{"id":3205,"date":"2025-03-27T17:01:54","date_gmt":"2025-03-27T17:01:54","guid":{"rendered":"https:\/\/elusivedata.io\/?p=3205"},"modified":"2025-08-13T15:55:36","modified_gmt":"2025-08-13T15:55:36","slug":"dekryptera-apple-anteckningar-ios16","status":"publish","type":"post","link":"https:\/\/elusivedata.io\/sv\/decrypt-apple-notes-ios16\/","title":{"rendered":"Dekryptera l\u00e5sta Apple-anteckningar p\u00e5 iOS 16.x: Ett komplett r\u00e4ttsmedicinskt arbetsfl\u00f6de (SQLite, CyberChef, Python) med Hashcat"},"content":{"rendered":"<div data-elementor-type=\"wp-post\" data-elementor-id=\"3205\" class=\"elementor elementor-3205\" data-elementor-post-type=\"post\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c9155f5 e-flex e-con-boxed e-con e-parent\" data-id=\"c9155f5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-2fc7219 elementor-widget elementor-widget-heading\" data-id=\"2fc7219\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Inledning<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1d80253 elementor-widget elementor-widget-text-editor\" data-id=\"1d80253\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember625\" class=\"ember-view reader-text-block__paragraph\">N\u00e4r jag analyserade en testenhet med ett popul\u00e4rt kommersiellt mobilt kriminaltekniskt verktyg st\u00f6tte jag p\u00e5 n\u00e5got sp\u00e4nnande - en l\u00e5st Apple Note som bara syntes som \"dold\". Verktyget visade anteckningens sammanfattning (m\u00e4rkt \"Lance\"), men det faktiska inneh\u00e5llet saknades. Det fanns ingen aning om vad som fanns under l\u00e5set och jag st\u00e4llde mig en br\u00e4nnande fr\u00e5ga: kunde jag avsl\u00f6ja hemligheten p\u00e5 insidan? Jag beh\u00f6vde ett arbetsfl\u00f6de som skulle hj\u00e4lpa mig att dekryptera Apple Notes p\u00e5 iOS 16.<\/p><p id=\"ember626\" class=\"ember-view reader-text-block__paragraph\">Enheten var ig\u00e5ng <strong>iOS 16.7.10<\/strong>och efter att ha gr\u00e4vt i databasen NoteStore.sqlite ins\u00e5g jag att alla krypteringsledtr\u00e5dar fanns d\u00e4r - i v\u00e4ntan p\u00e5 att avkodas. Med hj\u00e4lp av verktyg med \u00f6ppen k\u00e4llkod b\u00f6rjade jag \u00e5terskapa l\u00f6senordet och dekryptera anteckningens inneh\u00e5ll.\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0\u00a0<\/p><p id=\"ember627\" class=\"ember-view reader-text-block__paragraph\">Detta inl\u00e4gg g\u00e5r igenom hur du <strong>komplett kriminaltekniskt arbetsfl\u00f6de<\/strong> om hur man <strong data-start=\"979\" data-end=\"1012\">dekryptera Apple Notes p\u00e5 iOS 16:<\/strong><\/p><ul><li>\ud83d\udd13 <strong>Hashcat<\/strong> f\u00f6r att kn\u00e4cka l\u00f6senord<\/li><li>\ud83d\uddc4\ufe0f <strong>DB Browser f\u00f6r SQLite<\/strong> f\u00f6r att utforska och extrahera krypteringsparametrar<\/li><li>\ud83d\udc0d <strong>Python-skript<\/strong> f\u00f6r h\u00e4rledning av nycklar och uppackning av AES-nycklar<\/li><li>\ud83d\udd0d <strong>CyberChef<\/strong> f\u00f6r att dekryptera, dekomprimera och analysera den slutliga protobuf-nyttolasten<\/li><\/ul><blockquote id=\"ember629\" class=\"ember-view reader-text-block__blockquote\"><p>\u26a0\ufe0f <strong>Viktig anm\u00e4rkning:<\/strong> Detta arbetsfl\u00f6de g\u00e4ller specifikt f\u00f6r Apple Notes som \u00e4r l\u00e5sta p\u00e5 <strong>iOS 16.x<\/strong>. Fr\u00e5n och med iOS 17 \u00e4ndrade Apple hur krypterade anteckningar lagras - och iOS 18 inneb\u00e4r \u00e4nnu fler f\u00f6r\u00e4ndringar.<\/p><\/blockquote><p id=\"ember630\" class=\"ember-view reader-text-block__paragraph\">L\u00e5t oss dyka in och avsl\u00f6ja det dolda meddelandet i den l\u00e5sta Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-c525deb e-flex e-con-boxed e-con e-parent\" data-id=\"c525deb\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-3a21125 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"3a21125\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-2086843 e-flex e-con-boxed e-con e-parent\" data-id=\"2086843\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9647810 elementor-widget elementor-widget-heading\" data-id=\"9647810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Gr\u00e4va sig in i NoteStore.sqlite<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-03a06aa elementor-widget elementor-widget-text-editor\" data-id=\"03a06aa\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Vid denna tidpunkt visste jag att inneh\u00e5llet i den krypterade noten lagrades i NoteStore.sqlite, s\u00e4rskilt i tabellen ZICNOTEDATA. Apple brukar ofta <strong><i>gzips<\/i><\/strong> anteckningens protobuf-data, men n\u00e4r det g\u00e4ller l\u00e5sta anteckningar \u00e4r hela BLOB f\u00f6rst <strong>krypterad<\/strong>-vilket inneb\u00e4r att ett direkt dekomprimeringsf\u00f6rs\u00f6k inte ger l\u00e4sbar text. Du kommer att beh\u00f6va <strong>r\u00e4tt dekrypteringsnyckel<\/strong> innan n\u00e5gon form av uppackning eller protobuf-parsning kan ske.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-96d0945 elementor-widget elementor-widget-image\" data-id=\"96d0945\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img fetchpriority=\"high\" decoding=\"async\" width=\"800\" height=\"373\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png\" class=\"attachment-large size-large wp-image-3208\" alt=\"Dekryptera Apple Notes iOS 16 med hj\u00e4lp av SQLite DB Browser\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-1024x478.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-300x140.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-768x359.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB-600x280.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Encrypted_BLOB.png 1133w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Krypterad BLOB i ZDATA-f\u00e4ltet f\u00f6r den l\u00e5sta anteckningen (DB Browser f\u00f6r SQLite)<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-192f056 elementor-widget elementor-widget-text-editor\" data-id=\"192f056\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>I sk\u00e4rmdumpen kan du se de r\u00e5a hexadecimala v\u00e4rdena f\u00f6r ZDATA. Dessa data \u00e4r effektivt krypterade av <strong>AES-kryptering<\/strong>, med kritiska metadata - som salter och iterationsantal - sparade i andra delar av databasen. Fr\u00e5n en <strong>r\u00e4ttsmedicinsk unders\u00f6kare<\/strong> N\u00e4r du inser att noten \u00e4r helt krypterad \u00e4r det dags att gr\u00e4va djupare i tabellen ZICCLOUDSYNCINGOBJECT f\u00f6r att hitta de parametrar som beh\u00f6vs f\u00f6r att <strong>spricka<\/strong> l\u00f6senkoden och <strong>l\u00e5sa upp<\/strong> anteckningen \ud83d\udd13.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d0ab9d6 e-flex e-con-boxed e-con e-parent\" data-id=\"d0ab9d6\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-40be78a elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"40be78a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-38e76a3 e-flex e-con-boxed e-con e-parent\" data-id=\"38e76a3\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-52d7880 elementor-widget elementor-widget-heading\" data-id=\"52d7880\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Varf\u00f6r \u00e4r l\u00e5sta Apple-anteckningar krypterade p\u00e5 iOS 16?<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-5f10962 e-flex e-con-boxed e-con e-parent\" data-id=\"5f10962\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-c925db9 elementor-widget elementor-widget-text-editor\" data-id=\"c925db9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember636\" class=\"ember-view reader-text-block__paragraph\">Apple Notes s\u00e4krar l\u00e5sta anteckningar med hj\u00e4lp av en kombination av <strong>PBKDF2<\/strong> (h\u00e4rledning av nycklar) och <strong>AES<\/strong> (kryptering). N\u00e4r ett l\u00f6senord aktiveras p\u00e5 en anteckning lagrar Apple viktiga kryptografiska metadata i databasen, t.ex:<\/p><ul><li>ZCRYPTOITERATIONSANTAL<\/li><li>ZCRYPTOSALT<\/li><li>ZCRYPTOWRAPPEDKEY<\/li><\/ul><p id=\"ember638\" class=\"ember-view reader-text-block__paragraph\">Dessa v\u00e4rden s\u00e4kerst\u00e4ller att endast den som har r\u00e4tt l\u00f6senord kan dekryptera inneh\u00e5llet i anteckningen.