An advanced attacker that has access to forensic imaging tools can pull data off of your phone as long as it has been unlocked the first time after boot.
There are some models and some OSs (like Graphene on the newest Pixels) that are safe, for the time being, in AFU mode. You still want to power the phone off if you have the chance.
In your friend’s situation, his phone can be powered, isolated from RF to prevent remote wiping and kept in a lock state in order to preserve the keys in memory until an exploit is found for that model. If the OS automatically reboots after 3 days, it prevents this kind of attack.
Oh now I get the use case for such feature, I was thinking: why would the attacker wait for 3 days to Unlock the device or even give you time to reboot it (that’s why I mentioned this story)
It is not enough to lock the phone.
An advanced attacker that has access to forensic imaging tools can pull data off of your phone as long as it has been unlocked the first time after boot.
There are some models and some OSs (like Graphene on the newest Pixels) that are safe, for the time being, in AFU mode. You still want to power the phone off if you have the chance.
In your friend’s situation, his phone can be powered, isolated from RF to prevent remote wiping and kept in a lock state in order to preserve the keys in memory until an exploit is found for that model. If the OS automatically reboots after 3 days, it prevents this kind of attack.
Oh now I get the use case for such feature, I was thinking: why would the attacker wait for 3 days to Unlock the device or even give you time to reboot it (that’s why I mentioned this story)
It makes sense for a number of reasons. You could be being detained or your device could be sitting in lost and found.