iPhone Forensics Reveal Recoverable Signal Messages Despite App Deletion
Key Findings
- The FBI forensically recovered incoming Signal messages from an iPhone after the app was deleted, contradicting common privacy assumptions
- Messages were extracted from Apple's push notification database, not by breaking Signal's encryption
- Only incoming messages were recovered, not outgoing ones, due to how iOS processes notifications
- iOS maintains persistent notification databases that survive app removal and can be accessed through forensic tools
- Users commonly misunderstand what "deleting" or "disappearing" means on encrypted messaging apps
Background
A Texas court case involving vandalism and property damage at an ICE detention facility in Alvarado revealed a significant gap between how people think smartphone privacy works and what actually happens. The FBI recovered incoming Signal messages from a defendant's iPhone even though the app had been uninstalled and the messages were set to disappear after a short time. The case, reported by 404 Media and analyzed by security researchers, shows that encrypted messaging apps cannot guarantee complete deletion of all traces from a device.
How Messages Were Recovered
The FBI did not break Signal's encryption or exploit any vulnerability in its protocol. Instead, investigators accessed a completely separate layer of the system: Apple's push notification infrastructure. When someone sends a Signal message to an iPhone, the message gets pushed through Apple's notification system before appearing in the app. If notification previews are enabled, the content is decrypted locally by iOS for display on the lock screen or notification center. This decrypted content is then cached by the operating system in its own database, independent of Signal's control.
Forensic tools can access these iOS notification databases even after an app is uninstalled. The databases persist as part of the operating system's standard functionality for features like notification history and system recovery after reboots. When forensic experts gain access to an unlocked device, they can extract full filesystem images or encrypted iTunes backups and analyze the notification data directly.
Why Only Incoming Messages Were Recovered
A crucial detail emerged from the investigation: only incoming messages were recovered, not outgoing ones. This limitation stems directly from how push notifications work. Incoming messages follow a specific pathway through Apple's infrastructure before reaching the device. Outgoing messages originate directly from the device and go straight to Signal's servers, bypassing Apple's notification system entirely. Without traveling through push notification channels, outgoing messages leave no equivalent trace in iOS system databases.
Researcher Andrea Fortuna explained that this pattern is entirely consistent with notification architecture. Incoming messages pass through Apple's infrastructure and may have visible alerts cached by iOS. Outgoing messages never follow this pathway and therefore create no system-level artifacts for forensic recovery.
The Notification Database Problem
iOS maintains structured databases specifically designed to track notifications and user interactions. These databases are part of the operating system's core functionality and persist independently from individual apps. When an app is deleted, the notification records remain embedded in system-level storage. This happens because notifications are considered OS data, not app data. The databases survive app removal because they serve system functions beyond any single application.
The notification fragments stored in these databases contain decrypted content that iOS has already processed for display. From the operating system's perspective, this is legitimate data to cache for user convenience. From a privacy perspective, it represents an unintended persistence of sensitive information.
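A toy model of the persistence described above, as an added example that is not from the original article or from Apple or Signal. The table names, schema and bundle ID are constructed for illustration and are not the real iOS notification database layout; the model follows the article's statement that content is cached when previews are enabled. It shows the triage query an examiner or auditor would run: notification rows whose owning app is no longer installed.

```python
import sqlite3

def build_device():
    """Constructed stand-in for a device: app-owned and OS-owned tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE installed_apps (bundle_id TEXT PRIMARY KEY);
        CREATE TABLE app_messages (bundle_id TEXT, direction TEXT, body TEXT);
        CREATE TABLE os_notifications (bundle_id TEXT, delivered_at TEXT, preview TEXT);
    """)
    return db

def install(db, bundle_id):
    db.execute("INSERT INTO installed_apps VALUES (?)", (bundle_id,))

def receive(db, bundle_id, when, body, previews_enabled=True):
    """Incoming message: stored by the app, cached by the OS if a preview is shown."""
    db.execute("INSERT INTO app_messages VALUES (?, 'in', ?)", (bundle_id, body))
    if previews_enabled:
        db.execute("INSERT INTO os_notifications VALUES (?, ?, ?)", (bundle_id, when, body))

def send(db, bundle_id, body):
    """Outgoing message: never passes through the notification path."""
    db.execute("INSERT INTO app_messages VALUES (?, 'out', ?)", (bundle_id, body))

def uninstall(db, bundle_id):
    """App removal deletes app-owned data only; OS-owned rows are untouched."""
    db.execute("DELETE FROM app_messages WHERE bundle_id = ?", (bundle_id,))
    db.execute("DELETE FROM installed_apps WHERE bundle_id = ?", (bundle_id,))

def orphaned_notifications(db):
    """Notification rows whose owning app is no longer installed."""
    return db.execute("""
        SELECT n.bundle_id, n.delivered_at, n.preview
        FROM os_notifications n
        LEFT JOIN installed_apps a ON a.bundle_id = n.bundle_id
        WHERE a.bundle_id IS NULL
        ORDER BY n.delivered_at
    """).fetchall()

def demo():
    db = build_device()
    app = "com.example.messenger"  # constructed bundle ID
    install(db, app)
    receive(db, app, "2025-01-01T10:00:00", "constructed incoming text")
    receive(db, app, "2025-01-01T10:05:00", "hidden preview", previews_enabled=False)
    send(db, app, "constructed outgoing text")
    uninstall(db, app)
    return orphaned_notifications(db)
```

In this model only the incoming message delivered with a preview survives the uninstall, which matches the asymmetry the case revealed.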
Forensic Extraction Methods
Forensic specialists use several techniques to recover this data. One likely method in the Texas case involved logical acquisition after the phone had been unlocked at least once, followed by analysis of an encrypted iTunes backup. These backups can contain rich system and app data, including notification databases. Tools like idevicebackup2 can extract backups without modifying the device itself. Another approach involves analyzing full filesystem images when physical access permits. Commercial forensic suites often include modules specifically designed to parse iOS notification databases.
The key is that these techniques do not involve breaking encryption. Instead, they access data that iOS has already decrypted and stored for normal system operations. Encryption protects messages in transit and at rest, but once a message has been decrypted for display, the operating system keeps its own copy.
The User Misunderstanding
Most people assume that deleting an app or letting disappearing messages expire means no trace remains on the device. This assumption does not account for how modern operating systems actually work. Encrypted messaging apps like Signal control only their own data storage. They cannot control what the underlying operating system does with information it receives. When a notification arrives with a preview, the OS processes it independently of the app's preferences.
Users believe "deleted" means gone, but on modern smartphones, deleted often means removed from the app's interface while persisting elsewhere in the system. Disappearing messages control only the app-level timer and deletion, not system caches or notification databases. The encryption remains strong for transit and storage, but decrypted content displayed to the user gets cached by iOS for system purposes. This creates a fundamental mismatch between user expectations and technical reality.
Sources
https://securityaffairs.com/190740/security/iphone-forensics-expose-signal-messages-after-app-removal-in-u-s-case.html
https://x.com/shah_sheikh/status/2043659270122549419
https://www.techtimes.com/articles/315787/20260410/deleted-doesnt-mean-gone-fbi-recovers-deleted-signal-messages-iphone-using-notification-data.htm