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-bb87437 e-flex e-con-boxed e-con e-parent\" data-id=\"bb87437\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9c2a25d elementor-widget elementor-widget-heading\" data-id=\"9c2a25d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Forensiskt tillv\u00e4gag\u00e5ngss\u00e4tt<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-734c922 e-flex e-con-boxed e-con e-parent\" data-id=\"734c922\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-9077bae elementor-widget elementor-widget-text-editor\" data-id=\"9077bae\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember640\" class=\"ember-view reader-text-block__paragraph\">Fr\u00e5n en kriminalteknisk synvinkel inkluderar dina steg vanligtvis:<\/p><ol><li><strong>Identifiera<\/strong> de relevanta l\u00e5sta anteckningsposterna i ZICNOTEDATA och ZICCLOUDSYNCINGOBJECT.<\/li><li><strong>Extrakt<\/strong> de kryptografiska detaljerna - som antal iterationer, salt och den inkapslade nyckeln.<\/li><li><strong>Spricka<\/strong> anv\u00e4ndarens l\u00f6senord med <strong>Hashcat<\/strong> (eller ett annat verktyg f\u00f6r \u00e5terst\u00e4llning av l\u00f6senord som John the Ripper eller Passware).<\/li><li><strong>H\u00e4rleda<\/strong> de sista nycklarna i <strong>Python eller CyberChef<\/strong>\u00a0och <strong>dekryptera<\/strong> anteckningens BLOB.<\/li><li><strong>Dekomprimera<\/strong> den ol\u00e5sta protobuf-datan (med <strong>CyberChef eller Python<\/strong>) f\u00f6r att avsl\u00f6ja den slutliga klartexten.<\/li><\/ol>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8357e17 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"8357e17\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/sv\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t<div class=\"elementor-cta__bg-wrapper\">\n\t\t\t\t<div class=\"elementor-cta__bg elementor-bg\" style=\"background-image: url(https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/07\/SQLite-Forensics-1024x543.png);\" role=\"img\" aria-label=\"SQLite Forensics\"><\/div>\n\t\t\t\t<div class=\"elementor-cta__bg-overlay\"><\/div>\n\t\t\t<\/div>\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tVill du ha full kontroll \u00f6ver dina SQLite-unders\u00f6kningar?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tL\u00e4r dig hur du arbetar bortom verktygets begr\u00e4nsningar, fr\u00e5n att analysera krypterad appdata till att \u00e5terst\u00e4lla raderade och dolda poster. Till\u00e4mpa det omedelbart i dina egna utredningar.\n\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tL\u00e4s mer\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-56ca2f1 e-flex e-con-boxed e-con e-parent\" data-id=\"56ca2f1\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-18231c3 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"18231c3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-062def9 e-flex e-con-boxed e-con e-parent\" data-id=\"062def9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-37b1e55 elementor-widget elementor-widget-heading\" data-id=\"37b1e55\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Kn\u00e4cka l\u00f6senordet till den l\u00e5sta Apple Note med Hashcat<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-55bf6d5 elementor-widget elementor-widget-text-editor\" data-id=\"55bf6d5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Mitt m\u00e5l var att simulera ett realistiskt kriminaltekniskt scenario: Jag hade en l\u00e5st Apple Note och beh\u00f6vde \u00e5terst\u00e4lla l\u00f6senkoden f\u00f6r att dekryptera inneh\u00e5llet. Det \u00e4r d\u00e4r <strong>Hashcat<\/strong> kommer in i bilden. Genom att utnyttja hash-l\u00e4get f\u00f6r Apple Secure Notes (ID <strong>16200<\/strong>) testade Hashcat systematiskt olika l\u00f6senord tills det hittade det r\u00e4tta.<\/p><h3 id=\"ember644\" class=\"ember-view reader-text-block__heading-3\">Extrahera de n\u00f6dv\u00e4ndiga kolumnerna<\/h3><p id=\"ember645\" class=\"ember-view reader-text-block__paragraph\">Jag b\u00f6rjade med att \u00f6ppna <strong>NoteStore.sqlite<\/strong> i DB Browser och riktade in sig p\u00e5 rader med ZISPASSWORDPROTECTED = 1 i tabellen ZICCLOUDSYNCINGOBJECT. Jag fr\u00e5gade sedan f\u00f6ljande kolumner:<\/p><ul><li>Z_PK - anteckningens unika identifierare.<\/li><li>ZCRYPTOSALT - saltv\u00e4rdet f\u00f6r PBKDF2.<\/li><li>ZCRYPTOWRAPPEDKEY - den inplastade nyckeln som senare kommer att packas upp.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4d4f816 elementor-widget elementor-widget-image\" data-id=\"4d4f816\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"337\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png\" class=\"attachment-large size-large wp-image-3219\" alt=\"SQLite command line commands \u2014 forensic database querying and analysis technique\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-1024x431.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-300x126.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-768x323.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1-600x253.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/sqlite_commands_1.png 1373w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">SQLite-fr\u00e5ga f\u00f6r n\u00f6dv\u00e4ndiga parametrar f\u00f6r Hashcat<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63ee483 elementor-widget elementor-widget-text-editor\" data-id=\"63ee483\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember571\" class=\"ember-view reader-text-block__paragraph\">Hashcat-ing\u00e5ngsfilen genererades av ett litet Python-skript <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/notes_to_hashcat.py\" target=\"_self\" data-test-app-aware-link=\"\">anteckningar_till_hashcat.py<\/a>som formaterade dessa v\u00e4rden till en enda rad som Hashcat kunde analysera, inklusive iterationsantalet (fr\u00e5n ZCRYPTOITERATIONCOUNT).<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9cb96ba elementor-widget elementor-widget-image\" data-id=\"9cb96ba\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" width=\"800\" height=\"194\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png\" class=\"attachment-large size-large wp-image-3222\" alt=\"notes_to_hashcat.py samlar in de n\u00f6dv\u00e4ndiga parametrarna f\u00f6r att kn\u00e4cka det l\u00e5sta Apple Note-l\u00f6senordet p\u00e5 iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-1024x248.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-300x73.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-768x186.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result-600x145.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/notes_to_hashcat_result.png 1394w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Utdata fr\u00e5n notes_to_hashcat.py<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7f15ff3 elementor-widget elementor-widget-text-editor\" data-id=\"7f15ff3\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember573\" class=\"ember-view reader-text-block__heading-3\">K\u00f6r Hashcat f\u00f6r att dekryptera det l\u00e5sta Apple Note-l\u00f6senordet<\/h3><p id=\"ember574\" class=\"ember-view reader-text-block__paragraph\">Med min Hashcat-ing\u00e5ngsfil klar och en ordbok till hands k\u00f6rde jag f\u00f6ljande kommando:<\/p><pre class=\"reader-text-block__code-block\">hashcat -m 16200 -a 0<br \/>H\u00e4r:<\/pre><ul><li>-m 16200 anger Apple Secure Notes-l\u00e4ge.<\/li><li>-a 0 s\u00e4tter Hashcat i attackl\u00e4ge Straight (ordbok).