Lets say you have a SSD with this kind of encryption. I would just mount it as read-only or clone it first and work with the copy. Also the code that does the deletion could be just removed given the fact that any trustable encryption code has to be open source anyway.
And finally if you give out a password that would destroy the data (or attempt to) you incriminate yourself since you show you have something to hide and you attempted to destroy evidence.
Encryption with plausible deniability is way better. You give out a password that actually works and the only thing they have against you is the fact that the drive has lots of seemingly free space. But they cant proof that the free space is actually encrypted data.
In forensics, this would only be done on an image, and not on the live file system. This both avoids triggers like you mention, and also claims that the forensic person has altered the evidence in some way.
Forensic agents have to prove before and after that no changes were made to the file system(s) and any data that may reside on them.
Source: I have prior certification, and have acted as a court designated technical expert. I don't do this anymore, but those elements have not changed over time.
Lets say you have a SSD with this kind of encryption. I would just mount it as read-only or clone it first and work with the copy. Also the code that does the deletion could be just removed given the fact that any trustable encryption code has to be open source anyway.
And finally if you give out a password that would destroy the data (or attempt to) you incriminate yourself since you show you have something to hide and you attempted to destroy evidence.
Encryption with plausible deniability is way better. You give out a password that actually works and the only thing they have against you is the fact that the drive has lots of seemingly free space. But they cant proof that the free space is actually encrypted data.