ComputerWorld has an article that describes the two most common mistakes companies make that complicate forensic investigations.
I cannot stress this enough: "As a system administrator, your job is to determine why a box is acting up. If you discover a break-in, call law enforcement and/or the incident response team. While you're waiting for them, write down what you did up to that point. DON'T DO ANYTHING ELSE TO/WITH THE BOX!!!!"