<\/li><li>Ordlistan kan vara n\u00e5got i stil med <strong>rockyou.txt<\/strong> eller en anpassad lista som h\u00e4rr\u00f6r fr\u00e5n enhetens artefakter.<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-47bf17e elementor-widget elementor-widget-image\" data-id=\"47bf17e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"492\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png\" class=\"attachment-large size-large wp-image-3223\" alt=\"Anv\u00e4nda Hashcat f\u00f6r att dekryptera l\u00e5st Apple Notes-l\u00f6senord\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1024x630.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-300x185.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-768x472.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-1536x945.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed-600x369.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/hashcat_completed.png 1858w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Hashcat avsl\u00f6jar det kn\u00e4ckta l\u00f6senordet: royalewithcheese<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e128532 elementor-widget elementor-widget-text-editor\" data-id=\"e128532\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Hashcat identifierade framg\u00e5ngsrikt det korrekta l\u00f6senordet: royalewithcheese. I en verklig unders\u00f6kning kan din ordlista vara mycket st\u00f6rre, men det h\u00e4r resultatet bekr\u00e4ftade att Hashcat kunde hantera de tunga lyften.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d589230 e-flex e-con-boxed e-con e-parent\" data-id=\"d589230\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-7896451 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"7896451\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e3f6d62 e-flex e-con-boxed e-con e-parent\" data-id=\"e3f6d62\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8e7ccbd elementor-widget elementor-widget-heading\" data-id=\"8e7ccbd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">H\u00e4rleda nyckelkrypteringsnyckeln (KEK) f\u00f6r att dekryptera Apple Notes<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0ae9824 elementor-widget elementor-widget-text-editor\" data-id=\"0ae9824\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember581\" class=\"ember-view reader-text-block__paragraph\">Med l\u00f6senordet i handen var n\u00e4sta steg att h\u00e4rleda <strong>Nyckelkrypteringsnyckel (KEK)<\/strong>, som anv\u00e4nds f\u00f6r att omsluta den slutliga AES-nyckeln som krypterar anteckningens inneh\u00e5ll. F\u00f6r att h\u00e4rleda KEK beh\u00f6vde jag f\u00f6ljande v\u00e4rden fr\u00e5n tabellen ZICCLOUDSYNCINGOBJECT:<\/p><ul><li><strong>L\u00f6senord<\/strong> (det kn\u00e4ckta l\u00f6senordet)<\/li><li><strong>Antal iterationer<\/strong> (ZCRYPTOITERATIONCOUNT)<\/li><li><strong>Salt<\/strong> (ZCRYPTOSALT)<\/li><\/ul><p id=\"ember583\" class=\"ember-view reader-text-block__paragraph\">Till exempel, med hj\u00e4lp av DB Browser, fr\u00e5gade jag:<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOITERATIONCOUNT, ZCRYPTOSALT FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = ;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-14fac64 elementor-widget elementor-widget-image\" data-id=\"14fac64\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"386\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png\" class=\"attachment-large size-large wp-image-3236\" alt=\"Fr\u00e5ga NoteStore.sqlite efter Salt- och Iteration-antalet som beh\u00f6vs f\u00f6r att skaffa den KEK som beh\u00f6vs f\u00f6r att dekryptera l\u00e5sta Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-1024x494.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-300x145.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-768x371.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt-600x290.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/db_query_iter_and_salt.png 1313w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Antal iterationer: 20000 | Salt: d1afa96252a15d8d58827bcb21940de1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-a40be9e elementor-widget elementor-widget-text-editor\" data-id=\"a40be9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>D\u00e4refter \u00f6ppnade jag CyberChef - ett av mina favoritverktyg \ud83d\udee0\ufe0f - och drog in operationen \"Derive PBKDF2 key\". St\u00e4lla in hashingfunktionen till <strong>SHA-256<\/strong> och matade in l\u00f6senordet, saltet och iterationsantalet producerade CyberChef <strong>16-byte KEK<\/strong>:<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ed74a2a elementor-widget elementor-widget-image\" data-id=\"ed74a2a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"532\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png\" class=\"attachment-large size-large wp-image-3240\" alt=\"CyberChef anv\u00e4nds f\u00f6r att h\u00e4rleda KEK fr\u00e5n PBKDF2-parametrar f\u00f6r dekryptering av Apple Note.\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1024x681.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-300x200.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-768x511.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-1536x1022.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2-600x399.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_PBKDF2.png 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">KEK: a1dac1516302e1d3d73ad4fd4b6f8fef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-5bfdb59 elementor-widget elementor-widget-text-editor\" data-id=\"5bfdb59\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>F\u00f6r att automatisera denna process skapade jag ett Python-skript som heter <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/get_kek.py\" target=\"_self\" data-test-app-aware-link=\"\">get_key.py<\/a>som tar emot databass\u00f6kv\u00e4gen, not PK och l\u00f6senord som argument. Om den k\u00f6rs returneras KEK i hex.<\/p><pre class=\"reader-text-block__code-block\">python get_kek.py NoteStore.sqlite<\/pre><p>Resultat:<\/p><pre class=\"reader-text-block__code-block\">Anm\u00e4rkning PK=16: KEK (hex) = a1dac1516302e1d3d73ad4fd4b6f8fef<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-3861a02 e-flex e-con-boxed e-con e-parent\" data-id=\"3861a02\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-e99117b elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"e99117b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-63de4bd e-flex e-con-boxed e-con e-parent\" data-id=\"63de4bd\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4ee05cd elementor-widget elementor-widget-heading\" data-id=\"4ee05cd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Avsl\u00f6ja AES-nyckeln f\u00f6r att dekryptera l\u00e5sta Apple-anteckningar p\u00e5 iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b3e1728 elementor-widget elementor-widget-text-editor\" data-id=\"b3e1728\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p id=\"ember589\" class=\"ember-view reader-text-block__paragraph\">N\u00e4sta steg var att <strong>packa upp nyckeln<\/strong> som anv\u00e4nds f\u00f6r att kryptera anteckningens inneh\u00e5ll. Den omslutna nyckeln lagras i kolumnen ZCRYPTOWRAPPEDKEY i ZICCLOUDSYNCINGOBJECT. Till exempel fr\u00e5gade jag::<\/p><pre class=\"reader-text-block__code-block\">SELECT ZCRYPTOWRAPPEDKEY FROM ZICCLOUDSYNCINGOBJECT WHERE Z_PK = 16;<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-af11810 elementor-widget elementor-widget-image\" data-id=\"af11810\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"391\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png\" class=\"attachment-large size-large wp-image-3247\" alt=\"SQLite-fr\u00e5ga f\u00f6r den unwrapped.key som kr\u00e4vs f\u00f6r att dekryptera appe-anteckningar p\u00e5 iOS16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-1024x501.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-300x147.