Learn how to create, collect, and download copies of files that caused incidents with the help of the Shadow Copy feature.
In this article, you will learn more about:
- What is Shadow Copy
- How Shadow Copy works
- Prerequisites
- Limitations
- Step 1: Enable the Shadow Copy feature
- Step 2: Request a shadow copy
- Step 3: Download the shadow copy
- Shadow copy storage parameters
- FAQ
Introduction: What is Shadow Copy
Shadow copy can help admins verify and investigate incidents.
With Shadow Copy, the admin can download and view the exact copy of the file that caused an incident. It is useful for:
- Investigating situations when a sensitive file was changed.
- Verifying whether or what kind of sensitive data was tampered with during the incident.
- Estimating the severity of the incident.
- Gaining proof related to the incident.
Shadow copy can also help verify false positives during DLP implementation:
- The admin can see exactly what files violated policies.
- As the admin browses through incidents, they can validate the DLP sensitivity settings.
How Shadow Copy works
When a policy is violated, an exact copy of the file that was part of the incident is created and stored in a secure local storage on the device. The admin can later download this file copy to verify what data were involved in the incident.
Prerequisites
- Shadow Copy is part of Safetica Pro and Safetica Premium product plans.
- To download and view shadow copies, the admin must have the Shadow Copy permission enabled in Settings > Accounts and permissions.
Limitations
Shadow Copy is not supported for:
- Print and Virtual print
- Git control
- Clipboard operations
- Screen capture operations
Step 1: Enable the Shadow Copy feature
To start creating shadow copies, you must first enable the Shadow Copy feature in individual data policies:
- In the Safetica console, go to Policies > Data.
- Either create a new data policy or edit an existing one.
- Check the Enable Shadow copy checkbox.
✍️To use the Shadow Copy feature, you need to specify at least one data classification in the policy.
4. Afterward, violating the policy will trigger the creation of a shadow copy. Shadow copies can be enabled for all policy actions: Log, Notify, Block, and Block (with override).
Step 2: Request a shadow copy
For files that violated policies with enabled Shadow Copy feature, you can request the shadow copy of the incident-causing file.
- In the Safetica console, go to the Data section.
- In the Shadow copy column, you can see the following values:
- Available – you can request a shadow copy for this file.
- Not available – you cannot request a shadow copy for this file (usually because the violated policy did not have Shadow Copy enabled or the shadow copy could not be created for some reason).
- To request a shadow copy, click the desired file to open its detail.
- Click Actions > Request shadow copy.
- A shadow copy of the incident-causing file will be collected from the device. Depending on the file size and the device's availability, this process may take a while.
✍️If the incident-causing version of the file is not found, a copy of the current file version will be created and collected.
🍏macOS: macOS devices cannot create shadow copies when an incident happens. But they can create copies of the current versions of such incident-causing files.
6. While the shadow copy of the incident-causing file is being collected from the device, you will see this message:
Step 3: Download a shadow copy
- After the requested shadow copy is collected from the device, a download link will appear in the file detail.
- Click the link to download the shadow copy.
❗If a device does not have connectivity to the Safetica server (i.e., the device is offline), the admin must wait for it to connect before shadow copies can be downloaded.
✍️An admin with Shadow copy permission can download shadow copies requested by other admins. However, the shadow copy can only be downloaded once and is available for one week. Afterward, it will need to be requested again.
Shadow copy storage parameters
What is the capacity of the shadow copy storage on the device?
Minimum required storage size on the device: 500 MB (reserved on every device).
Maximum storage size on the device: 5 GB (if there is less than 10 GB of free space left on the device). Once the maximum storage size is reached, the oldest shadow copies are deleted as new ones are added.
Maximum size of one shadow copy: 50 MB. This prevents situations when one big file would remove all older files from the storage.
✍️To change the default shadow copy storage parameters, please contact your Safetica Partner.
Shadow copy retention time on the Safetica server: 1 week
FAQ
1. What happens when the incident-causing file version cannot be found?
If the version of the file that caused the incident is not found, a shadow copy of the current file version will be created.
2. What happens when both the incident-causing file version and the current version of the file cannot be found?
You will see an error that shadow copy cannot be collected.
3. What happens when the shadow copy has already been downloaded?
The shadow copy can only be downloaded once. After downloading the file, it is deleted from the Safetica server, so if you need it, you must request it again.
4. What happens when the shadow copy expires?
A shadow copy can only be downloaded for one week after it is requested. Once the week passes, it is deleted from the Safetica server, so if you need it, you must request it again.
5. Can I see and download shadow copies requested by other admins?
Yes, if you are an admin with the Shadow Copy permission, you can see and download shadow copies requested by other admins.
6. Does Safetica track who requested and downloaded shadow copies?
No, there is no audit trail for working with shadow copies for now, but the functionality is planned for the future.
7. What happens if I request a shadow copy from a device that is offline?
Collecting the shadow copy might take a longer time, since it is necessary to wait until the device is online again.
8. Does shadow copy work on macOS devices?
Partially. macOS devices cannot create shadow copies when an incident happens. Only copies of the current version of the incident-causing files can be requested and downloaded.
9. What is the maximum size of a single shadow copy file?
The maximum size of one shadow copy file is 50 MB.