You are investigating a suspected data breach at your organization. Network logs indicate unauthorized access to a sensitive database server. The server is running Windows Server 2019. The IT manager, eager to resolve the issue quickly, wants to immediately re-image the server. What is the BEST course of action? a) Allow the IT manager to re-image the server to minimize downtime and prevent further data exfiltration. b) Immediately disconnect the server from the network to isolate it and preserve potential evidence. c) Follow established incident response procedures, including documenting the scene, acquiring a forensic image of the server before any modifications, and maintaining chain of custody. d) Contact law enforcement immediately and allow them to take control of the server and the investigation.