Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Administration Guide

    Home FortiDLP FortiDLP Administration Guide

    Decrypting shadow copies

    Decrypting shadow copies

    Shadow copies are packaged as encrypted ZIP files that are downloadable from the storage bucket as well as from the FortiDLP Console via pre-signed URLs. Pre-signed URLs are dynamically generated and are only displayed to operators who are permitted to download shadow copies. Further, if shadow copies are stored on-premises, operators can only access them if they have the appropriate server permissions.

    Note

    A pre-signed URL is valid for one hour. After one hour, you will need to obtain a new URL to view the shadow copy by revisiting the relevant Detection details/Action details panel.

    For identification purposes, the filename given to an encrypted shadow copy contains the corresponding action UUID in the FortiDLP Console. However, the folder structure of the path the shadow copy is uploaded to will vary by the Agent version:

    • For nodes running Agent 11.0.1+, the path will be:
      /<tenant_uuid>/<agent_uuid>/<action_uuid>/<action_uuid>.evidence.
    • For nodes running Agents earlier than 11.0.1, the path will be:
      /<tenant_uuid>/evidence/<first two characters of action_uuid>/<rest of action_uuid>/<action_uuid>.evidence.

    Upon decryption, a shadow copy identifies the original file path associated with the policy violation.

    Example

    For example, if a violation occurred for a file located at C:\Users\Brian\Desktop\secret.txt, the decrypted shadow copy would be extracted as evidence\C:\Users\Brian\Desktop\secret.txt.
    Note

    For macOS print job shadow copies, information about the file path from which the document was printed is generally unavailable. When this is the case, the shadow copy file path will be unrelated to the printed document's location, but if present, the print job name or document name will be included in the path.
    Caution

    When you delete a user from FortiDLP, you permanently remove all references to them. Ensure you make a note of a user's Agent UUID before deleting them for managing shadow copies.

    Follow these instructions to decrypt shadow copies using the FortiDLP Decryption Tool Extension or FortiDLP Decryption CLI Tool.

    How to decrypt shadow copies using the FortiDLP Decryption Tool Extension
    Note

    You can only decrypt shadow copies that were generated after your encryption key was created.
    1. Do one of the following:
      • To decrypt a shadow copy from the FortiDLP Console's Detection details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the requested_actions = file_shadow search query.
        3. Click the Detection event stream.
        4. In the Events section, select the table row of the relevant detection.
        5. In the Detection details panel's Associated actions widget, click .

          The FortiDLP Decryption Tool Extension opens.
        6. In the Passphrase field, type your passphrase and then click Unlock.
        7. Click Download to download the decrypted file to your device.
      • To decrypt a shadow copy from the FortiDLP Console's Action details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the action = file_shadow search query.
        3. Click the Action (New)/Action (Legacy) event stream.
        4. In the Events section, select the table row of the relevant action event.
        5. In the Action details panel's Key information & content widget, click Decrypt.

          The FortiDLP Decryption Tool Extension opens.
        6. In the Passphrase field, type your passphrase and then click Unlock.
        7. Click Download to download the decrypted file to your device.
      • To download a shadow copy from the FortiDLP Console or your storage bucket and then decrypt it:
        1. Do one of the following:
          • In the FortiDLP Console, follow the steps above to open the relevant Detection details panel , and in the Associated actions widget, click .
          • In the FortiDLP Console, follow the steps above to open the relevant Action details panel, and in the Key information & content widget, click Download.
          • Download the shadow copy from your storage bucket.
        2. On your browser's menu bar, click the icon and launch the FortiDLP Decryption Tool Extension..
        3. In the Passphrase field, type your passphrase and then click Unlock.
        4. Drag and drop one or more shadow copies or click Select files to decrypt and select them from your device.
        5. Click Download to download the decrypted file(s) to your device.
    How to decrypt shadow copies using the FortiDLP Decryption CLI Tool
    Note

    You can only decrypt shadow copies that were generated after your encryption key was created.
    1. Do one of the following:
      • Download the shadow copy from the FortiDLP Console's Detection details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the requested_actions = file_shadow search query.
        3. Click the Detection event stream.
        4. In the Events section, select the table row of the relevant detection.
        5. In the Detection details panel's Associated actions widget, click .

      • Download the shadow copy from the FortiDLP Console's Action details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the action = file_shadow search query.
        3. Click the Action (New)/Action (Legacy) event stream.
        4. In the Events section, select the table row of the relevant action event.
        5. In the Action details panel's Key information & content widget, click Download.

      • Download the shadow copy from your storage bucket.
    2. Open a command-line interface.
    3. Go to the directory containing the FortiDLP Decryption CLI Tool binary.
    4. Run one of the following commands, where <path> is the path to the encrypted shadow copy file:
      • On Windows, run the command reveal-decryption-tool.exe decrypt <path>.
      • On macOS or Linux, run the command ./reveal-decryption-tool decrypt <path>.
      Note

      If your private key file is not in the default directory (see Setting encryption keys), you must use the -k flag to specify the path to the key file.

      For example:
      reveal-decryption-tool.exe decrypt <shadow copy path> -k <private key path>.

    5. Type your passphrase and then press Enter.

    The decrypted shadow copy will be saved in the same directory as the encrypted version.

