{"id":3205,"date":"2025-03-27T17:01:54","date_gmt":"2025-03-27T17:01:54","guid":{"rendered":"https:\/\/elusivedata.io\/?p=3205"},"modified":"2025-08-13T15:55:36","modified_gmt":"2025-08-13T15:55:36","slug":"decrypt-apple-notes-ios16","status":"publish","type":"post","link":"https:\/\/elusivedata.io\/fi\/decrypt-apple-notes-ios16\/","title":{"rendered":"Lukittujen Apple Notes -muistiinpanojen salauksen purkaminen iOS 16.x -k\u00e4ytt\u00f6j\u00e4rjestelm\u00e4ss\u00e4: T\u00e4ydellinen rikostekninen ty\u00f6nkulku (SQLite, CyberChef, Python), jossa on Hashcat."},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3205\" class=\"elementor elementor-3205\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c9155f5 e-flex e-con-boxed e-con e-parent\" data-id=\"c9155f5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2fc7219 elementor-widget elementor-widget-heading\" data-id=\"2fc7219\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Johdanto<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d80253 elementor-widget elementor-widget-text-editor\" data-id=\"1d80253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember625\" class=\"ember-view reader-text-block__paragraph\">Analysoidessani testilaitetta suositulla kaupallisella mobiilirikosteknisell\u00e4 ty\u00f6kalulla t\u00f6rm\u00e4sin johonkin mielenkiintoiseen - lukittuun Apple Noteen, joka n\u00e4kyi vain \"piilotettuna\". Ty\u00f6kalu n\u00e4ytti muistiinpanon yhteenvedon (merkint\u00e4 \"Lance\"), mutta varsinainen sis\u00e4lt\u00f6 puuttui. Ei ollut mit\u00e4\u00e4n vihjeit\u00e4 siit\u00e4, mit\u00e4 lukon takana oli, ja minulle j\u00e4i polttava kysymys: voisinko paljastaa salaisuuden sis\u00e4lt\u00e4? Tarvitsin ty\u00f6nkulun, joka auttaisi minua purkamaan Apple Notesin salauksen iOS 16:ssa.<\/p><p id=\"ember626\" class=\"ember-view reader-text-block__paragraph\">Laite oli k\u00e4ynniss\u00e4 <strong>iOS 16.7.10<\/strong>, ja kaivettuani NoteStore.sqlite-tietokantaa tajusin, ett\u00e4 kaikki salausvihjeet olivat siell\u00e4 odottamassa purkamista. Avoimen l\u00e4hdekoodin ty\u00f6kalujen avulla l\u00e4hdin palauttamaan salasanaa ja purkamaan muistiinpanojen sis\u00e4lt\u00f6\u00e4.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p><p id=\"ember627\" class=\"ember-view reader-text-block__paragraph\">T\u00e4m\u00e4 viesti opastaa sinua <strong>t\u00e4ydellinen rikostekninen ty\u00f6nkulku<\/strong> miten <strong data-start=\"979\" data-end=\"1012\">Apple Notesin salauksen purkaminen iOS 16:ssa:<\/strong><\/p><ul><li>\ud83d\udd13 <strong>Hashcat<\/strong> salasanan murtamiseen<\/li><li>\ud83d\uddc4\ufe0f <strong>DB Browser for SQLite<\/strong> tutkia ja poimia salausparametreja<\/li><li>\ud83d\udc0d <strong>Python-skriptit<\/strong> avainten johtamiseen ja AES-avaimen purkamiseen<\/li><li>\ud83d\udd0d <strong>CyberChef<\/strong> lopullisen protobuf-hy\u00f6tykuorman salauksen purkaminen, purkaminen ja j\u00e4sent\u00e4minen.<\/li><\/ul><blockquote id=\"ember629\" class=\"ember-view reader-text-block__blockquote\"><p>\u26a0\ufe0f <strong>T\u00e4rke\u00e4 huomautus:<\/strong> T\u00e4m\u00e4 ty\u00f6nkulku koskee erityisesti Apple Notes -muistiinpanoja, jotka on lukittu osoitteeseen <strong>iOS 16.x<\/strong>. iOS 17:st\u00e4 alkaen Apple muutti salattujen muistiinpanojen tallennustapaa, ja iOS 18 tuo mukanaan viel\u00e4 lis\u00e4\u00e4 muutoksia.<\/p><\/blockquote><p id=\"ember630\" class=\"ember-view reader-text-block__paragraph\">Sukelletaanpa sis\u00e4\u00e4n ja paljastetaan lukitun Apple Note -muistiinpanon sis\u00e4ll\u00e4 oleva piilotettu viesti.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c525deb e-flex e-con-boxed e-con e-parent\" data-id=\"c525deb\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a21125 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"3a21125\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2086843 e-flex e-con-boxed e-con e-parent\" data-id=\"2086843\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9647810 elementor-widget elementor-widget-heading\" data-id=\"9647810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Tutustuminen NoteStore.sqlite-tiedostoon<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03a06aa elementor-widget elementor-widget-text-editor\" data-id=\"03a06aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>T\u00e4ss\u00e4 vaiheessa tiesin, ett\u00e4 salatun muistiinpanon sis\u00e4lt\u00f6 oli tallennettu NoteStore.sqlite-tietokantaan, erityisesti ZICNOTEDATA-tauluun. Apple usein <strong><i>gzips<\/i><\/strong> muistiinpanon protobuf-tiedot, mutta lukittujen muistiinpanojen tapauksessa koko BLOB-tietokanta on ensiksi <strong>salattu<\/strong>-mik\u00e4 tarkoittaa, ett\u00e4 suoralla purkuyrityksell\u00e4 ei saada luettavaa teksti\u00e4. Tarvitset <strong>oikea dekoodausavain<\/strong> ennen kuin mink\u00e4\u00e4nlainen purku tai protobufin analysointi voi tapahtua.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96d0945 elementor-widget elementor-widget-image\" data-id=\"96d0945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"373\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png\" class=\"attachment-large size-large wp-image-3208\" alt=\"Salaus Apple Notes iOS 16 k\u00e4ytt\u00e4m\u00e4ll\u00e4 SQLite DB Browserin avulla\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-300x140.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-768x359.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-600x280.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB.png.webp 1133w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Lukitun muistiinpanon ZDATA-kent\u00e4n salattu BLOB (DB Browser for SQLite).<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-192f056 elementor-widget elementor-widget-text-editor\" data-id=\"192f056\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Kuvakaappauksessa n\u00e4et ZDATAn raa'at heksadesimaaliarvot. T\u00e4m\u00e4 data on tehokkaasti sekoitettu <strong>AES-salaus<\/strong>, ja kriittiset metatiedot - kuten suolat ja iteraatioluvut - tallennetaan tietokannan muihin osiin. Vuodesta <strong>oikeusl\u00e4\u00e4ketieteellisen tutkijan<\/strong> n\u00e4k\u00f6kulmasta, kun tunnistat, ett\u00e4 huomautus on t\u00e4ysin salattu, sinun on syyt\u00e4 kaivaa syvemm\u00e4lle ZICCLOUDSYNCINGOBJECT-taulukkoon parametreja, joita tarvitaan <strong>crack<\/strong> salasana ja <strong>avaa<\/strong> huomautus \ud83d\udd13.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0ab9d6 e-flex e-con-boxed e-con e-parent\" data-id=\"d0ab9d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40be78a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"40be78a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38e76a3 e-flex e-con-boxed e-con e-parent\" data-id=\"38e76a3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-52d7880 elementor-widget elementor-widget-heading\" data-id=\"52d7880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Miksi lukitut Apple Notes -muistiinpanot ovat salattuja iOS 16:ssa?