{"id":3205,"date":"2025-03-27T17:01:54","date_gmt":"2025-03-27T17:01:54","guid":{"rendered":"https:\/\/elusivedata.io\/?p=3205"},"modified":"2025-08-13T15:55:36","modified_gmt":"2025-08-13T15:55:36","slug":"descifrar-apple-notes-ios16","status":"publish","type":"post","link":"https:\/\/elusivedata.io\/es\/decrypt-apple-notes-ios16\/","title":{"rendered":"Descifrar Notas de Apple Bloqueadas en iOS 16.x: Un flujo de trabajo forense completo (SQLite, CyberChef, Python) con Hashcat"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3205\" class=\"elementor elementor-3205\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c9155f5 e-flex e-con-boxed e-con e-parent\" data-id=\"c9155f5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2fc7219 elementor-widget elementor-widget-heading\" data-id=\"2fc7219\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Introducci\u00f3n<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d80253 elementor-widget elementor-widget-text-editor\" data-id=\"1d80253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember625\" class=\"ember-view reader-text-block__paragraph\">Mientras analizaba un dispositivo de prueba con una conocida herramienta forense comercial para m\u00f3viles, me encontr\u00e9 con algo intrigante: una nota de Apple bloqueada que s\u00f3lo aparec\u00eda como \"oculta\". La herramienta mostraba el resumen de la nota (etiquetado como \"Lance\"), pero faltaba el contenido real. No hab\u00eda ninguna pista de lo que hab\u00eda bajo el candado, lo que me dej\u00f3 con una pregunta candente: \u00bfpodr\u00eda descubrir el secreto que hab\u00eda dentro? Necesitaba un flujo de trabajo que me ayudara a descifrar las Notas de Apple en iOS 16.<\/p><p id=\"ember626\" class=\"ember-view reader-text-block__paragraph\">El dispositivo funcionaba <strong>iOS 16.7.10<\/strong>y despu\u00e9s de indagar en la base de datos NoteStore.sqlite, me di cuenta de que todas las pistas de cifrado estaban ah\u00ed, esperando a ser descifradas. Con la ayuda de herramientas de c\u00f3digo abierto, me dispuse a recuperar la contrase\u00f1a y descifrar el contenido de la nota.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p><p id=\"ember627\" class=\"ember-view reader-text-block__paragraph\">Este art\u00edculo le guiar\u00e1 por <strong>flujo de trabajo forense completo<\/strong> sobre c\u00f3mo <strong data-start=\"979\" data-end=\"1012\">descifrar Notas de Apple en iOS 16:<\/strong><\/p><ul><li>\ud83d\udd13 <strong>Hashcat<\/strong> para descifrar contrase\u00f1as<\/li><li>\ud83d\uddc4\ufe0f <strong>Navegador DB para SQLite<\/strong> para explorar y extraer par\u00e1metros de cifrado<\/li><li>\ud83d\udc0d <strong>Scripts de Python<\/strong> para la derivaci\u00f3n de claves y el desenvolvimiento de claves AES<\/li><li>\ud83d\udd0d <strong>CiberChef<\/strong> para descifrar, descomprimir y analizar la carga \u00fatil final del protobuf.<\/li><\/ul><blockquote id=\"ember629\" class=\"ember-view reader-text-block__blockquote\"><p>\u26a0\ufe0f <strong>Nota importante:<\/strong> Este flujo de trabajo se aplica espec\u00edficamente a las Notas de Apple bloqueadas en <strong>iOS 16.x<\/strong>. A partir de iOS 17, Apple cambi\u00f3 la forma en que se almacenan las notas cifradas, y iOS 18 trae a\u00fan m\u00e1s cambios.<\/p><\/blockquote><p id=\"ember630\" class=\"ember-view reader-text-block__paragraph\">Vamos a sumergirnos y revelar el mensaje oculto dentro de ese Apple Note bloqueado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c525deb e-flex e-con-boxed e-con e-parent\" data-id=\"c525deb\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a21125 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"3a21125\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2086843 e-flex e-con-boxed e-con e-parent\" data-id=\"2086843\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9647810 elementor-widget elementor-widget-heading\" data-id=\"9647810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Profundizando en NoteStore.sqlite<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03a06aa elementor-widget elementor-widget-text-editor\" data-id=\"03a06aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>En este punto, sab\u00eda que el contenido de la nota cifrada se almacenaba en NoteStore.sqlite, concretamente en la tabla ZICNOTEDATA. Apple suele <strong><i>gzips<\/i><\/strong> los datos del protobuf de la nota, pero en el caso de las notas bloqueadas, ese BLOB entero es primero <strong>encriptado<\/strong>-lo que significa que un intento de descompresi\u00f3n directa no producir\u00e1 texto legible. Necesitar\u00e1s el <strong>clave de descifrado correcta<\/strong> antes de que se produzca cualquier tipo de descompresi\u00f3n o an\u00e1lisis del protobuf.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96d0945 elementor-widget elementor-widget-image\" data-id=\"96d0945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"373\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png\" class=\"attachment-large size-large wp-image-3208\" alt=\"Descifrar Apple Notes iOS 16 usando SQLite DB Browser\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-300x140.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-768x359.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-600x280.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB.png.webp 1133w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">BLOB encriptado en el campo ZDATA para la nota bloqueada (DB Browser para SQLite)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-192f056 elementor-widget elementor-widget-text-editor\" data-id=\"192f056\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>En la captura de pantalla, puede ver los valores hexadecimales sin procesar de ZDATA. Estos datos est\u00e1n codificados por <strong>Cifrado AES<\/strong>Los metadatos cr\u00edticos, como las sales y los recuentos de iteraciones, se guardan en otras partes de la base de datos. A partir de un <strong>del examinador forense<\/strong> reconocer que la nota est\u00e1 totalmente encriptada es la clave para profundizar en la tabla ZICCLOUDSYNCINGOBJECT en busca de los par\u00e1metros necesarios para <strong>grieta<\/strong> el c\u00f3digo de acceso y <strong>desbloquear<\/strong> la nota \ud83d\udd13.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0ab9d6 e-flex e-con-boxed e-con e-parent\" data-id=\"d0ab9d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40be78a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"40be78a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38e76a3 e-flex e-con-boxed e-con e-parent\" data-id=\"38e76a3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-52d7880 elementor-widget elementor-widget-heading\" data-id=\"52d7880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Por qu\u00e9 las notas de Apple bloqueadas est\u00e1n encriptadas en iOS 16?