This article describes the Safetica Incident file manager feature and what it brings.
The incident file manager is a brand new feature of Safetica 9.3. It allows you to download copies of sensitive files as forensic evidence, based on records in the DLP logs. For example, the DLP logs contain a record of a blocked upload to webmail. To clarify the incident, you want to review the file to see exactly what information it contains and why it was tagged, logged and blocked. An important condition is that the file must still exist on the endpoint. This feature, which is slightly similar to a shadow copy, has two prerequisites for safety reasons:
- Separate license key - the forensic license key is free of charge; you can request it via your distributor or Safetica business channel manager
- Enabled function in Safetica management console
These limitations are very important because incident file download is a highly sensitive feature and could be misused. It is therefore recommended that it be used by authorized Safetica administrators.
Enabling incident file manager in Safetica management console
Go to Safetica Management Console > Maintenance > Access management. Here you can enable forensics for the users you want.
Downloading of sensitive files in Safetica management console
Go to Safetica Management Console > Protection > DLP logs. Here you can choose the file you want to download by right-clicking a record and choosing the download file option. You will then be taken to Information collection, which you probably know from collecting troubleshooting information. Here you have to confirm your request and download the file. Keep in mind that the file may have changed between the time it was detected and the time you downloaded it. Don't forget to remove the file from collecting tasks and downloads in Safetica Management Console so that it is deleted from the Safetica Management Service server.