
You can do `cat /dev/sda` on a live server (as root) without any special stuff like LVM or a hypervisor, it just isn't guaranteed to take a clean image, as it isn't a snapshot. In most cases you'd probably just need to run fdisk to tidy it up and get 99% of the data back in one piece.
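The point above, that a sequential read of a live device is a copy but not a snapshot, is easy to see with a hash check. The following is an added example, not code from the commenter: it images a constructed file standing in for `/dev/sda` (no real device is touched), hashes the byte stream as it is read, and then hashes the written image and the source. On a quiet device all three hashes agree; on a "live" device, simulated by a callback that changes an already-read block and a not-yet-read block mid-copy, the image matches neither the before-state nor the after-state, even though it is internally consistent. The file layout, block size and the `writer` callback are assumptions of this example.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed block size for the fake device


def sha256_file(path):
    """SHA-256 of a file, read in CHUNK-sized pieces."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, on_chunk=None):
    """Sequentially copy src to dst (what `cat /dev/sda > image` does),
    hashing the stream as it is read. on_chunk, if given, is called after
    each chunk and stands in for activity on a live server."""
    h = hashlib.sha256()
    copied = 0
    # buffering=0 so each read sees the device as it is at that moment
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        while True:
            chunk = fin.read(CHUNK)
            if not chunk:
                break
            h.update(chunk)
            fout.write(chunk)
            copied += len(chunk)
            if on_chunk is not None:
                on_chunk(copied)
    return copied, h.hexdigest()


def acquire_and_verify(src, dst, on_chunk=None):
    """Acquisition hash (stream as read), image hash (file as written)
    and the source hash taken after the copy finished."""
    copied, acq_hash = image_device(src, dst, on_chunk)
    return {
        "bytes": copied,
        "acquisition_hash": acq_hash,
        "image_hash": sha256_file(dst),
        "source_hash_after": sha256_file(src),
    }


def make_fake_device(path, blocks=8):
    """Constructed sample device: block i is filled with byte value i."""
    with open(path, "wb") as f:
        for i in range(blocks):
            f.write(bytes([i]) * CHUNK)


def demo():
    """Image the fake device once while quiet and once while 'live'."""
    with tempfile.TemporaryDirectory() as d:
        dev = os.path.join(d, "fake_sda")
        make_fake_device(dev)
        before = sha256_file(dev)

        quiet = acquire_and_verify(dev, os.path.join(d, "quiet.img"))

        def writer(copied):
            # Simulated live activity after the first block was read:
            # block 0 (already copied) and block 6 (not yet copied) change.
            if copied == CHUNK:
                with open(dev, "r+b") as f:
                    f.seek(0)
                    f.write(b"\xff" * CHUNK)
                    f.seek(6 * CHUNK)
                    f.write(b"\xee" * CHUNK)

        live = acquire_and_verify(dev, os.path.join(d, "live.img"), writer)
        after = sha256_file(dev)

        return {
            "quiet_consistent": quiet["acquisition_hash"] == quiet["image_hash"] == before,
            "live_matches_before": live["image_hash"] == before,
            "live_matches_after": live["image_hash"] == after,
            "live_internally_consistent": live["acquisition_hash"] == live["image_hash"],
        }


if __name__ == "__main__":
    print(demo())
```

The last result is the one worth remembering: the acquisition hash only proves that the image file has not changed since it was written. It says nothing about whether the image ever corresponded to the device at a single instant, which is what a write blocker or a real snapshot provides.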


You can't make any modifications for it to be admissible in court. This includes logging into a live server to take an image, or 'fixing' errors introduced during the copy.

Professional forensic investigators have what are called 'write blockers' that prevent all writes when drives are plugged in to be imaged.


It was in another country, and the image was provided by the other country. Not sure about the law/case-law around how that works with respect to chain-of-evidence.


I think a good defense lawyer should be able to get the server image thrown out. Fat lot that will do in light of everything else though.


They can create a hermetic environment to fsck a copy to find what files are on the original, and then copy the target file content from the discovered addresses.

Otherwise I could shred say some paper evidence, and the court would reject a taped-up copy that shows my original document. Which they wouldn't, of course.



