Activity logs show a large amount of data downloaded from a company server to an employee’s workstation overnight. Upon further investigation, the technician identifies the data as being outside the scope of the employee’s regular job functions. Which of the following steps should the technician take NEXT?
A. Report through proper channels
B. Document the changes
C. Continue to track more evidence
D. Preserve the chain of custody