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-768x376.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key-600x294.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_query_wrapped_key.png 1295w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Inkapslad nyckel: 78c2b79c3e357117c95feb882009e14be9e5f88598ea6db0<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-883ef21 elementor-widget elementor-widget-text-editor\" data-id=\"883ef21\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2 id=\"ember592\" class=\"ember-view reader-text-block__heading-3\">Alternativ f\u00f6r uppackning<\/h2><h3 id=\"ember593\" class=\"ember-view reader-text-block__heading-3\">Alternativ 1: Unwrapping AES-nyckeln f\u00f6r dekryptering av l\u00e5sta Apple-anteckningar p\u00e5 iOS 16 med CyberChef<\/h3><p id=\"ember594\" class=\"ember-view reader-text-block__paragraph\">Jag inaktiverade alla tidigare operationer, s\u00f6kte efter \"AES Key Unwrap\" och drog den in i receptf\u00f6nstret. Genom att klistra in KEK och den inslagna nyckeln matade CyberChef ut den uppslagna AES-nyckeln.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d457284 elementor-widget elementor-widget-image\" data-id=\"d457284\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png\" class=\"attachment-large size-large wp-image-3248\" alt=\"CyberChef anv\u00e4nds f\u00f6r att h\u00e4rleda KEK och unwrap AES-nyckel f\u00f6r Apple Notes dekryptering p\u00e5 iOS 16\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1024x679.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-300x199.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-768x509.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-1536x1018.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key-600x398.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Unwrapped_Key.png 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Of\u00f6rpackad nyckel: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-f85b338 elementor-widget elementor-widget-text-editor\" data-id=\"f85b338\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h3 id=\"ember596\" class=\"ember-view reader-text-block__heading-3\">Alternativ 2: Automatisera uppackning av AES-nycklar med unwrap.py<\/h3><p id=\"ember597\" class=\"ember-view reader-text-block__paragraph\">Jag har ocks\u00e5 utvecklat ett Python-skript som heter <a class=\"dgePcUVTyZcmWIuOySyndWdGoBMukAZsio\" tabindex=\"0\" href=\"https:\/\/github.com\/eichbaumj\/Python\/blob\/master\/unwrap.py\" target=\"_self\" data-test-app-aware-link=\"\">unwrap.py<\/a> som tar databass\u00f6kv\u00e4gen och KEK (i hex) som argument. N\u00e4r skriptet k\u00f6rdes packades nyckeln upp och skrevs ut i hex-format. I mitt fall var den uppackade nyckeln:<\/p><pre class=\"reader-text-block__code-block\">python unwrap.py NoteStore.sqlite<\/pre>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-d706b50 elementor-widget elementor-widget-image\" data-id=\"d706b50\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"186\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png\" class=\"attachment-large size-large wp-image-3252\" alt=\"Python-skriptet unwrap.py visar dekrypterad AES-nyckel f\u00f6r l\u00e5sta Apple Notes\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1024x238.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-300x70.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-768x178.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-1536x357.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key-600x139.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/unwrapped_key.png 1624w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Of\u00f6rpackad nyckel: 4b1f0c718aa05a0d097d7bf4865c89d1<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ccc7a47 elementor-widget elementor-widget-text-editor\" data-id=\"ccc7a47\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Detta \u00e4r den slutliga AES-nyckeln som kommer att anv\u00e4ndas f\u00f6r att dekryptera inneh\u00e5llet i den l\u00e5sta Apple-noten.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f5503b4 e-flex e-con-boxed e-con e-parent\" data-id=\"f5503b4\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-8b5b0ce elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"8b5b0ce\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-a5b134e e-flex e-con-boxed e-con e-parent\" data-id=\"a5b134e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b756808 elementor-widget elementor-widget-heading\" data-id=\"b756808\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Dekryptering av Apple Notes BLOBs med AES-GCM p\u00e5 iOS 16<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df237c elementor-widget elementor-widget-text-editor\" data-id=\"9df237c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"333\" data-end=\"576\">Nu n\u00e4r jag hade den uppackade nyckeln var det dags att dekryptera Apple Notes BLOB som lagras i <code data-start=\"425\" data-end=\"438\">ZICNOTEDATA<\/code> bord. Apple anv\u00e4nder <strong data-start=\"457\" data-end=\"476\">AES i GCM-l\u00e4ge<\/strong> f\u00f6r att skydda inneh\u00e5llet i l\u00e5sta anteckningar, vilket inneb\u00e4r att jag beh\u00f6vde fyra viktiga komponenter f\u00f6r att g\u00e5 vidare:<\/p><ul data-start=\"578\" data-end=\"768\"><li class=\"\" data-start=\"578\" data-end=\"606\"><p class=\"\" data-start=\"580\" data-end=\"606\">\ud83d\udd11 <strong data-start=\"583\" data-end=\"604\">Of\u00f6rpackad AES-nyckel<\/strong><\/p><\/li><li class=\"\" data-start=\"607\" data-end=\"679\"><p class=\"\" data-start=\"609\" data-end=\"679\">\ud83d\udd01 <strong data-start=\"612\" data-end=\"642\">Initialiseringsvektor (IV)<\/strong> fr\u00e5n <code data-start=\"648\" data-end=\"677\">ZCRYPTOINITIALISERINGSVEKTOR<\/code><\/p><\/li><li class=\"\" data-start=\"680\" data-end=\"731\"><p class=\"\" data-start=\"682\" data-end=\"731\">\ud83c\udff7 <strong data-start=\"685\" data-end=\"711\">Tagg f\u00f6r autentisering av GCM<\/strong> fr\u00e5n <code data-start=\"717\" data-end=\"729\">ZCRYPTOTAG<\/code><\/p><\/li><li class=\"\" data-start=\"732\" data-end=\"768\"><p class=\"\" data-start=\"734\" data-end=\"768\">\ud83d\udcbe <strong data-start=\"737\" data-end=\"755\">Krypterad BLOB<\/strong> fr\u00e5n <code data-start=\"761\" data-end=\"768\">ZDATA<\/code><\/p><\/li><\/ul><h3>\ud83d\udce4 Extrahera IV- och GCM-taggen fr\u00e5n NoteStore.sqlite<\/h3><p class=\"\" data-start=\"830\" data-end=\"1096\">F\u00f6r att lokalisera <strong data-start=\"844\" data-end=\"850\">IV<\/strong> och <strong data-start=\"855\" data-end=\"866\">GCM-tagg<\/strong>\u00f6ppnade jag <code data-start=\"881\" data-end=\"894\">ZICNOTEDATA<\/code> tabell i DB Browser f\u00f6r SQLite. Dessa f\u00e4lt lagras som bin\u00e4ra v\u00e4rden och kan hittas i antingen <code data-start=\"999\" data-end=\"1012\">ZICNOTEDATA<\/code> eller <code data-start=\"1016\" data-end=\"1039\">ZICCLOUDSYNCINGOBJECT<\/code> tabeller. B\u00e5da lagrar data under samma kolumnnamn.<\/p><ul data-start=\"1098\" data-end=\"1194\"><li class=\"\" data-start=\"1098\" data-end=\"1144\"><p class=\"\" data-start=\"1100\" data-end=\"1144\"><strong data-start=\"1100\" data-end=\"1106\">IV<\/strong>: <code data-start=\"1108\" data-end=\"1142\">5c0c0bde9b6801747ddad1115a422d05<\/code><\/p><\/li><li class=\"\" data-start=\"1145\" data-end=\"1194\"><p class=\"\" data-start=\"1147\" data-end=\"1194\"><strong data-start=\"1147\" data-end=\"1158\">GCM-tagg<\/strong>: <code data-start=\"1160\" data-end=\"1194\">b9087ba19e3c7deff2cb4b9b51e6aafa<\/code><\/p><\/li><\/ul><p>Den krypterade BLOB:en i sig var ocks\u00e5 synlig i <code data-start=\"1246\" data-end=\"1253\">ZDATA<\/code> kolumn. Jag kopierade alla tre v\u00e4rdena i hexadecimalt format och f\u00f6rberedde mig f\u00f6r det sista dekrypteringssteget.