iPhone Signal Forensics: Extracting Deleted Messages from Notification Databases and Strengthening Privacy

From Bioinfa, the free encyclopedia of technology

Overview

In early 2023, a court case revealed that the FBI successfully retrieved copies of incoming Signal messages from a defendant’s iPhone—even after the Signal app had been deleted. The trick? The messages lived on in the device’s push notification database, a hidden reservoir that many users overlook. This incident underscores a critical lesson: encrypted messaging apps like Signal may protect data in transit and at rest within the app, but notification previews can leave a forensic trail.

Source: www.schneier.com

This tutorial explores how forensic examiners can extract those residual messages from an iPhone’s notification store, and—more importantly—how you can lock down your device to prevent such leaks. Whether you’re a security researcher, a privacy-conscious user, or a digital forensics student, you’ll walk away with actionable steps and a deeper understanding of iOS internals.

Prerequisites

For the Forensic Examiner

  • Physical access to the target iPhone (unlocked or with passcode bypass capabilities).
  • Forensic acquisition tools such as Cellebrite UFED, GrayKey, or open-source alternatives (e.g., checkra1n for older devices).
  • SQLite browser (e.g., DB Browser for SQLite) to read and query the notification database.
  • Knowledge of iOS file system paths (though we’ll cover the relevant locations).
  • A quiet, controlled environment to preserve chain of custody.

For the Privacy-Conscious User

  • An iPhone running iOS 13 or later (the setting exists on all recent versions).
  • Signal app (version 5.0 or later).
  • Access to Settings > Signal on your iPhone.

Step-by-Step Instructions

Part 1: Forensic Extraction of Deleted Signal Notifications

Step 1 – Acquire a Device Image

Connect the iPhone to your forensic workstation and use a tool like Cellebrite or GrayKey to create a full file system image (logical or physical). This image contains all user data, including the SQLite databases where notifications are stored.

Step 2 – Locate the Notification Database

Inside the extracted image, navigate to the following path:

/private/var/mobile/Library/SpringBoard/ApplicationShortcutItems/

The push notification data for third-party apps is stored in a database named com.apple.notificationcenter.db (older iOS) or distributed across per-app containers. For Signal, look in:

/private/var/mobile/Containers/Data/Application/<Signal-UUID>/Library/Caches/

But the most reliable source is the system-level notificationcenter database. In iOS 15+, the file is at:

/private/var/mobile/Library/NotificationCenter/NotificationHistory.plist

Use a SQLite browser to open the .db or .plist file.

Step 3 – Query the Database

Run SQL queries to extract message content. For example, to list every record whose app identifier is Signal’s bundle identifier (org.whispersystems.signal):

SELECT * FROM notifications WHERE app_identifier = 'org.whispersystems.signal';

The message or data column often contains the plaintext of incoming messages, even if the sender is in a different Signal session. Experiment with columns like title, subtitle, and userInfo.

Step 4 – Interpret the Results

Each notification record includes a timestamp, app identifier, and a JSON blob that holds the message body. For example, you might see:

{"aps":{"alert":"Hello, can you meet at 5pm?"},"message":"Hello, can you meet at 5pm?"}

This is exactly what Signal pushed to the notification system. Even after the app is deleted, this record persists until the database is pruned (usually after 30 days or on device reboot with limited storage).
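The query in Step 3 and the payload in Step 4 can be turned into a small audit that tells you whether a notification store still holds message text or only a generic alert. The following is an added example, not code from the original article or from Signal: it builds a constructed in-memory SQLite database whose table and column names (notifications, app_identifier, message) are taken from the article’s query and are an assumption, not a verified iOS schema, seeds it with the JSON blob from Step 4 plus a constructed preview-disabled record, and flags the rows that leak plaintext. The set of generic alert strings is likewise constructed for the example.

```python
"""Audit a notification store for plaintext Signal previews.

Added example (not from the article or Signal). The table layout below
mirrors the article's query and is an assumption about the real store.
"""
import json
import sqlite3

SIGNAL_BUNDLE_ID = "org.whispersystems.signal"  # bundle id named in the article

# Constructed placeholder strings a preview-disabled notification might
# carry instead of the message body (assumption for this example).
GENERIC_ALERTS = {"New message", "New Message", "Signal"}

# Constructed sample rows: the first reuses the JSON blob from Step 4,
# the second shows a preview-disabled payload, the third is another app.
SAMPLE_ROWS = [
    (1672531200, SIGNAL_BUNDLE_ID,
     '{"aps":{"alert":"Hello, can you meet at 5pm?"},'
     '"message":"Hello, can you meet at 5pm?"}'),
    (1672534800, SIGNAL_BUNDLE_ID, '{"aps":{"alert":"New message"}}'),
    (1672538400, "com.example.otherapp", '{"aps":{"alert":"Order shipped"}}'),
]


def build_sample_db() -> sqlite3.Connection:
    """Create the in-memory database with the assumed layout and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notifications ("
        " timestamp INTEGER, app_identifier TEXT, message TEXT)"
    )
    conn.executemany("INSERT INTO notifications VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_app_records(conn, app_identifier=SIGNAL_BUNDLE_ID):
    """The article's Step 3 query, parameterised and ordered by time."""
    cur = conn.execute(
        "SELECT timestamp, app_identifier, message FROM notifications "
        "WHERE app_identifier = ? ORDER BY timestamp",
        (app_identifier,),
    )
    return cur.fetchall()


def extract_preview(payload):
    """Return the text carried in a payload, or None if there is none.

    Checks the two places the article's example puts the text: the APNs
    `aps.alert` field (a string, or a dict with a `body`) and a top-level
    `message` key. Malformed or non-object JSON counts as no preview.
    """
    try:
        data = json.loads(payload)
    except (json.JSONDecodeError, TypeError):
        return None
    if not isinstance(data, dict):
        return None
    aps = data.get("aps")
    alert = aps.get("alert") if isinstance(aps, dict) else None
    if isinstance(alert, dict):
        alert = alert.get("body")
    for text in (alert, data.get("message")):
        if isinstance(text, str) and text.strip():
            return text
    return None


def audit_signal_previews(conn):
    """Flag each Signal record whose stored payload still holds message text."""
    findings = []
    for ts, _app, payload in fetch_app_records(conn):
        text = extract_preview(payload)
        leaks = text is not None and text not in GENERIC_ALERTS
        findings.append({
            "timestamp": ts,
            "leaks_preview": leaks,
            "text": text if leaks else None,
        })
    return findings


if __name__ == "__main__":
    db = build_sample_db()
    for finding in audit_signal_previews(db):
        state = "PLAINTEXT PREVIEW" if finding["leaks_preview"] else "generic only"
        print(f'{finding["timestamp"]}: {state} {finding["text"] or ""}')
```

To run this against a real export, point sqlite3.connect at a copy of the .db file and adjust the table and column names to whatever the store actually uses; the classification logic (generic alert versus body text) stays the same. Running it before and after turning off Show previews (Part 2) is a quick way to confirm the setting took effect.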

Part 2: Preventing Notification Data Leakage (for Users)

Step 1 – Open Signal Settings

Launch the Signal app, tap your profile avatar in the top-left corner, then select Settings > Notifications.


Step 2 – Disable Message Previews

Under Notifications, toggle off Show previews. This prevents Signal from including message text in the push notification payload.

Step 3 – Lock Screen & Notification Center Settings

Go to iPhone Settings > Notifications > Signal. Under Show Previews, choose When Unlocked (or Never) to avoid displaying message content on the lock screen. That way, even if the notification is logged, only generic text appears.

Step 4 – Enable Disappearing Messages (Optional)

In Signal, set messages to disappear after a short interval (e.g., 1 hour). While this doesn’t affect stored notifications, it limits the window of exposure if the database is extracted later.

Common Mistakes

  • Leaving “Show Previews” on in Signal. Many users assume that simply using an encrypted app is sufficient. The notification database stores whatever the app sends, so if previews are enabled, plaintext is saved.
  • Assuming deletion of the app wipes all traces. The notification database is managed by iOS, not Signal. Deleting the app only removes its container; the system notifications remain until the OS garbage-collects them.
  • Not clearing notification history. On iPhone, you can manually clear all notifications by going to Settings > Notifications > [Signal] > Notification History > Clear History. However, this only removes recent ones; older records may stay in the backup.
  • Ignoring iCloud backups. If you back up your iPhone to iCloud, the notification database is included. A forensic examiner could restore that backup and extract the data.
  • Using a passcode that is easy to guess. Even with the best settings, if an attacker gains physical access and can brute‑force the passcode, they can image the device. Use a strong alphanumeric passcode.


Summary

The FBI’s extraction of Signal messages from an iPhone’s push notification database is a wake‑up call. Encrypted apps are only as strong as their weakest link—and that link is often the iOS notification system. By following the forensic steps outlined here, you can understand how such data is recovered. More importantly, by disabling message previews in both Signal and iPhone settings, you can plug this leak. Remember: no single setting guarantees total privacy, but turning off previews is a significant step. Stay safe.
