{"id":3205,"date":"2025-03-27T17:01:54","date_gmt":"2025-03-27T17:01:54","guid":{"rendered":"https:\/\/elusivedata.io\/?p=3205"},"modified":"2025-08-13T15:55:36","modified_gmt":"2025-08-13T15:55:36","slug":"decrypt-apple-notes-ios16","status":"publish","type":"post","link":"https:\/\/elusivedata.io\/pl\/decrypt-apple-notes-ios16\/","title":{"rendered":"Odszyfrowanie zablokowanych notatek Apple na iOS 16.x: Kompletny Forensic Workflow (SQLite, CyberChef, Python) z wykorzystaniem Hashcat"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3205\" class=\"elementor elementor-3205\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c9155f5 e-flex e-con-boxed e-con e-parent\" data-id=\"c9155f5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2fc7219 elementor-widget elementor-widget-heading\" data-id=\"2fc7219\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Wprowadzenie<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d80253 elementor-widget elementor-widget-text-editor\" data-id=\"1d80253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember625\" class=\"ember-view reader-text-block__paragraph\">Podczas analizy urz\u0105dzenia testowego za pomoc\u0105 popularnego komercyjnego mobilnego narz\u0119dzia kryminalistycznego natkn\u0105\u0142em si\u0119 na co\u015b intryguj\u0105cego - zablokowan\u0105 notatk\u0119 Apple Note, kt\u00f3ra wygl\u0105da\u0142a tylko jako \"ukryta\". Narz\u0119dzie pokaza\u0142o podsumowanie notatki (oznaczone jako \"Lance\"), ale brakowa\u0142o faktycznej tre\u015bci. Nie by\u0142o poj\u0119cia, co kryje si\u0119 pod blokad\u0105, pozostawiaj\u0105c mnie z pal\u0105cym pytaniem: czy mog\u0119 odkry\u0107 sekret w \u015brodku? Potrzebowa\u0142em przep\u0142ywu pracy, kt\u00f3ry pom\u00f3g\u0142by mi odszyfrowa\u0107 Apple Notes na iOS 16.<\/p><p id=\"ember626\" class=\"ember-view reader-text-block__paragraph\">Urz\u0105dzenie by\u0142o uruchomione <strong>iOS 16.7.10<\/strong>Po zag\u0142\u0119bieniu si\u0119 w baz\u0119 danych NoteStore.sqlite zda\u0142em sobie spraw\u0119, \u017ce wszystkie wskaz\u00f3wki dotycz\u0105ce szyfrowania znajduj\u0105 si\u0119 w\u0142a\u015bnie tam - czekaj\u0105c na odszyfrowanie. Z pomoc\u0105 narz\u0119dzi open-source postanowi\u0142em odzyska\u0107 has\u0142o i odszyfrowa\u0107 zawarto\u015b\u0107 notatki.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p><p id=\"ember627\" class=\"ember-view reader-text-block__paragraph\">Ten post przeprowadzi Ci\u0119 przez <strong>Kompletny przep\u0142yw pracy kryminalistycznej<\/strong> w jaki spos\u00f3b <strong data-start=\"979\" data-end=\"1012\">odszyfrowa\u0107 Apple Notes na iOS 16:<\/strong><\/p><ul><li>\ud83d\udd13 <strong>Hashcat<\/strong> do \u0142amania hase\u0142<\/li><li>\ud83d\uddc4\ufe0f <strong>Przegl\u0105darka DB dla SQLite<\/strong> aby zbada\u0107 i wyodr\u0119bni\u0107 parametry szyfrowania<\/li><li>\ud83d\udc0d <strong>Skrypty Python<\/strong> do wyprowadzania kluczy i rozpakowywania kluczy AES<\/li><li>\ud83d\udd0d <strong>CyberChef<\/strong> aby odszyfrowa\u0107, zdekompresowa\u0107 i przeanalizowa\u0107 ko\u0144cowy \u0142adunek protobuf<\/li><\/ul><blockquote id=\"ember629\" class=\"ember-view reader-text-block__blockquote\"><p>\u26a0\ufe0f <strong>Wa\u017cna uwaga:<\/strong> Ten przep\u0142yw pracy dotyczy w szczeg\u00f3lno\u015bci Apple Notes zablokowanych na <strong>iOS 16.x<\/strong>. Pocz\u0105wszy od iOS 17, Apple zmieni\u0142o spos\u00f3b przechowywania zaszyfrowanych notatek, a iOS 18 wprowadza jeszcze wi\u0119cej zmian.<\/p><\/blockquote><p id=\"ember630\" class=\"ember-view reader-text-block__paragraph\">Zanurzmy si\u0119 i ujawnijmy ukryt\u0105 wiadomo\u015b\u0107 wewn\u0105trz zablokowanego Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c525deb e-flex e-con-boxed e-con e-parent\" data-id=\"c525deb\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a21125 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"3a21125\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2086843 e-flex e-con-boxed e-con e-parent\" data-id=\"2086843\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9647810 elementor-widget elementor-widget-heading\" data-id=\"9647810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Zag\u0142\u0119bianie si\u0119 w NoteStore.sqlite<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03a06aa elementor-widget elementor-widget-text-editor\" data-id=\"03a06aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>W tym momencie wiedzia\u0142em, \u017ce zawarto\u015b\u0107 zaszyfrowanej notatki by\u0142a przechowywana w NoteStore.sqlite, a konkretnie w tabeli ZICNOTEDATA. Apple cz\u0119sto <strong><i>gzips<\/i><\/strong> dane protobuf notatki, ale w przypadku zablokowanych notatek, ca\u0142y ten BLOB jest najpierw <strong>szyfrowany<\/strong>-Oznacza to, \u017ce bezpo\u015brednia pr\u00f3ba dekompresji nie przyniesie czytelnego tekstu. B\u0119dziesz potrzebowa\u0142 <strong>w\u0142a\u015bciwy klucz deszyfruj\u0105cy<\/strong> przed jakimkolwiek rozpakowaniem lub przeanalizowaniem protobuf.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96d0945 elementor-widget elementor-widget-image\" data-id=\"96d0945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"373\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png\" class=\"attachment-large size-large wp-image-3208\" alt=\"Deszyfrowanie Apple Notes iOS 16 przy u\u017cyciu SQLite DB Browser\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-300x140.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-768x359.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-600x280.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB.png.webp 1133w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zaszyfrowany BLOB w polu ZDATA dla zablokowanej notatki (DB Browser dla SQLite)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-192f056 elementor-widget elementor-widget-text-editor\" data-id=\"192f056\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Na zrzucie ekranu wida\u0107 surowe warto\u015bci szesnastkowe dla ZDATA. Dane te s\u0105 skutecznie szyfrowane przez <strong>Szyfrowanie AES<\/strong>z krytycznymi metadanymi, takimi jak sole i liczba iteracji, zapisanymi w innych cz\u0119\u015bciach bazy danych. Od <strong>egzaminator kryminalistyczny<\/strong> Z perspektywy, rozpoznanie, \u017ce notatka jest w pe\u0142ni zaszyfrowana, jest sygna\u0142em do zag\u0142\u0119bienia si\u0119 w tabel\u0119 ZICCLOUDSYNCINGOBJECT w celu uzyskania parametr\u00f3w potrzebnych do <strong>p\u0119kni\u0119cie<\/strong> kod dost\u0119pu i <strong>odblokowanie<\/strong> nota \ud83d\udd13.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0ab9d6 e-flex e-con-boxed e-con e-parent\" data-id=\"d0ab9d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40be78a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"40be78a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38e76a3 e-flex e-con-boxed e-con e-parent\" data-id=\"38e76a3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-52d7880 elementor-widget elementor-widget-heading\" data-id=\"52d7880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Dlaczego zablokowane notatki Apple s\u0105 szyfrowane w systemie iOS 16?