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5f10962 e-flex e-con-boxed e-con e-parent\" data-id=\"5f10962\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c925db9 elementor-widget elementor-widget-text-editor\" data-id=\"c925db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember636\" class=\"ember-view reader-text-block__paragraph\">Apple Notes protege las notas bloqueadas mediante una combinaci\u00f3n de <strong>PBKDF2<\/strong> (derivaci\u00f3n de claves) y <strong>AES<\/strong> (cifrado). Cuando se activa una contrase\u00f1a en una nota, Apple almacena metadatos criptogr\u00e1ficos clave en la base de datos, como:<\/p><ul><li>ZCRYPTOITERATIONCOUNT<\/li><li>ZCRYPTOSALT<\/li><li>ZCRYPTOWRAPPEDKEY<\/li><\/ul><p id=\"ember638\" class=\"ember-view reader-text-block__paragraph\">Estos valores garantizan que s\u00f3lo alguien con la clave correcta pueda descifrar el contenido de la nota.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bb87437 e-flex e-con-boxed e-con e-parent\" data-id=\"bb87437\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2a25d elementor-widget elementor-widget-heading\" data-id=\"9c2a25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Enfoque forense<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-734c922 e-flex e-con-boxed e-con e-parent\" data-id=\"734c922\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9077bae elementor-widget elementor-widget-text-editor\" data-id=\"9077bae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember640\" class=\"ember-view reader-text-block__paragraph\">Desde un punto de vista forense, sus pasos suelen incluir:<\/p><ol><li><strong>Identifique<\/strong> las entradas de notas bloqueadas pertinentes en ZICNOTEDATA y ZICCLOUDSYNCINGOBJECT.<\/li><li><strong>Extracto<\/strong> los detalles criptogr\u00e1ficos, como el recuento de iteraciones, la sal y la clave envuelta.<\/li><li><strong>Crack<\/strong> la contrase\u00f1a del usuario con <strong>Hashcat<\/strong> (u otra herramienta de recuperaci\u00f3n de contrase\u00f1as como John the Ripper o Passware).<\/li><li><strong>Derive<\/strong> las teclas finales en <strong>Python o CyberChef<\/strong>\u00a0y <strong>descifrar<\/strong> el BLOB de la nota.<\/li><li><strong>Descomprimir<\/strong> los datos protobuf desbloqueados (con <strong>CyberChef o Python<\/strong>) para revelar el texto plano final.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8357e17 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"8357e17\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/es\/analisis-forense-de-sqlite\/?v=efad7abb323e\">\n\t\t\t\t\t<div class=\"elementor-cta__bg-wrapper\">\n\t\t\t\t<div class=\"elementor-cta__bg elementor-bg\" style=\"background-image: url(https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/07\/SQLite-Forensics-1024x543.png);\" role=\"img\" aria-label=\"An\u00e1lisis forense de SQLite\"><\/div>\n\t\t\t\t<div class=\"elementor-cta__bg-overlay\"><\/div>\n\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t\u00bfQuieres un control total sobre tus investigaciones en SQLite?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tAprende a trabajar m\u00e1s all\u00e1 de las limitaciones de la herramienta, desde el an\u00e1lisis sint\u00e1ctico de los datos cifrados de las aplicaciones hasta la recuperaci\u00f3n de registros eliminados y ocultos. Apl\u00edcalo inmediatamente en tus propias investigaciones.\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tM\u00e1s informaci\u00f3n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56ca2f1 e-flex e-con-boxed e-con e-parent\" data-id=\"56ca2f1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-18231c3 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"18231c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-062def9 e-flex e-con-boxed e-con e-parent\" data-id=\"062def9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37b1e55 elementor-widget elementor-widget-heading\" data-id=\"37b1e55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">C\u00f3mo descifrar la contrase\u00f1a del Apple Note bloqueado con Hashcat<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55bf6d5 elementor-widget elementor-widget-text-editor\" data-id=\"55bf6d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Mi objetivo era simular un escenario forense realista: ten\u00eda un Apple Note bloqueado y necesitaba recuperar su c\u00f3digo de acceso para descifrar el contenido. Ah\u00ed es donde <strong>Hashcat<\/strong> entra en juego. Aprovechando su modo hash Apple Secure Notes (ID <strong>16200<\/strong>), Hashcat intentaba sistem\u00e1ticamente las contrase\u00f1as hasta encontrar la correcta.<\/p><h3 id=\"ember644\" class=\"ember-view reader-text-block__heading-3\">Extracci\u00f3n de las columnas necesarias<\/h3><p id=\"ember645\" class=\"ember-view reader-text-block__paragraph\">Empec\u00e9 abriendo <strong>NoteStore.sqlite<\/strong> en DB Browser y apuntando a filas con ZISPASSWORDPROTECTED = 1 en la tabla ZICCLOUDSYNCINGOBJECT. A continuaci\u00f3n, he consultado las siguientes columnas:<\/p><ul><li>Z_PK - identificador \u00fanico de la nota.<\/li><li>ZCRYPTOSALT - el valor de la sal para PBKDF2.<\/li><li>ZCRYPTOWRAPPEDKEY - la clave envuelta que luego ser\u00e1 desenvuelta.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4f816 elementor-widget elementor-widget-image\" data-id=\"4d4f816\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"337\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png\" class=\"attachment-large size-large wp-image-3219\" alt=\"SQLite command line commands \u2014 forensic database querying and analysis technique\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-300x126.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-768x323.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-600x253.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1.png.webp 1373w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Consulta SQLite de los par\u00e1metros necesarios para Hashcat<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63ee483 elementor-widget elementor-widget-text-editor\" data-id=\"63ee483\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember571\" class=\"ember-view reader-text-block__paragraph\">El archivo de entrada Hashcat se gener\u00f3 mediante un peque\u00f1o script de Python <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/notes_to_hashcat.py\" target=\"_self\" data-test-app-aware-link=\"\">notas_a_hashcat.py<\/a>que formatea estos valores en una sola l\u00ednea que Hashcat puede analizar, incluyendo el recuento de iteraciones (de ZCRYPTOITERATIONCOUNT).