If you need to move files, logs, or any kind of program output off a compromised system without disrupting evidentiary data on the disk, use netcat.

On your trusted system:

$ nc -v -l -p 2222 > victim.dump

On the victim's system:

$ <program> | nc <trusted_system> 2222

Where program is the discovery application you're running (e.g. netstat -an).

If you have packages on your system upon which no others depend, you easily can find out what they are by running the deborphan program. This command will uninstall them:

$ deborphan | xargs apt-get remove

(The --yes switch can be used with apt-get to continue with the removal instead of asking for confirmation.)