@itsfoss I used to do Forensics gigs (I'm pretty much retired these days), even though I have 11 years to go before it becomes official.
I was lucky (?) enough to be on a defendant's team, and got direct permission to do things most forensics teams cannot do at each stage of the way.
Without getting technical about it, it was abundantly clear the defendant was lying to us, and had actually re-installed their OS 3 times, with each time the evidence magically reappearing. I was also able to prove that there was no back door, and that everything dealing with the evidence was done from the GUI and not command line, and that a "shocking" amount of the activity happened when he was home alone.
Windows keeps track of recently opened files. Slackspace keeps those around a long time. Linux was happy to dig those things up flawlessly.
Given all the work I accomplished in the time allotted, there is no way I could have done it with Encase or any of the other court standards.
And the evidence was accepted, because it was easy to prove that the drive image was pristine and stayed that way throughout the investigation.
I think I should write a whitepaper about what I did on the case, because I've not seen the techniques described anywhere else. It's the only case I handled that particular way.
GNU/Linux made it slobberproof, and perfectly admissible in court. It helps that I found everything the police forensics had reported, and nothing conflicted. The fact that I found so much more than they did was pure gold.