Shadow Copy

Learn more about the Shadow Copy feature introduced in Safetica 9.8.

Information in this article applies to Safetica ONE 10 or older.

Shadow Copy helps investigate situations when sensitive files are changed after an incident takes place. With Shadow Copy, the admin can download and display the exact copy of the file that triggered the incident. It is useful for incident verification to see whether or what kind of sensitive data was tampered with. It can also help you verify false positives during DLP implementation, since you can see exactly what files are captured by DLP policies.

Shadow Copy is available in Safetica Protection and Safetica Enterprise.

In this article you will learn:

How it works

When a DLP policy is violated, an exact copy of the file that was part of the incident is stored in a secure local storage on the endpoint. The admin can later download this file copy to verify what data were involved in the incident.


If an endpoint does not have connectivity to Safetica server, the admin must wait for it to connect before shadow copies are downloaded.

Shadow Copy is supported for general and data DLP policies and for most data channels. You can find a complete list here.


  1. Shadow Copy is part of Safetica Protection and Safetica Enterprise. If you are using our legacy products, you must activate the Forensics license.
  2. The admin must have the Shadow copy collecting access right set in Maintenance > Access management > Access settings. Without it, the admin will not be able to download shadow copies.

How to enable shadow copy creation

  1. Open Safetica Management Console and go to Protection > DLP policies.
  2. Create a new policy and in the Policy rules window toggle the Shadow copy slider to Enabled. This allows the policy to create shadow copies (can be created in all modes: Log only, Log and notify, Log and block).


How to collect a shadow copy

  1. Open Safetica Management Console and go to Protection > DLP logs.
  2. If there are shadow copies available, you can collect them by clicking the Yes (Collect) link in Records in the Shadow copy column. Alternatively, you can right-click the respective record and choose the Collect shadow copy option.


    3. In Maintenance > Information collection confirm with []. The shadow copy will start downloading.

Local shadow copy storage parameters

Minimum required free space on endpoint: 500 MB (reserved on every endpoint).

Maximum storage size: 5 GB or less (if there are less than 10 GB of free space left on the endpoint). When the maximum storage size is reached, the oldest local copies are deleted as new ones are added.

Maximum size of one file: 50 MB.

This prevents situations when one big file would remove all older files from the storage.

To change the default shadow copy storage parameters, please contact your Safetica Partner.