Please enjoy this blog authored by Jerry Bui (Founder & CEO, Right Forensics) and Phil Weldon, CEDS, RCA (Director of eDiscovery and Litigation Support Technology at HeckerFink LLP)

(Image Source: ChatGPT 4o; Prompt “I'm writing an article on ephemeral messaging. Create an image for me to use with the article.”)
In the context of electronic discovery, Signal poses a unique evidentiary challenge. Its technical safeguards, combined with the ephemeral nature of its communications, render data difficult to preserve, extract, or meaningfully analyze under traditional methods. This article provides an overview of the current state of Signal extractions within the context of eDiscovery. Before collecting any data, it is crucial to obtain explicit written client consent and confirm legal authority. Additionally, consider Signal’s technical architecture to ensure the data you need is available in the required format. For mobile data collection to be defensible, it should be meticulously documented in the chain of custody and forensic reporting process. Defensible workflows are repeatable, auditable, and legally sound. Our goal with this article is to demystify the process of Signal collections for the ILTA community, helping to establish more consistent and effective practices when handling this data source.
Signal is an open-source communications platform engineered for privacy, offering end-to-end encryption that safeguards messages in transit and at rest. Its architecture is designed to prevent any party—including Signal’s own personnel—from decrypting or accessing user content (https://signal.org/blog/looking-back-as-the-world-moves-forward/). As an independent 501(c)(3) nonprofit, Signal resists the monetization pressures that often compete with privacy elsewhere. The application supports ephemeral messaging, enabling users to enforce automatic deletion policies on a per-message or per-conversation basis. While each Signal account is linked to a single phone number, the platform now permits pseudonymous use via optional usernames.
iOS
Acquiring Signal data on devices running iOS 17 and above necessitates a full file system (FFS) extraction, a process that is considerably more time-intensive than traditional advanced logical acquisitions—which are functionally similar to encrypted iTunes backups. This shift poses operational challenges for eDiscovery workflows, which often rely on the efficiency of remote advanced logical collections.
Signal’s local data is stored in encrypted form, with decryption keys securely housed in the iOS keychain. Effective acquisition therefore hinges on the device being in an After First Unlock (AFU) state. Absent this condition, access to decrypted content may be infeasible.
Advanced forensic tools such as Cellebrite Inseyets (or Premium), Oxygen Forensic Detective, and Magnet Axiom leverage proprietary exploits to circumvent system-level encryption and extract the necessary artifacts.
In iOS 18.1, Apple introduced a security feature known as “inactivity reboot,” which automatically reboots an iPhone if it remains locked and unused for 72 hours. This transition shifts the device from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, wherein encryption keys are purged from memory and securely stored within the Secure Enclave. Consequently, access to user data becomes significantly more challenging without the device passcode. This feature operates independently of network connectivity.
For forensic practitioners, if the client cannot recall or provide their device passcode, this presents a critical time constraint. If a device isn’t accessed within the 72-hour window, it reboots into BFU, rendering many conventional data extraction methods ineffective. Therefore, it’s imperative to act swiftly upon taking possession of the device, ensuring that data acquisition occurs before the inactivity timer elapses. This underscores the necessity for prompt action and the importance of obtaining the device passcode to facilitate access.
Key Artifacts:
Signal data resides in the app’s sandbox:
/private/var/mobile/Containers/Data/Application/[UUID]/Documents/
Signal.sqlite – Contains message metadata, contacts, and limited thread information.
Attachments.noindex – Houses media files shared via Signal.
ANDROID
Full file system acquisition on Android requires Android Debug Bridge (ADB) mode and a temporary soft root.
Key Artifacts:
/data/data/org.thoughtcrime.securesms/
databases/signal.db - messages
shared_prefs - account info and preferences
files/attachments/ - media content
JAILBREAK (aka rooting risk)
From a forensic standpoint, any method that alters the device state—such as jailbreaking or soft rooting—must be disclosed to the client in advance and documented in forensic reporting (ideally isolated through cryptographic hash validation and full documentation to defend against claims of data spoliation or manipulation).
When targeting ephemeral applications like Signal, capture the device in an After First Unlock (AFU) state—and do not interact with the app interface, as read receipts or UI events may trigger automated data deletion. Finally, perform and document validation of the acquisition to confirm its integrity.
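As an added example (not code from the article or from Signal), the following Python script locates the iOS and Android artifacts listed above within a full file system extraction, records a SHA-256 inventory for the chain-of-custody report, and re-verifies that inventory later, as the hash validation described above calls for. The extraction-root layout and the sample files it builds are constructed assumptions for demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
# Artifact locations named in the article, relative to the extraction root.
IOS_APP_DIR = Path("private/var/mobile/Containers/Data/Application")
IOS_ARTIFACTS = ("Documents/Signal.sqlite", "Documents/Attachments.noindex")
ANDROID_APP_DIR = Path("data/data/org.thoughtcrime.securesms")
ANDROID_ARTIFACTS = ("databases/signal.db", "shared_prefs", "files/attachments")
UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")

def locate_signal_artifacts(root: Path) -> list[Path]:
    """Signal artifact files/directories present under the extraction root (iOS, then Android)."""
    containers = [c for c in (root / IOS_APP_DIR).glob("*") if UUID_RE.match(c.name)]
    bases = [(c, IOS_ARTIFACTS) for c in containers] + [(root / ANDROID_APP_DIR, ANDROID_ARTIFACTS)]
    return [b / a for b, names in bases for a in names if (b / a).exists()]

def inventory(root: Path) -> dict[str, str]:
    """Map each file inside the located artifacts (path relative to root) to its SHA-256."""
    result = {}
    for artifact in locate_signal_artifacts(root):
        files = [artifact] if artifact.is_file() else sorted(p for p in artifact.rglob("*") if p.is_file())
        for f in files:
            result[f.relative_to(root).as_posix()] = hashlib.sha256(f.read_bytes()).hexdigest()  # chunk large media in practice
    return result

def verify(root: Path, recorded: dict[str, str]) -> list[str]:
    """Re-hash the extraction; return relative paths that are missing or whose hash changed."""
    current = inventory(root)
    return sorted(p for p, digest in recorded.items() if current.get(p) != digest)

def build_sample_extraction(root: Path) -> None:
    """Constructed two-platform extraction tree with placeholder contents, not real Signal data."""
    ios = root / IOS_APP_DIR / "0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B" / "Documents"
    andr = root / ANDROID_APP_DIR
    for d in (ios / "Attachments.noindex", andr / "databases", andr / "shared_prefs", andr / "files/attachments"):
        d.mkdir(parents=True)
    (ios / "Signal.sqlite").write_bytes(b"constructed sqlite placeholder")
    (ios / "Attachments.noindex/img1.jpg").write_bytes(b"constructed jpeg placeholder")
    (andr / "databases/signal.db").write_bytes(b"constructed signal.db placeholder")
    (andr / "shared_prefs/sample_prefs.xml").write_bytes(b"<map/>")

def demo() -> tuple[int, list[str]]:
    """Hash a constructed extraction, alter one file after acquisition, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_extraction(root)
        recorded = inventory(root)
        (root / ANDROID_APP_DIR / "databases/signal.db").write_bytes(b"altered after acquisition")
        return len(recorded), verify(root, recorded)
```

In practice the recorded inventory is written to the forensic report at acquisition time and `verify` is run against the working copy before analysis, so any post-acquisition change is surfaced by path.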
OBFUSCATION
The FBI’s evolving stance on encrypted messaging reflects a nuanced balance between national security concerns and the imperative to protect individual privacy. In the wake of significant cyberattacks, such as the “Salt Typhoon” breach attributed to Chinese hackers, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have advised the public to adopt end-to-end encrypted communication platforms like Signal and WhatsApp to safeguard personal information (https://www.nbcnews.com/tech/security/us-officials-urge-americans-use-encrypted-apps-cyberattack-rcna182694).
This recommendation underscores a shift in perception: the use of encrypted and ephemeral messaging platforms is not solely a tactic for obfuscation by custodians but also a proactive measure endorsed by authorities to enhance cybersecurity. While the FBI has historically expressed concerns about “warrant-proof” encryption hindering lawful investigations, the current guidance acknowledges the role of strong encryption in protecting against unauthorized access by malicious actors. Consequently, the adoption of such platforms may reflect a broader commitment to data security rather than an intent to conceal information, challenging traditional assumptions in electronic discovery contexts.
CLOSING
A final consideration is that this practical guidance may become obsolete with little warning. Signal has demonstrated a clear adversarial stance toward forensic vendors such as Cellebrite and has previously modified its codebase explicitly to disrupt or invalidate forensic acquisition methods. Notably, Signal’s leadership has publicly disclosed multiple vulnerabilities in Cellebrite’s software (signal.org/blog/cellebrite-vulnerabilities) and has highlighted the ethical and technical shortcomings of such tools (signal.org/blog/cellebrite-and-clickbait). In one widely publicized instance, Signal’s CEO reverse-engineered Cellebrite’s UFED device and injected exploit code during a demonstration, underscoring both the volatility of these tools and Signal’s proactive resistance to surveillance-oriented technologies (vice.com/en/article/signal-ceo-hacks-cellebrite-iphone-hacking-device-used-by-cops). Given this history, eDiscovery practitioners must remain vigilant and adaptable, recognizing that capabilities available today may be rendered ineffective tomorrow by developments in Signal’s security architecture.