Performing Forensic Recovery of a VM Resource

You can restore the detected threat content to a an out-of-place destination or cleanroom environment to support incident response, validation, and deeper threat analysis without reintroducing risk to production data.

Forensic recovery restores the most recent recovery point with all detected threat content including malware, encryption, and anomalies, enabling security teams to conduct thorough investigation and forensics.

Available restore destinations: Out-of-place or clean room.

Start the Wizard

1. From the Command Center navigation pane, go to Security center > Threat scan.

   The Threat Scan page appears.

2. Click the Resources tab to show the resources that are currently scanned by Threat Scan.

   

3. For the resource you want to restore, click the Action button , and then select Restore.

   The Restore wizard appears.

4. Select Forensic and then click Next.

   

   The Restore Options page appears.

   

5. Select the type of restore to perform: Guest files or Full virtual machine, and then click Next.

Restore Guest Files

1. Select Guest files and then click Next.

   The Recovery Location page appears.

   

2. Select Out of place and then click Next.

   The Guest Files screen appears.

   

3. Select the files you want to restore, and then click Restore.

   The Restore options pane appears.

   

4. To restore to the source VM:

   1. Select the Select client tab (the default option).

      

   2. Verify that the source VM is selected in the Destination client box (the default option).

   3. Optional: To use a different VSA access node, change the value in the Access node box.

   4. In the Destination Path box, type the full path to the destination folder.

   5. Unconditionally overwrite if it already exists: Overwrites current state of the VM with the restored VM.

   6. Click Submit.

5. To restore to a different VM:

   1. Select the Other VM tab.

      

      By default, the same access node that was used for the backup performs the restore.

   2. Optional: To use a different access node, change the value in the Access node box.

   3. If the destination VM resides on another hypervisor, select the host name of the hypervisor from the Destination VM list, and then browse to select the destination VM.

   4. In the Destination Path box, type the full path to the destination folder.

   5. Unconditionally overwrite if it already exists: Overwrites current state of the VM with the restored VM.

   6. Click Submit.

Restore Full Virtual Machines

1. Select Full virtual machine and then click Next.

   The Recovery Location page appears.

   

2. To restore out-of-place (to a newly defined location):

   1. Select Out of place and then click Next.

      The Destination page appears.

      

   2. In the Restore as list, select the type of hypervisor you want to restore to.

   3. Select the Destination client.

   4. Select the Access node.

   5. Click Next.

      The Virtual Machines page appears.

      

   6. Click Next.

      The Restore Options page appears.

   7. Enter the following options:

      • Power on VMs after restore: Automatically restart VMs after they are restored.

      • Unconditionally overwrite if it already exists: Delete an existing VM and replace it with the restored VM.

      • Register virtual machine with failover cluster: Select this option to register replicated virtual machines to the failover cluster for the destination client.

      • Notify user on job completion: Receive an email notification that the restore is complete.

      • Schedule restore job: To schedule the restore job at a specific interval for a period of time, enable this option, and then provide the schedule details.

      • Restore virtual machine using live recovery. If using this option, to delay the restore, in the Delay migration (in hours) field, enter the number of hours (1-12) for the delay.

      • Reuse Source VM client: Reuse the existing VM client and map its information, such as Client Name, Host Name, and Client ID to the source VM.

   8. Click Next and then click Submit.

3. To restore to a clean room:

   1. Select Cleanroom.

      The Recover resources pane appears.

      

   2. Select the runbook for the recovery group that contains the resources you want to recover.

      The Recover resources pane expands.

      

   3. To select a specific backup for the recovery, enable the Use custom recovery point for recovery job toggle key, and then select a specific recovery point.

   4. Expand all phases to verify they have a Restore status of Ready, and enable the Skip recovery toggle key for any steps you want to skip.

   5. Click Submit.