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5f10962 e-flex e-con-boxed e-con e-parent\" data-id=\"5f10962\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c925db9 elementor-widget elementor-widget-text-editor\" data-id=\"c925db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember636\" class=\"ember-view reader-text-block__paragraph\">Apple Notes zabezpiecza zablokowane notatki za pomoc\u0105 kombinacji <strong>PBKDF2<\/strong> (wyprowadzanie klucza) i <strong>AES<\/strong> (szyfrowanie). Gdy has\u0142o jest w\u0142\u0105czone w notatce, Apple przechowuje kluczowe metadane kryptograficzne w bazie danych - takie jak:<\/p><ul><li>ZCRYPTOITERATIONCOUNT<\/li><li>ZCRYPTOSALT<\/li><li>ZCRYPTOWRAPPEDKEY<\/li><\/ul><p id=\"ember638\" class=\"ember-view reader-text-block__paragraph\">Warto\u015bci te zapewniaj\u0105, \u017ce tylko osoba z prawid\u0142owym kodem dost\u0119pu mo\u017ce odszyfrowa\u0107 zawarto\u015b\u0107 notatki.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bb87437 e-flex e-con-boxed e-con e-parent\" data-id=\"bb87437\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2a25d elementor-widget elementor-widget-heading\" data-id=\"9c2a25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Podej\u015bcie kryminalistyczne<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-734c922 e-flex e-con-boxed e-con e-parent\" data-id=\"734c922\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9077bae elementor-widget elementor-widget-text-editor\" data-id=\"9077bae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember640\" class=\"ember-view reader-text-block__paragraph\">Z kryminalistycznego punktu widzenia, podejmowane kroki zazwyczaj obejmuj\u0105:<\/p><ol><li><strong>Identyfikacja<\/strong> odpowiednie wpisy zablokowanych notatek w ZICNOTEDATA i ZICCLOUDSYNCINGOBJECT.<\/li><li><strong>Wyci\u0105g<\/strong> szczeg\u00f3\u0142y kryptograficzne, takie jak liczba iteracji, s\u00f3l i zawini\u0119ty klucz.<\/li><li><strong>P\u0119kni\u0119cie<\/strong> has\u0142o u\u017cytkownika za pomoc\u0105 <strong>Hashcat<\/strong> (lub inne narz\u0119dzie do odzyskiwania hase\u0142, takie jak John the Ripper lub Passware).<\/li><li><strong>Pochodna<\/strong> ko\u0144cowe klucze w <strong>Python lub CyberChef<\/strong>\u00a0oraz <strong>odszyfrowywanie<\/strong> BLOB notatki.<\/li><li><strong>Dekompresja<\/strong> odblokowane dane protobuf (z <strong>CyberChef lub Python<\/strong>), aby ujawni\u0107 ostateczny tekst jawny.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8357e17 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"8357e17\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/pl\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t<div class=\"elementor-cta__bg-wrapper\">\n\t\t\t\t<div class=\"elementor-cta__bg elementor-bg\" style=\"background-image: url(https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/07\/SQLite-Forensics-1024x543.png);\" role=\"img\" aria-label=\"SQLite Forensics\"><\/div>\n\t\t\t\t<div class=\"elementor-cta__bg-overlay\"><\/div>\n\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tChcesz mie\u0107 pe\u0142n\u0105 kontrol\u0119 nad swoimi badaniami SQLite?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tDowiedz si\u0119, jak pracowa\u0107 poza ograniczeniami narz\u0119dzi, od analizowania zaszyfrowanych danych aplikacji po odzyskiwanie usuni\u0119tych i ukrytych rekord\u00f3w. Zastosuj je natychmiast we w\u0142asnych dochodzeniach.\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tDowiedz si\u0119 wi\u0119cej\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56ca2f1 e-flex e-con-boxed e-con e-parent\" data-id=\"56ca2f1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-18231c3 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"18231c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-062def9 e-flex e-con-boxed e-con e-parent\" data-id=\"062def9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37b1e55 elementor-widget elementor-widget-heading\" data-id=\"37b1e55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Z\u0142amanie has\u0142a zablokowanego Apple Note za pomoc\u0105 Hashcat<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55bf6d5 elementor-widget elementor-widget-text-editor\" data-id=\"55bf6d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Moim celem by\u0142a symulacja realistycznego scenariusza kryminalistycznego: mia\u0142em zablokowany Apple Note i musia\u0142em odzyska\u0107 jego kod dost\u0119pu, aby odszyfrowa\u0107 zawarto\u015b\u0107. W tym miejscu <strong>Hashcat<\/strong> wchodzi do gry. Wykorzystuj\u0105c tryb skr\u00f3tu Apple Secure Notes (ID <strong>16200<\/strong>), Hashcat systematycznie pr\u00f3bowa\u0142 hase\u0142, a\u017c znalaz\u0142 prawid\u0142owe.<\/p><h3 id=\"ember644\" class=\"ember-view reader-text-block__heading-3\">Wyodr\u0119bnianie wymaganych kolumn<\/h3><p id=\"ember645\" class=\"ember-view reader-text-block__paragraph\">Zacz\u0105\u0142em od otwarcia <strong>NoteStore.sqlite<\/strong> w DB Browser i kierowanie na wiersze z ZISPASSWORDPROTECTED = 1 w tabeli ZICCLOUDSYNCINGOBJECT. Nast\u0119pnie zapyta\u0142em o nast\u0119puj\u0105ce kolumny:<\/p><ul><li>Z_PK - unikalny identyfikator noty.<\/li><li>ZCRYPTOSALT - warto\u015b\u0107 soli dla PBKDF2.<\/li><li>ZCRYPTOWRAPPEDKEY - zawini\u0119ty klucz, kt\u00f3ry zostanie p\u00f3\u017aniej rozpakowany.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4f816 elementor-widget elementor-widget-image\" data-id=\"4d4f816\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"337\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png\" class=\"attachment-large size-large wp-image-3219\" alt=\"SQLite command line commands \u2014 forensic database querying and analysis technique\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-300x126.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-768x323.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-600x253.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1.png.webp 1373w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zapytanie SQLite o wymagane parametry dla Hashcat<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63ee483 elementor-widget elementor-widget-text-editor\" data-id=\"63ee483\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember571\" class=\"ember-view reader-text-block__paragraph\">Plik wej\u015bciowy Hashcat zosta\u0142 wygenerowany przez ma\u0142y skrypt Pythona <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/notes_to_hashcat.py\" target=\"_self\" data-test-app-aware-link=\"\">notes_to_hashcat.py<\/a>, kt\u00f3ry sformatowa\u0142 te warto\u015bci w pojedynczy wiersz, kt\u00f3ry Hashcat m\u00f3g\u0142 przeanalizowa\u0107, w tym liczb\u0119 iteracji (z ZCRYPTOITERATIONCOUNT).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9cb96ba elementor-widget elementor-widget-image\" data-id=\"9cb96ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"194\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png\" class=\"attachment-large size-large wp-image-3222\" alt=\"notes_to_hashcat.py gromadzi wymagane parametry do z\u0142amania zablokowanego has\u0142a Apple Note na iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-300x73.