The FBI was able to recover deleted Signal messages from an iPhone by extracting data stored in the device’s notification database.

Hacker News is a community-driven platform for sharing and discussing technology news, startups, and programming-related topics. Through user submissions and comments, Hacker News offers insights into emerging technology trends, industry developments, and entrepreneurial ventures. Readers can participate in discussions, share their insights, and stay informed about the latest advancements in technology and innovation.

Hacker News

The FBI recovered deleted Signal messages from a suspect's iPhone by extracting data from the device's internal notification database. The messages were preserved because the defendant had not enabled Signal's setting to hide message content from notification previews. Even after Signal was uninstalled, incoming notification data remained cached in iOS storage. The article explores possible technical mechanisms, including BFU/AFU device states, push notification token persistence after app deletion, and law enforcement forensic tools. Notably, Apple changed how iOS 26.4 validates push notification tokens around the same time this case became public.

FBI used iPhone notification data to retrieve deleted Signal messages

Notification history was accessed even after Signal was deleted