Michael Horowitz

Defensive Computing

The best defense against software problems: disk imaging

My previous posting discussed various approaches to dealing with a Windows computer that's been infected by malicious software (malware).

The easy approach, installing anti-malware software and having it scan the machine, is the least likely to fully remove the infection. At the other end of the spectrum, re-installing Windows is guaranteed to remove the infection but at a huge cost in terms of time and effort to put Humpty Dumpty back together. Somewhere in the middle is removing the hard drive and scanning it from an uninfected machine.

But there is another alternative: roll back the entire C: drive to a known clean state.

Some software literally does a rollback. That is, it runs continuously in the background, logging all hard disk activity. This activity log can be used to undo recent changes.

Examples of this approach include SteadyState from Microsoft, Deep Freeze from Faronics and some virtual machine software such as VMware Workstation (GoBack from Symantec was popular in the old days, but it has been replaced by Ghost version 14).

I don't like this approach, however. It's complicated, there's a constant overhead, it can only roll back so far, and software constantly running in the background strikes me as an accident waiting to happen.

DISK IMAGE BACKUPS

My preferred approach is disk image backups.

An image backup is focused on hard disk sectors, rather than files. That is, the intent of a disk image backup program is to back up the entire hard disk - every last bit.

Yes, this is a bit wasteful, as much of the hard disk doesn't need to be backed up. But the upside is the guarantee of being able to restore the computer to a known good state.

If you've ever dealt with a "recovery" CD, DVD or partition that returns a computer to the factory-fresh state, what it's doing is restoring a disk image backup.

With image backups there is no need to have software constantly running, there is no activity log file, no overhead and no limit on how far back the system can be restored. If you don't mind keeping an image backup, a computer can be restored to its state months or years ago.

There are many disk imaging products to choose from, including Drive Image XML from Runtime Software, True Image from Acronis, ShadowProtect Desktop from StorageCraft, Drive Backup Express from Paragon Software, DriveClone Express from Farstone, Ghost from Symantec and Image for Windows from Terabyte Unlimited.

Some companies combine regular file-oriented backup with disk image backups into a single product, but I prefer the simpler approach offered by a single-purpose program.

Some disk imaging programs install and run as a normal Windows application. The downside of backing up Windows while it's running should be self-evident: you're painting a picture of a moving subject.

Other disk imaging programs run from a bootable CD and thus back up the system when Windows is not running. When it comes to backup, my preference is for simple, and this is the simpler way to go.

SMALLER IMAGE BACKUPS

Image backups are large and thus are best written to an external hard disk, another LAN resident computer or a Network Attached Storage device. The image backup program should have an option to split the backup into multiple files, each sized to fit on a single CD or DVD.

There are a number of ways that disk imaging programs decrease the size of the image backup.

Every imaging program that I've seen offers compression; some offer different types of compression, letting you trade off disk space savings against CPU usage and elapsed time.

The biggest savings probably come from being file system aware. That is, the image backup program won't back up disk space that isn't allocated to a file. Obviously, this can be a huge savings, but if the file system is damaged, so too is the backup. It also limits the imaging application to backing up file systems that it understands.

Another trick might be skipping things like the page/swap file, which should never need to be backed up.

A good disk imaging program will offer its file system aware features as an option. This way, you can make small backups most of the time, but still have the option to make a full image backup if the file system breaks or files get deleted by accident. Drive Image XML, for example, can operate in "raw mode" to back up everything. If you don't enable raw mode, then it's file system aware and makes smaller backups.

Although file backups are not the main reason to make image backups, many disk imaging applications let you mount an image backup and see/copy the files within it. Drive Image XML does not allow this for raw mode backups.
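The section above describes the building blocks of a raw-mode image: read every sector, compress, split into CD/DVD-sized pieces and keep a way to prove the backup is intact before trusting it. The script below is an added example, written for this page and not code from Drive Image XML or any product named in the article; it does the same job on a Linux rescue system with standard tools (dd, gzip, split, sha256sum, cmp). The source path, chunk size and file names are assumptions, and the "disk" used in the test is a constructed file standing in for a block device.

```shell
#!/bin/sh
# Raw (sector-level) image backup: no file-system awareness, so it also
# captures unallocated space, which is what the article calls "raw mode".
# Added example, not from the article. Run it from a rescue/live CD so the
# source disk is not changing underneath it ("a moving subject").
# SRC is a block device such as /dev/sda (assumed) or, for the test, a file.

# make_image SRC OUTDIR [CHUNK]
# Writes OUTDIR/image.gz.aa, image.gz.ab, ... plus OUTDIR/SHA256SUMS.
# CHUNK defaults to 4480m, which fits a single-layer DVD (assumption).
make_image() {
    src=$1; outdir=$2; chunk=${3:-4480m}
    mkdir -p "$outdir" || return 1
    # dd reads every sector, gzip compresses the stream, split writes
    # fixed-size pieces so each one fits on a single disc.
    dd if="$src" bs=1048576 | gzip -c | split -b "$chunk" - "$outdir/image.gz."
    # A pipeline's exit status is only that of its last command, so read
    # the image back and compare it byte-for-byte with the source before
    # calling it a backup at all.
    cat "$outdir"/image.gz.* | gzip -dc | cmp -s - "$src" || return 1
    # Checksums let a later restore detect a damaged or altered piece.
    ( cd "$outdir" && sha256sum image.gz.* > SHA256SUMS )
}

# verify_image OUTDIR: succeeds only if every piece matches SHA256SUMS.
verify_image() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null )
}

# restore_image OUTDIR DEST: refuses to touch DEST unless the image verifies.
# DEST is the target block device (assumed) or, for the test, a file.
restore_image() {
    outdir=$1; dest=$2
    verify_image "$outdir" || return 1
    # Shell globs sort lexically, so aa, ab, ac ... reassemble in order.
    cat "$outdir"/image.gz.* | gzip -dc | dd of="$dest" bs=1048576
}

# Typical use (not executed here):
#   make_image /dev/sda /mnt/external/image-2024-06-01
#   restore_image /mnt/external/image-2024-06-01 /dev/sda
```

Two design choices matter for the "known good state" the article is after: the image is read back and compared to the source immediately, because a pipeline silently drops a dd read error, and restore refuses to write anything if a single piece fails its checksum, so a backup that was corrupted in storage is rejected rather than partially written over a working system.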

SUGGESTED USES

Even with file system tricks, making a disk image is still relatively slow and the backups are relatively large. It's not something you'd want to do every day. Fortunately, it's not needed every day.

On my main computer, I make an image backup once a month, just before running Windows Update. On my other computers, the schedule is haphazard but I have at least one image backup of every computer that I use. 

Typically when I work on a computer for a client, the very first thing that I do is make an image backup. This way, if something goes wrong with whatever I'm doing, I can always go back to square one. First do no harm.

I suggest making an image backup before making any significant system changes. For example, make a backup prior to installing a service pack (be it Windows or Office), before running Windows Update, before starting malware removal (a lesson I learned the hard way) and before installing a new release of Internet Explorer. When you buy a new computer, install your applications, then make an image backup.

This brings up the issue of how many backups to retain.

While falling back to a prior image backup is, by far, the best way to approach malware removal, there's always a chance that the backup is infected too. There is no one right answer; it depends on factors such as how important the computer is, how big the backups are, how much storage space you have for backups, etc. As a rule of thumb, I'd start by keeping two backups of important machines and one for those you don't judge to be important.
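The retention rule of thumb is easy to get wrong in one direction: a script that prunes old backups before the new one is proven good can leave you with no usable image at all. The shell functions below are an added example, not the author's own procedure. They assume each backup set is a directory named image-YYYYMMDD-HHMM (a naming convention chosen here) that contains a SHA256SUMS file written only after the set was verified; unverified sets are never counted as backups, and the pruner refuses to keep fewer than one.

```shell
#!/bin/sh
# Retention for dated image-backup sets. Added example, not from the article.
# Assumed layout: BASEDIR/image-YYYYMMDD-HHMM/... with SHA256SUMS present
# only in sets that were verified after being written.

# list_sets BASEDIR: print verified sets, newest first.
# The date in the name sorts lexically, so a reverse sort orders by age.
list_sets() {
    for d in "$1"/image-*; do
        [ -f "$d/SHA256SUMS" ] && printf '%s\n' "$d"
    done | sort -r
}

# count_sets BASEDIR: number of verified sets.
count_sets() {
    list_sets "$1" | wc -l | tr -d ' '
}

# prune_sets BASEDIR KEEP: delete all but the KEEP newest verified sets.
# Refuses KEEP < 1 so the last known-good image can never be removed.
# Unverified or in-progress sets (no SHA256SUMS) are left untouched so a
# failed backup can be inspected rather than silently discarded.
prune_sets() {
    dir=$1; keep=$2
    [ "$keep" -ge 1 ] 2>/dev/null || return 1
    list_sets "$dir" | sed -e "1,${keep}d" | while read -r old; do
        rm -rf "$old"
    done
}

# Intended order of operations (not executed here):
#   1. make the new image into BASEDIR/image-$(date +%Y%m%d-%H%M)
#   2. verify it, which writes SHA256SUMS
#   3. only then: prune_sets BASEDIR 2   # two sets for an important machine
```

Calling the pruner only after the new set has verified is the point: the article's "two backups of important machines" is two verified backups, and the second one exists precisely so that a freshly made image that turns out to contain the infection is not the only copy you have.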

Next time, using partitions with disk image backups.

What People Are Saying

removing data from hard drive

Dell just replaced my hard drive and wants me to return the old drive to them. How can I remove the data from the drive before returning it to Dell?

Thanks for your help.

Joe

the best option imho

Like everyone else, I've had the odd system mess up due to third party interference e.g. viruses, windows update not recognizing partitions created by Partition Magic and overwriting data(!) etc. - however, the last time I had an unrecoverable system issue like that, I decided it would be the LAST time.

Looking at the various options, I plumped for a "cold metal" backup.

My operating system drive is a 160gb Seagate. I put a 160gb WD in an EZ-Swap drive tray and installed Casper XP, a drive imaging program.

Normally, I run the Seagate only. At backup time, I boot the system with the WD Drive Tray engaged. The bios sees the WD drive and assigns drive letters. Casper clones the Seagate (about 80GB data) to the WD in about 15 mins.

If the OS gets corrupted, I simply change the boot priority and boot from the cloned WD and I'm up and running immediately. To restore the Seagate, I run Casper and clone from the WD backup.

*Using different brands of drives is a good idea as the serial numbers in the list of source / target drives are easily identified by their prefixes, e.g. SE or WD.

Disk Imaging

Another excellent imaging software is Macrium Reflect. An easy-to-use freeware.

Malware Removal

I just wanted to note, I was forced to follow your advice recently in a malware removal. A file system corruption was preventing most programs from executing, including my cleanup utilities.

I had to remove the hard drive and use my handy usb adapter to plug it into my healthy system. After running scandisk to repair the file system issue, I ran my utilities which found and removed a few infections. But it didn't find and remove everything.

In fact, once I had the hard drive back in the system, I ran the utilities from safe mode and found more than a couple additional infections that weren't detected when running the scan from my system. I don't know why this is, but it's occurred twice to me.

So my advice would be, even if you scan the hard drive attached to a healthy machine, scan it again from the machine it is based on. Scan it every way you can with every utility at your disposal until it appears and behaves like a clean computer. Obviously disk imaging and restoration of a healthy image is ideal, but when it comes to scanning with malware removal utilities don't stop after one clean.

Anyway, that's my two cents. Thanks for all the great advice.

Most people don't or can't do this.

This has been the saga of Windows for 20 years. By the time some figure out how to do an image backup and restore, they've already been infected and this exercise just restores previous infections.

You are a little late dude. Windows restores have been an exercise in futility forever. The MS restore function is a joke and will crap on you every chance it gets. It has never worked.

You stand a better chance with plugging in a Linux disk, copying your files, wiping the hard drive, and installing Linux. Takes much less time and is more intuitive.

MS Backups

"Windows restores have been an exercise in futility forever..."

Not for everybody, Mr. Anonymous - one size does -not- fit all.

Although no one is completely happy with the MS backup software provided with XP or Vista Business, partitioning an external HD is a good idea. That way you can keep multiple dated backups on the external HD - and do a limited restore on a few files for verification when each backup is done.
