After a security breach was identified in a company's financial system, a cybersecurity analyst has been tasked with conducting a forensic analysis of the compromised server. Which of the following actions is the MOST important initial step the analyst should take to ensure the integrity of the forensic investigation?
Immediately disconnect the server from the network to prevent further access.
Reboot the server to analyze its behavior during startup for potential anomalies.
Begin analyzing the most recently modified files for evidence of the intrusion.
Utilize write blockers when making a forensic copy of the storage media.