Biskus APFS Capture
The first and only program to read APFS volumes for forensics analysis (DFIR).
While there are many programs available for capturing disk contents in general, Biskus APFS Capture is currently the only one that performs these operations on Apple’s new APFS file system format.
It does not yet support encrypted volumes (even if the password is known).
1 Comment RSS · Twitter
October 27, 2017 6:32 PM
Yeah, if anyone is interested in "guessing" how the APFS code handles en/decryption, let me know. :)