Live Triage is the way to go, it's fast and aligns best with business objectives of least impact to business downtime. Most data on computers isn't forensically/threat hunting relevant. Disk Images are usually necessary if you are trying to carve for a file no longer on disk or litigation/lawyers come in. One key thing to focus on is employees who know how to use 5 tools well are more well prepared to defend vs throwing 10 shiny tools at them. On many engagements we see customers with all the tools, but the security folks aren't well versed in how to use them or don't gain a deep enough understanding as they are switching between tools/portals.