I read elsewhere where someone wanted to know if an infected computer could
be restored to an uninfected condition by using a system image made prior to
the infection. (They’d used a 3rd party software and not the Win7 backup and
recovery utility.) The response was that as long as the image itself isn’t
infected restoring that image was just as good as reformatting and installing
Windows from scratch.
But they still suggested reformatting first, just to be safe.
I’ve used the Win7 utility to restore my computer to a previous system
image. I boot my machine using the system repair disk and follow the prompts to
restore to a previous system image. I get a warning dialog box that performing
this action will erase everything from the hard drive and do I really want to
proceed (or something to that effect.) Is that not the reformatting process?
Don’t all imaging software like Acronis, etc require a reformat before
installing the image to make sure the hard drive is free of malware?
Reformatting isn’t always reformatting, and erasing doesn’t always mean
erasing depending on what type of erasing you’re talking about.
Confused yet? You probably should be. 
Yes, restoring an uninfected backup image of your system should be just as
effective as a reformat/reinstall. I wouldn’t bother with the reformat
first.
But if that’s the case, why all the waffling about reformatting and
erasing?
]]>
File Storage and File Deletion
A quick refresher on an important aspect of how files are stored in a hard disk.
There are two parts – the information about the file stored in a “directory” – what you see as a listing of the contents of a folder in Windows Explorer – and the file itself; its actual contents. These are two separate things.
When you delete a file (and I do mean really delete, not just move to recycle bin – we’re talking emptying the recycle bin here), all that does is remove the information about the file in the directory. The file’s data remains untouched somewhere on the hard drive. Since where the data is stored is technically no longer in use by a file, eventually it may be overwritten by some other file. Until that happens, though, the data’s still around.
Concepts like “secure delete” are about making sure that the data is also actually erased, and concepts like “undelete” are about recovering the data before it’s overwritten.
Format vs. Format
When you format a disk you’re emptying it and preparing it for use. However, there are two kinds of format operations: quick and unconditional (or just “not quick”).
A quick format simply overwrites the information in the root folder of the drive to indicate that there’s nothing on the drive. That’s all. It doesn’t actually go out and erase/overwrite the data, it just removes the information that says data was there. That data, however, remains potentially recoverable by data recovery tools.
You get the big warning that you’re about to delete all data because, well, the hard disk looks empty. You’ve removed the information about where to start looking for all the files that used to be on it. As you proceed to install Windows or restore your backup the data for the files that used to be there will be overwritten.
On the other hand, the “not quick” format actually overwrites all the data. It writes the root folder, as above, but then methodically goes out and writes nonsense data to the entire hard dirk, overwriting everything that was on it before.
If a format takes 10 seconds: it was quick. If it takes several minutes, it’s not quick.
In both cases, the drive is “empty” and all files have been deleted. In one case there’s a possibility of using recovery tools to retrieve data that was on the drive, and in the other case there’s not (save some advanced and expensive techniques that are well beyond the scope of this article, not to mention most people’s budgets).
Restore vs. Restore
To be clear, a restore performed by a backup program typically does not format the hard disk first. However, depending on the type of backup and restore, the net effect of performing a restore can be similar.
There are two types of “images” and as a result two types of restores associated with them.
-
Disk Image: A disk image is a complete image of your hard disk. It basically ignores things like files and file structures and just copies the bits it finds on the entire disk surface. The means that both space used by files as well as space not currently used by files is backed up.
Yes, that means that any data that might have been left around in the unused space is also actually backed up.
When a disk image is restored every bit of data that’s on the hard drive before the restore is overwritten with the backup copy. The net effect is that what was on the hard drive before is completely erased and replaced with the backup – both files and unused space both.
-
System Image: A system image is what most “image” backup programs actually create. It’s a complete snapshot of your system, but taken file by file. Empty space is ignored. A system image will simply contain a backup copy of every file on your system at the time the backup was taken, and with the exception of some possible boot and administrative information, nothing more.
When you restore a system image completely, it’s a two step process:
-
Erase the current contents of the drive by overwriting the information in the root folder.
-
Copy the backed-up files back.
You might recognize that first step as being very similar to a quick format.
The important part to notice here is that areas of the disk that are not touched by that “copy the files back” operation are not overwritten in this process at all. Those areas continue to hold whatever they held before. This is unreferenced data, but it’s data nonetheless. A recovery tool could scan all this unused space and potentially recover files.
-
Format vs. Restore (vs. Malware vs. Paranoia)
Regardless of which approach you take – formatting or restoring an image backup – all prior files are “deleted” in the traditional “empty-the-recycle-bin” sense. Any malware that might have been on the machine is no longer accessible.
So a format prior to a restore is pretty much redundant if you’re looking for protection from malware that was on the machine before.
However…
If we step away from malware for a moment and consider data security things start to look a little different.
If you have a system image backup and restore it, anything that was on the machine prior to the restore is definitely deleted – again in the “empty-the-recycle-bin” sense – but the data might still be lying around in the areas of the hard disk that remain unused. That’s a potential risk only in that someone could come along with a data recovery tool and attempt to recover some of those pre-existing files that weren’t overwritten by the restore.
That’s where paranoia – and perhaps a format – comes in. An unconditional (i.e. not quick) format that overwrites the entire hard disk before the restore will ensure that any prior data is truly gone from all areas of the disk. (Alternately, after the restore one could use a “free space wiper” to achieve the same effect.)
So what about the fragmentation? When you restore a system image (not a sector-by-sector image), will the original offsets be used or will the files all be consecutive, effectively defragmented?
03-Jul-2010
Does a root kit survive a restore from an image?
03-Jul-2010
Is Acronis TrueImage a Disk Image or System Image as described above?
07-Jul-2010
Very enlightening article. I do backups all the time, but I didn’t know some of what you mentioned about them. My computer has started being uncooperative lately, and I had to restore it. I am using Maxtor MaxBlast, and it has an option to “wipe” the entire drive before reinstalling the image. I did not “wipe” the drive, and I am not sure if that means formatting or not. In any case, not sure what the problem is, but reinstalling with the image did not work. I also had some Windows and Adobe updates install previous to attempting to restore, and the same ones installed immediately after the restore. The problem did not arise until after these updates occurred. I have to reinstall the image yet again and prevent the updates and hope that was the real problem. If not, my image is useless and I will have to reinstall and start from scratch.
I have the following question related to the subject matter of system images and disk images.
I have read that a true and correct system image must be created on a sector-by-sector basis.
Is this, in fact, so and then why?
Sector-by-sector images require considerably more storage space on the back-up medium.
10-Jul-2010
I had a disk image of a 60 gig drive, then it died. I got a bigger 200 gig drive and restored the image to it. Now it’s also 60 gig.
What happened to the extra 140 gig? What did I do wrong? How do I do it right? Thank you.