When a compromised system is powered off, important information or evidence stored in volatile memory may be lost. Installation software designed to detect trojans and hacking utilities may adversely impact the quality of the forensic evidence available. This not only may make a good forensics investigators job more difficult, it may also prevent the evidence from being used to support the prosecution of the intruder. Remove affected systems from the network. Do not make any changes to them. Dont power them off, dont reboot them, dont install anything on them.”]
Source: https://www.csoonline.com/article/2117939/after-a-breach.html