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9cb96ba elementor-widget elementor-widget-image\" data-id=\"9cb96ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"194\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png\" class=\"attachment-large size-large wp-image-3222\" alt=\"notes_to_hashcat.py re\u00fane los par\u00e1metros necesarios para descifrar la contrase\u00f1a de notas de Apple bloqueadas en iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-300x73.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-768x186.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-600x145.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result.png.webp 1394w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Salida de notes_to_hashcat.py<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f15ff3 elementor-widget elementor-widget-text-editor\" data-id=\"7f15ff3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember573\" class=\"ember-view reader-text-block__heading-3\">Ejecutar Hashcat para descifrar la contrase\u00f1a bloqueada de Apple Note<\/h3><p id=\"ember574\" class=\"ember-view reader-text-block__paragraph\">Con mi archivo de entrada Hashcat listo y un diccionario a mano, ejecut\u00e9 el siguiente comando:<\/p><pre class=\"reader-text-block__code-block\">hashcat -m 16200 -a 0<br \/>Toma:<\/pre><ul><li>-m 16200 especifica el modo Apple Secure Notes.<\/li><li>-a 0 establece Hashcat en modo de ataque directo (diccionario).<\/li><li>El diccionario puede ser algo como <strong>rockyou.txt<\/strong> o una lista personalizada derivada de artefactos del dispositivo.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47bf17e elementor-widget elementor-widget-image\" data-id=\"47bf17e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"492\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png\" class=\"attachment-large size-large wp-image-3223\" alt=\"Uso de Hashcat para descifrar contrase\u00f1as bloqueadas de Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-300x185.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-768x472.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1536x945.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-600x369.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed.png.webp 1858w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Hashcat revela la contrase\u00f1a descifrada: royalewithcheese<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e128532 elementor-widget elementor-widget-text-editor\" data-id=\"e128532\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashcat identific\u00f3 con \u00e9xito la contrase\u00f1a correcta: royalewithcheese. En una investigaci\u00f3n real, tu diccionario podr\u00eda ser mucho mayor, pero este resultado confirm\u00f3 que Hashcat pod\u00eda encargarse del trabajo pesado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d589230 e-flex e-con-boxed e-con e-parent\" data-id=\"d589230\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7896451 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"7896451\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3f6d62 e-flex e-con-boxed e-con e-parent\" data-id=\"e3f6d62\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e7ccbd elementor-widget elementor-widget-heading\" data-id=\"8e7ccbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Obtenci\u00f3n de la clave de cifrado (KEK) para descifrar Apple Notes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ae9824 elementor-widget elementor-widget-text-editor\" data-id=\"0ae9824\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember581\" class=\"ember-view reader-text-block__paragraph\">Con la contrase\u00f1a en la mano, el siguiente paso era deducir la <strong>Clave de cifrado (KEK)<\/strong>que se utiliza para envolver la clave AES final que cifra el contenido de la nota. Para derivar la KEK, necesitaba los siguientes valores de la tabla ZICCLOUDSYNCINGOBJECT:<\/p><ul><li><strong>Frase de contrase\u00f1a<\/strong> (la contrase\u00f1a descifrada)<\/li><li><strong>Recuento de iteraciones<\/strong> (ZCRYPTOITERATIONCOUNT)<\/li><li><strong>Sal<\/strong> (ZCRYPTOSALT)<\/li><\/ul><p id=\"ember583\" class=\"ember-view reader-text-block__paragraph\">Por ejemplo, utilizando DB Browser, hice una consulta:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = ;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14fac64 elementor-widget elementor-widget-image\" data-id=\"14fac64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"386\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png\" class=\"attachment-large size-large wp-image-3236\" alt=\"Consulta de NoteStore.sqlite para obtener la sal y el recuento de iteraciones necesarios para obtener la clave KEK necesaria para descifrar notas de Apple bloqueadas.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-300x145.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-768x371.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-600x290.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt.png.webp 1313w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Recuento de iteraciones: 20000 | Salt: d1afa96252a15d8d58827bcb21940de1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a40be9e elementor-widget elementor-widget-text-editor\" data-id=\"a40be9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>A continuaci\u00f3n, abr\u00ed CyberChef -una de mis herramientas favoritas \ud83d\udee0\ufe0f- y arrastr\u00e9 la operaci\u00f3n \"Derive PBKDF2 key\". Configur\u00e9 la funci\u00f3n hash como <strong>SHA-256<\/strong> e introduciendo la contrase\u00f1a, la sal y el recuento de iteraciones, CyberChef produjo el <strong>KEK de 16 bytes<\/strong>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed74a2a elementor-widget elementor-widget-image\" data-id=\"ed74a2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"532\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png\" class=\"attachment-large size-large wp-image-3240\" alt=\"CyberChef utilizado para derivar KEK de los par\u00e1metros PBKDF2 para el descifrado de Apple Note.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-300x200.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-768x511.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1536x1022.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-600x399.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">KEK: a1dac1516302e1d3d73ad4fd4b6f8fef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bfdb59 elementor-widget elementor-widget-text-editor\" data-id=\"5bfdb59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Para automatizar este proceso, he creado un script en Python llamado <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/get_kek.py\" target=\"_self\" data-test-app-aware-link=\"\">get_key.py<\/a>que acepta como argumentos la ruta de la base de datos, la nota PK y la contrase\u00f1a. Su ejecuci\u00f3n devuelve el KEK en hexadecimal.