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-9df39e9 elementor-widget elementor-widget-image\" data-id=\"9df39e9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png\" class=\"attachment-large size-large wp-image-3256\" alt=\"SQLite database IV forensic analysis \u2014 digital evidence examination with hex viewer\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-1024x562.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-300x165.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-768x422.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV-600x329.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_IV.png 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Initialiseringsvektorn: 5c0c0bde9b6801747ddad1115a422d05<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34afaf5 elementor-widget elementor-widget-image\" data-id=\"34afaf5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png\" class=\"attachment-large size-large wp-image-3257\" alt=\"DB Browser visar GCM-taggen som anv\u00e4nds f\u00f6r dekryptering av AES-GCM\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-1024x562.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-300x165.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-768x422.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG-600x329.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_TAG.png 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">The GCM Tag: b9087ba19e3c7deff2cb4b9b51e6aafa<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-16a8017 elementor-widget elementor-widget-image\" data-id=\"16a8017\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"439\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png\" class=\"attachment-large size-large wp-image-3258\" alt=\"DB Browser med krypterad Apple Note BLOB-data markerad\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-1024x562.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-300x165.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-768x422.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB-600x329.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/DB_BLOB.png 1155w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Den krypterade BLOB:en<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-34002d9 elementor-widget elementor-widget-text-editor\" data-id=\"34002d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>\ud83e\uddea Avkryptering av anteckningen med CyberChef<\/h2><p class=\"\" data-start=\"1396\" data-end=\"1552\">Med allt i handen v\u00e4nde jag mig till <strong data-start=\"1433\" data-end=\"1446\">CyberChef<\/strong>. Det h\u00e4r verktyget gjorde det enkelt att kombinera alla parametrar och avsl\u00f6ja det ursprungliga inneh\u00e5llet. H\u00e4r \u00e4r vad jag gjorde:<\/p><ol data-start=\"1554\" data-end=\"1819\"><li class=\"\" data-start=\"1554\" data-end=\"1597\"><p class=\"\" data-start=\"1557\" data-end=\"1597\">Jag lade till <strong data-start=\"1569\" data-end=\"1586\">\"AES-dekryptering\"<\/strong> operation.<\/p><\/li><li class=\"\" data-start=\"1598\" data-end=\"1655\"><p class=\"\" data-start=\"1601\" data-end=\"1655\">Jag klistrade in <strong data-start=\"1614\" data-end=\"1635\">Of\u00f6rpackad AES-nyckel<\/strong> i f\u00e4ltet Nyckel.<\/p><\/li><li class=\"\" data-start=\"1656\" data-end=\"1685\"><p class=\"\" data-start=\"1659\" data-end=\"1685\">Jag st\u00e4llde in <strong data-start=\"1669\" data-end=\"1684\">l\u00e4ge till GCM<\/strong>.<\/p><\/li><li class=\"\" data-start=\"1686\" data-end=\"1752\"><p class=\"\" data-start=\"1689\" data-end=\"1752\">Jag satte in <strong data-start=\"1704\" data-end=\"1722\">IV och GCM Tag<\/strong> inom sina respektive omr\u00e5den.<\/p><\/li><li class=\"\" data-start=\"1753\" data-end=\"1819\"><p class=\"\" data-start=\"1756\" data-end=\"1819\">Slutligen kopierade jag <strong data-start=\"1778\" data-end=\"1796\">krypterad BLOB<\/strong> i inmatningsf\u00f6nstret.<\/p><\/li><\/ol><div class=\"reader-image-block reader-image-block--full-width\">N\u00e4r jag tr\u00e4ffade <strong data-start=\"1832\" data-end=\"1840\">Baka<\/strong>dekrypterade CyberChef BLOB:en och visade en komprimerad fil - precis som jag f\u00f6rv\u00e4ntade mig. Detta innebar att krypteringslagret nu var helt borttaget och jag kunde g\u00e5 vidare till att dekomprimera data.<\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8947548 elementor-widget elementor-widget-image\" data-id=\"8947548\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png\" class=\"attachment-large size-large wp-image-3263\" alt=\"CyberChef recept dekryptering Apple Notes BLOB med AES-GCM-l\u00e4ge\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1024x679.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-300x199.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-768x509.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-1536x1018.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt-600x398.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_AES_Decrypt.png 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Dekrypterad GZIP-fil<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-f8c36f9 e-flex e-con-boxed e-con e-parent\" data-id=\"f8c36f9\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aba9778 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aba9778\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-415622e e-flex e-con-boxed e-con e-parent\" data-id=\"415622e\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-23482bc elementor-widget elementor-widget-heading\" data-id=\"23482bc\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Packa upp och analysera den slutliga anteckningen (dekrypterad Protobuf fr\u00e5n Apple Notes)<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8f50417 elementor-widget elementor-widget-text-editor\" data-id=\"8f50417\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"285\" data-end=\"516\">Efter att ha dekrypterat den AES-krypterade BLOB sparade jag utdata i en fil med namnet <code data-start=\"361\" data-end=\"381\">dekrypterad_blob.bin<\/code> och \u00f6ppnade den i HxD. Filens signatur <code data-start=\"423\" data-end=\"433\">0x1F8B08<\/code> bekr\u00e4ftade att det var en GZIP-komprimerad fil - Apple anv\u00e4nder detta f\u00f6r att komprimera protobuf-data.<\/p><p class=\"\" data-start=\"518\" data-end=\"677\">F\u00f6r att extrahera klartexten \u00f6ppnade jag CyberChef igen och lade till <strong data-start=\"579\" data-end=\"589\">Gunzip<\/strong> operation till arbetsfl\u00f6det. Omedelbart b\u00f6rjade bekanta str\u00e4ngar dyka upp i utdata.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-188566a elementor-widget elementor-widget-image\" data-id=\"188566a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"530\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png\" class=\"attachment-large size-large wp-image-3267\" alt=\"CyberChef visar dekomprimerad Apple Notes protobuf-data efter GZIP-extraktion\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1024x679.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-300x199.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-768x509.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-1536x1018.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1-600x398.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_Gunzip-1.png 1708w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Dekomprimerad protobuf i CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3956e4f elementor-widget elementor-widget-text-editor\" data-id=\"3956e4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>N\u00e4r jag v\u00e4l var okomprimerad anv\u00e4nde jag <strong data-start=\"759\" data-end=\"778\">Protobuf Avkodning<\/strong> i CyberChef. Resultatet blev en strukturerad vy som liknade JSON, med nycklar och v\u00e4rden som representerade inneh\u00e5llet i den l\u00e5sta Apple Note.