Signal messages retrieved from iOS notification

TLDR: Signal content in Apple notifications can be retrieved even after Signal app deletion.

I saw this in a Reddit thread: Signal messages retrieved from iPhone after uninstalling app. : signal

Referencing this news article: Pretti Killing May Affect ICE Prairieland "Antifa Cell" Terrorism Trial

The mention of Signal is in court documents here: March 10: Federal Trial Day 12 - Support the Prairieland Defendants

Signal chat evidence from Sharp’s device (Exhibit 158):
Messages were recovered from Sharp’s phone through Apple’s internal notification storage — Signal had been removed, but incoming notifications were preserved in internal memory. Only incoming messages were captured (no outgoing).

1 Like

Isn’t this more an iOS issue than Signal’s?

Also, this is only an issue if one has message preview in notifications enabled. That’s why for the longest time Tuta did not have this option.

Yes, this most likely comes from Biome/KnowledgeC data, which can persist for 30 days. This is not unique to Signal but applies to a bunch of apps.

iMessage, Instagram, Facebook, and Discord are good examples, as they rely on “iOS-level” notification hiding, which does nothing in reality.

Signal, Telegram, and WhatsApp have options to sanitize the notification in-app, which is the “real protection” against this.

The only way to wipe notification remnants is to factory reset the phone and NOT restore from an iCloud backup. Your iCloud backup can reintroduce old forensic artifacts. If you have iCloud+, then using iCloud backups would be silly. Most of your important stuff is saved as synced data:

  • Photos (iCloud Photos)

  • Messages (if Messages in iCloud enabled)

  • Contacts, Notes, Calendars

  • iCloud Drive files

  • Keychain (passwords)

Extra note: It is also important for everyone you communicate with to be just as educated as you, or all of this is for nothing. The FBI used one person’s phone (who deleted the app) to access the messages of other people. This serves as a reminder to not blindly use these secure platforms without understanding at least some digital forensics. People bash the cloud for being insecure, yet are harvesting a gold mine of data on local devices that could be accessed depending on their security posture.

5 Likes