More effective (and more inconvenient) checking

• ideally, don't rely on compromised machine's filesystems
• disconnect disks and move to a different machine
• another approach is to boot from an installation CDROM

Situations that may make this more important

• no known vulnerability existed on the machine
• all sniffer log files must be found, even deleted ones
• all of the intruder's exploit programs must be found
• intruders used your machine in incident relevant to FBI

Note: moving disk may be convenient if one planned to
reinstall the system onto a larger or faster disk