view reader-text-block__paragraph\">With my Hashcat input file and a dictionary in hand, I ran the following command:<\/p><pre class=\"reader-text-block__code-block\">hashcat -m 16200 -a 0<\/pre><p>Here:<\/p><ul><li>-m 16200 specifies the Apple Secure Notes mode.<\/li><li>-a 0 puts Hashcat in straight (dictionary) attack mode.<\/li><li>The dictionary can be something like <strong>rockyou.txt<\/strong> or a custom list derived from device artifacts.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47bf17e elementor-widget elementor-widget-image\" data-id=\"47bf17e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"492\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png\" class=\"attachment-large size-large wp-image-3223\" alt=\"Hashcat zum Entschl\u00fcsseln von gesperrten Apple Notes Passw\u00f6rtern\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-300x185.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-768x472.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1536x945.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-600x369.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed.png.webp 1858w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Hashcat reveals the cracked password: royalewithcheese<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e128532 elementor-widget elementor-widget-text-editor\" data-id=\"e128532\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashcat successfully identified the correct password: royalewithcheese. In a real investigation your dictionary might be much larger, but this result confirms that Hashcat can handle the heavy lifting.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d589230 e-flex e-con-boxed e-con e-parent\" data-id=\"d589230\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7896451 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"7896451\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3f6d62 e-flex e-con-boxed e-con e-parent\" data-id=\"e3f6d62\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e7ccbd elementor-widget elementor-widget-heading\" data-id=\"8e7ccbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Deriving the Key Encryption Key (KEK) to Decrypt Apple Notes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ae9824 elementor-widget elementor-widget-text-editor\" data-id=\"0ae9824\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember581\" class=\"ember-view reader-text-block__paragraph\">With the password in hand, the next step was to derive the <strong>Key Encryption Key (KEK)<\/strong>, which is used to wrap the final AES key that encrypts the note's content. To derive the KEK, I needed the following values from the ZICCLOUDSYNCINGOBJECT table:<\/p><ul><li><strong>Passphrase<\/strong> (the cracked password)<\/li><li><strong>Iteration count<\/strong> (ZCRYPTOITERATIONCOUNT)<\/li><li><strong>Salt<\/strong> (ZCRYPTOSALT)<\/li><\/ul><p id=\"ember583\" class=\"ember-view reader-text-block__paragraph\">For example, I ran this query in DB Browser:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = ;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14fac64 elementor-widget elementor-widget-image\" data-id=\"14fac64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"386\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png\" class=\"attachment-large size-large wp-image-3236\" alt=\"Abfrage von NoteStore.sqlite nach dem Salt und der Iterationszahl, die ben\u00f6tigt werden, um den f\u00fcr die Entschl\u00fcsselung gesperrter Apple Notes erforderlichen KEK zu erhalten\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-300x145.png.webp 300w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-768x371.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-600x290.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt.png.webp 1313w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Iteration count: 20000 | Salt: d1afa96252a15d8d58827bcb21940de1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a40be9e elementor-widget elementor-widget-text-editor\" data-id=\"a40be9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Next I opened CyberChef, a favorite tool of mine \ud83d\udee0\ufe0f, and dragged in the \"Derive PBKDF2 key\" operation. 