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5f10962 e-flex e-con-boxed e-con e-parent\" data-id=\"5f10962\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c925db9 elementor-widget elementor-widget-text-editor\" data-id=\"c925db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember636\" class=\"ember-view reader-text-block__paragraph\">Apple Notes suojaa lukitut muistiinpanot yhdistelm\u00e4ll\u00e4 <strong>PBKDF2<\/strong> (avainten johtaminen) ja <strong>AES<\/strong> (salaus). Kun salasana on k\u00e4yt\u00f6ss\u00e4 muistiinpanossa, Apple tallentaa tietokantaan keskeisi\u00e4 salausmetatietoja, kuten:<\/p><ul><li>ZCRYPTOITERATIONCOUNT<\/li><li>ZCRYPTOSALT<\/li><li>ZCRYPTOWRAPPEDKEY<\/li><\/ul><p id=\"ember638\" class=\"ember-view reader-text-block__paragraph\">N\u00e4m\u00e4 arvot varmistavat, ett\u00e4 vain oikean salasanan omaava henkil\u00f6 voi purkaa viestin sis\u00e4ll\u00f6n.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bb87437 e-flex e-con-boxed e-con e-parent\" data-id=\"bb87437\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2a25d elementor-widget elementor-widget-heading\" data-id=\"9c2a25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Oikeusl\u00e4\u00e4ketieteellinen l\u00e4hestymistapa<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-734c922 e-flex e-con-boxed e-con e-parent\" data-id=\"734c922\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9077bae elementor-widget elementor-widget-text-editor\" data-id=\"9077bae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember640\" class=\"ember-view reader-text-block__paragraph\">Rikosteknisest\u00e4 n\u00e4k\u00f6kulmasta katsottuna vaiheisiin kuuluu yleens\u00e4:<\/p><ol><li><strong>Tunnista<\/strong> asiaankuuluvat lukitut muistiinpanomerkinn\u00e4t kohdissa ZICNOTEDATA ja ZICCLOUDSYNCINGOBJECT.<\/li><li><strong>Ote<\/strong> kryptografiset yksityiskohdat, kuten iteraatioiden m\u00e4\u00e4r\u00e4, suola ja k\u00e4\u00e4ritty avain.<\/li><li><strong>Crack<\/strong> k\u00e4ytt\u00e4j\u00e4n salasana <strong>Hashcat<\/strong> (tai jokin muu salasanan palautusty\u00f6kalu, kuten John the Ripper tai Passware).<\/li><li><strong>Derive<\/strong> viimeiset n\u00e4pp\u00e4imet kohdassa <strong>Python tai CyberChef<\/strong>\u00a0ja <strong>purkaa<\/strong> muistiinpanon BLOB.<\/li><li><strong>Purkaminen<\/strong> lukitsemattomat protobuf-tiedot (ja <strong>CyberChef tai Python<\/strong>) lopullisen selv\u00e4kielisen tekstin paljastamiseksi.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8357e17 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"8357e17\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/fi\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t<div class=\"elementor-cta__bg-wrapper\">\n\t\t\t\t<div class=\"elementor-cta__bg elementor-bg\" style=\"background-image: url(https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/07\/SQLite-Forensics-1024x543.png);\" role=\"img\" aria-label=\"SQLite rikostekniset tutkimukset\"><\/div>\n\t\t\t\t<div class=\"elementor-cta__bg-overlay\"><\/div>\n\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tHaluatko t\u00e4yden hallinnan SQLite-tutkimuksistasi?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tOpi ty\u00f6skentelem\u00e4\u00e4n yli ty\u00f6kalurajoitusten, salattujen sovellustietojen analysoinnista poistettujen ja piilotettujen tietueiden palauttamiseen. Sovella sit\u00e4 v\u00e4litt\u00f6m\u00e4sti omissa tutkimuksissasi.\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tLue lis\u00e4\u00e4\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56ca2f1 e-flex e-con-boxed e-con e-parent\" data-id=\"56ca2f1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-18231c3 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"18231c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-062def9 e-flex e-con-boxed e-con e-parent\" data-id=\"062def9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37b1e55 elementor-widget elementor-widget-heading\" data-id=\"37b1e55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Lukitun Apple Noten salasanan murtaminen Hashcatilla<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55bf6d5 elementor-widget elementor-widget-text-editor\" data-id=\"55bf6d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Tavoitteeni oli simuloida realistista rikosteknist\u00e4 skenaariota: minulla oli lukittu Apple Note ja minun piti palauttaa sen salasana sis\u00e4ll\u00f6n salauksen purkamiseksi. T\u00e4ss\u00e4 kohtaa <strong>Hashcat<\/strong> tulee kuvaan mukaan. Hy\u00f6dynt\u00e4m\u00e4ll\u00e4 sen Apple Secure Notes -hash-tilaa (ID <strong>16200<\/strong>), Hashcat kokeili j\u00e4rjestelm\u00e4llisesti salasanoja, kunnes se l\u00f6ysi oikean salasanan.<\/p><h3 id=\"ember644\" class=\"ember-view reader-text-block__heading-3\">Tarvittavien sarakkeiden poimiminen<\/h3><p id=\"ember645\" class=\"ember-view reader-text-block__paragraph\">Aloitin avaamalla <strong>NoteStore.sqlite<\/strong> DB-selaimessa ja kohdistamalla rivit, joissa ZICCLOUDSYNCINGOBJECT-taulukon ZISPASSWORDPROTECTED = 1. T\u00e4m\u00e4n j\u00e4lkeen kysyin seuraavia sarakkeita:<\/p><ul><li>Z_PK - huomautuksen yksil\u00f6llinen tunniste.<\/li><li>ZCRYPTOSALT - PBKDF2:n suola-arvo.<\/li><li>ZCRYPTOWRAPPEDKEY - k\u00e4\u00e4ritty avain, joka my\u00f6hemmin puretaan.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4f816 elementor-widget elementor-widget-image\" data-id=\"4d4f816\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"337\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png\" class=\"attachment-large size-large wp-image-3219\" alt=\"SQLite command line commands \u2014 forensic database querying and analysis technique\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-300x126.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-768x323.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-600x253.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1.png.webp 1373w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">SQLite-kysely Hashcatin tarvitsemille parametreille<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63ee483 elementor-widget elementor-widget-text-editor\" data-id=\"63ee483\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember571\" class=\"ember-view reader-text-block__paragraph\">Hashcat-sy\u00f6tt\u00f6tiedosto luotiin pienell\u00e4 Python-skriptill\u00e4. <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/notes_to_hashcat.py\" target=\"_self\" data-test-app-aware-link=\"\">notes_to_hashcat.py<\/a>, joka muotoili n\u00e4m\u00e4 arvot yhdeksi riviksi, jonka Hashcat pystyi j\u00e4sent\u00e4m\u00e4\u00e4n, mukaan lukien iteraatioiden m\u00e4\u00e4r\u00e4 (ZCRYPTOITERATIONCOUNT-arvosta).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9cb96ba elementor-widget elementor-widget-image\" data-id=\"9cb96ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"194\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png\" class=\"attachment-large size-large wp-image-3222\" alt=\"notes_to_hashcat.py ker\u00e4\u00e4 tarvittavat parametrit lukitun Apple Note -salasanan murtamiseen iOS 16:ssa.