<\/p><pre class=\"reader-text-block__code-block\">python get_kek.py NoteStore.sqlite<\/pre><p>Resultado:<\/p><pre class=\"reader-text-block__code-block\">Nota PK=16: KEK (hex) = a1dac1516302e1d3d73ad4fd4b6f8fef<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3861a02 e-flex e-con-boxed e-con e-parent\" data-id=\"3861a02\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e99117b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e99117b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-63de4bd e-flex e-con-boxed e-con e-parent\" data-id=\"63de4bd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ee05cd elementor-widget elementor-widget-heading\" data-id=\"4ee05cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">C\u00f3mo descifrar la clave AES para desencriptar notas de Apple bloqueadas en iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3e1728 elementor-widget elementor-widget-text-editor\" data-id=\"b3e1728\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember589\" class=\"ember-view reader-text-block__paragraph\">El siguiente paso fue <strong>desenvolver la llave<\/strong> utilizada para cifrar el contenido de la nota. La clave encriptada se almacena en la columna ZCRYPTOWRAPPEDKEY de ZICCLOUDSYNCINGOBJECT. Por ejemplo, he consultado::<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOWRAPPEDKEY FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = 16;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af11810 elementor-widget elementor-widget-image\" data-id=\"af11810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png\" class=\"attachment-large size-large wp-image-3247\" alt=\"Consulta SQLite para el unwrapped.key necesario para descifrar notas de Apel en iOS16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-300x147.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-768x376.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-600x294.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key.png.webp 1295w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Llave envuelta: 78c2b79c3e357117c95feb882009e14be9e5f88598ea6db0<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-883ef21 elementor-widget elementor-widget-text-editor\" data-id=\"883ef21\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 id=\"ember592\" class=\"ember-view reader-text-block__heading-3\">Opciones de desembalaje<\/h2><h3 id=\"ember593\" class=\"ember-view reader-text-block__heading-3\">Opci\u00f3n 1: Descifrar la clave AES para descifrar notas de Apple bloqueadas en iOS 16 con CyberChef<\/h3><p id=\"ember594\" class=\"ember-view reader-text-block__paragraph\">Desactiv\u00e9 cualquier operaci\u00f3n anterior, busqu\u00e9 \"AES Key Unwrap\" y la arrastr\u00e9 a la ventana de la receta. Al pegar la KEK y la clave envuelta, CyberChef gener\u00f3 la clave AES desenvuelta.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d457284 elementor-widget elementor-widget-image\" data-id=\"d457284\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png\" class=\"attachment-large size-large wp-image-3248\" alt=\"CyberChef utilizado para derivar KEK y desenvolver la clave AES para el descifrado de notas de Apple en iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Llave desenvuelta: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f85b338 elementor-widget elementor-widget-text-editor\" data-id=\"f85b338\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember596\" class=\"ember-view reader-text-block__heading-3\">Opci\u00f3n 2: Automatizaci\u00f3n del descifrado de claves AES con unwrap.py<\/h3><p id=\"ember597\" class=\"ember-view reader-text-block__paragraph\">Tambi\u00e9n desarroll\u00e9 un script en Python llamado <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/unwrap.py\" target=\"_self\" data-test-app-aware-link=\"\">unwrap.py<\/a> que toma la ruta de la base de datos y la KEK (en hexadecimal) como argumentos. La ejecuci\u00f3n de este script desenvolvi\u00f3 la clave y la imprimi\u00f3 en formato hexadecimal. En mi caso, la clave desenvuelta era:<\/p><pre class=\"reader-text-block__code-block\">python unwrap.py NoteStore.sqlite<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d706b50 elementor-widget elementor-widget-image\" data-id=\"d706b50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"186\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png\" class=\"attachment-large size-large wp-image-3252\" alt=\"Script de Python unwrap.py que muestra la clave AES descifrada de Apple Notes bloqueadas\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-300x70.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-768x178.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1536x357.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-600x139.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key.png.webp 1624w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Llave desenvuelta: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ccc7a47 elementor-widget elementor-widget-text-editor\" data-id=\"ccc7a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Esta es la clave AES final que se utilizar\u00e1 para descifrar el contenido de la nota de Apple bloqueada.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5503b4 e-flex e-con-boxed e-con e-parent\" data-id=\"f5503b4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b5b0ce elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"8b5b0ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a5b134e e-flex e-con-boxed e-con e-parent\" data-id=\"a5b134e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b756808 elementor-widget elementor-widget-heading\" data-id=\"b756808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Desencriptar BLOBs de Notas de Apple usando AES-GCM en iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df237c elementor-widget elementor-widget-text-editor\" data-id=\"9df237c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"333\" data-end=\"576\">Ahora que ten\u00eda la clave desenvuelta, era el momento de descifrar el BLOB de Apple Notes almacenado en el archivo <code data-start=\"425\" data-end=\"438\">ZICNOTEDATA<\/code> mesa. Apple utiliza <strong data-start=\"457\" data-end=\"476\">AES en modo GCM<\/strong> para proteger el contenido de las notas bloqueadas, lo que significa que necesitaba cuatro componentes esenciales para proceder:<\/p><ul data-start=\"578\" data-end=\"768\"><li class=\"\" data-start=\"578\" data-end=\"606\"><p class=\"\" data-start=\"580\" data-end=\"606\">\ud83d\udd11 <strong data-start=\"583\" data-end=\"604\">Clave AES desenvuelta<\/strong><\/p><\/li><li