APFS Filevault2 Decryption

(@capovelli)
Posts: 2
Active Member
Topic starter
 

Good Day Community.

I normally use Axiom, which handles the decryption of APFS (FileVault2) disk images; however, I don't have access to Axiom anymore, so my question is:

Is there any open-source/free software which can help with the decryption process? (I have the key)

I have been looking on the net, but everything to support this action is commercial software.

Any input would be much appreciated.

 
Posted : 17/09/2022 8:32 pm
dmitrys
(@dmitrys)
Posts: 5
Active Member
 

If you are with law enforcement, you can request a trial version of Passware Kit Forensic: https://passware.typeform.com/to/yZgemdAj

 
Posted : 18/09/2022 8:06 pm
(@tic-tac)
Posts: 24
Eminent Member
 

Probably too late for the author of this post but hopefully this will come in handy for someone facing the same issue.

Unfortunately, there is no free, simple push-button solution for this task. The simplest solution that I know of would be using the Linux apfs-fuse driver to mount the encrypted partition. This will give you read-only access to the file system, and you won't be able to access unallocated.

There are plenty of tutorials on how to set up the apfs-fuse driver on Debian-based Linux distributions; it's really simple. Also, your disk image has to be in a raw format in order for apfs-fuse to be able to mount it.

Once you have the apfs-fuse driver installed and your image is in a raw format, here's how you mount it:

1. Set up the image as a loop device

Use the lsblk (list block devices) command to determine the next free loop device (it is the one that does not exist yet), e.g. /dev/loop6. Then set up your image with sudo losetup /dev/loop6 <your_image.img> (make sure you use the absolute path if you have not cd'd to the directory where the image is stored).

2. Mount the loop device

sudo apfs-fuse -s <offset in bytes where the encrypted partition starts> /dev/loop6 <mount_point_of_your_choice>

When calculating the offset in bytes, make sure you use the correct sector size, which will most likely be 4096 bytes.

If everything is correct, you will be prompted to enter the password, and if that is correct, the partition will be mounted.

apfs-fuse -s 314597376 /dev/loop20 /media/apfs_decrypted/
Volume Macintosh HD is encrypted.
Enter Password:

 

 

 
Posted : 13/11/2022 7:33 pm
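
An added example, not part of the original post: one way to work out the byte offset passed to apfs-fuse -s is to read the GPT of the raw image, detect the sector size from where the "EFI PART" header sits, and multiply the APFS partition's first LBA by that size. It assumes the image has a GPT partition table; the function names are hypothetical and the sample image is constructed so that it reproduces the offset 314597376 (LBA 76806 with 4096-byte sectors) seen in the terminal output above.

```python
import io
import struct
import uuid

# GPT partition type GUID for an APFS container.
APFS_TYPE = uuid.UUID("7C3457EF-0000-11AA-AA11-00306543ECAC")

def find_apfs_offsets(image):
    """Return (sector_size, [byte offsets of APFS partitions]) for a raw GPT image."""
    for sector_size in (512, 4096):
        image.seek(sector_size)                  # GPT header sits at LBA 1
        hdr = image.read(92)
        if len(hdr) == 92 and hdr[:8] == b"EFI PART":
            break
    else:
        raise ValueError("no GPT header at LBA 1 for 512- or 4096-byte sectors")
    # Header fields: entry array LBA (offset 72), entry count (80), entry size (84).
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    if entry_size < 128 or count > 1024:
        raise ValueError("implausible GPT entry table, header may be damaged")
    image.seek(entries_lba * sector_size)
    offsets = []
    for _ in range(count):
        entry = image.read(entry_size)
        if len(entry) < entry_size:
            break                                # truncated image
        if uuid.UUID(bytes_le=entry[:16]) == APFS_TYPE:
            first_lba = struct.unpack_from("<Q", entry, 32)[0]
            offsets.append(first_lba * sector_size)  # value for apfs-fuse -s
    return sector_size, offsets

def build_sample_image(sector_size=4096, apfs_first_lba=76806):
    """Constructed sample: GPT header and entries only, no file system data."""
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<QII", hdr, 72, 2, 128, 128)   # entries at LBA 2, 128 x 128 bytes
    entries = bytearray(128 * 128)
    entries[0:16] = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B").bytes_le  # EFI System
    struct.pack_into("<QQ", entries, 32, 6, apfs_first_lba - 1)
    entries[128:144] = APFS_TYPE.bytes_le
    struct.pack_into("<QQ", entries, 128 + 32, apfs_first_lba, apfs_first_lba + 1000)
    img = bytearray(2 * sector_size) + entries
    img[sector_size:sector_size + 92] = hdr
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    size, offs = find_apfs_offsets(build_sample_image())
    print(f"sector size {size}, APFS partition offsets {offs}")
```

For a real image, pass a file opened in binary read mode to find_apfs_offsets instead of the constructed sample.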