Many people have Internet Evidence Finder (IEF) in their toolbox to help identify specific Internet-related artifacts/behavior of a particular user for investigative purposes. IEF can also be used to help identify activity that is typically associated with malware.
Depending on the version of the operating system, each user’s Internet History is located in a subfolder somewhere under their profile, i.e. c:\Users\
One profile that is missing from the areas listed above is the user profile used by the SYSTEM account. The SYSTEM account is not a normal account and is not used for interactive logons (it is totally different from the Administrator account).
The Security ID (SID) for the SYSTEM account is always S-1-5-18. One of the common non-Internet-related artifacts that is left behind by some malware is the existence of the recycle bin for the SYSTEM account.
Another quick and easy thing to look at is the existence of Internet-related activity by the SYSTEM account. The SYSTEM profile is located under the c:\Windows path, typically at “c:\Windows\System32\Config\systemprofile\”. Typically, the SYSTEM account should not be browsing the Internet, especially Facebook
If you are an Internet Evidence Finder (IEF) Triage user (running IEF on a live, untrusted machine), it is recommended that you check the entire drive\partition by choosing the “Drives” option from the initial screen.
If you want to search only selected files/folders, it is recommended that you use the “native browser” (the default view) to display and choose the paths you want to scan. With this option IEF does not rely on the OS to enumerate files and folders; it parses the file system itself at the physical disk level, which prevents a kernel-level rootkit from hiding files and folders from the OS view.
When using IEF’s “Full Search” type, this path is checked automatically:
After choosing the partition and the “Full Search” option, IEF will scan all the files and folders looking for common Internet-related artifacts. Internet activity by the SYSTEM account will look something like below and should be examined closely as a sign of activity by malware.
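The two SYSTEM-account checks described above (a recycle bin for SID S-1-5-18, and browser artifacts under the systemprofile folder) can also be scripted as a quick pre-IEF sanity check over a mounted volume or image. The example below is added here and is not part of the original post or of IEF; the artifact watch-list and the sample volume it builds are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Well-known SID of the SYSTEM account and the path of its profile.
SYSTEM_SID = "S-1-5-18"
SYSTEM_PROFILE = Path("Windows/System32/config/systemprofile")

# Constructed watch-list (relative to the volume root): SYSTEM's recycle bin
# plus browser artifact locations under the SYSTEM profile that normally
# only interactive-style browsing would populate.
ARTIFACTS = {
    "recycle_bin": Path("$Recycle.Bin") / SYSTEM_SID,
    "ie_history": SYSTEM_PROFILE / "AppData/Local/Microsoft/Windows/History",
    "ie_cookies": SYSTEM_PROFILE / "AppData/Local/Microsoft/Windows/INetCookies",
    "ie_webcache": SYSTEM_PROFILE / "AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat",
    "chrome_history": SYSTEM_PROFILE / "AppData/Local/Google/Chrome/User Data/Default/History",
}


def find_system_artifacts(volume_root):
    """Return {artifact name: path} for each watch-list entry present under volume_root.

    volume_root is the root of a mounted volume or image (e.g. "C:\\" or a mount
    point). Matching is by exact path, so on a case-sensitive mount of a Windows
    image normalise the tree's case before calling this.
    """
    root = Path(volume_root)
    return {name: str(root / rel) for name, rel in ARTIFACTS.items() if (root / rel).exists()}


def build_sample_volume():
    """Constructed sample volume: an otherwise clean tree with a SYSTEM recycle bin
    and a Chrome history database under the SYSTEM profile (both suspicious)."""
    root = Path(tempfile.mkdtemp(prefix="sample_vol_"))
    (root / "Users" / "alice").mkdir(parents=True)         # a normal user profile
    (root / SYSTEM_PROFILE).mkdir(parents=True)            # SYSTEM profile exists on any box
    (root / ARTIFACTS["recycle_bin"]).mkdir(parents=True)  # suspicious: SYSTEM recycle bin
    chrome = root / ARTIFACTS["chrome_history"]
    chrome.parent.mkdir(parents=True)
    chrome.write_bytes(b"SQLite format 3\x00")              # suspicious: constructed header only
    return root


if __name__ == "__main__":
    sample = build_sample_volume()
    for name, path in sorted(find_system_artifacts(sample).items()):
        print(f"[!] {name}: {path}")
```

A hit on the recycle bin, History or cookie paths is a much stronger signal than a cache directory alone, since some services that use WinINet under SYSTEM can create cache folders there without any browsing.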
As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com