I set the hashing function to <strong>SHA-256<\/strong>, and after I entered the password, salt, and iteration count, CyberChef produced the <strong>16-byte KEK<\/strong>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed74a2a elementor-widget elementor-widget-image\" data-id=\"ed74a2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"532\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png\" class=\"attachment-large size-large wp-image-3240\" alt=\"CyberChef verwendet, um KEK aus PBKDF2-Parametern f\u00fcr die Entschl\u00fcsselung von Apple Note abzuleiten.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-300x200.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-768x511.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1536x1022.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-600x399.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">KEK: a1dac1516302e1d3d73ad4fd4b6f8fef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bfdb59 elementor-widget elementor-widget-text-editor\" data-id=\"5bfdb59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To automate this process, I wrote a Python script called <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/get_kek.py\" target=\"_self\" data-test-app-aware-link=\"\">get_kek.py<\/a> that accepts the database path, the note PK, and the password as arguments. Running it returns the KEK in hex.<\/p><pre class=\"reader-text-block__code-block\">python get_kek.py NoteStore.sqlite<\/pre><p>Result:<\/p><pre class=\"reader-text-block__code-block\">Note PK=16: KEK (hex) = a1dac1516302e1d3d73ad4fd4b6f8fef<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3861a02 e-flex e-con-boxed e-con e-parent\" data-id=\"3861a02\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e99117b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e99117b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-63de4bd e-flex e-con-boxed e-con e-parent\" data-id=\"63de4bd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ee05cd elementor-widget elementor-widget-heading\" data-id=\"4ee05cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 
class=\"elementor-heading-title elementor-size-default\">Unwrapping the AES Key to Decrypt Locked Apple Notes on iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3e1728 elementor-widget elementor-widget-text-editor\" data-id=\"b3e1728\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember589\" class=\"ember-view reader-text-block__paragraph\">The next step was to <strong>unwrap the key<\/strong> used to encrypt the note's content. The wrapped key is stored in the ZCRYPTOWRAPPEDKEY column of ZICCLOUDSYNCINGOBJECT. For example, I queried:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOWRAPPEDKEY FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = 16;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af11810 elementor-widget elementor-widget-image\" data-id=\"af11810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png\" class=\"attachment-large size-large wp-image-3247\" alt=\"SQLite query for the wrapped key needed to decrypt Apple Notes on iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-300x147.png.webp 300w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-768x376.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-600x294.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key.png.webp 1295w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Wrapped Key: 78c2b79c3e357117c95feb882009e14be9e5f88598ea6db0<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-883ef21 elementor-widget elementor-widget-text-editor\" data-id=\"883ef21\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 id=\"ember592\" class=\"ember-view reader-text-block__heading-3\">Unwrapping Options<\/h2><h3 id=\"ember593\" class=\"ember-view reader-text-block__heading-3\">Option 1: Unwrapping the AES Key to Decrypt Locked Apple Notes on iOS 16 with CyberChef<\/h3><p id=\"ember594\" class=\"ember-view reader-text-block__paragraph\">I disabled all previous operations, searched for \"AES Key Unwrap\", and dragged it into the recipe window. 
After I pasted in the KEK and the wrapped key, CyberChef output the unwrapped AES key.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d457284 elementor-widget elementor-widget-image\" data-id=\"d457284\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png\" class=\"attachment-large size-large wp-image-3248\" alt=\"CyberChef used to derive the KEK and unwrap the AES key for decrypting Apple Notes on iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Unwrapped key: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f85b338 elementor-widget elementor-widget-text-editor\" data-id=\"f85b338\" data-element_type=\"widget\" data-e-type=\"widget\" 
data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember596\" class=\"ember-view reader-text-block__heading-3\">Option 2: Automatically Unwrapping the AES Key with unwrap.py<\/h3><p id=\"ember597\" class=\"ember-view reader-text-block__paragraph\">I also wrote a Python script called <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/unwrap.py\" target=\"_self\" data-test-app-aware-link=\"\">unwrap.py<\/a> that takes the database path and the KEK (in hex) as arguments. Running this script unwraps the key and prints it in hex. In my case, the unwrapped key was:<\/p><pre class=\"reader-text-block__code-block\">python unwrap.py NoteStore.sqlite<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d706b50 elementor-widget elementor-widget-image\" data-id=\"d706b50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"186\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png\" class=\"attachment-large size-large wp-image-3252\" alt=\"Python script unwrap.py showing the unwrapped AES key for locked Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-300x70.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-768x178.png.webp 768w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1536x357.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-600x139.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key.png.webp 1624w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Unwrapped key: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ccc7a47 elementor-widget elementor-widget-text-editor\" data-id=\"ccc7a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This is the final AES key used to decrypt the content of the locked Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5503b4 e-flex e-con-boxed e-con e-parent\" data-id=\"f5503b4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b5b0ce elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"8b5b0ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a5b134e e-flex e-con-boxed e-con e-parent\" data-id=\"a5b134e\" data-element_type=\"container\" 
data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b756808 elementor-widget elementor-widget-heading\" data-id=\"b756808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Decrypting Apple Notes BLOBs with AES-GCM on iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df237c elementor-widget elementor-widget-text-editor\" data-id=\"9df237c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"333\" data-end=\"576\">Now that I had the unwrapped key, it was time to decrypt the Apple Notes BLOB stored in the <code data-start=\"425\" data-end=\"438\">ZICNOTEDATA<\/code> table. 