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-768x186.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-600x145.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result.png.webp 1394w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Dane wyj\u015bciowe z notes_to_hashcat.py<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f15ff3 elementor-widget elementor-widget-text-editor\" data-id=\"7f15ff3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember573\" class=\"ember-view reader-text-block__heading-3\">Uruchamianie Hashcat w celu odszyfrowania zablokowanego has\u0142a Apple Note<\/h3><p id=\"ember574\" class=\"ember-view reader-text-block__paragraph\">Maj\u0105c gotowy plik wej\u015bciowy Hashcat i s\u0142ownik pod r\u0119k\u0105, uruchomi\u0142em nast\u0119puj\u0105ce polecenie:<\/p><pre class=\"reader-text-block__code-block\">hashcat -m 16200 -a 0<br \/>Tutaj:<\/pre><ul><li>-m 16200 okre\u015bla tryb Apple Secure Notes.<\/li><li>-a 0 ustawia Hashcat na tryb ataku prostego (s\u0142ownikowego).<\/li><li>S\u0142ownik mo\u017ce wygl\u0105da\u0107 nast\u0119puj\u0105co <strong>rockyou.txt<\/strong> lub niestandardow\u0105 list\u0119 pochodz\u0105c\u0105 z artefakt\u00f3w urz\u0105dzenia.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47bf17e elementor-widget elementor-widget-image\" data-id=\"47bf17e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"492\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png\" class=\"attachment-large size-large wp-image-3223\" alt=\"U\u017cywanie Hashcat do odszyfrowania zablokowanego has\u0142a Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-300x185.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-768x472.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1536x945.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-600x369.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed.png.webp 1858w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Hashcat ujawniaj\u0105cy z\u0142amane has\u0142o: royalewithcheese<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e128532 elementor-widget elementor-widget-text-editor\" data-id=\"e128532\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashcat pomy\u015blnie zidentyfikowa\u0142 prawid\u0142owe has\u0142o: royalewithcheese. W rzeczywistym dochodzeniu s\u0142ownik mo\u017ce by\u0107 znacznie wi\u0119kszy, ale ten wynik potwierdzi\u0142, \u017ce Hashcat poradzi sobie z ci\u0119\u017ckim zadaniem.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d589230 e-flex e-con-boxed e-con e-parent\" data-id=\"d589230\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7896451 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"7896451\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3f6d62 e-flex e-con-boxed e-con e-parent\" data-id=\"e3f6d62\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e7ccbd elementor-widget elementor-widget-heading\" data-id=\"8e7ccbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Uzyskanie klucza szyfrowania (KEK) do odszyfrowania Apple Notes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ae9824 elementor-widget elementor-widget-text-editor\" data-id=\"0ae9824\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember581\" class=\"ember-view reader-text-block__paragraph\">Maj\u0105c has\u0142o w r\u0119ku, nast\u0119pnym krokiem by\u0142o uzyskanie <strong>Klucz szyfrowania klucza (KEK)<\/strong>kt\u00f3ry jest u\u017cywany do zawijania ostatecznego klucza AES, kt\u00f3ry szyfruje zawarto\u015b\u0107 notatki. Aby uzyska\u0107 KEK, potrzebowa\u0142em nast\u0119puj\u0105cych warto\u015bci z tabeli ZICCLOUDSYNCINGOBJECT:<\/p><ul><li><strong>Has\u0142o<\/strong> (z\u0142amane has\u0142o)<\/li><li><strong>Liczba iteracji<\/strong> (ZCRYPTOITERATIONCOUNT)<\/li><li><strong>S\u00f3l<\/strong> (ZCRYPTOSALT)<\/li><\/ul><p id=\"ember583\" class=\"ember-view reader-text-block__paragraph\">Na przyk\u0142ad, u\u017cywaj\u0105c DB Browser, zapyta\u0142em:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = ;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14fac64 elementor-widget elementor-widget-image\" data-id=\"14fac64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"386\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png\" class=\"attachment-large size-large wp-image-3236\" alt=\"Zapytanie NoteStore.sqlite o liczb\u0119 soli i iteracji potrzebnych do uzyskania KEK potrzebnego do odszyfrowania zablokowanych Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-300x145.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-768x371.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-600x290.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt.png.webp 1313w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Liczba iteracji: 20000 | Salt: d1afa96252a15d8d58827bcb21940de1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a40be9e elementor-widget elementor-widget-text-editor\" data-id=\"a40be9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Nast\u0119pnie otworzy\u0142em CyberChef - moje ulubione narz\u0119dzie \ud83d\udee0\ufe0f - i przeci\u0105gn\u0105\u0142em operacj\u0119 \"Derive PBKDF2 key\". Ustawi\u0142em funkcj\u0119 haszuj\u0105c\u0105 na <strong>SHA-256<\/strong> i wprowadzaj\u0105c has\u0142o, s\u00f3l i liczb\u0119 iteracji, CyberChef wygenerowa\u0142 nast\u0119puj\u0105ce dane <strong>16-bajtowy KEK<\/strong>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed74a2a elementor-widget elementor-widget-image\" data-id=\"ed74a2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"532\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png\" class=\"attachment-large size-large wp-image-3240\" alt=\"CyberChef u\u017cywany do wyprowadzania KEK z parametr\u00f3w PBKDF2 do deszyfrowania Apple Note.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-300x200.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-768x511.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1536x1022.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-600x399.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">KEK: a1dac1516302e1d3d73ad4fd4b6f8fef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bfdb59 elementor-widget elementor-widget-text-editor\" data-id=\"5bfdb59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Aby zautomatyzowa\u0107 ten proces, stworzy\u0142em skrypt Pythona o nazwie <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/get_kek.py\" target=\"_self\" data-test-app-aware-link=\"\">get_key.py<\/a>kt\u00f3ra jako argumenty przyjmuje \u015bcie\u017ck\u0119 do bazy danych, not\u0119 PK i has\u0142o. Uruchomienie zwraca KEK w hex.