Which piece of information is needed for attribution in an investigation?

A.	proxy logs showing the source RFC 1918 IP addresses
B.	RDP allowed from the Internet
C.	known threat actor behavior
D.	802.1x RADIUS authentication pass arid fail logs