Deleted Signal Messages Aren't Gone: How the FBI Used Apple's Notification Database to Recover Encrypted Chats

A federal terrorism trial in Texas has exposed a forensic technique that allows law enforcement to read Signal messages users believed were permanently destroyed. The method doesn't crack Signal's encryption — it sidesteps it entirely, pulling message content from a place most users don't know exists.

The Case That Revealed the Technique

In early March 2026, nine defendants stood trial in a U.S. federal court for their roles in a July 2025 attack on the Prairieland ICE Detention Facility in Alvarado, Texas [1]. The incident involved the alleged use of commercial fireworks to damage property and culminated in defendant Benjamin Song shooting a police officer in the neck — the officer survived [2]. Prosecutors charged the group with rioting, providing material support to terrorism, and conspiracy to use explosives, making it the first federal case to charge individuals for alleged "antifa" activities following the Trump administration's designation [3].

During the trial, FBI Special Agent Clark Wiethorn testified about Exhibit 158: a set of Signal messages recovered from defendant Lynette Sharp's iPhone [4]. Sharp had deleted Signal from the device. The messages themselves had been set to disappear. None of that mattered.

The FBI recovered copies of incoming Signal messages from the phone's push notification database — an internal iOS storage system where Apple caches notification content for display on the lock screen and in Notification Center [1]. The messages had been decrypted on-device by Signal for display purposes, and iOS preserved that plaintext content in system storage independent of the app itself [5].

How the Extraction Works

The technique targets a specific iOS behavior. When a Signal message arrives on an iPhone, the app decrypts it locally and, if notification previews are enabled, passes the plaintext content to iOS for display. Apple's operating system stores that content in an internal database — commonly identified by forensic researchers as files such as NotificationCenter.db or delimited.db [6].

This database serves a practical function: it lets users scroll through their notification history. But it also creates a forensic artifact. Even if the user deletes the message within Signal, enables disappearing messages, or uninstalls the app entirely, the system-level notification record persists until iOS overwrites it [5]. Forensic tools such as Cellebrite's UFED (Universal Forensic Extraction Device) can extract this data from a seized device [7].

The technique has several constraints. Only incoming messages are recoverable — outgoing messages are not routed through the notification system and remain inaccessible through this method [4]. The extraction requires physical possession of the device. And the amount of message content preserved depends on the user's notification settings: if a user has configured Signal to suppress message content in notifications, there is nothing for iOS to cache [1].
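The persistence step above, as an added example that is not part of the article and is not code from Apple, Signal or any forensic vendor: the script builds a small SQLite database with a constructed table standing in for a system notification store (the article does not document the real schema, so the table layout, column names and the bundle identifier org.whispersystems.signal are assumptions), records a decrypted preview, deletes the row as a dismissal or app removal logically would, and then checks the raw file bytes the way a carving tool does. SQLite leaves freed cell contents on the page until the space is reused unless secure_delete is on, which is the storage-layer reason a "deleted" record can survive; the same raw-bytes check is what a practitioner would run against any seized database before trusting its logical view.

```python
"""Added example (not from the article or from Apple/Signal/Cellebrite).
Constructed stand-in for a notification store: the schema below is assumed,
not Apple's. The behaviour shown is real SQLite behaviour: deleted cell
bytes stay on the page until overwritten unless secure_delete is enabled."""
import os
import sqlite3
import tempfile

# Assumed bundle identifier for the Signal iOS app (used only as a label).
SIGNAL_BUNDLE = "org.whispersystems.signal"

# Constructed alerts standing in for decrypted notification previews.
SAMPLE_ALERTS = [
    (SIGNAL_BUNDLE, "Alice", "north gate at six, bring the radio"),
    ("com.apple.mobilecal", "Calendar", "Dentist at 9:00"),
]


def build_store(path, secure_delete):
    """Create the constructed store, deliver the sample alerts, then remove
    the Signal rows (the logical effect of a dismissal or app removal).
    Returns the rows still visible through SQL afterwards."""
    conn = sqlite3.connect(path)
    # Set the pragma explicitly so the outcome does not depend on how the
    # local SQLite library happened to be compiled.
    conn.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    conn.execute(
        "CREATE TABLE delivered (id INTEGER PRIMARY KEY, bundle_id TEXT, "
        "title TEXT, body TEXT, delivered_at INTEGER)"
    )
    conn.executemany(
        "INSERT INTO delivered (bundle_id, title, body, delivered_at) "
        "VALUES (?, ?, ?, ?)",
        [(b, t, body, 1751500000 + i) for i, (b, t, body) in enumerate(SAMPLE_ALERTS)],
    )
    conn.commit()  # the plaintext preview is now on disk
    conn.execute("DELETE FROM delivered WHERE bundle_id = ?", (SIGNAL_BUNDLE,))
    conn.commit()  # logically gone; physically, only the page header changed
    remaining = conn.execute("SELECT bundle_id, body FROM delivered").fetchall()
    conn.close()
    return remaining


def carve(path, needle):
    """Forensic-style check: search the raw file bytes for the plaintext,
    ignoring SQLite's logical view entirely."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def demo(secure_delete):
    """Returns (sql_still_shows_signal_row, raw_bytes_contain_signal_body)."""
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "notifications.db")
        remaining = build_store(db, secure_delete)
        sql_sees = any(bundle == SIGNAL_BUNDLE for bundle, _ in remaining)
        carved = carve(db, SAMPLE_ALERTS[0][2])
    return sql_sees, carved


if __name__ == "__main__":
    for flag in (False, True):
        sql_sees, carved = demo(flag)
        print(f"secure_delete={'ON' if flag else 'OFF'}: "
              f"visible via SQL={sql_sees}, carvable from file bytes={carved}")
```

In both runs the SQL query returns no Signal row; only with secure_delete on does the body also vanish from the file bytes. Apple's real store may use a different engine or format, so treat this as a demonstration of why "deleted" and "overwritten" differ, not as a parser for the iOS database.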

Signal's Encryption Is Not Broken

Security researchers have been careful to distinguish this technique from a cryptographic attack. Signal's end-to-end encryption — based on the Signal Protocol, which uses the Double Ratchet Algorithm for forward secrecy — remains intact [8]. The messages were not intercepted in transit or decrypted by a third party. They were decrypted by Signal itself, on the recipient's device, exactly as designed.

"The vulnerability lies in how iOS handles data persistence and whether users understand the forensic footprint their devices leave behind," one analysis noted [5]. Security researchers have framed the finding as confirmation that "endpoint security matters as much as encryption in transit" and that "security is a system, not a single tool" [7].

Neither Signal nor Apple provided public statements in response to the court testimony, according to 404 Media [1]. Signal does offer a built-in setting that blocks message content from appearing in push notifications, effectively preventing this type of recovery. The setting is not enabled by default [1].

The Legal Framework

The defendants' phones were seized pursuant to search warrants executed at their homes as part of the broader investigation into the Prairieland attack [2]. Court records do not indicate that Sharp's attorney, Harmony Schuerman, or other defense counsel mounted a specific challenge to the forensic extraction methodology [4].

The legal standard for phone searches in federal criminal cases is well-established: law enforcement must obtain a warrant supported by probable cause, as the Supreme Court required in Riley v. California (2014) [9]. In the Prairieland case, the warrant authorized a search of seized devices, and the notification database extraction fell within the scope of that authorization.

Supporters of law enforcement access argue that the technique is narrowly scoped. It requires a warrant, physical device access, and produces only partial content (incoming messages, subject to notification settings). The defendants in this case were convicted of terrorism-related charges — a jury found eight of nine guilty of providing material support to terrorism, though the verdicts were mixed on other counts [3]. Prosecutors had presented Signal group chats showing defendants allegedly discussing rifle logistics, police locations, and exit routes to avoid cameras [10].

From the government's perspective, the forensic recovery of communications used to coordinate a violent attack on a federal facility represents exactly the kind of judicially supervised access that balances law enforcement needs against privacy protections.

The Scale of the Encryption Problem for Law Enforcement

The Prairieland case is one data point in a much larger struggle between law enforcement and encrypted communications. According to U.S. Courts wiretap reports, the number of wiretap orders encountering encryption that investigators could not break has risen sharply, from 116 cases in 2020 to 533 in 2024 [11]. In 2024, of the 2,297 wiretaps authorized, encrypted communications were encountered in 608 instances, and law enforcement could not decrypt the content in 533 of those, approximately 88% [11].

[Chart: Wiretap Orders Where Encryption Could Not Be Broken. Source: U.S. Courts Wiretap Reports; data as of Dec 31, 2025.]

The FBI's own "lawful access" page describes encryption as one of the most significant obstacles to effective law enforcement, noting that the problem extends across criminal investigations from counterterrorism to child exploitation [12]. A leaked 2021 FBI document cataloging what data can be obtained from encrypted messaging apps showed that Signal yields the least information of any major platform — only the date and time a user registered and the last date they connected to the service [13].

This scarcity of available data from Signal makes device-level forensic techniques like the notification database extraction particularly significant for investigators. Unlike iMessage (where iCloud backups can include encryption keys) or WhatsApp (where cloud backups may contain message content), Signal's server-side data is minimal by design [13].

Who Is Affected

Signal has grown from roughly 20 million monthly active users in 2020 to approximately 85 million in 2026, driven by repeated privacy controversies at competitor platforms [14].

[Chart: Signal Monthly Active Users (Millions). Source: Business of Apps / Backlinko; data as of Apr 1, 2026.]

The app's user base includes populations for whom message security is not a convenience but a safety requirement. The Freedom of the Press Foundation recommends that journalists always enable Signal's disappearing messages when communicating with sources [15]. Digital security guides for activists specifically recommend setting disappearing message timers to as short as five minutes during protests or direct actions [16]. Domestic abuse survivors, human rights workers, and lawyers communicating with clients in sensitive matters also rely on Signal's security guarantees.

The notification database technique disproportionately affects these users because it undermines a specific security assumption: that deleting a message (or enabling disappearing messages) removes it from the device. For users who have not adjusted their notification preview settings — and Signal does not enable the content-blocking setting by default — the iOS notification cache creates an invisible copy that persists after the original is gone.

The mitigation is straightforward but requires user action: within Signal's settings, users can disable notification content so that alerts display only the sender's name or nothing at all [1]. This stops iOS from caching message text for messages delivered after the change; entries already in the notification database remain until iOS overwrites them [5]. Adjusting iOS-level notification settings to disable lock screen previews provides an additional layer of protection [4].

International Comparison

The forensic capability revealed in the Prairieland case exists within a broader international landscape of mobile device extraction.

Cellebrite, the Israeli company whose UFED and Premium products perform the kind of full file system extraction this recovery depends on [17], sells its tools to law enforcement agencies worldwide. The company signed an $11 million contract with U.S. Immigration and Customs Enforcement in 2025 and acquired Corellium, a mobile device virtualization firm, for $200 million in June 2025 [17]. A 2026 Citizen Lab investigation found Cellebrite tools used on a Kenyan activist's phone while in police custody [18].

In the United Kingdom, the Home Office has pursued a different approach, issuing Technical Capability Notices to compel companies like Apple to provide access to encrypted data — a legal mechanism that critics view as a "stalking horse" for broader attacks on encrypted messaging services including Signal, WhatsApp, and Telegram [19]. Germany, where nearly 20% of Signal's user base is concentrated, generally requires judicial authorization for device searches but has expanded its legal framework for law enforcement access in recent years [14].

Australia's Assistance and Access Act of 2018 gives authorities the power to compel companies to provide technical assistance in accessing encrypted communications, including through "technical capability notices" similar to the UK model [20].

The public disclosure of the notification database technique in open court has drawn concern from security researchers. Once a forensic method is described in court proceedings, the knowledge is available to any government or actor that reads the transcript. The artifact itself was already documented by commercial forensic vendors [6]; what the trial added was public confirmation that the FBI relies on it against Signal specifically. Nations such as the United Kingdom, Australia, France, and Germany already employ similar statutory approaches to encrypted data access [20]. The question is whether authoritarian states, which may have access to the same Cellebrite tools but lack comparable judicial oversight, can now more efficiently target dissidents, journalists, and opposition figures using this specific iOS artifact.

What Comes Next

The Prairieland trial ended in March 2026 with a mixed verdict: eight of nine defendants were convicted on terrorism-related charges, while Benjamin Song was additionally convicted of attempted murder [3]. Sentencing is pending. The DOJ characterized the case as its first successful terrorism prosecution against "antifa" — though legal analysts have noted the terrorism designation attached to the charges does not necessarily reflect the legal definition used in the underlying statutes [21].

The forensic technique itself is unlikely to remain viable indefinitely. Apple released iOS 26.4 with changes to how the system validates push notification tokens, though whether this addresses the specific artifact is unclear [4]. Signal could also modify its notification handling to clear the iOS cache more aggressively, though this would require cooperation with or workarounds for Apple's notification framework.

For now, the practical reality is this: Signal's encryption protects messages in transit. But once a message reaches an iPhone and generates a notification, a copy may live in Apple's system storage — surviving deletion, surviving app removal, and surviving the user's belief that the conversation is gone. The fix is a settings change that takes less than a minute. The problem is that most of Signal's 85 million users don't know they need to make it.

Sources (21)

[1] FBI Extracts Suspect's Deleted Signal Messages Saved in iPhone Notification Database (404media.co)
    The FBI was able to forensically extract copies of incoming Signal messages from a defendant's iPhone, even after the app was deleted, because copies of the content were saved in the device's push notification database.

[2] Prairieland ICE detention center shooting trial: Here's what we've learned (keranews.org)
    Nine defendants face federal trial for their roles during or after a chaotic demonstration outside the ICE facility, with charges including material support to terrorism.

[3] Prairieland shooter convicted of attempted murder, others on lesser charges in 'antifa' trial (keranews.org)
    Eight defendants convicted of rioting, providing material support to terrorists, conspiracy to use and carry an explosive; Benjamin Song convicted of attempted murder.

[4] FBI retrieved deleted Signal messages from iPhone notification database (cyberinsider.com)
    FBI Special Agent Clark Wiethorn testified about Exhibit 158, documenting recovered Signal communications from defendant Lynette Sharp's seized iPhone. Only incoming messages were retrievable.

[5] FBI used iPhone notification data to retrieve deleted Signal messages (9to5mac.com)
    The notification database preserved incoming message previews. iOS caches notification content for lock screen display, and forensic tools can recover it long after the notification has been dismissed.

[6] Decrypting iOS Signal App Data with Belkasoft Evidence Center (belkasoft.com)
    iOS often caches notification text in system databases such as NotificationCenter.db or delimited.db. Even if you delete the message in the app or delete the app entirely, that system-level record remains.

[7] The FBI Found a Way to Read Signal Messages. It Didn't Require Breaking Encryption. (glitchwire.com)
    Security researchers emphasize that endpoint security matters as much as encryption in transit and that security is a system, not a single tool. The messages were decrypted on the device for display purposes, as intended.

[8] The limits of secure messaging: Signal, forensic recovery, and lessons from the airstrike chat leak (hka.com)
    Signal uses the Signal Protocol with the Double Ratchet Algorithm for forward secrecy. The security model protects messages in transit but does not govern how the operating system handles decrypted content.

[9] Riley v. California, 573 U.S. 373 (2014) (supremecourt.gov)
    The Supreme Court held that police generally may not search a cell phone seized incident to arrest without first obtaining a warrant supported by probable cause.

[10] Alvarado ICE facility ambush trial: Defendants allegedly discussed guns, cameras & exit routes on Signal app (fox4news.com)
    Jurors viewed Signal group chats between some of the defendants discussing rifle logistics, police locations, and a specific exit route to avoid nearby cameras.

[11] Wiretap Reports - United States Courts (uscourts.gov)
    Of the 2,297 wiretaps authorized, encrypted communications were encountered in 608 instances. Law enforcement could not decrypt the content in 533 (approximately 88%) of those cases.

[12] Lawful Access - Federal Bureau of Investigation (fbi.gov)
    The FBI describes encryption as one of the most significant obstacles to effective law enforcement investigations across criminal categories.

[13] We Now Know What Information the FBI Can Obtain from Encrypted Messaging Apps (justsecurity.org)
    A leaked 2021 FBI document shows Signal yields the least data of any major encrypted messaging platform: only registration date and last connection date.

[14] Signal Revenue & Usage Statistics (2026) (businessofapps.com)
    Signal crossed 85 million monthly active users in 2026, up from approximately 20 million in 2020, with growth driven by privacy demand.

[15] Why reporters should always turn on Signal's disappearing messages (freedom.press)
    The Freedom of the Press Foundation recommends journalists always enable disappearing messages to protect sources, but notes that device-level artifacts may persist beyond app-level deletion.

[16] Signal Security Checklist | Digital Security Checklists for Activists (activistchecklist.org)
    For direct action or protest contexts, activists are advised to set default disappearing messages to 1 week for new chats, shorter as action approaches: 1 hour or 5 minutes day-of.

[17] Cellebrite UFED | Mobile Device Extraction Tool for iOS (cellebrite.com)
    Cellebrite Premium provides full file system extraction with access to decrypted user data at rest, including app sandboxes, system databases, and deleted artifacts. Restricted to vetted government customers.

[18] Citizen Lab Finds Cellebrite Tool Used on Kenyan Activist's Phone in Police Custody (thehackernews.com)
    A 2026 Citizen Lab investigation documented the use of Cellebrite forensic tools on a Kenyan activist's Samsung phone while in police custody following arrest in July 2025.

[19] Apple encryption row: Does law enforcement need to use Technical Capability Notices? (computerweekly.com)
    The UK Home Office uses Technical Capability Notices to compel companies like Apple to provide access to encrypted data, seen as a stalking horse for broader attacks on encrypted messaging.

[20] Data Encryption and Law Enforcement Investigation: Overview (ebsco.com)
    Nations including the UK, Australia, France, and Germany navigate encryption through statutory workarounds, applying legal pressure to device owners rather than attempting to break encryption directly.

[21] The DOJ says it won its first terrorism trial against antifa. Legally, that's not the whole story (keranews.org)
    The DOJ characterized the case as its first successful terrorism prosecution against antifa, though legal analysts note the terrorism designation doesn't necessarily reflect the legal definition in the underlying statutes.