During the cleanup and restoration phase of a penetration test, which action BEST reduces the likelihood that another attacker could recover and reuse artifacts the testers placed on target hosts?
Change the file permissions of payloads to read-only and rename them with a .bak extension.
Sanitize or securely erase the tester-created files using NIST SP 800-88 clearing or purging methods before deleting them.
Move the artifacts to a hidden directory and set the hidden attribute so normal users will not see them.
Compress all artifacts into a password-protected archive and leave the file on the host for future reference.
Following recognized media-sanitization guidance, such as the Clear (overwrite) and Purge (cryptographic erase, block erase) techniques in NIST SP 800-88, renders tester-created files unrecoverable before they are deleted. Simply compressing, renaming, hiding, or changing permissions only obscures the artifacts, and an ordinary delete only unlinks the directory entry while the file's blocks stay in free space; in either case the data can still be restored with basic forensic tools, leaving the environment exposed. Two practical caveats: a password-protected archive left on the host is itself an artifact that can be cracked or exfiltrated, and on flash media or journaling/copy-on-write filesystems an in-place overwrite of a single file may not reach every copy of its blocks, so cryptographic erase or a media-level purge is the safer choice there.
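As an added example (not part of the original question or its explanation), here is a bash cleanup helper that works from a manifest of tester-created paths, overwrites each file in place with random bytes, syncs, and only then unlinks it. The manifest format (one absolute path per line, `#` comments), the function names `overwrite_in_place`, `sanitize_file` and `sanitize_manifest`, and the reliance on standard `head`/`dd` are my assumptions for this illustration; the symlink refusal and the "missing file is a failure" rule are design choices, not requirements from NIST SP 800-88.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: overwrite-then-unlink cleanup of
# tester-created artifacts listed in a manifest (one absolute path per line,
# lines starting with '#' ignored). Manifest format and function names are
# assumptions for this illustration.
#
# Scope caveat: in-place overwrite is a NIST SP 800-88 Clear-style control for
# magnetic media. On SSDs and on journaling/copy-on-write filesystems the old
# blocks may survive the overwrite, so use cryptographic erase or a media-level
# purge there and treat this script as the minimum, not the ceiling.

# Overwrite a regular file in place with random bytes of the same length.
# conv=notrunc keeps the existing blocks allocated, so the overwrite lands on
# the blocks that hold the original data instead of on freshly allocated ones
# (truncating first would leave the old blocks intact in free space).
overwrite_in_place() {
    local path="$1" size
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "refusing to overwrite (not a regular file, or a symlink): $path" >&2
        return 1
    fi
    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$size" -gt 0 ]; then
        if ! head -c "$size" /dev/urandom | dd of="$path" conv=notrunc 2>/dev/null; then
            echo "overwrite failed: $path" >&2
            return 1
        fi
    fi
    sync   # push the overwrite to the device before the inode is released
    return 0
}

# Overwrite, then unlink. Symlinks are refused (inside overwrite_in_place) so a
# planted link cannot turn the cleanup into an overwrite of an unrelated host file.
sanitize_file() {
    local path="$1"
    if ! overwrite_in_place "$path"; then
        return 1
    fi
    rm -f -- "$path"
}

# Walk the manifest; returns 0 only if every listed artifact was sanitized.
# A listed path that is missing is reported as a failure rather than silently
# skipped, because it means the cleanup record and the host disagree and the
# tester should find out where that artifact went before signing off.
sanitize_manifest() {
    local manifest="$1" path failures=0
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in
            ''|'#'*) continue ;;
        esac
        if sanitize_file "$path"; then
            echo "sanitized: $path" >&2
        else
            failures=$((failures + 1))
        fi
    done < "$manifest"
    if [ "$failures" -gt 0 ]; then
        echo "$failures artifact(s) not sanitized; review before sign-off" >&2
        return 1
    fi
    return 0
}
```

Usage: keep the manifest up to date during the engagement (every dropped payload, tool, credential file or log you create gets a line), then run `sanitize_manifest /path/to/manifest` on the host as the final cleanup step and keep its stderr output as the evidence for the report. A non-zero exit means something listed was not cleaned and needs a manual look.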