File write to external drive  

rawljt
(@rawljt)
New Member

Hi all,

I'm a relative newcomer to digital forensics and would like some assistance in interpreting the following regarding a corporate investigation for data exfiltration.

Splunk logs indicate that the following file write occurred to an external drive:

D:/mailbackup.pst

but it is attributed to the process C:/Windows/SysWOW64/SearchProtocolHost.exe - which I believed to be an automated process related to indexing files and not user performed (otherwise this would display under explorer.exe, correct?)

What would account for this log activity to be registering as a file write to the external drive under the above process?

*For context, user was attempting to copy personal items from work device to include .pst items to transfer from work to personal machine. Due to encryption protocols, user ultimately transferred data from shared OneDrive folder to a personal email domain. I'm trying to determine if the above was an attempt by the user to copy his entire work mailbox to an external drive - and if so - why this would not have shown up under the explorer.exe process?

Thanks for any assistance.

Posted : 02/06/2020 8:21 pm