How to provide evidence a hard disk has been recovered in Windows?

CIP regulations are requesting proof that a hard drive has been recovered to prove a recovery process has been completed. I am not sure why that matters as we have proof we ran the recovery process, but they want proof that the drive is a "recovered" drive. I have no idea if that is possible since a recovered drive is identical in every way with the exception of the drive ID. The want more than that, which makes no sence but we are trying here.

Any ideas on if there are any identifying factors in the image on the drive that proves it was a recovered drive?

We use both Windows backup and Macrium. To my knowledge neither one has an "identifier" on the local drive to show it was created from an image?

Thanks for any help here. We can't use any other product either, strictly restricted lol.

With Windows backup it was a Windows backup, with Macrium it has been done with both an image and a backup. Have you an answer for either? We can use either way as long as it shows proof.

Thanks

Open Macrium and select Log. Scroll down to Image Restore and it will show everything that was restored.



Jim

Technomomo said:

CIP regulations are requesting proof that a hard drive has been recovered to prove a recovery process has been completed.

I am certainly no expert, but I read the CIP-009-5 requirements as saying that sufficient evidence would be dated documentation that a recovery took place and was successful.

Evidence must include, but is not limited to, documentation that collectively demonstrates implementation of each of the applicable requirement parts in CIP-009-5 Table R2 – Recovery Plan Implementation and Testing.

...

Examples of evidence may include, but are not limited to, dated documentation of:

• An operational exercise at least once every 36 calendar months between exercises, that demonstrates recovery in a representative environment; or
• An actual recovery response that occurred within the 36 calendar month time frame that exercised the recovery plans.

https://www.nerc.com/pa/Stand/Reliab.../CIP-009-5.pdf

Great responses all. Thanks for the information.
We get a CIP audit every 3 years and in that audit the individuals that are auditing us do follow the CIP regualations and requirements that you all are referencing, but if anyone has been through a CIP audit, they deviate away from those regulations and add to them at will. The ability to argue with CIP is futile as they have the ability to dig and request more information than the regulations state. There are also many different ways that those regulations can be understood, i.e. Word Man's perspective.

I can only tell you what we are being told. I am aware of the CIP regulations and documentations as we live by them sadly. We are just having to apease the auditors, which is like trying to read a phone book to become Harry Potter.

We do have a recovery plan and several procedures, procedures for every single thing we do at any given point to be precise. We need to move past this point.

In the systems that we recover using Macrium, I may be able to use the information from Phone Man. With Windows and the backuplog, there is not much information in that log on the PC I checked on. I will build an image in a short bit and test again. I will be testing both of these today and will post an update.

Please continue to offer me news and information or ideas as this is super helpful. Thanks everyone.

- - - Updated - - -

Thanks everyone. I did find that the Macrium logs do get populated into the image recovered, even when booting to the recovery media. Very cool.

The Windows backup logs are about as agrivating as the Windows backup is. I appreciate the option but we are moving past that as much as possible. I think there is a reason you don't see "Windows Backup" for sale anywhere lol. (correct me if I am wrong here)

I have come to the conclusion that if you want to have proof of recovery for any system, you need to use an imaging software outside of Microsoft. Cloning does not offer the type of logs to prove a recovery since with a cloned drive you usually just swap drives and keep going. There is no "recovery" at that point.

Macrium works fantastic although we do use Avamar (another headach when working with a critical/non-critical network environment. We are looking into Acronis which is a proven leader in this area.

Thanks again. I will log this post as solved.