class=\"\" data-start=\"607\" data-end=\"679\"><p class=\"\" data-start=\"609\" data-end=\"679\">\ud83d\udd01 <strong data-start=\"612\" data-end=\"642\">Vector de inicializaci\u00f3n (IV)<\/strong> de <code data-start=\"648\" data-end=\"677\">ZCRYPTOINITIALIZATIONVECTOR<\/code><\/p><\/li><li class=\"\" data-start=\"680\" data-end=\"731\"><p class=\"\" data-start=\"682\" data-end=\"731\">\ud83c\udff7 <strong data-start=\"685\" data-end=\"711\">Etiqueta de autenticaci\u00f3n GCM<\/strong> de <code data-start=\"717\" data-end=\"729\">ZCRYPTOTAG<\/code><\/p><\/li><li class=\"\" data-start=\"732\" data-end=\"768\"><p class=\"\" data-start=\"734\" data-end=\"768\">\ud83d\udcbe <strong data-start=\"737\" data-end=\"755\">BLOB cifrado<\/strong> de <code data-start=\"761\" data-end=\"768\">ZDATA<\/code><\/p><\/li><\/ul><h3>\ud83d\udce4 Extracci\u00f3n de la etiqueta IV y GCM de NoteStore.sqlite<\/h3><p class=\"\" data-start=\"830\" data-end=\"1096\">Para localizar el <strong data-start=\"844\" data-end=\"850\">IV<\/strong> y <strong data-start=\"855\" data-end=\"866\">Etiqueta GCM<\/strong>Abr\u00ed el <code data-start=\"881\" data-end=\"894\">ZICNOTEDATA<\/code> en DB Browser for SQLite. Estos campos se almacenan como valores binarios y se pueden encontrar en los campos <code data-start=\"999\" data-end=\"1012\">ZICNOTEDATA<\/code> o <code data-start=\"1016\" data-end=\"1039\">ZICCLOUDSYNCINGOBJECT<\/code> tablas. Ambas almacenan los datos con los mismos nombres de columna.<\/p><ul data-start=\"1098\" data-end=\"1194\"><li class=\"\" data-start=\"1098\" data-end=\"1144\"><p class=\"\" data-start=\"1100\" data-end=\"1144\"><strong data-start=\"1100\" data-end=\"1106\">IV<\/strong>: <code data-start=\"1108\" data-end=\"1142\">5c0c0bde9b6801747ddad1115a422d05<\/code><\/p><\/li><li class=\"\" data-start=\"1145\" data-end=\"1194\"><p class=\"\" data-start=\"1147\" data-end=\"1194\"><strong data-start=\"1147\" data-end=\"1158\">Etiqueta GCM<\/strong>: <code data-start=\"1160\" data-end=\"1194\">b9087ba19e3c7deff2cb4b9b51e6aafa<\/code><\/p><\/li><\/ul><p>El propio BLOB encriptado tambi\u00e9n era visible en el <code data-start=\"1246\" data-end=\"1253\">ZDATA<\/code> columna. Copi\u00e9 los tres valores en formato hexadecimal, prepar\u00e1ndome para el paso final de descifrado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df39e9 elementor-widget elementor-widget-image\" data-id=\"9df39e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png\" class=\"attachment-large size-large wp-image-3256\" alt=\"SQLite database IV forensic analysis \u2014 digital evidence examination with hex viewer\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">El vector de inicializaci\u00f3n: 5c0c0bde9b6801747ddad1115a422d05<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34afaf5 elementor-widget elementor-widget-image\" data-id=\"34afaf5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png\" class=\"attachment-large size-large wp-image-3257\" alt=\"DB Browser muestra la etiqueta GCM utilizada para el descifrado AES-GCM\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">La etiqueta GCM: b9087ba19e3c7deff2cb4b9b51e6aafa<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-16a8017 elementor-widget elementor-widget-image\" data-id=\"16a8017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png\" class=\"attachment-large size-large wp-image-3258\" alt=\"DB Browser con datos BLOB encriptados de Apple Note resaltados\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">El BLOB encriptado<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34002d9 elementor-widget elementor-widget-text-editor\" data-id=\"34002d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>\ud83e\uddea Descifrar la nota con CyberChef<\/h2><p class=\"\" data-start=\"1396\" data-end=\"1552\">Con todo en la mano, me dirig\u00ed a <strong data-start=\"1433\" data-end=\"1446\">CiberChef<\/strong>. Esta herramienta facilit\u00f3 la combinaci\u00f3n de todos los par\u00e1metros y revel\u00f3 el contenido original. Esto es lo que hice:<\/p><ol data-start=\"1554\" data-end=\"1819\"><li class=\"\" data-start=\"1554\" data-end=\"1597\"><p class=\"\" data-start=\"1557\" data-end=\"1597\">He a\u00f1adido el <strong data-start=\"1569\" data-end=\"1586\">\"Descifrar AES\"<\/strong> operaci\u00f3n.<\/p><\/li><li class=\"\" data-start=\"1598\" data-end=\"1655\"><p class=\"\" data-start=\"1601\" data-end=\"1655\">He pegado el <strong data-start=\"1614\" data-end=\"1635\">clave AES desenvuelta<\/strong> en el campo Clave.<\/p><\/li><li class=\"\" data-start=\"1656\" data-end=\"1685\"><p class=\"\" data-start=\"1659\" data-end=\"1685\">Puse el <strong data-start=\"1669\" data-end=\"1684\">modo a GCM<\/strong>.<\/p><\/li><li class=\"\" data-start=\"1686\" data-end=\"1752\"><p class=\"\" data-start=\"1689\" data-end=\"1752\">He insertado el <strong data-start=\"1704\" data-end=\"1722\">IV y GCM Tag<\/strong> en sus respectivos campos.<\/p><\/li><li class=\"\" data-start=\"1753\" data-end=\"1819\"><p class=\"\" data-start=\"1756\" data-end=\"1819\">Por \u00faltimo, copi\u00e9 el <strong data-start=\"1778\" data-end=\"1796\">BLOB encriptado<\/strong> en la ventana de entrada.<\/p><\/li><\/ol><div class=\"reader-image-block reader-image-block--full-width\">Una vez que golpe\u00e9 <strong data-start=\"1832\" data-end=\"1840\">Hornear<\/strong>CyberChef descifr\u00f3 el BLOB y mostr\u00f3 un archivo comprimido, exactamente lo que esperaba. Esto significaba que la capa de cifrado se hab\u00eda eliminado por completo y pod\u00eda pasar a descomprimir los datos.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8947548 elementor-widget elementor-widget-image\" data-id=\"8947548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png\" class=\"attachment-large size-large wp-image-3263\" alt=\"CyberChef receta descifrar Apple Notes BLOB utilizando el modo AES-GCM\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Archivo GZIP descifrado<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f8c36f9 e-flex e-con-boxed e-con e-parent\" data-id=\"f8c36f9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aba9778 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aba9778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-415622e e-flex e-con-boxed e-con e-parent\" data-id=\"415622e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-23482bc elementor-widget elementor-widget-heading\" data-id=\"23482bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Descomprimir y analizar la nota final (Protobuf descifrado de Apple Notes)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f50417 elementor-widget elementor-widget-text-editor\" data-id=\"8f50417\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"285\" data-end=\"516\">Despu\u00e9s de descifrar el BLOB cifrado con AES, guard\u00e9 el resultado en un archivo llamado <code data-start=\"361\" data-end=\"381\">descifrado_blob.bin<\/code> y lo he abierto en HxD. La firma del archivo <code data-start=\"423\" data-end=\"433\">0x1F8B08<\/code> confirm\u00f3 que era un archivo comprimido con GZIP, que Apple utiliza para comprimir datos protobuf.