<\/p><pre class=\"reader-text-block__code-block\">python get_kek.py NoteStore.sqlite<\/pre><p>Wynik:<\/p><pre class=\"reader-text-block__code-block\">Uwaga PK=16: KEK (hex) = a1dac1516302e1d3d73ad4fd4b6f8fef<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3861a02 e-flex e-con-boxed e-con e-parent\" data-id=\"3861a02\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e99117b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e99117b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-63de4bd e-flex e-con-boxed e-con e-parent\" data-id=\"63de4bd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ee05cd elementor-widget elementor-widget-heading\" data-id=\"4ee05cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Rozpakowywanie klucza AES w celu odszyfrowania zablokowanych notatek Apple na iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3e1728 elementor-widget elementor-widget-text-editor\" data-id=\"b3e1728\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember589\" class=\"ember-view reader-text-block__paragraph\">Nast\u0119pnym krokiem by\u0142o <strong>rozpakuj klucz<\/strong> u\u017cywany do szyfrowania zawarto\u015bci notatki. Zawini\u0119ty klucz jest przechowywany w kolumnie ZCRYPTOWRAPPEDKEY obiektu ZICCLOUDSYNCINGOBJECT. Na przyk\u0142ad, zapyta\u0142em::<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOWRAPPEDKEY FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = 16;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af11810 elementor-widget elementor-widget-image\" data-id=\"af11810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png\" class=\"attachment-large size-large wp-image-3247\" alt=\"Zapytanie SQLite o unwrapped.key wymagane do odszyfrowania notatek w systemie iOS16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-300x147.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-768x376.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-600x294.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key.png.webp 1295w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Wrapped Key: 78c2b79c3e357117c95feb882009e14be9e5f88598ea6db0<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-883ef21 elementor-widget elementor-widget-text-editor\" data-id=\"883ef21\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 id=\"ember592\" class=\"ember-view reader-text-block__heading-3\">Opcje rozpakowywania<\/h2><h3 id=\"ember593\" class=\"ember-view reader-text-block__heading-3\">Opcja 1: Rozpakowanie klucza AES w celu odszyfrowania zablokowanych notatek Apple Notes na iOS 16 za pomoc\u0105 CyberChef<\/h3><p id=\"ember594\" class=\"ember-view reader-text-block__paragraph\">Wy\u0142\u0105czy\u0142em wszystkie poprzednie operacje, wyszuka\u0142em \"AES Key Unwrap\" i przeci\u0105gn\u0105\u0142em go do okna receptury. Wklejaj\u0105c KEK i zawini\u0119ty klucz, CyberChef wy\u015bwietli\u0142 rozpakowany klucz AES.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d457284 elementor-widget elementor-widget-image\" data-id=\"d457284\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png\" class=\"attachment-large size-large wp-image-3248\" alt=\"CyberChef u\u017cyty do wyprowadzenia KEK i rozpakowania klucza AES do odszyfrowania Apple Notes na iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Unwrapped Key: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f85b338 elementor-widget elementor-widget-text-editor\" data-id=\"f85b338\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember596\" class=\"ember-view reader-text-block__heading-3\">Opcja 2: Automatyzacja rozpakowywania klucza AES za pomoc\u0105 unwrap.py<\/h3><p id=\"ember597\" class=\"ember-view reader-text-block__paragraph\">Opracowa\u0142em r\u00f3wnie\u017c skrypt Pythona o nazwie <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/unwrap.py\" target=\"_self\" data-test-app-aware-link=\"\">unwrap.py<\/a> kt\u00f3ry jako argumenty przyjmuje \u015bcie\u017ck\u0119 do bazy danych i KEK (w formacie hex). Uruchomienie tego skryptu powoduje rozpakowanie klucza i wydrukowanie go w formacie hex. W moim przypadku rozpakowany klucz to:<\/p><pre class=\"reader-text-block__code-block\">python unwrap.py NoteStore.sqlite<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d706b50 elementor-widget elementor-widget-image\" data-id=\"d706b50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"186\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png\" class=\"attachment-large size-large wp-image-3252\" alt=\"Skrypt Python unwrap.py pokazuj\u0105cy odszyfrowany klucz AES dla zablokowanych Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-300x70.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-768x178.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1536x357.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-600x139.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key.png.webp 1624w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Unwrapped Key: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ccc7a47 elementor-widget elementor-widget-text-editor\" data-id=\"ccc7a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Jest to ostateczny klucz AES, kt\u00f3ry zostanie u\u017cyty do odszyfrowania zablokowanej zawarto\u015bci notatki Apple.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5503b4 e-flex e-con-boxed e-con e-parent\" data-id=\"f5503b4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b5b0ce elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"8b5b0ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a5b134e e-flex e-con-boxed e-con e-parent\" data-id=\"a5b134e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b756808 elementor-widget elementor-widget-heading\" data-id=\"b756808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Odszyfrowywanie notatek Apple Notes BLOB przy u\u017cyciu AES-GCM w systemie iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df237c elementor-widget elementor-widget-text-editor\" data-id=\"9df237c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"333\" data-end=\"576\">Teraz, gdy mia\u0142em ju\u017c rozpakowany klucz, nadszed\u0142 czas, aby odszyfrowa\u0107 plik Apple Notes BLOB przechowywany w folderze <code data-start=\"425\" data-end=\"438\">ZICNOTEDATA<\/code> tabela. Apple u\u017cywa <strong data-start=\"457\" data-end=\"476\">AES w trybie GCM<\/strong> aby chroni\u0107 zawarto\u015b\u0107 zablokowanych notatek, co oznacza, \u017ce potrzebowa\u0142em czterech podstawowych komponent\u00f3w, aby kontynuowa\u0107:<\/p><ul data-start=\"578\" data-end=\"768\"><li class=\"\" data-start=\"578\" data-end=\"606\"><p class=\"\" data-start=\"580\" data-end=\"606\">\ud83d\udd11 <strong data-start=\"583\" data-end=\"604\">Rozpakowany klucz AES<\/strong><\/p><\/li><li class=\"\" data-start=\"607\" data-end=\"679\"><p class=\"\" data-start=\"609\" data-end=\"679\">\ud83d\udd01 <strong data-start=\"612\" data-end=\"642\">Wektor inicjalizacji (IV)<\/strong> z <code data-start=\"648\" data-end=\"677\">ZCRYPTOINITIALIZATIONVECTOR<\/code><\/p><\/li><li class=\"\" data-start=\"680\" data-end=\"731\"><p class=\"\" data-start=\"682\" data-end=\"731\">\ud83c\udff7 <strong data-start=\"685\" data-end=\"711\">Znacznik uwierzytelniania GCM<\/strong> z <code data-start=\"717\" data-end=\"729\">ZCRYPTOTAG<\/code><\/p><\/li><li class=\"\" data-start=\"732\" data-end=\"768\"><p class=\"\" data-start=\"734\" data-end=\"768\">\ud83d\udcbe <strong data-start=\"737\" data-end=\"755\">Zaszyfrowany BLOB<\/strong> z <code data-start=\"761\" data-end=\"768\">ZDATA<\/code><\/p><\/li><\/ul><h3>\ud83d\udce4 Wyodr\u0119bnianie znacznika IV i GCM z pliku NoteStore.sqlite<\/h3><p class=\"\" data-start=\"830\" data-end=\"1096\">Aby zlokalizowa\u0107 <strong data-start=\"844\" data-end=\"850\">IV<\/strong> oraz <strong data-start=\"855\" data-end=\"866\">Znacznik GCM<\/strong>otworzy\u0142em <code data-start=\"881\" data-end=\"894\">ZICNOTEDATA<\/code> w tabeli DB Browser dla SQLite. Pola te s\u0105 przechowywane jako warto\u015bci binarne i mo\u017cna je znale\u017a\u0107 w sekcji <code data-start=\"999\" data-end=\"1012\">ZICNOTEDATA<\/code> lub <code data-start=\"1016\" data-end=\"1039\">ZICCLOUDSYNCINGOBJECT<\/code> tabele. Obie przechowuj\u0105 dane pod tymi samymi nazwami kolumn.