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-300x73.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-768x186.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-600x145.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result.png.webp 1394w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Tulos tiedostosta notes_to_hashcat.py<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f15ff3 elementor-widget elementor-widget-text-editor\" data-id=\"7f15ff3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember573\" class=\"ember-view reader-text-block__heading-3\">Hashcatin suorittaminen lukitun Apple Note -salasanan purkamiseksi<\/h3><p id=\"ember574\" class=\"ember-view reader-text-block__paragraph\">Kun Hashcat-sy\u00f6tt\u00f6tiedostoni oli valmis ja sanakirja k\u00e4sill\u00e4, suoritin seuraavan komennon:<\/p><pre class=\"reader-text-block__code-block\">hashcat -m 16200 -a 0<br \/>T\u00e4ss\u00e4:<\/pre><ul><li>-m 16200 m\u00e4\u00e4ritt\u00e4\u00e4 Apple Secure Notes -tilan.<\/li><li>-a 0 asettaa Hashcatin Straight (sanakirja) hy\u00f6kk\u00e4ystilaan.<\/li><li>Sanakirja voi olla seuraavanlainen <strong>rockyou.txt<\/strong> tai laitteen artefakteista johdettu mukautettu luettelo.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47bf17e elementor-widget elementor-widget-image\" data-id=\"47bf17e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"492\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png\" class=\"attachment-large size-large wp-image-3223\" alt=\"Hashcatin k\u00e4ytt\u00e4minen lukitun Apple Notes -salasanan purkamiseen\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-300x185.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-768x472.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1536x945.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-600x369.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed.png.webp 1858w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Hashcat paljastaa murretun salasanan: royalewithcheese<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e128532 elementor-widget elementor-widget-text-editor\" data-id=\"e128532\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashcat tunnisti onnistuneesti oikean salasanan: royalewithcheese. Todellisessa tutkimuksessa sanakirjasi voisi olla paljon suurempi, mutta t\u00e4m\u00e4 tulos vahvisti, ett\u00e4 Hashcat pystyi hoitamaan raskaan ty\u00f6n.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d589230 e-flex e-con-boxed e-con e-parent\" data-id=\"d589230\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7896451 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"7896451\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3f6d62 e-flex e-con-boxed e-con e-parent\" data-id=\"e3f6d62\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e7ccbd elementor-widget elementor-widget-heading\" data-id=\"8e7ccbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Avainsalausavaimen (KEK) johtaminen Apple Notesin salauksen purkamiseksi<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ae9824 elementor-widget elementor-widget-text-editor\" data-id=\"0ae9824\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember581\" class=\"ember-view reader-text-block__paragraph\">Kun salasana oli selvill\u00e4, seuraava askel oli johtaa <strong>Avainsalausavain (KEK)<\/strong>, jota k\u00e4ytet\u00e4\u00e4n k\u00e4\u00e4rim\u00e4\u00e4n lopullinen AES-avain, jolla muistion sis\u00e4lt\u00f6 salataan. KEK:n saamiseksi tarvitsen seuraavat arvot ZICCLOUDSYNCINGOBJECT-taulukosta:<\/p><ul><li><strong>Salasana<\/strong> (murrettu salasana)<\/li><li><strong>Iteraatioiden m\u00e4\u00e4r\u00e4<\/strong> (ZCRYPTOITERATIONCOUNT)<\/li><li><strong>Suola<\/strong> (ZCRYPTOSALT)<\/li><\/ul><p id=\"ember583\" class=\"ember-view reader-text-block__paragraph\">Esimerkiksi DB Browserin avulla tein kyselyn:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = ;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14fac64 elementor-widget elementor-widget-image\" data-id=\"14fac64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"386\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png\" class=\"attachment-large size-large wp-image-3236\" alt=\"NoteStore.sqlite-tiedostosta kysyt\u00e4\u00e4n Salt- ja Iteration-lukua, joita tarvitaan lukittujen Apple Notes -muistiinpanojen salauksen purkamiseen tarvittavan KEK:n hankkimiseen.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-300x145.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-768x371.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-600x290.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt.png.webp 1313w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Iteraatioiden m\u00e4\u00e4r\u00e4: Salt: d1afa96252a15d8d58827bcb21940de1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a40be9e elementor-widget elementor-widget-text-editor\" data-id=\"a40be9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Seuraavaksi avasin CyberChefin - suosikkity\u00f6kaluni \ud83d\udee0\ufe0f - ja vedin sis\u00e4\u00e4n \"Derive PBKDF2 key\" -operaation. Asetin hashing-funktion arvoksi <strong>SHA-256<\/strong> ja sy\u00f6tt\u00e4m\u00e4ll\u00e4 salasanan, suolan ja iteraatioluvun, CyberChef tuotti <strong>16 tavun KEK<\/strong>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed74a2a elementor-widget elementor-widget-image\" data-id=\"ed74a2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"532\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png\" class=\"attachment-large size-large wp-image-3240\" alt=\"CyberChef k\u00e4ytt\u00e4\u00e4 KEK:n johtamiseen PBKDF2-parametreista Apple Note -muistiinpanojen salauksen purkamista varten.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-300x200.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-768x511.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1536x1022.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-600x399.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">KEK: a1dac1516302e1d3d73ad4fd4b6f8fef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bfdb59 elementor-widget elementor-widget-text-editor\" data-id=\"5bfdb59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>T\u00e4m\u00e4n prosessin automatisoimiseksi loin Python-skriptin nimelt\u00e4 <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/get_kek.py\" target=\"_self\" data-test-app-aware-link=\"\">get_key.py<\/a>, joka hyv\u00e4ksyy argumentteina tietokannan polun, huomautuksen PK ja salasanan. Sen suorittaminen palauttaa KEK:n heksadesimaalina.