<\/p><p class=\"\" data-start=\"518\" data-end=\"677\">Para extraer el texto sin formato, volv\u00ed a abrir CyberChef y a\u00f1ad\u00ed el archivo <strong data-start=\"579\" data-end=\"589\">Gunzip<\/strong> al flujo de trabajo. Inmediatamente, empezaron a aparecer cadenas familiares en la salida.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-188566a elementor-widget elementor-widget-image\" data-id=\"188566a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png\" class=\"attachment-large size-large wp-image-3267\" alt=\"CyberChef muestra los datos protobuf descomprimidos de Apple Notes tras la extracci\u00f3n GZIP\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Protobuf descomprimido en CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3956e4f elementor-widget elementor-widget-text-editor\" data-id=\"3956e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Una vez descomprimido, apliqu\u00e9 <strong data-start=\"759\" data-end=\"778\">Decodificaci\u00f3n Protobuf<\/strong> en CyberChef. El resultado fue una vista estructurada parecida a JSON, con claves y valores que representaban el contenido del Apple Note bloqueado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e094119 e-flex e-con-boxed e-con e-parent\" data-id=\"e094119\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-94d53fe elementor-widget elementor-widget-image\" data-id=\"94d53fe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"470\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png\" class=\"attachment-large size-large wp-image-3268\" alt=\"Vista CyberChef de la estructura descodificada del protobuf de Apple Notes con formato similar a JSON\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-300x176.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-768x451.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1536x901.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-600x352.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode.png.webp 1929w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Protbuf descodificado en CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290c42a elementor-widget elementor-widget-text-editor\" data-id=\"290c42a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Para facilitar la lectura, tambi\u00e9n utilic\u00e9 un script de Python que aprovechaba el archivo <code data-start=\"1017\" data-end=\"1034\">backboxprotobuf<\/code> para analizar el archivo protobuf e imprimir la salida en un formato limpio y legible.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a338fd elementor-widget elementor-widget-image\" data-id=\"7a338fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"364\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png\" class=\"attachment-large size-large wp-image-3269\" alt=\"S\u00edmbolo del sistema que muestra el contenido analizado de Apple Note mediante el script backboxprotobuf Python\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png.webp 829w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-300x136.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-768x349.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-600x273.png.webp 600w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Resultados bien formateados impresos en pantalla<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996cea elementor-widget elementor-widget-text-editor\" data-id=\"0996cea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Esto coincide con lo que el usuario escribi\u00f3 en su Apple Note bloqueada. Se ha pasado de una entrada oculta y protegida por contrase\u00f1a al mensaje real en texto sin formato, un hallazgo de valor incalculable en cualquier caso forense.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1eb0aa4 elementor-widget elementor-widget-image\" data-id=\"1eb0aa4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"1024\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png\" class=\"attachment-large size-large wp-image-3271\" alt=\"iPhone note evidence \u2014 forensic extraction of notes from iOS device SQLite database\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png.webp 515w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-151x300.png.webp 151w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-768x1528.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-772x1536.png.webp 772w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-600x1193.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note.png.webp 819w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Captura de pantalla con UFADE del contenido del Apple Note bloqueado<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b8a6adf e-flex e-con-boxed e-con e-parent\" data-id=\"b8a6adf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f99fa9e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"f99fa9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f7a515 elementor-widget elementor-widget-video\" data-id=\"6f7a515\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=5Gr4LtE-_iE&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec61c4f elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"ec61c4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/es\/analisis-forense-de-sqlite\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tAprenda a reconocer, extraer e interpretar datos estructurados como \u00e9stos\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Este es un ejemplo real de c\u00f3mo se almacenan los protobufs dentro de las bases de datos SQLite.\n\nEcha un vistazo a nuestro curso completo de SQLite Forensics o ponte en contacto para ver c\u00f3mo puede encajar en tu trabajo.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tM\u00e1s informaci\u00f3n\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d72a604 e-flex e-con-boxed e-con e-parent\" data-id=\"d72a604\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-22b6bb5 elementor-widget elementor-widget-heading\" data-id=\"22b6bb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd1a Para terminar<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c3e41b elementor-widget elementor-widget-text-editor\" data-id=\"4c3e41b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"192\" data-end=\"593\">Enhorabuena \ud83c\udf89 - acabas de completar un flujo de trabajo forense completo para <strong data-start=\"263\" data-end=\"304\">descifrar bloqueado Notas de Apple en iOS 16<\/strong>. Ha extra\u00eddo los par\u00e1metros de cifrado de la base de datos SQLite, ha descifrado la contrase\u00f1a con <strong data-start=\"394\" data-end=\"405\">Hashcat<\/strong>deriv\u00f3 y desenvolvi\u00f3 la clave AES utilizando <strong data-start=\"447\" data-end=\"457\">Python<\/strong>y finalmente descifrar y analizar el protobuf con <strong data-start=\"510\" data-end=\"523\">CiberChef<\/strong>. Cada paso te acercaba m\u00e1s a descubrir el contenido oculto de la nota.