How does law enforcement deal with the investigation of an active computer intrusion on a live network?

An active computer intrusion can provide significant investigative leads to law enforcement. At times, allowing the unauthorized connection to be maintained can yield key information needed to pursue prosecution. Law enforcement understands that victims may choose to terminate the connection of an active intrusion to protect network assets. However, with the cooperation of law enforcement, there may be alternative actions that both preserve investigative leads and protect the network. Victims should not instinctively kick attackers off the network without at least considering the alternatives (e.g., filtering, constructing a jail system) and the possible value of keeping the connection alive (e.g., understanding the depth of the intrusion, inventorying impacted systems, determining motives and methods).