<\/p><ul data-start=\"1098\" data-end=\"1194\"><li class=\"\" data-start=\"1098\" data-end=\"1144\"><p class=\"\" data-start=\"1100\" data-end=\"1144\"><strong data-start=\"1100\" data-end=\"1106\">IV<\/strong>: <code data-start=\"1108\" data-end=\"1142\">5c0c0bde9b6801747ddad1115a422d05<\/code><\/p><\/li><li class=\"\" data-start=\"1145\" data-end=\"1194\"><p class=\"\" data-start=\"1147\" data-end=\"1194\"><strong data-start=\"1147\" data-end=\"1158\">Znacznik GCM<\/strong>: <code data-start=\"1160\" data-end=\"1194\">b9087ba19e3c7deff2cb4b9b51e6aafa<\/code><\/p><\/li><\/ul><p>Sam zaszyfrowany BLOB by\u0142 r\u00f3wnie\u017c widoczny w pliku <code data-start=\"1246\" data-end=\"1253\">ZDATA<\/code> kolumna. Skopiowa\u0142em wszystkie trzy warto\u015bci w formacie szesnastkowym, przygotowuj\u0105c si\u0119 do ostatniego etapu deszyfrowania.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df39e9 elementor-widget elementor-widget-image\" data-id=\"9df39e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png\" class=\"attachment-large size-large wp-image-3256\" alt=\"SQLite database IV forensic analysis \u2014 digital evidence examination with hex viewer\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Wektor inicjalizacji: 5c0c0bde9b6801747ddad1115a422d05<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34afaf5 elementor-widget elementor-widget-image\" data-id=\"34afaf5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png\" class=\"attachment-large size-large wp-image-3257\" alt=\"Przegl\u0105darka DB pokazuj\u0105ca znacznik GCM u\u017cywany do deszyfrowania AES-GCM\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Tag GCM: b9087ba19e3c7deff2cb4b9b51e6aafa<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-16a8017 elementor-widget elementor-widget-image\" data-id=\"16a8017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png\" class=\"attachment-large size-large wp-image-3258\" alt=\"Przegl\u0105darka DB z pod\u015bwietlonymi zaszyfrowanymi danymi Apple Note BLOB\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-300x165.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-768x422.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-600x329.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB.png.webp 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zaszyfrowany BLOB<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34002d9 elementor-widget elementor-widget-text-editor\" data-id=\"34002d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Odszyfrowywanie notatki za pomoc\u0105 CyberChef<\/h2><p class=\"\" data-start=\"1396\" data-end=\"1552\">Maj\u0105c wszystko pod r\u0119k\u0105, zwr\u00f3ci\u0142em si\u0119 do <strong data-start=\"1433\" data-end=\"1446\">CyberChef<\/strong>. Narz\u0119dzie to u\u0142atwi\u0142o po\u0142\u0105czenie wszystkich parametr\u00f3w i ujawnienie oryginalnej zawarto\u015bci. Oto co zrobi\u0142em:<\/p><ol data-start=\"1554\" data-end=\"1819\"><li class=\"\" data-start=\"1554\" data-end=\"1597\"><p class=\"\" data-start=\"1557\" data-end=\"1597\">Doda\u0142em <strong data-start=\"1569\" data-end=\"1586\">\"AES Decrypt\"<\/strong> dzia\u0142anie.<\/p><\/li><li class=\"\" data-start=\"1598\" data-end=\"1655\"><p class=\"\" data-start=\"1601\" data-end=\"1655\">Wklei\u0142em <strong data-start=\"1614\" data-end=\"1635\">rozpakowany klucz AES<\/strong> w polu Klucz.<\/p><\/li><li class=\"\" data-start=\"1656\" data-end=\"1685\"><p class=\"\" data-start=\"1659\" data-end=\"1685\">Ustawi\u0142em <strong data-start=\"1669\" data-end=\"1684\">tryb do GCM<\/strong>.<\/p><\/li><li class=\"\" data-start=\"1686\" data-end=\"1752\"><p class=\"\" data-start=\"1689\" data-end=\"1752\">W\u0142o\u017cy\u0142em <strong data-start=\"1704\" data-end=\"1722\">Znacznik IV i GCM<\/strong> w swoich dziedzinach.<\/p><\/li><li class=\"\" data-start=\"1753\" data-end=\"1819\"><p class=\"\" data-start=\"1756\" data-end=\"1819\">Na koniec skopiowa\u0142em <strong data-start=\"1778\" data-end=\"1796\">zaszyfrowany BLOB<\/strong> w oknie wprowadzania.<\/p><\/li><\/ol><div class=\"reader-image-block reader-image-block--full-width\">Raz uderzy\u0142em <strong data-start=\"1832\" data-end=\"1840\">Piec<\/strong>CyberChef odszyfrowa\u0142 BLOB i ujawni\u0142 skompresowany plik - dok\u0142adnie to, czego oczekiwa\u0142em. Oznacza\u0142o to, \u017ce warstwa szyfrowania zosta\u0142a ca\u0142kowicie usuni\u0119ta i mog\u0142em przej\u015b\u0107 do dekompresji danych.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8947548 elementor-widget elementor-widget-image\" data-id=\"8947548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png\" class=\"attachment-large size-large wp-image-3263\" alt=\"Przepis CyberChefa odszyfrowuj\u0105cy Apple Notes BLOB przy u\u017cyciu trybu AES-GCM\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Odszyfrowany plik GZIP<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f8c36f9 e-flex e-con-boxed e-con e-parent\" data-id=\"f8c36f9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aba9778 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aba9778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-415622e e-flex e-con-boxed e-con e-parent\" data-id=\"415622e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-23482bc elementor-widget elementor-widget-heading\" data-id=\"23482bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Rozpakowywanie i analizowanie ko\u0144cowej notatki (odszyfrowany protobuf z Apple Notes)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f50417 elementor-widget elementor-widget-text-editor\" data-id=\"8f50417\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"285\" data-end=\"516\">Po odszyfrowaniu zaszyfrowanego AES BLOB, zapisa\u0142em dane wyj\u015bciowe do pliku o nazwie <code data-start=\"361\" data-end=\"381\">decrypted_blob.bin<\/code> i otworzy\u0142 go w HxD. Sygnatura pliku <code data-start=\"423\" data-end=\"433\">0x1F8B08<\/code> potwierdzi\u0142, \u017ce by\u0142 to plik skompresowany GZIP - Apple u\u017cywa go do kompresji danych protobuf.<\/p><p class=\"\" data-start=\"518\" data-end=\"677\">Aby wyodr\u0119bni\u0107 zwyk\u0142y tekst, ponownie otworzy\u0142em CyberChef i doda\u0142em plik <strong data-start=\"579\" data-end=\"589\">Gunzip<\/strong> do przep\u0142ywu pracy. Natychmiast na wyj\u015bciu zacz\u0119\u0142y pojawia\u0107 si\u0119 znajome ci\u0105gi znak\u00f3w.