Acquiring volatile memory (RAM) from modern Linux and Generic Kernel Image (GKI) Android systems has become increasingly difficult due to recent hardening features such as Secure Boot, Kernel Lockdown, and strict module signing and loading policies. As a result, traditional open-source tools such as LiME and AVML are no longer viable, preventing the acquisition and analysis of complete physical memory dumps. To address this limitation, we introduce LEMON, the first eBPF-based universal memory acquisition tool for both hardened Linux systems and modern GKI Android devices, extending the range of devices on which volatile memory acquisition is possible. LEMON requires neither kernel source code, code signing, nor prior deployment. It is compatible with x86_64 and ARM64 architectures and supports acquisition either to local storage or over the network in standard forensic file formats. In this paper, we provide a detailed description of LEMON’s implementation, compare it with state-of-the-art open-source acquisition tools, evaluate the byte-level atomicity of its dumps and its acquisition time against existing alternatives, and show the deployment and use of LEMON on two real GKI-equipped Android phones. Furthermore, to enable a complete memory forensics analysis chain on modern Android phones, we adapt a method for generating Volatility 3 profiles from BTF debug information emitted by the kernel at runtime. In a simulated scenario on a real phone, this enabled us to recover contact details from the volatile memory of a terminated password manager. The contact details were unavailable in persistent storage and entirely absent from the logs, contradicting the belief that disk forensics alone is sufficient to extract all relevant evidence from an Android device. Finally, in the spirit of open science and to support the forensics community, we release LEMON as an open-source project.
DFRWS EU 2026, Digital Forensics Research Conference Europe, 24-27 March 2026, Linköping, Sweden
City: Linköping
Date: 2026-03-24
Eurecom Ref: 8522
Copyright: © Elsevier. Personal use of this material is permitted. The definitive version of this paper was published in DFRWS EU 2026, Digital Forensics Research Conference Europe, 24-27 March 2026, Linköping, Sweden and is available at the permalink below.
PERMALINK: https://www.eurecom.fr/publication/8522