Choosing to acquire a snapshot of the system's active memory is the correct answer as it ensures that all current data being processed by the system, including possible malware code or unauthorized actions performed by the attacker, is captured for analysis before it is lost. This procedure must be conducted correctly to avoid altering memory contents, which could affect the investigation. Powering off the system or conducting antivirus scans could lead to the loss of volatile data contained within the memory, and rebooting to install monitoring software will cause the current state of memory to be cleared.