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-e094119 e-flex e-con-boxed e-con e-parent\" data-id=\"e094119\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-94d53fe elementor-widget elementor-widget-image\" data-id=\"94d53fe\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"470\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png\" class=\"attachment-large size-large wp-image-3268\" alt=\"CyberChef-visning av Apple Notes protobuf-avkodad struktur med JSON-liknande format\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1024x601.png 1024w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-300x176.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-768x451.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-1536x901.png 1536w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode-600x352.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/CC_ProtoBuff_Decode.png 1929w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Avkodad Protbuf i CyberChef<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-290c42a elementor-widget elementor-widget-text-editor\" data-id=\"290c42a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>F\u00f6r att underl\u00e4tta l\u00e4sningen anv\u00e4nde jag ocks\u00e5 ett Python-skript som utnyttjade <code data-start=\"1017\" data-end=\"1034\">backboxprotobuf<\/code> modulen f\u00f6r att analysera protobuf-filen och skriva ut resultatet i ett rent, l\u00e4sbart format.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-7a338fd elementor-widget elementor-widget-image\" data-id=\"7a338fd\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"364\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png\" class=\"attachment-large size-large wp-image-3269\" alt=\"Kommandotolk som visar analyserat Apple Note-inneh\u00e5ll med hj\u00e4lp av Python-skriptet backboxprotobuf\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output.png 829w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-300x136.png 300w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-768x349.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/proto_test_output-600x273.png 600w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Snyggt formaterade resultat som skrivs ut p\u00e5 sk\u00e4rmen<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0996cea elementor-widget elementor-widget-text-editor\" data-id=\"0996cea\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Detta matchar vad anv\u00e4ndaren skrev i sin l\u00e5sta Apple Note. Du har g\u00e5tt fr\u00e5n en dold, l\u00f6senordsskyddad post till det faktiska meddelandet i klartext - en ov\u00e4rderlig uppt\u00e4ckt i alla kriminaltekniska fall.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1eb0aa4 elementor-widget elementor-widget-image\" data-id=\"1eb0aa4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"image.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\t\t\t<figure class=\"wp-caption\">\n\t\t\t\t\t\t\t\t\t\t<img loading=\"lazy\" decoding=\"async\" width=\"515\" height=\"1024\" src=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png\" class=\"attachment-large size-large wp-image-3271\" alt=\"iPhone note evidence \u2014 forensic extraction of notes from iOS device SQLite database\" srcset=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-515x1024.png 515w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-151x300.png 151w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-768x1528.png 768w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-772x1536.png 772w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note-600x1193.png 600w, https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/iphone_note.png 819w\" sizes=\"(max-width: 515px) 100vw, 515px\" \/>\t\t\t\t\t\t\t\t\t\t\t<figcaption class=\"widget-image-caption wp-caption-text\">Sk\u00e4rmdump med hj\u00e4lp av UFADE av det l\u00e5sta Apple Note-inneh\u00e5llet<\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b8a6adf e-flex e-con-boxed e-con e-parent\" data-id=\"b8a6adf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-f99fa9e elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"f99fa9e\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-6f7a515 elementor-widget elementor-widget-video\" data-id=\"6f7a515\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=5Gr4LtE-_iE&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-ec61c4f elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"ec61c4f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/sv\/sqlite-forensics\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tL\u00e4r dig hur du identifierar, extraherar och tolkar strukturerad data som denna\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Det h\u00e4r \u00e4r ett verkligt exempel p\u00e5 hur protobufs lagras i SQLite-databaser.\n\nKolla in v\u00e5r fullst\u00e4ndiga SQLite Forensics-kurs eller h\u00f6r av dig f\u00f6r att se hur den kan passa ditt arbete.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tL\u00e4s mer\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-d72a604 e-flex e-con-boxed e-con e-parent\" data-id=\"d72a604\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-22b6bb5 elementor-widget elementor-widget-heading\" data-id=\"22b6bb5\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd1a Avslutning<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-4c3e41b elementor-widget elementor-widget-text-editor\" data-id=\"4c3e41b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"192\" data-end=\"593\">Grattis \ud83c\udf89 - du har just slutf\u00f6rt ett fullst\u00e4ndigt kriminaltekniskt arbetsfl\u00f6de f\u00f6r att <strong data-start=\"263\" data-end=\"304\">dekryptera l\u00e5sta Apple-anteckningar p\u00e5 iOS 16<\/strong>. Du extraherade krypteringsparametrar fr\u00e5n SQLite-databasen, kn\u00e4ckte l\u00f6senordet med <strong data-start=\"394\" data-end=\"405\">Hashcat<\/strong>h\u00e4rledde och packade upp AES-nyckeln med hj\u00e4lp av <strong data-start=\"447\" data-end=\"457\">Python<\/strong>och slutligen dekrypterade och analyserade protobuf med <strong data-start=\"510\" data-end=\"523\">CyberChef<\/strong>. Varje steg f\u00f6rde dig n\u00e4rmare en avsl\u00f6jande av anteckningens dolda inneh\u00e5ll.<\/p><p class=\"\" data-start=\"595\" data-end=\"833\">Denna praktiska genomg\u00e5ng visar hur kraftfullt <strong data-start=\"641\" data-end=\"662\">verktyg med \u00f6ppen k\u00e4llkod<\/strong> kan vara inom digital kriminalteknik. De hj\u00e4lper utredare att hitta krypterade Apple Notes som kommersiella verktyg kanske missar - s\u00e4rskilt p\u00e5 enheter som k\u00f6r <strong data-start=\"811\" data-end=\"832\">iOS 16 eller tidigare<\/strong>.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-8c713e5 e-flex e-con-boxed e-con e-parent\" data-id=\"8c713e5\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-aa24044 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"aa24044\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-b6bbf21 e-flex e-con-boxed e-con e-parent\" data-id=\"b6bbf21\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-5bf4bff elementor-widget elementor-widget-heading\" data-id=\"5bf4bff\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udd75\ufe0f Bonus: L\u00f6senordshint<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-529bd7f elementor-widget elementor-widget-text-editor\" data-id=\"529bd7f\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"874\" data-end=\"963\">H\u00e4r \u00e4r en extra twist - jag hittade en <strong data-start=\"908\" data-end=\"925\">l\u00f6senordshint<\/strong> i <code data-start=\"933\" data-end=\"956\">ZICCLOUDSYNCINGOBJECT<\/code> bord:<\/p><blockquote data-start=\"965\" data-end=\"986\"><p class=\"\" data-start=\"967\" data-end=\"986\"><strong data-start=\"967\" data-end=\"986\">Quarter Pounder<\/strong><\/p><\/blockquote><p class=\"\" data-start=\"988\" data-end=\"1244\">Eftersom enheten tillh\u00f6rde n\u00e5gon som hette \"Vincent\" var det inte sv\u00e5rt att gissa l\u00f6senordet: <strong data-start=\"1080\" data-end=\"1100\">royalewithcheese<\/strong> - en nick till <em data-start=\"1112\" data-end=\"1126\">Pulp Fiction<\/em>. I verkliga fall kan l\u00f6senordstips som detta p\u00e5skynda arbetsfl\u00f6det n\u00e4r de kombineras med en strategisk kn\u00e4ckningsprocess.