Shadow Copy: Investigate files that caused an incident

Learn how to create, collect, and download copies of files that caused incidents with the help of the Shadow Copy feature.

In this article, you will learn more about:

  • Introduction: What is Shadow Copy
  • How Shadow Copy works
  • Prerequisites
  • Limitations
  • Step 1: Enable the Shadow Copy feature
  • Step 2: Request a shadow copy
  • Step 3: Download a shadow copy
  • Shadow copy storage parameters
  • FAQ

Introduction: What is Shadow Copy

Shadow copy can help admins verify and investigate incidents.

With Shadow Copy, the admin can download and view the exact copy of the file that caused an incident. It is useful for:

  • Investigating situations when a sensitive file was changed.
  • Verifying whether sensitive data was tampered with during the incident, and what kind of data it was.
  • Estimating the severity of the incident.
  • Gaining proof related to the incident.

Shadow copy can also help verify false positives during DLP implementation:

  • The admin can see exactly what files violated policies.
  • As the admin browses through incidents, they can validate the DLP sensitivity settings.

 

How Shadow Copy works

When a policy is violated, an exact copy of the file involved in the incident is created and stored in secure local storage on the device. The admin can later download this copy to verify what data was involved in the incident.

 

Prerequisites

  1. Shadow Copy is part of Safetica Pro and Safetica Premium product plans.
  2. To download and view shadow copies, the admin must have the Shadow Copy permission enabled in Settings > Accounts and permissions.

 

Limitations

Shadow Copy is not supported for:

  • Print and Virtual print
  • Git control
  • Clipboard operations
  • Screen capture operations

 

 


Step 1: Enable the Shadow Copy feature

To start creating shadow copies, you must first enable the Shadow Copy feature in individual data policies:

  1. In the Safetica console, go to Policies > Data.
  2. Either create a new data policy or edit an existing one.
  3. Check the Enable Shadow copy checkbox.

✍️ To use the Shadow Copy feature, you need to specify at least one data classification in the policy.

  4. Afterward, violating the policy will trigger the creation of a shadow copy. Shadow copies can be enabled for all policy actions: Log, Notify, Block, and Block (with override).

 

Step 2: Request a shadow copy

For files that violated a policy with the Shadow Copy feature enabled, you can request a shadow copy of the incident-causing file.

  1. In the Safetica console, go to the Data section.
  2. In the Shadow copy column, you can see the following values:
    • Available – you can request a shadow copy for this file.
    • Not available – you cannot request a shadow copy for this file (usually because the violated policy did not have Shadow Copy enabled or the shadow copy could not be created for some reason).
  3. To request a shadow copy, click the desired file to open its detail.
  4. Click Actions > Request shadow copy.
  5. A shadow copy of the incident-causing file will be collected from the device. Depending on the file size and the device's availability, this process may take a while.

✍️ If the incident-causing version of the file is not found, a copy of the current file version will be created and collected.

🍏 macOS: macOS devices cannot create shadow copies when an incident happens, but they can create copies of the current versions of such incident-causing files.

  6. While the shadow copy of the incident-causing file is being collected from the device, you will see this message:

 

Step 3: Download a shadow copy

  1. After the requested shadow copy is collected from the device, a download link will appear in the file detail.
  2. Click the link to download the shadow copy.

❗ If a device does not have connectivity to the Safetica server (i.e., the device is offline), the admin must wait for it to connect before shadow copies can be downloaded.

✍️ An admin with the Shadow Copy permission can download shadow copies requested by other admins. However, a shadow copy can only be downloaded once and is available for one week. Afterward, it will need to be requested again.

Shadow copy storage parameters

Minimum required storage size on the device: 500 MB (reserved on every device).

Maximum storage size on the device: 5 GB (if there is less than 10 GB of free space left on the device). Once the maximum storage size is reached, the oldest shadow copies are deleted as new ones are added.

Maximum size of one shadow copy: 50 MB. This prevents situations when one big file would remove all older files from the storage.

✍️ To change the default shadow copy storage parameters, please contact your Safetica Partner.

Shadow copy retention time on the Safetica server: 1 week
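The storage rules above (a 5 GB cap, oldest copies deleted as new ones arrive, and a 50 MB limit per copy) are easiest to reason about with a small model. The following is an added example written for this article, not Safetica's code: the ShadowCopyStore class, the function names and the incident ids are this example's own constructions, and only the 5 GB and 50 MB values come from the page. It shows why the per-copy limit matters: without it, one large file would flush most of the older evidence out of the local store.

```python
# Added example (not Safetica's code): a model of the shadow-copy storage
# rules stated above, so the eviction behaviour can be reasoned about.
from collections import OrderedDict

MB = 1024 ** 2
GB = 1024 ** 3

MAX_STORE_BYTES = 5 * GB   # maximum local storage per device (value from the page)
MAX_COPY_BYTES = 50 * MB   # maximum size of one shadow copy (value from the page)


class ShadowCopyStore:
    """Bounded store: once the cap is reached, the oldest copies are deleted
    as new ones are added. Copies over the per-copy limit are never stored.

    The class, its methods and the incident ids used with it are this
    example's own constructions, not Safetica's API.
    """

    def __init__(self, max_store=MAX_STORE_BYTES, max_copy=MAX_COPY_BYTES):
        self.max_store = max_store
        self.max_copy = max_copy
        self._copies = OrderedDict()  # incident_id -> size; insertion order is age
        self.used = 0
        self.evicted = []   # ids removed to make room, oldest first
        self.rejected = []  # ids refused because the copy exceeded max_copy

    def add(self, incident_id, size):
        """Store a copy of `size` bytes; return True if it was kept."""
        if size > self.max_copy:
            self.rejected.append(incident_id)
            return False
        # Evict oldest-first until the new copy fits under the cap.
        while self._copies and self.used + size > self.max_store:
            oldest_id, oldest_size = self._copies.popitem(last=False)
            self.used -= oldest_size
            self.evicted.append(oldest_id)
        self._copies[incident_id] = size
        self.used += size
        return True

    def __contains__(self, incident_id):
        return incident_id in self._copies

    def __len__(self):
        return len(self._copies)


def evictions_caused_by(file_size, max_copy=MAX_COPY_BYTES):
    """Fill a store with 50 MB copies until no more fit (102 copies under a
    5 GB cap), then add one file of `file_size` and return how many older
    copies had to be evicted to make room for it."""
    store = ShadowCopyStore(max_copy=max_copy)
    i = 0
    while store.used + 50 * MB <= store.max_store:
        store.add(f"incident-{i}", 50 * MB)
        i += 1
    store.add("incident-new", file_size)
    return len(store.evicted)


if __name__ == "__main__":
    # With the 50 MB cap a 4 GB file is rejected and evicts nothing;
    # without the cap the same file would flush 82 of the 102 older copies.
    print("with cap:   ", evictions_caused_by(4 * GB))
    print("without cap:", evictions_caused_by(4 * GB, max_copy=float("inf")))
```

Run the module directly to see the two figures side by side; `max_copy=float("inf")` simply switches the per-copy limit off for comparison.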

FAQ

1. What happens when the incident-causing file version cannot be found?

If the version of the file that caused the incident is not found, a shadow copy of the current file version will be created.

2. What happens when both the incident-causing file version and the current version of the file cannot be found?

You will see an error that shadow copy cannot be collected.

3. What happens when the shadow copy has already been downloaded?

The shadow copy can only be downloaded once. After downloading the file, it is deleted from the Safetica server, so if you need it, you must request it again.

4. What happens when the shadow copy expires?

A shadow copy can only be downloaded for one week after it is requested. Once the week passes, it is deleted from the Safetica server, so if you need it, you must request it again.

5. Can I see and download shadow copies requested by other admins?

Yes, if you are an admin with the Shadow Copy permission, you can see and download shadow copies requested by other admins.

6. Does Safetica track who requested and downloaded shadow copies?

No, there is no audit trail for working with shadow copies for now, but the functionality is planned for the future.

7. What happens if I request a shadow copy from a device that is offline?

Collecting the shadow copy might take a longer time, since it is necessary to wait until the device is online again.

8. Does shadow copy work on macOS devices?

Partially. macOS devices cannot create shadow copies when an incident happens. Only copies of the current version of the incident-causing files can be requested and downloaded.
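Because a shadow copy is deleted from the Safetica server as soon as it is downloaded (Step 3 and FAQ 3) and the product currently keeps no audit trail of who requested or downloaded it (FAQ 6), an admin who intends to use the copy as proof of an incident should record its hash and download details at the moment it is pulled. The following is an added example written for this article, not Safetica's code: the file name, the incident id placeholder, the admin address and the JSON record layout are this example's own assumptions.

```python
# Added example (not Safetica's code): record the integrity and custody
# details of a downloaded shadow copy at download time, then re-verify later.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash the file in 1 MB chunks so large copies need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_custody_record(copy_path, incident_id, downloaded_by, note=""):
    """Describe a downloaded shadow copy: its hash, size and who pulled it when.
    The record layout is this example's own, not a Safetica format."""
    copy_path = Path(copy_path)
    return {
        "incident_id": incident_id,
        "file_name": copy_path.name,
        "size_bytes": copy_path.stat().st_size,
        "sha256": sha256_file(copy_path),
        "downloaded_by": downloaded_by,
        "downloaded_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }


def write_custody_record(record, record_path):
    """Persist the record next to the evidence; sorted keys keep diffs stable."""
    Path(record_path).write_text(json.dumps(record, indent=2, sort_keys=True))
    return record_path


def verify_against_record(copy_path, record):
    """Return True only if the file still matches the recorded size and hash."""
    copy_path = Path(copy_path)
    return (copy_path.stat().st_size == record["size_bytes"]
            and sha256_file(copy_path) == record["sha256"])


def demo(data=b"hello", tampered=b"hello!"):
    """Write constructed sample bytes standing in for a downloaded shadow copy,
    record them, then overwrite the file and re-verify.
    Returns (record, verified_before_tamper, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "shadow-copy-INCIDENT-ID-PLACEHOLDER.bin"
        copy.write_bytes(data)  # constructed sample content
        record = make_custody_record(
            copy,
            incident_id="INCIDENT-ID-PLACEHOLDER",
            downloaded_by="admin@example.invalid",
            note="Safetica deletes the server copy after one download; re-request if lost.",
        )
        write_custody_record(record, Path(tmp) / "custody.json")
        before = verify_against_record(copy, record)
        copy.write_bytes(tampered)
        after = verify_against_record(copy, record)
    return record, before, after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2, sort_keys=True))
    print("matches before modification:", before)
    print("matches after modification: ", after)
```

Keep the JSON record with the downloaded file; a later hash comparison with `verify_against_record` shows whether the evidence is still the bytes that were pulled from the device.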