Procedure 2: Back Up the System Disk for a Windows 8.1 Workstation
1. Using the Internet, research a commercially available system backup tool or application. (Do not use any features or utilities that are part of the Windows operating system.) Then, identify appropriate sources of information and instructions for your selected tool. Using those sources, research the procedures required to:
   - Create a “known good” copy (system backup or complete system image) of the hard drive containing the Windows 8.1 system and installed applications for a workstation in the SCADA lab.
   - Generate a hash code for use in verifying the validity and integrity of the backup file or system image file. (If your backup utility does not provide this, you will need to find a separate tool that will generate an MD5 or SHA-256 hash value for the image file or backup file. See https://www.howtogeek.com/67241/htg-explains-what-are-md5-sha-1-hashes-and-how-do-i-check-them/ for an explanation of file integrity checking using hash codes.)
   You should also research and document best practices for labeling and storing the digital media containing the backup files and/or system image files. The storage location should provide secure storage yet be readily available to incident responders in the event of an incident. The label or storage log should include the hash value for each backup file and system image file.
2. Identify how the backup tool could be used during the preparation phase of the incident response and recovery process. Typical uses include:
   - Create a “known good” backup that contains a complete, verified, and approved system configuration that includes the operating system and all required application software.
   - Create a copy of the original operating system installation (before software applications are installed).
3. Write a guidance document that identifies the tool, explains the capabilities it provides, and then lists and briefly describes the recommended uses identified under item #2. Add a list of resources that can be consulted for additional information. Next, summarize the procedures required to perform the tasks listed under item #1 (do not provide step-by-step instructions). Close your guidance document with a Notes / Warnings / Restrictions section that answers the question “Is there anything else the incident responder needs to be aware of when using this tool?”
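The hash and storage-log steps described above can be illustrated with a short script. This is an added example, not part of the original procedure or of any backup product: it computes a SHA-256 value for an image file, builds a storage-log entry, and re-checks the file against that entry before a restore. The file name, label, and log field names are assumptions chosen for illustration, and the "image" is a small constructed stand-in file.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time; real system images are too large to load whole

def sha256_file(path):
    """Return the SHA-256 hex digest of a file, read in fixed-size chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def make_log_entry(path, label):
    """Build the storage-log record kept with the media (field names are hypothetical)."""
    return {
        "label": label,
        "file": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }

def verify_image(path, entry):
    """Check an image against its log entry before it is used for recovery."""
    if not os.path.isfile(path):
        return "MISSING"
    if os.path.getsize(path) != entry["size_bytes"]:
        return "SIZE_MISMATCH"  # cheap check first; avoids hashing a truncated copy
    if not hmac.compare_digest(sha256_file(path), entry["sha256"]):
        return "HASH_MISMATCH"
    return "OK"

def demo():
    """Create a constructed stand-in image, log it, then alter one byte and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "scada-ws01.img")  # constructed sample file name
        with open(image, "wb") as f:
            f.write(b"constructed stand-in for a system image" * 1000)
        entry = make_log_entry(image, "SCADA-WS01 known good")
        before = verify_image(image, entry)
        with open(image, "r+b") as f:  # same size, one byte changed
            f.seek(10)
            f.write(b"X")
        after = verify_image(image, entry)
        return entry, before, after

if __name__ == "__main__":
    entry, before, after = demo()
    print(json.dumps(entry, indent=2))
    print("before change:", before, "| after change:", after)
```

The log entry is only useful if it is stored separately from the image it describes, since anyone able to alter the image on the same media could also alter a hash kept beside it.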