An FBI agent testified in federal court about recovering Signal messages from a defendant's iPhone. The Signal app had been deleted from the device by the time of seizure. The messages had been preserved in iOS internal notification storage. Some had been configured as disappearing messages in Signal and had already vanished from the app.
Only incoming messages were recovered, not outgoing. The disclosure came in the federal terrorism trial of nine defendants in U.S. District Court in Fort Worth. The case stems from the July 4, 2025 incident at the Prairieland ICE Detention Facility. The forensic technique was first disclosed in courtroom testimony on April 9, 2026.
The forensic finding does not break Signal's encryption. It exploits a property of the iOS notification subsystem that has been known to digital forensics practitioners for years. No Signal cryptography choice can defeat it on its own.
What the courtroom testimony said
Lynette Sharp is the defendant whose iPhone yielded the messages. The 57-year-old is a cooperating witness in the federal trial. She pleaded guilty in November 2025 to one count of providing material support to terrorists. Sharp agreed to testify for the government in hopes of a reduced sentence on her 15-year maximum charge.
Exhibit 158 was introduced on March 10, 2026, the twelfth day of the federal trial. FBI Special Agent Clark Wiethorn testified about the finding.
The published exhibit summary, posted on the Prairieland Defendants supporter site, describes the technique in plain terms.
"Messages were recovered from Sharp's phone through Apple's internal notification storage—Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing)."
— Exhibit 158 summary, Prairieland federal trial
Defense attorney Harmony Schuerman took notes during the testimony. She represents co-defendant Elizabeth Soto and shared the notes with reporters. Her notes describe the same mechanism in operational language.
"They were able to capture these chats bc [because] of the way she had notifications set up on her phone—anytime a notification pops up on the lock screen, Apple stores it in the internal memory of the device."
— Harmony Schuerman, attorney for defendant Elizabeth Soto
The testimony's most significant detail involved disappearing messages. The recovered content included messages that had been configured to expire in Signal and had actually disappeared from the app itself. The forensic artifact survived both the Signal expiration timer and the subsequent uninstallation of the app.
The technical mechanism
iPhones keep a copy of every notification they show you. The copy lives in a system database that survives the app being deleted. The two best-documented locations are /var/mobile/Library/SpringBoard/PushStore/, a legacy notification storage from earlier iOS versions, and /private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local/, the modern iOS notification event stream. Both can be parsed by the open-source forensic tool iLEAPP.
None of this is new. The legacy PushStore artifact has been documented in DFIR community publications since at least 2016. The modern DuetExpertCenter form has been documented since 2022. Open-source parsing has been available throughout that period.
Commercial mobile forensic suites all handle this artifact class. Cellebrite, Magnet AXIOM, Belkasoft Evidence Center, and MSAB XRY are the standard tools. What is new in the Prairieland case is the public courtroom record. An FBI agent confirmed under oath that this artifact yields recoverable Signal content in real federal prosecutions.
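A defender auditing an extraction of their own test device can check whether these stores still hold files for an app that has been removed. The sketch below is an added example, not code from the article, the trial record, or iLEAPP: it triages a file listing against the two locations named above. It assumes PushStore files are named after the owning app's bundle ID with a .pushstore extension; the sample paths, the stream segment name, and the bundle IDs are constructed for illustration.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# The two notification-store locations named in the article.
PUSHSTORE = PurePosixPath("/var/mobile/Library/SpringBoard/PushStore")
DUET_STREAM = PurePosixPath(
    "/private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local"
)

def _normalise(path):
    """Drop a leading /private so /private/var/... and /var/... compare equal."""
    if path.parts[:2] == ("/", "private"):
        return PurePosixPath("/", *path.parts[2:])
    return path

def _under(path, root):
    return _normalise(root) in _normalise(path).parents

def triage(listing, installed_bundle_ids):
    """Summarise notification-store files found in an extraction file listing."""
    pushstore = defaultdict(list)   # bundle ID -> files
    duet_files = []
    for raw in listing:
        p = PurePosixPath(raw.strip())
        if _under(p, PUSHSTORE) and p.suffix == ".pushstore":
            # Assumption: the file stem is the owning app's bundle ID.
            pushstore[p.stem].append(str(p))
        elif _under(p, DUET_STREAM):
            duet_files.append(str(p))
    # Stores whose app is no longer installed: the residue the article describes.
    orphaned = sorted(b for b in pushstore if b not in installed_bundle_ids)
    return {"pushstore": dict(pushstore), "duet_stream_files": duet_files,
            "orphaned": orphaned}

# Constructed sample input, not taken from any real device or from the case.
SAMPLE_LISTING = [
    "/private/var/mobile/Library/SpringBoard/PushStore/org.whispersystems.signal.pushstore",
    "/var/mobile/Library/SpringBoard/PushStore/com.apple.MobileSMS.pushstore",
    "/private/var/mobile/Library/DuetExpertCenter/streams/userNotificationEvents/local/0000000001",
    "/private/var/mobile/Library/Preferences/com.apple.springboard.plist",
]
SAMPLE_INSTALLED = {"com.apple.MobileSMS"}  # Signal has been uninstalled

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING, SAMPLE_INSTALLED)
    print("orphaned stores:", report["orphaned"])
    print("stream files:", len(report["duet_stream_files"]))
```

The stream files are only counted here, because attributing them to an app requires parsing their contents, which this listing-level check does not attempt.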
How a message ends up in that database depends on three things falling into place. Each one has to happen for the message to leak. Take any one of them away and the chain breaks.
First, the messenger has to put the content into the notification. When a Signal message arrives, Signal's notification service extension on iOS receives the encrypted payload from Apple Push Notification Service. Signal decrypts the payload locally on the device using its own session keys.
The end-to-end encryption is intact in transit. The leak happens at the moment Signal hands the decrypted text to iOS for display.
Second, iOS has to cache the notification. The system keeps notification payloads in its internal stream so they can be redisplayed later. Notification Center, lock screen history, Focus summaries, and related system services all read from this cache. The behavior is part of normal iOS notification handling, not a defect.
Third, the user has to leave the app on its default notification setting. Signal has an in-app option called "Notification Content" that controls what Signal puts into the notification payload in the first place. The three choices are "Name, Content & Actions" (the default, which includes the full message text), "Name Only," and "No Name or Content."
The default setting routes full message text into iOS notification storage. With "No Name or Content" selected, there is nothing meaningful for iOS to cache. Signal never sent any message content in the first place.
What the viral version of this story got wrong
A simplified version of the story circulated within hours on Twitter and Telegram. It contained three meaningful errors that change what readers should actually do.
The first error was a clean retention figure that nobody actually documented. The viral version claimed iOS notification storage retains data "for up to one month." No public source on the case supports this number. Apple Biome stream metadata fields do suggest roughly 28 days, but actual notification persistence depends on the iOS subsystem, on storage pressure, on iOS version, and on factors Apple does not document.
The second error pointed users at the wrong setting. The viral version recommends Show Previews → Never as the primary fix. It is not. The iOS-level Show Previews setting controls whether the preview is visible on the lock screen, which protects against shoulder-surfing and casual observation. It does not reliably prevent content from being cached in the iOS notification database, because Signal still hands the full content to iOS regardless of how Show Previews is configured. The right primary mitigation is one layer earlier, inside Signal itself.
The third error recommended enabling iCloud Advanced Data Protection. ADP is unrelated to this threat model. It encrypts iCloud backups end-to-end so that Apple cannot decrypt them, whether under legal demand or after a cloud-side compromise. The Prairieland forensic finding involved local on-device acquisition after physical seizure of the iPhone. iCloud encryption settings have no effect on local forensic acquisition. ADP is still worth enabling for cloud-side threats. It just does not defend against what the FBI did in this case, and recommending it as the fix here mixes up two completely different threats.
Signal's encryption protects your messages until iOS draws them on the screen. After that, the operating system owns the content, and the operating system has its own ideas about caching. That's the gap the FBI walked through.
The case in brief
The Prairieland prosecution stems from a July 4, 2025 incident in Alvarado, Texas. The ICE detention facility sits south of Fort Worth. Approximately 13 people gathered outside that night to protest immigration enforcement, according to the federal indictment. Some set off fireworks, some spray-painted vehicles.
Benjamin Song allegedly opened fire when Alvarado police arrived. The former Marine Corps reservist fired multiple rounds with a rifle. Alvarado Police Lt. Thomas Gross was shot in the neck and survived.
Federal prosecutors charged the defendants under material support of terrorism statutes. The Prairieland case is the first federal terrorism prosecution brought against alleged participants in Antifa-associated activity. A presidential designation issued in September 2025 made it possible.
The political framing of the case is contested. The technical forensic finding is not. It would behave identically regardless of which side of any political case the user is on.
The technical lesson applies broadly: to journalists protecting sources, lawyers communicating with clients, dissidents under authoritarian regimes, executives discussing corporate matters, and anyone else who has chosen Signal because they specifically need disappearing messages to actually disappear.
What Signal and Apple said
Signal acknowledged a request for comment on March 12, 2026, then stopped replying to follow-up emails. The company has not issued a public statement on the Prairieland forensic finding. Apple did not respond to requests for comment and has not issued a public statement.
The trial testimony itself remains the public record on the technique. No DOJ component, FBI Dallas Field Office, or U.S. Attorney's Office has published guidance or commentary on the finding beyond what was said in open court.
What users should actually do
Open Signal. Tap Settings → Notifications → Notification Content. Select "No Name or Content." That is the fix. It stops Signal from putting message text into the notification payload it hands to iOS. With this setting active, there is no message content for iOS to cache, because Signal never sent any.
Show Previews is a useful secondary control. The iOS-level setting at Settings → Notifications → Signal → Show Previews → Never blocks lock-screen previews from shoulder-surfing. It is not a reliable forensic mitigation on its own and should not substitute for the in-Signal setting above.
Apply the same audit to every messenger handling sensitive communication. iMessage, WhatsApp, Telegram, Wire, Threema, Session, and SimpleX each have their own notification configuration. Each can leak content into iOS notification storage if configured to deliver content in notifications. The correct setting in each app is the one that prevents message content from reaching the notification payload. Hiding lock-screen previews is not the same fix.
Users with elevated threat models should treat any phone seizure as total compromise. Assume content visible on the device is recoverable regardless of which messenger was used or which disappearing-message timer was set. Use a secondary device for the highest-sensitivity conversations and keep it powered off or locked when idle. Forensic acquisition of an iPhone in BFU (before first unlock) state is significantly harder than in AFU (after first unlock) state.
Advanced Data Protection is still worth enabling for cloud-side threats. ADP addresses a different category than the Prairieland finding. Both fixes are worth doing for different reasons.
Why this matters beyond Signal
The Prairieland testimony does not introduce a new vulnerability. It confirms in a federal courtroom what digital forensics practitioners have demonstrated for years. The iOS notification subsystem keeps a copy of everything that messenger apps hand to it. That copy is recoverable through forensic acquisition long after the messenger has been deleted.
The fix is not in Signal's cryptography. The fix is in one setting on your phone. Spend the thirty seconds it takes to change it, then do the same for every other messenger you use for sensitive conversations. "Secure messenger" guarantees stop at the boundary of the operating system, and the operating system is not a secure messenger.