When attempting to reconstruct an incident from a packet capture, which three things should an analyst pay special attention to? (Choose three.)
A. IP addresses of hosts that may have been affected
B. the path that was used in the attack
C. the timeline of the attack
D. the tool used to produce the packet capture
E. the geo-location information in the IP header
