A method and device monitor usage of external storage media. The method and system selectively shadow I/O (input/output) from/to only external storage media. The method selectively shadows only accesses to external storage media connected to a computer. The method detects a data access to an external storage medium and writes a copy of the accessed data to a storage location other than the external storage medium. In one embodiment, the access is a write operation. In one embodiment, the method intercepts an I/O request from the computer to an external storage media drive in which the external storage media is inserted. In the case of the Windows NT or Windows 2000 operating systems, the intercepted I/O requests are preferably IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_CLOSE and IRP_MJ_FILE_SYSTEM_CONTROL packets. An apparatus comprises a detector and a storage connected to the detector. The detector receives I/O requests to an external storage medium. The storage is one other than the external storage medium. Written in the storage is a copy of the accessed data. In one embodiment, the apparatus further comprises one or more proxy handlers connected to the detector, wherein the proxy handlers handle certain I/O requests, which, in the case of the Windows NT or Windows NT operating system, include IRP_MJ_CREATE, IRP_MJ_WRITE, IRP_MJ_CLOSE and IRP_MJ_FILE_SYSTEM_CONTROL packets.