iOS: Deleted Signal data extracted by FBI via notification database
Despite the suspect having removed the entire app, FBI forensic experts were still able to find Signal messages. They used a trick.
Jacket with FBI lettering: Signal found again.
(Image: Dzelat / Shutterstock.com)
In connection with investigations against individuals whom the US government classifies as "Antifa" groups, the federal police agency FBI has been able to recover data from an iPhone that was thought to be deleted. This is reported by the magazine 404 Media. Forensic experts succeeded in extracting incoming Signal messages from the iOS notification database, even though Signal itself was no longer present on the device. The case involved attacks on a US Border Protection Agency ICE prison in Texas last summer, which, according to the FBI, was fired upon with fireworks and "willfully damaged." At least one police officer was also injured.
Gone from Signal, but not from iPhone database
The trick used by FBI analysts became known during a trial against those involved. A person observing the trial on behalf of the defendants told 404 Media that they learned that with active Signal notifications including previews, this data also landed in the iPhone's internal storage. There, it was then forensically extracted by the FBI. As part of the evidence presentation, it was stated: "Messages were recovered from [the] phone through Apple’s internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."
Videos by heise
Interestingly, the person concerned is said to have set Signal to automatically disappear incoming messages. However, this apparently does not happen in the notification database. 404 Media assumes that not only Signal is affected by this fact, but also other applications that use notifications.
There are also push data on the servers
In this case, only local data was viewable, but Apple and other operators of smartphone services have also shared information from their push servers with authorities in the past. Apple did not respond to a request from 404 Media. The proceedings ended with a conviction, with one person sentenced for attempted murder.
Signal responded to an inquiry but later did not reply, the magazine reports. In the app, it is possible to prevent message previews. This should prevent them from landing in the notification database. However, it is also possible to disable all notifications.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