<\/p><pre class=\"reader-text-block__code-block\">python get_kek.py NoteStore.sqlite<\/pre><p>Tulos:<\/p><pre class=\"reader-text-block__code-block\">Huomautus PK=16: KEK (hex) = a1dac151616302e1d3d73ad4fd4b6f8fef<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3861a02 e-flex e-con-boxed e-con e-parent\" data-id=\"3861a02\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e99117b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e99117b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-63de4bd e-flex e-con-boxed e-con e-parent\" data-id=\"63de4bd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ee05cd elementor-widget elementor-widget-heading\" data-id=\"4ee05cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">AES-avaimen purkaminen lukittujen Apple Notes -muistiinpanojen salauksen purkamiseksi iOS 16:ssa<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3e1728 elementor-widget elementor-widget-text-editor\" data-id=\"b3e1728\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember589\" class=\"ember-view reader-text-block__paragraph\">Seuraava vaihe oli <strong>avaimen avaaminen<\/strong> jota k\u00e4ytet\u00e4\u00e4n viestin sis\u00e4ll\u00f6n salaamiseen. K\u00e4\u00e4ritty avain tallennetaan ZICCLOUDSYNCINGOBJECTin ZCRYPTOWRAPPEDKEY-sarakkeeseen. Esimerkiksi kysyin::<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOWRAPPEDKEY FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = 16;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af11810 elementor-widget elementor-widget-image\" data-id=\"af11810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png\" class=\"attachment-large size-large wp-image-3247\" alt=\"SQLite-kysely unwrapped.key-avaimelle, jota tarvitaan appe-muistiinpanojen salauksen purkamiseen iOS16:lla.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-300x147.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-768x376.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-600x294.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key.png.webp 1295w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">K\u00e4\u00e4ritty avain: 78c2b79c3e357117c95feb882009e14be9e5f88598ea6db0<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-883ef21 elementor-widget elementor-widget-text-editor\" data-id=\"883ef21\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 id=\"ember592\" class=\"ember-view reader-text-block__heading-3\">K\u00e4\u00e4reiden purkamisvaihtoehdot<\/h2><h3 id=\"ember593\" class=\"ember-view reader-text-block__heading-3\">Vaihtoehto 1: AES-avaimen purkaminen lukittujen Apple Notes -muistiinpanojen purkamiseksi iOS 16:ssa CyberChefin avulla<\/h3><p id=\"ember594\" class=\"ember-view reader-text-block__paragraph\">Poistin kaikki aiemmat toiminnot k\u00e4yt\u00f6st\u00e4, etsin komennon \"AES Key Unwrap\" ja raahasin sen resepti-ikkunaan. Liitt\u00e4m\u00e4ll\u00e4 KEK:n ja k\u00e4\u00e4rityn avaimen CyberChef antoi tuloksena puretun AES-avaimen.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d457284 elementor-widget elementor-widget-image\" data-id=\"d457284\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png\" class=\"attachment-large size-large wp-image-3248\" alt=\"CyberChef k\u00e4ytt\u00e4\u00e4 KEK:n johtamiseen ja AES-avaimen purkamiseen Apple Notesin salauksen purkamiseen iOS 16:ssa.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">K\u00e4\u00e4rim\u00e4t\u00f6n avain: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f85b338 elementor-widget elementor-widget-text-editor\" data-id=\"f85b338\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember596\" class=\"ember-view reader-text-block__heading-3\">Vaihtoehto 2: AES-avaimen purkamisen automatisointi unwrap.py:ll\u00e4<\/h3><p id=\"ember597\" class=\"ember-view reader-text-block__paragraph\">Kehitin my\u00f6s Python-skriptin nimelt\u00e4 <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/unwrap.py\" target=\"_self\" data-test-app-aware-link=\"\">unwrap.py<\/a> joka ottaa argumentteina tietokannan polun ja KEK:n (heksadesimaalina). T\u00e4m\u00e4n skriptin suorittaminen purki avaimen ja tulosti sen heksamuodossa. Minun tapauksessani purettu avain oli:<\/p><pre class=\"reader-text-block__code-block\">python unwrap.py NoteStore.sqlite<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d706b50 elementor-widget elementor-widget-image\" data-id=\"d706b50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"186\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png\" class=\"attachment-large size-large wp-image-3252\" alt=\"Python-skripti unwrap.py, joka n\u00e4ytt\u00e4\u00e4 lukittujen Apple Notes -muistiinpanojen AES-avaimen puretun salauksen.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-300x70.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-768x178.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1536x357.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-600x139.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key.png.webp 1624w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">K\u00e4\u00e4rim\u00e4t\u00f6n avain: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ccc7a47 elementor-widget elementor-widget-text-editor\" data-id=\"ccc7a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>T\u00e4m\u00e4 on lopullinen AES-avain, jota k\u00e4ytet\u00e4\u00e4n lukitun Apple-muistion sis\u00e4ll\u00f6n salauksen purkamiseen.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5503b4 e-flex e-con-boxed e-con e-parent\" data-id=\"f5503b4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b5b0ce elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"8b5b0ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a5b134e e-flex e-con-boxed e-con e-parent\" data-id=\"a5b134e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b756808 elementor-widget elementor-widget-heading\" data-id=\"b756808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Apple Notesin BLOB-tiedostojen salauksen purkaminen AES-GCM:n avulla iOS 16:ssa<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df237c elementor-widget elementor-widget-text-editor\" data-id=\"9df237c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"333\" data-end=\"576\">Nyt kun minulla oli purettu avain, oli aika purkaa Apple Notesin BLOB-tiedosto, joka oli tallennettu tiedostoon <code data-start=\"425\" data-end=\"438\">ZICNOTEDATA<\/code> p\u00f6yt\u00e4. Apple k\u00e4ytt\u00e4\u00e4 <strong data-start=\"457\" data-end=\"476\">AES GCM-tilassa<\/strong> suojata lukittujen muistiinpanojen sis\u00e4lt\u00f6, mik\u00e4 tarkoittaa, ett\u00e4 tarvitsen nelj\u00e4 olennaista komponenttia jatkamista varten:<\/p><ul data-start=\"578\" data-end=\"768\"><li class=\"\" data-start=\"578\" data-end=\"606\"><p class=\"\" data-start=\"580\" data-end=\"606\">\ud83d\udd11 <strong data-start=\"583\" data-end=\"604\">K\u00e4\u00e4rim\u00e4t\u00f6n AES-avain<\/strong><\/p><\/li><li class=\"\" data-start=\"607\" data-end=\"679\"><p class=\"\" data-start=\"609\" data-end=\"679\">\ud83d\udd01 <strong data-start=\"612\" data-end=\"642\">Aloitusvektori (IV)<\/strong> osoitteesta <code data-start=\"648\" data-end=\"677\">ZCRYPTOINITIALIZATIONVECTOR<\/code><\/p><\/li><li class=\"\" data-start=\"680\" data-end=\"731\"><p class=\"\" data-start=\"682\" data-end=\"731\">\ud83c\udff7 <strong data-start=\"685\" data-end=\"711\">GCM-tunnistusmerkki<\/strong> osoitteesta <code data-start=\"717\" data-end=\"729\">ZCRYPTOTAG<\/code><\/p><\/li><li class=\"\" data-start=\"732\" data-end=\"768\"><p class=\"\" data-start=\"734\" data-end=\"768\">\ud83d\udcbe <strong data-start=\"737\" data-end=\"755\">Salattu BLOB<\/strong> osoitteesta <code data-start=\"761\" data-end=\"768\">ZDATA<\/code><\/p><\/li><\/ul><h3>\ud83d\udce4 IV- ja GCM-tagin poimiminen NoteStore.sqlite-tiedostosta<\/h3><p class=\"\" data-start=\"830\" data-end=\"1096\">Paikallistaa <strong data-start=\"844\" data-end=\"850\">IV<\/strong> ja <strong data-start=\"855\" data-end=\"866\">GCM-tunniste<\/strong>, avasin <code data-start=\"881\" data-end=\"894\">ZICNOTEDATA<\/code> taulukko DB Browser for SQLite -ohjelmassa. N\u00e4m\u00e4 kent\u00e4t tallennetaan bin\u00e4\u00e4riarvoina ja ne l\u00f6ytyv\u00e4t joko kent\u00e4st\u00e4 <code data-start=\"999\" data-end=\"1012\">ZICNOTEDATA<\/code> tai <code data-start=\"1016\" data-end=\"1039\">ZICCLOUDSYNCINGOBJECT<\/code> p\u00f6yd\u00e4t. Molemmat tallentavat tiedot samoilla sarakkeiden nimill\u00e4.