Apple uses <strong data-start=\"457\" data-end=\"476\">AES in GCM mode<\/strong> to protect the content of locked notes, which meant I needed four essential components to proceed:<\/p><ul data-start=\"578\" data-end=\"768\"><li class=\"\" data-start=\"578\" data-end=\"606\"><p class=\"\" data-start=\"580\" data-end=\"606\">\ud83d\udd11 <strong data-start=\"583\" data-end=\"604\">Unwrapped AES key<\/strong><\/p><\/li><li class=\"\" data-start=\"607\" data-end=\"679\"><p class=\"\" data-start=\"609\" data-end=\"679\">\ud83d\udd01 <strong data-start=\"612\" data-end=\"642\">Initialization vector (IV)<\/strong> from <code data-start=\"648\" data-end=\"677\">ZCRYPTOINITIALIZATIONVECTOR<\/code><\/p><\/li><li class=\"\" data-start=\"680\" data-end=\"731\"><p class=\"\" data-start=\"682\" data-end=\"731\">\ud83c\udff7 <strong data-start=\"685\" data-end=\"711\">GCM authentication tag<\/strong> from <code data-start=\"717\" data-end=\"729\">ZCRYPTOTAG<\/code><\/p><\/li><li class=\"\" data-start=\"732\" data-end=\"768\"><p class=\"\" data-start=\"734\" data-end=\"768\">\ud83d\udcbe <strong data-start=\"737\" data-end=\"755\">Encrypted BLOB<\/strong> from <code data-start=\"761\" data-end=\"768\">ZDATA<\/code><\/p><\/li><\/ul><h3>\ud83d\udce4 Extracting the IV and GCM Tag from NoteStore.sqlite<\/h3><p class=\"\" data-start=\"830\" data-end=\"1096\">To locate the <strong data-start=\"844\" data-end=\"850\">IV<\/strong> and <strong data-start=\"855\" data-end=\"866\">GCM tag<\/strong>, I opened the <code data-start=\"881\" data-end=\"894\">ZICNOTEDATA<\/code> table in DB Browser for SQLite. These fields are stored as binary values and can be found in either the <code data-start=\"999\" data-end=\"1012\">ZICNOTEDATA<\/code> or <code data-start=\"1016\" data-end=\"1039\">ZICCLOUDSYNCINGOBJECT<\/code> tables. 
Both store the data under the same column names.<\/p><ul data-start=\"1098\" data-end=\"1194\"><li class=\"\" data-start=\"1098\" data-end=\"1144\"><p class=\"\" data-start=\"1100\" data-end=\"1144\"><strong data-start=\"1100\" data-end=\"1106\">IV<\/strong>: <code data-start=\"1108\" data-end=\"1142\">5c0c0bde9b6801747ddad1115a422d05<\/code><\/p><\/li><li class=\"\" data-start=\"1145\" data-end=\"1194\"><p class=\"\" data-start=\"1147\" data-end=\"1194\"><strong data-start=\"1147\" data-end=\"1158\">GCM tag<\/strong>: <code data-start=\"1160\" data-end=\"1194\">b9087ba19e3c7deff2cb4b9b51e6aafa<\/code><\/p><\/li><\/ul><p>The encrypted BLOB itself was also in the <code data-start=\"1246\" data-end=\"1253\">ZDATA<\/code> column. I copied all three values in hexadecimal format to prepare for the final decryption step.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df39e9 elementor-widget elementor-widget-image\" data-id=\"9df39e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png\" class=\"attachment-large size-large wp-image-3256\" alt=\"SQLite database IV forensic analysis \u2014 digital evidence examination with hex viewer\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV.png.webp 
1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">The initialization vector: 5c0c0bde9b6801747ddad1115a422d05<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34afaf5 elementor-widget elementor-widget-image\" data-id=\"34afaf5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png\" class=\"attachment-large size-large wp-image-3257\" alt=\"DB Browser showing the GCM tag used for AES-GCM decryption\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">The GCM tag: b9087ba19e3c7deff2cb4b9b51e6aafa<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-16a8017 elementor-widget elementor-widget-image\" data-id=\"16a8017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" 
decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png\" class=\"attachment-large size-large wp-image-3258\" alt=\"DB Browser with the encrypted Apple Note BLOB data highlighted\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">The encrypted BLOB<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34002d9 elementor-widget elementor-widget-text-editor\" data-id=\"34002d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>\ud83e\uddea Decrypting the Note with CyberChef<\/h2><p class=\"\" data-start=\"1396\" data-end=\"1552\">With everything in hand, I turned to <strong data-start=\"1433\" data-end=\"1446\">CyberChef<\/strong>. This tool made it easy to combine all the parameters and reveal the original content. 