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-188566a elementor-widget elementor-widget-image\" data-id=\"188566a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png\" class=\"attachment-large size-large wp-image-3267\" alt=\"CyberChef pokazuj\u0105cy zdekompresowane dane Apple Notes protobuf po ekstrakcji GZIP\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-300x199.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-768x509.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1536x1018.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-600x398.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1.png.webp 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zdekompresowany protobuf w CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3956e4f elementor-widget elementor-widget-text-editor\" data-id=\"3956e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Po rozpakowaniu zastosowa\u0142em <strong data-start=\"759\" data-end=\"778\">Dekodowanie Protobuf<\/strong> w CyberChef. Rezultatem by\u0142 ustrukturyzowany widok przypominaj\u0105cy JSON, z kluczami i warto\u015bciami reprezentuj\u0105cymi zawarto\u015b\u0107 zablokowanego Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e094119 e-flex e-con-boxed e-con e-parent\" data-id=\"e094119\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-94d53fe elementor-widget elementor-widget-image\" data-id=\"94d53fe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"470\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png\" class=\"attachment-large size-large wp-image-3268\" alt=\"Widok CyberChef zdekodowanej struktury Apple Notes protobuf w formacie podobnym do JSON\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png.webp 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-300x176.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-768x451.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1536x901.png.webp 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-600x352.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode.png.webp 1929w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zdekodowany Protbuf w CyberChefie<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290c42a elementor-widget elementor-widget-text-editor\" data-id=\"290c42a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Aby u\u0142atwi\u0107 czytanie, u\u017cy\u0142em r\u00f3wnie\u017c skryptu Pythona, kt\u00f3ry wykorzystuje funkcj\u0119 <code data-start=\"1017\" data-end=\"1034\">backboxprotobuf<\/code> aby przeanalizowa\u0107 plik protobuf i wydrukowa\u0107 dane wyj\u015bciowe w czystym, czytelnym dla cz\u0142owieka formacie.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a338fd elementor-widget elementor-widget-image\" data-id=\"7a338fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"364\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png\" class=\"attachment-large size-large wp-image-3269\" alt=\"Wiersz polece\u0144 wy\u015bwietlaj\u0105cy przeanalizowan\u0105 zawarto\u015b\u0107 Apple Note przy u\u017cyciu skryptu backboxprotobuf Python\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png.webp 829w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-300x136.png.webp 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-768x349.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-600x273.png.webp 600w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">\u0141adnie sformatowane wyniki drukowane na ekranie<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996cea elementor-widget elementor-widget-text-editor\" data-id=\"0996cea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Odpowiada to temu, co u\u017cytkownik wpisa\u0142 w zablokowanym Apple Note. Przeszed\u0142e\u015b od ukrytego, chronionego has\u0142em wpisu do rzeczywistej, zwyk\u0142ej wiadomo\u015bci - bezcenne znalezisko w ka\u017cdej sprawie kryminalistycznej.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1eb0aa4 elementor-widget elementor-widget-image\" data-id=\"1eb0aa4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"1024\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png\" class=\"attachment-large size-large wp-image-3271\" alt=\"iPhone note evidence \u2014 forensic extraction of notes from iOS device SQLite database\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png.webp 515w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-151x300.png.webp 151w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-768x1528.png.webp 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-772x1536.png.webp 772w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-600x1193.png.webp 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note.png.webp 819w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Zrzut ekranu przy u\u017cyciu UFADE zablokowanej zawarto\u015bci Apple Note<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b8a6adf e-flex e-con-boxed e-con e-parent\" data-id=\"b8a6adf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f99fa9e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"f99fa9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f7a515 elementor-widget elementor-widget-video\" data-id=\"6f7a515\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=5Gr4LtE-_iE&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec61c4f elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"ec61c4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/pl\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tDowiedz si\u0119, jak rozpoznawa\u0107, wyodr\u0119bnia\u0107 i interpretowa\u0107 dane strukturalne w ten spos\u00f3b\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Jest to rzeczywisty przyk\u0142ad tego, jak protobufy s\u0105 przechowywane w bazach danych SQLite.\n\nSprawd\u017a nasz pe\u0142ny kurs SQLite Forensics lub skontaktuj si\u0119 z nami, aby zobaczy\u0107, jak mo\u017ce on pasowa\u0107 do Twojej pracy.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tDowiedz si\u0119 wi\u0119cej\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d72a604 e-flex e-con-boxed e-con e-parent\" data-id=\"d72a604\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-22b6bb5 elementor-widget elementor-widget-heading\" data-id=\"22b6bb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Podsumowanie<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c3e41b elementor-widget elementor-widget-text-editor\" data-id=\"4c3e41b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"192\" data-end=\"593\">Gratulacje \ud83c\udf89 - w\u0142a\u015bnie uko\u0144czy\u0142e\u015b pe\u0142ny kryminalistyczny workflow do <strong data-start=\"263\" data-end=\"304\">odszyfrowa\u0107 zablokowane Apple Notes na iOS 16<\/strong>. Wyodr\u0119bni\u0142e\u015b parametry szyfrowania z bazy danych SQLite, z\u0142ama\u0142e\u015b has\u0142o za pomoc\u0105 <strong data-start=\"394\" data-end=\"405\">Hashcat<\/strong>wyprowadzi\u0142 i rozpakowa\u0142 klucz AES przy u\u017cyciu <strong data-start=\"447\" data-end=\"457\">Python<\/strong>i ostatecznie odszyfrowa\u0142 i przeanalizowa\u0142 protobuf za pomoc\u0105 <strong data-start=\"510\" data-end=\"523\">CyberChef<\/strong>. Ka\u017cdy krok przybli\u017ca\u0142 ci\u0119 do ujawnienia ukrytej zawarto\u015bci notatki.