<\/p><ul data-start=\"1098\" data-end=\"1194\"><li class=\"\" data-start=\"1098\" data-end=\"1144\"><p class=\"\" data-start=\"1100\" data-end=\"1144\"><strong data-start=\"1100\" data-end=\"1106\">IV<\/strong>: <code data-start=\"1108\" data-end=\"1142\">5c0c0bde9b6801747ddad1115a422d05<\/code><\/p><\/li><li class=\"\" data-start=\"1145\" data-end=\"1194\"><p class=\"\" data-start=\"1147\" data-end=\"1194\"><strong data-start=\"1147\" data-end=\"1158\">GCM-tunniste<\/strong>: <code data-start=\"1160\" data-end=\"1194\">b9087ba19e3c7deff2cb4b9b51e6aafa<\/code><\/p><\/li><\/ul><p>Itse salattu BLOB oli my\u00f6s n\u00e4kyviss\u00e4 osoitteessa <code data-start=\"1246\" data-end=\"1253\">ZDATA<\/code> sarake. Kopioin kaikki kolme arvoa heksadesimaalimuodossa valmistautuakseni salauksen purkamiseen.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df39e9 elementor-widget elementor-widget-image\" data-id=\"9df39e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png\" class=\"attachment-large size-large wp-image-3256\" alt=\"SQLite database IV forensic analysis \u2014 digital evidence examination with hex viewer\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Aloitusvektori: 5c0c0bde9b6801747ddad1115a422d05<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34afaf5 elementor-widget elementor-widget-image\" data-id=\"34afaf5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png\" class=\"attachment-large size-large wp-image-3257\" alt=\"DB-selain n\u00e4ytt\u00e4\u00e4 AES-GCM-purkamiseen k\u00e4ytetyn GCM-tagin.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">GCM Tag: b9087ba19e3c7deff2cb4b9b51e6aafa<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-16a8017 elementor-widget elementor-widget-image\" data-id=\"16a8017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png\" class=\"attachment-large size-large wp-image-3258\" alt=\"DB-selain, jossa on salattuja Apple Note BLOB -tietoja korostettuna\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Salattu BLOB<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34002d9 elementor-widget elementor-widget-text-editor\" data-id=\"34002d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>\ud83e\uddea Muistiinpanon purkaminen CyberChefin avulla<\/h2><p class=\"\" data-start=\"1396\" data-end=\"1552\">Kun kaikki oli k\u00e4siss\u00e4ni, k\u00e4\u00e4nnyin <strong data-start=\"1433\" data-end=\"1446\">CyberChef<\/strong>. T\u00e4m\u00e4n ty\u00f6kalun avulla oli helppo yhdist\u00e4\u00e4 kaikki parametrit ja paljastaa alkuper\u00e4inen sis\u00e4lt\u00f6. N\u00e4in min\u00e4 tein:<\/p><ol data-start=\"1554\" data-end=\"1819\"><li class=\"\" data-start=\"1554\" data-end=\"1597\"><p class=\"\" data-start=\"1557\" data-end=\"1597\">Lis\u00e4sin <strong data-start=\"1569\" data-end=\"1586\">\"AES Decrypt\"<\/strong> toiminta.<\/p><\/li><li class=\"\" data-start=\"1598\" data-end=\"1655\"><p class=\"\" data-start=\"1601\" data-end=\"1655\">Liitin <strong data-start=\"1614\" data-end=\"1635\">k\u00e4\u00e4rim\u00e4t\u00f6n AES-avain<\/strong> Avain-kentt\u00e4\u00e4n.<\/p><\/li><li class=\"\" data-start=\"1656\" data-end=\"1685\"><p class=\"\" data-start=\"1659\" data-end=\"1685\">Asetan <strong data-start=\"1669\" data-end=\"1684\">GCM:\u00e4\u00e4n<\/strong>.<\/p><\/li><li class=\"\" data-start=\"1686\" data-end=\"1752\"><p class=\"\" data-start=\"1689\" data-end=\"1752\">Asetin <strong data-start=\"1704\" data-end=\"1722\">IV ja GCM Tag<\/strong> omille aloilleen.<\/p><\/li><li class=\"\" data-start=\"1753\" data-end=\"1819\"><p class=\"\" data-start=\"1756\" data-end=\"1819\">Lopuksi kopioin <strong data-start=\"1778\" data-end=\"1796\">salattu BLOB<\/strong> sy\u00f6tt\u00f6ikkunaan.<\/p><\/li><\/ol><div class=\"reader-image-block reader-image-block--full-width\">Kun osuin <strong data-start=\"1832\" data-end=\"1840\">Paista<\/strong>, CyberChef purki BLOB-tiedoston salauksen ja paljasti pakatun tiedoston - juuri sen, mit\u00e4 odotin. T\u00e4m\u00e4 tarkoitti, ett\u00e4 salauskerros oli nyt poistettu kokonaan, ja voisin siirty\u00e4 purkamaan tietoja.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8947548 elementor-widget elementor-widget-image\" data-id=\"8947548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png\" class=\"attachment-large size-large wp-image-3263\" alt=\"CyberChef resepti salauksen purkaminen Apple Notes BLOB k\u00e4ytt\u00e4en AES-GCM-tilassa\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Purettu GZIP-tiedosto<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f8c36f9 e-flex e-con-boxed e-con e-parent\" data-id=\"f8c36f9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aba9778 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aba9778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-415622e e-flex e-con-boxed e-con e-parent\" data-id=\"415622e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-23482bc elementor-widget elementor-widget-heading\" data-id=\"23482bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Lopullisen muistiinpanon purkaminen ja j\u00e4sent\u00e4minen (Apple Notesin purettu protobuf)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f50417 elementor-widget elementor-widget-text-editor\" data-id=\"8f50417\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"285\" data-end=\"516\">Kun olin purkanut AES-salatun BLOB-tiedoston salauksen, tallensin tulosteen tiedostoon nimelt\u00e4 <code data-start=\"361\" data-end=\"381\">decrypted_blob.bin<\/code> ja avasin sen HxD:ss\u00e4. Tiedoston allekirjoitus <code data-start=\"423\" data-end=\"433\">0x1F8B08<\/code> vahvisti, ett\u00e4 kyseess\u00e4 oli GZIP-pakattu tiedosto - Apple k\u00e4ytt\u00e4\u00e4 t\u00e4t\u00e4 pakkaamaan protobuf-tietoja.<\/p><p class=\"\" data-start=\"518\" data-end=\"677\">Puraaksesi selv\u00e4kielisen tekstin, avasin CyberChefin uudelleen ja lis\u00e4sin tiedoston <strong data-start=\"579\" data-end=\"589\">Gunzip<\/strong> toiminto ty\u00f6nkulkuun. Tulosteessa alkoi heti n\u00e4ky\u00e4 tuttuja merkkijonoja.