
> Did this ever lock you out of any machines configured to use Whole Disk Encryption or out of encrypted, mounted volumes?

That read weird to me too. My file system is totally encrypted, and the easiest way to get a copy of it is to not turn the machine off but to make a copy of the mounted hard disks first. That's true for any encrypted file system; it sounds like a pretty big faux pas in the procedure.



From a technical perspective, there are definitely better ways to go about acquisition. It can be very hard for technical people to work in computer forensics because many technically attractive strategies are off-limits to you due to constraints that are wholly non-technical.

Think of it like this. Police would probably find a lot more evidence if they were able to search your car/property without consent, but they don't because that would violate your civil rights. The acquisition situation is a little bit different, because it's not strictly a matter of civil rights. It's more subtle. We have the right to examine the computer, but the process has to:

1) Hold up in a court as irrefutable and demonstrate a process that is inherently resistant to tampering.

2) Discover the evidence required to execute the legal strategy.

All the evidence in the world won't convict someone if the defense can take the position that evidence was tampered with. Using the computer prior to examination is akin to taking a gun used in a murder to the gun range before checking it in as evidence. Simply testifying that you didn't tamper with it doesn't do the trick. It very quickly becomes a chicken-and-egg problem.
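The thread's two points, live acquisition of a mounted volume and a process that can show tampering did not happen, are usually joined by hashing the image as it is acquired and re-hashing it before analysis. The following is an added example, not code from either commenter: it streams a source (a device node or, here, a constructed sample file) into an image, records the SHA-256 digest in a custody log, and shows that a single flipped byte in the copy is caught on verification. Paths and the sample volume are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB blocks so a large image never sits fully in memory


def acquire_image(source_path, image_path, log_path):
    """Copy a source (device node or file) to an image, hashing the bytes as they
    stream through, and append the resulting digest to a custody log."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    digest = h.hexdigest()
    with open(log_path, "a") as log:
        log.write(f"{digest}  {image_path}  (from {source_path})\n")
    return digest


def verify_image(image_path, expected_sha256):
    """Re-hash the image and compare against the custody log entry; any change to
    the image, even a single bit, produces a different digest."""
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest() == expected_sha256


def demo():
    """Acquire a constructed 4 MiB sample volume, verify it, then flip one byte of
    the copy and verify again. Returns (clean_ok, tampered_ok)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "volume.bin")  # constructed stand-in for a mounted device
    img = os.path.join(workdir, "volume.dd")
    log = os.path.join(workdir, "custody.log")
    with open(src, "wb") as f:
        f.write(os.urandom(4 * CHUNK))
    digest = acquire_image(src, img, log)
    clean_ok = verify_image(img, digest)
    with open(img, "r+b") as f:  # simulate a post-acquisition modification of the copy
        f.seek(1234)
        b = f.read(1)
        f.seek(1234)
        f.write(bytes([b[0] ^ 0x01]))
    return clean_ok, verify_image(img, digest)
```

In practice the digest is recorded at acquisition time on a signed worksheet and recomputed before every examination, so the log entry, not the examiner's testimony, carries the integrity claim.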



