Back
Technology

FBI Recovers Deleted Signal Messages from iPhone Notification Database

Generated on: Last updated: 1 sources
View source

FBI Recovers Deleted Signal Messages from iPhone Notification Database

A report from 404 Media indicates the FBI recovered deleted Signal messages from an iPhone by extracting data from the device’s notification database.

Notification History Access

Testimony in a recent trial, involving individuals at the ICE Prairieland Detention Facility, indicated that the FBI recovered content from incoming Signal messages on a defendant's iPhone. This recovery occurred even after the Signal application had been removed from the device.

Defendant Lynette Sharp, who had pleaded guilty to providing material support to terrorists, was involved in the case. FBI Special Agent Clark Wiethorn testified on evidence, including Exhibit 158.

A summary of Exhibit 158, reportedly published on a supporters' website, states: "Messages were recovered from Sharp’s phone through Apple’s internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."

Signal's settings offer an option to prevent message content from being previewed in notifications. The defendant reportedly did not have this setting enabled, which may have allowed the system to store the content in the notification database. Neither Signal nor Apple provided statements to 404 Media regarding notification handling or storage.

Internal Storage Mechanism

The precise method used by the FBI for data recovery is unclear due to limited technical details about the iPhone's condition. iPhones operate in various system states, such as BFU (Before First Unlock) and AFU (After First Unlock), each with distinct security and data access limitations. Data access expands when a device is unlocked, as the system presumes user presence.

Push notification tokens are not immediately invalidated upon app deletion. Servers may continue sending notifications, with the iPhone determining whether to display them, as the server does not know if the app remains installed.

Apple altered how iOS validates push notification tokens in iOS 26.4. The connection between this change and the case remains undetermined, but the timing has been noted.

Given Exhibit 158's description of messages recovered via 'Apple’s internal notification storage,' a device backup is a potential source of the extracted information. Commercially available tools for law enforcement that exploit iOS vulnerabilities could facilitate such data access.