Validate Backup Integrity Before Restoration
Validate backup data integrity before using it to restore compromised systems. Scan backups for malware, verify timestamps predate the compromise, and test restores in isolation.
Actions
1. Inventory all backup sets: document date, type (full/incremental), storage location, and retention status.
2. Select backups predating T-start (the earliest known compromise time) by at least 24-48 hours to account for potential early, undetected access.
3. Mount the backups in an air-gapped test environment. Do NOT connect them to the production network.
4. Scan with multiple AV engines (`clamscan -r --infected /mnt/restored_backup/` plus an EDR scan) and run the investigation's YARA rules and IOC lists against the mounted data.
5. Verify application functionality on the restored data: database integrity checks, critical data validation.
6. Hash the verified clean backups and document them as the approved restoration source.
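Steps 2 and 6 above as an added Python example (not part of the original playbook): it filters a constructed inventory down to sets taken at least 48 hours before a hypothetical T-start, then builds a streamed SHA-256 manifest of a mounted, already-scanned set and writes it as the approval record. The inventory entries, `T_START` and all paths are constructed values.

```python
"""Added helper for checklist steps 2 and 6 (example code, not part of the
playbook). The inventory, paths and T_START below are constructed values."""
import hashlib
import json
from datetime import datetime, timedelta
from pathlib import Path

# Step 1 output, constructed: one record per backup set.
INVENTORY = [
    {"id": "full-0601", "type": "full", "taken": "2024-06-01T02:00:00+00:00"},
    {"id": "incr-0603", "type": "incremental", "taken": "2024-06-03T02:00:00+00:00"},
    {"id": "full-0605", "type": "full", "taken": "2024-06-05T02:00:00+00:00"},
]
T_START = "2024-06-06T09:30:00+00:00"  # hypothetical earliest evidence of compromise


def select_candidates(inventory, t_start, margin_hours=48):
    """Step 2: keep sets taken at least margin_hours before T-start, newest
    first, so the most recent plausibly-clean set is tested first."""
    cutoff = datetime.fromisoformat(t_start) - timedelta(hours=margin_hours)
    picked = [b for b in inventory if datetime.fromisoformat(b["taken"]) <= cutoff]
    return sorted(picked, key=lambda b: b["taken"], reverse=True)


def hash_backup_set(root, chunk=1 << 20):
    """Step 6: SHA-256 every file under a mounted, already-scanned backup set,
    streamed in chunks so multi-GB images do not need to fit in memory."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def record_approval(root, backup_id, out_path):
    """Write the manifest as the documented approved restoration source;
    re-running hash_backup_set before restore must reproduce it exactly."""
    record = {"backup_id": backup_id, "sha256": hash_backup_set(root)}
    Path(out_path).write_text(json.dumps(record, indent=2, sort_keys=True))
    return record
```

Re-hash the set immediately before the restore and compare against the stored manifest; any difference means the approved source was modified after sign-off.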
Queries
KQL (Event table):
// Detect VSS deletion indicating backup tampering
Event
| where Source == "VSS" or Source == "VolSnap"
| where TimeGenerated between (datetime(T_START) .. now())
| where EventID in (8193, 8194, 36)
| project TimeGenerated, Computer, EventID, RenderedDescription
Splunk (SPL):
index=wineventlog sourcetype=WinEventLog:System (SourceName="VSS" OR SourceName="VolSnap") (EventCode=8193 OR EventCode=8194 OR EventCode=36) earliest=T_START
| stats count by host, EventCode, Message
| sort -count
Notes
Ransomware operators routinely destroy backups before encrypting. Check for VSS deletion, backup agent tampering, and unexpected access to the backup repository.
Cloud backups with immutable storage may have survived even if on-prem backups were destroyed.