<\/p><p class=\"\" data-start=\"595\" data-end=\"833\">Ten praktyczny przewodnik udowadnia, jak pot\u0119\u017cny <strong data-start=\"641\" data-end=\"662\">narz\u0119dzia open source<\/strong> mo\u017ce by\u0107 w kryminalistyce cyfrowej. Pomagaj\u0105 \u015bledczym odkry\u0107 zaszyfrowane notatki Apple Notes, kt\u00f3re komercyjne narz\u0119dzia mog\u0105 przeoczy\u0107 - zw\u0142aszcza na urz\u0105dzeniach z systemem operacyjnym. <strong data-start=\"811\" data-end=\"832\">iOS 16 lub wcze\u015bniejszy<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8c713e5 e-flex e-con-boxed e-con e-parent\" data-id=\"8c713e5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aa24044 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aa24044\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b6bbf21 e-flex e-con-boxed e-con e-parent\" data-id=\"b6bbf21\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf4bff elementor-widget elementor-widget-heading\" data-id=\"5bf4bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd75\ufe0f Bonus: Podpowied\u017a do has\u0142a<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-529bd7f elementor-widget elementor-widget-text-editor\" data-id=\"529bd7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"874\" data-end=\"963\">Oto dodatkowy zwrot akcji - znalaz\u0142em <strong data-start=\"908\" data-end=\"925\">podpowied\u017a do has\u0142a<\/strong> w <code data-start=\"933\" data-end=\"956\">ZICCLOUDSYNCINGOBJECT<\/code> tabela:<\/p><blockquote data-start=\"965\" data-end=\"986\"><p class=\"\" data-start=\"967\" data-end=\"986\"><strong data-start=\"967\" data-end=\"986\">Quarter Pounder<\/strong><\/p><\/blockquote><p class=\"\" data-start=\"988\" data-end=\"1244\">Poniewa\u017c urz\u0105dzenie nale\u017ca\u0142o do kogo\u015b o imieniu \"Vincent\", odgadni\u0119cie has\u0142a nie by\u0142o trudne: <strong data-start=\"1080\" data-end=\"1100\">royalewithcheese<\/strong> - uk\u0142on w stron\u0119 <em data-start=\"1112\" data-end=\"1126\">Pulp Fiction<\/em>. W rzeczywistych przypadkach takie podpowiedzi hase\u0142 mog\u0105 przyspieszy\u0107 przep\u0142yw pracy w po\u0142\u0105czeniu ze strategicznym procesem \u0142amania.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-efeabdf e-flex e-con-boxed e-con e-parent\" data-id=\"efeabdf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1a2a4f6 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a2a4f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7878d44 e-flex e-con-boxed e-con e-parent\" data-id=\"7878d44\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1e7fb8 elementor-widget elementor-widget-heading\" data-id=\"b1e7fb8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Jeszcze jedna rzecz... o iOS 17 i iOS 18<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1fbdcca elementor-widget elementor-widget-text-editor\" data-id=\"1fbdcca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"1299\" data-end=\"1619\">Ten przewodnik dotyczy w szczeg\u00f3lno\u015bci sposobu odszyfrowywania <strong data-start=\"1334\" data-end=\"1381\">Notatki Apple na iOS 16 i wcze\u015bniejszych<\/strong>. Pocz\u0105wszy od <strong data-start=\"1397\" data-end=\"1407\">iOS 17<\/strong>Apple wprowadzi\u0142o znacz\u0105ce zmiany w procesie szyfrowania aplikacji Notes. Mo\u017cna napotka\u0107 brakuj\u0105ce pola wyprowadzania klucza, r\u00f3\u017cne struktury kryptograficzne lub notatki, kt\u00f3re nie s\u0105 ju\u017c odszyfrowywane przy u\u017cyciu tych samych metod.<\/p><p class=\"\" data-start=\"1621\" data-end=\"1785\">Je\u015bli zastanawiasz si\u0119, jak <strong data-start=\"1648\" data-end=\"1691\">odszyfrowa\u0107 Apple Notes na iOS 17 lub iOS 18<\/strong>, chcia\u0142bym wsp\u00f3\u0142pracowa\u0107. Podziel si\u0119 swoimi odkryciami - wsp\u00f3lnie przeanalizujmy nowe szyfrowanie.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4d8d5c0 e-flex e-con-boxed e-con e-parent\" data-id=\"4d8d5c0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d446cd4 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"d446cd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"mailto:contact@elusivedata.io\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tDzi\u0119kujemy za przeczytanie! Masz pytania?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Zostaw je w komentarzach poni\u017cej lub skontaktuj si\u0119 z nami bezpo\u015brednio. Przesuwajmy granice odkry\u0107 kryminalistycznych.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tSkontaktuj si\u0119 z nami\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0768b7d elementor-widget elementor-widget-heading\" data-id=\"0768b7d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Mo\u017cesz by\u0107 tak\u017ce zainteresowany<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc0d9d0 elementor-widget elementor-widget-video\" data-id=\"cc0d9d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=QFn63mQ5_gI&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53a6229 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"53a6229\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e6108d9 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"e6108d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/pl\/ed-sqlite-visualizer\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tSQLite Visualizer. Zupe\u0142nie nowy spos\u00f3b odkrywania SQLite.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tNadchodz\u0105cy ED SQLite Visualizer pozwala zobaczy\u0107 wewn\u0119trzne elementy bazy danych, odzyska\u0107 ukryte rekordy i po\u0142\u0105czy\u0107 kropki szybciej ni\u017c kiedykolwiek, a wszystko to wizualnie. Jest ju\u017c u\u017cywany w naszym pe\u0142nym kursie SQLite, a wkr\u00f3tce b\u0119dzie dost\u0119pny dla wszystkich. \t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tZobacz, co nadchodzi \u2192\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Dowiedz si\u0119, jak odszyfrowa\u0142em zablokowan\u0105 aplikacj\u0119 Apple Note z urz\u0105dzenia z systemem iOS 16.7.10 przy u\u017cyciu narz\u0119dzi open source, takich jak Hashcat, Python i CyberChef. Ten krok po kroku kryminalistyczny przep\u0142yw pracy ujawnia proces wyodr\u0119bniania i odszyfrowywania ukrytej zawarto\u015bci z aplikacji Notatki Apple. Lektura obowi\u0105zkowa dla cyfrowych \u015bledczych i mobilnych specjalist\u00f3w medycyny s\u0105dowej.