In my experience, there's almost an even split between computer system problems caused by worms and viruses and problems caused by applying software updates and security patches. If you keep regular system backups and always make a complete backup of your system before applying a software update, you're probably in the minority. Even some enterprise systems aren't fully archived to tape systems, simply because tape drives have less capacity than modern hard drives.
After my last hard drive exceeded the capacity of my tape system by about 20 GB, I neglected to back up my workstation for a while. Of course, as Murphy's Law predicts, I had problems at the worst possible time. I don't know exactly what happened, but Microsoft Image Composer refused to run after I installed a new application.
After this event, I realized that having an image backup of my hard drive would have allowed me to recover from either a system compromise or a botched software install or update in minutes, rather than in days. For example, I could have recovered from that recent Windows XP security update in minutes if I'd had a backup IDE hard drive.
Back up one hard drive to another
Most Wintel systems can have up to four IDE devices installed, and most computers probably use only two or three IDE devices. To make image backups using a hard drive, all you need is another hard drive that's at least as large as the one you have and an image copy program. I use large IDE hard drives for image backups since they're quite affordable.
Norton Ghost, frequently included with boxed replacement IDE hard drives, is a popular program that effectively makes image copies of one hard drive to another. I've seen 20-GB IDE drives for as low as $50, which is probably less than the cost of replacing one when your computer crashes after you've been infested with the latest worm. If a hacker trashes your system, you can easily ghost your primary hard drive from the backup hard drive and simply reboot.
Remember that image backups aren't for data redundancy; they're for emergency archival backup. Also, a hacked system using RAID is still trashed and must be restored from an archival copy.
How to make image backups on UNIX
On UNIX, the two most common archival tools are tar and cpio, but I prefer to use the dd utility, which copies the raw sectors from one device to another. (You can also use dd to make image copies of hard drives used in Windows systems.) On my Linux system, I switch to single-user mode and use this command to copy my primary IDE hard drive in its entirety to the secondary mirror drive:
dd if=/dev/hda of=/dev/hdb bs=1k count=`cat /proc/ide/hda/capacity`
Specifying the count argument as a shell command, as I've done in this example, is a simple way to supply the correct number of 1-KB blocks to copy. It relies on a feature of the Linux proc filesystem that may not be available on your system. If it isn't, you'll need to know how many 1-KB blocks your hard drive holds to make this command work properly.
To restore from the backup drive, you can use a rescue floppy or you can change jumpers and reboot, which is the method I prefer.
When you're using Norton Ghost or the UNIX dd command to create image backups, keep a couple of things in mind. First, create an image backup before you install a software update, just in case the update fails. Second, make sure your machine isn't already compromised—although an image of a compromised system can be useful for forensics, since it lets you return the compromised machine to service without losing the evidence.
The bottom line
Tape drives haven't decreased in cost or increased in capacity as rapidly as IDE hard drives have, but they're not dead yet. Still, they're not my preference when I need to quickly restore a damaged or compromised system. A second archival hard drive is also handy if the primary hard drive fails—something that hard drives have a nasty habit of doing at the worst possible time.
This article was originally published in the Internet Security Focus e-newsletter.