For some attacks would you not want to just remove the public IP so you can study memory?

Some compromised EC2 instances are not as useful when shutdown. If you want a live look at the processes and what they are doing would not keeping the instance live but cutting network be the ideal way to study in memory proc?