Here is how I did it:<\/p><ol data-start=\"1554\" data-end=\"1819\"><li class=\"\" data-start=\"1554\" data-end=\"1597\"><p class=\"\" data-start=\"1557\" data-end=\"1597\">I added the <strong data-start=\"1569\" data-end=\"1586\">\"AES Decrypt\"<\/strong> operation.<\/p><\/li><li class=\"\" data-start=\"1598\" data-end=\"1655\"><p class=\"\" data-start=\"1601\" data-end=\"1655\">I pasted the <strong data-start=\"1614\" data-end=\"1635\">unwrapped AES key<\/strong> into the Key field.<\/p><\/li><li class=\"\" data-start=\"1656\" data-end=\"1685\"><p class=\"\" data-start=\"1659\" data-end=\"1685\">I set the <strong data-start=\"1669\" data-end=\"1684\">mode to GCM<\/strong>.<\/p><\/li><li class=\"\" data-start=\"1686\" data-end=\"1752\"><p class=\"\" data-start=\"1689\" data-end=\"1752\">I entered the <strong data-start=\"1704\" data-end=\"1722\">IV and GCM tag<\/strong> in their respective fields.<\/p><\/li><li class=\"\" data-start=\"1753\" data-end=\"1819\"><p class=\"\" data-start=\"1756\" data-end=\"1819\">Finally, I pasted the <strong data-start=\"1778\" data-end=\"1796\">encrypted BLOB<\/strong> into the input window.<\/p><\/li><\/ol><div class=\"reader-image-block reader-image-block--full-width\">As soon as I hit <strong data-start=\"1832\" data-end=\"1840\">Bake<\/strong>, CyberChef decrypted the BLOB and revealed a compressed file, exactly what I had expected. 
This meant the encryption layer was now fully removed and I could move on to decompressing the data.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8947548 elementor-widget elementor-widget-image\" data-id=\"8947548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png\" class=\"attachment-large size-large wp-image-3263\" alt=\"CyberChef recipe for decrypting the Apple Notes BLOB in AES-GCM mode\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Decrypted GZIP file<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f8c36f9 e-flex e-con-boxed e-con e-parent\" data-id=\"f8c36f9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aba9778 
elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aba9778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-415622e e-flex e-con-boxed e-con e-parent\" data-id=\"415622e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-23482bc elementor-widget elementor-widget-heading\" data-id=\"23482bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Decompressing and Parsing the Final Note (Decrypted Protobuf from Apple Notes)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f50417 elementor-widget elementor-widget-text-editor\" data-id=\"8f50417\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"285\" data-end=\"516\">After decrypting the AES-encrypted BLOB, I saved the output to a file named <code data-start=\"361\" data-end=\"381\">decrypted_blob.bin<\/code> and opened it in HxD. 
