Quick Facts
- Category: Technology
- Published: 2026-05-04 20:20:50
Overview
In 2024, a landmark case revealed that the FBI successfully recovered deleted Signal messages from an iPhone by exploiting a forensic artifact: the device’s push notification database. Even after the Signal app was removed, notification previews of incoming messages remained stored in a SQLite database on the iPhone’s internal memory. This discovery underscores a critical privacy insight: secure messaging apps are only as secure as the data they leave behind in the operating system.

This tutorial walks you through the forensic methodology used to extract those messages, explains the technical underpinnings, and highlights the settings that can prevent such recovery. Whether you are a digital forensics professional, a cybersecurity researcher, or a privacy-conscious user, understanding this technique is essential. Apple has since patched the vulnerability (April 2024), but older iOS versions and devices remain susceptible.
Prerequisites
Hardware and Software
- A target iPhone (physically unlocked or with known passcode).
- A forensic extraction tool such as Cellebrite UFED, GrayKey, or Magnet ACQUIRE (or open-source alternatives like iLEAPP + checkm8-based dumps).
- A workstation with forensic analysis software (e.g., X-Ways Forensics, FTK Imager, or ALEAPP).
- SQLite database viewer (e.g., DB Browser for SQLite).
Legal Considerations
Ensure you have proper legal authorization to extract data from the device. This technique is for law enforcement, incident response, or authorized penetration testing only. Unauthorized extraction may violate privacy laws.
Step-by-Step Extraction
Step 1: Acquire Physical Access
Physical possession of the iPhone is mandatory. The device must be powered on and unlocked (or have its passcode known). If the phone is locked, you will need to use a tool like GrayKey to brute-force the passcode, or a checkm8-based exploit for older iOS versions (iPhone 4s to iPhone X).
Step 2: Disable Auto-Lock and Network Connectivity
To prevent the device from locking during extraction (which could trigger encryption), disable Auto-Lock in Settings. Also, enable Airplane Mode to block remote wipe commands and prevent the phone from syncing new notifications that could overwrite deleted data.
Step 3: Create a Forensic Image
Use your chosen tool to create a physical or file-system image of the iPhone. For example, with Cellebrite UFED:
1. Connect the iPhone to the Cellebrite Touch via lightning cable.
2. Select "Physical Extraction" (if iOS version supports it) or "Advanced Logical Extraction".
3. Follow on-screen prompts to bypass encryption if needed.
4. Save the image as a .tar or .zip to your workstation.
If using open-source tools like iLEAPP, first dump the device’s file system via checkm8 (iPhone 5s–X) or libimobiledevice (jailbroken device):
idevicebackup2 backup --unencrypted ./backup
# Or for checkm8:
./ipwnder_lite
./iPwnder32 -p
./iLEAPP -t ./backup
Step 4: Locate the Notification Database
The push notification database is stored at:
/private/var/mobile/Library/BulletinBoard/BBBulletinBoard.sqlite
In physical or file-system dumps, navigate to this path. The database contains tables like BBBulletinData and BBBulletinStore. On iOS 15+, it may be split into BulletinBoardPartition.sqlite.
Step 5: Parse the SQLite Database
Open the SQLite file with a viewer. Run a query to extract title, subtitle, and message columns from the BBBulletinData table:
SELECT
rowid,
datetime(timestamp, 'unixepoch') as notification_time,
appIdentifier,
title,
subtitle,
message
FROM BBBulletinData
WHERE appIdentifier LIKE '%signal%'
ORDER BY timestamp DESC;
In some iOS versions, the message body (preview) is stored in the primaryText or secondaryText columns. For deleted apps, the appIdentifier may still reference org.whispersystems.signal even after deletion because the notifications remain.

Step 6: Extract Deleted Signal Messages
Filter results from the query above. You will see each notification containing the sender’s name and the first line of the message (or full preview, depending on Signal’s settings). If Signal’s "Show Notifications" setting was enabled at the time, the full message content was recorded. Even after Signal is deleted, these records persist because iOS does not purge them automatically.
For a more detailed extraction, parse the BBBulletinStore table and decode plist data stored in bulletin columns. Use ALEAPP (AutoMacTC-based) to automate this:
aleapp -i /path/to/file_system -o ./output --module NotificationDatabase
Note: This forensic artifact only captures incoming messages that triggered notifications. Outgoing messages and messages received while notifications were disabled will not be found.
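As an added example (not code from this article or from any forensic tool it names), the Python script below builds a constructed, in-memory SQLite table shaped like the columns the Step 5 query names and then runs that query, also handling the primaryText/secondaryText column variant the text mentions. The table layout, sample rows and timestamp encoding are assumptions for illustration, not the real BBBulletinBoard.sqlite schema.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample notifications (not from any real device). The layout only
# mirrors the columns the Step 5 query names; it is an assumption, not the real
# BBBulletinBoard.sqlite schema.
SAMPLE_ROWS = [
    (1714900000, "org.whispersystems.signal", "Alice", None, "Meet at 5?"),
    (1714903600, "com.apple.MobileSMS", "Bob", None, "hi"),
    (1714907200, "org.whispersystems.signal", "Alice", "Group chat", "Running late"),
]
BODY_COLUMNS = ("message", "primaryText", "secondaryText")  # variants the text names


def build_sample_db(con, body_column="message"):
    """Populate con with a BBBulletinData table; body_column picks the variant."""
    assert body_column in BODY_COLUMNS
    con.execute(f"CREATE TABLE BBBulletinData (timestamp INTEGER, appIdentifier TEXT,"
                f" title TEXT, subtitle TEXT, {body_column} TEXT)")
    con.executemany("INSERT INTO BBBulletinData VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()


def detect_body_column(con):
    """Read the actual column names instead of assuming 'message' exists."""
    cols = {row[1] for row in con.execute("PRAGMA table_info(BBBulletinData)")}
    for candidate in BODY_COLUMNS:
        if candidate in cols:
            return candidate
    raise ValueError("BBBulletinData has no known message-body column")


def extract_notifications(con, app_substring="signal"):
    """Run the Step 5 query. The column name comes from a fixed allow-list and the
    app filter is bound as a parameter, so neither is string-formatted into SQL."""
    col = detect_body_column(con)
    con.row_factory = sqlite3.Row
    rows = con.execute(
        f"SELECT rowid, timestamp, appIdentifier, title, subtitle, {col} AS body"
        " FROM BBBulletinData WHERE appIdentifier LIKE ? ORDER BY timestamp DESC",
        (f"%{app_substring}%",),
    ).fetchall()
    # Treated as Unix epoch, as in the article's query. Many iOS databases instead
    # store Cocoa time (seconds since 2001-01-01, offset 978307200); check the real file.
    return [{"rowid": r["rowid"],
             "time": datetime.fromtimestamp(r["timestamp"], timezone.utc).isoformat(),
             "app": r["appIdentifier"], "title": r["title"],
             "subtitle": r["subtitle"], "body": r["body"]} for r in rows]


def demo(body_column="message"):
    """Build the constructed table in memory and return the parsed Signal rows."""
    con = sqlite3.connect(":memory:")
    build_sample_db(con, body_column)
    return extract_notifications(con)
```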
Common Mistakes
1. Overwriting the Notification Database
If you connect the iPhone to a network or let it sync with iCloud, new notifications may overwrite older entries in the SQLite database. Always enable Airplane Mode before extraction.
2. Ignoring Apple’s Patch
Apple patched this vulnerability in iOS 17.5 (April 2024) by clearing the notification database when an app is deleted. If the device was updated after deletion, the database may have been purged. Verify the iOS version before expecting results.
3. Assuming Signal’s Privacy Setting Was Off by Default
Signal offers a setting under Settings > Notifications > Show that controls whether message previews appear. If this was set to Name Only or No Name/Content, the notification database will only contain the sender’s identifier, not the message text. Do not assume full content is recoverable.
Summary
Forensic recovery of deleted Signal messages from an iPhone is possible because iOS stores push notification previews in a SQLite database that persists after app deletion. By obtaining physical access, creating a forensic image, and parsing BBBulletinBoard.sqlite, investigators can extract incoming message content—provided that notifications were enabled with previews. This technique, used by the FBI, highlights a critical privacy gap that Apple has since patched but remains exploitable on older devices. Users who wish to protect themselves should disable message previews in Signal’s settings and keep iOS updated.
For forensic practitioners, always ensure legal authorization, handle devices in a lab environment with network isolation, and verify the iOS version’s vulnerability status before attempting this extraction.