Have a look at The Coroner's Toolkit from Dan Farmer and Wietse Venema. Debian package: tct
It is advised *not* to turn off your box; maybe you can unplug its network... not sure it's a good idea even.

http://www.fish.com/tct/help-when-broken-into

Chosen extract:

What to do
-----------

The first 3 basic steps to handling a "situation" (roughly taken from the wonderful Criminalistics, An Introduction to Forensic Science, by Saferstein (see the "bibliography" file) are:

    o Secure and isolate the scene
    o Record the scene
    o Conduct a systematic search for evidence

And while speed is of the essence, attempt to stay calm and don't panic. And do *NOT* touch the keyboard or the computer yet unless you absolutely have to.

We repeat. Do *NOT* touch the keyboard or the computer yet. Did you hear us? STAY AWAY FROM THE COMPUTER! Anything you do will destroy evidence, so simply don't touch it for now, or do as little as possible and don't start looking for damage yet.

And while you might get lucky and find all the damage and evidence and perpetrator immediately, don't get your hopes up too much, this is still not an exact science, and almost every case has more than its share of disappointments.