by fhars 4960 days ago
On the contrary - you have to at least admit that if you power off a compromised machine, the attacker could have installed all his code in RAM only so that powering off erases evidence.

If you disconnect, you can still try to examine the current memory content and do a forensic analysis.

Of course what you really want is a memory dump via a trusted channel while the CPU is halted (hardware hypervisor or something like that) and then immediately power down. This is usually not supported on COTS hardware, so you have to choose the strategy that will erase the least evidence (power off, disconnect, suspend to disk, VM snapshot, whatever) depending on what you suspect the attack to be.
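As an added example (not code from the comment above), the kind of triage a responder can run before choosing a power action on a Linux host: it flags processes whose executable exists only in memory (unlinked or memfd-backed) and lists their file-less executable mappings, since that is exactly the evidence a power-off would erase. It assumes a readable /proc and root privileges; the `proc_root` parameter and the constructed sample layout are for testing only.

```python
#!/usr/bin/env python3
"""Flag processes whose code lives only in RAM, before any power action.

Assumption: a Linux host with /proc readable by the caller (run as root).
Entries that cannot be read are skipped rather than reported.
"""
import os
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    pid: int
    exe: str      # target of /proc/<pid>/exe as rendered by the kernel
    reason: str


def classify_exe_target(target: str) -> Optional[str]:
    """Explain why an exe link target suggests memory-only code, else None.

    The kernel renders an unlinked backing file as "<path> (deleted)" and a
    memfd-backed executable as "/memfd:<name> (deleted)".
    """
    if target.startswith("/memfd:"):
        return "anonymous memfd executable"
    if target.endswith(" (deleted)"):
        return "executable unlinked from disk"
    if target.startswith(("/dev/shm/", "/run/shm/")):
        return "executable on tmpfs (RAM-backed)"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Finding]:
    """Walk every numeric entry under proc_root and collect findings."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, name, "exe"))
        except OSError:
            continue  # kernel threads have no exe; others may need root
        reason = classify_exe_target(target)
        if reason is not None:
            findings.append(Finding(int(name), target, reason))
    return sorted(findings)


def executable_anonymous_maps(pid: int, proc_root: str = "/proc") -> List[str]:
    """Return executable mappings with no on-disk backing (injected code)."""
    out = []
    try:
        with open(os.path.join(proc_root, str(pid), "maps")) as fh:
            for line in fh:
                fields = line.split()
                path = " ".join(fields[5:])          # empty for anonymous maps
                if "x" in fields[1] and (path == "" or path.endswith("(deleted)")):
                    out.append(line.rstrip())
    except OSError:
        pass
    return out


if __name__ == "__main__":
    for f in scan_proc():
        print(f"pid {f.pid}: {f.reason}: {f.exe}")
        for m in executable_anonymous_maps(f.pid):
            print("   ", m)
```

Save the printed output off-host (or pipe it over the still-connected network) before powering down; it is the part of the picture that only exists while the machine is up.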