Cybersecurity Certification Tip – The Archive Bit and Backups

Although I am featuring the CISSP logo in this article, the information that follows could be useful for students pursuing a number of cybersecurity certifications (CASP+, CySA+), as well as IT fundaments courses such as the CompTIA A+

This article is the result of a longer email string that passed between one of my students and me.  It has to do with the role of a type of file metadata, the Archive Bit.  Understanding the role of the archive bit will help the certification test taker answer correctly any questions dealing with the different types of backups.

The first piece to understand is the role of the Archive Bit in File Attributes.  When the Archive Bit is set to 1, it is “turned on” to indicate to the backup software that this file is new or changed since the last backup, and needs to be backed up.  When a file is created for the first time the Archive Bit is set to 1 or “on”.  Any time a file is opened and modified and then saved, the Archive Bit will be changed from 0 or “off” to 1, and is now to be included in the next backup of any type.

A Full Backup does what you would expect.  It backs up EVERYTHING, all files with archive bit set to 1 or 0.  A Full backup resets any 1 archive bits back to 0.

A Full Backup takes the longest to complete the backup process.  But a Full Backup is the quickest to restore, because it only requires a single backup file to restore everything.  In reality, a Full Backup takes about the same time to backup as to restore, so why it is the quickest restore may seem confusing.  It is because it only requires the one backup.  All will be explained as we continue.

An Incremental Backup only looks for files that are new or modified with archive bits set to 1.  It backs up just those files, and resets the archive bit to 0.

This is the quickest backup method, because the backup only copies new or changed files, and ignores files that were backed up previously and have an Archive Bit set to zero.  But this is the method with the longest restore time.  Why?  Because you have to restore more than one backup.

Let’s say you have a Full Backup from the weekend.  On Monday some new files are created and existing files are opened, modified, and saved, and those files have the archive bit set to 1.  On Monday evening we make an Incremental Backup, and reset the archive bit to zero.  Incremental Backups are also made on Tuesday, and Wednesday.  The system crashes on Thursday and needs to be restored.  You would need to restore the Full Backup from the weekend plus the three Incremental Backups from Monday, Tuesday, and Wednesday, for a total of four restorations, which takes the most time.

A Differential Backup is “different” as it does NOT reset the archive bit to 0, it leaves them unchanged.  A Differential Backup backs up all files with the archive bit set to 1, but DOES NOT reset the Archive bit – this is the “different” part in differential.

Why is this?  Let’s compare using Differential Back to the Increment Backup we did before.  On the weekend I do a Full Backup and all the archive bits are set to zero.  On Monday some new files are created and existing files are opened, modified, and saved, and those files have the archive bit set to 1.  We make a Differential Backup of all the files that were new or changed since the Full Backup.  We leave the archive bit set to 1.  On Tuesday we run another Differential Backup and this time be backup everything new or changed on Monday and Tuesday.  On Wednesday we do it again, and copy new and changed files from Monday, Tuesday, and Wednesday.  Each day the backup process takes a little longer, and the backup file gets a little bigger.

On Thursday we have our system crash, and to restore, we need two backups only, the Full Backup from the weekend, and the Wednesday Differential Backup.  In terms of backup and restore times, Differential is quicker to backup than Full, but longer than Incremental.  Restoring takes less time than Full and less time than Incremental, so speed-wise, Differential falls between Full and Incremental.

The fourth type of backup is the Copy Backup.  This is simply copying files using File Explorer and the Copy/Paste function in Windows.  This is handy for backup up information before working on a system.  It does not change the archive bit, and only copies the files selected.

Hopefully this helps you to understand the role of the Archive Bit in backups.

Type Backup Sets Archive Bit Backup Time Restore Time
Full Backup Everything To zero Longest Shortest
Incremental Archive set to 1 To zero Shortest Longest
Differential Archive set to 1 1 (No change) Medium Medium
Copy Selected files No change Variable Variable

Questions in the exam tend to present a scenario where a admin or  manager is picking a backup method based on criteria such as which is the fasted type to backup, or the fastest to restore.  Also there are questions about how many backup sets will be required to restore after a failure.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at


  1. bobwyzguy  July 9, 2021

    Question: In Domain 7, there was some discussion on Backup Types and the flag changing and/or staying the same. (e.g., 1 changing to 0, or 1 stays 1). With archive flags does it mean that 0 means no change, and 1 means that there was a change since last back up? or is it vice/versa and is there a better way to understand this? Appreciate any clarification you can provide on this.

    Answer: Regarding backups. The archive bit is quite literally a bit of information a single 0 or 1 in the metadata about the file. When the archive bit is showing as 0 (zero) this means there have been no changes to the file since the last backup. When the archive bit is set to one, it means that the file was just created (a new document) and has not been backed up, or that the file was changed in some way since the last time it was backed up.

    All types of backup will backup any file with and archive bit of 1, this includes Normal or Full, Incremental, Differential, and event Copy

    Normal backup backs up everything every time all the 1s AND all the 0s and changes all the 1 bits to 0 When Normal is finished all archive bits are zeros.

    Incremental backup only backs up anything showing and archive bit of 1 and changes the archive bit to zero.

    Differential backs up anything showing a 1 but, but DOES NOT change the archive bit

    Copy backup does not change anything, just copies what you have selected.


Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.