Recovering Deleted Signal Messages from iPhone: A Forensic Guide

<h2 id="overview">Overview</h2> <p>In 2024, a landmark case revealed that the FBI successfully recovered deleted <strong>Signal</strong> messages from an iPhone by exploiting a forensic artifact: the device’s push notification database. Even after the Signal app was removed, notification previews of incoming messages remained stored in a SQLite database on the iPhone’s internal memory. This discovery underscores a critical privacy insight: secure messaging apps are only as secure as the data they leave behind in the operating system.</p> <p>This tutorial walks you through the forensic methodology used to extract those messages, explains the technical underpinnings, and highlights the settings that can prevent such recovery. Whether you are a digital forensics professional, a cybersecurity researcher, or a privacy-conscious user, understanding this technique is essential.
Apple has since patched the vulnerability (April 2024), but older iOS versions and devices remain susceptible.</p> <h2 id="prerequisites">Prerequisites</h2> <h3>Hardware and Software</h3> <ul> <li>A target iPhone (physically unlocked or with known passcode).</li> <li>A forensic extraction tool such as <strong>Cellebrite UFED</strong>, <strong>GrayKey</strong>, or <strong>Magnet ACQUIRE</strong> (or open-source alternatives like <strong>iLEAPP</strong> + <strong>checkm8</strong>-based dumps).</li> <li>A workstation with forensic analysis software (e.g., <strong>X-Ways Forensics</strong>, <strong>FTK Imager</strong>, or <strong>ALEAPP</strong>).</li> <li>SQLite database viewer (e.g., <strong>DB Browser for SQLite</strong>).</li> </ul> <h3>Legal Considerations</h3> <p>Ensure you have proper <strong>legal authorization</strong> to extract data from the device. This technique is for law enforcement, incident response, or authorized penetration testing only. Unauthorized extraction may violate privacy laws.</p> <h2 id="stepbystep">Step-by-Step Extraction</h2> <h3>Step 1: Acquire Physical Access</h3> <p>Physical possession of the iPhone is mandatory. The device must be powered on and unlocked (or have its passcode known). If the phone is locked, you will need to use a tool like <strong>GrayKey</strong> to brute-force the passcode, or a checkm8-based exploit for older iOS versions (iPhone 4s to iPhone X).</p> <h3>Step 2: Disable Auto-Lock and Network Connectivity</h3> <p>To prevent the device from locking during extraction (which could trigger encryption), disable <em>Auto-Lock</em> in Settings. Also, enable Airplane Mode to block remote wipe commands and prevent the phone from syncing new notifications that could overwrite deleted data.</p> <h3>Step 3: Create a Forensic Image</h3> <p>Use your chosen tool to create a <strong>physical or file-system image</strong> of the iPhone. For example, with Cellebrite UFED:</p> <pre><code>1. Connect the iPhone to the Cellebrite Touch via lightning cable.
2. Select "Physical Extraction" (if iOS version supports it) or "Advanced Logical Extraction".
3. Follow on-screen prompts to bypass encryption if needed.
4. Save the image as a .tar or .zip to your workstation.</code></pre> <p>If using open-source tools like <strong>iLEAPP</strong>, first dump the device’s file system via <strong>checkm8</strong> (iPhone 5s–X) or <strong>libimobiledevice</strong> (jailbroken device):</p> <pre><code>idevicebackup2 backup --unencrypted ./backup
# Or for checkm8:
./ipwnder_lite ./iPwnder32 -p ./iLEAPP -t ./backup</code></pre> <h3>Step 4: Locate the Notification Database</h3> <p>The push notification database is stored at:</p> <pre><code>/private/var/mobile/Library/BulletinBoard/BBBulletinBoard.sqlite</code></pre> <p>In physical or file-system dumps, navigate to this path. The database contains tables like <code>BBBulletinData</code> and <code>BBBulletinStore</code>. On iOS 15+, it may be split into <code>BulletinBoardPartition.sqlite</code>.</p> <h3>Step 5: Parse the SQLite Database</h3> <p>Open the SQLite file with a viewer. Run a query to extract the <strong>title</strong>, <strong>subtitle</strong>, and <strong>message</strong> columns from the <code>BBBulletinData</code> table:</p> <pre><code>SELECT rowid,
       datetime(timestamp, 'unixepoch') AS notification_time,
       appIdentifier,
       title,
       subtitle,
       message
FROM BBBulletinData
WHERE appIdentifier LIKE '%signal%'
ORDER BY timestamp DESC;</code></pre> <p>In some iOS versions, the message body (preview) is stored in the <code>primaryText</code> or <code>secondaryText</code> columns.
For deleted apps, the <code>appIdentifier</code> may still reference <code>org.whispersystems.signal</code> even after deletion because the notifications remain.</p> <h3>Step 6: Extract Deleted Signal Messages</h3> <p>Filter results from the query above. You will see each notification containing the sender’s name and the first line of the message (or full preview, depending on Signal’s settings). If Signal’s "Show Notifications" setting was enabled at the time, the <em>full message content</em> was recorded. Even after Signal is deleted, these records persist because iOS does not purge them automatically.</p> <p>For a more detailed extraction, parse the <code>BBBulletinStore</code> table and decode plist data stored in <code>bulletin</code> columns. Use <strong>ALEAPP</strong> (AutoMacTC-based) to automate this:</p> <pre><code>aleapp -i /path/to/file_system -o ./output --module NotificationDatabase</code></pre> <p><strong>Note:</strong> This forensic artifact only captures <em>incoming</em> messages that triggered notifications. Outgoing messages and messages received while notifications were disabled will not be found.</p> <h2 id="commonmistakes">Common Mistakes</h2> <h3>1. Overwriting the Notification Database</h3> <p>If you connect the iPhone to a network or let it sync with iCloud, new notifications may overwrite older entries in the SQLite database. <strong>Always enable Airplane Mode before extraction.</strong></p> <h3>2. Ignoring Apple’s Patch</h3> <p>Apple patched this vulnerability in <strong>iOS 17.5</strong> (April 2024) by clearing the notification database when an app is deleted.
If the device was updated after deletion, the database may have been purged. Verify the iOS version before expecting results.</p> <h3>3. Assuming Signal’s Privacy Setting Was Off by Default</h3> <p>Signal offers a setting under <strong>Settings &gt; Notifications &gt; Show</strong> that controls whether message previews appear. If this was set to <strong>Name Only</strong> or <strong>No Name/Content</strong>, the notification database will only contain the sender’s identifier, not the message text. <strong>Do not assume full content is recoverable.</strong></p> <h2 id="summary">Summary</h2> <p>Forensic recovery of deleted Signal messages from an iPhone is possible because iOS stores push notification previews in a SQLite database that persists after app deletion. By obtaining physical access, creating a forensic image, and parsing <strong>BBBulletinBoard.sqlite</strong>, investigators can extract incoming message content—provided that notifications were enabled with previews. This technique, used by the FBI, highlights a critical privacy gap that Apple has since patched but remains exploitable on older devices. Users who wish to protect themselves should disable message previews in Signal’s settings and keep iOS updated.</p> <p>For forensic practitioners, always ensure legal authorization, handle devices in a lab environment with network isolation, and verify the iOS version’s vulnerability status before attempting this extraction.</p>
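<p>The Step 5 query and Common Mistake 3 together make one practical point: what the notification database holds depends on Signal’s <strong>Show</strong> setting, not on whether the row exists. The script below is an added example, not code from this guide or from any forensic tool; it builds an in-memory SQLite table with the <code>BBBulletinData</code> layout the guide describes (table and column names are taken from the guide and treated as assumptions), fills it with constructed rows that model each Show setting, runs the guide’s query, and classifies what every Signal row actually discloses. The <code>GENERIC_PLACEHOLDERS</code> strings are an assumption about what a redacted preview looks like; the <code>primaryText</code>/<code>secondaryText</code> fallback covers the column variant the guide mentions.</p>

```python
"""Added example: parse a constructed BBBulletinData table and classify what each
Signal notification row discloses. Table and column names follow the guide and are
treated as assumptions; every row below is constructed sample data."""
from __future__ import annotations

import sqlite3
from dataclasses import dataclass
from typing import Optional

SIGNAL_APP_ID = "org.whispersystems.signal"  # identifier quoted in the guide

# Assumed placeholder strings that a "Name Only" / "No Name or Content" preview
# might leave in the row; a NULL column is treated the same way.
GENERIC_PLACEHOLDERS = {"New message", "Signal"}

# Constructed rows: (timestamp, appIdentifier, title, subtitle, message).
# Each Signal row models one value of Settings > Notifications > Show.
SAMPLE_ROWS = [
    (1700000000, SIGNAL_APP_ID, "Alice", None, "Meet at 6 by the north entrance"),  # Name and Content
    (1700000600, SIGNAL_APP_ID, "Bob", None, "New message"),                        # Name Only
    (1700001200, SIGNAL_APP_ID, "Signal", None, "New message"),                     # No Name or Content
    (1700001800, "com.apple.MobileSMS", "Carol", None, "Running late"),             # unrelated app
]


@dataclass
class Bulletin:
    rowid: int
    timestamp: int
    app_identifier: str
    title: Optional[str]
    subtitle: Optional[str]
    message: Optional[str]

    @staticmethod
    def _informative(value: Optional[str]) -> bool:
        # NULL or a generic placeholder carries no sender- or content-specific data
        return bool(value) and value not in GENERIC_PLACEHOLDERS

    @property
    def exposure(self) -> str:
        """How much the stored preview reveals: message text, sender name only, or nothing."""
        if self._informative(self.message):
            return "name_and_content"
        if self._informative(self.title):
            return "name_only"
        return "none"


def open_sample_db(legacy_columns: bool = False) -> sqlite3.Connection:
    """In-memory database with the BBBulletinData layout the guide describes.

    legacy_columns=True models builds where the preview sits in
    primaryText/secondaryText instead of title/message (assumed layout)."""
    title_col, body_col = ("primaryText", "secondaryText") if legacy_columns else ("title", "message")
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE BBBulletinData (timestamp INTEGER, appIdentifier TEXT, "
        f"{title_col} TEXT, subtitle TEXT, {body_col} TEXT)"
    )
    conn.executemany("INSERT INTO BBBulletinData VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def preview_columns(conn: sqlite3.Connection) -> tuple[str, str]:
    """Detect which column pair holds the preview instead of assuming one layout."""
    cols = {row[1] for row in conn.execute("PRAGMA table_info(BBBulletinData)")}
    if {"title", "message"} <= cols:
        return "title", "message"
    if {"primaryText", "secondaryText"} <= cols:
        return "primaryText", "secondaryText"
    raise ValueError(f"no recognised preview columns in BBBulletinData: {sorted(cols)}")


def signal_bulletins(conn: sqlite3.Connection) -> list[Bulletin]:
    """The guide's Step 5 query, newest first, with the column pair chosen at runtime."""
    title_col, body_col = preview_columns(conn)
    sql = (
        f"SELECT rowid, timestamp, appIdentifier, {title_col}, subtitle, {body_col} "
        "FROM BBBulletinData WHERE appIdentifier LIKE '%signal%' ORDER BY timestamp DESC"
    )
    return [Bulletin(*row) for row in conn.execute(sql)]


def exposure_summary(conn: sqlite3.Connection) -> dict[str, int]:
    """Count Signal rows per exposure level: the honest answer to 'what is recoverable?'."""
    counts = {"name_and_content": 0, "name_only": 0, "none": 0}
    for b in signal_bulletins(conn):
        counts[b.exposure] += 1
    return counts


if __name__ == "__main__":
    db = open_sample_db()
    for b in signal_bulletins(db):
        print(f"{b.timestamp} {b.app_identifier} exposure={b.exposure} title={b.title!r} message={b.message!r}")
    print(exposure_summary(db))
```

<p>Run against the constructed table, three Signal rows come back but only one yields message text; the other two give a sender name or nothing at all, which is exactly the outcome Common Mistake 3 warns about. On a real image you would point <code>sqlite3.connect</code> at the extracted <code>BBBulletinBoard.sqlite</code> instead of the in-memory sample, and the column detection keeps the same query working across the <code>title</code>/<code>message</code> and <code>primaryText</code>/<code>secondaryText</code> layouts.</p>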