When following up on a data breach, an IS auditor finds a system administrator may have compromised the chain of custody. Which of the following should the system administrator have done FIRST to preserve the evidence?

A. Perform forensic discovery
B. Notify key stakeholders
C. Quarantine the system
D. Notify the incident response team