<\/p>","protected":false},"author":1,"featured_media":3203,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-3205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-forensics"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Decrypt Locked Apple Notes on iOS 16 | Forensic Guide<\/title>\n<meta name=\"description\" content=\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/elusivedata.io\/pl\/decrypt-apple-notes-ios16\/\" \/>\n<meta property=\"og:locale\" content=\"pl_PL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta property=\"og:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/elusivedata.io\/pl\/decrypt-apple-notes-ios16\/\" \/>\n<meta property=\"og:site_name\" content=\"Elusive Data\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-27T17:01:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-13T15:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"574\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"James Eichbaum\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta name=\"twitter:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Napisane przez\" \/>\n\t<meta name=\"twitter:data1\" content=\"James Eichbaum\" \/>\n\t<meta name=\"twitter:label2\" content=\"Szacowany czas czytania\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minut\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"author\":{\"name\":\"James Eichbaum\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\"},\"headline\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"wordCount\":1989,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"articleSection\":[\"Mobile Forensics\"],\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"name\":\"Decrypt Locked Apple Notes on iOS 16 | Forensic Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"description\":\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\"},\"inLanguage\":\"pl-PL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"width\":4400,\"height\":2465,\"caption\":\"Three padlocks on black background representing encrypted Apple Notes\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/elusivedata.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"name\":\"ElusiveData\",\"description\":\"Excellence in Digital Forensics Training and Consulting\",\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/elusivedata.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pl-PL\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\",\"name\":\"ElusiveData\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"width\":2560,\"height\":370,\"caption\":\"ElusiveData\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.youtube.com\\\/@elusivedata\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\",\"name\":\"James Eichbaum\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pl-PL\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"caption\":\"James Eichbaum\"},\"sameAs\":[\"http:\\\/\\\/elusivedata.io\"],\"url\":\"https:\\\/\\\/elusivedata.io\\\/pl\\\/author\\\/eichbaumjamesgmail-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Odszyfrowanie zablokowanych notatek Apple na iOS 16 | Przewodnik kryminalistyczny","description":"Odszyfrowanie zablokowanych notatek Apple Notes na iOS 16 przy u\u017cyciu narz\u0119dzi open source, takich jak Hashcat, CyberChef i Python. Pe\u0142ny przep\u0142yw pracy kryminalistycznej - nie s\u0105 potrzebne \u017cadne p\u0142atne narz\u0119dzia.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/elusivedata.io\/pl\/decrypt-apple-notes-ios16\/","og_locale":"pl_PL","og_type":"article","og_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","og_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","og_url":"https:\/\/elusivedata.io\/pl\/decrypt-apple-notes-ios16\/","og_site_name":"Elusive Data","article_published_time":"2025-03-27T17:01:54+00:00","article_modified_time":"2025-08-13T15:55:36+00:00","og_image":[{"width":1024,"height":574,"url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png","type":"image\/png"}],"author":"James Eichbaum","twitter_card":"summary_large_image","twitter_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","twitter_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","twitter_image":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","twitter_misc":{"Napisane przez":"James Eichbaum","Szacowany czas czytania":"15 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#article","isPartOf":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"author":{"name":"James Eichbaum","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436"},"headline":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"wordCount":1989,"commentCount":2,"publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","articleSection":["Mobile Forensics"],"inLanguage":"pl-PL","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","url":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","name":"Odszyfrowanie zablokowanych notatek Apple na iOS 16 | Przewodnik kryminalistyczny","isPartOf":{"@id":"https:\/\/elusivedata.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","description":"Odszyfrowanie zablokowanych notatek Apple Notes na iOS 16 przy u\u017cyciu narz\u0119dzi open source, takich jak Hashcat, CyberChef i Python. Pe\u0142ny przep\u0142yw pracy kryminalistycznej - nie s\u0105 potrzebne \u017cadne p\u0142atne narz\u0119dzia.","breadcrumb":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb"},"inLanguage":"pl-PL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"]}]},{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","width":4400,"height":2465,"caption":"Three padlocks on black background representing encrypted Apple Notes"},{"@type":"BreadcrumbList","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/elusivedata.io\/"},{"@type":"ListItem","position":2,"name":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat"}]},{"@type":"WebSite","@id":"https:\/\/elusivedata.io\/#website","url":"https:\/\/elusivedata.io\/","name":"ElusiveData","description":"Doskona\u0142o\u015b\u0107 w zakresie szkole\u0144 i doradztwa w dziedzinie informatyki \u015bledczej","publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/elusivedata.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pl-PL"},{"@type":"Organization","@id":"https:\/\/elusivedata.io\/#organization","name":"ElusiveData","url":"https:\/\/elusivedata.io\/","logo":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","width":2560,"height":370,"caption":"ElusiveData"},"image":{"@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.youtube.com\/@elusivedata"]},{"@type":"Person","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436","name":"James Eichbaum","image":{"@type":"ImageObject","inLanguage":"pl-PL","@id":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","url":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","caption":"James Eichbaum"},"sameAs":["http:\/\/elusivedata.io"],"url":"https:\/\/elusivedata.io\/pl\/author\/eichbaumjamesgmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/posts\/3205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/comments?post=3205"}],"version-history":[{"count":90,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/posts\/3205\/revisions"}],"predecessor-version":[{"id":14968,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/posts\/3205\/revisions\/14968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/media\/3203"}],"wp:attachment":[{"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/media?parent=3205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/categories?post=3205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elusivedata.io\/pl\/wp-json\/wp\/v2\/tags?post=3205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}