I've been trying to recover data from a damaged APFS file system that was encrypted by running a raw file scan after 'unlocking' it, but with no luck. With some more investigation it seems this may not be possible at all.
This seems to explain why doing a raw file scan on an encrypted APFS partition won't work.
https://www.blackbagtech.com/blog/ask-e ... ncryption/It seems to say that 'unlocking' the drive decrypts the data based only on what is in the file system, instead of decrypting every sector of the partition like with other encryption types.
So if a file has been deleted or part of the file system is missing or corrupted, then 'unlocking' the drive will only decrypt the data that is listed within the file system. Hence doing a raw recovery for deleted files would only pick up useless encrypted data.
Does anyone know of a way around this?