Validate Backup Integrity Before Restoration

Recovery | P1 | 180 min | Role: IR Analyst

Validate backup data integrity before using it to restore compromised systems. Scan backups for malware, verify timestamps predate the compromise, and test restores in isolation.

Actions

  1. Inventory all backup sets: document date, type (full/incremental), storage location, retention status.
  2. Select backups predating T-start by at least 24-48 hours to account for potential early undetected access.
  3. Mount backups in an air-gapped test environment. Do NOT connect to production network.
  4. Scan with multiple AV engines: `clamscan -r --infected /mnt/restored_backup/` plus EDR scan. Run YARA rules for investigation IOCs.
  5. Verify application functionality on restored data: database integrity checks, critical data validation.
  6. Hash verified clean backups and document as approved restoration source.
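One way to script steps 2 and 6, as an added example that is not part of this playbook: select the backup sets that predate T-start by the 48-hour margin (dropping incrementals that have no usable full backup beneath them), then hash a scanned-clean backup into an approval record. The inventory, the mount directory and the analyst name are constructed sample values.

```python
# Added example, not the playbook's own code: pick backup sets that predate
# T-start by the 24-48 h margin, then hash a scanned-clean backup for the record.
from collections import namedtuple
from datetime import datetime, timedelta, timezone
import hashlib
import tempfile
from pathlib import Path

BackupSet = namedtuple("BackupSet", "name taken_at kind")   # kind: full/incremental

def select_candidates(sets, t_start, margin_hours=48):
    """Backups taken at least margin_hours before T-start, newest first. An
    incremental needs a usable full beneath it, so older incrementals are dropped."""
    cutoff = t_start - timedelta(hours=margin_hours)
    ordered = sorted((b for b in sets if b.taken_at <= cutoff), key=lambda b: b.taken_at)
    usable, have_full = [], False
    for b in ordered:
        have_full = have_full or b.kind == "full"
        if have_full:
            usable.append(b)
    return usable[::-1]

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()                     # streamed: backup files can be huge
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def approve(backup, mount_root, scan_clean, analyst):
    """Approval record with per-file SHA-256; refuses unless step 4's scan was clean."""
    if not scan_clean:
        raise ValueError(f"{backup.name}: scan not clean, not an approved source")
    root = Path(mount_root)
    return {"backup": backup.name, "taken_at": backup.taken_at.isoformat(),
            "approved_by": analyst, "files": {p.relative_to(root).as_posix(): sha256_file(p)
                                              for p in sorted(root.rglob("*")) if p.is_file()}}

def demo():
    """Constructed sample: T-start 2024-03-09 12:00Z and four backup sets."""
    ts = lambda *a: datetime(*a, tzinfo=timezone.utc)
    sets = [BackupSet("inc-0228", ts(2024, 2, 28), "incremental"),
            BackupSet("full-0301", ts(2024, 3, 1), "full"),
            BackupSet("inc-0307", ts(2024, 3, 7), "incremental"),
            BackupSet("full-0309", ts(2024, 3, 9, 10), "full")]
    chosen = select_candidates(sets, ts(2024, 3, 9, 12))
    with tempfile.TemporaryDirectory() as mnt:   # stands in for /mnt/restored_backup
        Path(mnt, "hosts").write_bytes(b"hello")
        record = approve(chosen[0], mnt, scan_clean=True, analyst="ir-analyst")
    return [b.name for b in chosen], record
```

In the sample, full-0309 falls inside the 48-hour margin and inc-0228 has no usable full beneath it, so only inc-0307 and full-0301 survive; the record for the newest of them is what step 6 files as the approved restoration source.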

Queries

// Detect VSS deletion indicating backup tampering
Event
| where Source == "VSS" or Source == "VolSnap"
| where TimeGenerated between (datetime(T_START) .. now())
| where EventID in (8193, 8194, 36)
| project TimeGenerated, Computer, EventID, RenderedDescription

Notes

  • Ransomware operators routinely destroy backups before encrypting. Check for VSS deletion, backup agent tampering, and backup repository access.
  • Cloud backups with immutable storage may have survived even if on-prem backups were destroyed.