The New York Times says being hacked is like someone invading your home, and more than anything else, time is of the essence.
The goal is to determine quickly the "fingerprint" of the intrusion and its scope.
For example, how did the hacker break in, what did he take, when did he break in, and how can it be stopped?
In large-scale attacks, "the first thing a forensics team will do is try to get the hackers off the company’s network, which entails simultaneously plugging any security holes, removing any back doors into the company’s network that the intruders might have installed, and changing all the company’s passwords."
But that's a moot point if it's not entirely removed, and if even just one compromised password is not updated, hackers may still have access.
As the Times article says, in the world of computer security the most dangerous breaches are the quiet ones, or the ones in which hackers actually leave no trace.