The FBI was able to recover copies of Signal messages from a suspect’s iPhone even after the app had been deleted, by extracting data stored in Apple’s internal notification database.
The finding emerged during testimony in a recent criminal trial tied to an attack on an ICE detention facility in Texas.
Details of the forensic technique surfaced during proceedings related to a July incident at the Prairieland ICE Detention Facility in Alvarado, where a group allegedly used fireworks to damage property and, in one instance, shot a police officer.
According to courtroom accounts obtained by 404 Media, FBI Special Agent Clark Wiethorn described how investigators accessed remnants of Signal communications through forensic analysis of a seized iPhone. The discovery was documented in part through Exhibit 158, which summarized evidence recovered from the phone of defendant Lynette Sharp.
Although Signal had been uninstalled from the device, incoming messages were still retrievable because they had been preserved in Apple’s internal notification storage. Notes shared by attendees and defense attorney Harmony Schuerman indicate that only incoming messages were captured; outgoing communications were not included in the dataset.
When message previews are enabled, incoming notifications, including portions of message content, can be stored locally in system databases. These records may persist independently of the originating app, meaning that even disappearing messages or deleted apps do not necessarily eliminate all traces of communication.
Signal, a widely used encrypted messaging platform known for its strong privacy protections, offers users the ability to limit what appears in notifications. Settings can be configured to hide message content or even the sender’s identity. The case highlights the practical implications of these options.
Similar artifacts could potentially be generated by other messaging applications that display content in push notifications, so the issue stems from how Apple manages notifications, and isn’t unique to Signal. Apple has not publicly commented on the specifics of how long notification data is retained or under what conditions it is stored.
Users seeking to minimize exposure of message content beyond encrypted apps should adjust notification settings to disable message previews on lock screens, set notifications to display only the sender’s name or nothing at all, and use device-level privacy controls to limit lock screen access.
While end-to-end encryption protects messages in transit and within apps, this case shows that data can still surface in unexpected areas of a device’s operating system, particularly in convenience features like notifications.
Leave a Reply