
I have no experience whatsoever in forensics, but here's why I would want all the hardware if someone asked me to analyze a system as a generally tech-savvy guy:

1) Some raids take PCs while they're still on, in order to preserve things like encryption keys in memory or cached passwords. It's possible to transfer a running PC over to a battery-powered outlet for transport, then to lab power for analysis. This would be very useful if the machine was using full-disk encryption.

2) Having a full disk image gives you the data, but the easiest way to see how the data behaves is to actually boot up the machine (after imaging the drives, obviously) and see it as the suspect would. There might be subtle differences in behavior if you use lab hardware rather than the actual hardware, and there's even a chance of something crazy like the suspect using a modified Linux kernel that wipes his drives if it detects different hardware.

3) It's a pain in the ass to remove hard drives in some guy's living room when you can just haul the whole thing back to the lab and do it there. I suspect that laziness generally wins over the inconvenience to a potential suspect.
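The "image the drives first, then boot" step in point 2 depends on one discipline: the acquisition hash is taken while the bytes are read, the master image is never touched again, and anything that might write (booting, mounting read-write) happens on a working copy. The following added example, which is not from any commenter and models a block device with an ordinary file, shows that sequence and the checks an examiner runs afterwards. The file name `sdb` and the `.work` suffix are placeholders chosen here, and the sample device contents are constructed.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # 1 MiB read size, so large devices are never held in memory


def image_source(src_path, dst_path, chunk=CHUNK):
    """Sequentially copy src_path to dst_path and return the SHA-256 of the
    bytes read. Hashing during the single read pass is what lets the
    acquisition hash stand as evidence that the image equals the source."""
    h = hashlib.sha256()
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            buf = src.read(chunk)
            if not buf:
                break
            h.update(buf)
            dst.write(buf)
    return h.hexdigest()


def sha256_file(path, chunk=CHUNK):
    """Hash an existing file in chunks (used for later re-verification)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            h.update(buf)
    return h.hexdigest()


def make_working_copy(image_path):
    """Analysis that may write (booting, mounting) is done on a copy; the
    master image is made read-only so an accidental write fails loudly."""
    work = image_path + ".work"  # placeholder naming convention
    shutil.copyfile(image_path, work)
    os.chmod(image_path, 0o444)
    return work


def verify_chain(src_path, image_path, acquisition_hash):
    """Re-hash both source and master image against the acquisition hash."""
    return {
        "image_matches_acquisition": sha256_file(image_path) == acquisition_hash,
        "source_unchanged": sha256_file(src_path) == acquisition_hash,
    }


def demo():
    """Constructed scenario: a fake device is imaged, a working copy is
    'booted' (written to), and the chain of custody is re-checked."""
    tmp = tempfile.mkdtemp()
    device = os.path.join(tmp, "sdb")  # stands in for a real /dev/sdb
    with open(device, "wb") as f:
        f.write(b"MBR" + os.urandom(4096) + b"EOF")  # constructed contents
    image = os.path.join(tmp, "sdb.raw")

    acq = image_source(device, image)
    work = make_working_copy(image)

    # Simulate booting the working copy: the guest OS writes to its disk.
    with open(work, "r+b") as f:
        f.seek(0)
        f.write(b"XXX")

    result = verify_chain(device, image, acq)
    result["working_copy_diverged"] = sha256_file(work) != acq

    os.chmod(image, 0o644)  # restore permissions so cleanup works everywhere
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    print(demo())
```

The three booleans are the point: the master image and the source still match the acquisition hash, while only the working copy has changed. If `source_unchanged` ever came back false after transport, the examiner would know the original hardware was written to after imaging, which is exactly the situation point 1 (keeping the machine powered and untouched) is meant to avoid.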



What needs to be established is the government's requirement to have forensic experts do onsite justifications for what should be taken and then duplicate only relevant data (i.e., not pictures of your girlfriend's booty if not relevant to the case) and make an even stronger case for seizure of hardware based on deep relevance to the matter at hand, which should already have been thoroughly established beforehand (beyond "take anything that operates on any kind of form of electricity").


But how do you determine what data would be considered relevant? It is possible for incriminating data to hide in plain sight, such as in an image file that looks like a picture of your girlfriend's booty.
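One concrete reason a file that "looks like a picture" cannot be triaged by its thumbnail is that image formats have a defined end, and viewers ignore whatever follows it. The added example below, which is not from any commenter, walks JPEG segment headers and PNG chunks to find that defined end and reports any trailing bytes, a standard first check in image triage. The tiny JPEG and PNG are constructed inline; the check is a heuristic (it relies on the EOI marker not appearing inside later table segments of a progressive JPEG) and finds only appended data, not data encoded into the pixels themselves.

```python
import struct
import zlib

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(data):
    """Offset just past the EOI marker, or None if the JPEG is malformed.
    Segment headers are walked so an EOI inside an embedded EXIF thumbnail
    (an APP1 segment) is not mistaken for the end of the outer image."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded data follows, terminated by EOI
            eoi = data.find(JPEG_EOI, pos + 2)
            return None if eoi < 0 else eoi + 2
        if marker == 0xD9:  # EOI with no scan data at all
            return pos + 2
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len  # length field counts itself but not the marker
    return None


def png_end(data):
    """Offset just past the IEND chunk's CRC, or None if no IEND is found."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_data(data):
    """Bytes after the format's defined end (b'' if clean), or None when the
    file is not a JPEG/PNG or is truncated."""
    end = jpeg_end(data) if data.startswith(JPEG_SOI) else png_end(data)
    if end is None or end > len(data):
        return None
    return data[end:]


def _png_chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def build_tiny_jpeg():
    """Constructed minimal JPEG: APP0, an APP1 that contains a decoy EOI,
    a one-component SOS with byte-stuffed scan data, then the real EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"\xff\xe1" + struct.pack(">H", 8) + b"Exif" + JPEG_EOI  # decoy EOI
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"  # FF 00 is a stuffed byte, not a marker
    return JPEG_SOI + app0 + app1 + sos + scan + JPEG_EOI


def build_tiny_png():
    """Constructed minimal PNG: 1x1 IHDR followed directly by IEND."""
    ihdr = _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    return PNG_SIG + ihdr + _png_chunk(b"IEND", b"")


if __name__ == "__main__":
    for name, blob in [("clean jpeg", build_tiny_jpeg()),
                       ("jpeg+extra", build_tiny_jpeg() + b"appended bytes"),
                       ("clean png", build_tiny_png()),
                       ("png+extra", build_tiny_png() + b"appended bytes")]:
        print(name, trailing_data(blob))
```

A triage script would run `trailing_data` over every image on the working copy and flag anything with a non-empty result for a human to look at; that answers the "how do you know what is relevant" question with a measurement rather than a glance at the picture.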



