Susan needs to track the chain of custody for the evidence and should ensure that a proper chain of custody is maintained. This is especially important when dealing with data that may become part of legal proceedings. Forensic hashes are typically generated as part of forensic processes to ensure that the original and copies of forensic data match, but a hash alone does not provide chain-of-custody tracking. Legal holds require organizations to preserve data but don't track chain of custody, and IoC ratings are unrelated to this question.

Hui knows that she needs to preserve the logs per the legal hold notice and will need to identify a method to preserve the logs while maintaining operations for her organization. Failing to do so can have significant legal repercussions.

Hashes are used to validate drive images and other forensic artifacts. Comparing a hash of the original and the image is commonly used to ensure that they match. None of the other options will validate a drive image, and encrypting a drive will modify it, spoiling the evidence.

A baseline for traffic patterns and levels would allow Kathleen to determine if the traffic was typical or if something unusual was going on. Heuristics focus on behaviors, and Kathleen wants to see if traffic levels are different, not behaviors. Protocol analysis looks at whether there is an unusual protocol or data, and network flow logs are useful for determining which systems are sending traffic to where and via what protocol.

Open feed data can vary in quality and reliability. That means Renee will have to put processes in place to assess the quality and reliability of the IoC information she is receiving. An open feed implies that it is free. Open feeds are generally active, and IoC detail levels vary as IoCs are created and updated, regardless of the type of feed.

Active monitoring is focused on reaching out to gather data using tools like ping and iPerf. Passive monitoring using protocol analyzers collects network traffic and router-based monitoring using SNMP, and flows gather data by receiving or collecting logged information.

System images are not typically part of an IOC. Hashes of malicious software may be, as well as IP addresses, hostnames, domains, and behavior- based information, among other common details.