    Tooltip

    If preferred, you can save the decrypted file to a different location by specifying a destination path. For example:
    reveal-decryption-tool.exe decrypt <encrypted shadow copy path> <decrypted shadow copy path>.
    Previous
    Next

    Decrypting shadow copies

    Decrypting shadow copies

    Shadow copies are packaged as encrypted ZIP files that are downloadable from the storage bucket as well as from the FortiDLP Console via pre-signed URLs. Pre-signed URLs are dynamically generated and are only displayed to operators who are permitted to download shadow copies. Further, if shadow copies are stored on-premises, operators can only access them if they have the appropriate server permissions.

    Note

    A pre-signed URL is valid for one hour. After one hour, you will need to obtain a new URL to view the shadow copy by revisiting the relevant Detection details/Action details panel.

    For identification purposes, the filename given to an encrypted shadow copy contains the corresponding action UUID in the FortiDLP Console. However, the folder structure of the path the shadow copy is uploaded to will vary by the Agent version:

    • For nodes running Agent 11.0.1+, the path will be:
      /<tenant_uuid>/<agent_uuid>/<action_uuid>/<action_uuid>.evidence.
    • For nodes running Agents earlier than 11.0.1, the path will be:
      /<tenant_uuid>/evidence/<first two characters of action_uuid>/<rest of action_uuid>/<action_uuid>.evidence.

    Upon decryption, a shadow copy identifies the original file path associated with the policy violation.

    Example

    For example, if a violation occurred for a file located at C:\Users\Brian\Desktop\secret.txt, the decrypted shadow copy would be extracted as evidence\C:\Users\Brian\Desktop\secret.txt.
    Note

    For macOS print job shadow copies, information about the file path from which the document was printed is generally unavailable. When this is the case, the shadow copy file path will be unrelated to the printed document's location, but if present, the print job name or document name will be included in the path.
    Caution

    When you delete a user from FortiDLP, you permanently remove all references to them. Ensure you make a note of a user's Agent UUID before deleting them for managing shadow copies.

    Follow these instructions to decrypt shadow copies using the FortiDLP Decryption Tool Extension or FortiDLP Decryption CLI Tool.

    How to decrypt shadow copies using the FortiDLP Decryption Tool Extension
    Note

    You can only decrypt shadow copies that were generated after your encryption key was created.
    1. Do one of the following:
      • To decrypt a shadow copy from the FortiDLP Console's Detection details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the requested_actions = file_shadow search query.
        3. Click the Detection event stream.
        4. In the Events section, select the table row of the relevant detection.
        5. In the Detection details panel's Associated actions widget, click .

          The FortiDLP Decryption Tool Extension opens.
        6. In the Passphrase field, type your passphrase and then click Unlock.
        7. Click Download to download the decrypted file to your device.
      • To decrypt a shadow copy from the FortiDLP Console's Action details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the action = file_shadow search query.
        3. Click the Action (New)/Action (Legacy) event stream.
        4. In the Events section, select the table row of the relevant action event.
        5. In the Action details panel's Key information & content widget, click Decrypt.

          The FortiDLP Decryption Tool Extension opens.
        6. In the Passphrase field, type your passphrase and then click Unlock.
        7. Click Download to download the decrypted file to your device.
      • To download a shadow copy from the FortiDLP Console or your storage bucket and then decrypt it:
        1. Do one of the following:
          • In the FortiDLP Console, follow the steps above to open the relevant Detection details panel , and in the Associated actions widget, click .
          • In the FortiDLP Console, follow the steps above to open the relevant Action details panel, and in the Key information & content widget, click Download.
          • Download the shadow copy from your storage bucket.
        2. On your browser's menu bar, click the icon and launch the FortiDLP Decryption Tool Extension..
        3. In the Passphrase field, type your passphrase and then click Unlock.
        4. Drag and drop one or more shadow copies or click Select files to decrypt and select them from your device.
        5. Click Download to download the decrypted file(s) to your device.
    How to decrypt shadow copies using the FortiDLP Decryption CLI Tool
    Note

    You can only decrypt shadow copies that were generated after your encryption key was created.
    1. Do one of the following:
      • Download the shadow copy from the FortiDLP Console's Detection details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the requested_actions = file_shadow search query.
        3. Click the Detection event stream.
        4. In the Events section, select the table row of the relevant detection.
        5. In the Detection details panel's Associated actions widget, click .

      • Download the shadow copy from the FortiDLP Console's Action details panel:
        1. On the left-hand sidebar, click .
        2. In the search bar, enter the action = file_shadow search query.
        3. Click the Action (New)/Action (Legacy) event stream.
        4. In the Events section, select the table row of the relevant action event.
        5. In the Action details panel's Key information & content widget, click Download.

      • Download the shadow copy from your storage bucket.
    2. Open a command-line interface.
    3. Go to the directory containing the FortiDLP Decryption CLI Tool binary.
    4. Run one of the following commands, where <path> is the path to the encrypted shadow copy file:
      • On Windows, run the command reveal-decryption-tool.exe decrypt <path>.
      • On macOS or Linux, run the command ./reveal-decryption-tool decrypt <path>.
      Note

      If your private key file is not in the default directory (see Setting encryption keys), you must use the -k flag to specify the path to the key file.

      For example:
      reveal-decryption-tool.exe decrypt <shadow copy path> -k <private key path>.

    5. Type your passphrase and then press Enter.

    The decrypted shadow copy will be saved in the same directory as the encrypted version.

    Tooltip

    If preferred, you can save the decrypted file to a different location by specifying a destination path. For example:
    reveal-decryption-tool.exe decrypt <encrypted shadow copy path> <decrypted shadow copy path>.
    Previous
    Next