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-188566a elementor-widget elementor-widget-image\" data-id=\"188566a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png\" class=\"attachment-large size-large wp-image-3267\" alt=\"CyberChef n\u00e4ytt\u00e4\u00e4 puretut Apple Notesin protobuf-tiedot GZIP-uuttamisen j\u00e4lkeen.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Purettu protobuf CyberChefiss\u00e4<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3956e4f elementor-widget elementor-widget-text-editor\" data-id=\"3956e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Kun purettu, olen soveltanut <strong data-start=\"759\" data-end=\"778\">Protobufin dekoodaus<\/strong> CyberChefiss\u00e4. Tuloksena oli JSON:ia muistuttava rakenteinen n\u00e4kym\u00e4, jossa avaimet ja arvot edustavat lukitun Apple Note -muistion sis\u00e4lt\u00f6\u00e4.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e094119 e-flex e-con-boxed e-con e-parent\" data-id=\"e094119\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-94d53fe elementor-widget elementor-widget-image\" data-id=\"94d53fe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"470\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png\" class=\"attachment-large size-large wp-image-3268\" alt=\"CyberChef-n\u00e4kym\u00e4 Apple Notesin protobufin puretusta rakenteesta JSON-muotoisessa muodossa.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-300x176.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-768x451.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1536x901.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-600x352.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode.png.webp 1929w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Purettu Protbuf CyberChefiss\u00e4<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290c42a elementor-widget elementor-widget-text-editor\" data-id=\"290c42a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Lukemisen helpottamiseksi k\u00e4ytin my\u00f6s Python-skripti\u00e4, joka hy\u00f6dynsi ty\u00f6kalua <code data-start=\"1017\" data-end=\"1034\">backboxprotobuf<\/code> moduuli j\u00e4sent\u00e4\u00e4 protobuf-tiedoston ja tulostaa tulosteen puhtaassa, ihmisen luettavassa muodossa.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a338fd elementor-widget elementor-widget-image\" data-id=\"7a338fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"364\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png\" class=\"attachment-large size-large wp-image-3269\" alt=\"Komentokehote, joka n\u00e4ytt\u00e4\u00e4 puretun Apple Note -sis\u00e4ll\u00f6n backboxprotobuf Python-skriptill\u00e4\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png.webp 829w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-300x136.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-768x349.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-600x273.png.webp 600w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Kauniisti muotoillut tulokset tulostuvat n\u00e4yt\u00f6lle<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996cea elementor-widget elementor-widget-text-editor\" data-id=\"0996cea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>T\u00e4m\u00e4 vastaa sit\u00e4, mit\u00e4 k\u00e4ytt\u00e4j\u00e4 kirjoitti lukittuun Apple Note -muistiinpanoonsa. Olet p\u00e4\u00e4ssyt piilotetusta, salasanalla suojatusta merkinn\u00e4st\u00e4 varsinaiseen, selv\u00e4kieliseen viestiin - korvaamaton l\u00f6yt\u00f6 miss\u00e4 tahansa rikosteknisess\u00e4 tapauksessa.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1eb0aa4 elementor-widget elementor-widget-image\" data-id=\"1eb0aa4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"1024\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png\" class=\"attachment-large size-large wp-image-3271\" alt=\"iPhone note evidence \u2014 forensic extraction of notes from iOS device SQLite database\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png.webp 515w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-151x300.png.webp 151w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-768x1528.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-772x1536.png.webp 772w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-600x1193.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note.png.webp 819w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Kuvakaappaus lukitun Apple Noten sis\u00e4ll\u00f6st\u00e4 UFADE:n avulla<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b8a6adf e-flex e-con-boxed e-con e-parent\" data-id=\"b8a6adf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f99fa9e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"f99fa9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f7a515 elementor-widget elementor-widget-video\" data-id=\"6f7a515\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=5Gr4LtE-_iE&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec61c4f elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"ec61c4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/fi\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tOpi tunnistamaan, poimimaan ja tulkitsemaan t\u00e4llaista j\u00e4sennelty\u00e4 tietoa.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t T\u00e4m\u00e4 on reaalimaailman esimerkki siit\u00e4, miten protobuffeja tallennetaan SQLite-tietokantoihin.\n\nTutustu koko SQLite Forensics -kurssimme tai ota yhteytt\u00e4, niin katsotaan, miten se sopii sinun ty\u00f6h\u00f6si.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tLue lis\u00e4\u00e4\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d72a604 e-flex e-con-boxed e-con e-parent\" data-id=\"d72a604\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-22b6bb5 elementor-widget elementor-widget-heading\" data-id=\"22b6bb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd1a Pakkaus<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c3e41b elementor-widget elementor-widget-text-editor\" data-id=\"4c3e41b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"192\" data-end=\"593\">Onneksi olkoon \ud83c\udf89 - olet juuri suorittanut t\u00e4ydellisen rikosteknisen ty\u00f6nkulun. <strong data-start=\"263\" data-end=\"304\">lukittujen Apple Notes -muistiinpanojen salauksen purkaminen iOS 16:ssa<\/strong>. Poimit salausparametrit SQLite-tietokannasta, murtauduit salasanaan k\u00e4ytt\u00e4m\u00e4ll\u00e4 <strong data-start=\"394\" data-end=\"405\">Hashcat<\/strong>, johdettu ja purettu AES-avain k\u00e4ytt\u00e4en <strong data-start=\"447\" data-end=\"457\">Python<\/strong>, ja lopuksi purkaa ja j\u00e4sent\u00e4\u00e4 protobufin komennolla <strong data-start=\"510\" data-end=\"523\">CyberChef<\/strong>. Jokainen askel toi sinut l\u00e4hemm\u00e4ksi viestin piilotetun sis\u00e4ll\u00f6n paljastamista.