If you need to move files, logs, or any kind of program output off a compromised system without disrupting evidentiary data on the disk, use netcat.

On your trusted system:

$ nc -v -l -p 2222 > victim.dump

On the victim's system:

$ <program> | nc <trusted_system> 2222

Where program is the discovery application you're running (e.g. netstat -an).