What is in an image backup

Posted at Sep 24, 08:12h in microsoft Macrium Software, Marketing Categories: microsoft, macrium-reflect, image-backup, v

This article will cover the details of what is included in a Macrium image backup.

A disk is divided into multiple partitions. On each partition, the allocation of space and indexing of data is managed by a file system. The Macrium imaging process takes a copy of the data underlying the filesystem. This, with a copy of the ‘metadata’ outside the filesystem, represents a faithful copy of everything stored on a disk enabling a system to be returned to a bootable state if a hard disk is corrupted or otherwise fails.

What is always excluded

Page & Hibernation files

To minimise the size of the image file, the page and hibernation files are always excluded. These contain data discarded when Windows reboots, and consequently are not useful to restore a system to a bootable state.¹

The shadow copy storage area

Windows creates VSS snapshots at various points, as does Reflect as part of the backup process. While the snapshot is live, the copy on write process intercepts all writes to the disk, storing the data that is about to be over-written in the shadow copy storage area (also known as the diff area). The size of this diff area can be considerable. This is why pre-restore system restore points are not available in a restored system.

The diff area data is not excluded from image backups created in the Macrium rescue environment. The exclusion of the diff area is orchestrated by the VSS system optimisation writer, however the Windows snapshot subsystem is not available in Windows PE or RE. Therefore, you will find that image backups taken in the rescue environment will be larger.²

What is optionally excluded by Intelligent sector copy mode

Reflect has two imaging modes Intelligent Sector Copy (the default) and Forensic Copy.

Filesystems allocate storage blocks as files are created and appended and deallocate blocks when a file is deleted. Intelligent sector copy mode only reads active blocks. This speeds up the backup process and reduces the size of the backup.³ For all normal purposes, this is the correct option and will enable a system to be restored from scratch.

The alternative mode, Forensic Copy, will include every storage block⁴ in the backup (excluding the data discussed above). This potentially enables the recovery of deleted files as deallocated data is also included in the backup. For SSD based storage, this option has no utility and will only have the effect of slowing down the backup process.⁵

Footnotes

[1] https://en.wikipedia.org/wiki/Paging

[2] Unfortunately, the inclusion of the diff area in rescue environment backup does not mean you will be able to recover your system restore points. The snapshot is invalidated on reboot as the diff area must remain in complete sync with all filesystem activity, and this cannot be maintained where there is a possibility of a foreign mount.

Read more about VSS here …
https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service

[3] A storage block is the minimum allocation unit of a filesystem. For NTFS, it is called a cluster. It is made up of a contiguous block of sectors. A sector is the minimum addressable unit of data on a disk, and typically represents 512 or 4096 bytes.

[4] The size of the backup won’t be reduced by as much as you expect as compression will radically reduce the storage required for runs of zeros.

[5] On SSD based media, a TRIM command is executed for de-allocated sectors. In response, the SSD firmware will internally de-allocate the sectors from its page store (a page is the smallest unit of SSD storage that can be erased). Subsequent reading of de-allocated sectors on SSDs will not return the originally stored data; typically it will just return zeros.
https://en.wikipedia.org/wiki/Trim_(computing)
This presents an ongoing issue for legitimate computer forensics requiring the use of undocumented factory SSD commands to extract the de-allocated data.


Previous Post

What is in an image backup

Next Post

What else can I do with WinPE?