Backups feel like the easy part of Security+. You run a full backup, then smaller ones through the week, and you restore when something breaks. Then the exam hands you a scenario with a failure on Thursday afternoon and asks how many backup sets you need to get the data back, and the "easy" topic quietly costs you a question.
The confusion almost always comes down to one thing people skip: what each backup type does to the archive bit. Get that, and the rest falls out on its own.
Quick refresher on the archive bit. Every file carries a flag that means "this changed since the last backup." Creating or modifying a file sets the bit. Backup software reads that bit to decide what to copy, and depending on the type, it either clears the bit afterward or leaves it alone. That one behavior is the whole game.
Full backup. Copies everything, every time, and clears the archive bit on every file. One full backup is a complete picture of your data at that moment. Slow to run and heavy on storage, but the fastest and simplest to restore, because everything you need lives in a single set.
Incremental backup. Copies only what changed since the last backup of any kind, then clears the archive bit. Monday's incremental grabs what changed since Sunday's full. Tuesday's grabs only what changed since Monday. Each one is small and quick to create. The cost shows up at restore time: you need the last full plus every incremental in order, because each one holds a single day of changes.
Differential backup. Copies everything changed since the last full backup, and leaves the archive bit set. Because the bit stays put, each differential keeps growing through the week. It holds Monday's changes, then Monday and Tuesday, then Monday through Wednesday, and so on. Bigger and slower to create than an incremental, but to restore you only need two things: the last full and the most recent differential.
Here is the tradeoff the exam keeps circling. Incremental is cheap to back up and expensive to restore. Differential is pricier to back up and cheap to restore. Full is heavy on both storage and runtime but gives the simplest recovery of all. There is no best one, only the one that fits your recovery time objective and your storage budget, which is the reasoning the question is really checking.
Now the scenario that catches people. You run a full backup Sunday night. You run differential backups Monday through Thursday. The array dies Thursday afternoon. How many backup sets do you need to fully restore?
Two. The Sunday full and the Thursday differential. That is the whole point of differential: the most recent one already contains every change since the full, so the days in between come along for free.
Change one word and the answer flips. Make those Monday-through-Thursday backups incremental instead, and now you need five sets: the Sunday full plus all four incrementals, restored in order, because each incremental only holds one day. Same failure, same day, completely different answer, and the only thing that moved was the backup type. That one-word pivot is what the exam builds whole questions around.
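The Sunday-to-Thursday scenario above, as an added example that is not part of the original post: a small simulation that tracks the archive bit per file and derives which backup sets a restore needs. The file names and the daily change log are constructed, and it assumes one nightly backup type per week.

```python
# Added example: constructed file names and change log, not real backup software.
FILES = ["a.docx", "b.xlsx", "c.pdf", "d.txt", "e.cfg"]
CHANGES = [("Mon", {"a.docx"}), ("Tue", {"b.xlsx"}),
           ("Wed", {"a.docx", "c.pdf"}), ("Thu", {"d.txt"})]

# How each type treats the archive bit, as described in the post.
COPIES_EVERYTHING = {"full", "copy"}
CLEARS_BIT = {"full", "incremental"}

def run_backup(kind, archive_bit):
    """Return the files this job copies; clear bits only if the type does so."""
    if kind in COPIES_EVERYTHING:
        copied = set(archive_bit)
    else:
        copied = {f for f, bit in archive_bit.items() if bit}
    if kind in CLEARS_BIT:
        for f in copied:
            archive_bit[f] = False
    return copied

def simulate_week(nightly_kind, changes=CHANGES):
    """Sunday full, then one nightly_kind job after each day's changes."""
    archive_bit = {f: True for f in FILES}   # new files start with the bit set
    sets = [("Sun", "full", run_backup("full", archive_bit))]
    for day, modified in changes:
        for f in modified:                   # modifying a file sets its bit
            archive_bit[f] = True
        sets.append((day, nightly_kind, run_backup(nightly_kind, archive_bit)))
    return sets

def restore_chain(sets):
    """Sets needed to restore the latest state (one nightly type per week)."""
    last_full = max(i for i, s in enumerate(sets) if s[1] == "full")
    later = sets[last_full + 1:]
    if later and later[-1][1] == "differential":
        later = later[-1:]                   # newest differential covers the rest
    return [sets[last_full]] + later

if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        week = simulate_week(kind)
        print(kind, "set sizes:", [len(s[2]) for s in week[1:]])
        print("  restore needs:", [s[0] for s in restore_chain(week)])
```

The nightly set sizes show the other half of the tradeoff: the differential sets grow each night while the incremental sets stay small.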
A couple of things people trip on past the core three. A copy backup grabs everything like a full but does not touch the archive bit, so it will not disrupt an incremental or differential schedule that is already running. And backup frequency ties straight to your recovery point objective: if you can only afford to lose an hour of data, a nightly job does not meet that no matter how fast it restores. The exam blends backup-type questions with RPO and RTO language on purpose, so read for which one the scenario is actually testing.
To lock it in, practice the way it shows up. Take a blank week, pick a failure day, and work out the restore steps for both incremental and differential from memory. Then flip it: given a restore procedure, name the backup type. Once you can go both directions without looking anything up, backup questions turn into free points instead of a coin flip.
If you want questions that pull this exact move on you, there is a set of practice questions and a free diagnostic exam at secplusmastery.com/diagnostic. Better to find out whether the one-word pivots catch you before the real exam does, not after.