Channel: Forensic Focus Forums - Recent Topics

Employment and Career Issues: Interview question about preserving metadata

I am not sure what you mean by "in house tools," but I am assuming that you mean tools on site (forensic tools) and not tools literally in your actual house. I am also assuming by media, you mean physical media, like a physical spindle hard drive and not a local volume like the C: drive in Windows.

To your first question on preserving metadata, I am assuming all you mean is you don't want to alter the file or its contents. For that you usually use something called a write blocker; you connect that to your hard drive so that it is read only. That way nothing is ever written to it, preserving both the metadata and the content. I believe EnCase does have a software module write blocker, but what you usually want is a hardware write block (reason being that the BIOS can still write to the drive when you use a software write blocker). If you are doing forensics work on the drive (this is to say you must interact and possibly change what is on the drive), it is just as you said: you will probably be making a copy through a write blocked drive with things like EnCase or dd_rescue, before processing it with EnCase, X-Ways, FTK, or whatever the company uses.

Chain of custody, to my understanding, is just a form you fill out so there is documentation on your evidence. You just want to document every move you make, however your company wants. That said, I am still a student and a total noob in this topic, so take it with a grain of salt. Also totally feel your eagerness, looking for jobs/internships myself. Hope this helps. Good luck with the interview.
