During a federal court proceeding in Texas on April 9, 2026, the FBI presented retrieved messages from the encrypted communication platform Signal—which the suspect had previously deleted—as definitive forensic evidence.
This revelation has caused widespread concern, because Signal is regarded as a premier end-to-end encrypted tool. Since the suspect used the “disappearing messages” feature, recovering such data should in theory be impossible, which raised the question of how the FBI did it.
On iOS, application notifications are written to a local database so that previews can be shown on the lock screen or in a banner. This database retains data for approximately thirty days; consequently, even if a user deletes a message or uninstalls the application, the notification’s content persists in this local database.
Using forensic tools such as Cellebrite, FBI specialists successfully extracted Signal message fragments from this iOS notification cache, a finding that underscores a significant security vulnerability for users of encrypted communication tools.
The flaw lies in the sequence of operations: once a user enables lock screen previews, Signal decrypts an incoming message, iOS generates a notification preview from it, and that preview is cached in a system-level database. This database exists independently of Signal’s architecture; therefore, neither deleting the message nor removing the app purges the cached notification. This is the pivotal point of access for forensic investigators. While this may be perceived as a structural deficiency in encrypted messaging, the resolution ultimately rests with the user, who must weigh the convenience of immediate previews against absolute privacy.
From a security standpoint, it is essential that users disable lock screen previews and permit only the notification alert and badge. The message then remains concealed until the device is unlocked and the application is opened manually. To make the change, open iOS Settings, select Notifications, locate Signal (or any other relevant messaging app), and under “Lock Screen Appearance,” change “Show Previews” from the default “Always” to “Never.” With this setting, incoming messages are not rendered in plaintext or committed to the notification cache.