FBI investigators were able to retrieve deleted Signal messages from a defendant's iPhone even though the user had deleted the app, according to reporting that described how authorities recovered incoming chats from device notifications.
As reported by 404 Media and summarized by Jake Peterson at Lifehacker, the FBI could not recover the defendant's outgoing Signal messages but did extract incoming messages by accessing the iPhone push notification database.
The court record in the case, noted by a supporter of the defendants who took notes during the trial, showed that any app permitted to show previews and alerts on the Lock Screen will save those previews to the phone's internal memory, and investigators were able to obtain those saved previews.
The matter arose in a case linked to a group accused of vandalizing property and setting off fireworks at the ICE Prairieland Detention Facility, an incident that included an officer being shot in the neck, court notes showed.
How Alerts Create Forensic Trails And How Users Can Limit Exposure
The vulnerability is not unique to Signal, Lifehacker's reporting said, because any app that displays alert previews on the Lock Screen can leave readable content in the notification database for anyone with the tools to access it.
Investigators likely had access to a range of other notifications on the device, the report observed, including texts, reminders, news bulletins, purchases, and direct messages, all of which may remain in Notification Center until dismissed.
Signal offers a built-in mitigation for this exposure, the article explained, by letting users block message content and sender names from appearing in notifications; to enable it, open Signal, tap your profile in the top-left corner, go to Settings, then under Notification Content choose No Name or Content.
Users can instead pick Name Only if they want to know who sent a message before opening the app, but the report cautioned that an intruder who scrapes notifications may still see the sender in that mode.
The reporting stresses that end-to-end encryption protects messages in transit, but notification previews can leave a separate local trail that authorities can exploit when they can access an iPhone's internal notification records.