The file signature <code data-start=\"423\" data-end=\"433\">0x1F8B08<\/code> confirmed that it was a GZIP-compressed file; Apple uses this to compress protobuf data.<\/p><p class=\"\" data-start=\"518\" data-end=\"677\">To extract the plaintext, I reopened CyberChef and added the <strong data-start=\"579\" data-end=\"589\">Gunzip<\/strong> operation to the workflow. Familiar strings immediately appeared in the output.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-188566a elementor-widget elementor-widget-image\" data-id=\"188566a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png\" class=\"attachment-large size-large wp-image-3267\" alt=\"CyberChef showing decompressed Apple Notes protobuf data after GZIP extraction\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Decompressed Protobuf in 
CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3956e4f elementor-widget elementor-widget-text-editor\" data-id=\"3956e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>After decompression, I applied <strong data-start=\"759\" data-end=\"778\">Protobuf Decode<\/strong> in CyberChef. The result was a structured view resembling JSON, with keys and values representing the content of the locked Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e094119 e-flex e-con-boxed e-con e-parent\" data-id=\"e094119\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-94d53fe elementor-widget elementor-widget-image\" data-id=\"94d53fe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"470\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png\" class=\"attachment-large size-large wp-image-3268\" alt=\"CyberChef view of the decoded Apple Notes protobuf structure in a JSON-like format\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-300x176.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-768x451.png.webp 768w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1536x901.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-600x352.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode.png.webp 1929w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Decoded Protobuf in CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290c42a elementor-widget elementor-widget-text-editor\" data-id=\"290c42a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>To make it easier to read, I also used a Python script that uses the <code data-start=\"1017\" data-end=\"1034\">blackboxprotobuf<\/code> module to parse the protobuf file and print the output in a clean, human-readable format.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a338fd elementor-widget elementor-widget-image\" data-id=\"7a338fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"364\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png\" class=\"attachment-large size-large wp-image-3269\" alt=\"Command prompt showing the Apple Note content parsed with the blackboxprotobuf Python script\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png.webp 829w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-300x136.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-768x349.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-600x273.png.webp 600w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Nicely formatted results on screen<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996cea elementor-widget elementor-widget-text-editor\" data-id=\"0996cea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>This matches what the user typed into the locked Apple Note. You have gone from a hidden, password-protected entry to the actual plaintext message, an invaluable find in any forensic case.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1eb0aa4 elementor-widget elementor-widget-image\" data-id=\"1eb0aa4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"1024\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png\" class=\"attachment-large size-large wp-image-3271\" alt=\"iPhone note evidence \u2014 forensic extraction of notes from iOS device SQLite database\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png.webp 515w, 
https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-151x300.png.webp 151w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-768x1528.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-772x1536.png.webp 772w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-600x1193.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note.png.webp 819w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Screenshot of the locked Apple Note content, captured with UFADE<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b8a6adf e-flex e-con-boxed e-con e-parent\" data-id=\"b8a6adf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f99fa9e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"f99fa9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f7a515 elementor-widget elementor-widget-video\" data-id=\"6f7a515\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=5Gr4LtE-_iE&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper 
elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec61c4f elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"ec61c4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/de\/sqlite-forensik\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tLearn how to recognize, extract, and interpret structured data like this\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t This is a hands-on example of how protobufs are stored in SQLite databases.\n\nCheck out our full SQLite Forensics course or contact us to see how it can fit your work.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tLearn more\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d72a604 e-flex e-con-boxed e-con e-parent\" data-id=\"d72a604\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div 
class=\"elementor-element elementor-element-22b6bb5 elementor-widget elementor-widget-heading\" data-id=\"22b6bb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd1a Final Thoughts<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c3e41b elementor-widget elementor-widget-text-editor\" data-id=\"4c3e41b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"192\" data-end=\"593\">Congratulations \ud83c\udf89 - you have just completed a full forensic workflow to <strong data-start=\"263\" data-end=\"304\">decrypt locked Apple Notes on iOS 16<\/strong>. You extracted the encryption parameters from the SQLite database, cracked the password with <strong data-start=\"394\" data-end=\"405\">Hashcat<\/strong>, derived and decrypted the AES key with <strong data-start=\"447\" data-end=\"457\">Python<\/strong>, and finally decrypted and parsed the protobuf with <strong data-start=\"510\" data-end=\"523\">CyberChef<\/strong>. Each step brought you closer to the note's hidden content.<\/p><p class=\"\" data-start=\"595\" data-end=\"833\">This hands-on example shows how powerful <strong data-start=\"641\" data-end=\"662\">open-source tools<\/strong> can be in digital forensics. 
