What should incident handlers do with suspicious files found during an investigation?


Incident handlers should isolate suspicious files for analysis so that a thorough investigation can be conducted without compromising the integrity of the data or the system. Isolating these files helps prevent potential malware from spreading or causing further damage to the network, and it provides a controlled environment in which the behavior of the files can be safely examined without exposing the organization to additional risk.

This approach gives a deeper understanding of the file's nature, whether benign or malicious, and enables an appropriate response based on the findings. Through this careful analysis, incident handlers can make informed decisions about the next course of action, which might include deletion, quarantine, or patching the vulnerability that allowed the suspicious file onto the system in the first place.

Additionally, handling suspicious files in this way aligns with best practices in incident response and forensic investigations, which prioritize evidence preservation and careful examination before making irreversible decisions.
