Cybersecurity Certification Tip – The Archive Bit and Backups

Cybersecurity Certification Tip – The Archive Bit and Backups

Although I am featuring the CISSP logo in this article, the information that follows could be useful for students pursuing a number of cybersecurity certifications (CASP+, CySA+), as well as IT fundaments courses such as the CompTIA A+

This article is the result of a longer email string that passed between one of my students and me.  It has to do with the role of a type of file metadata, the Archive Bit.  Understanding the role of the archive bit will help the certification test taker answer correctly any questions dealing with the different types of backups.


The first piece to understand is the role of the Archive Bit in File Attributes.  When the Archive Bit is set to 1, it is “turned on” to indicate to the backup software that this file is new or changed since the last backup, and needs to be backed up.  When a file is created for the first time the Archive Bit is set to 1 or “on”.  Any time a file is opened and modified and then saved, the Archive Bit will be changed from 0 or “off” to 1, and is now to be included in the next backup of any type.

Full Backup does what you would expect.  It backs up EVERYTHING, all files with archive bit set to 1 or 0.  A Full backup resets any 1 archive bits back to 0.

A Full Backup takes the longest to complete the backup process.  But a Full Backup is the quickest to restore, because it only requires a single backup file to restore everything.  In reality, a Full Backup takes about the same time to backup as to restore, so why it is the quickest restore may seem confusing.  It is because it only requires the one backup.  All will be explained as we continue.

An Incremental Backup only looks for files that are new or modified with archive bits set to 1.  It backs up just those files, and resets the archive bit to 0.

This is the quickest backup method, because the backup only copies new or changed files, and ignores files that were backed up previously and have an Archive Bit set to zero.  But this is the method with the longest restore time.  Why?  Because you have to restore more than one backup.

Let’s say you have a Full Backup from the weekend.  On Monday some new files are created and existing files are opened, modified, and saved, and those files have the archive bit set to 1.  On Monday evening we make an Incremental Backup, and reset the archive bit to zero.  Incremental Backups are also made on Tuesday, and Wednesday.  The system crashes on Thursday and needs to be restored.  You would need to restore the Full Backup from the weekend plus the three Incremental Backups from Monday, Tuesday, and Wednesday, for a total of four restorations, which takes the most time.

Differential Backup is “different” as it does NOT reset the archive bit to 0, it leaves them unchanged.  A Differential Backup backs up all files with the archive bit set to 1, but DOES NOT reset the Archive bit – this is the “different” part in differential.

Why is this?  Let’s compare using Differential Back to the Increment Backup we did before.  On the weekend I do a Full Backup and all the archive bits are set to zero.  On Monday some new files are created and existing files are opened, modified, and saved, and those files have the archive bit set to 1.  We make a Differential Backup of all the files that were new or changed since the Full Backup.  We leave the archive bit set to 1.  On Tuesday we run another Differential Backup and this time be backup everything new or changed on Monday and Tuesday.  On Wednesday we do it again, and copy new and changed files from Monday, Tuesday, and Wednesday.  Each day the backup process takes a little longer, and the backup file gets a little bigger.

On Thursday we have our system crash, and to restore, we need two backups only, the Full Backup from the weekend, and the Wednesday Differential Backup.  In terms of backup and restore times, Differential is quicker to backup than Full, but longer than Incremental.  Restoring takes less time than Full and less time than Incremental, so speed-wise, Differential falls between Full and Incremental.

The fourth type of backup is the Copy Backup.  This is simply copying files using File Explorer and the Copy/Paste function in Windows.  This is handy for backup up information before working on a system.  It does not change the archive bit, and only copies the files selected.

Hopefully this helps you to understand the role of the Archive Bit in backups.

Type Backup Sets Archive Bit Backup Time Restore Time
Full Backup Everything To zero Longest Shortest
Incremental Archive set to 1 To zero Shortest Longest
Differential Archive set to 1 1 (No change) Medium Medium
Copy Selected files No change Variable Variable

Questions in the exam tend to present a scenario where a admin or  manager is picking a backup method based on criteria such as which is the fasted type to backup, or the fastest to restore.  Also there are questions about how many backup sets will be required to restore after a failure.


November 2022


The Four CISSP Exam Frameworks A good way to look at the CISSP exam is to view in through the lens of four different frameworks: CIA: Confidentiality, Integrity and Availability. Technology: technical skills. Management: what is the best approach to do something from a security manager’s perspective? Risk: risk management which is very important topic in the exam Every time you see a CISSP question, you should be able to look it from one of those perspectives or frameworks. If you get a question about symmetric vs asymmetric encryption, then that’s the technology perspective and the question is testing your technical knowledge. A question about the company’s best approach for security, is challenging your management perspective, and here you should put your self in the place of a security manager and think how would a security manager act in the situation. Then you have questions about availability vs confidentiality vs integrity and this is the CIA perspective, while a question about the annual loss expectancy (ALE) is related to risk management. What is the difference between differential and incremental backups? The difference in incremental vs. differential backup is that, while an incremental backup only includes the data that has changed since the previous backup, a differential backup contains all of the data that has changed since the last full backup.1

Leave a Reply