They help investigators uncover encrypted Apple Notes that commercial tools may miss, especially on devices running <strong data-start=\"811\" data-end=\"832\">iOS 16 or earlier<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8c713e5 e-flex e-con-boxed e-con e-parent\" data-id=\"8c713e5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aa24044 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aa24044\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b6bbf21 e-flex e-con-boxed e-con e-parent\" data-id=\"b6bbf21\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf4bff elementor-widget elementor-widget-heading\" data-id=\"5bf4bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd75\ufe0f Bonus: The Password Hint<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-529bd7f elementor-widget elementor-widget-text-editor\" data-id=\"529bd7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div 
class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"874\" data-end=\"963\">Here is an extra twist: I found a <strong data-start=\"908\" data-end=\"925\">password hint<\/strong> in the <code data-start=\"933\" data-end=\"956\">ZICCLOUDSYNCINGOBJECT<\/code> table:<\/p><blockquote data-start=\"965\" data-end=\"986\"><p class=\"\" data-start=\"967\" data-end=\"986\"><strong data-start=\"967\" data-end=\"986\">Quarter Pounder<\/strong><\/p><\/blockquote><p class=\"\" data-start=\"988\" data-end=\"1244\">Since the device belonged to someone named \"Vincent\", it was not hard to guess the password: <strong data-start=\"1080\" data-end=\"1100\">royalewithcheese<\/strong> - a nod to <em data-start=\"1112\" data-end=\"1126\">Pulp Fiction<\/em>. In real cases, password hints like this one can speed up the workflow when combined with a strategic cracking process.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-efeabdf e-flex e-con-boxed e-con e-parent\" data-id=\"efeabdf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1a2a4f6 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a2a4f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7878d44 e-flex e-con-boxed e-con e-parent\" data-id=\"7878d44\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div 
class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1e7fb8 elementor-widget elementor-widget-heading\" data-id=\"b1e7fb8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udcf1 One More Thing... About iOS 17 and iOS 18<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1fbdcca elementor-widget elementor-widget-text-editor\" data-id=\"1fbdcca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"1299\" data-end=\"1619\">This guide applies specifically to decrypting <strong data-start=\"1334\" data-end=\"1381\">Apple Notes on iOS 16 and earlier<\/strong>. Starting with <strong data-start=\"1397\" data-end=\"1407\">iOS 17<\/strong>, Apple made significant changes to the Notes encryption process. You may encounter missing key-derivation fields, different cryptographic structures, or notes that can no longer be decrypted with the same methods.<\/p><p class=\"\" data-start=\"1621\" data-end=\"1785\">If you are working out how to <strong data-start=\"1648\" data-end=\"1691\">decrypt Apple Notes on iOS 17 or iOS 18<\/strong>, I would love to collaborate. 
Share your findings, and let's break down the new encryption together.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4d8d5c0 e-flex e-con-boxed e-con e-parent\" data-id=\"4d8d5c0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d446cd4 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"d446cd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"mailto:contact@elusivedata.io\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tThanks for reading! Have questions?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Post them in the comments below or reach out to us directly. 
Let's keep pushing the boundaries of forensic discovery.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tContact\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0768b7d elementor-widget elementor-widget-heading\" data-id=\"0768b7d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">You might also be interested in<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc0d9d0 elementor-widget elementor-widget-video\" data-id=\"cc0d9d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=QFn63mQ5_gI&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53a6229 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"53a6229\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div 
class=\"elementor-element elementor-element-e6108d9 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"e6108d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/de\/ed-sqlite-visualizer\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tSQLite Visualizer. A whole new way to explore SQLite.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tThe new ED SQLite Visualizer lets you see database internals, recover hidden records, and connect the dots faster than ever, all visually. It is already used in our full SQLite course and will soon be available to everyone. \t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tSee what's coming \u2192\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. 
This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple's Notes app. A must-read for digital investigators and mobile forensics professionals.<\/p>","protected":false},"author":1,"featured_media":3203,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-3205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-forensics"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Decrypt Locked Apple Notes on iOS 16 | Forensic Guide<\/title>\n<meta name=\"description\" content=\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/elusivedata.io\/de\/apple-notes-ios16-entschlusseln\/\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta property=\"og:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. 
A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/elusivedata.io\/de\/apple-notes-ios16-entschlusseln\/\" \/>\n<meta property=\"og:site_name\" content=\"Elusive Data\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-27T17:01:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-13T15:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"574\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"James Eichbaum\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta name=\"twitter:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. 