<\/p><p class=\"\" data-start=\"595\" data-end=\"833\">T\u00e4m\u00e4 k\u00e4yt\u00e4nn\u00f6nl\u00e4heinen l\u00e4pik\u00e4ynti todistaa, kuinka tehokkaita <strong data-start=\"641\" data-end=\"662\">avoimen l\u00e4hdekoodin ty\u00f6kalut<\/strong> voi olla digitaalisessa rikostekniikassa. Ne auttavat tutkijoita l\u00f6yt\u00e4m\u00e4\u00e4n salattuja Apple Notes -muistiinpanoja, jotka kaupalliset ty\u00f6kalut saattavat j\u00e4\u00e4d\u00e4 huomaamatta - erityisesti laitteissa, joissa on k\u00e4yt\u00f6ss\u00e4 <strong data-start=\"811\" data-end=\"832\">iOS 16 tai aikaisempi<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8c713e5 e-flex e-con-boxed e-con e-parent\" data-id=\"8c713e5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aa24044 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aa24044\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b6bbf21 e-flex e-con-boxed e-con e-parent\" data-id=\"b6bbf21\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf4bff elementor-widget elementor-widget-heading\" data-id=\"5bf4bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd75\ufe0f Bonus: Salasanavihje<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-529bd7f elementor-widget elementor-widget-text-editor\" data-id=\"529bd7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"874\" data-end=\"963\">T\u00e4ss\u00e4 on ylim\u00e4\u00e4r\u00e4inen kierre - l\u00f6ysin er\u00e4\u00e4n <strong data-start=\"908\" data-end=\"925\">salasanavihje<\/strong> vuonna <code data-start=\"933\" data-end=\"956\">ZICCLOUDSYNCINGOBJECT<\/code> p\u00f6yt\u00e4:<\/p><blockquote data-start=\"965\" data-end=\"986\"><p class=\"\" data-start=\"967\" data-end=\"986\"><strong data-start=\"967\" data-end=\"986\">Quarter Pounder<\/strong><\/p><\/blockquote><p class=\"\" data-start=\"988\" data-end=\"1244\">Koska laite kuului jollekin Vincent-nimiselle henkil\u00f6lle, salasanaa ei ollut vaikea arvata: <strong data-start=\"1080\" data-end=\"1100\">royalewithcheese<\/strong> - ny\u00f6kk\u00e4ys <em data-start=\"1112\" data-end=\"1126\">Pulp Fiction<\/em>. Todellisissa tapauksissa t\u00e4llaiset salasanavihjeet voivat nopeuttaa ty\u00f6nkulkua, kun ne yhdistet\u00e4\u00e4n strategiseen murtoprosessiin.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-efeabdf e-flex e-con-boxed e-con e-parent\" data-id=\"efeabdf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1a2a4f6 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a2a4f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7878d44 e-flex e-con-boxed e-con e-parent\" data-id=\"7878d44\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1e7fb8 elementor-widget elementor-widget-heading\" data-id=\"b1e7fb8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udcf1 Viel\u00e4 yksi asia... iOS 17:st\u00e4 ja iOS 18:sta<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1fbdcca elementor-widget elementor-widget-text-editor\" data-id=\"1fbdcca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"1299\" data-end=\"1619\">T\u00e4m\u00e4 opas koskee erityisesti salauksen purkamista <strong data-start=\"1334\" data-end=\"1381\">Apple Notes iOS 16:ssa ja sit\u00e4 aikaisemmissa versioissa<\/strong>. Alkaen <strong data-start=\"1397\" data-end=\"1407\">iOS 17<\/strong>Apple teki merkitt\u00e4vi\u00e4 muutoksia Notesin salausprosessiin. Saatat t\u00f6rm\u00e4t\u00e4 puuttuviin avainten johdannaiskenttiin, erilaisiin salausrakenteisiin tai muistiinpanoihin, jotka eiv\u00e4t en\u00e4\u00e4 purkaudu samoilla menetelmill\u00e4.<\/p><p class=\"\" data-start=\"1621\" data-end=\"1785\">Jos tutkit, miten <strong data-start=\"1648\" data-end=\"1691\">purkaa Apple Notesin salaus iOS 17:ss\u00e4 tai iOS 18:ssa<\/strong>Haluaisin tehd\u00e4 yhteisty\u00f6t\u00e4. Jaa havaintosi - puretaan uusi salaus yhdess\u00e4.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4d8d5c0 e-flex e-con-boxed e-con e-parent\" data-id=\"4d8d5c0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d446cd4 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"d446cd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"mailto:contact@elusivedata.io\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tKiitos lukemisesta! Onko kysytt\u00e4v\u00e4\u00e4?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Kirjoita ne alla oleviin kommentteihin tai ota suoraan yhteytt\u00e4. Jatketaan rikosteknisen l\u00f6yt\u00e4misen rajojen pident\u00e4mist\u00e4.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tOta yhteytt\u00e4\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0768b7d elementor-widget elementor-widget-heading\" data-id=\"0768b7d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Saatat olla my\u00f6s kiinnostunut<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc0d9d0 elementor-widget elementor-widget-video\" data-id=\"cc0d9d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=QFn63mQ5_gI&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53a6229 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"53a6229\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e6108d9 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"e6108d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/fi\/ed-sqlite-visualizer\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tSQLite Visualizer. Aivan uusi tapa tutkia SQLite\u00e4.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tTulevan ED SQLite Visualizerin avulla n\u00e4et tietokannan sis\u00e4iset ominaisuudet, voit palauttaa piilotettuja tietueita ja yhdist\u00e4\u00e4 pisteit\u00e4 nopeammin kuin koskaan, kaikki visuaalisesti. Sit\u00e4 k\u00e4ytet\u00e4\u00e4n jo t\u00e4ydell\u00e4 SQLite-kurssillamme, ja se on pian kaikkien saatavilla. \t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tKatso mit\u00e4 on tulossa \u2192\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Tutustu siihen, miten purin lukitun Apple Note -muistion iOS 16.7.10 -laitteesta k\u00e4ytt\u00e4m\u00e4ll\u00e4 avoimen l\u00e4hdekoodin ty\u00f6kaluja, kuten Hashcat, Python ja CyberChef. T\u00e4m\u00e4 vaiheittainen rikostekninen ty\u00f6nkulku paljastaa prosessin, joka on takana piilotetun sis\u00e4ll\u00f6n poimimisessa ja salauksen purkamisessa Applen Notes-sovelluksesta. Pakollinen lukemisto digitaalisten tutkijoiden ja mobiilirikostutkijoiden ammattilaisille.