A360
Key Takeaways✦ Atlas AI
01
FBI extracted deleted Signal messages.
02
Data persisted in iPhone notification logs.
03
Highlights importance of privacy settings.
Atlas AI
U.S. investigators said they were able to recover deleted Signal messages from an iPhone by using information stored in the device’s push notification database, a method described during a recent trial tied to events at the ICE Prairieland Detention Facility in Alvarado, Texas.
Officials described the forensic work as relying on physical access to the iPhone and specialized software. The approach focused on copies of incoming messages that had been retained by the operating system’s notification logs, rather than pulling content directly from Signal itself.
The trial referenced in the account involves defendants accused of actions at the ICE Prairieland Detention Facility in July. The allegations cited include property damage and the shooting of an officer, according to the case description.
The extraction was presented as an example of how remnants of data can remain on a device even after a secure messaging app is removed. In this instance, the key repository was the push notification database, which can preserve message previews or content that appeared in notifications.
Officials said the technique underscores a privacy risk: information from encrypted communications may be stored outside the encrypted app environment, in areas controlled by the phone’s operating system. The point raised was not that Signal’s end-to-end encryption was bypassed, but that message content can be duplicated into notification records that are separate from the app’s own storage.
The account also highlighted a mitigation step available to users. Signal includes a setting that can prevent message content from being displayed in push notifications, reducing the chance that sensitive text is written into notification logs that may be accessible during device forensics.
More broadly, the episode illustrates how device-level artifacts can shape what investigators can retrieve when they have physical access and appropriate tools. It also shows how privacy outcomes can depend not only on an app’s encryption design but on how operating systems handle notifications and what is retained in system databases.
What remains unclear from the description is the full scope of what was recovered, including how much content was available through notification records and how long such data persisted on the device. The account also does not specify whether the recovered material included complete messages or only portions that had been surfaced through notifications.
