Which of the following should be done if an organization intends to prosecute an attacker once an attack has been completed?

Which of the following should be done if an organization intends to prosecute an attacker once an attack has been completed?

A.
Update antivirus definitions.

B.
Disconnect the entire network from the Internet.

C.
Apply proper forensic techniques.

D.
Restore missing files on the affected system.