<\/p><p class=\"\" data-start=\"595\" data-end=\"833\">Este tutorial pr\u00e1ctico demuestra lo potente que es <strong data-start=\"641\" data-end=\"662\">herramientas de c\u00f3digo abierto<\/strong> en la investigaci\u00f3n forense digital. Ayudan a los investigadores a descubrir Notas de Apple cifradas que las herramientas comerciales podr\u00edan pasar por alto, especialmente en dispositivos que ejecutan <strong data-start=\"811\" data-end=\"832\">iOS 16 o anterior<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8c713e5 e-flex e-con-boxed e-con e-parent\" data-id=\"8c713e5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aa24044 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aa24044\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b6bbf21 e-flex e-con-boxed e-con e-parent\" data-id=\"b6bbf21\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf4bff elementor-widget elementor-widget-heading\" data-id=\"5bf4bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd75\ufe0f Bonus: La pista de la contrase\u00f1a<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-529bd7f elementor-widget elementor-widget-text-editor\" data-id=\"529bd7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"874\" data-end=\"963\">Aqu\u00ed hay un giro extra - He encontrado un <strong data-start=\"908\" data-end=\"925\">pista de contrase\u00f1a<\/strong> en el <code data-start=\"933\" data-end=\"956\">ZICCLOUDSYNCINGOBJECT<\/code> mesa:<\/p><blockquote data-start=\"965\" data-end=\"986\"><p class=\"\" data-start=\"967\" data-end=\"986\"><strong data-start=\"967\" data-end=\"986\">Cuarto de libra<\/strong><\/p><\/blockquote><p class=\"\" data-start=\"988\" data-end=\"1244\">Como el dispositivo pertenec\u00eda a alguien llamado \"Vincent\", no fue dif\u00edcil adivinar la contrase\u00f1a: <strong data-start=\"1080\" data-end=\"1100\">royalewithcheese<\/strong> - un gui\u00f1o a <em data-start=\"1112\" data-end=\"1126\">Pulp Fiction<\/em>. En casos reales, este tipo de pistas sobre contrase\u00f1as pueden acelerar el flujo de trabajo si se combinan con un proceso estrat\u00e9gico de descifrado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-efeabdf e-flex e-con-boxed e-con e-parent\" data-id=\"efeabdf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1a2a4f6 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a2a4f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7878d44 e-flex e-con-boxed e-con e-parent\" data-id=\"7878d44\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1e7fb8 elementor-widget elementor-widget-heading\" data-id=\"b1e7fb8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udcf1 Una cosa m\u00e1s... sobre iOS 17 y iOS 18<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1fbdcca elementor-widget elementor-widget-text-editor\" data-id=\"1fbdcca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"1299\" data-end=\"1619\">Esta gu\u00eda se aplica espec\u00edficamente a c\u00f3mo desencriptar <strong data-start=\"1334\" data-end=\"1381\">Notas de Apple en iOS 16 y versiones anteriores<\/strong>. A partir de <strong data-start=\"1397\" data-end=\"1407\">iOS 17<\/strong>Apple ha introducido cambios significativos en el proceso de cifrado de Notes. Es posible que falten campos de derivaci\u00f3n de claves, que las estructuras criptogr\u00e1ficas sean diferentes o que las notas ya no se descifren con los mismos m\u00e9todos.<\/p><p class=\"\" data-start=\"1621\" data-end=\"1785\">Si est\u00e1 estudiando c\u00f3mo <strong data-start=\"1648\" data-end=\"1691\">descifrar Notas de Apple en iOS 17 o iOS 18<\/strong>Me encantar\u00eda colaborar. Comparte tus descubrimientos: analicemos juntos el nuevo cifrado.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4d8d5c0 e-flex e-con-boxed e-con e-parent\" data-id=\"4d8d5c0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d446cd4 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"d446cd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"mailto:contact@elusivedata.io\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tGracias por leernos. \u00bfAlguna pregunta?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Escr\u00edbelas en los comentarios o ponte en contacto con nosotros directamente. Sigamos ampliando los l\u00edmites del descubrimiento forense.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tP\u00f3ngase en contacto con nosotros\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0768b7d elementor-widget elementor-widget-heading\" data-id=\"0768b7d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Tambi\u00e9n le puede interesar<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc0d9d0 elementor-widget elementor-widget-video\" data-id=\"cc0d9d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=QFn63mQ5_gI&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53a6229 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"53a6229\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e6108d9 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"e6108d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/es\/ed-sqlite-visualizer\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tVisualizador SQLite. Una nueva forma de explorar SQLite.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tEl pr\u00f3ximo ED SQLite Visualizer le permite ver el interior de la base de datos, recuperar registros ocultos, y conectar los puntos m\u00e1s r\u00e1pido que nunca, todo visualmente. Ya est\u00e1 en uso en nuestro curso completo de SQLite, y pronto estar\u00e1 disponible para todo el mundo. \t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tVer lo que viene \u2192\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Descubre c\u00f3mo descifr\u00e9 una nota de Apple bloqueada de un dispositivo iOS 16.7.10 utilizando herramientas de c\u00f3digo abierto como Hashcat, Python y CyberChef. Este flujo de trabajo forense paso a paso revela el proceso de extracci\u00f3n y descifrado de contenido oculto de la aplicaci\u00f3n Notas de Apple. Una lectura obligada para investigadores digitales y profesionales del an\u00e1lisis forense de m\u00f3viles.