<\/p>","protected":false},"author":1,"featured_media":3203,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-3205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-forensics"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Decrypt Locked Apple Notes on iOS 16 | Forensic Guide<\/title>\n<meta name=\"description\" content=\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/elusivedata.io\/fi\/decrypt-apple-notes-ios16\/\" \/>\n<meta property=\"og:locale\" content=\"fi_FI\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta property=\"og:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/elusivedata.io\/fi\/decrypt-apple-notes-ios16\/\" \/>\n<meta property=\"og:site_name\" content=\"Elusive Data\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-27T17:01:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-13T15:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"574\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"James Eichbaum\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta name=\"twitter:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Kirjoittanut\" \/>\n\t<meta name=\"twitter:data1\" content=\"James Eichbaum\" \/>\n\t<meta name=\"twitter:label2\" content=\"Arvioitu lukuaika\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minuuttia\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"author\":{\"name\":\"James Eichbaum\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\"},\"headline\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"wordCount\":1989,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"articleSection\":[\"Mobile Forensics\"],\"inLanguage\":\"fi\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"name\":\"Decrypt Locked Apple Notes on iOS 16 | Forensic Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"description\":\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\"},\"inLanguage\":\"fi\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fi\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"width\":4400,\"height\":2465,\"caption\":\"Three padlocks on black background representing encrypted Apple Notes\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/elusivedata.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"name\":\"ElusiveData\",\"description\":\"Excellence in Digital Forensics Training and Consulting\",\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/elusivedata.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fi\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\",\"name\":\"ElusiveData\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fi\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"width\":2560,\"height\":370,\"caption\":\"ElusiveData\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.youtube.com\\\/@elusivedata\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\",\"name\":\"James Eichbaum\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fi\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"caption\":\"James Eichbaum\"},\"sameAs\":[\"http:\\\/\\\/elusivedata.io\"],\"url\":\"https:\\\/\\\/elusivedata.io\\\/fi\\\/author\\\/eichbaumjamesgmail-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Lukittujen Apple Notes -muistiinpanojen salauksen purkaminen iOS 16:ssa | Oikeusl\u00e4\u00e4ketieteellinen opas","description":"Pura lukitut Apple Notes -muistiinpanot iOS 16:ssa k\u00e4ytt\u00e4m\u00e4ll\u00e4 avoimen l\u00e4hdekoodin ty\u00f6kaluja, kuten Hashcat, CyberChef ja Python. T\u00e4ydellinen rikostekninen ty\u00f6nkulku - ei tarvita maksullisia ty\u00f6kaluja.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/elusivedata.io\/fi\/decrypt-apple-notes-ios16\/","og_locale":"fi_FI","og_type":"article","og_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","og_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","og_url":"https:\/\/elusivedata.io\/fi\/decrypt-apple-notes-ios16\/","og_site_name":"Elusive Data","article_published_time":"2025-03-27T17:01:54+00:00","article_modified_time":"2025-08-13T15:55:36+00:00","og_image":[{"width":1024,"height":574,"url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png","type":"image\/png"}],"author":"James Eichbaum","twitter_card":"summary_large_image","twitter_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","twitter_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","twitter_image":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","twitter_misc":{"Kirjoittanut":"James Eichbaum","Arvioitu lukuaika":"15 minuuttia"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#article","isPartOf":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"author":{"name":"James Eichbaum","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436"},"headline":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"wordCount":1989,"commentCount":2,"publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","articleSection":["Mobile Forensics"],"inLanguage":"fi","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","url":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","name":"Lukittujen Apple Notes -muistiinpanojen salauksen purkaminen iOS 16:ssa | Oikeusl\u00e4\u00e4ketieteellinen opas","isPartOf":{"@id":"https:\/\/elusivedata.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","description":"Pura lukitut Apple Notes -muistiinpanot iOS 16:ssa k\u00e4ytt\u00e4m\u00e4ll\u00e4 avoimen l\u00e4hdekoodin ty\u00f6kaluja, kuten Hashcat, CyberChef ja Python. T\u00e4ydellinen rikostekninen ty\u00f6nkulku - ei tarvita maksullisia ty\u00f6kaluja.","breadcrumb":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb"},"inLanguage":"fi","potentialAction":[{"@type":"ReadAction","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"]}]},{"@type":"ImageObject","inLanguage":"fi","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","width":4400,"height":2465,"caption":"Three padlocks on black background representing encrypted Apple Notes"},{"@type":"BreadcrumbList","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/elusivedata.io\/"},{"@type":"ListItem","position":2,"name":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat"}]},{"@type":"WebSite","@id":"https:\/\/elusivedata.io\/#website","url":"https:\/\/elusivedata.io\/","name":"ElusiveData","description":"Huippuosaamista digitaalisen rikostekniikan koulutuksessa ja konsultoinnissa","publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/elusivedata.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fi"},{"@type":"Organization","@id":"https:\/\/elusivedata.io\/#organization","name":"ElusiveData","url":"https:\/\/elusivedata.io\/","logo":{"@type":"ImageObject","inLanguage":"fi","@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","width":2560,"height":370,"caption":"ElusiveData"},"image":{"@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.youtube.com\/@elusivedata"]},{"@type":"Person","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436","name":"James Eichbaum","image":{"@type":"ImageObject","inLanguage":"fi","@id":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","url":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","caption":"James Eichbaum"},"sameAs":["http:\/\/elusivedata.io"],"url":"https:\/\/elusivedata.io\/fi\/author\/eichbaumjamesgmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/posts\/3205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/comments?post=3205"}],"version-history":[{"count":90,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/posts\/3205\/revisions"}],"predecessor-version":[{"id":14968,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/posts\/3205\/revisions\/14968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/media\/3203"}],"wp:attachment":[{"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/media?parent=3205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/categories?post=3205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elusivedata.io\/fi\/wp-json\/wp\/v2\/tags?post=3205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}