A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Verfasst von\" \/>\n\t<meta name=\"twitter:data1\" content=\"James Eichbaum\" \/>\n\t<meta name=\"twitter:label2\" content=\"Gesch\u00e4tzte Lesezeit\" \/>\n\t<meta name=\"twitter:data2\" content=\"15\u00a0Minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"author\":{\"name\":\"James Eichbaum\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\"},\"headline\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"wordCount\":1989,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"articleSection\":[\"Mobile Forensics\"],\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"name\":\"Decrypt Locked Apple Notes 
on iOS 16 | Forensic Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"description\":\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\"},\"inLanguage\":\"de\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"width\":4400,\"height\":2465,\"caption\":\"Three padlocks on black background representing encrypted Apple Notes\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/elusivedata.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"name\":\"ElusiveData\",\"description\":\"Excellence in Digital 
Forensics Training and Consulting\",\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/elusivedata.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\",\"name\":\"ElusiveData\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"width\":2560,\"height\":370,\"caption\":\"ElusiveData\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.youtube.com\\\/@elusivedata\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\",\"name\":\"James Eichbaum\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"caption\":\"James Eichbaum\"},\"sameAs\":[\"http:\\\/\\\/elusivedata.io\"],\"url\":\"https:\\\/\\\/elusivedata.io\\\/de\\\/author\\\/eichbaumjamesgmail-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"Gesperrte Apple-Notizen auf iOS 16 entschl\u00fcsseln | Forensische Anleitung","description":"Entschl\u00fcsseln Sie gesperrte Apple Notes unter iOS 16 mit Open-Source-Tools wie Hashcat, CyberChef und Python. Ein vollst\u00e4ndiger forensischer Arbeitsablauf - keine kostenpflichtigen Tools erforderlich.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/elusivedata.io\/de\/apple-notes-ios16-entschlusseln\/","og_locale":"de_DE","og_type":"article","og_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","og_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","og_url":"https:\/\/elusivedata.io\/de\/apple-notes-ios16-entschlusseln\/","og_site_name":"Elusive Data","article_published_time":"2025-03-27T17:01:54+00:00","article_modified_time":"2025-08-13T15:55:36+00:00","og_image":[{"width":1024,"height":574,"url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png","type":"image\/png"}],"author":"James Eichbaum","twitter_card":"summary_large_image","twitter_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","twitter_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. 
A must-read for digital investigators and mobile forensics professionals.","twitter_image":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","twitter_misc":{"Verfasst von":"James Eichbaum","Gesch\u00e4tzte Lesezeit":"15\u00a0Minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#article","isPartOf":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"author":{"name":"James Eichbaum","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436"},"headline":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"wordCount":1989,"commentCount":2,"publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","articleSection":["Mobile Forensics"],"inLanguage":"de","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","url":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","name":"Gesperrte Apple-Notizen auf iOS 16 entschl\u00fcsseln | Forensische 
Anleitung","isPartOf":{"@id":"https:\/\/elusivedata.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","description":"Entschl\u00fcsseln Sie gesperrte Apple Notes unter iOS 16 mit Open-Source-Tools wie Hashcat, CyberChef und Python. Ein vollst\u00e4ndiger forensischer Arbeitsablauf - keine kostenpflichtigen Tools erforderlich.","breadcrumb":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb"},"inLanguage":"de","potentialAction":[{"@type":"ReadAction","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"]}]},{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","width":4400,"height":2465,"caption":"Three padlocks on black background representing encrypted Apple Notes"},{"@type":"BreadcrumbList","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/elusivedata.io\/"},{"@type":"ListItem","position":2,"name":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat"}]},{"@type":"WebSite","@id":"https:\/\/elusivedata.io\/#website","url":"https:\/\/elusivedata.io\/","name":"ElusiveData","description":"Hervorragende Schulung und Beratung im Bereich digitale 
Forensik","publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/elusivedata.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de"},{"@type":"Organization","@id":"https:\/\/elusivedata.io\/#organization","name":"ElusiveData","url":"https:\/\/elusivedata.io\/","logo":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","width":2560,"height":370,"caption":"ElusiveData"},"image":{"@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.youtube.com\/@elusivedata"]},{"@type":"Person","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436","name":"James Eichbaum","image":{"@type":"ImageObject","inLanguage":"de","@id":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","url":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","caption":"James 
Eichbaum"},"sameAs":["http:\/\/elusivedata.io"],"url":"https:\/\/elusivedata.io\/de\/author\/eichbaumjamesgmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/posts\/3205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/comments?post=3205"}],"version-history":[{"count":90,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/posts\/3205\/revisions"}],"predecessor-version":[{"id":14968,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/posts\/3205\/revisions\/14968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/media\/3203"}],"wp:attachment":[{"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/media?parent=3205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/categories?post=3205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elusivedata.io\/de\/wp-json\/wp\/v2\/tags?post=3205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}