<\/p>","protected":false},"author":1,"featured_media":3203,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-3205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-forensics"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Decrypt Locked Apple Notes on iOS 16 | Forensic Guide<\/title>\n<meta name=\"description\" content=\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/elusivedata.io\/es\/descifrar-apple-notes-ios16\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta property=\"og:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/elusivedata.io\/es\/descifrar-apple-notes-ios16\/\" \/>\n<meta property=\"og:site_name\" content=\"Elusive Data\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-27T17:01:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-13T15:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"574\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"James Eichbaum\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta name=\"twitter:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"James Eichbaum\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"author\":{\"name\":\"James Eichbaum\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\"},\"headline\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"wordCount\":1989,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"articleSection\":[\"Mobile Forensics\"],\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"name\":\"Decrypt Locked Apple Notes on iOS 16 | Forensic Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"description\":\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"width\":4400,\"height\":2465,\"caption\":\"Three padlocks on black background representing encrypted Apple Notes\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/elusivedata.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"name\":\"ElusiveData\",\"description\":\"Excellence in Digital Forensics Training and Consulting\",\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/elusivedata.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\",\"name\":\"ElusiveData\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"width\":2560,\"height\":370,\"caption\":\"ElusiveData\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.youtube.com\\\/@elusivedata\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\",\"name\":\"James Eichbaum\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"caption\":\"James Eichbaum\"},\"sameAs\":[\"http:\\\/\\\/elusivedata.io\"],\"url\":\"https:\\\/\\\/elusivedata.io\\\/es\\\/author\\\/eichbaumjamesgmail-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Desencriptar Notas de Apple Bloqueadas en iOS 16 | Gu\u00eda Forense","description":"Descifra Notas de Apple bloqueadas en iOS 16 utilizando herramientas de c\u00f3digo abierto como Hashcat, CyberChef y Python. Un flujo de trabajo forense completo, sin necesidad de herramientas de pago.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/elusivedata.io\/es\/descifrar-apple-notes-ios16\/","og_locale":"es_ES","og_type":"article","og_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","og_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","og_url":"https:\/\/elusivedata.io\/es\/descifrar-apple-notes-ios16\/","og_site_name":"Elusive Data","article_published_time":"2025-03-27T17:01:54+00:00","article_modified_time":"2025-08-13T15:55:36+00:00","og_image":[{"width":1024,"height":574,"url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png","type":"image\/png"}],"author":"James Eichbaum","twitter_card":"summary_large_image","twitter_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","twitter_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","twitter_image":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","twitter_misc":{"Escrito por":"James Eichbaum","Tiempo de lectura":"15 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#article","isPartOf":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"author":{"name":"James Eichbaum","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436"},"headline":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"wordCount":1989,"commentCount":2,"publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","articleSection":["Mobile Forensics"],"inLanguage":"es","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","url":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","name":"Desencriptar Notas de Apple Bloqueadas en iOS 16 | Gu\u00eda Forense","isPartOf":{"@id":"https:\/\/elusivedata.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","description":"Descifra Notas de Apple bloqueadas en iOS 16 utilizando herramientas de c\u00f3digo abierto como Hashcat, CyberChef y Python. Un flujo de trabajo forense completo, sin necesidad de herramientas de pago.","breadcrumb":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","width":4400,"height":2465,"caption":"Three padlocks on black background representing encrypted Apple Notes"},{"@type":"BreadcrumbList","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/elusivedata.io\/"},{"@type":"ListItem","position":2,"name":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat"}]},{"@type":"WebSite","@id":"https:\/\/elusivedata.io\/#website","url":"https:\/\/elusivedata.io\/","name":"ElusiveData","description":"Excelencia en formaci\u00f3n y consultor\u00eda forense digital","publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/elusivedata.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/elusivedata.io\/#organization","name":"ElusiveData","url":"https:\/\/elusivedata.io\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","width":2560,"height":370,"caption":"ElusiveData"},"image":{"@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.youtube.com\/@elusivedata"]},{"@type":"Person","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436","name":"James Eichbaum","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","url":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","caption":"James Eichbaum"},"sameAs":["http:\/\/elusivedata.io"],"url":"https:\/\/elusivedata.io\/es\/author\/eichbaumjamesgmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/posts\/3205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/comments?post=3205"}],"version-history":[{"count":90,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/posts\/3205\/revisions"}],"predecessor-version":[{"id":14968,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/posts\/3205\/revisions\/14968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/media\/3203"}],"wp:attachment":[{"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/media?parent=3205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/categories?post=3205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elusivedata.io\/es\/wp-json\/wp\/v2\/tags?post=3205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}