Application Recovery – CompTIA Security+ SY0-501 – 5.6

When a security incident occurs, you’ll need to get applications running again as quickly as possible. In this video, you’ll learn about application restoration priorities and backup strategies.

<< Previous Video: Disaster Recovery Sites Next: Geographic Considerations >>


When you’re recovering applications, some applications may have a higher priority than others. Applications that are customer facing may have a higher priority or applications that handle the billing or the payroll process may have a higher priority. The list of what applications have priority should be well defined before you would ever need to use this list. Usually this is a priority that is set by the management of the organization. And the order may change based on the time of year. There may be applications that are more important at the end of the year and other applications that are more important at the end of a quarter.

You have many options when it comes to backups. You could backup to tape, you could backup the data to disk, or you could back it up to an optical drive. Databases may backup using replication, where you have online duplications across multiple different database servers. Or there may be online backups. Databases usually require a specialized backup process to ensure that you’re able to capture all of the data in the database.

If you have emails, then there will be email backups that need to occur. This could be to a separate server, a separate database, or you may have backups built into every mailbox. It’s common to backup operating systems using snapshots, especially in today’s virtual environments where the hypervisor can take a snapshot of an operating system and capture everything about that operating system at a specific date and time. And system administrators may gather system backups where they’re able to rebuild an entire system from bare metal using just the backup images that they previously created.

Many operating systems will use an attribute to the file called an archive bit. This identifies that the file is ready for archiving, and usually that bit is set anytime a particular file is modified. If you were to then perform a full backup of all of the files on the drive, all of the archived bits will be reset or cleared, and the next time you would modify a file, you would see that the file archive bit would be set again.

There are a number of different strategies for backing up files in an operating system. One is to perform a full backup, which copies every single file every time you perform a backup. And regardless of the type of backup that you plan to do, you’ll usually start with a full backup in every case. With an incremental backup, you’re backing up all of the files that have been changed since the last incremental backup. And with a differential backup, you’re backing up all of the files that were changed since you performed a full backup.

Here’s how an incremental backup might work. You would start on Monday by performing a full backup. On Tuesday, we’re only going to backup any files that have been incrementally changed since our last full backup. And on Wednesday, we’re only going to back up any files that have been changed since both the full backup and the previous incremental backup.

On Thursday, we’ll perform another incremental backup, which has a unique set of data– only the files that have been changed since the previous backups have occurred. To be able to then recover from all of these incremental backups, we need both the full backup and all of the individual incremental backups to be able to create an entire full recovery of all of the data.

A differential backup works a little bit differently. We do start with the same full backup as we saw with the incremental backup. And then on Tuesday, we create a differential backup of anything that may have changed since the full backup. On Wednesday, we create another differential backup that is also everything that has changed since the full backup up. And Thursday is the same differential backup that backups all the files that have changed since the full backup.

Since we now have this differential update, whenever we need to perform a recovery, we only need the last full backup and the last differential backup that was created. On our full backup, you saw that we were able to gather all of the data that we had stored on that system. It does take a long time to backup, but a relatively short time to restore this information since you only need the one tape set to be able to restore an entire full backup. And once you perform a full backup, that Archive attribute is cleared.

For an incremental backup, we’re backing up only the new files and files that were modified since the last backup. Very quick backup time, but we will need multiple tape sets to be able to restore this backup. And again, after an incremental backup, we are clearing out all of the archived bits from all of the files.

And lastly, the differential backup, which backs up all data modified since the last full backup, it’s a moderate backup time and a moderate restore time, because you only need the last full backup and the last differential backup that was made. And the Archive attribute on a differential backup does not clear anything so that we’re able to create an additional differential backup every day.