ps -eo pid,ppid,user,command
Run ps without the CPU time column so that the output of two runs can be diffed. CPU time changes on every run, so leaving it out means the diff shows only the processes started or stopped between runs.
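The snapshot-and-diff workflow described above, as an added example that is not part of the original notes. The function names take_snapshot and ps_diff are hypothetical, and the whitespace normalisation and the filtering of the snapshot's own helper processes are assumptions added here to keep the diff quiet.

```shell
#!/bin/sh
# Added example, not from the original notes. take_snapshot and ps_diff are
# hypothetical helper names.

# take_snapshot FILE: save the current process list to FILE.
# Only stable columns are requested (no CPU time), so an unchanged process
# yields the same line in every snapshot.
take_snapshot() {
    # NR > 1     drops the header line.
    # $2 != self drops children of the calling shell, i.e. this pipeline's own
    #            ps/awk/sort, which get a new PID on every run. Other direct
    #            children of this shell are hidden too.
    # $1 = $1    collapses column padding, which may differ between runs.
    ps -eo pid,ppid,user,command |
        awk -v self="$$" 'NR > 1 && $2 != self { $1 = $1; print }' |
        LC_ALL=C sort > "$1"
}

# ps_diff OLD NEW: print "+ line" for processes present only in NEW (started)
# and "- line" for processes present only in OLD (stopped).
ps_diff() {
    old_sorted=$(mktemp) || return 1
    new_sorted=$(mktemp) || return 1
    # comm(1) needs both inputs sorted with the same collation.
    LC_ALL=C sort "$1" > "$old_sorted"
    LC_ALL=C sort "$2" > "$new_sorted"
    LC_ALL=C comm -13 "$old_sorted" "$new_sorted" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$old_sorted" "$new_sorted" | sed 's/^/- /'
    rm -f "$old_sorted" "$new_sorted"
}
```

Typical use is take_snapshot before.txt, wait or perform the action of interest, take_snapshot after.txt, then ps_diff before.txt after.txt. A process that starts and exits between the two snapshots is not seen by either.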
To run dd or ddrescue on an encrypted APFS drive, remember that APFS volumes first have to be unlocked and then decrypted. Unlocking a volume automatically mounts it. Once it is mounted, you need to decrypt it.
Boot the Mac from an external drive (use an SSD for speed). I used a SABRENT USB3 enclosure.
Once booted into the external macOS instance, identify the internal drive that needs to be decrypted with the following command:
diskutil apfs list
Container disk1 45DA114F-7418-41B9-ACF0-F965CC48E8B4
| ====================================================
| APFS Container Reference: disk1
| Size (Capacity Ceiling): 500068036608 B (500.1 GB)
| Capacity In Use By Volumes: 249342025728 B (249.3 GB) (49.9% used)
| Capacity Not Allocated: 250726010880 B (250.7 GB) (50.1% free)
| |
| +-< Physical Store disk0s2 76998992-D9B0-4CAF-AF06-8E44EBF91F5B
| | -----------------------------------------------------------
| | APFS Physical Store Disk: disk0s2
| | Size: 500068036608 B (500.1 GB)
| |
| +-> Volume disk1s1 035E01AA-7321-3A41-9479-22DF47E45B7E
| | ---------------------------------------------------
| | APFS Volume Disk (Role): disk1s1 (No specific role)
| | Name: APPLE SSD SM512E Media (Case-insensitive)
| | Mount Point: /Volumes/APPLE SSD SM512E Media
| | Capacity Consumed: 247547052032 B (247.5 GB)
| | FileVault: Yes (locked)
Unlock the volume (this also mounts it):
sh-3.2# diskutil apfs unlockVolume /dev/disk1s1
Passphrase:
Unlocking any cryptographic user on APFS Volume disk1s1
Unlocked and mounted APFS Volume
List the valid cryptographic users for the volume:
sh-3.2# diskutil apfs listkeys disk1s1
Cryptographic users for disk1s1 (4 found)
|
+-- EC1C2AD9-B618-4ED6-BD8D-50F361C27507
| Type: iCloud Recovery User
|
+-- 64C0C6EB-0000-11AA-AA11-00306543ECAC
| Type: iCloud Recovery External Key
|
+-- 6AAC510E-AE1F-417A-B739-8687BD5D2023
| Type: Local Open Directory User
|
+-- 223300DE-012D-4D48-A458-102F94617E62
Type: Local Open Directory User
Pick a user and use the UUID as the argument for -user:
sh-3.2# diskutil apfs decryptVolume /dev/disk1s1 -user 6AAC510E-AE1F-417A-B739-8687BD5D2023
Passphrase for existing user 6AAC510E-AE1F-417A-B739-8687BD5D2023: ****************
Starting background decryption of disk1s1 using crypto user 6AAC510E-AE1F-417A-B739-8687BD5D2023 as authorization
Background decryption is ongoing; see "diskutil apfs list" to see progress
Check the decryption progress:
sh-3.2# diskutil apfs list |grep Unlocked
| | Decryption Progress: 44.0% (Unlocked)
Notes:
ddrescue seems to be faster than dd.
If you are examining an SD card, use a USB3 adapter and not the native flash card reader. The native reader seems to be USB 2.0.