During a professional penetration test, taking sensitive information, such as social security numbers, password hashes, or intellectual property from a client would be a serious serious situation.  Broadly, we perform these engagements to improve our clients, their environments, and their overall security.  Taking sensitive data potentially exposes them to additional risk; however, as professionals we also need to document our work.  


Although CPTC is not a penetration test of a "real" company, we still hold to the realism of asking teams to perform a professional engagement.  As such taking an entire drive, or other sensitive information such as PII, password hashes, code, designs, etc. is not allowed without the explicit permission of the client, similar to a professional environment. 


In short, take only what you need to document your work in your report (and in your future career your workpapers or documentation) and leave the real data at the client site.