All internet browsing leaves remnants lying around the system simply waiting to be plucked. The problem is, finding relevant data and, hopefully, quickly. In the case of Facebook, quickly is not always feasible due to the sheer amount of data that is transferred and consequently paged out. The below items may help in targetting specific activities. None of the strings are hard fast, but may be useful in targeting data located within unallocated space.

User Logged In

When attempting to determine whether a user was logged in, the title bar in the browser will be different for those logged in and those who are not. This does not tell you who was logged in, but merely that someone was. When a user is not logged in, the format is “Username | Facebook“. However, these two are swapped when a user logs in; thus becoming “Facebook | Username“. This can be identified in the HTML and in possible screenshots.

Anonymous login on Facebook

Anonymous login on Facebook

 

Facebook account logged into

Facebook account logged into

Current User

It may be possible to find the currently logged in user’s profile ID by finding the string below where # is the profile ID.

href=\\\"http:\\\/\\\/www.facebook.com\\\/profile.php?id=#\\\">You
\"c_user\":\"#\"

The email address associated with the user’s account may be found using the following string where email is the user’s email.

\"lxe\":\"email\"

Account Modification

While useful in finding the currently logged in user’s name, the following is more noteworthy when it comes to identity theft.

div id="change_all_names_val">
id="old_full_name"

The account settings page is also home to the password reset option. The following will help identify whether the account settings page was visited and possibly help corroborate whether the account had been hijacked.

class="password_confirm_password">
Password change not successful"

Personal Messages

Personal messages (“private messages” or, simply, PMs) may be identified as well. They are stored much like email in an inbox fashion. The sender’s name and a partial subject line are present. The following can help narrow down searches for PMs.

a href=\"http:\/\/www.facebook.com\/?sk=messages&tid=