I want to analyze an .dd image of an Aplle hard drive that contains encrypted APFS partitions using Autopsy on Windows.
I have the password, but when loading a physical copy of the hard drive nothing/little is found since the physical drive contains mostly encrypted partitions.
Although APFS support has been added since 4.14, I do not see any documentation or way on how to use it. Any advice on how Autopsy can be used to analyses encrypted APFS partitions?
Is there an extra tool needed to decrypt and dump the content of APFS partitions? Preferably I want to keep a bit by bit copy in order to scan for deleted files, in particular deleted/overwritten Apple keychain entries since my client has accidentally overwritten an important password. And no, he does not have any other copies since he did not enable syncing of his files via iCloud unfortunately.