Invisible Footprints: How Forensics Extracts Deleted Signal Messages from iPhone Notification Logs
Learn how forensic tools extract deleted Signal messages from iPhone notification databases, step-by-step, and how to prevent it by disabling previews.
Overview
In 2024, reports surfaced that the FBI had successfully recovered deleted Signal messages from an iPhone belonging to a defendant—even after the app had been uninstalled. The source of these remnants wasn’t the Signal app itself but the iPhone’s internal push notification database. This tutorial explores the forensic technique behind this extraction, explains why it works, and provides step-by-step guidance on how to protect yourself. Whether you’re a security researcher, a privacy advocate, or a curious user, understanding this flaw helps you make informed choices about encrypted messaging.

The key takeaway: message content displayed in notifications is cached by iOS in a system-level database that persists even after app deletion. Forensic tools like Cellebrite or GrayKey can access this database and extract message previews. Signal has long offered a setting to disable notification previews—this case shows why that setting is critical.
Prerequisites
Before diving into the technical steps, you’ll need:
- Basic understanding of iOS file system structure and forensics.
- Access to a forensic extraction tool (e.g., Cellebrite UFED, GrayKey, or open-source alternatives like libimobiledevice for forensic dumps).
- An iPhone (for testing) with Signal installed and notifications enabled.
- Familiarity with SQLite databases (the notification cache is stored in a SQLite file).
Note: This tutorial is for educational purposes only. Performing forensic extractions on devices you do not own may violate laws.
Step-by-Step Instructions
1. Understand How iOS Stores Notifications
When an iPhone receives a push notification for an app like Signal, iOS writes a record to the NotificationData SQLite database located at:
/var/mobile/Library/BulletinBoard/NotificationData.sqlite
This database includes columns for app identifier, timestamp, and—critically—the notification’s alertBody and title fields, which contain the message preview text. Even if the user clears the notification from the lock screen, the database entry persists until it is overwritten by new notifications or removed by a system purge, which iOS does not guarantee will happen promptly.
2. Perform a Forensic Extraction of the iPhone
The attacker must have physical access to the device and use a commercially available forensic tool. For this example, we’ll simulate the process using a logical extraction (which does not break the passcode) that still produces a forensically sound dump.
- Connect the iPhone to a host computer running the forensic software.
- Select “Physical Extraction” or “Advanced Logical Extraction” depending on the tool.
- Wait for the tool to create a full file system image (may take hours).
- Once extracted, mount the image locally or browse the file tree via the software.
If using open-source tools like idevicebackup2 (part of libimobiledevice), you can create an encrypted backup that includes the BulletinBoard database. However, modern iOS (16+) may restrict backup contents for security.
3. Locate and Query the Notification Database
Within the extracted file system, navigate to:
/root/Library/BulletinBoard/NotificationData.sqlite
Copy this file to a local analysis machine. Use a SQLite browser or command-line tool to query:
sqlite3 NotificationData.sqlite "SELECT * FROM records WHERE appID LIKE '%org.whispersystems.signal%';"
This will return all stored notifications from Signal. The content column (or alertBody in some schemas) contains the raw message text. Example output:
appID: org.whispersystems.signal
content: “Meet me at 8pm outside the courthouse”
timestamp: 2024-04-15 14:30:00
4. Recover Even After App Deletion
If Signal is deleted, iOS does not automatically remove that app’s old notification records from the database. The records remain until overwritten. In the FBI’s case, the defendant had uninstalled Signal, but the notification database still held months-old message previews. The attacker can simply run the same SQL query—no Signal app needed.

5. Interpret the Extracted Data
Every notification stored includes the full text of the message preview as shown on the lock screen. If the user had not disabled “Show Previews” in Signal’s settings, the entire message content is visible. Even if only the sender’s name or a snippet appears (e.g., “Message from Alice: …”), the database may contain the full preview depending on how the app crafted the notification. Signal’s encrypted nature does not protect this cached copy.
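To measure this exposure on a copy of the database taken from your own device, the following Python audit (an added example, not code from the original report or from any forensic tool) counts, per app, the records that still hold preview text, reports the age of the oldest one, and flags apps that are no longer installed. The table and column names (records, appID, content or alertBody, timestamp) follow this page's description and are assumptions about the schema; the installed-app set, com.example.mail and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime

# Column names follow this page's description of the schema (assumption):
# table "records" with appID, timestamp, and content (alertBody in some schemas).
BODY_COLUMNS = ("content", "alertBody")

def audit_previews(conn, installed_apps, now):
    """Summarise cached preview text per app, flagging records of removed apps."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(records)")}
    body = next((c for c in BODY_COLUMNS if c in cols), None)
    if body is None:
        raise ValueError("no preview-text column found in records table")
    # body is taken from the fixed whitelist above, never from user input.
    query = (
        f"SELECT appID, COUNT(*), MIN(timestamp) FROM records "
        f"WHERE {body} IS NOT NULL AND TRIM({body}) != '' "
        f"GROUP BY appID ORDER BY appID"
    )
    report = []
    for app_id, count, oldest in conn.execute(query):
        age = now - datetime.strptime(oldest, "%Y-%m-%d %H:%M:%S")
        report.append({
            "app": app_id,
            "records_with_text": count,
            "oldest_days": age.days,
            "app_removed": app_id not in installed_apps,
        })
    return report

def build_sample_db():
    """Constructed sample data, not taken from a real device."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (appID TEXT, content TEXT, timestamp TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", [
        ("org.whispersystems.signal", "Meet me at 8pm outside the courthouse", "2024-04-15 14:30:00"),
        ("org.whispersystems.signal", "", "2024-04-16 09:00:00"),  # no preview text stored
        ("org.whispersystems.signal", "Running late", "2024-02-01 08:00:00"),
        ("com.example.mail", "Your invoice is ready", "2024-05-01 12:00:00"),
    ])
    return conn

if __name__ == "__main__":
    installed = {"com.example.mail"}  # Signal is uninstalled in this scenario
    for row in audit_previews(build_sample_db(), installed, datetime(2024, 6, 1)):
        print(row)
```

Running the same audit on a later copy, taken after previews were switched off, shows whether newly written records still carry message text.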
Common Mistakes
Mistake 1: Assuming Deletion Means Forever Gone
Many users believe that deleting an app or clearing notification history removes all traces. iOS does not delete NotificationData.sqlite entries upon app removal. The database may retain records for months.
Mistake 2: Overlooking the Notification Preview Setting
Signal’s default setting shows message content in notifications. Users who ignore this setting leave themselves exposed. Change it immediately: Signal Settings > Notifications > Show > No Name or No Preview or Never.
Mistake 3: Relying Only on Signal’s Encryption
Signal protects messages in transit and at rest within its own app container. But notification content is stored outside that container, in system-level databases. Encrypting the app does not encrypt the notification cache.
Mistake 4: Forensics Without Proper Authorization
Attempting to extract a notification database from a device you do not own without consent is illegal in many jurisdictions. This tutorial is for understanding or for authorized testing on your own device.
Summary
The FBI’s extraction of deleted Signal messages from an iPhone’s push notification database reveals a persistent privacy loophole. Even encrypted messaging apps are vulnerable if they cache message content in system notification logs that survive app deletion. The fix is simple: disable message previews in Signal’s notification settings. Apple has since patched the specific vulnerability with iOS 17.5 (noted in the original report), but users on older versions or those who ignore settings remain at risk. Always treat notification content as potentially recoverable. Go back to Step 1 to review how the database works, or read the Common Mistakes to avoid pitfalls.