FBI Extracted Deleted Signal Messages from iPhone Notification Database

The FBI successfully recovered deleted Signal messages from an iPhone by accessing data stored in the device's internal notification database, according to reporting on a legal case. The messages had been deleted from the Signal app itself, but copies of incoming message previews persisted in a lower-level iOS system database that handles push notifications. This forensic extraction was possible because Signal's default configuration allows message content and sender information to display in lock-screen notifications, and iOS automatically archives these notification previews in persistent storage that forensic tools can access.

The recovery method did not compromise Signal's end-to-end encryption or break the messaging protocol. Instead, it exploited the fact that notification content—before being displayed to the user—exists temporarily in plaintext within the operating system. Once Signal generates a notification preview for display, the iOS system independently stores that preview data. A device with physical access and forensic tools can then recover these artifacts, even if the user later deletes the Signal app. The case underscores a longstanding security principle: encrypted messaging is only as secure as the device it runs on.

Signal has long offered a setting to prevent message previews from appearing on lock screens, eliminating the plaintext notification that iOS would store. Following disclosure of the case, Apple released a patch that removes the notification database vulnerability entirely. The incident highlights the importance of both application-level settings and device-level security posture for users seeking to protect sensitive communications from forensic recovery.