[Syntyr]

“Oh, no problem...we have a backup of it. Try again. “

You are correct

The first process performed when a PC or laptop is brought in for inspection is the drive is removed from the laptop and a Bit level copy is made along with checksums TWICE. So now you have three copies. The original, the master copy with checksums so you can verify its contents should the need arise in a court case and the one that you actually do the decryption work on.

Unfortunately this bypasses all all of the programs that would normally run as a self destruct that would have been loaded on the laptop or PC. You run the drive on a clean forensics system.

[Gondring]

Thus, the false-data ideas.

[no-s]

The first process performed when a PC or laptop is brought in for inspection is the drive is removed from the laptop

At which point the thermite envelopes affixed to the drive are ignited because the drive was removed without the removal password...I seem to recall some milspec drives with special parts to facilitate this...thumb drives can work the same way.

There's enough smarts available in the drive itself that you could envision a firmware that detects an unauthorized bit-level copy and takes some action, from selective copy to garbling the copy to self destruct. You would have to take the platters out and use a test rig to copy the bits. Probably too expensive for many prosecutions.