This is why when raiding a "hacker" LEOs were[1997] supposed to take immediate physical control of the device and not believe anything said "hacker" tells them about the device.
now that mobiles are more common than desktops, but not commonly controlled entirely by the user, heuristics have become sloppy.
"Assume That Every Computer Has
Been Rigged To Destroy Evidence"
"Assume That Every Computer Has Been Rigged To Destroy Evidence"
https://www.govtech.com/magazines/gt/Computer-Evidence-Proce... [1997]