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-efeabdf e-flex e-con-boxed e-con e-parent\" data-id=\"efeabdf\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-1a2a4f6 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"1a2a4f6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-7878d44 e-flex e-con-boxed e-con e-parent\" data-id=\"7878d44\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-b1e7fb8 elementor-widget elementor-widget-heading\" data-id=\"b1e7fb8\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">\ud83d\udcf1 En sak till ... om iOS 17 och iOS 18<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1fbdcca elementor-widget elementor-widget-text-editor\" data-id=\"1fbdcca\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p class=\"\" data-start=\"1299\" data-end=\"1619\">Denna guide g\u00e4ller specifikt f\u00f6r hur man dekrypterar <strong data-start=\"1334\" data-end=\"1381\">Apple Notes p\u00e5 iOS 16 och tidigare<\/strong>. B\u00f6rjar med <strong data-start=\"1397\" data-end=\"1407\">iOS 17<\/strong>Apple inf\u00f6rde betydande \u00e4ndringar i Notes-krypteringsprocessen. Du kan st\u00f6ta p\u00e5 saknade nyckelavledningsf\u00e4lt, olika kryptografiska strukturer eller anteckningar som inte l\u00e4ngre dekrypteras med samma metoder.<\/p><p class=\"\" data-start=\"1621\" data-end=\"1785\">Om du funderar p\u00e5 hur du kan <strong data-start=\"1648\" data-end=\"1691\">dekryptera Apple Notes p\u00e5 iOS 17 eller iOS 18<\/strong>Jag skulle g\u00e4rna vilja samarbeta. Dela med dig av dina resultat - l\u00e5t oss bryta ner den nya krypteringen tillsammans.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-4d8d5c0 e-flex e-con-boxed e-con e-parent\" data-id=\"4d8d5c0\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-d446cd4 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"d446cd4\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"mailto:contact@elusivedata.io\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tTack f\u00f6r att du l\u00e4ste! Har du n\u00e5gra fr\u00e5gor?\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\t Skriv dem i kommentarerna nedan eller kontakta oss direkt. L\u00e5t oss forts\u00e4tta att flytta fram gr\u00e4nserna f\u00f6r forensiska uppt\u00e4ckter.\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tKontakta oss\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-0768b7d elementor-widget elementor-widget-heading\" data-id=\"0768b7d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h2 class=\"elementor-heading-title elementor-size-default\">Du kanske ocks\u00e5 \u00e4r intresserad av<\/h2>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-cc0d9d0 elementor-widget elementor-widget-video\" data-id=\"cc0d9d0\" data-element_type=\"widget\" data-e-type=\"widget\" data-settings=\"{&quot;youtube_url&quot;:&quot;https:\\\/\\\/www.youtube.com\\\/watch?v=QFn63mQ5_gI&quot;,&quot;video_type&quot;:&quot;youtube&quot;,&quot;controls&quot;:&quot;yes&quot;}\" data-widget_type=\"video.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-wrapper elementor-open-inline\">\n\t\t\t<div class=\"elementor-video\"><\/div>\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-53a6229 elementor-widget-divider--view-line elementor-widget elementor-widget-divider\" data-id=\"53a6229\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"divider.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-divider\">\n\t\t\t<span class=\"elementor-divider-separator\">\n\t\t\t\t\t\t<\/span>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e6108d9 elementor-cta--layout-image-above elementor-cta--skin-classic elementor-animated-content elementor-bg-transform elementor-bg-transform-zoom-in elementor-widget elementor-widget-call-to-action\" data-id=\"e6108d9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"call-to-action.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<a class=\"elementor-cta\" href=\"https:\/\/elusivedata.io\/sv\/ed-sqlite-visualizer\/?v=efad7abb323e\">\n\t\t\t\t\t\t\t<div class=\"elementor-cta__content\">\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<h2 class=\"elementor-cta__title elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tSQLite Visualizer. Ett helt nytt s\u00e4tt att utforska SQLite.\t\t\t\t\t<\/h2>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__description elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t\tDen kommande ED SQLite Visualizer l\u00e5ter dig se databasens interna funktioner, \u00e5terst\u00e4lla dolda poster och koppla ihop punkterna snabbare \u00e4n n\u00e5gonsin, allt visuellt. Anv\u00e4nds redan i v\u00e5r fullst\u00e4ndiga SQLite-kurs och \u00e4r snart tillg\u00e4nglig f\u00f6r alla. \t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-cta__button-wrapper elementor-cta__content-item elementor-content-item\">\n\t\t\t\t\t<span class=\"elementor-cta__button elementor-button elementor-size-\">\n\t\t\t\t\t\tSe vad som komma skall \u2192.\t\t\t\t\t<\/span>\n\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"<p>Uppt\u00e4ck hur jag dekrypterade en l\u00e5st Apple Note fr\u00e5n en iOS 16.7.10-enhet med hj\u00e4lp av \u00f6ppen k\u00e4llkodsverktyg som Hashcat, Python och CyberChef. Detta steg-f\u00f6r-steg-forensiska arbetsfl\u00f6de avsl\u00f6jar processen bakom extrahering och dekryptering av dolt inneh\u00e5ll fr\u00e5n Apples Notes-app. En m\u00e5ste-l\u00e4sning f\u00f6r digitala utredare och yrkesverksamma inom mobil kriminalteknik.<\/p>","protected":false},"author":1,"featured_media":3203,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[21],"tags":[],"class_list":["post-3205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mobile-forensics"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Decrypt Locked Apple Notes on iOS 16 | Forensic Guide<\/title>\n<meta name=\"description\" content=\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/elusivedata.io\/sv\/dekryptera-apple-anteckningar-ios16\/\" \/>\n<meta property=\"og:locale\" content=\"sv_SE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta property=\"og:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/elusivedata.io\/sv\/dekryptera-apple-anteckningar-ios16\/\" \/>\n<meta property=\"og:site_name\" content=\"Elusive Data\" \/>\n<meta property=\"article:published_time\" content=\"2025-03-27T17:01:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-08-13T15:55:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"574\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"James Eichbaum\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\" \/>\n<meta name=\"twitter:description\" content=\"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png\" \/>\n<meta name=\"twitter:label1\" content=\"Skriven av\" \/>\n\t<meta name=\"twitter:data1\" content=\"James Eichbaum\" \/>\n\t<meta name=\"twitter:label2\" content=\"Ber\u00e4knad l\u00e4stid\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minuter\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"author\":{\"name\":\"James Eichbaum\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\"},\"headline\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"},\"wordCount\":1989,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"articleSection\":[\"Mobile Forensics\"],\"inLanguage\":\"sv-SE\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\",\"name\":\"Decrypt Locked Apple Notes on iOS 16 | Forensic Guide\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"datePublished\":\"2025-03-27T17:01:54+00:00\",\"dateModified\":\"2025-08-13T15:55:36+00:00\",\"description\":\"Decrypt locked Apple Notes on iOS 16 using open-source tools like Hashcat, CyberChef, and Python. A full forensic workflow\u2014no paid tools needed.