In a recent trial regarding the vandalism of a detention center in Prairieland, Texas, FBI agents confirmed that investigators were able to recover deleted Signal messages from a suspect’s iPhone. Even after the app had been uninstalled, the messages were retrieved from the device's internal push notification database.
The case involved several defendants who set off fireworks and damaged property at the detention facility, with one individual also firing a shot at a police officer. FBI Special Agent Clark Wiethorn testified in court that although the Signal app had been deleted, investigators were able to access the content of some incoming messages because the system stores push notifications by default.
Security Vulnerabilities in Privacy Settings
A supporter of the defendants who was taking notes in the courtroom told the media that iPhones store notifications and previews shown on the lock screen in the device's memory. Even if messages are set to "disappear" within the Signal app, the system retains traces of them in an underlying database as long as the phone received a push notification.
Defense attorney Harmony Schuerman, after reviewing the evidence list, stated: "They were able to get these chat logs because the defendant had notification previews enabled. As long as a notification pops up on the lock screen, Apple devices store it in their internal memory."
This evidence extraction was limited to incoming messages; no records of sent messages were found. The investigation suggests the issue stems from a conflict between how encrypted messaging apps and Apple’s operating system handle notifications. Regardless of whether a user deletes the app, as long as the device is in physical custody, forensic software can perform a deep dive into this stored data.
Signal’s privacy settings allow users to restrict notification content, offering options such as "Show Name Only" or "No Name or Content." However, many users are unaware that keeping the default "Show Message Content" setting enabled effectively bypasses the app's self-destruct protection mechanism.
Previous reports have indicated that Apple has provided thousands of push notification records in response to government legal requests. The Prairieland case further confirms that even without direct cooperation from Apple, law enforcement can conduct forensic data recovery by utilizing the notification copies retained by the system, provided they have physical access to the device. All defendants in the case have since been found guilty.
