During an incident response, a security analyst identified a suspicious file on a workstation that may be related to a malware infection. The analyst needs to collect the file as evidence for further analysis. Which of the following is the analyst's critical step to preserve the digital evidence?
a. The analyst must shut down the system.
b. The analyst must log off the user account.
c. The analyst must maintain chain of custody.
d. The analyst must copy evidence to a USB drive.