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\"},\"inLanguage\":\"sv-SE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#primaryimage\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2025\\\/03\\\/Locked_Notes.png\",\"width\":4400,\"height\":2465,\"caption\":\"Three padlocks on black background representing encrypted Apple Notes\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/decrypt-apple-notes-ios16\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/elusivedata.io\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#website\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"name\":\"ElusiveData\",\"description\":\"Excellence in Digital Forensics Training and Consulting\",\"publisher\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/elusivedata.io\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"sv-SE\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#organization\",\"name\":\"ElusiveData\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/Asset-3_2x-scaled.png\",\"width\":2560,\"height\":370,\"caption\":\"ElusiveData\"},\"image\":{\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.youtube.com\\\/@elusivedata\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/#\\\/schema\\\/person\\\/2c00b8313d6aef321fd69bf82e2aa436\",\"name\":\"James Eichbaum\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"sv-SE\",\"@id\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"url\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"contentUrl\":\"https:\\\/\\\/elusivedata.io\\\/wp-content\\\/plugins\\\/ld-dashboard\\\/public\\\/img\\\/img_avatar.png\",\"caption\":\"James Eichbaum\"},\"sameAs\":[\"http:\\\/\\\/elusivedata.io\"],\"url\":\"https:\\\/\\\/elusivedata.io\\\/sv\\\/author\\\/eichbaumjamesgmail-com\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Dekryptera l\u00e5sta Apple-anteckningar p\u00e5 iOS 16 | Forensic Guide","description":"Dekryptera l\u00e5sta Apple Notes p\u00e5 iOS 16 med hj\u00e4lp av \u00f6ppen k\u00e4llkodsverktyg som Hashcat, CyberChef och Python. Ett fullst\u00e4ndigt kriminaltekniskt arbetsfl\u00f6de - inga betalda verktyg beh\u00f6vs.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/elusivedata.io\/sv\/dekryptera-apple-anteckningar-ios16\/","og_locale":"sv_SE","og_type":"article","og_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","og_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","og_url":"https:\/\/elusivedata.io\/sv\/dekryptera-apple-anteckningar-ios16\/","og_site_name":"Elusive Data","article_published_time":"2025-03-27T17:01:54+00:00","article_modified_time":"2025-08-13T15:55:36+00:00","og_image":[{"width":1024,"height":574,"url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes-1024x574.png","type":"image\/png"}],"author":"James Eichbaum","twitter_card":"summary_large_image","twitter_title":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","twitter_description":"Discover how I decrypted a locked Apple Note from an iOS 16.7.10 device using open-source tools like Hashcat, Python, and CyberChef. This step-by-step forensic workflow reveals the process behind extracting and decrypting hidden content from Apple\u2019s Notes app. A must-read for digital investigators and mobile forensics professionals.","twitter_image":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","twitter_misc":{"Skriven av":"James Eichbaum","Ber\u00e4knad l\u00e4stid":"15 minuter"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#article","isPartOf":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"author":{"name":"James Eichbaum","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436"},"headline":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","mainEntityOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"},"wordCount":1989,"commentCount":2,"publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","articleSection":["Mobile Forensics"],"inLanguage":"sv-SE","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","url":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/","name":"Dekryptera l\u00e5sta Apple-anteckningar p\u00e5 iOS 16 | Forensic Guide","isPartOf":{"@id":"https:\/\/elusivedata.io\/#website"},"primaryImageOfPage":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"image":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage"},"thumbnailUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","datePublished":"2025-03-27T17:01:54+00:00","dateModified":"2025-08-13T15:55:36+00:00","description":"Dekryptera l\u00e5sta Apple Notes p\u00e5 iOS 16 med hj\u00e4lp av \u00f6ppen k\u00e4llkodsverktyg som Hashcat, CyberChef och Python. Ett fullst\u00e4ndigt kriminaltekniskt arbetsfl\u00f6de - inga betalda verktyg beh\u00f6vs.","breadcrumb":{"@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb"},"inLanguage":"sv-SE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/"]}]},{"@type":"ImageObject","inLanguage":"sv-SE","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#primaryimage","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2025\/03\/Locked_Notes.png","width":4400,"height":2465,"caption":"Three padlocks on black background representing encrypted Apple Notes"},{"@type":"BreadcrumbList","@id":"https:\/\/elusivedata.io\/decrypt-apple-notes-ios16\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/elusivedata.io\/"},{"@type":"ListItem","position":2,"name":"Decrypt Locked Apple Notes on iOS 16.x: A Complete Forensic Workflow (SQLite, CyberChef, Python) Featuring Hashcat"}]},{"@type":"WebSite","@id":"https:\/\/elusivedata.io\/#website","url":"https:\/\/elusivedata.io\/","name":"ElusiveData","description":"Utbildning och r\u00e5dgivning inom digital kriminalteknik","publisher":{"@id":"https:\/\/elusivedata.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/elusivedata.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"sv-SE"},{"@type":"Organization","@id":"https:\/\/elusivedata.io\/#organization","name":"ElusiveData","url":"https:\/\/elusivedata.io\/","logo":{"@type":"ImageObject","inLanguage":"sv-SE","@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/","url":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/uploads\/2024\/11\/Asset-3_2x-scaled.png","width":2560,"height":370,"caption":"ElusiveData"},"image":{"@id":"https:\/\/elusivedata.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.youtube.com\/@elusivedata"]},{"@type":"Person","@id":"https:\/\/elusivedata.io\/#\/schema\/person\/2c00b8313d6aef321fd69bf82e2aa436","name":"James Eichbaum","image":{"@type":"ImageObject","inLanguage":"sv-SE","@id":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","url":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","contentUrl":"https:\/\/elusivedata.io\/wp-content\/plugins\/ld-dashboard\/public\/img\/img_avatar.png","caption":"James Eichbaum"},"sameAs":["http:\/\/elusivedata.io"],"url":"https:\/\/elusivedata.io\/sv\/author\/eichbaumjamesgmail-com\/"}]}},"_links":{"self":[{"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/posts\/3205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/comments?post=3205"}],"version-history":[{"count":90,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/posts\/3205\/revisions"}],"predecessor-version":[{"id":14968,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/posts\/3205\/revisions\/14968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/media\/3203"}],"wp:attachment":[{"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/media?parent=3205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/categories?post=3205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/elusivedata.io\/sv\/wp-json\/wp\/v2\/tags?post=3205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}