# Recovery and restoration tools and techniques

## Common recovery and restoration tools

* Imaging software
* Spare/replacement hardware
* Device management suites
* Change and configuration baselining tools and documentation
* System monitoring suites

Most of these will already exist as part of normal IT operations

## Imaging software

Infected or destroyed systems need to be re-imaged

May be under the umbrella of IT

Verify images are not compromised before using
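
One way to carry out the image check above, as an added example that is not part of the course material. It assumes a SHA-256 manifest in `sha256sum` layout that was recorded when the images were built and is stored away from the image share; the function names, file names and file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so multi-gigabyte images are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'digest  filename' lines (sha256sum layout) into {filename: digest}."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            digest, name = line.split(None, 1)
            entries[name.strip().lstrip("*")] = digest.lower()
    return entries

def verify_images(image_dir, manifest_text):
    """image_dir is a pathlib.Path. Returns {filename: status}; use only 'ok' images."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, digest in expected.items():
        path = image_dir / name
        if not path.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if sha256_file(path) == digest else "mismatch"
    # A file with no manifest entry has no known-good reference: do not trust it.
    for path in sorted(image_dir.iterdir()):
        if path.is_file() and path.name not in expected:
            results[path.name] = "unlisted"
    return results

def demo():
    """Constructed sample: small stand-in files instead of real disk images."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "server.img").write_bytes(b"server golden image")
        Path(d, "workstation.img").write_bytes(b"workstation image, modified")
        Path(d, "extra.img").write_bytes(b"image nobody recorded")
        manifest = "\n".join([
            hashlib.sha256(b"server golden image").hexdigest() + "  server.img",
            hashlib.sha256(b"workstation image").hexdigest() + "  workstation.img",
            hashlib.sha256(b"laptop image").hexdigest() + "  laptop.img",
        ])
        return verify_images(Path(d), manifest)
```

The check is only as trustworthy as the manifest, so keep the manifest where a compromise of the imaging server cannot rewrite it.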

## Hardware

Some incidents may require replacement of hardware

* Physical intrusion and compromise
* Physical intrusion where equipment is destroyed
* DDoS that causes CPUs to get so hot that the motherboard is damaged

## Device management suites

Some of the restoration activities may be part of these suites already

Makes it easier and more efficient when restarting large numbers of devices

Work with IT on access and/or licensing

## Change and configuration baselining tools

Official baselines will help you establish "normal" operations

There may be lag time between system updates and image refreshes

In larger organizations, changes to systems may still be happening during the incident

Smaller organizations without change management should rely on baseline documentation

## System monitoring tools

Need to be able to monitor systems for any recurring abnormal behavior

Can also help with establishing new baselines

* I.e., updates to new hardware or software due to a breach may cause a slight change in system behavior
  * Abnormal or new behavior may not be malicious

